Snort mailing list archives
Re: Snort++ Build 239
From: Jim Campbell <jim () w4bqp net>
Date: Sat, 29 Jul 2017 15:50:53 -0400
Sorry, should have included a record from the u2spewfoo output.

(Event)
    Snort ID: 0    Event ID: 207    Seconds: 1501355410.399061
    Policy ID:     Context: 0       Inspect: 0    Detect: 0
    Rule 1:2012887:2    Class: 33    Priority: 1
    MPLS Label: 0    VLAN ID: 0    IP Version: 0x44    IP Proto: 255
    Src IP: 192.168.254.2    Port: 62043
    Dst IP: 54.210.126.134   Port: 80
    App Name: none    Status: allow    Action: dtop

Buffer
    sensor_id: 0    event_id: 207    event_second: 1501355410
    packet_second: 1501355410    packet_microsecond: 399061    packet_length: 198

[  0] 5B 20 7B 20 22 75 72 6C 22 3A 22 68 74 74 70 3A  [ { "url":"http:
[ 16] 2F 2F 64 79 6E 75 70 64 61 74 65 2E 6E 6F 69 70  //dynupdate.noip
[ 32] 2E 63 6F 6D 2F 64 75 63 75 70 64 61 74 65 2E 70  .com/ducupdate.p
[ 48] 68 70 3F 75 73 65 72 6E 61 6D 65 25 33 64 43 33  hp?username%3dC3
[ 64] 41 33 32 36 31 32 34 38 31 25 32 36 68 25 35 62  A32612481%26h%5b
[ 80] 25 35 64 25 33 64 6D 61 69 6C 2E 77 34 62 71 70  %5d%3dmail.w4bqp
[ 96] 2E 6E 65 74 25 32 36 67 25 35 62 25 35 64 25 33  .net%26g%5b%5d%3
[112] 64 47 65 6E 65 72 61 6C 25 32 36 69 70 25 33 64  dGeneral%26ip%3d
[128] 31 37 33 2E 31 38 38 2E 31 37 30 2E 31 38 32 25  173.188.170.182%
[144] 32 36 70 61 73 73 25 33 64 48 4D 41 43 25 37 62  26pass%3dHMAC%7b
[160] 31 77 70 63 77 67 65 6E 36 6B 64 76 78 62 6C 66  1wpcwgen6kdvxblf
[176] 76 72 31 69 65 73 75 64 34 6E 61 25 33 64 25 37  vr1iesud4na%3d%7
[192] 64 22 20 7D 20 5D                                d" } ]

And the rule that triggered this event:

drop tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; http_client_body; content:"pass=",nocase; classtype:policy-violation; sid:2012887; rev:2; )
Also, my Snort IPS is running inline between my DSL modem and my firewall.

On 7/29/2017 3:09 PM, Jim Campbell wrote:

I built and installed DAQ v.2.2.2 and Snort++ Build 239. I used all the configuration and rules files that had worked with the previous build of Snort.

jim@jim-IPS:~$ sudo /opt/snort/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 239) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using libpcap version 1.7.4
           Using LuaJIT version 2.0.4
           Using PCRE version 8.40 2017-01-11
           Using ZLIB version 1.2.8
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.1.0f 25 May 2017
           Using Hyperscan version 4.4.0 2017-07-15

Snort is outputting a Unified2 file and the u2spewfoo output of that file looks normal.

I had stopped and restarted Barnyard2 as part of my updating Snort. Barnyard2 isn't happy and is outputting only the following type of record as per /var/log/syslog:

"Jul 29 14:57:42 jim-IPS barnyard2[32016]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x94de270], information has not been outputed."

Any thoughts as to what I either didn't do or did incorrectly?

Thanks,
Jim
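A decoded view of the record above, as an added example that is not part of Jim's post or of Snort/Barnyard2: a small Python helper that rebuilds the 198-byte body from the u2spewfoo hex rows and percent-decodes the URL it carries. It shows that the raw bytes hold `pass%3d` rather than the literal `pass=` that sid:2012887 names, and which query parameters an analyst should treat as credentials when handling or sharing such a record.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Packet dump copied from the u2spewfoo record in the post (event 207, 198 bytes).
U2_DUMP = """\
[  0] 5B 20 7B 20 22 75 72 6C 22 3A 22 68 74 74 70 3A  [ { "url":"http:
[ 16] 2F 2F 64 79 6E 75 70 64 61 74 65 2E 6E 6F 69 70  //dynupdate.noip
[ 32] 2E 63 6F 6D 2F 64 75 63 75 70 64 61 74 65 2E 70  .com/ducupdate.p
[ 48] 68 70 3F 75 73 65 72 6E 61 6D 65 25 33 64 43 33  hp?username%3dC3
[ 64] 41 33 32 36 31 32 34 38 31 25 32 36 68 25 35 62  A32612481%26h%5b
[ 80] 25 35 64 25 33 64 6D 61 69 6C 2E 77 34 62 71 70  %5d%3dmail.w4bqp
[ 96] 2E 6E 65 74 25 32 36 67 25 35 62 25 35 64 25 33  .net%26g%5b%5d%3
[112] 64 47 65 6E 65 72 61 6C 25 32 36 69 70 25 33 64  dGeneral%26ip%3d
[128] 31 37 33 2E 31 38 38 2E 31 37 30 2E 31 38 32 25  173.188.170.182%
[144] 32 36 70 61 73 73 25 33 64 48 4D 41 43 25 37 62  26pass%3dHMAC%7b
[160] 31 77 70 63 77 67 65 6E 36 6B 64 76 78 62 6C 66  1wpcwgen6kdvxblf
[176] 76 72 31 69 65 73 75 64 34 6E 61 25 33 64 25 37  vr1iesud4na%3d%7
[192] 64 22 20 7D 20 5D                                d" } ]
"""
PACKET_LENGTH = 198  # packet_length field of the same record

ROW_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")

def parse_u2_dump(dump, packet_length):
    """Rebuild the raw payload from u2spewfoo's '[offset] hex... ascii' rows.
    The offset places each chunk, the 16-pair cap stops the ASCII column from
    being read as hex, and packet_length trims the short final row."""
    buf = bytearray(packet_length)
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1))
        pairs = re.findall(r"\b[0-9A-F]{2}\b", m.group(2))[:16]
        chunk = bytes.fromhex("".join(pairs))[:max(0, packet_length - offset)]
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)

def sensitive_query_params(payload, names=("pass", "password")):
    """Percent-decode each URL in the body and return the credential
    parameters it carries. The raw bytes hold 'pass%3d', which is the
    'pass=' that sid:2012887 looks for once decoded."""
    found = {}
    for url in re.findall(r'https?://[^"\s]+', payload.decode("ascii", "replace")):
        for key, values in parse_qs(urlsplit(unquote(url)).query).items():
            if key.lower() in names:
                found[key] = values
    return found
```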