Re: Snort-users Digest, Vol 99, Issue 12
From: mehdi maleki <mehdimlk2003 () yahoo com>
Date: Wed, 6 Aug 2014 00:58:32 -0700
I’ve read the FAQ, but there is no solution for my problem there. I’ve used the registered-user rule set. My command line, part of the output and part of the config file are as below: ./snort -A fast -r /home/mahdi/darpa/outside.tcpdump -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --pcap-show -k none =============================================================================== Packet I/O Totals: Received: 1337777 Analyzed: 1337777 (100.000%) Dropped: 0 ( 0.000%) Filtered: 0 ( 0.000%) Outstanding: 0 ( 0.000%) Injected: 0 =============================================================================== Breakdown by protocol (includes rebuilt packets): Eth: 1340992 (100.000%) VLAN: 0 ( 0.000%) IP4: 1266758 ( 94.464%) Frag: 241 ( 0.018%) ICMP: 1341 ( 0.100%) UDP: 17029 ( 1.270%) TCP: 1248147 ( 93.076%) ============================================================== Action Stats: Alerts: 0 ( 0.000%) Logged: 0 ( 0.000%) Passed: 0 ( 0.000%) Limits: Match: 0 Queue: 0 Log: 0 Event: 0 Alert: 0 Verdicts: Allow: 1276213 ( 95.398%) Block: 0 ( 0.000%) Replace: 0 ( 0.000%) Whitelist: 61564 ( 4.602%) Blacklist: 0 ( 0.000%) part of config-file: # Setup the network addresses you are protecting ipvar HOME_NET any # Set up the external network addresses. 
Leave as "any" in most situations ipvar EXTERNAL_NET any # List of DNS servers on your network ipvar DNS_SERVERS $HOME_NET # List of SMTP servers on your network ipvar SMTP_SERVERS $HOME_NET # List of web servers on your network ipvar HTTP_SERVERS $HOME_NET # List of sql servers on your network ipvar SQL_SERVERS $HOME_NET # List of telnet servers on your network ipvar TELNET_SERVERS $HOME_NET # List of ssh servers on your network ipvar SSH_SERVERS $HOME_NET # List of ftp servers on your network ipvar FTP_SERVERS $HOME_NET # List of sip servers on your network ipvar SIP_SERVERS $HOME_NET # List of ports you run web servers on portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712] # List of ports you want to look for SHELLCODE on. 
portvar SHELLCODE_PORTS !80 # List of ports you might see oracle attacks on portvar ORACLE_PORTS 1024: # List of ports you want to look for SSH connections on: portvar SSH_PORTS 22 # List of ports you run ftp servers on portvar FTP_PORTS [21,2100,3535] # List of ports you run SIP servers on portvar SIP_PORTS [5060,5061,5600] # List of file data ports for file inspection portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] # List of GTP ports for GTP preprocessor portvar GTP_PORTS [2123,2152,3386] # other variables, these should not be modified ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules # If you are using reputation preprocessor set these var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ################################################### # Step #2: Configure the decoder. 
For more information, see README.decode ################################################### # Stop generic decode events: config disable_decode_alerts # Stop Alerts on experimental TCP options config disable_tcpopt_experimental_alerts # Stop Alerts on obsolete TCP options config disable_tcpopt_obsolete_alerts # Stop Alerts on T/TCP alerts config disable_tcpopt_ttcp_alerts # Stop Alerts on all other TCPOption type events: config disable_tcpopt_alerts # Stop Alerts on invalid ip options config disable_ipopt_alerts # Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet # config enable_decode_oversized_alerts # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts) # config enable_decode_oversized_drops # Configure IP / TCP checksum mode config checksum_mode: all # Configure maximum number of flowbit references. For more information, see README.flowbits # config flowbits_size: 64 # Configure ports to ignore # config ignore_ports: tcp 21 6667:6671 1356 # config ignore_ports: udp 1:17 53 # Configure active response for non inline operation. For more information, see REAMDE.active # config response: eth0 attempts 2 # Configure DAQ related options for inline operation. For more information, see README.daq # # config daq: <type> # config daq_dir: <dir> # config daq_mode: <mode> # config daq_var: <var> # # <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw # <mode> ::= read-file | passive | inline # <var> ::= arbitrary <name>=<value passed to DAQ # <dir> ::= path as to where to look for DAQ module so's # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options # # config set_gid: # config set_uid: # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README # # config snaplen: # # Configure default bpf_file to use for filtering what traffic reaches snort. 
For more information see snort -h command line options (-F) # # config bpf_file: # # Configure default log directory for snort to log to. For more information see snort -h command line options (-l) # # config logdir: ################################################### # Step #3: Configure the base detection engine. For more information, see README.decode ################################################### # Configure PCRE match limitations config pcre_match_limit: 3500 config pcre_match_limit_recursion: 1500 # Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config config detection: search-method ac-split search-optimize max-pattern-len 20 # Configure the event queue. For more information, see README.event_queue config event_queue: max_queue 8 log 5 order_events content_length On Tuesday, August 5, 2014 10:46 PM, "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net> wrote: Send Snort-users mailing list submissions to snort-users () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net You can reach the person managing the list at snort-users-owner () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." When responding, please don't respond with the entire Digest. Please trim your response. Today's Topics: 1. FW: Yumato (usuarionuevo nuevo nuevo) 2. Re: darpa dataset problem(zero alert) (waldo kitty) 3. Re: FW: Yumato (waldo kitty) 4. 
Re: Event mismatch (Anshuman Anil Deshmukh) ---------------------------------------------------------------------- Message: 1 Date: Tue, 5 Aug 2014 16:57:37 +0200 From: usuarionuevo nuevo nuevo <estoesnuevo () outlook es> Subject: [Snort-users] FW: Yumato To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net> Message-ID: <BLU182-W7375FC4936A50C89E2FF40D7E30 () phx gbl> Content-Type: text/plain; charset="iso-8859-1" Hi, I'm new on this list, Anyone knows something about this snort signature: ET TROJAN Dropper-497 (Yumato) Initial Checkin What does this alert means? Thx usuarionuevo -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 2 Date: Tue, 05 Aug 2014 14:08:48 -0400 From: waldo kitty <wkitty42 () windstream net> Subject: Re: [Snort-users] darpa dataset problem(zero alert) To: snort-users () lists sourceforge net Message-ID: <53E11DB0.6060306 () windstream net> Content-Type: text/plain; charset=UTF-8; format=flowed On 8/5/2014 6:36 AM, mehdi maleki wrote:
hi, I've installed snort 2.9.6.2 on fedora 20 (vmware) and used the darpa 1999 dataset as the input file. I have not changed the default rules. Surprisingly it does not generate any alert.
have you checked the FAQ?? https://github.com/vrtadmin/snort-faq/blob/master/README.md https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md -- NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------ Message: 3 Date: Tue, 05 Aug 2014 14:10:31 -0400 From: waldo kitty <wkitty42 () windstream net> Subject: Re: [Snort-users] FW: Yumato To: snort-users () lists sourceforge net Message-ID: <53E11E17.5050802 () windstream net> Content-Type: text/plain; charset=UTF-8; format=flowed On 8/5/2014 10:57 AM, usuarionuevo nuevo nuevo wrote:
Hi, I'm new on this list. Does anyone know something about this snort signature: ET TROJAN Dropper-497 (Yumato) Initial Checkin? What does this alert mean?
i responded on your other topic of this... please continue over there... -- NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------ Message: 4 Date: Tue, 5 Aug 2014 18:10:58 +0000 From: Anshuman Anil Deshmukh <anshuman () cybage com> Subject: Re: [Snort-users] Event mismatch To: 'JJC' <cummingsj () gmail com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net> Message-ID: <B6C975E672AF804EA892285F67BB885BA78AD227 () ct1-mailbox-1-1 cybage com> Content-Type: text/plain; charset="utf-8" ok. I know my config for barnyard & snort is referring the same file which is produced by pulledpork. But where do I tell Snorby to use the same sid-msg.map file? It is already configured to generate version 1 of sid-msg.map. Regards, Anshuman From: JJC [mailto:cummingsj () gmail com] Sent: Tuesday, August 5, 2014 8:22 PM To: Anshuman Anil Deshmukh Cc: Joel Esler (jesler); snort-users () lists sourceforge net Subject: Re: [Snort-users] Event mismatch Snorby needs to be using the sid-msg.map that pulledpork produces, you also need to be sure that you have your pulledpork configured to generate a version 1 (one) sid-msg.map as I do not think that Snorby is compatible with the new version that was designed for use with Barnyard. JJC On Tue, Aug 5, 2014 at 7:27 AM, Anshuman Anil Deshmukh <anshuman () cybage com<mailto:anshuman () cybage com>> wrote: Can anybody reply on this? Regards, Anshuman From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com<mailto:anshuman () cybage com>] Sent: Monday, August 4, 2014 10:59 PM To: 'Joel Esler (jesler)'; snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] Event mismatch Sorry for the encrypted mail which was recently sent by mistake. My apologies. 
What I was saying was - which configuration file does Snorby refer in which the sid-msg.map file is specified? Regards, Anshuman From: Joel Esler (jesler) [mailto:jesler () cisco com] Sent: Monday, August 4, 2014 8:42 PM To: Anshuman Anil Deshmukh Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] Event mismatch Looks like Snorby is not reading from the correct sid-msg.map file. On Aug 4, 2014, at 9:34 AM, Anshuman Anil Deshmukh <anshuman () cybage com<mailto:anshuman () cybage com>> wrote: Anybody on this? Is there any fix for this? Regards, Anshuman From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com] Sent: Wednesday, July 30, 2014 5:23 PM To: snort-users mailinglist Subject: [Snort-users] Event mismatch Hi, I am observing that an event shown in the snort terminal window appears in the Snorby console with a different description. Kindly see below output in the terminal window and refer attachment for same event how it appears in Snorby. This event appears in Snorby as ?ssh: Gobbles exploit?. SIG & GID is same for both. Has anybody encountered this issue? Snort terminal window [**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 07/29-11:38:33.588575 <IP address removed>:53198 -> <IP address removed>:22 TCP TTL:64 TOS:0x8 ID:27261 IpLen:20 DgmLen:4180 DF ***A**** Seq: 0x6DCCC579 Ack: 0xFD13066A Win: 0xEA80 TcpLen: 20 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640][Xref<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640%5d%5bXref> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639] I have recently upgraded from Snort version 2.9.5 to 2.9.6.1 (it was compiled from source). After upgrade I have replaced the older version of files classification.config, gen.msg.map, reference.config & unicode.map. Am I missing something which is causing this issue? 
I use pulledpork version 0.7.0 to update my rules. I update text based rules & so_rules with pulledpork. I use barnyard 2.1.9 (Build 263) - XFF patch (version 2). I am using mysql ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1. Let me know in case any other information regarding my setup is needed. Thanks. Regards, Anshuman "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. 
You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/> <Appearing in Snorbyt_mismatch.jpg>------------------------------------------------------------------------------ Infragistics Professional Build stunning WinForms apps today! Reboot your WinForms applications with our WinForms controls. Build a bridge from your legacy apps to the future. http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news! "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." 
www.cybage.com<http://www.cybage.com> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com> ------------------------------------------------------------------------------ Infragistics Professional Build stunning WinForms apps today! Reboot your WinForms applications with our WinForms controls. Build a bridge from your legacy apps to the future. http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. 
If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Infragistics Professional Build stunning WinForms apps today! Reboot your WinForms applications with our WinForms controls. Build a bridge from your legacy apps to the future. http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk ------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest, Vol 99, Issue 12 *******************************************