Snort mailing list archives
RE: Snort-users digest, Vol 1 #4222 - 9 msgs
From: "Danista R. Lata" <dlata001 () itc gov fj>
Date: Tue, 11 May 2004 15:48:25 +1200
Where can I find info on slowing down packet traffic?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net
Sent: Tuesday, May 11, 2004 3:08 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4222 - 9 msgs

Today's Topics:

1. RE: Log file owned by root problem (SRH-Lists)
2. Re: Snort and reserved words (Matt Kettler)
3. different logging options. (Timothy W Morrison)
4. Re: snort >= 2.1.2 on OpenBSD -current and memory limits (Jon Hart)
5. Re: Is there such a thing as a morning after IDS? (M. Morgan)
6. Re: How do I convert a snort source IP Number to IP address in Microsoft SQL Server (b311b-snort () theotherbell com)
7. Re: different logging options. (Jason Monroe "JC")
8. RE: about some error (Harper, Patrick)
9. RE: Snort sensor and mysql setup (Harper, Patrick)

--__--__--

Message: 1
From: SRH-Lists <giermo () 333tech com>
To: "'bitless () rcn com'" <bitless () rcn com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Log file owned by root problem
Date: Mon, 10 May 2004 12:28:36 -0500
Hi,

Snort seems to start fine but the problem is when the log files are written the uid/gid is root/root. I need them to be snort/snort. My startup line is as follows:

snort -c /etc/snort/snort_eth0/snort.conf -i eth0 -u snort -g snort

Shouldn't this output a log file with uid/gid snort/snort? All dirs and files are uid/gid snort/snort and anything else I could think of. If anyone has any suggestion I would greatly appreciate them.

TIA
Dan
snort opens the log file for writing prior to dropping privs to the UID/GID specified on the commandline. There is a long explanation as to why this is, but I am not the one to explain it. There is, however, a workaround: add a -m 022 to tell snort to use a umask of 022 for the logfile.

-steve

--__--__--

Message: 2
Date: Mon, 10 May 2004 14:38:09 -0400
To: "PATENAUDE, PATRICK" <patrick.patenaude () bell ca>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Snort and reserved words

At 11:34 AM 5/10/2004, PATENAUDE, PATRICK wrote:
Can anybody tell me what are snorts reserved words?
In what context? The list of "reserved" words varies depending on where you are in the middle of a rule. Clearly in the middle of a quoted text string, most words which are reserved elsewhere won't matter. Probably your best source of info is going to be the manual: http://www.snort.org/docs/snort_manual/

--__--__--

Message: 3
To: snort-users () lists sourceforge net
From: Timothy W Morrison <morriswt () us ibm com>
Date: Mon, 10 May 2004 13:39:17 -0500
Subject: [Snort-users] different logging options.

I was wondering what people are using as far as logging options go. I would like to have alerts generated and emailed in real-time and have the full packet detail logged to a mysql database. Is this asking too much and is there a better way to do this? I am using barnyard right now and logging to a mysql database. I appreciate your input on these questions.

Tim Morrison

--__--__--

Message: 4
Date: Mon, 10 May 2004 14:40:57 -0400
From: Jon Hart <warchild () spoofed org>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort >= 2.1.2 on OpenBSD -current and memory limits

On Fri, Apr 30, 2004 at 09:36:28AM -0400, Jon Hart wrote:
If anyone has run into this problem, or has suggestions regarding how this can be fixed, I'm all ears.
Thanks to some clues from qru and srh from #snort and a few others elsewhere, I've fixed my problem. See the email at misc () openbsd org: http://marc.theaimsgroup.com/?l=openbsd-misc&m=108420932715604&w=2

-jon

--__--__--

Message: 5
Date: Mon, 10 May 2004 14:42:43 -0400 (GMT-04:00)
From: "M. Morgan" <mikemorgan () mindspring com>
Reply-To: "M. Morgan" <mikemorgan () mindspring com>
To: "Jacob,Raymond A Jr" <raymond.jacob () navy mil>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Is there such a thing as a morning after IDS?

you can probably modify the code for SnortSlinger. http://www.venom600.org/code/SnortSlinger/

-----Original Message-----
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Sent: May 8, 2004 2:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Is there such a thing as a morning after IDS?

I am looking for a tool that will report the number of attacks, the associated source ip addresses and destination network addresses that occurred on the previous day.

Number of attacks | Signature  | Source IP   | Source port | Destination IP | Destination Port
------------------+------------+-------------+-------------+----------------+-----------------
128               | P2P        | 172.16.82.3 | 443         | 127.0.0.1      | 443
...
------------------+------------+-------------+-------------+----------------+-----------------
1400              | Grand Total

Number of attacks | Signature  | Source IP   | Source port | Destination IP | Destination Port
------------------+------------+-------------+-------------+----------------+-----------------
128               | Web Traver | 192.99.32.7 | 445         | 128.23.45.8    | 80
...
------------------+------------+-------------+-------------+----------------+-----------------
15000             | Grand Total

-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 6
Date: Mon, 10 May 2004 14:57:05 -0400
From: b311b-snort () theotherbell com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How do I convert a snort source IP Number to IP address in Microsoft SQL Server
The ACID web page has a FAQ which describes how this should theoretically work: http://acidlab.sourceforge.net/acid_faq.html#faq_e1

Let IP = the 32-bit unsigned integer representation of the IP address
    ip1 = octet 1 of 4 (high-order)
    ip2 = octet 2 of 4
    ip3 = octet 3 of 4
    ip4 = octet 4 of 4 (low-order)
    >>  = bitwise shift right operator; takes an operand of the number of bits to shift
    AND = bitwise AND operator

Then,
    ip1 = IP >> 24
    ip2 = (IP AND 00000000 11111111 00000000 00000000) >> 16
    ip3 = (IP AND 00000000 00000000 11111111 00000000) >> 8
    ip4 = (IP AND 00000000 00000000 00000000 11111111)
    IP  = ip1 . ip2 . ip3 . ip4

***problem*** There is no >> operator in Microsoft SQL.
I don't know MS-SQL and I'm sure there's an easier way, but basically:

    3232236087/2^24 = 192 and 3232236087 mod (192*2^24) = 11010615
    11010615/2^16 = 168 and 11010615 mod (168*2^16) = 567
    567/2^8 = 2 and 567 mod (2*2^8) = 55

    3232236087 = 192.168.2.55

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage, ski and mud)

--__--__--

Message: 7
Subject: Re: [Snort-users] different logging options.
From: "Jason Monroe \"JC\"" <monroe () nas nasa gov>
To: Timothy W Morrison <morriswt () us ibm com>, snort-users () lists sourceforge net
Date: Mon, 10 May 2004 12:14:46 -0700

We don't have that requirement, but I would suggest making use of another output module and then using swatch, logwatch, or any other app to watch growing files for entries of interest. See: http://www.linuxsecurity.com/feature_stories/feature_story-144-2.html

Ps: use the archives Luke

On Mon, 2004-05-10 at 11:39, Timothy W Morrison wrote:
I was wondering what people are using as far as logging options go. I would like to have alerts generated and emailed in real-time and have the full packet detail logged to a mysql database. Is this asking too much and is there a better way to do this? I am using barnyard right now and logging to a mysql database. I appreciate your input on these questions. Tim Morrison
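The octet arithmetic from message 6 above (the ACID FAQ formulas and Brenda's division/modulo version), carried through in code as an added example that is not from the thread, from ACID or from Snort. It uses only integer division and modulo, which is what remains when a SQL dialect has no >> operator, and it also covers the case where the 32-bit value was stored in a signed column; that signed-column case is an assumption about the reader's schema, not something the thread states. The `ipaddress` cross-check is from the Python standard library.

```python
import ipaddress


def int_to_dotted(value: int) -> str:
    """Turn a 32-bit IP stored as an integer into dotted-quad text.

    Only integer division (//) and modulo (%) are used, because that is
    all the poster in message 6 had without a >> operator: the SQL
    equivalents are ip / 16777216, (ip / 65536) % 256, (ip / 256) % 256
    and ip % 256.
    """
    if value < 0:
        # Assumption: a signed 32-bit column wraps addresses >= 128.0.0.0
        # to negative numbers; adding 2**32 recovers the unsigned value.
        value += 2**32
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    ip1 = value // 2**24            # same as value >> 24
    ip2 = (value // 2**16) % 256    # same as (value AND 0x00FF0000) >> 16
    ip3 = (value // 2**8) % 256     # same as (value AND 0x0000FF00) >> 8
    ip4 = value % 256               # same as value AND 0x000000FF
    return f"{ip1}.{ip2}.{ip3}.{ip4}"


def dotted_to_int(text: str) -> int:
    """Inverse conversion: dotted-quad text to the unsigned 32-bit integer."""
    octets = [int(part) for part in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"{text!r} is not a dotted quad")
    return octets[0] * 2**24 + octets[1] * 2**16 + octets[2] * 2**8 + octets[3]


def to_signed32(value: int) -> int:
    """What an unsigned value looks like once stored in a signed 32-bit column."""
    return value - 2**32 if value >= 2**31 else value


def check_against_stdlib(value: int) -> bool:
    """Cross-check the hand-rolled arithmetic against ipaddress.IPv4Address."""
    return int_to_dotted(value) == str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    # 3232236087 is the worked value from message 6; the rest are boundary cases.
    for v in (3232236087, 0, 0xFFFFFFFF, 2**31):
        print(v, "->", int_to_dotted(v), "| a signed column would hold", to_signed32(v))
```

Integer division in SQL truncates just as `//` does for non-negative operands, so the four expressions in the docstring, each cast to a character type and joined with '.', give the same result as the Python function; the negative-value branch is only needed if the column is signed, in which case add 4294967296 before dividing.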
--__--__--

Message: 8
From: "Harper, Patrick" <patrick.harper () phns com>
To: "ajay sahasrabudhe" <ajay_sahasrabudhe2001 () yahoo com>, <snort-users () lists sourceforge net>
Date: Mon, 10 May 2004 11:03:29 -0500
Subject: RE: [Snort-users] about some error

did you copy the unicode.map file to /etc/snort?

_____

From: ajay sahasrabudhe [mailto:ajay_sahasrabudhe2001 () yahoo com]
Sent: Wednesday, May 05, 2004 8:22 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] about some error

Hi,
i have configured snort to work on windows 2000 machine. Its working ok in packet logging mode. i have also configured the snort.conf file. However while running snort in IDS mode i am getting alert as

ERROR: snort.conf(285) => Invalid file name for IIS Unicode Map file.
Fatal Error, Quitting..

What is the problem? Can anyone help me out.

regards,
ajay sahasrabudhe

--__--__--

Message: 9
From: "Harper, Patrick" <patrick.harper () phns com>
To: "Lance Boon" <lbtf73_99 () yahoo com>, <snort-users () lists sourceforge net>
Date: Mon, 10 May 2004 11:03:35 -0500
Subject: RE: [Snort-users] Snort sensor and mysql setup

That should do it for you. After you give the remote snort user permissions on the mysql box (make sure you have the port open for mysql) then it should work fine. I will be adding this to the next revision of that document.

-----Original Message-----
From: Lance Boon [mailto:lbtf73_99 () yahoo com]
Sent: Thursday, May 06, 2004 9:45 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort sensor and mysql setup

I'm having a problem getting snort Version 2.1.2 (Build 25) set to log to a remote mysql server. I've followed Patrick Harper's guide in setting up the apache, mysql server; now I want the sensor setup on a separate machine to log back to the mysql/apache server. I know where the problem lies, just unsure on how to correct it.

ERROR: database: mysql_error: Access denied for user: 'snort@10.0.16.18' (Using password: YES)
Fatal Error, Quitting..
I understand that snort can't login to the remote mysql server. If I try to enter the following:

[root@worsen01 snortcenter]# mysql -h10.0.16.16 -usnort -p snort
Enter password:
ERROR 1045: Access denied for user: 'snort@10.0.16.18' (Using password: YES)

If I would login to the mysql server directly and

SET PASSWORD FOR snort@10.0.16.18 = PASSWORD('new_password');

Then grant the permissions that are needed:

grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@10.0.16.18;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;

Would that take care of my problem? If anybody has a better suggestion for setting this up any assistance would be greatly appreciated. I'm using snort Version 2.1.2 on Fedora core 1. Eventually I would like to have 6 sensors logging to this database. But right now just need to get the one working.

Thanks
Lance

--__--__--

End of Snort-users Digest
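Messages 3 and 7 above ask for real-time notification from a growing alert file, with JC's suggestion being to let swatch, logwatch or a similar tool watch the file for entries of interest. The following is an added example, not code from the thread, from Snort or from those tools: it parses lines in Snort's one-line alert_fast output style into records and keeps only the ones that meet a notification threshold (priority 1 here), which is the selection step such a watcher rule performs before mailing anything. The sample lines, including the sids, message text and addresses, are constructed for this example, and a non-alert line is included to show that the parser skips it instead of failing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the alert_fast style (not taken from the thread).
SAMPLE_ALERTS = """\
05/10-14:38:09.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
05/10-14:38:11.000001  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
this line is not an alert and must be skipped rather than break the watcher
05/10-14:39:00.500000  [**] [1:1000003:2] LOCAL web CGI probe [**] [Priority: 1] {TCP} 203.0.113.7:40000 -> 198.51.100.5:80
"""

# Timestamp, [gid:sid:rev], message, optional classification, priority,
# protocol, source and destination; ports are part of the address token.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # absent when a rule has no classtype
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for anything that does not match."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"] or "", priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def alerts_to_notify(text: str, max_priority: int = 1) -> List[Alert]:
    """Keep parsed alerts whose priority number is at or below the threshold
    (in Snort, priority 1 is the most severe)."""
    selected = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None and alert.priority <= max_priority:
            selected.append(alert)
    return selected


def format_notification(alerts: List[Alert]) -> str:
    """Render the selected alerts as the body of a notification message."""
    lines = [f"{len(alerts)} high-priority Snort alert(s):"]
    for a in alerts:
        lines.append(
            f"  {a.timestamp} [{a.gid}:{a.sid}:{a.rev}] {a.msg} "
            f"({a.proto} {a.src} -> {a.dst})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_notification(alerts_to_notify(SAMPLE_ALERTS)))
```

Pointing the same functions at the tail of a live alert file (reading only lines appended since the last pass) and handing `format_notification` output to the local mailer is the remaining plumbing; keeping the threshold as a parameter lets the mailed set stay small while the full detail continues to go to the database through barnyard, as Tim described.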