Snort mailing list archives

Re: Snort-users digest, Vol 1 #787 - 8 msgs


From: "ORA" <LSMITH147 () nc rr com>
Date: Mon, 9 Jul 2001 20:32:32 -0400

kvdb is a snortaholic. No one needs any tech information
from someone who can't spell. Get me someone who can
help me with the information I am looking for.
Thanks......
----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Monday, July 09, 2001 3:04 PM
Subject: Snort-users digest, Vol 1 #787 - 8 msgs


Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Snort+database HOWTO??? (Peter Bates)
   2. How to keep internal traffic out of "HTTP decode" (Marcus Vinícius de Melo Rocha)
   3. Re: Misc - Zone Transfer False Positives (Paul Asadoorian)
   4. RE: Snort+database HOWTO??? (Peter Bates)
   5. Introducing HogWash (Jed Haile)
   6. Database logging (gerhard () wtci net)
   7. Re: Connection lost (Luca Mauri)
   8. RE: Database logging (Kevin Brown)

--__--__--

Message: 1
Date: Mon, 9 Jul 2001 16:18:39 +0100
To: snort-users () lists sourceforge net
From: Peter Bates <peter.bates () lshtm ac uk>
Subject: [Snort-users] Snort+database HOWTO???


Hello all...

Probably wiser to wait for the arrival of snort-1.8,
but I thought I'd explore logging to a PostgreSQL db.

I'm using the stock snort-1.7 (i.e. getting on a bit)
RPM, but rebuilt with postgresql option...

I have the following line in snort.conf:

output database: log, postgresql, dbname=snort user=snort host=localhost password=xxx

But all I get is:

Jul  9 16:11:09 sykes snort: database: Connection to database 'snort' failed

If I'm on the machine as the user 'snort', and
power up 'psql snort', I can do:

snort=> select * from event
snort-> ;
  sid | cid | signature | timestamp
-----+-----+-----------+-----------
(0 rows)

fine and dandy...

Can anyone point me to a really noddy HOWTO on
how to get the two working, or am I doing something
REALLY stupid?


Otherwise, I think I'll wait for the 'proper' release of 1.8...



--__--__--

Message: 2
From: Marcus Vinícius de Melo Rocha <marcus () limiar com br>
To: <snort-users () lists sourceforge net>
Date: Mon, 9 Jul 2001 12:33:43 -0300
Subject: [Snort-users] How to keep internal traffic out of "HTTP decode"

Hi all!

I am setting up a Linux box to run Snort in my net. I have noticed that
both inbound and outbound traffic are going through the "HTTP decode
plugin". As I have a lot of outbound traffic, I would like to avoid "HTTP
decode" looking at this traffic. Any ideas? I could use IPChains to keep
this traffic off my Linux box, but I would like to know if there's anything
in Snort to do the same.

Best regards,
Marcus



--__--__--

Message: 3
Date: Mon, 09 Jul 2001 12:14:19 -0400
From: Paul Asadoorian <paul.com () home com>
To: Martin Roesch <roesch () sourcefire com>,
        snort-users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Misc - Zone Transfer False Positives

Sure:

#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: 2; depth: 16;)

Snort Information:

-*> Snort! <*-
Version 1.7

Running on:
SunOS <hostname> 5.8 Generic sun4u sparc SUNW,Ultra-5_10




Martin Roesch wrote:

Can you give us the SID of the rule (or the rule itself) that's firing?

     -Marty

Paul Asadoorian wrote:

All:

I have been getting a large number of DNS zone transfers.  After further
investigation I noticed that my mail server was triggering this rule every
minute or so with most of the packets looking like this:

07/09-10:32:39.885532 MY.DNS.SERVER.9:53 -> MY.MAIL.SERVER.202:38356
TCP TTL:63 TOS:0x0 ID:37893 IpLen:20 DgmLen:856 DF
***AP*** Seq: 0xE82EEF59  Ack: 0xCC2A0F95  Win: 0x60F4  TcpLen: 20
03 2E 9F 90 81 80 00 01 00 17 00 05 00 11 07 68  ...............h
6F 74 6D 61 69 6C 03 63 6F 6D 00 00 FF 00 01 C0  otmail.com......
0C 00 02 00 01 00 00 0B 08 00 06 03 6E 73 31 C0  ............ns1.
0C C0 0C 00 02 00 01 00 00 0B 08 00 06 03 6E 73  ..............ns
32 C0 0C C0 0C 00 02 00 01 00 00 0B 08 00 06 03  2...............
6E 73 33 C0 0C C0 0C 00 02 00 01 00 00 0B 08 00  ns3.............
06 03 6E 73 34 C0 0C C0 0C 00 02 00 01 00 00 0B  ..ns4...........
08 00 0C 03 6E 73 31 05 6A 73 6E 65 74 C0 14 C0  ....ns1.jsnet...
0C 00 01 00 01 00 00 0B 08 00 04 40 04 2C 07 C0  ...........@.,..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 2D 07 C0  ...........@.-..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 34 07 C0  ...........@.4..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 35 07 C0  ...........@.5..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 36 07 C0  ...........@.6..
0C 00 01 00 01 00 00 0B 08 00 04 40 04 2B 07 C0  ...........@.+..
0C 00 0F 00 01 00 00 0B 0B 00 0D 00 0A 03 6D 63  ..............mc
32 04 6C 61 77 35 C0 0C C0 0C 00 0F 00 01 00 00  2.law5..........
0B 0B 00 0E 00 0A 03 6D 63 31 05 6C 61 77 31 33  .......mc1.law13
C0 0C C0 0C 00 0F 00 01 00 00 0B 0B 00 08 00 0A  ................
03 6D 63 32 C1 08 C0 0C 00 0F 00 01 00 00 0B 0B  .mc2............
00 08 00 0A 03 6D 63 33 C1 08 C0 0C 00 0F 00 01  .....mc3........
00 00 0B 0B 00 08 00 0A 03 6D 63 34 C1 08 C0 0C  .........mc4....
00 0F 00 01 00 00 0B 0B 00 08 00 0A 03 6D 63 35  .............mc5
C1 08 C0 0C 00 0F 00 01 00 00 0B 0B 00 08 00 0A  ................
03 6D 63 36 C1 08 C0 0C 00 0F 00 01 00 00 0B 0B  .mc6............
00 08 00 0A 03 6D 63 34 C0 EF C0 0C 00 0F 00 01  .....mc4........
00 00 0B 0B 00 08 00 0A 03 6D 63 35 C0 EF C0 0C  .........mc5....
00 0F 00 01 00 00 0B 0B 00 08 00 0A 03 6D 63 36  .............mc6
C0 EF C0 0C 00 0F 00 01 00 00 0B 0B 00 08 00 0A  ................
03 6D 63 37 C0 EF C0 0C 00 0F 00 01 00 00 0B 0B  .mc7............
00 08 00 0A 03 6D 63 31 C0 EF C0 0C 00 02 00 01  .....mc1........
00 00 0B 08 00 02 C0 29 C0 0C 00 02 00 01 00 00  .......)........
0B 08 00 02 C0 3B C0 0C 00 02 00 01 00 00 0B 08  .....;..........
00 02 C0 4D C0 0C 00 02 00 01 00 00 0B 08 00 02  ...M............
C0 5F C0 0C 00 02 00 01 00 00 0B 08 00 02 C0 71  ._.............q
C0 29 00 01 00 01 00 00 08 4C 00 04 D8 C8 CE 8C  .).......L......
C0 3B 00 01 00 01 00 00 08 4C 00 04 D8 C8 CE 8B  .;.......L......
C0 4D 00 01 00 01 00 00 08 4C 00 04 D1 B9 82 44  .M.......L.....D
C0 5F 00 01 00 01 00 00 07 D0 00 04 40 04 1D 18  ._..........@...
C0 71 00 01 00 01 00 00 05 BA 00 04 D1 01 71 03  .q............q.
C0 EB 00 01 00 01 00 00 01 42 00 04 40 04 37 87  .........B..@.7.
C1 04 00 01 00 01 00 00 01 42 00 04 40 04 31 07  .........B..@.1.
C1 1E 00 01 00 01 00 00 01 42 00 04 40 04 31 47  .........B..@.1G
C1 32 00 01 00 01 00 00 01 42 00 04 40 04 31 87  .2.......B..@.1.
C1 46 00 01 00 01 00 00 01 42 00 04 40 04 31 C7  .F.......B..@.1.
C1 5A 00 01 00 01 00 00 01 42 00 04 40 04 32 07  .Z.......B..@.2.
C1 6E 00 01 00 01 00 00 01 42 00 04 40 04 32 47  .n.......B..@.2G
C1 82 00 01 00 01 00 00 01 42 00 04 40 04 38 87  .........B..@.8.
C1 96 00 01 00 01 00 00 01 42 00 04 40 04 38 C7  .........B..@.8.
C1 AA 00 01 00 01 00 00 01 18 00 04 40 04 37 07  ............@.7.
C1 BE 00 01 00 01 00 00 01 42 00 04 40 04 2A 07  .........B..@.*.
C1 D2 00 01 00 01 00 00 01 42 00 04 40 04 37 47  .........B..@.7G


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Is this normal?  It just started happening over the weekend and the same
rule has been in place for at least a week now.  I have commented out the
rule for now but would really like to run with it without having this high
number of false positives.  Are these really false positives or just large
DNS queries (>484 bytes) that are triggering tcp port 53?

Thanks,

Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
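The hex dump above decodes far enough to answer Paul's question, so here is a small Python example, added here and not part of the thread: it parses the DNS-over-TCP length prefix, header and question section from the first two rows of the captured packet, and applies the rule's content/offset/depth match (Snort 1.x semantics: search for the pattern inside payload[offset:offset+depth]) to constructed sample queries. Decoded, the captured packet is a response (QR bit set, 23 answers, 5 authority and 17 additional records) to an ANY query for hotmail.com, and the rule's 10-byte pattern is simply a standard-query header (flags 0x0100, one question, no other sections), which every TCP DNS query carries whether or not it asks for a zone transfer (QTYPE 252, AXFR). The query builder, the QTYPE name table and the constructed sample queries are illustrations, not anything from the thread.

```python
import struct

# Bytes copied from the first two rows of the hex dump in Paul's post: the
# 2-byte TCP length prefix, the 12-byte DNS header and the question section.
CAPTURED_RESPONSE = bytes.fromhex(
    "032E 9F90 8180 0001 0017 0005 0011"        # len, id, flags, qd, an, ns, ar
    "07 686F746D61696C 03 636F6D 00 00FF 0001"  # "hotmail" "com" \0, QTYPE ANY, class IN
)

# The content match from the IDS212 rule: |01 00 00 01 00 00 00 00 00 00|
# at offset 2, depth 16.
RULE_CONTENT = bytes.fromhex("01000001000000000000")
RULE_OFFSET, RULE_DEPTH = 2, 16

# Assumed name table for the QTYPEs that matter here (illustration only).
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 252: "AXFR", 255: "ANY"}


def parse_name(buf, pos):
    """Read an uncompressed label sequence starting at pos; return (name, next_pos)."""
    labels = []
    while True:
        length = buf[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not expected in a question section
            raise ValueError("compressed name in question section")
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos


def parse_tcp_dns(buf):
    """Decode the TCP length prefix, DNS header and first question of a message."""
    length, ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHHH", buf[:14])
    qname, pos = parse_name(buf, 14)
    qtype, qclass = struct.unpack("!HH", buf[pos:pos + 4])
    return {
        "length": length,
        "id": ident,
        "is_response": bool(flags & 0x8000),   # QR bit
        "opcode": (flags >> 11) & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


def rule_matches(payload):
    """Apply the rule's content/offset/depth test to a TCP payload."""
    window = payload[RULE_OFFSET:RULE_OFFSET + RULE_DEPTH]
    return RULE_CONTENT in window


def build_tcp_query(name, qtype, ident=0x1234):
    """Construct a standard DNS-over-TCP query (flags 0x0100: RD set, QR clear).
    Sample input for the demonstration, not a captured packet."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    msg = (struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
           + labels + b"\x00" + struct.pack("!HH", qtype, 1))
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    print(parse_tcp_dns(CAPTURED_RESPONSE))
    print("captured response matches rule:", rule_matches(CAPTURED_RESPONSE))
    print("ANY query matches rule:", rule_matches(build_tcp_query("hotmail.com", 255)))
    print("AXFR query matches rule:", rule_matches(build_tcp_query("example.com", 252)))
```

Running it shows why the signature is noisy: the pattern never looks at the question's QTYPE, so an ordinary lookup that falls back to TCP because the reply is too large for a 512-byte UDP datagram (this one is 816 bytes of payload, matching the DgmLen of 856) is indistinguishable, at the header level, from an AXFR request. A narrower detection would check the QTYPE field in the question section rather than only the header counts.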



--__--__--

Message: 4
Date: Mon, 09 Jul 2001 17:17:39 +0100
From: Peter Bates <Peter.Bates () lshtm ac uk>
To: snort-users <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort+database HOWTO???


Hello again all...

User error, I suspect, caused my problems...

I fiddled with so many things that I don't really
know what I changed!

First of all postgres(postmaster) wasn't starting
with the -i option, and so was only opening a
Unix domain socket... I presume, following that,
that the snort db plugin explicitly uses TCP/IP sockets.

I also might have had ipchains/iptables on the box filtering
out the accesses (but that seems unlikely), but the real
show-stopper was my strange combination of logging
and command-line switches...

For historical reasons, I've been logging to syslog (to watch,
and to use snort-stat), to /var/log/snort (to contribute to
the securityfocus ARIS project), and I was now trying to
have a quick look at ACID to then remove one of the other logging forms...

I was starting snort with:

snort -u snort -g snort -de -D -o -i ethx -N -l /var/log/snort -c /etc/snort.conf

and the -N was making the merry thing segfault.

Then in snort.conf I had:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_full: alert
output database: log, postgresql, etc. etc. etc.


A case of 'too many command-line options and outputs spoil the snort'.





--------------------------------------------------------------------------------
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362



--__--__--

Message: 5
From: Jed Haile <jed () grep net>
Reply-To: jed () grep net
Organization: Nitro Data Systems
To: snort-devel () lists sourceforge net,
 snort-users () lists sourceforge net
Date: Mon, 9 Jul 2001 12:11:34 -0600
Subject: [Snort-users] Introducing HogWash

Fellow snorters,

A new tool is available for your enjoyment!  Hogwash, the snort based
inline packet scrubber.  It is basically a snort detection engine with the
ability to drop or forward packets based on a rules decision.  Needless to
say you will need to select rules that are not prone to false positives.

It uses libpcap for packet acquisition and libnet to do the packet
forwarding, no ip stacks are needed, so the packet scrubber can be run in a
nearly invisible configuration. It forwards packets without changing TTL,
mac addresses or any other part of the packet.  Unless you want it to.
Hogwash has full access to the packet stream so you could write a plugin
to, ahem, alter packets as well. Check out spp_uni_scrub.c for an example.

It is still a little rough around the edges, and undergoing active
development. In the finest open source tradition it is lightly documented.
It is also very functional and in use on some production networks. Check it
out at:
http://hogwash.sourceforge.net

We will be setting a Hogwash scrubber up on the CTF network at DefCon and
it will be configured to protect a stock unpatched RH 6.2 box. We'll see how
long it lasts.  Bring your favorite kiddie tools and have a go at it!

Give it a try and send any feedback, bug reports, etc to
Jason Larsen <jason () grep net> or  Jed Haile <jed () grep net>.

Have fun!
Jed



--__--__--

Message: 6
From: gerhard () wtci net
To: snort-users () lists sourceforge net
Date: Mon, 9 Jul 2001 14:19:25 -0400
Subject: [Snort-users] Database logging

Hi Guys,

I'm trying to log to MySQL or Postgresql, but have no joy.
This is my Setup :
OS= Red Hat 7.1
Have MySQL + Postgresql working , did a recompile and it detected both the
databases.
I can run SQL queries on all my tables, and have no errors in any logs.
I modified the snort.conf to log to database (tried with either at a time)
Get this error :

snort.conf
######################
ruletype redalert
{
   type alert
   output alert_syslog: LOG_AUTH LOG_ALERT
   output database: log, postgresql, user=snort dbname=snort host=localhost password=abc
}
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules

###############################
[root@drsensor snort]# snort -Afull -c snort.conf

        --== Initializing Snort ==--

Initializing Network Interface eth0
Kernel filter, protocol ALL, TURBO mode (63 frames), raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: command line overrides rules file alert plugin!
WARNING: command line overrides rules file alert plugin!
634 Snort rules read...
634 Option Chains linked into 117 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->log->pass->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch () clark net, www.snort.org)




--__--__--

Message: 7
Reply-To: "Luca Mauri" <luca_mauri () tin it>
From: "Luca Mauri" <luca_mauri () tin it>
To: "snort-users" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Connection lost
Date: Mon, 9 Jul 2001 20:20:49 +0200

----- Original Message -----
From: "Dragos Ruiu" <dr () kyx net>
To: "Luca Mauri" <luca.mauri () libero it>; "Luca Mauri"
<luca.mauri () libero it>; "snort-users" <snort-users () lists sourceforge net>
Sent: Monday, July 09, 2001 8:36 AM
Subject: Re: [Snort-users] Connection lost


You need to tell us the version of snort and what kind of machine and OS
you are running it on.  This is definitely not normal behaviour.  The more
information you can provide about how and where you are using snort
the greater the chances are that someone here can provide assistance.

Snort version is 1.7.
My OS is Windows 2000 Pro SP2 Italian language, my machine is a genuine
Intel PII 450MHz with 320 Mb ram and 10 Gb Hard Disk.

Non-standard services normally running on my PC are: Norton AntiVirus auto
protect, Tiny Personal Firewall, IIS 5.0. I have tried to shut them off but
the problem with SNORT is the same.

Please let me know if I have to provide more and much detailed information.



--------------------------------------
Luca Mauri
luca_mauri () tin it



--__--__--

Message: 8
Date: Mon, 09 Jul 2001 11:28:59 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] Database logging
To: "'gerhard () wtci net'" <gerhard () wtci net>,
snort-users () lists sourceforge net

[root@drsensor snort]# snort -Afull -c snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING: command line overrides rules file alert plugin!
WARNING: command line overrides rules file alert plugin!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

That is why it won't log to the database.  Your command line option of
-Afull is overriding the snort.conf logging options.



--__--__--



End of Snort-users Digest




