Snort mailing list archives
RE: Snort-users digest, Vol 1 #3302 - 13 msgs
From: edward.hawkins () acuitysp com
Date: Thu, 26 Jun 2003 12:22:55 -0400
How is Home_Net defined when using SnortCenter? I have installed acid and snortcenter and, based on the install process, how do you specifically define your home_net in snortcenter? I know how to manually do it, but how do you do it in snortcenter?

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, June 26, 2003 12:01 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3302 - 13 msgs

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: fatal error starting snort (Jason K. Boykin)
   2. Re: Log vs Alert (Erek Adams)
   3. Re: Snort rule question (Erek Adams)
   4. Re: re: snortcenter/using a sensor with no ip address (Erek Adams)
   5. Re: fatal error starting snort (Erek Adams)
   6. RE: Snort Sensor Placement Outside Firewall (Erek Adams)
   7. RE: Re.: Snort Sensor Placement Outside Firewall (Michael Steele)
   8. Fw: [Snort-users] Snort Sensor Placement Outside Firewall (Tom Sevy)
   9. Re: Log vs Alert (list)
  10. trouble specifying more than one HOME_NET variable (Philip Davidson)
  11. hardware requirements (Brei, Matt)
  12. Alerts not Detected during Import? (Dusty Hall)
  13. Re: trouble specifying more than one HOME_NET variable (Erek Adams)

--__--__--

Message: 1
From: "Jason K. Boykin" <jboykin () summit-research-corp com>
Organization: Summit Research Corp.
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] fatal error starting snort
Date: Thu, 26 Jun 2003 08:21:24 -0500
> Erek, I'm afraid that you're wrong here: snortcenter doesn't seem to support Snort 2.0 properly, and although there are submitted patches they're not included into snortcenter yet.
>
> Cheers, Joerg
If you look here http://users.pandora.be/larc/ the page says there is support for snortcenter with snort 2.0. I've got a friend running it with mysql and it works great for him. I however tried getting it to run with postgres and no luck there so far. Gotta find more time to play with it though. It appears to be timing out or freezing on some of the java menu functions for me on 3 different browsers.

--__--__--

Message: 2
Date: Thu, 26 Jun 2003 09:28:54 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Matt Geiger <geigerreal () hotmail com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Log vs Alert

On Wed, 25 Jun 2003, Matt Geiger wrote:
> What is the difference between "output database: log" and "output database: alert"? I looked in the readme.database and that was no help. This is a newbie question I know, but alert just seems to do more and take longer.
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 3
Date: Thu, 26 Jun 2003 09:31:31 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: James Lay <slave_tothe_box () yahoo com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule question

On Thu, 26 Jun 2003, James Lay wrote:
> So ok....trying to catch those naughty spammers using:
>
>   alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
>
> Now the above rule works. I originally had:
>
>   alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
>
> And it did not work. Any reason the two aren't equivalent?
Well, logically they are.... The <- operator never really worked and was removed from the code. What version of Snort are you running? Recent versions should have said that the <- was invalid.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 4
Date: Thu, 26 Jun 2003 09:38:15 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: lindsay.hunt () ustug net
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] re: snortcenter/using a sensor with no ip address

On Thu, 26 Jun 2003 lindsay.hunt () ustug net wrote:
> I am running Snort 2.0 with Acid on Redhat 8. The Snort box has 2 interfaces; eth0 has an ip address and is used to administer the box; eth1 doesn't have an ip address and is plugged into a mirror port. I am running snort with the '-i eth1' option. I have installed Snortcenter and would like to use it to simplify rule management. When I attempt to add the sensor eth1 (no ip address) in Snortcenter, it appears that Snortcenter wants an ip address for the sensor. When I attempt to push the rule set to the sensor and then reload, Snortcenter complains that it cannot connect to eth1 due to the fact that it doesn't have an ip address. Is there a way around this?
<smart_ass_answer_mode>
Sure! It's an easy fix! Don't use Snortcenter.
</smart_ass_answer_mode>

Seriously, don't use it. There seem to be a few issues with Snortcenter and v2.0. I'd suggest that until they are worked out, it's not used.

If this truly is an error with SC, then you'll need to see if the author(s) can get that fixed. If it's a problem with your startup script, then that's a different issue. What are the specifics of your error?

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 5
Date: Thu, 26 Jun 2003 09:43:13 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Joerg Weber <j.weber () infos de>
cc: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] fatal error starting snort

On Thu, 26 Jun 2003, Joerg Weber wrote:
> I'm afraid that you're wrong here: snortcenter doesn't seem to support Snort 2.0 properly, and although there are submitted patches they're not included into snortcenter yet.
Hrm... I guess the Snortcenter webpage needs an update to that fact then. Besides, with Snortcenter and IDSCenter is it any wonder that I get confused?! ;-)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 6
Date: Thu, 26 Jun 2003 09:51:25 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Michael Steele <michaels () winsnort com>
cc: 'Rich Lichvar' <rlichvar () knowledgeresourcecenter com>, "'Snort Users List (E-mail)'" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort Sensor Placement Outside Firewall

On Wed, 25 Jun 2003, Michael Steele wrote:
> You forgot to mention the time that may be involved in sorting through the massive amount of data with a sensor on the outside.
More like "didn't mention" vs. "forgot". Usually unless someone is just feeling masochistic, the information overload from outside the firewall is usually changed/toned down ASAP.
> What could be some of the possibilities that make that scenario a possible solution, when the IDS could or should in most cases be placed on the near side of the firewall?
http://www.theadamsfamily.net/~erek/snort/ids_placement.txt

That one has been beaten to death so many times it's not even funny. You can place it before or after the FW, but I think that's a choice that has to be made after testing. I don't think there is a hard and fast answer to 'where?'. You're going to almost always have to test/retest to check out how it works and how you want to handle it.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 7
From: "Michael Steele" <michaels () winsnort com>
To: <rlichvar () knowledgeresourcecenter com>, "'Snort Users List (E-mail)'" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Re.: Snort Sensor Placement Outside Firewall
Date: Thu, 26 Jun 2003 07:23:14 -0700

Rich,

Thanks for the acknowledgements :)

Even though companies sell commercial sensors and they have great support, they don't know everything, and it is a very good idea to seek alternative answers elsewhere, like in the snort-users forum. That list has a wealth of knowledge behind it and should be utilized whenever possible.

You took the incentive to go outside the box and seek other alternatives, and my hat goes off to you; most would have settled with the canned answer from the support department.

Cheers...

-Michael Steele
--
System Engineer / Security Support Technician
mailto:michaels () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Lichvar
Sent: Thursday, June 26, 2003 6:11 AM
To: Snort Users List (E-mail)
Subject: [Snort-users] Re.: Snort Sensor Placement Outside Firewall

We decided to dump the idea for now.
Given the massive amount of data that would be collected and the lack of time to analyze it, this seems to be the best path for us (and probably a bad idea anyway).

BTW, many thanks to Michael Steele of Silicon Defense. We're using the Silicon Defense Sentrus boxes and are, on the whole, quite happy with them. (Any problems we've had have been ours, not theirs.) Michael has been a great help to us in getting our Sentrus boxes and Snort running on them, back up to snuff.

Richard L. Lichvar
Director, Operations
Knowledge Resource Center, Inc.
Phone: 703-848-2100 x228
Fax: 703-848-4747
Mobile: 571-221-3430

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 8
From: "Tom Sevy" <tsevy () epx com>
To: <Snort-users () lists sourceforge net>
Subject: Fw: [Snort-users] Snort Sensor Placement Outside Firewall
Date: Thu, 26 Jun 2003 10:52:16 -0400

Put it on the outside for testing -- you should get more data than on the inside. Then decide after the testing about where to position it, as Erek said.

On Wed, 25 Jun 2003, Michael Steele wrote:
> [...snip...]

--__--__--

Message: 9
From: "list" <list () diverdown cc>
To: Erek Adams <erek () snort org>, Matt Geiger <geigerreal () hotmail com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Log vs Alert
Date: Thu, 26 Jun 2003 08:48:37 -0600

After reading the link below... can I have snort write both logs and alerts to the database??

Thanks
GSR
--
Open WebMail Project (http://openwebmail.org)

--__--__--

Message: 10
From: Philip Davidson <Philip () dpc-paris com>
To: "Snort Users (snort-users () lists sourceforge net)" <snort-users () lists sourceforge net>
Date: Thu, 26 Jun 2003 10:44:26 -0500
Subject: [Snort-users] trouble specifying more than one HOME_NET variable

Hello all,

I am trying to specify my $HOME_NET variable to be two separate internal LANs. After making the below change, I tried to start snort back up and it would not start. After issuing a "/etc/init.d/snort start", my startup script tells me that it is up and running. But then I issue a "ps -ef|grep snort" and there is no snort. Any idears?

Here is a section of my conf:

    var HOME_NET [192.168.1.0/24,192.168.5.0/24]

    # Set up the external network addresses as well.
    # A good start may be "any"
    var EXTERNAL_NET !$HOME_NET

    # Configure your server lists. This allows snort to only look for attacks
    # to systems that have a service up. Why look for HTTP attacks if you are
    # not running a web server? This allows quick filtering based on IP addresses
    # These configurations MUST follow the same configuration scheme as defined
    # above for $HOME_NET.

    # List of DNS servers on your network
    var DNS_SERVERS $HOME_NET

    # List of SMTP servers on your network
    var SMTP_SERVERS $HOME_NET

    # List of web servers on your network
    var HTTP_SERVERS $HOME_NET

    # List of sql servers on your network
    var SQL_SERVERS $HOME_NET

    # List of telnet servers on your network
    var TELNET_SERVERS $HOME_NET

    # Configure your service ports. This allows snort to look for attacks
    # destined to a specific application only on the ports that application
    # runs on. For example, if you run a web server on port 8081, set your
    # HTTP_PORTS variable like this:
    #
    # var HTTP_PORTS 8081
    #
    # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
    # We will adding support for a real list of ports in the future.
    # Ports you run web servers on
    var HTTP_PORTS 80

    # Ports you want to look for SHELLCODE on.
    var SHELLCODE_PORTS !80

    # Ports you do oracle attacks on
    var ORACLE_PORTS 1521

Thanks in advance

Philip Davidson
DPC, Inc.
1015 Maurice Fields Dr.
Paris, TN 38242
731-642-8627

--__--__--

Message: 11
Date: Thu, 26 Jun 2003 11:56:11 -0400
From: "Brei, Matt" <mbrei () medclaiminc com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] hardware requirements

Greetings,

I would like to get an idea on what type of hardware you are all running snort on and what size network it services. I plan on using snort/MySQL/acid to monitor internet usage and log policy violation on a network with about 100 users. I have the same basic set up at home with snort running on a 450 K6-2 logging to MySQL/acid on a 1100 Athlon, both using PC133 and standard IDE drives (ATA100 and UDMA66). With this many users and having all of the components (snort/MySQL/acid) all on 1 machine, would it be a good idea to go with SCSI, DDR and 10/100/1000? This setup also needs to be scalable up to about 250 users.
Thanks,
Matt Brei

--__--__--

Message: 12
Date: Thu, 26 Jun 2003 10:58:50 -0500
From: "Dusty Hall" <halljer () auburn edu>
To: <Snort-users () lists sourceforge net>
Subject: [Snort-users] Alerts not Detected during Import?

We are experiencing a problem with Snort not reporting Alerts that we have in our rules files. Here's some background:

We copy our Snort tcpdump logs from our sniffer to our MySQL/ACID system and then import the tcpdump logs into ACID/MySQL. From the looks of our alert files the specific alerts were detected by our sniffer but not by Snort on our DB box. So what I'm trying to ask is, do the tcpdump log files from our sniffer box have all detected alerts in tcpdump format that were sniffed on the wire? Is there enough information from the tcpdump files from our sniffer to process again and pull out the same alerts?

Here's the steps we use: (Yes, we have identical rules on both systems and both have the same version of Snort.)
Sniffer:
  snort.conf output snip -> "output log_tcpdump: snort-log"
  /usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -D -b -o -i eth1 -A fast

-------

DB Import:
  snort.conf output snip -> "output database: alert, mysql, user=snort password=xxxxxxx dbname=snort host=localhost"
  /usr/local/bin/snort -N -dve -c /usr/local/snort/etc/snort.conf -l /usr/local/snort/logs -dr /usr/local/snort_logs/tcplogs/snort-logifle.log

Note: After I run the import and look at the newly created "alert" file, it is much smaller than the "alert" file from our sniffer.

Any help would be greatly appreciated. I'm open to new ways of doing this!

Thanks,
-Dusty

--__--__--

Message: 13
Date: Thu, 26 Jun 2003 12:00:18 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Philip Davidson <Philip () dpc-paris com>
cc: "Snort Users (snort-users () lists sourceforge net)" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] trouble specifying more than one HOME_NET variable

On Thu, 26 Jun 2003, Philip Davidson wrote:
> I am trying to specify my $HOME_NET variable to be two separate internal LANs.
Easily done.
> After making the below change, I tried to start snort back up and it would not start. After issuing a "/etc/init.d/snort start", my startup script tells me that it is up and running. But then I issue a "ps -ef|grep snort" and there is no snort. Any idears?
>
> Here is a section of my conf:
>
>     var HOME_NET [192.168.1.0/24,192.168.5.0/24]
[...snip...]

That's fine. It sounds like there is another error in your snort.conf. I'll also bet that your startup script calls Snort with the '-D' parameter. To check for your real error, just start Snort as your script does, just without the '-D'. Then you should see your true error. Once you have that, let us know and we'll see what we can do.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
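Two questions in this digest come down to how Snort reads an address spec and a rule header: Philip Davidson's two-LAN HOME_NET (Messages 10 and 13, where Erek confirms the [a,b] list syntax is fine) and James Lay's "<-" rule (Message 3, where Erek notes the two spellings were logically equivalent but "<-" was removed). The following Python is an added example, not Snort's own parser and not code from anyone in this thread. It resolves "var" definitions in the forms that appear on this page (a [a,b] list, "!" negation, "$VAR" references, "any"), tests an address against the resolved spec, flags a "<-" header the way a recent Snort would reject it, and rewrites such a header into the equivalent "->" form by swapping the two endpoint pairs. The function names, and the SAMPLE_CONF text assembled from the lines quoted in the thread, are my own constructions.

```python
import ipaddress
import re

# Constructed from the snort.conf lines and rules quoted in this digest.
SAMPLE_CONF = """\
var HOME_NET [192.168.1.0/24,192.168.5.0/24]
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS $HOME_NET
"""
OLD_RULE = ('alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; '
            'content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)')
NEW_RULE = ('alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; '
            'content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)')

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$", re.MULTILINE)
# action proto src sport direction dst dport [ (options) ]
RULE_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>|<-)\s+(\S+)\s+(\S+)\s*(\(.*\))?\s*$",
                     re.DOTALL)


def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines into a dict; a later definition wins."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(conf_text)}


def resolve_ip_spec(spec, variables, depth=0):
    """Expand an address spec into (negated, networks) where networks is a
    list of ip_network objects or the string 'any'. Handles '!', '$VAR',
    '[a,b,...]' and plain CIDR/host forms; nested '!' or 'any' inside a list
    is rejected rather than silently misread."""
    if depth > 16:
        raise ValueError("variable reference loop in %r" % spec)
    negated = False
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:]
    if spec == "any":
        if negated:
            raise ValueError("!any matches nothing")
        return False, "any"
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise KeyError("undefined variable $%s" % name)
        inner_neg, nets = resolve_ip_spec(variables[name], variables, depth + 1)
        return negated ^ inner_neg, nets
    if spec.startswith("[") and spec.endswith("]"):
        nets = []
        for item in spec[1:-1].split(","):
            item_neg, item_nets = resolve_ip_spec(item.strip(), variables, depth + 1)
            if item_neg or item_nets == "any":
                raise ValueError("unsupported element %r inside a list" % item)
            nets.extend(item_nets)
        return negated, nets
    return negated, [ipaddress.ip_network(spec, strict=False)]


def ip_matches(ip, spec, variables):
    """True if the address falls inside the spec after negation is applied."""
    negated, nets = resolve_ip_spec(spec, variables)
    if nets == "any":
        return True
    addr = ipaddress.ip_address(ip)
    hit = any(addr in n for n in nets)
    return hit != negated


def parse_rule_header(rule):
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport", "options")
    return dict(zip(keys, m.groups()))


def lint_rule(rule, variables):
    """Return the problems a config check would report for one rule:
    the withdrawn '<-' operator and any undefined $VAR on either side."""
    h = parse_rule_header(rule)
    problems = []
    if h["direction"] == "<-":
        problems.append("direction '<-' is no longer valid; use '->' with the endpoints swapped")
    for side in ("src", "dst"):
        try:
            resolve_ip_spec(h[side], variables)
        except (KeyError, ValueError) as exc:
            problems.append("%s: %s" % (side, exc))
    return problems


def normalize_direction(rule):
    """Rewrite a '<-' header as the equivalent '->' header by swapping the
    address/port pairs; other rules are returned reassembled unchanged."""
    h = parse_rule_header(rule)
    if h["direction"] == "<-":
        h["src"], h["dst"] = h["dst"], h["src"]
        h["sport"], h["dport"] = h["dport"], h["sport"]
        h["direction"] = "->"
    parts = [h["action"], h["proto"], h["src"], h["sport"], h["direction"],
             h["dst"], h["dport"], h["options"]]
    return " ".join(p for p in parts if p)


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    print(lint_rule(OLD_RULE, v))
    print(normalize_direction(OLD_RULE) == NEW_RULE)
```

The lint step mirrors the check Erek suggests for Philip's problem: run the configuration through a parser that reports the first real error instead of trusting a startup script that only reports that it launched the process.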
Current thread:
- RE: Snort-users digest, Vol 1 #3302 - 13 msgs edward . hawkins (Jun 27)
- Re: RE: Snort-users digest, Vol 1 #3302 - 13 msgs Rodrigo Goya (Jun 27)