Snort mailing list archives

unsubscribe


From: "Marty Hauser" <martyhauser () cox net>
Date: Thu, 30 Oct 2003 20:51:49 -0800



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Thursday, October 30, 2003 9:26 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3696 - 13 msgs

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: RPM config (Daniel Wittenberg)
   2. Re: running oinkmaster - Error: unable to download.....
(Andreas Östling)
   3. Installation of Snort Sensor (edmund.li () alcatel com hk)
   4. How to see how many packets my Snort is dropping (Philip Nedev)
   5. Re: How to see how many packets my Snort is dropping (Mark Nipper)
   6. Installation Problem (Aryan D)
   7. Re: running oinkmaster - Error: unable to download..... (Snortty)
   8. ids + umts (Roberto Bosticardo)
   9. Re: running oinkmaster - Error: unable to download..... (Snortty)
  10. /etc/passwd request increase (Sheahan, Paul)
  11. perl script for snort (keith greenhill)
  12. RPM config (JOHNSON DAVID R)
  13. Snort Alerting Question (ACiD)

--__--__--

Message: 1
Subject: Re: [Snort-users] RPM config
From: Daniel Wittenberg <daniel-wittenberg () starken com>
To: snort-users () lists sourceforge net
Organization: The Starken Group
Date: Wed, 29 Oct 2003 22:31:05 -0600

No, not on by default, to enable:

rpmbuild --rebuild --with flexresp snort-2.0.2-6.src.rpm

Dan


On Wed, 2003-10-29 at 18:42, dvid johnson wrote:
Does the Snort RPM come with the enable flex response option already
configured, or should I use the tarball and enable the option manually?




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
=============================
Daniel Wittenberg
RHCE+AS/IBM Certified Specialist
President/CTO
The Starken Group
http://www.starken.com



--__--__--

Message: 2
Date: Thu, 30 Oct 2003 08:02:36 +0100 (CET)
From: Andreas Östling <andreaso () it su se>
To: Snortty <cwcwcwg () yahoo com>
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] running oinkmaster - Error: unable to
download.....


On Wed, 29 Oct 2003, Snortty wrote:

Can anyone explain why please.

Add the "-v" argument and you should see a better error message.
Maybe you need to setup proxy configuration first?

/Andreas


--__--__--

Message: 3
To: snort-users () lists sourceforge net
From: edmund.li () alcatel com hk
Date: Thu, 30 Oct 2003 16:20:31 +0800
Subject: [Snort-users] Installation of Snort Sensor


Dear all,

I have installed the Snort server 2.0.2 on Red Hat 9.0 with MySQL, ACID,
SnortCenter etc. It seems to be OK (alerts can be detected by a scanning
machine). Now I am starting the sensor on another machine, Red Hat 7.3;
however I do not see any good topic about this. Any suggestions for
creating a sensor properly?

PS: I installed the SnortCenter agent on Red Hat 7.3, and it seems the sensor
can be controlled/watched by the Snort server 2.0.2 (with SnortCenter), e.g. I
can see the status of the sensor; however I cannot see any alert
detection in ACID on the Snort server when I do the same scanning
activities against the sensor.

What I did for the sensor:
1) install mysql 4.0.16 with the without-server option (I do not create any
database at all); do I miss something, or do I need a full
installation with the mysql server option?
2) install tcpdump.3.7.2
3) install libcap-0.7.2
4) install snort-2.0.2
5) snortcenter-agent-v1.0-RC1

Based on the Snort Enterprise implementation guide, it seems the sensor will
send SQL info to the Snort server for analysing.

Edmund


--__--__--

Message: 4
Date: Thu, 30 Oct 2003 00:58:28 -0800 (PST)
From: Philip Nedev <philipsnedev () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Hot to see how many packets my snort is droping

Hi all

Sorry for this stupid question but i am new.

How to see how many packets my Snort is dropping?





--__--__--

Message: 5
Date: Thu, 30 Oct 2003 05:55:00 -0600
From: Mark Nipper <nipsy () tamu edu>
To: Philip Nedev <philipsnedev () yahoo com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to see how many packets my Snort is dropping

On 30 Oct 2003, Philip Nedev wrote:
   How to see how many packets my Snort is dropping?

        Assuming you are running the Unix version of snort, you
can do 'kill -s USR1 PID' where PID is the process id of snort
(find it with 'ps xa | grep snort' or failing that maybe 'ps -ef
| grep snort' (maybe even just 'pidof snort' depending on your
OS)).  This will tell snort to dump out some statistics to either
the console or if you have it running in daemon mode, it will
dump the info to syslog.

        Hopefully that helps!

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy () tamu edu
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy () tamu edu

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
Information flows into the public domain as water to the sea.
Copyright is an increasingly ineffectual dam.
----end random quote of the moment----
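A worked version of the reply above, added here as an example and not part of the original thread: it sends SIGUSR1 the way 'kill -s USR1 PID' does, then parses the statistics line Snort 2.x writes to the console, or to syslog when running as a daemon. The wording of that line ("Snort analyzed N out of M packets, dropping D(P%) packets") is assumed from Snort 2.0's DropStats output and is the one thing to adjust if your version prints it differently; the syslog lines are constructed samples and the 1% threshold is an arbitrary choice. The reason to recompute the rate from the counters: every dropped packet is traffic the sensor never inspected, so a rising drop rate is a detection gap, not a cosmetic statistic.

```python
import os
import re
import signal
import subprocess
import sys
import time

# Stats line as Snort 2.0 writes it after SIGUSR1 (format assumed from
# Snort 2.x's DropStats(); adjust the regex if your version words it differently).
STATS_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets, "
    r"dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\) packets"
)

# Constructed sample syslog lines, not real sensor output.
SAMPLE_SYSLOG = [
    "Oct 30 12:00:01 sensor snort[1767]: Snort analyzed 180213 out of 180213 "
    "packets, dropping 0(0.000%) packets",
    "Oct 30 12:05:01 sensor snort[1767]: Snort analyzed 412900 out of 425000 "
    "packets, dropping 12100(2.847%) packets",
]


def find_snort_pids():
    """PIDs of running snort processes, via pidof as the reply suggests."""
    try:
        out = subprocess.run(["pidof", "snort"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return [int(p) for p in out.split()]


def request_stats(pid):
    """Ask Snort to dump its statistics; the same as 'kill -s USR1 PID'."""
    os.kill(pid, signal.SIGUSR1)


def parse_stats(line):
    """Extract the counters from one stats line, or None if it is not one."""
    m = STATS_RE.search(line)
    if not m:
        return None
    return {k: (float(v) if k == "pct" else int(v))
            for k, v in m.groupdict().items()}


def drop_rate(stats):
    """Drop rate recomputed from the libpcap counters, not the printed percentage."""
    if stats["received"] == 0:
        return 0.0
    return 100.0 * stats["dropped"] / stats["received"]


def check_log(lines, max_pct=1.0):
    """Latest stats record found in the log lines and whether it breaches max_pct."""
    latest = None
    for line in lines:
        s = parse_stats(line)
        if s:
            latest = s
    if latest is None:
        return None, False
    return latest, drop_rate(latest) > max_pct


if __name__ == "__main__":
    # Usage: python snort_drops.py [/var/log/messages]
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/messages"
    for pid in find_snort_pids():
        request_stats(pid)
    time.sleep(1)  # give Snort a moment to write the stats block
    with open(log_path) as fh:
        latest, breached = check_log(fh.readlines()[-500:])
    print(latest, "OVER THRESHOLD" if breached else "ok")
```

Run it from cron at the interval you care about; a sensor that reports a few percent dropped during a scan is exactly the sensor that will miss the packet you wanted it to alert on.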


--__--__--

Message: 6
From: "Aryan D" <aryan_912 () hotmail com>
To: snort-users () lists sourceforge net
Date: Thu, 30 Oct 2003 20:53:27 +0530
Subject: [Snort-users] Installation Problem

Hi ,

When I try to configure the sensor it gives me a sensor message "Error -
Access denied <Sensor IP>".
This is while creating a new sensor in SnortCenter.

Please help; this is the second time I have installed Snort.

Also, while I was trying to install the Snort agent, I got an option to select
the OS, but in the list I was not able to find Red Hat 9, so instead I
selected Red Hat 8. Is it OK?

Aryan




--__--__--

Message: 7
Date: Thu, 30 Oct 2003 07:43:28 -0800 (PST)
From: Snortty <cwcwcwg () yahoo com>
Subject: Re: [Snort-users] running oinkmaster - Error: unable to
download.....
To: "Andreas_Östling" <andreaso () it su se>, Paul Schmehl
<pauls () utdallas edu>
Cc: Snort-users () lists sourceforge net

Andreas, Paul, and All,

Here are two things I have tried: 

# oinkmaster.pl -v -o /tmp/rules
Adding file to ignore list: local.rules.
Adding file to ignore list: snort.conf.
Downloading rules archive from
http://www.snort.org/dl/rules/snortrules-stable.tar.gz...
--15:30:46-- 
http://www.snort.org/dl/rules/snortrules-stable.tar.gz
           => `/tmp/oinkmaster.1767/snortrules.tar.gz'
Resolving www.snort.org... failed: Host not found.

/usr/local/bin/oinkmaster.pl: Error: unable to
download rules from
http://www.snort.org/dl/rules/snortrules-stable.tar.gz
(got error code from wget).

Oink, oink. Exiting...
# 
--------------------------------

# wget -r
http://www.snort.org/dl/rules/snortrules-stable.tar.gz
--15:28:28-- 
http://www.snort.org/dl/rules/snortrules-stable.tar.gz
           =>
`www.snort.org/dl/rules/snortrules-stable.tar.gz'
Resolving www.snort.org... failed: Host not found.

FINISHED --15:28:28--
Downloaded: 0 bytes in 0 files
-----------------------------------

Do I need to install anything such as a web browser
(IE) or HTTP software to make it work?

The firewall should not be an issue here, but is there a
way to quickly test, such as an HTTP command to go to the
internet please (I'm really not close to a Unix guy,
so bear with me a little more please)?

Thanks so much.


--__--__--

Message: 8
Date: Thu, 30 Oct 2003 16:50:48 +0100
From: Roberto Bosticardo <roberto.bosticardo () csp it>
To: snort-users () lists sourceforge net
Subject: [Snort-users] ids + umts

Hi all
i would like to find documentation on ids on GPRS/UMTS networks
any idea ??
-- 
-------------------------------------
Roberto Bosticardo
Intrusion Detection Systems
---------------------------
SecureLAB - CSP Innovazione nelle ICT
Viale Settimio Severo 63
10133 Torino
Phone: +39 011 4815120
ICQ: 15260939
-------------------------------------



--__--__--

Message: 9
Date: Thu, 30 Oct 2003 08:27:37 -0800 (PST)
From: Snortty <cwcwcwg () yahoo com>
Subject: Re: [Snort-users] running oinkmaster - Error: unable to
download.....
To: "Andreas_Östling" <andreaso () it su se>, Paul Schmehl
<pauls () utdallas edu>
Cc: Snort-users () lists sourceforge net


I think it's firewall and proxy related. I tried the below
(using the IP instead of www.snort.org):

# wget -r http://199.107.65.177
--16:13:26--  http://199.107.65.177/
           => `199.107.65.177/index.html'
Connecting to 199.107.65.177:80...

--------------------

Now it does not say "host not found", which indicates
proxy-related issues.

But it can't connect to www.snort.org, so I checked the
firewall log, and it did show HTTP drops.

Questions:
Where do I check the proxy setup for my Snort box?

Any other ideas/suggestions, such as am I on the right
track here?
Thanks.
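An added example, mine rather than anything from the thread, for the two questions Snortty raises in this message and the earlier one: where wget, which oinkmaster runs for the download, takes its proxy settings from, and what "Resolving www.snort.org... failed: Host not found" means. Per wget's manual, its rc files win over the environment (~/.wgetrc over /etc/wgetrc, then the lowercase http_proxy variable), and use_proxy = off switches proxying off wherever it is set. "Host not found" is the sensor's own DNS lookup failing; once a proxy is configured wget resolves only the proxy's name and hands the full URL to it, which is the normal state on a network where only the proxy can reach outside. The rc texts and the host table below are constructed samples, and the resolver is injectable so the check runs offline; verify the precedence against your own wget version before relying on it.

```python
import os
import socket

# Constructed sample rc files, not copied from any real host.
SYSTEM_RC = (
    "# /etc/wgetrc (constructed sample)\n"
    "use_proxy = on\n"
    "http_proxy = http://proxy.example.internal:3128/\n"
)
USER_RC = "# ~/.wgetrc (constructed sample): empty apart from this comment\n"


def parse_wgetrc(text):
    """Parse the 'key = value' lines of a wgetrc; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower().replace("-", "_")] = value
    return settings


def effective_http_proxy(env, user_rc="", system_rc=""):
    """Proxy wget will use for http:// URLs.

    rc settings override the environment (user rc over system rc), and
    use_proxy = off disables proxying regardless of where a proxy was set.
    wget reads the lowercase http_proxy variable.
    """
    merged = parse_wgetrc(system_rc)
    merged.update(parse_wgetrc(user_rc))
    if merged.get("use_proxy", "on").lower() in ("off", "no", "0"):
        return None
    if "http_proxy" in merged:
        return merged["http_proxy"]
    return env.get("http_proxy")


def proxy_hostname(proxy_url):
    """Host part of a proxy URL such as http://user:pw@host:3128/."""
    rest = proxy_url.split("://", 1)[-1]
    rest = rest.split("/", 1)[0]
    rest = rest.rsplit("@", 1)[-1]
    return rest.split(":", 1)[0]


def resolver_from_table(table):
    """Offline stand-in for socket.gethostbyname, for demonstration and tests."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return table[name]
    return resolve


def classify(target_host, proxy, resolve=socket.gethostbyname):
    """Which name wget has to resolve, and whether this box can resolve it.

    With a proxy set, only the proxy name matters; 'Host not found' on the
    target host is then expected and harmless.
    """
    name = proxy_hostname(proxy) if proxy else target_host
    try:
        resolve(name)
    except socket.gaierror:
        return "dns-failure", name
    return "dns-ok", name


def report(target_host="www.snort.org"):
    """Read the real rc files and environment of this box and classify the lookup."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    proxy = effective_http_proxy(os.environ, read(os.path.expanduser("~/.wgetrc")),
                                 read("/etc/wgetrc"))
    verdict, name = classify(target_host, proxy)
    return proxy, verdict, name


if __name__ == "__main__":
    proxy, verdict, name = report()
    print(f"proxy: {proxy or 'none'}; must resolve: {name}; result: {verdict}")
```

If report() says no proxy and dns-failure for www.snort.org while the firewall log shows direct port 80 being dropped, the fix is the proxy line in /etc/wgetrc (or ~/.wgetrc for the user oinkmaster runs as), not a browser; oinkmaster's wget child inherits that configuration unchanged.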






--__--__--

Message: 10
Date: Thu, 30 Oct 2003 11:36:00 -0500
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Subject: [Snort-users] /etc/passwd request increase


Anyone else seeing an increased number of web requests for /etc/passwd
today? I'm seeing a large increase from a large number of different
sources.

Thanks


--__--__--

Message: 11
Date: Wed, 29 Oct 2003 09:17:24 -0800 (PST)
From: keith greenhill <kkg0123 () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] perl script for snort

Please give me a Perl script command for starting and
stopping Snort for an hour at a time.

Thanx




--__--__--

Message: 12
From: JOHNSON DAVID R <david.johnson () hamptonu edu>
To: "'snort-users () lists sourceforge net'"
         <snort-users () lists sourceforge net>
Date: Wed, 29 Oct 2003 19:06:44 -0500
Subject: [Snort-users] RPM config

Does the RPM come with the flexresponse option enabled by default, or
should I use the tarball and configure Snort with the
--enable-flex-response option?


--__--__--

Message: 13
From: "ACiD" <ACiD-0 () comcast net>
To: <snort-users () lists sourceforge net>
Date: Wed, 29 Oct 2003 19:58:56 -0500
Subject: [Snort-users] Snort Alerting Question


I am having a problem figuring out why a certain packet will not alert under
Snort. Below is one such (malformed) packet. Any assistance is greatly
appreciated, and thanks in advance.

Standard Rule (from default chat.rules):
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message";
flow:established; content:"MSG "; depth:4; content:"Content-Type\:";
content:"text/plain"; distance:1; classtype:misc-activity; sid:540;
rev:8;)

Malformed Packet:
05:22:53.884488 xxx.xxx.xxx.xxx.61924 > yyy.yyy.yyy.yyy.1863: P [bad tcp
cksum 4040!] 245:384(139) ack 1 win 16482 (DF) (ttl 122, id 127, len
179, bad cksum ff2a!)
0x0000   4500 00b3 007f 4000 7a06 ff2a 8a61 1258        E.....@.z..*.a.X
0x0010   4004 0c9e f1e4 0747 46f1 28b3 359a 173d        @......GF.(.5..=
0x0020   5018 4062 37b4 0000 4d53 4720 3520 4e20        P.@b7...MSG.5.N.
0x0030   3132 360d 0a4d 494d 452d 5665 7273 696f        126..MIME-Versio
0x0040   6e3a 2031 2e30 0d0a 436f 6e74 656e 742d        n:.1.0..Content-
0x0050   5479 7065 3a20 7465 7874 2f70 6c61 696e        Type:.text/plain
0x0060   3b20 6368 6172 7365 743d 5554 462d 380d        ;.charset=UTF-8.
0x0070   0a58 2d4d 4d53 2d49 4d2d 466f 726d 6174        .X-MMS-IM-Format
0x0080   3a20 464e 3d4d 5325 3230 5368 656c 6c25        :.FN=MS%20Shell%
0x0090   3230 446c 673b 2045 463d 3b20 434f 3d30        20Dlg;.EF=;.CO=0
0x00a0   3b20 4353 3d30 3b20 5046 3d30 0d0a 0d0a        ;.CS=0;.PF=0....
0x00b0   7965 73                                        yes

I just cannot figure out why Snort will not alert on the packet. I
understand that the TCP checksum is bad, therefore I am using the -k
none option. The depth:4 should catch the MSG.

Any ideas ???
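The following is an added example, not part of the poster's message, that takes the packet exactly as dumped above and checks the parts of the rule that a single packet can answer: it reparses the hex dump, recomputes the IP and TCP checksums (both come out wrong, agreeing with tcpdump), confirms destination port 1863 and the PSH/ACK flags, and walks the three content matches with Snort 2's semantics (depth bounds a search from the payload start; distance makes the next search relative to the end of the previous match; a content with neither is searched from the start). All three contents match, which leaves the conditions a lone packet cannot show: checksum verification, which -k none turns off, and flow:established, which Snort 2.0 evaluates from stream4's session state, so a session whose handshake the sensor never saw, or a snort.conf without the stream4 preprocessor, does not satisfy it. Only the standard library is used.

```python
import struct

# The packet as posted (tcpdump -X hex words; the ASCII column is omitted here).
HEXDUMP = """\
0x0000   4500 00b3 007f 4000 7a06 ff2a 8a61 1258
0x0010   4004 0c9e f1e4 0747 46f1 28b3 359a 173d
0x0020   5018 4062 37b4 0000 4d53 4720 3520 4e20
0x0030   3132 360d 0a4d 494d 452d 5665 7273 696f
0x0040   6e3a 2031 2e30 0d0a 436f 6e74 656e 742d
0x0050   5479 7065 3a20 7465 7874 2f70 6c61 696e
0x0060   3b20 6368 6172 7365 743d 5554 462d 380d
0x0070   0a58 2d4d 4d53 2d49 4d2d 466f 726d 6174
0x0080   3a20 464e 3d4d 5325 3230 5368 656c 6c25
0x0090   3230 446c 673b 2045 463d 3b20 434f 3d30
0x00a0   3b20 4353 3d30 3b20 5046 3d30 0d0a 0d0a
0x00b0   7965 73
"""

# The content chain of sid:540 rev:8 as quoted in the post.
SID_540_CHAIN = [
    (b"MSG ", {"depth": 4}),
    (b"Content-Type:", {}),
    (b"text/plain", {"distance": 1}),
]

HEX = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Bytes of a tcpdump -X dump; offsets and any ASCII column are ignored."""
    data = bytearray()
    for line in text.splitlines():
        words = line.split()
        if not words or not words[0].startswith("0x"):
            continue
        for word in words[1:9]:  # at most eight 16-bit words per line
            if word and all(c in HEX for c in word):
                data += bytes.fromhex(word)
    return bytes(data)


def ones_complement_sum(data):
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_header_len(pkt):
    return (pkt[0] & 0x0F) * 4


def ip_header_checksum(pkt):
    """Value the IP checksum field should hold (header with the field zeroed)."""
    ihl = ip_header_len(pkt)
    return checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])


def tcp_segment(pkt):
    ihl = ip_header_len(pkt)
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[ihl:total_len]


def tcp_checksum(pkt):
    """Value the TCP checksum field should hold (pseudo-header + segment)."""
    seg = tcp_segment(pkt)
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    return checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])


def tcp_payload(pkt):
    seg = tcp_segment(pkt)
    return seg[(seg[12] >> 4) * 4:]


def tcp_flags(pkt):
    f = tcp_segment(pkt)[13]
    return "".join(n for i, n in enumerate("FSRPAU") if f & (1 << i))


def match_chain(payload, chain):
    """Snort 2 content matching with the depth and distance modifiers only."""
    last_end = 0
    for pattern, mods in chain:
        base = last_end + mods["distance"] if "distance" in mods else 0
        region = payload[base:]
        if "depth" in mods:
            region = region[:mods["depth"]]
        idx = region.find(pattern)
        if idx < 0:
            return False
        last_end = base + idx + len(pattern)
    return True


def analyse(pkt, chain=SID_540_CHAIN):
    seg = tcp_segment(pkt)
    return {
        "ip_cksum_ok": ip_header_checksum(pkt) == struct.unpack("!H", pkt[10:12])[0],
        "tcp_cksum_ok": tcp_checksum(pkt) == struct.unpack("!H", seg[16:18])[0],
        "flags": tcp_flags(pkt),
        "dst_port": struct.unpack("!H", seg[2:4])[0],
        "content_match": match_chain(tcp_payload(pkt), chain),
    }


if __name__ == "__main__":
    for key, value in analyse(parse_hexdump(HEXDUMP)).items():
        print(f"{key}: {value}")
```

With every visible condition satisfied, the practical check is whether this sensor holds stream4 state for the connection: replaying only this packet with -r, or capturing after the handshake, gives stream4 nothing to mark the session established, and flow:established then fails no matter what -k is set to.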








--__--__--

End of Snort-users Digest