Snort mailing list archives

Re: Snort++ Build 239


From: Jim Campbell <jim () w4bqp net>
Date: Sat, 29 Jul 2017 15:50:53 -0400

Sorry, should have included a record from the u2spewfoo output.

(Event)
        Snort ID: 0     Event ID: 207   Seconds: 1501355410.399061
        Policy ID:      Context: 0      Inspect: 0      Detect: 0
        Rule 1:2012887:2        Class: 33       Priority: 1
MPLS Label: 0 VLAN ID: 0 IP Version: 0x44 IP Proto: 255
        Src IP: 192.168.254.2   Port: 62043
        Dst IP: 54.210.126.134  Port: 80
        App Name: none
        Status: allow   Action: dtop

Buffer
        sensor_id: 0    event_id: 207   event_second: 1501355410
        packet_second: 1501355410       packet_microsecond: 399061
        packet_length: 198
[    0] 5B 20 7B 20 22 75 72 6C 22 3A 22 68 74 74 70 3A  [ { "url":"http:
[   16] 2F 2F 64 79 6E 75 70 64 61 74 65 2E 6E 6F 69 70 //dynupdate.noip
[   32] 2E 63 6F 6D 2F 64 75 63 75 70 64 61 74 65 2E 70 .com/ducupdate.p
[   48] 68 70 3F 75 73 65 72 6E 61 6D 65 25 33 64 43 33 hp?username%3dC3
[   64] 41 33 32 36 31 32 34 38 31 25 32 36 68 25 35 62 A32612481%26h%5b
[   80] 25 35 64 25 33 64 6D 61 69 6C 2E 77 34 62 71 70 %5d%3dmail.w4bqp
[   96] 2E 6E 65 74 25 32 36 67 25 35 62 25 35 64 25 33 .net%26g%5b%5d%3
[  112] 64 47 65 6E 65 72 61 6C 25 32 36 69 70 25 33 64 dGeneral%26ip%3d
[  128] 31 37 33 2E 31 38 38 2E 31 37 30 2E 31 38 32 25 173.188.170.182%
[  144] 32 36 70 61 73 73 25 33 64 48 4D 41 43 25 37 62 26pass%3dHMAC%7b
[  160] 31 77 70 63 77 67 65 6E 36 6B 64 76 78 62 6C 66 1wpcwgen6kdvxblf
[  176] 76 72 31 69 65 73 75 64 34 6E 61 25 33 64 25 37 vr1iesud4na%3d%7
[  192] 64 22 20 7D 20 5D                                d" } ]

And the rule that triggered this event:

drop tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; http_client_body; content:"pass=",nocase; classtype:policy-violation; sid:2012887; rev:2; )

Also, my Snort IPS is running inline between my DSL modem and my firewall.

On 7/29/2017 3:09 PM, Jim Campbell wrote:
I built and installed DAQ v.2.2.2 and Snort++ Build 239. I used all the configuration and rules files that had worked with the previous build of Snort.

jim@jim-IPS:~$ sudo /opt/snort/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 239) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using libpcap version 1.7.4
           Using LuaJIT version 2.0.4
           Using PCRE version 8.40 2017-01-11
           Using ZLIB version 1.2.8
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.1.0f  25 May 2017
           Using Hyperscan version 4.4.0 2017-07-15

Snort is outputting a Unified2 file and the u2spewfoo output of that file looks normal.

I had stopped and restarted Barnyard2 as part of my updating Snort. Barnyard2 isn't happy and is outputting only the following type record as per /var/log/syslog:

"Jul 29 14:57:42 jim-IPS barnyard2[32016]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x94de270], information has not been outputed."

Any thoughts as to what I either didn't do or did incorrectly?

Thanks,

Jim
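As an added example (not from Jim's post or the Snort project), a Python parser for the u2spewfoo text layout shown above: it decodes the hex dump back to bytes, checks the offsets and packet_length, and pulls the query parameters out of the logged URL so a "pass= in cleartext" hit can be triaged with the value masked. The sample record, host and values are constructed placeholders, and the credential key names are an assumption.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in u2spewfoo's layout; host, user and password are
# placeholders, not the record or the credentials from the post.
SAMPLE = """(Event)
        Src IP: 192.168.254.2   Port: 62043
        Dst IP: 198.51.100.10   Port: 80
Buffer
        packet_length: 71
[    0] 5B 20 7B 20 22 75 72 6C 22 3A 22 68 74 74 70 3A  [ { "url":"http:
[   16] 2F 2F 65 78 61 6D 70 6C 65 2E 69 6E 76 61 6C 69  //example.invali
[   32] 64 2F 75 2E 70 68 70 3F 75 73 65 72 25 33 64 62  d/u.php?user%3db
[   48] 6F 62 25 32 36 70 61 73 73 25 33 64 73 65 63 72  ob%26pass%3dsecr
[   64] 65 74 22 20 7D 20 5D                              et" } ]
"""
HEX_LINE = re.compile(r"^\[\s*(\d+)\]\s")        # "[   16] " dump lines
FIELD = re.compile(r"([A-Za-z_ ]+?):\s*(\S+)")    # "key: value" pairs
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_record(text):
    """Return (header fields, payload bytes) for one record; later keys overwrite."""
    fields, payload = {}, bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:                                  # header line: collect key/value pairs
            for key, val in FIELD.findall(line):
                fields[key.strip()] = val
            continue
        if int(m.group(1)) != len(payload):
            raise ValueError(f"offset {m.group(1)} does not follow {len(payload)} bytes")
        # 16 columns of "%02X " (48 chars); stop at the first non-hex token so the
        # ASCII column of a short last line is never mistaken for data
        for tok in line[m.end():m.end() + 48].split():
            if not HEX_PAIR.fullmatch(tok):
                break
            payload.append(int(tok, 16))
    if len(payload) != int(fields["packet_length"]):
        raise ValueError("decoded bytes do not match packet_length")
    return fields, bytes(payload)
def logged_url(payload):
    """The buffer is a JSON list of {"url": ...} (as in the post); return the URL."""
    return json.loads(payload.decode("ascii"))[0]["url"]
def query_params(url):
    """Query is percent-encoded as a whole (%3d, %26): unquote before splitting."""
    return dict(parse_qsl(unquote(urlsplit(url).query), keep_blank_values=True))
def cleartext_credentials(params, keys=("pass", "passwd", "password", "pwd")):
    """Credential-looking parameters (assumed key names), values masked for the ticket."""
    return {k: "*" * len(v) for k, v in params.items() if k.lower() in keys}
```

Without the `unquote` step, `parse_qsl` sees a single token with no `=` and returns nothing, which is exactly the shape of the record in the post.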

