Snort mailing list archives
Re: help with file bpf and ip 0.0.0.0
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 12 Feb 2016 13:59:19 +0000
Not sure if you saw this before, but I sent you a message back on 1/22/16.

Your issue is probably with BASE summarizing events or your logging format. Have you looked at the log files from snort directly and not from within BASE? Can you run snort with "-Acmg -H -U -k none" and see if you get any alerts with this address?

I have a rule with

    alert tcp $HOME_NET any -> any any (sid:1000001; msg:"TEST")

using your 'ipvar HOME_NET [192.168.1.66/24]'. I don't get any alerts with 0.0.0.0 in them. I do get a TON of these (see below, I clipped a bunch off), which could be what the output logging is summarizing.

    [root@onetwo snort-2.9.8.0-build_229]# ./bin/snort -c etc/ZERO.conf -r etc/ZERO.pcap -Acmg -H -U -k none -q | grep -i TEST
    01/22-16:38:11.806576 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:11.896482 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:11.896600 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.184956 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.218249 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.226693 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.245704 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
    01/22-16:38:12.246559 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
    01/22-16:38:12.267310 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
    01/22-16:38:12.345081 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.354908 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.360292 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
    01/22-16:38:12.382499 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Saturday, January 23, 2016 12:49 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help with file bpf and ip 0.0.0.0

I installed Snorby to see the alerts, and I have alerts from src 64.4.8.0 to dst 0.0.0.0. How can I stop alerts from 64.4.8.0 or to dst 0.0.0.0? I am sending a photo of Snorby.

Thanks,
hernani

On 21-01-2016 12:11, Joel Esler (jesler) wrote:

Port 80 is not something you want to ignore, considering a large number of attacks take place on port 80.

Sent from my iPhone

On Jan 21, 2016, at 6:05 AM, hernani coelho <hernani_coelho () msn com> wrote:

On 20-01-2016 21:52, Joel Esler (jesler) wrote:

On Jan 20, 2016, at 1:10 PM, hernani coelho <hernani_coelho () msn com> wrote:

On 20-01-2016 17:55, wkitty42 () windstream net wrote:

On 01/20/2016 12:03 PM, hernani coelho wrote:

Now I see that if I browse a web page, snort gives me alerts like this:

    #0-(1-7731) [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY 2016-01-20 16:59:34 192.168.1.66:57514 95.172.94.15:80 TCP

Is it safe to ignore port 80??

IMHO, absolutely not... if you are getting oversize reports like that, you can increase the size of your oversize_dir_length setting in the http_inspect preprocessor section of your snort.conf file... we use 750 here but you may need a larger or smaller value depending on the traffic on your network...

I have lots of alerts from port 80. How can I stop alerts from port 80?

    #41-(1-30) [snort <http://www.snort.org/search/sid/129-12>] stream5: TCP Small Segment Threshold Exceeded 2016-01-21 10:46:46 195.23.51.104:80 192.168.1.66:60009 TCP

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
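An added example, not from the thread and not Snort project code: a small POSIX shell/awk helper that summarizes Snort console-format alert lines (the format printed by the "-Acmg" run above) per signature and source -> destination pair, with ports stripped, and flags any pair where either endpoint is 0.0.0.0. Feeding it the raw Snort output is the quickest way to check whether the 0.0.0.0 events exist in Snort's own alerts or only appear once BASE or Snorby has aggregated them. The config and pcap paths in the usage comment are assumptions, and the sample alert lines are constructed for this example; the 0.0.0.0 line in particular is made up to show the flag.

```shell
#!/bin/sh
# Added example (not from the thread): summarize Snort "-A console"/-Acmg
# alert lines per [gid:sid:rev] + message + src -> dst pair and flag any
# pair that involves 0.0.0.0.
#
# Usage against a real capture (paths are assumptions):
#   ./bin/snort -c etc/snort.conf -r etc/capture.pcap -Acmg -H -U -k none -q \
#       | summarize_alerts | sort -rn

summarize_alerts() {
    awk '
    # Only alert header lines carry the "[**]" markers; packet dumps
    # printed by -Acmg and blank lines are skipped.
    /\[\*\*]/ {
        sid = $3                                  # "[1:1000001:0]"
        gsub(/[][]/, "", sid)                     # -> "1:1000001:0"
        msg = $0
        sub(/^[^]]*] \[[^]]*] /, "", msg)         # drop timestamp, [**], [gid:sid:rev]
        sub(/ \[\*\*].*$/, "", msg)               # keep the message text only
        src = $(NF - 2); dst = $NF                # last tokens: "src:port -> dst:port"
        sub(/:[0-9]+$/, "", src)                  # strip ports so one talker is one pair
        sub(/:[0-9]+$/, "", dst)
        key = sid " " msg " " src " -> " dst
        count[key]++
        if (src == "0.0.0.0" || dst == "0.0.0.0") zero[key] = 1
    }
    END {
        for (k in count)
            printf "%6d %s%s\n", count[k], k, ((k in zero) ? "  <-- endpoint 0.0.0.0" : "")
    }'
}

# Constructed sample in the same format as the thread output. The UDP line
# with 0.0.0.0 is made up to show what a flagged pair looks like.
sample_alerts() {
    cat <<'EOF'
01/22-16:38:11.806576 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896482 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704 [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:13.000001 [**] [1:1000001:0] TEST [**] [Priority: 0] {UDP} 64.4.8.0:1900 -> 0.0.0.0:1900
EOF
}

# Number of summarized pairs that touch 0.0.0.0 (1 for the sample above).
zero_pair_count() {
    sample_alerts | summarize_alerts | grep -c '0\.0\.0\.0'
}

sample_alerts | summarize_alerts | sort -rn
```

Because ports are stripped, the thirteen TEST lines in the thread's output collapse into a single 192.168.1.66 -> 194.9.94.80 pair with a count of 13, which is the number to compare against the event count BASE shows for that signature; if BASE shows a 0.0.0.0 endpoint that never appears in this summary, the problem is in the logging path or the front end, not in Snort's detection.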
Current thread:
- Re: help with file bpf and ip 0.0.0.0, (continued)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 wkitty42 (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 Al Lewis (allewi) (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 wkitty42 (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 Joel Esler (jesler) (Jan 20)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 21)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Jan 21)
- Re: help with file bpf and ip 0.0.0.0 Joel Esler (jesler) (Jan 21)
- Re: help with file bpf and ip 0.0.0.0 hernani coelho (Feb 12)
- Re: help with file bpf and ip 0.0.0.0 Al Lewis (allewi) (Feb 12)