Snort mailing list archives

RE: Snort-users digest, Vol 1 #4222 - 9 msgs


From: "Danista R. Lata" <dlata001 () itc gov fj>
Date: Tue, 11 May 2004 15:48:25 +1200


Where can I find info on slowing down packet traffic?
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Tuesday, May 11, 2004 3:08 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4222 - 9 msgs

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Log file owned by root problem (SRH-Lists)
   2. Re: Snort and reserved words (Matt Kettler)
   3. different logging options. (Timothy W Morrison)
   4. Re: snort >= 2.1.2 on OpenBSD -current and memory limits (Jon Hart)
   5. Re: Is there such a thing as a morning after IDS? (M. Morgan)
   6. Re: How do I convert a snort source IP Number to IP address in Microsoft SQL Server (b311b-snort () theotherbell com)
   7. Re: different logging options. (Jason Monroe "JC")
   8. RE: about some error (Harper, Patrick)
   9. RE: Snort sensor and mysql setup (Harper, Patrick)

--__--__--

Message: 1
From: SRH-Lists <giermo () 333tech com>
To: "'bitless () rcn com'" <bitless () rcn com>, 
        snort-users () lists sourceforge net
Subject: RE: [Snort-users] Log file owned by root problem
Date: Mon, 10 May 2004 12:28:36 -0500


> Hi,
>
> Snort seems to start fine but the problem is when the log files are
> written the uid/gid is root/root. I need them to be snort/snort. My
> startup line is as follows,
>
> snort -c /etc/snort/snort_eth0/snort.conf -i eth0 -u snort -g snort
>
> Shouldn't this output a log file with uid/gid snort/snort?
> All dirs and files are uid/gid snort/snort and anything else
> I could think of.
>
> If anyone has any suggestion I would greatly appreciate them.
>
> TIA
>
> Dan

Snort opens the log file for writing prior to dropping privs to the
UID/GID specified on the command line.  There is a long explanation as to
why this is, but I am not the one to explain it.

There is, however, a workaround: add -m 022 to tell Snort to use a
umask of 022 for the log file.

-steve
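A check for the situation above, added here as an example; it is not part of the original message and not Snort's own code. Given the user Snort drops to, it lists log files that user could not read, and shows what mode a newly created file gets under a given umask (Snort's -m sets the umask before it opens its log files, which is why -m 022 leaves the root-owned file readable as 0644). The sample directory is constructed by the script; the /var/log/snort path and the user name "snort" in the usage line are assumptions.

```python
import grp
import os
import pwd
import stat
import sys
import tempfile


def ids_for_user(name):
    """Resolve a user name to (uid, [gids]) as a process running as that
    user would see them: primary group plus supplementary groups."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    for g in grp.getgrall():
        if name in g.gr_mem:
            gids.add(g.gr_gid)
    return pw.pw_uid, sorted(gids)


def other_user():
    """A (uid, [gids]) pair guaranteed not to own files created by this
    process, so the sample below is judged as a foreign, unprivileged user."""
    return os.getuid() + 1, [os.getgid() + 1]


def readable_by(st, uid, gids):
    """True if a user with `uid` and group ids `gids` can read the file
    described by the os.stat_result `st`, using only the classic
    owner/group/other bits. Root's override and POSIX ACLs are ignored
    on purpose: the question is whether the *unprivileged* user can read it."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def unreadable_logs(logdir, uid, gids):
    """Names of regular files directly under logdir that `uid` cannot read."""
    bad = []
    for name in sorted(os.listdir(logdir)):
        st = os.lstat(os.path.join(logdir, name))
        if stat.S_ISREG(st.st_mode) and not readable_by(st, uid, gids):
            bad.append(name)
    return bad


def mode_after_umask(create_mode, umask):
    """Permission bits a new file gets: the mode requested from open(2)
    with the umask bits cleared. With Snort's -m 022 a 0666 request
    becomes 0644; with a root shell's umask of 077 it becomes 0600."""
    return create_mode & ~umask & 0o777


def make_sample_logdir():
    """Constructed sample: one file at the 0600 a umask of 077 produces and
    one at the 0644 a umask of 022 produces. Both are owned by the user
    running this script, standing in for root."""
    d = tempfile.mkdtemp(prefix="snortlog-")
    for name, mode in (("alert", 0o600), ("snort.log.1084200000", 0o644)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("constructed sample\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    # Usage (paths and user name assumed): python logperms.py /var/log/snort snort
    logdir = sys.argv[1] if len(sys.argv) > 1 else make_sample_logdir()
    uid, gids = ids_for_user(sys.argv[2]) if len(sys.argv) > 2 else other_user()
    print("umask 022 on a 0666 open gives mode %o" % mode_after_umask(0o666, 0o022))
    for name in unreadable_logs(logdir, uid, gids):
        print("NOT readable by uid %d: %s" % (uid, os.path.join(logdir, name)))
```

Run it against the real log directory after Snort has started; anything it prints was opened before the privilege drop under a umask that shut the run-as user out, and the fix is the -m option, not chown after the fact.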


--__--__--

Message: 2
Date: Mon, 10 May 2004 14:38:09 -0400
To: "PATENAUDE, PATRICK" <patrick.patenaude () bell ca>,
   snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Snort and reserved words

At 11:34 AM 5/10/2004, PATENAUDE, PATRICK wrote:
> Can anybody tell me what are Snort's reserved words?

In what context?

The list of "reserved" words varies depending on where you are in the
middle of a rule. Clearly in the middle of a quoted text string, most
words which are reserved elsewhere won't matter.

Probably your best source of info is going to be the manual:

http://www.snort.org/docs/snort_manual/





--__--__--

Message: 3
To: snort-users () lists sourceforge net
From: Timothy W Morrison <morriswt () us ibm com>
Date: Mon, 10 May 2004 13:39:17 -0500
Subject: [Snort-users] different logging options.


I was wondering what people are using as far as logging options go. I
would like to have alerts generated and emailed in real-time and have
the full packet detail logged to a mysql database. Is this asking too
much and is there a better way to do this? I am using barnyard right
now and logging to a mysql database. I appreciate your input on these
questions.

Tim Morrison


--__--__--

Message: 4
Date: Mon, 10 May 2004 14:40:57 -0400
From: Jon Hart <warchild () spoofed org>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort >= 2.1.2 on OpenBSD -current and memory
limits

On Fri, Apr 30, 2004 at 09:36:28AM -0400, Jon Hart wrote:
> If anyone has run into this problem, or has suggestions regarding how
> this can be fixed, I'm all ears.

Thanks to some clues from qru and srh from #snort and a few others
elsewhere, I've fixed my problem.

See the email at misc () openbsd org:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=108420932715604&w=2


-jon


--__--__--

Message: 5
Date: Mon, 10 May 2004 14:42:43 -0400 (GMT-04:00)
From: "M. Morgan" <mikemorgan () mindspring com>
Reply-To: "M. Morgan" <mikemorgan () mindspring com>
To: "Jacob,Raymond A Jr" <raymond.jacob () navy mil>, 
        snort-users () lists sourceforge net
Subject: Re: [Snort-users] Is there such a thing as a morning after IDS?

you can probably modify the code for SnortSlinger.

http://www.venom600.org/code/SnortSlinger/



-----Original Message-----
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Sent: May 8, 2004 2:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Is there such a thing as a morning after IDS?

I am looking for a tool that will report the number of attacks the
associated source ip addresses and destination network addresses that
occurred on the previous day.

 Number of attacks | Signature   | Source IP   | Source port | Destination IP | Destination Port
-------------------+-------------+-------------+-------------+----------------+-----------------
 128               | P2P         | 172.16.82.3 | 443         | 127.0.0.1      | 443
 ...               |             |             |             |                |
-------------------+-------------+-------------+-------------+----------------+-----------------
 1400              | Grand Total |             |             |                |


 Number of attacks | Signature   | Source IP   | Source port | Destination IP | Destination Port
-------------------+-------------+-------------+-------------+----------------+-----------------
 128               | Web Traver  | 192.99.32.7 | 445         | 128.23.45.8    | 80
 ...               |             |             |             |                |
-------------------+-------------+-------------+-------------+----------------+-----------------
 15000             | Grand Total |             |             |                |


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
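The "morning after" report asked for above, as an added example that is not part of the original post and not SnortSlinger: it reads Snort's fast-format alert lines (the one-line-per-alert output of -A fast / alert_fast), keeps only a given day, counts alerts per signature, source, source port, destination and destination port, and prints the table in the shape Raymond sketched. The alert lines below are constructed, with made-up local SIDs; they are not real rules or real traffic. Note that fast alerts carry no year in the timestamp unless Snort runs with -y, so the day filter is "MM/DD".

```python
import re
import sys
from collections import Counter

# Fast-format alert record. Ports are absent for ICMP, so they are optional.
FAST_ALERT = re.compile(
    r"^(?P<day>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<sig>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample input (made-up SIDs in the local 1000000+ range).
SAMPLE_ALERTS = """\
05/10-02:13:07.110452  [**] [1:1000001:1] P2P file sharing [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
05/10-02:13:09.220111  [**] [1:1000001:1] P2P file sharing [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
05/10-02:14:00.000001  [**] [1:1000001:1] P2P file sharing [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
05/10-03:01:15.512000  [**] [1:1000002:1] WEB-MISC directory traversal [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.99.32.7:445 -> 128.23.45.8:80
05/10-04:00:00.000000  [**] [1:1000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.1 -> 10.2.2.2
05/09-23:59:58.000000  [**] [1:1000001:1] P2P file sharing [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
this line is not an alert record
"""


def parse_alert(line):
    """Dict of fields for one fast-alert line, or None if it is not one."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def summarize(lines, day=None):
    """Count alerts per (signature, src, sport, dst, dport), optionally for
    one "MM/DD" day. Returns (rows, total, unparsed): rows are
    (count, sig, src, sport, dst, dport) sorted by count descending, total
    is the grand total, and unparsed counts lines that were not alert
    records, so a damaged file is noticed rather than silently shortened."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        if day is not None and a["day"] != day:
            continue
        counts[(a["sig"], a["src"], a["sport"], a["dst"], a["dport"])] += 1
    rows = sorted(((n,) + key for key, n in counts.items()),
                  key=lambda r: (-r[0], r[1]))
    return rows, sum(counts.values()), unparsed


def render(rows, total):
    """Plain-text table in the layout requested on the list."""
    hdr = ("Number of attacks", "Signature", "Source IP", "Source port",
           "Destination IP", "Destination Port")
    body = [tuple("" if v is None else str(v) for v in r) for r in rows]
    widths = [max(len(r[i]) for r in [hdr] + body) for i in range(len(hdr))]
    fmt = " | ".join("%%-%ds" % w for w in widths)
    sep = "-+-".join("-" * w for w in widths)
    lines = [fmt % hdr, sep] + [fmt % r for r in body]
    lines += [sep, fmt % ((str(total), "Grand Total") + ("",) * 4)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python morning_after.py /var/log/snort/alert 05/10  (path assumed)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS.splitlines()
    day = sys.argv[2] if len(sys.argv) > 2 else "05/10"
    rows, total, unparsed = summarize(src, day)
    print(render(rows, total))
    if unparsed:
        print("warning: %d lines were not alert records" % unparsed)
```

Feeding it yesterday's alert file from cron gives the report; the unparsed count is worth keeping, because a rotated or truncated file otherwise produces a plausible-looking but short table.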



--__--__--

Message: 6
Date: Mon, 10 May 2004 14:57:05 -0400
From: b311b-snort () theotherbell com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How do I convert a snort source IP Number to
IP address in Microsoft SQL Server

The ACID web page has a FAQ which describes how this should theoretically
work:
http://acidlab.sourceforge.net/acid_faq.html#faq_e1

    Let IP  = the 32-bit unsigned integer representation of the IP address
        ip1 = octet 1 of 4 (high-order)
        ip2 = octet 2 of 4
        ip3 = octet 3 of 4
        ip4 = octet 4 of 4 (low-order)

        >>  = bitwise shift right operator; takes an operand of the number
              of bits to shift
        AND = bitwise AND operator

    Then,
       ip1 = IP >> 24
       ip2 = (IP AND 00000000 11111111 00000000 00000000) >> 16
       ip3 = (IP AND 00000000 00000000 11111111 00000000) >> 8
       ip4 = (IP AND 00000000 00000000 00000000 11111111)

       IP = ip1 . ip2 . ip3 . ip4

***problem*** There is no >> operator in Microsoft SQL.

I don't know MS-SQL and I'm sure there's an easier way, but basically:

    3232236087/2^24 = 192 and 3232236087 mod (192*2^24) = 11010615
    11010615/2^16 = 168 and 11010615 mod (168*2^16) = 567
    567/2^8 = 2 and 567 mod (2*2^8) = 55

    3232236087 = 192.168.2.55

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage,
ski and mud)
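The division-and-modulo arithmetic above, carried through in general as an added example (not from the ACID FAQ and not from the original poster): integer to dotted quad using only integer division and modulo, the reverse for building WHERE clauses, a cross-check against the C library, and the one caveat a practitioner hits in practice. The Snort/ACID schema declares the address columns as 32-bit unsigned integers; a database whose int is signed 32-bit shows every address at or above 128.0.0.0 as a negative number, and 2^32 has to be added back first. The T-SQL string at the end is the same arithmetic written for SQL Server and assumes a column named ip_src; it is given as the equivalent expression, not quoted from any product.

```python
import socket
import struct
import sys

MAX_IPV4 = 0xFFFFFFFF


def normalize_stored(n):
    """Bring a stored value into 0..2^32-1. A signed 32-bit column shows
    values >= 2^31 as negatives; adding 2^32 undoes the two's-complement
    wrap. Anything else out of range is a data error, not an address."""
    if n < 0:
        n += 1 << 32
    if not 0 <= n <= MAX_IPV4:
        raise ValueError("not a 32-bit IPv4 value: %r" % n)
    return n


def int_to_dotted(n):
    """Integer -> dotted quad with integer division and modulo only, which
    is all that is needed where there is no >> operator."""
    n = normalize_stored(n)
    octets = (n // (1 << 24),
              (n // (1 << 16)) % 256,
              (n // (1 << 8)) % 256,
              n % 256)
    return "%d.%d.%d.%d" % octets


def dotted_to_int(addr):
    """Dotted quad -> integer, e.g. for WHERE ip_src = <value> in a query."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % addr)
    n = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError("bad octet %r in %r" % (p, addr))
        n = n * 256 + int(p)
    return n


def is_valid_dotted(addr):
    """True if dotted_to_int would accept addr."""
    try:
        dotted_to_int(addr)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(n):
    """Cross-check the hand arithmetic against inet_ntoa on the same value."""
    n = normalize_stored(n)
    return int_to_dotted(n) == socket.inet_ntoa(struct.pack("!I", n))


# Same arithmetic as a T-SQL expression (column name ip_src is an assumption;
# the value must already be non-negative, see normalize_stored).
TSQL_DOTTED_QUAD = (
    "CONVERT(varchar, ip_src / 16777216) + '.' + "
    "CONVERT(varchar, (ip_src / 65536) % 256) + '.' + "
    "CONVERT(varchar, (ip_src / 256) % 256) + '.' + "
    "CONVERT(varchar, ip_src % 256)"
)


if __name__ == "__main__":
    # Usage: python ipconv.py 3232236087   or   python ipconv.py 192.168.2.55
    arg = sys.argv[1] if len(sys.argv) > 1 else "3232236087"
    if is_valid_dotted(arg):
        print(dotted_to_int(arg))
    else:
        print(int_to_dotted(int(arg)))
```

The message's worked example is the special case "remainder after subtracting 192*2^24"; taking the remainder modulo 256 after each division is the same thing and needs no knowledge of the previous quotient, which is what makes it usable as a single SQL expression.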




--__--__--

Message: 7
Subject: Re: [Snort-users] different logging options.
From: "Jason Monroe \"JC\"" <monroe () nas nasa gov>
To: Timothy W Morrison <morriswt () us ibm com>,
        snort-users () lists sourceforge net
Date: Mon, 10 May 2004 12:14:46 -0700

We don't have that requirement, but I would suggest making use of
another output module and then using swatch, logwatch, or any other app
to watch growing files for entries of interest.

See:
http://www.linuxsecurity.com/feature_stories/feature_story-144-2.html

Ps: use the archives Luke

On Mon, 2004-05-10 at 11:39, Timothy W Morrison wrote:
> I was wondering what people are using as far as logging options go. I
> would like to have alerts generated and emailed in real-time and have
> the full packet detail logged to a mysql database. Is this asking too
> much and is there a better way to do this? I am using barnyard right
> now and logging to a mysql database. I appreciate your input on these
> questions.
>
> Tim Morrison


--__--__--

Message: 8
From: "Harper, Patrick" <patrick.harper () phns com>
To: "ajay sahasrabudhe" <ajay_sahasrabudhe2001 () yahoo com>,
        <snort-users () lists sourceforge net>
Date: Mon, 10 May 2004 11:03:29 -0500
Subject: RE: [Snort-users] about some error

did you copy the unicode.map file to /etc/snort?


From: ajay sahasrabudhe [mailto:ajay_sahasrabudhe2001 () yahoo com]
Sent: Wednesday, May 05, 2004 8:22 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] about some error


Hi,
i have configured snort to work on windows 2000 machine. Its working ok
in packet logging mode. i have also configured the snort.conf
file. However while running snort in IDS mode i am getting alert as
ERROR: snort.conf(285) => Invalid file name for IIS Unicode Map file.
Fatal Error, Quitting..

What is the problem? Can anyone help me out.

regards,
ajay sahasrabudhe





Disclaimer:
This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure, dissemination,
use or reproduction is strictly prohibited. If you have received this
message in error, please delete it and notify the sender immediately.






--__--__--

Message: 9
From: "Harper, Patrick" <patrick.harper () phns com>
To: "Lance Boon" <lbtf73_99 () yahoo com>,
        <snort-users () lists sourceforge net>
Date: Mon, 10 May 2004 11:03:35 -0500
Subject: RE: [Snort-users] Snort sensor and mysql setup

That should do it for you.  After you give the remote snort user
permissions on the mysql box (make sure you have the port open for
mysql) then it should work fine.  I will be adding this to the next
revision of that document.


-----Original Message-----
From: Lance Boon [mailto:lbtf73_99 () yahoo com]
Sent: Thursday, May 06, 2004 9:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort sensor and mysql setup

I'm having a problem getting snort Version 2.1.2 (Build 25) set to log to
a remote mysql server. I've followed Patrick Harper's guide in setting up
the apache, mysql server, now I want the sensor setup on a separate
machine to log back to the mysql/apache server. I know where the problem
lies, just unsure on how to correct it.

ERROR: database: mysql_error: Access denied for user:
'snort@10.0.16.18' (Using password: YES) Fatal Error, Quitting..

I understand that snort can't login to the remote mysql server. If I try
to enter the following

[root@worsen01 snortcenter]# mysql -h10.0.16.16 -usnort -p snort
Enter password:
ERROR 1045: Access denied for user: 'snort@10.0.16.18'
(Using password: YES)

If I would login to the mysql server directly and

SET PASSWORD FOR snort@10.0.16.18=PASSWORD('new_password');

Then grant the permissions that are needed:

grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@10.0.16.18;

grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;

Would that take care of my problem?

If anybody has a better suggestion for setting this up any assistance
would be greatly appreciated, I'm using snort Version 2.1.2 on Fedora
core 1. Eventually I would like to have 6 sensors logging to this
database. But right now just need to get the one working.

Thanks
Lance















--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest





