Snort mailing list archives

New FAQ in cvs....


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 13 Aug 2001 07:02:17 -0700

Here is a patch that shows FAQ changes...

--- FAQ-v1.8.1  Sat Aug 11 05:08:24 2001
+++ FAQ Mon Aug 13 07:01:33 2001
@@ -1,4 +1,4 @@
-SNORT FAQ Version 1.8 - July 10 2001 v1.8.1
+SNORT FAQ Version 1.8.1' - 13 August 2001
 
 Suggestions for enhancements of this document are
 always welcome please email them to Dragos Ruiu at 
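Review bot: the new title line `+SNORT FAQ Version 1.8.1' - 13 August 2001` has a stray apostrophe after `1.8.1`; it should read `SNORT FAQ Version 1.8.1 - 13 August 2001` so it matches the `--END OF FAQ v1.8.1--` marker changed at the bottom of this patch.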
@@ -18,10 +18,25 @@
 Roman Danyliw
 Christopher Cramer
 Frank Knobbe
+Phil Wood   
+Toby Kohlenberg
+Ramin Alidousti
+Jim Hankins
+Dennis Hollingworth
+Paul Howell 
+Erek Adams
+Stef Mit    
+Ofir Arkin
+Jason Haar
+Blake Frantz
+Lars Norman Søndergaard
+Brent Erickson
 
-Frequently Asked Questions about "snort"
+-----------------------------------------------------------------------------
 
 
+Frequently Asked Questions about "snort"
+
 
 Section 1: Snort Background
 --------------------------
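Review bot: three of the added contributor lines (`Phil Wood   `, `Paul Howell `, `Stef Mit    `) carry trailing spaces; trim them so the list is consistent with the existing entries above it.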
@@ -68,6 +83,8 @@
 3.12 Q: Which takes precedence, commandline or rule file ?
 3.13 Q: How does rule ordering work?
 3.14 Q: How do I configure stream4?
+3.15 Q: Where does one obtain new/modifed rules? How do you merge them in?
+3.16 Q: How do you get the latest snort via cvs?
 
 Section 4: Snort Rules and Alerts
 ---------------------------------
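Review bot: `modifed` in the added 3.15 table-of-contents entry should be `modified`; the same misspelling appears in the 3.15 question heading in the body of this patch, so fix both so the contents entry and the heading stay identical.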
@@ -88,6 +105,7 @@
 4.15 Q: What about 'SMB Name Wildcard' alerts?
 4.16 Q: What the heck is a SYNFIN scan?
 4.17 Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives.  
How can I turn this detection off?
+4.18 Q: How do I test snort alerts and logging?
 
 
 Section 5: Getting Fancy
@@ -100,6 +118,7 @@
 5.6 Q: Snort complains about the "react" keyword...
 5.7 Q: How do I get snort to e-mail me alerts?
 5.8 Q: How do I log a specific type of traffic and send alerts to syslog?
+5.9 Q: Is it possible to have snort call an external program when an alert is raised?   
 
 Section 6: Problems
 -------------------
@@ -124,7 +143,8 @@
 6.17 Q: Snort is not logging to syslog
 6.18 Q: I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from 
is in my $DNS_SERVERs var
 6.19 Q: Why chrooted snort die when I send it a SIGHUP? 
-
+6.20 Q: My snort crashes, how do I restart it? 
+6.21 Q: Why can't snort see one of either the 10Mbps or 100Mbps traffic on my autoswitch hub
 
 
 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
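Review bot: the added 6.21 contents entry (`one of either the 10Mbps or 100Mbps traffic`) does not match the 6.21 heading in the body (`one of the 10Mbps or 100Mbps`); use one wording in both places, and end the question with a `?` as the neighbouring entries do. The 6.20 entry also has trailing whitespace after `restart it? `.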
@@ -154,6 +174,8 @@
 
 A: http://lists.sourceforge.net/mailman/listinfo/snort-users
 
+   Also look in the USAGE file in the distribution.
+
 1.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q:  Where can I get more reading and courses about IDS?
 
@@ -180,7 +202,10 @@
 1.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: Does Snort handle IP defragmentation?
 
-A: Yes, use "preprocessor defrag"
+A: Yes, use "preprocessor frag2"  or "preprocessor defrag" or "preprocessor defrag2"
+
+   Each has slightly different capabilities.
+
    Snort also currently has the "minfrag" rule option available that looks for
    tiny fragments and can generate alerts based upon the size of the fragments
    alone.  This is a valid strategy because there is virtually no commercially
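Review bot: the rewritten 1.5 answer now names three preprocessors (`frag2`, `defrag`, `defrag2`) but says only that "Each has slightly different capabilities", which leaves the reader unable to choose. State which one is the current one for this 1.8.1 release and whether more than one may be enabled at once (running two defragmenters over the same traffic is almost certainly not what a reader wants), or point to where the differences are documented.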
@@ -198,13 +223,11 @@
    session loggin, tcp reassembly and much much more... Check the FAQ question
    on configuring stream4.
 
-
 1.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: Does Snort perform stateful protocol analysis? 
 
 A: Yes, see above answer regarding stream4 preprocessor
 
-
 1.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: I'm on a switched network, can I still use Snort?
 
@@ -830,8 +853,32 @@
    the integrated system to enable higer performance implementations of
    Snort.
    
---faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+Q: Where does one obtain new/modifed rules? How do you merge them in?
+
+A: New rules can be downloaded via CVS (See next question) or alternatively
+   may be found at www.snort.org and snort.sourcefire.com.  There is
+   a mailing list dedicated to snort rules, called appropriately enough
+   snort-rules hosted at sourceforge.
+
+   to merge in new rules check out the snortpp program in the contribr
+   directory.
+
+3.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+Q: How do you get the latest snort via cvs?
+
+A: The snoRt project's SourceForge CVS repository can be checked outr
+   through anonymous (pserver) CVS with the following instruction set.
+   The module you wish to check out must be specified as the modulename.r
+   When prompted for a password for anonymous, simply press the Enter key.
+
+   cvs -d:pserver:anonymous () cvs snort sourceforge net:/cvsroot/snort login
+
+   cvs -z3 -d:pserver:anonymous () cvs snort sourceforge net:/cvsroot/snort co modulename 
 
+   Updates from within the module's directory do not need the -d parameter.
+
+ 
 
 
 
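Review bot: several words in the added 3.15/3.16 text look like stray keystrokes rather than typos of real words: `contribr` (should be `contrib`), `snoRt`, `checked outr` and `modulename.r`; `modifed` should be `modified`. In the two `cvs` command lines the repository root reads `anonymous () cvs snort sourceforge net`, which is the list archive's obfuscation of the address (`@` and dots replaced); confirm the committed FAQ carries the literal pserver root, because the commands fail as displayed here. Also, the `+ ` line after `Updates from within the module's directory do not need the -d parameter.` adds a whitespace-only line to the file.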
@@ -925,8 +972,73 @@
 4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: What are all these "ICMP destination unreachable" alerts?
 
-A: They are failed connections ICMP unreach packet carries first 64
-   bytes of the original datagram.
+A: ICMP is the acronym for Internet Control Message Protocol
+   They are failed connections ICMP unreach packet carries first 64
+   bits(8bytes) or more of the original datagrami and the original IP header.
+
+   The ICMP Destination Unreachable (message type 3) is sent back to the
+   originator when an IP packet could not be delivered to the destination
+   address.  The ICMP Code indicates why the packet could not be delivered.
+    The original codes are:
+         0       net unreachable
+         1       host unreachable
+         2       protocol unreachable
+         3       port unreachable
+         4       fragmentation needed and DF bit set
+         5       source route failed
+
+
+   As far as why... "it all depends..."
+
+   ICMP Unreachable Error Messages are divided into two groups:
+   - ICMP Unreachable Error Messages issued by routers (all 16 of them)
+   - ICMP Unreachable Error Messages issued by a Host (only 2)
+
+   What are the only 2 issued by a host?
+   ICMP Port Unreachable - the destination port on the targeted host is
+                           closed (a.k.a. not in a listening state).
+   ICMP Protocol Unreachable - the protocol we were trying to use is not
+                           being used on the targeted host.
+
+
+   Both ICMP Type field and Code field indicates why the packets could
+   not be delivered.  Some snort ICMP alerts" are informational like the ICMP
+   alerts found in icmp-info.rules.  At this time there are no references
+   or even classtypes associated with these rules.
+
+   Other rules are more likely to be associated with untoward activity.  For
+   example, in icmp.rules you will find:
+
+      alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger";
+      content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158;
+      classtype:attempted-recon; sid:465; rev:1;)
+
+   which has a reference where the importance might be determined by checking
+   out the aracnids reference.  The classtype may indicate more or
+   less the relative importance of the event.
+
+   When a destination UDP port is closed on the targeted host, a.k.a. not
+   in a listening state, the targeted host will issue an ICMP Port Unreachable
+   error message back to the offending packets source IP address, given in
+   the query.  Some programs use these messages, like traceroute with *nix
+   based machines. Windows based machines (tracert) will default to
+   ICMP Echo requests...
+
+   For further information about this see
+         IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
+         ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
+         TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
+         UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt
+
+   and
+
+   http://www.iana.org/assignments/icmp-parameters
+
+   Actually, putting this URL somewhere handy is a good idea:
+
+   http://www.iana.org/
+
+   There is also a good ICMP paper on http://www.sys-security.com/
 
 4.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
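Review bot: the sentence `They are failed connections ICMP unreach packet carries first 64 bits(8bytes) or more of the original datagrami and the original IP header.` was ungrammatical in the old text and the rewrite keeps it while adding a stray `i` on `datagram`; rewrite it as two sentences saying that the unreachable message quotes the original IP header plus at least the first 64 bits (8 bytes) of its data, since that embedded fragment is what lets a reader tie the alert back to the failed connection. Further in the hunk: `ICMP alerts"` has an unmatched quote, `aracnids` should be `arachnids` (it is spelled correctly inside the quoted rule), and the two counts are inconsistent: if the host-issued group is "only 2" of the 16 destination-unreachable codes, the router-issued group cannot also be "all 16"; say "the remaining 14" or drop the counts.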
@@ -1035,6 +1147,26 @@
 
        preprocessor http_decode: 80 8080 -unicode -cginull
 
+   Your own internal users normal surfing can trigger these alerts in the
+   preprocessor. Netscape in particular has been known to trigger them.
+
+   Instead of disabling them,try a BPF filter to ignore your outbound http
+   traffic such as:
+
+   snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80)
+
+   This has worked very well for us over a period of 5-6 months and Snort is
+   still very able to decode actual and dangerous cgi null and unicode attacks
+   on our public web servers.
+
+
+4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+Q: How do I test snort alerts and logging?
+
+A: Try a rule that will fire off all the time like:
+
+   alert tcp any any -> any any (msg:"TCP traffic";)
+
 
 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 
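Review bot: the added command `snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80)` will not run as written, because the parentheses are shell syntax; the BPF expression must be quoted, e.g. `snort -d -A fast -c snort.conf 'not (src net xxx.xxx and dst port 80)'`. The answer should also say that a BPF filter is applied before any rule runs, so this excludes all outbound port-80 traffic from `src net xxx.xxx` from every rule, not just from the two http_decode checks; that is the trade-off being made. Minor: `users normal surfing` should be `users' normal surfing`, and `them,try` needs a space. In the 4.18 answer, the test rule `alert tcp any any -> any any (msg:"TCP traffic";)` is fine, but note that it fires on every TCP packet and should be removed once logging has been verified.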
@@ -1182,7 +1314,26 @@
    > Just my $0.02.
    >                         
 
-   
+   Danger Will Robinson: Conventional wisdom says that 
+   auto-blocking is inherently dangerous. 
+
+   However, for those that like to live at the 
+   bleeding edge of tech (and the separate
+   process scanning logs and processing
+   firewall commands sounds like a good 
+   way to do this...):
+
+   Please remember to include an exclusion list and put 
+   on them important sites such as root servers, other 
+   important dns servers (yours, and important sites for 
+   your users), and in general any host you don't want 
+   to receive phone calls about being DoSed when
+   they are spoofed - usually inconveniently like that 
+   first time you actually manage to get on vacation....
+   (i.e. imagine "Crisis: the ceo can't reach his favorite 
+   redlite.org game.... you have to fly back from the 
+   carribean asap....")   
+
 5.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: Snort complains about the "react" keyword...
 
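Review bot: the exclusion-list requirement is the part of this added text a reader skimming the FAQ needs, so consider making it the first sentence rather than placing it after the "bleeding edge" aside. Spelling: `carribean` should be `Caribbean`; several of the added lines (`Conventional wisdom says that `, `bleeding edge of tech (and the separate`, `asap....")   `) end in trailing spaces.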
@@ -1212,6 +1363,33 @@
 
 Then just do a telnet and type 'redalerttest'.  Presto, alerts to both.
 
+ 
+5.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+Q: Is it possible to have snort call an external program when an alert is raised?   
+
+   Calling another program from within your main IDS loop is
+   generally a bad idea.  Having your IDS block while waiting
+   for <something> of dubious reliability and origin nevermind
+   timing while the packets are piling up is inviting packet loss.
+   Especially with the already oh-so-consistent "Gee I think
+   I'll go away for a minute" rock steady even cpu slicing
+   Windows gives you (that's sarcasm, sorry). Go  with the
+   second approach.... process invokation is expensive on 
+   Windows.
+
+   You want to keep that IDS task humming and munching
+   packets as efficiently as possible with as few interruptions
+   as possible, imho, and not be invoking the penalty of
+   process invocation.... particularly on Windows where
+   process invocation is much much heavier task than *nix.
+
+   Even in a secondary process... You'll probably find
+   something that stays "awake" all the time will work out
+   much more nicely than something that gets "woken up"
+   on a per alert basis for the aforementioned reasons.
+  
+   As a better alternative go check out swatch or logwatch.
+
 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 
 ***************************************
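Review bot: the added 5.9 answer lacks the `A:` prefix every other answer uses, and it refers to "the second approach" without ever stating a first or second approach, so the reader cannot tell what is being recommended beyond "go check out swatch or logwatch". One sentence naming the two options that the text argues between (calling the external program from inside snort's packet loop, versus a separate long-running process that watches the alert output) would make the answer self-contained. Minor: `invokation` should be `invocation`, `Go  with` has a double space, and the question line ends in trailing spaces.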
@@ -1309,7 +1487,9 @@
 
 A:  The Linux IP stack doesn't report lost packet stats.  This may be changing
     in version 2.4 of Linux, but for now you just don't get them.  Try one
-    of the BSDs, they work just fine.
+    of the BSDs, they work just fine. This also has been recently fixed with
+    the 2.4 kernel in the new version of libpcap... upgrade kernels and libpcap
+    and it should now work.
 
 6.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: My /var/log/snort directory get very large.....
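Review bot: the amended 6.7 answer now contradicts itself: it still says `for now you just don't get them.  Try one of the BSDs` and then adds that this `has been recently fixed with the 2.4 kernel`. Collapse it into one statement: older Linux kernels and libpcap do not report lost-packet counts; with a 2.4 kernel and the new libpcap they are reported; on anything older, use a BSD. The sentence `This may be changing in version 2.4 of Linux` should then go, since the next sentence says it has changed.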
@@ -1551,6 +1731,117 @@
 
 A: It's a known problem with permissions. Workaround, restart snort instead.
 
+   But the short answer is this:  Due to the way the execv(2) call works, it
+   "Restarts" snort from scratch.  This has the odd side effect of making HUPS to
+   a chrooted snort become recursive.  For example, chroot to /snort.  It now
+   sees /snort as / .  Now HUP snort.  Snort now expects to have /snort/snort as
+   / .  In other words, you have to re-create your directories for your jail
+   inside it.  4 HUPS and you will be in /snort/snort/snort/snort .  *bleh*
+
+
+6.20 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+Q: My snort crashes, how do I restart it? 
+
+A: Try this shell script or daemontools 
+
+#!/bin/sh
+#snorthup: Snort Restarter and Crash Logger 
+#(dr () kyx  net with help from kmaxwell () superpages com)  
+$conf = "snort.conf"
+for $IFACE in fxp0 fxp1
+do
+    if [ -f /var/run/snort_$IFACE.pid ]; then
+        if !  ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
+            /usr/bin/logger -p user.notice snorthup: removing bogus pidfile
+            /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $i
+            rm -f /var/run/snort_$IFACE.pid
+            /usr/local/bin/snort -D -c $conf -i $IFACE
+        fi;
+   else
+       /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
+       /usr/local/bin/snort -D -c $conf -i $IFACE     
+   fi 
+done
+
+6.21 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
+Q: Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub
+
+   Basically it's a function of the design and all autoswitching hubs will behave
+   in this way.  It's the result of just not being able to stuff all the 100 Mbps
+   traffic into the 10Mbps CSMA/CD.  One solution I use to the problem is
+   these new cheapie four port switches... put all the 10Mbps on it's own
+   hub/switch/whatever and then route that to the 100Mbps hub I use for monitoring
+   but put a cheapie switch in between that works as an adapter basically
+   mediating the 10 up to 100 and vice versa.
+
+
+   The bad thing about hubs that _don't_ have this "feature", is that
+   in order to support 10bt devices, they throttle the entire hub speed
+   down to 10bt if there is one or more 10bt only devices hooked up to it.
+   I have seen this behavior (and did the bandwidth tests to proove it) on
+   old 3com office connect 10/100 hubs (newer ones do the 2 hubs with a switch
+   thing.)  So, the point of what I am saying is, since these old hubs have
+   no switching capabilities, and they don't know which port the traffic is
+   supposed to go to (no switch=no arp table), they have to throttle bandwidth.
+
+   None of the hubs and switches have any significant amount of storage
+   on the ethernet chip sets, and therefore _any_ non-layer-three box that
+   has 100 -> 10 capability can only handle small amounts of traffic before
+   the chip set drops incoming packets on the floor. Guess one might call
+   that throttled bandwidth, but at the expense of retransmission timeouts
+   and retransmissions at the end nodes.
+   
+   If the box has a backplane, multiple cards and some network management
+   functions, there is a higher _probability_ the manufacturer has some
+   additional buffering going on to keep dropped packets from happening
+   on at least small bursts of traffic.
+
+   In the most generic of terms, if a box supports 100 "full-duplex", then
+   its a switch (regardless of what the manufacturer calls it). If it
+   supports 100 -> 10, there is 50-50 chance the box has some MAC address
+   awareness. If a box only supports 10 -> 10 or 100 -> 100, there is a
+   high probability it is not MAC address aware and therefor functions
+   like a hub.
+
+   Many hubs have  different back planes, ie one for 10 one for 100.
+
+   From a definition standpoint, a hub segment whether it be 10 or 100 is
+   a single broadcast/collision domain.  You will not see ANY traffic
+   between segements without a bridge or layer3 route function between
+   them.
+  
+   In a switched environment, typically each port is a separate collision
+   domain but one big broadcast domain.  VLANs can be created in some to
+   separate into separate broadcast domains and some have built in layer
+   3 functionality which basically connects a router into the backplane
+   so that it can route between vlans at wire speed.
+  
+   Think of a switch as a bridge with many ports.  (that's what it is).
+   Some switches support port mirroring or span ports.  When you want to
+   "sniff" frames in a switched environment (beyond just
+   broadcast/multicast traffic) you need to be able to "see" the unicast
+   traffic (telnet,http for example).  You set up a port to mirror
+   traffic from the ports that have the devices your interested in to the
+   port you have your analysis device plugged into.  Without doing so,
+   you don't see the unicast conversations because the traffic is getting
+   "switched" accross the backplane so pc on port 1 talks to server on
+   port 2 and no other ports get this traffic. If server on port 2
+   broadcasts or multicasts, the information is flooded out all ports.
+   (multicast can be controlled on some switches so only those ports that
+   have listening stations get the traffic.  Not all switches have these
+   capabilities.
+  
+   An excellent book on the topic is Interconnections by Radia Perlman.
+   (Bridges and Routers).
+  
+   Additional caveat: if you deal with full duplex on a switched port,
+   only a tap would save you - users have succesfully used Shomiti's
+   ones on 100MB FD ports, and used two Snort instances, capturing
+   traffic on both directions. Port mirroring didn't work in that case ...
+
 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 
---END OF FAQ v1.8--
+--END OF FAQ v1.8.1--
+
+
+
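Review bot: the `snorthup` script in the added 6.20 answer does not run under `/bin/sh` as written. `$conf = "snort.conf"` must be `conf="snort.conf"`: with the leading `$` and the spaces, the empty `$conf` disappears and the shell tries to run a command named `=`. `for $IFACE in fxp0 fxp1` must be `for IFACE in fxp0 fxp1`, otherwise it is a syntax error. The second `logger` line prints `with conf file $i`, but `$i` is never set; it should be `$conf` as in the other logger line. Also worth a sentence in the answer: `ps -p` only checks that some process with that pid exists, so a pid recycled by an unrelated program will make the script believe snort is still running. Elsewhere in the hunk: the 6.21 answer lacks the `A:` prefix and its question has no `?`; the parenthesis opened at `(multicast can be controlled` is never closed; spelling: `proove`, `segements`, `accross`, `therefor`, `succesfully`, `it's own` (should be `its own`), `your interested` (should be `you're interested`). The three `+` blank lines after `--END OF FAQ v1.8.1--` append trailing whitespace-only lines to the file.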

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

