Snort mailing list archives
RE: Snort-users digest, Vol 1 #1408 - 11 msgs
From: "Steve Smashnuk" <Steve () internetsecure com>
Date: Mon, 17 Dec 2001 11:06:54 -0500
Hey cutie,

For whatever reason, your outlook is still using my old digital signature, so I can't read the encrypted poop. Can you open this up, right click on my name, and add to contacts again. Not sure why the last one didn't work.

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Monday, December 17, 2001 9:33 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1408 - 11 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: Test question (Paul Cardon)
   2. Re: Test question (Jose Celestino)
   3. Re: Test question (James)
   4. Re: Test question (Paul Cardon)
   5. Re: Test question (Erik Fichtner)
   6. RE: Test question (Ronneil Camara)
   7. help for snort with mysql (Gongya Yu)
   8. Re: Test question (Ralf Hildebrandt)
   9. How to exit Snort for Windows correctly? (Eder Fagundes da Silva)
  10. IDScenter (v1.09) problems summarized (Rich Adamson)
  11. Re: How to exit Snort for Windows correctly? (John Sage)

--__--__--

Message: 1
Date: Sun, 16 Dec 2001 22:39:37 -0500
From: Paul Cardon <paul () moquijo com>
To: Jose Celestino <japc () co sapo pt>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Test question

Jose Celestino wrote:

> Thus spake Paul Cardon, on Sun, Dec 16, 2001 at 10:13:35PM -0500:
> > Jose Celestino wrote:
> > > And how the hell did you intend to get a "uid=0(root)" out of a supposedly encrypted connection?
> >
> > Wow, Jose. You just flunked the test. Good thing this was a practice run. ;^)
>
> Wrong, this is exploit specific. The exploit that has been running around does an id after a successful exploit. Of course, the overflow occurs at key exchange and so no encryption yet to prevent this kind of data from being sniffed.

It doesn't matter where the overflow occurs actually. The encryption will only remain if the injected code is able to maintain it in some way. Typically it will just use the open socket and all communication will be in the clear. There may not be enough room to do more or it is too complex to be worth the trouble.

-paul

--__--__--

Message: 2
Date: Mon, 17 Dec 2001 03:32:42 +0000
From: Jose Celestino <japc () co sapo pt>
To: Paul Cardon <paul () moquijo com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Test question

True. But...do I pass now? Please please please... :)))

-- 
Jose Celestino <japc () co sapo pt>
---------------------------------

--__--__--

Message: 3
From: "James" <the_saint_james () yahoo com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Test question
Date: Sun, 16 Dec 2001 20:50:40 -0700

> Interesting - this email exchange triggered this rule in my system, giving me a moment's heart palpitation. :) It saw it on port 25 - so I knew it was either legit email, or a new hack of sendmail.

The same thing happened to me last night, the alert was on my mail server, and for a little while there I thought someone had root on mail, till I saw the port! Glad to have confirmation on this issue.

--__--__--

Message: 4
Date: Sun, 16 Dec 2001 22:50:36 -0500
From: Paul Cardon <paul () moquijo com>
To: Greg Herlein <gherlein () herlein com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Test question

Greg Herlein wrote:
> > alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
>
> Interesting - this email exchange triggered this rule in my system, giving me a moment's heart palpitation. :) It saw it on port 25 - so I knew it was either legit email, or a new hack of sendmail. I'll probably add a new rule to turn this off if on port 25 or I'll get more similar false positives. I'm not sure how to trigger on it on port 25 if it's not in email.... gotta think about that.

Think about this. It was triggered when you saw it with a source of $EXTERNAL_NET and a destination of $HOME_NET. Do you care about it coming inbound? Swap the source and destination and you are more likely to trigger on a real compromise. Or you could just be replying to this e-mail. ;^)

-paul

--__--__--

Message: 5
Date: Mon, 17 Dec 2001 00:10:14 -0500
From: Erik Fichtner <emf () servervault com>
To: Paul Cardon <paul () moquijo com>
Cc: Jose Celestino <japc () co sapo pt>, Phil Wood <cpw () lanl gov>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Test question
Reply-To: emf () servervault com

Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:
> alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
>
> I'd like to compliment the person who developed this rule. Secondly, I'd like to propose a question to tickle your fancy. If the second any were 22, and the first any was on your network, what would the classtype be?

I propose a new classtype: "game-over.you-lose.". [1]

You know, the only thing wrong with that rule is that it falses every time anyone talks about that rule in an email and then you have to go dig up the packet to make sure that your mail relay hasn't been porked (unless, for some reason, you read your snort-users BEFORE you read your alarm messages, in which case, shame on you.)

[1] Or maybe something with more of a new millennium feel to it, like "you-are-the-weakest-link-goodbye". More apropos for worm compromises.

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900

--__--__--

Message: 6
Subject: RE: [Snort-users] Test question
Date: Mon, 17 Dec 2001 00:23:30 -0600
From: "Ronneil Camara" <ronneilc () remingtonltd com>
To: <snort-users () lists sourceforge net>

Hi guys,

It's only now that I checked my snort alerts. I found out that I had 35 "ATTACK RESPONSES id check returned root" alerts on port 25. How would I turn this false positive off?

Thanks.

--__--__--

Message: 7
Date: Sun, 16 Dec 2001 22:21:10 -0800
From: Gongya Yu <yu () gongya net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] help for snort with mysql

Any suggestion is really appreciated.

    overtheway.gongya.net:/usr/local/snort # bin/snort -t /usr/local/snort -c /etc/snort.conf -l /log
    Log directory = /log
    Initializing Network Interface eth0

    --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Initializating Output Plugins!
    Parsing Rules file /etc/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    No arguments to frag2 directive, setting defaults to:
        Fragment timeout: 60 seconds
        Fragment memory cap: 4194304 bytes
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        State alerts: INACTIVE
        Scan alerts: ACTIVE
        Log Flushed Streams: INACTIVE
    No arguments to stream4_reassemble, setting defaults:
        Reassemble client: ACTIVE
        Reassemble server: INACTIVE
        Reassemble ports: 21 23 25 53 80 143 110 111 513
        Reassembly alerts: ACTIVE
    Back Orifice detection brute force: DISABLED
    Using LOCAL time
    database: compiled support for ( mysql )
    database: configured to use mysql
    database: user = snort
    database: password is set
    database: database name = snort
    database: host = localhost
    database: sensor name = 12.230.80.112
    database: mysql_error: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
    Fatal Error, Quitting..
    overtheway.gongya.net:/usr/local/snort # ls -l /tmp
    total 16
    drwx------    2 root     root         4096 Dec 15 13:27 kde-root
    drwx------    2 root     root         4096 Dec 15 14:52 ksocket-root
    drwx------    3 root     root         4096 Dec 15 14:52 mcop-root
    srwxrwxrwx    1 mysql    mysql           0 Dec 15 18:59 mysql.sock
    drwx------    2 root     root         4096 Dec  2 17:30 orbit-root

It happens on Redhat 7.2 and FreeBSD 4.4

The following testing code works:

    #include "/usr/local/mysql/include/mysql/mysql.h"
    #include <stdio.h>
    #include <stdlib.h>

    int main()
    {
        MYSQL *mysql;

        mysql = mysql_init(NULL);
        if (mysql_real_connect(mysql, "localhost", "snort", "pwd", "snort", 0, NULL, 0) == 0) {
            fprintf(stderr, "Failed to connect to database: Error: %s\n", mysql_error(mysql));
            mysql_close(mysql);
            return 1;   /* report the failure instead of falling through to the success message */
        }
        mysql_close(mysql);
        printf("Connection is successful\n");
        return 0;
    }

But the same code in spo_database.c does not work.

    #ifdef ENABLE_MYSQL
        if(!strcasecmp(data->shared->dbtype,MYSQL))
        {
            mysql_sock = mysql_init(NULL);
            data->m_sock = mysql_init(NULL);
            if(data->m_sock == NULL)
            {
                FatalError("database: Connection to database '%s' failed\n", data->shared->dbname);
            }
            if(data->port != NULL)
            {
                x = atoi(data->port);
            }
            else
            {
                x = 0;
            }
            /* original call, taking host, user, password and database from the output plugin config: */
            // if(!mysql_real_connect(mysql_sock, data->shared->host, data->user, data->password, data->shared->dbname, x, NULL, 0) )
            /* hard-coded with the same values as the standalone test program: */
            if(!mysql_real_connect(mysql_sock, "localhost", "snort", "pwd", "snort", 0, NULL, 0) )
            {
                if(mysql_errno(mysql_sock))
                {
                    FatalError("database: mysql_error: %s\n", mysql_error(mysql_sock));
                }
                FatalError("database: Failed to logon to database '%s'\n", data->shared->dbname);
            }
            printf("Connection is successful\n");
            exit(0);
        }
    #endif

Gongya Yu

--__--__--

Message: 8
Date: Mon, 17 Dec 2001 07:30:24 +0100
From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Test question

On Sun, Dec 16, 2001 at 08:50:40PM -0700, James wrote:
> > port 25 - so I knew it was either legit email, or a new hack of sendmail.
>
> The same thing happened to me last night, the alert was on my mail server, and for a little while there I thought someone had root on mail, till I saw the port! Glad to have confirmation on this issue.

Don't use sendmail then...

-- 
Ralf Hildebrandt (on behalf of Referat V A)       Ralf.Hildebrandt () charite de
Charite Campus Virchow-Klinikum                   Tel.  +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze                 Fax.  +49 (0)30-450 570-916
What about the four lusers of the apocalypse? I nominate: "advertising", "can't log in", "power switch" and "what backup?" Runners-up: "But I only changed one line" and "What's the any key"?

--__--__--

Message: 9
From: Eder Fagundes da Silva <eder.fagundes () minasbrasil com br>
To: "Snort Users List (E-mail)" <snort-users () lists sourceforge net>
Date: Mon, 17 Dec 2001 09:57:30 -0300
Subject: [Snort-users] How to exit Snort for Windows correctly?

Hello guys,

I am a recent Win32 Snort user and I am evaluating the software. Excuse my ignorance but I didn't find the answer for it in the Snort documentation.

I would like to know the correct way to exit snort on a DOS prompt. When I run snort from a dos prompt it keeps executing and my prompt stays locked. So I type a "Control+C" to exit its processing.

This way, when I run the command "snort -l ./log -b" it generates a binary file with my log. But when I try to read it with a "snort -dv -r snort-1213 () 1732 log", snort gives the following message:

    Log directory = log
    TCPDUMP file reading mode.
    Reading network traffic from "snort-1213 () 1732 log" file.
    ERROR => unable to open file "snort-1213 () 1732 log" for readback: snort-1213 () 1732 log: No such file or directory
    Fatal Error, Quitting..

I guess it is because I am exiting the program the wrong way and so it is corrupting the output file.

Somebody could give me some help?
Thanks in advance

Eder Fagundes

--__--__--

Message: 10
Date: Mon, 17 Dec 2001 06:53:15 -0600
From: Rich Adamson <radamson () routers com>
To: Snort Developers Postings <snort-devel () lists sourceforge net>, Snort Users Postings <snort-users () lists sourceforge net>
Subject: [Snort-users] IDScenter (v1.09) problems summarized

Windows users only...

The IDScenter (v1.09) does not function properly given the latest SourceFire windows distribution of Snort (v1.8.3) due to:

1. The SourceFire installation now places the executables in the "\Program Files\Sourcefire\Snort" tree. The IDScenter software does not quote the -c option (as in "\Program Files\...."), which snort then parses as "\Program" due to the space in the directory name.

2. The IDScenter button "Creat script" assumes that itself and snort reside on the C: drive. On a dual-boot system where Win2k is installed on the E: drive, the create script consistently inserts the C: drive designator where the E: drive has been specified. In addition, IDScenter forces the "Snort Commandline" to the "Program Files" location (regardless of what has been specified). The Snort Commandline is displayed as Read-Only, not allowing the user to correct the readily observed problems. As a result, since the script cannot be generated the IDScenter can never start Snort.

3. Given the above, if one can persuade the Create Script function to acknowledge file locations, executing the "Test Configuration" results in a command-line window opening with Snort objecting to not finding the snort.conf file (due to #1 above). Exiting this command window causes the IDScenter to abort without recording any of the previously entered settings. Starting IDScenter again creates all new default values (as opposed to using the previously defined parameters).

The above errors have been reported to the author at iuk () gmx ch as of this morning. There are no known workarounds.

The normal Add/Remove programs (control panel) will not remove IDScenter from the system without first rebooting the system. Presumably this is due to the IDScenter not stopping properly, leaving the software executing without a tray icon, giving one the impression that it actually had been stopped.

Rich

--__--__--

Message: 11
Date: Mon, 17 Dec 2001 06:31:43 -0800
From: John Sage <jsage () finchhaven com>
To: Eder Fagundes da Silva <eder.fagundes () minasbrasil com br>
CC: "Snort Users List (E-mail)" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] How to exit Snort for Windows correctly?

Eder:

I too have recently put on the Win32 version of snort after using snort on Linux for a while; the Win32 version works well but I haven't needed to do what you are doing, yet..

That said, did you try giving the full path to the log file on the command line? I would assume that your working directory is the snort directory.

- John

-- 
Computers: they're really just nothing but l's and O's
--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
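The "Test question" messages in the digest above turn on one point: sid 498 matches the string "uid=0(root)" in any TCP payload, so a mail message that merely quotes the rule sets it off on port 25, while Paul Cardon's suggestion (watch $HOME_NET as the source) and Greg Herlein's (leave port 25 out) narrow it to the case Phil Wood describes, an internal host answering from port 22. The following is an added example, not code from the thread or from the Snort project: a small Python evaluator for the header part of a Snort rule, run over constructed packets, that shows the shipped header alerting on both inbound and outbound mail and the narrowed header alerting only on the port-22 answer. The HOME_NET range, the four packets, the refined rule's msg and its sid are assumptions; flags:A+, flow state and stream reassembly are deliberately not modelled.

```python
"""Toy evaluator for the header part of a Snort tcp alert rule (added example,
not from the thread or from Snort). Modelled: address specs (any / CIDR /
$VAR / '!' negation), port specs (any / N / lo:hi / '!N'), the -> and <>
operators and a plain content: match. Everything else Snort does
(flags:, flow state, reassembly, preprocessors) is left out on purpose."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed snort.conf-style variables; assumption: 192.0.2.0/24 is "our" network.
VARS = {
    "HOME_NET": ["192.0.2.0/24"],
    "EXTERNAL_NET": ["!$HOME_NET"],
}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def addr_match(spec: str, ip: str) -> bool:
    """'any', a CIDR block, a $VARIABLE (a list of specs), or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec.startswith("$"):
        return any(addr_match(s, ip) for s in VARS[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec: str, port: int) -> bool:
    """'any', one port, a lo:hi range (either end may be open), or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


RULE_RE = re.compile(
    r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    """Split a one-line tcp alert rule into its header fields plus msg and content."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    src, sport, direction, dst, dport, opts = m.groups()
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    content = re.search(r'content:\s*"([^"]*)"', opts)
    return {
        "src": src, "sport": sport, "dir": direction, "dst": dst, "dport": dport,
        "msg": msg.group(1) if msg else "",
        "content": content.group(1).encode() if content else b"",
    }


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header must fit (both ways for <>) and the content bytes must be in the payload."""
    def one_way(src, sport, dst, dport):
        return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
                and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))

    header_ok = one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule["dir"] == "<>":
        header_ok = header_ok or one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return header_ok and rule["content"] in pkt.payload


def fired(rule_text: str, packets) -> list:
    """Indices of the packets the rule would alert on."""
    rule = parse_rule(rule_text)
    return [i for i, p in enumerate(packets) if rule_matches(rule, p)]


# The rule exactly as quoted in the thread (sid 498 rev 2).
SID_498 = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
           'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')

# Paul's swap ($HOME_NET -> $EXTERNAL_NET) plus Greg's port 25 exclusion so that
# outgoing mail quoting the string is not an alert either. msg and sid are constructed.
REFINED = ('alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ATTACK RESPONSES id check '
           'returned root (outbound)"; flags:A+; content: "uid=0(root)"; '
           'classtype:bad-unknown; sid:1000498; rev:1;)')

# Constructed packets; addresses are documentation ranges, payloads are made up.
SAMPLE = [
    # 0: this digest arriving at the internal mail server (the false positive James and Ronneil saw)
    Packet("198.51.100.7", 40231, "192.0.2.25", 25, b'Subject: Re: Test question\r\n\r\ncontent: "uid=0(root)"\r\n'),
    # 1: the internal mail server relaying a reply that quotes the rule to an outside MX
    Packet("192.0.2.25", 52100, "198.51.100.7", 25, b'> content: "uid=0(root)"; classtype:bad-unknown;\r\n'),
    # 2: an internal host answering from port 22 with the output of id: Phil's "game over" case
    Packet("192.0.2.10", 22, "198.51.100.99", 33412, b"uid=0(root) gid=0(root) groups=0(root)\n"),
    # 3: ordinary outbound web traffic, nothing to match
    Packet("192.0.2.10", 49152, "198.51.100.99", 80, b"GET / HTTP/1.0\r\n\r\n"),
]


if __name__ == "__main__":
    for text in (SID_498, REFINED):
        print(parse_rule(text)["msg"], "->", fired(text, SAMPLE))
```

Run as a script it prints the packet indices each rule alerts on: the shipped header fires on packets 0, 1 and 2, the refined header only on packet 2. The direction swap alone is not enough (packet 1 is mail leaving $HOME_NET), which is why the port 25 exclusion is kept alongside it.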