Snort mailing list archives
subsidy
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
Date: Thu, 10 May 2001 15:09:39 -0600
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 2:43 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #631 - 4 msgs

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net
You can reach the person managing the list at
snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

Today's Topics:
1. redundant rules (Watson, Ed)
2. Re: redundant rules (Martin Roesch)
3. My apologies (Kevin.Brown () asu edu)
4. ******unsubscribe****** (Ryan McClure (Systems Admin) - United Shipping)

--__--__--
Message: 1
From: "Watson, Ed" <ewatson () academic com>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 13:27:14 -0700
Subject: [Snort-users] redundant rules

The default rules don't seem to pick up port scans, even obvious ones. I thought if I used the vision.rules, that would be more effective, and it hasn't. Could redundant rules cause it to not log these events?

1166 rules read...
1166 Option Chains linked into 257 Chain Headers
0 Dynamic rules

System
Dell 1550
dual PIII 833
1gb ram
100baseTX FDX
Resource usage
Mem .6%
CPU .1%
OS
RH7

Ed Watson

--__--__--
Message: 2
Date: Thu, 10 May 2001 16:31:05 -0400
From: Martin Roesch <roesch () sourcefire com>
To: "Watson, Ed" <ewatson () academic com>
CC: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] redundant rules

What are your HOME_NET and EXTERNAL_NET variables set to? Are you portscanning yourself from the same network that you're monitoring?

-Marty
"Watson, Ed" wrote:
The default rules don't seem to pick up port scans, even obvious ones.
I thought if I used the vision.rules, that would be more effective,
and it hasn't. Could redundant rules cause it to not log these events?
1166 rules read...
1166 Option Chains linked into 257 Chain Headers
0 Dynamic rules
System
Dell 1550
dual PIII 833
1gb ram
100baseTX FDX
Resource usage
Mem .6%
CPU .1%
OS
RH7
Ed Watson
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

--__--__--
Message: 3
Date: Thu, 10 May 2001 13:35:42 -0700 (MST)
From: Kevin.Brown () asu edu
To: snort-users () lists sourceforge net
Subject: [Snort-users] My apologies

I don't know what happened but the mail I send from outlook gets turned into html garbage when I send to this list. I verified my options in both outlook and with sourceforge, so somewhere between the two (maybe the damn exchange server) is converting my plain text messages into htmlized junk.

--__--__--
Message: 4
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
To: snort-users () lists sourceforge net
Date: Thu, 10 May 2001 14:43:37 -0600
Subject: [Snort-users] ******unsubscribe******

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 2:17 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #630 - 8 msgs

Today's Topics:
1. Re: Snort + Acid w/ MySQL question(s) (roman () danyliw com)
2. unsubscribe (Ryan McClure (Systems Admin) - United Shipping)
3. Re: loggin issue (roman () danyliw com)
4. Rules vs performance (Robinson, Ken)
5. RE: Rules vs performance (Kevin Brown)
6. Re: Rule Managment Tool (shawn . moyer)
7. RE: Rule Managment Tool (Jeff Dell)
8. RE: New Conundrum (Kevin Brown)

-- __--__--
Message: 1
To: alexus <ml () db nexgen com>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 15:18:07 US/Eastern

One observation:
- ACID 0.9.5 does not use ADODB. This DB abstraction was introduced in 0.9.6b2 (Jan 2001). Hence, this addition into acid_conf.php will be ignored.

Two recommendations:
- are you sure that you have CREATE permissions on the DB user set in acid_conf.php? If all else fails, try using the "create_acid_tbls_mysql.sql" to manually create the ACID tables.
- upgrade to a more recent version of ACID => 0.9.6b9. There are significant feature improvements as well as bug fixes. If you prefer an older version, upgrade to at least 0.9.6b1 for it has a number of important bug fixes

cheers,
Roman
I'm using the following:
FreeBSD 4.3 - RELEASE (STABLE)
ACID-0.9.5 - RELEASE (STABLE)
ADODB v1.0.1 - RELEASE (STABLE)
PHP - 4.0.5 - RELEASE (STABLE)
APACHE - 1.3.19 - RELEASE (STABLE)
SNORT - 1.7 - RELEASE (STABLE)
to compile snort i used following line:
../configure --with-mysql=/usr/local/mysql;make;make install
i did change acid_conf.php i put path to adodb
in adodb i put local path in adodb.inc.php
when i go to http://localhost/acid it redirects me to acid_main.php and when it gets there i get this:
The underlying database alexus@localhost appears to be invalid. The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB
when i click on "Setup page" in status window i get "DONE" for "Search Indexes" and i have "Create ACID AG" for "ACID tables"
i'm assuming i need to click on "Create ACID AG", when I do that nothing happens, it won't disappear or it won't change status to "DONE".. what am i missing?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/
-- __--__--
Message: 2
From: "Ryan McClure (Systems Admin) - United Shipping"
<rmcclure () unitedshipping com>
To: snort-users () lists sourceforge net
Date: Thu, 10 May 2001 13:33:14 -0600
Subject: [Snort-users] unsubscribe
-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 1:06 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #629 - 4 msgs
Today's Topics:
1. Re: High CPU (Jon Bentley)
2. Re: alert message containing info from the packet? (Andreas Hasenack)
3. loggin issue (Koaps)
4. Re: snort pgsql keepalive (roman () danyliw com)
-- __--__--
Message: 1
From: "Jon Bentley" <jon () ascendanttech com>
To: "Steve" <stlukacs () mb sympatico ca>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] High CPU
Date: Thu, 10 May 2001 13:22:31 -0400
Hi, Steve. What type of system are you running on, and how many packets
are you generating?
----- Original Message -----
From: "Steve" <stlukacs () mb sympatico ca>
To: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 12:40 PM
Subject: [Snort-users] High CPU
I am currently testing snort 1.7 and find the CPU to be very high (87%). I am running 1.6.3 in production and the CPU is about 9%... I've disabled all pre-processors, turned on binary logging and have seen no change... anyone experienced this?
Thank-you
Steve Lukacs
Qunara
-- __--__--
Message: 2
Date: Thu, 10 May 2001 14:58:26 -0300
From: Andreas Hasenack <andreas () netbank com br>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] alert message containing info from the packet?
On Thu, May 10, 2001 at 12:08:09PM -0300, Andreas Hasenack wrote:
Would it be feasible for snort's alert messages to contain some information from the packet that caused the alert?
Answering to myself, this would probably be better handled with
the analysis tool...
-- __--__--
Message: 3
From: "Koaps" <koaps () 2nutz com>
To: "Snort" <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 11:27:56 -0700
Subject: [Snort-users] loggin issue
I don't get it....
I have Snort 1.7 on OpenBSD
it's telling me it's seeing Packets, it's sending alerts, but I see no data
in mysql....
===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 5048 (99.664%) ALERTS: 7
UDP: 0 (0.000%) LOGGED: 7
ICMP: 12 (0.237%) PASSED: 0
ARP: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
=======================================
connect info
Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: user = ids
database: password is set
database: database name = snortdb
database: host = 192.168.69.5
database: sensor name = 192.168.69.12
database: sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
I am using ACID to look at the SnortDB
I can see it's registered in the database as a sensor...
I just see no data from it
L8rZ,
)\_/(
< o,0 >
~
\ /
KoAps
-- __--__--
Message: 4
To: Alexandre Dulaunoy <adulau-snort () colorado g-inter net>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] snort pgsql keepalive
Date: Thu, 10 May 2001 15:02:21 US/Eastern
I did some checking on Snort behavior when the DB server dies:
Snort 1.7: alerts dropped
Snort 1.8: alert dropped, Snort issues FatalError(), quits
In either case, the behavior is incorrect. The fact that 1.8 quits
instead of merely dropping (ala 1.7) is immaterial since neither version
will cache dropped alerts. Thus, without caching there is no
reason to even keep the sensor up, since no logging is occurring
(unless you have other logging mechanisms other than
the DB-plugin).
I believe that the correct action is to attempt a re-connect
to the DB when Snort detects a disconnect (i.e. when either
the Select() or Insert() fails with the appropriate error code, call
Connect() again, if this fails only then FatalError() ).
Roman
Hello,
When the sensor got a connection to the postmaster (postgres) and if the postmaster goes down, the sensor will stop. Is there any way to keep the sensor up and reconnect when the connection to the postmaster comes back? like a keepalive and reconnect...
Thanks
alx
--
--- Alexandre J.D. Dulaunoy | "Engineering is the implementation of science;
AD993-RIPE | Politics is the implementation of faith".
http://www.foo.be/ | Another usenet quote...
---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/
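Roman's reconnect-and-cache argument above, worked through as an added example that is not code from the thread or from Snort: a small output sink with a constructed stand-in database, FlakyDB, that buffers alerts while the server is down, calls connect() again when an insert fails, and raises SinkFatal (the FatalError() equivalent) only once a reconnect budget is exhausted. The reconnect budget and the bounded buffer are generalisations beyond his one-retry proposal; everything here (FlakyDB, BufferedDBSink, the demo functions) is assumed, not Snort's API.

```python
from collections import deque


class DBDown(Exception):
    """Raised by the constructed FlakyDB when the server is unreachable."""


class SinkFatal(Exception):
    """Stands in for Snort's FatalError(): the sink gives up."""


class FlakyDB:
    """Constructed stand-in for a DB connection, not a real driver.

    Flip ``server_up`` to simulate the postmaster/mysqld dying and returning.
    """

    def __init__(self):
        self.server_up = True
        self.connected = False
        self.rows = []            # what the "server" has durably stored
        self.connect_calls = 0

    def connect(self):
        self.connect_calls += 1
        if not self.server_up:
            raise DBDown("connection refused")
        self.connected = True

    def insert(self, row):
        if not (self.server_up and self.connected):
            self.connected = False
            raise DBDown("server has gone away")
        self.rows.append(row)


class BufferedDBSink:
    """Output sink that buffers alerts across a DB outage and reconnects.

    Roman's proposal: on a failed Insert(), call Connect() again and
    FatalError() only if that fails.  Generalised here with a reconnect
    budget (``max_failures`` consecutive failed connects) so the sensor
    survives a short server restart, and a bounded buffer so alerts raised
    during the outage are held rather than silently dropped.
    """

    def __init__(self, db, max_buffer=1000, max_failures=3):
        self.db = db
        self.pending = deque()
        self.max_buffer = max_buffer
        self.max_failures = max_failures
        self.failures = 0
        self.dropped = 0          # alerts evicted because the buffer was full
        self.db.connect()

    def _reconnect(self):
        try:
            self.db.connect()
        except DBDown:
            self.failures += 1
            if self.failures >= self.max_failures:
                raise SinkFatal(
                    f"DB unreachable after {self.failures} reconnects; "
                    f"{len(self.pending)} alerts still buffered")
            return False
        self.failures = 0
        return True

    def log(self, alert):
        """Queue one alert and try to drain the queue; True if all delivered."""
        if len(self.pending) >= self.max_buffer:
            self.pending.popleft()       # evict the oldest, keep the newest
            self.dropped += 1
        self.pending.append(alert)
        return self.flush()

    def flush(self):
        while self.pending:
            try:
                self.db.insert(self.pending[0])
            except DBDown:
                if not self._reconnect():
                    return False         # still down; keep alerts buffered
                continue                 # reconnected: retry the same alert
            self.pending.popleft()       # discard only once stored
        return True


def demo_outage_and_recovery():
    """Server dies for two alerts, then returns: nothing lost, order kept."""
    db = FlakyDB()
    sink = BufferedDBSink(db, max_buffer=10, max_failures=3)
    sink.log({"cid": 1})
    db.server_up = False
    results = [sink.log({"cid": 2}), sink.log({"cid": 3})]
    db.server_up = True
    results.append(sink.log({"cid": 4}))
    return results, [r["cid"] for r in db.rows], len(sink.pending), sink.dropped


def demo_prolonged_outage():
    """Server never returns: buffer fills, oldest evicted, then fatal."""
    db = FlakyDB()
    sink = BufferedDBSink(db, max_buffer=2, max_failures=3)
    db.server_up = False
    delivered, fatal = [], False
    for cid in (10, 11, 12):
        try:
            delivered.append(sink.log({"cid": cid}))
        except SinkFatal:
            fatal = True
    return delivered, fatal, [r["cid"] for r in sink.pending], sink.dropped
```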
-- __--__--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest
-- __--__--
Message: 3
To: Koaps <koaps () 2nutz com>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] loggin issue
Date: Thu, 10 May 2001 15:35:26 US/Eastern
Is it logging anywhere else (e.g. to a file)? What does your
command line look like? Does it have a "-A", if so remove it.
Roman
I don't get it....
I have Snort 1.7 on OpenBSD
it's telling me it's seeing Packets, it's sending alerts, but I see no data
in mysql....
===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 5048 (99.664%) ALERTS: 7
UDP: 0 (0.000%) LOGGED: 7
ICMP: 12 (0.237%) PASSED: 0
ARP: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
=======================================
connect info
Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: user = ids
database: password is set
database: database name = snortdb
database: host = 192.168.69.5
database: sensor name = 192.168.69.12
database: sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
I am using ACID to look at the SnortDB
I can see it's registered in the database as a sensor...
I just see no data from it
L8rZ,
)\_/(
< o,0 >
~
\ /
KoAps
---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/
-- __--__--
Message: 4
From: "Robinson, Ken" <ken.robinson () ccra-adrc gc ca>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 15:41:30 -0400
Subject: [Snort-users] Rules vs performance
Hello,
Are there any rules of thumb, or such, on how the number of Snort rules
affects the performance?
In doing some lab tests, we found that as the amount of traffic went up, we
detected fewer and fewer test attacks. CPU usage was high, but not
peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit
NICs and 256Meg RAM.
I don't know if the misses were due to an issue with the hardware (NIC
missing packets?), or if there were too many rules to sort through for the
Snort software, or too much logging?
We've looked through the snort rules from Whitehats and found many cases
where we could reduce the rules by either dropping them (i.e. don't care),
reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
instead of detecting which OS), or making groups of them as activate rules
(i.e. the DeepThroat backdoor rules). We could also use the Activate
rules to log the next 50 packets and then run a full set of rules on those
logged packets.
So, any advice for us? Should we use Activate rules as much as possible?
Should we generalize rules? Or is all of this not going to make much of a
difference?
Thanks.
----
Ken Robinson
-- __--__--
Message: 5
Date: Thu, 10 May 2001 12:53:00 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] Rules vs performance
To: "'Robinson, Ken'" <ken.robinson () ccra-adrc gc ca>,
"Snort List (E-mail)" <snort-users () lists sourceforge net>
I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s link
the snort was clocking 40% of the cpu with absolutely no rules or plugins.
I don't remember the specifics, but I was removing rules from the list till
snort dropped to 80% or less and of the ruleset of 400 rules I had to drop
all but 50 I believe to get it down. I'm currently using a Sparc 500 and it
is clocking 50% of the CPU (same link) with the full ruleset in place
(snort1.8b5 build 20). I downloaded top and compiled it and just watched the
processes and noticed that with just the database and spp plugins snort is
slowly eating up my 1GB of memory. I don't know if that is a memory leak
or just a lot of memory caching going on within snort.
-----Original Message-----
From: Robinson, Ken [mailto:ken.robinson () ccra-adrc gc ca]
Sent: Thursday, May 10, 2001 12:42
To: Snort List (E-mail)
Subject: [Snort-users] Rules vs performance
Hello,
Are there any rules of thumb, or such, on how the number of Snort rules
affects the performance?
In doing some lab tests, we found that as the amount of traffic went up, we
detected fewer and fewer test attacks. CPU usage was high, but not
peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit
NICs and 256Meg RAM.
I don't know if the misses were due to an issue with the hardware (NIC
missing packets?), or if there were too many rules to sort through for the
Snort software, or too much logging?
We've looked through the snort rules from Whitehats and found many cases
where we could reduce the rules by either dropping them (i.e. don't care),
reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
instead of detecting which OS), or making groups of them as activate rules
(i.e. the DeepThroat backdoor rules). We could also use the Activate
rules to log the next 50 packets and then run a full set of rules on those
logged packets.
So, any advice for us? Should we use Activate rules as much as possible?
Should we generalize rules? Or is all of this not going to make much of a
difference?
Thanks.
----
Ken Robinson
-- __--__--
Message: 6
Date: Thu, 10 May 2001 14:54:31 -0500
From: "shawn . moyer" <shawn () net-connect net>
To: Cedric Guillotin <guillo_c () fluxus net>
Cc: Jeff Dell <jdell () teleplace com>,
snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule Managment Tool
By the way, I pulled this down, still twiddling with it, but the first
thing I noticed is it needs MSCOMCTL.OCX -- I dl'd this from:
http://www.microxl.com/wintersasj/download/mscomctl.zip
--shawn
--
s h a w n m o y e r
shawn () net-connect net
"May the forces of evil become
confused on the way to your house."
--George Carlin
-- __--__--
Message: 7
From: Jeff Dell <jdell () teleplace com>
To: "'shawn . moyer'" <shawn () net-connect net>, Cedric Guillotin
<guillo_c () fluxus net>
Cc: Jeff Dell <jdell () teleplace com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rule Managment Tool
Date: Thu, 10 May 2001 16:03:21 -0400
yea.. it needs ms visual basic runtimes installed. they should be included
in win2k.
Jeff
-----Original Message-----
From: shawn . moyer [mailto:shawn () net-connect net]
Sent: Thursday, May 10, 2001 3:55 PM
To: Cedric Guillotin
Cc: Jeff Dell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule Managment Tool
By the way, I pulled this down, still twiddling with it, but the first
thing I noticed is it needs MSCOMCTL.OCX -- I dl'd this from:
http://www.microxl.com/wintersasj/download/mscomctl.zip
--shawn
--
s h a w n m o y e r
shawn () net-connect net
"May the forces of evil become
confused on the way to your house."
--George Carlin
-- __--__--
Message: 8
Date: Thu, 10 May 2001 13:15:30 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] New Conundrum
To: snort-users () lists sourceforge net
OK, did some more digging and I'm still under the impression that
something's not right. I finally figured out that for each sensor it
creates a new cid entry in the event table that is unique only against the
sid (e.g. if you have 4 sensors logging you could have four rows with a cid
of 1000 with a unique sid attached to each). So with that in hand I did a
select statement to find the cids for just the sun box and came up with:
sid | cid | signature | timestamp
-----+--------+-----------+------------------------
3 | 30 | 424 | 2001-05-09 05:07:40-07
3 | 31 | 424 | 2001-05-09 05:07:40-07
3 | 32 | 668 | 2001-05-14 02:10:41-07 <----
3 | 33 | 424 | 2001-05-09 05:07:41-07
3 | 34 | 5538 | 2001-05-09 05:07:41-07
3 | 35 | 1250 | 2001-05-14 02:10:42-07 <----
3 | 36 | 424 | 2001-05-09 05:07:42-07
3 | 37 | 424 | 2001-05-09 05:07:42-07
3 | 38 | 424 | 2001-05-09 05:07:42-07
3 | 39 | 424 | 2001-05-09 05:07:42-07
3 | 40 | 424 | 2001-05-09 05:07:42-07
3 | 41 | 5541 | 2001-01-28 22:19:42-07 <----
3 | 42 | 1053 | 2001-05-14 02:10:43-07 <----
Notice that the timestamp field jumps around in date even though the Cid of
the events are sequential. I don't know where this problem is introduced,
but it doesn't seem to have happened to the Linux (RH6.2 kernel 2.2.19) box
that was in the wild.
-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown () asu edu]
Sent: Wednesday, May 09, 2001 16:03
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Conundrum
Got a new little thing I found. I just finished putting that Netra T1 into
place to begin testing. I have it logging to the same database as the PII
450 that was out there. I went looking through the database to verify that
it is indeed logging and found that the timestamp for the events being
logged by the Sun box are 5 days behind today (5/4/2001). I discovered this
by just doing a "select timestamp from event where cid = <count of rows>;".
The box has the following on it.
Solaris 8
psql 7.0.3 (for the shared libs to send data to a remote sql box)
snort 1.8b4 (build 14)
running date returns the following: Wed May 9 15:58:05 MST 2001
which is only off by a minute or less from current local time.
The linux box that had been there (PII 450) last logged a packet at 10:44AM,
Wed May 9 which is the time that I shut it down to put the Sun in its place.
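Kevin's finding that cid is unique only within a sid, as an added example that is not from the thread: the sensor-3 rows he posted are loaded into an in-memory SQLite event table keyed on (sid, cid), alongside a constructed second sensor (sid 2) that reuses the same cids, to show why a lookup by cid alone is ambiguous, why "cid = <count of rows>" finds nothing for this data, and how to list the rows where the timestamp jumps against cid order. The table layout and the sid 2 rows are assumptions for illustration, not the Snort schema.

```python
import sqlite3
from datetime import datetime

# Rows for the Sun box (sid 3) exactly as posted in the thread.
SID3_ROWS = [
    (3, 30, 424, "2001-05-09 05:07:40-07"),
    (3, 31, 424, "2001-05-09 05:07:40-07"),
    (3, 32, 668, "2001-05-14 02:10:41-07"),
    (3, 33, 424, "2001-05-09 05:07:41-07"),
    (3, 34, 5538, "2001-05-09 05:07:41-07"),
    (3, 35, 1250, "2001-05-14 02:10:42-07"),
    (3, 36, 424, "2001-05-09 05:07:42-07"),
    (3, 37, 424, "2001-05-09 05:07:42-07"),
    (3, 38, 424, "2001-05-09 05:07:42-07"),
    (3, 39, 424, "2001-05-09 05:07:42-07"),
    (3, 40, 424, "2001-05-09 05:07:42-07"),
    (3, 41, 5541, "2001-01-28 22:19:42-07"),
    (3, 42, 1053, "2001-05-14 02:10:43-07"),
]
# Constructed rows for a second sensor (sid 2) that reuses cids 30-32,
# showing that cid on its own does not identify an event.
SID2_ROWS = [
    (2, 30, 424, "2001-05-09 10:40:00-07"),
    (2, 31, 1053, "2001-05-09 10:41:00-07"),
    (2, 32, 424, "2001-05-09 10:44:00-07"),
]


def build_db():
    """In-memory event table keyed on (sid, cid), as Kevin worked out."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE event (
            sid       INTEGER NOT NULL,   -- sensor id
            cid       INTEGER NOT NULL,   -- per-sensor event counter
            signature INTEGER NOT NULL,
            timestamp TEXT    NOT NULL,
            PRIMARY KEY (sid, cid)
        )""")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                     SID3_ROWS + SID2_ROWS)
    return conn


def rows_for_cid(conn, cid):
    """The ambiguous lookup: one row per sensor that has reached this cid."""
    return conn.execute(
        "SELECT sid, cid, timestamp FROM event WHERE cid = ? ORDER BY sid",
        (cid,)).fetchall()


def event_timestamp(conn, sid, cid):
    """Unambiguous lookup using both halves of the key."""
    row = conn.execute(
        "SELECT timestamp FROM event WHERE sid = ? AND cid = ?",
        (sid, cid)).fetchone()
    return row[0] if row else None


def row_count_vs_max_cid(conn, sid):
    """Why 'cid = <count of rows>' misses: cids need not start at 1."""
    return conn.execute(
        "SELECT COUNT(*), MAX(cid) FROM event WHERE sid = ?", (sid,)).fetchone()


def latest_event(conn, sid):
    """Newest event for one sensor by its counter, not by row count."""
    return conn.execute(
        "SELECT cid, timestamp FROM event WHERE sid = ? ORDER BY cid DESC LIMIT 1",
        (sid,)).fetchone()


def _parse(ts):
    # Every posted timestamp carries the same -07 offset, so drop it and
    # compare naive datetimes.
    return datetime.strptime(ts[:19], "%Y-%m-%d %H:%M:%S")


def timestamp_jumps(conn, sid, max_gap_days=1):
    """cids whose timestamp differs from the previous cid's by more than
    max_gap_days in either direction: the jumps Kevin arrowed."""
    rows = conn.execute(
        "SELECT cid, timestamp FROM event WHERE sid = ? ORDER BY cid",
        (sid,)).fetchall()
    jumps = []
    for (_, prev_ts), (cid, ts) in zip(rows, rows[1:]):
        gap = abs((_parse(ts) - _parse(prev_ts)).total_seconds())
        if gap > max_gap_days * 86400:
            jumps.append(cid)
    return jumps


def duplicate_key_rejected(conn):
    """A second row with an existing (sid, cid) pair must be refused."""
    try:
        conn.execute(
            "INSERT INTO event VALUES (3, 30, 999, '2001-05-09 05:07:40-07')")
    except sqlite3.IntegrityError:
        return True
    return False
```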
-- __--__--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest
--__--__--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
