Snort mailing list archives

Re: Snort-devel Digest, Vol 65, Issue 3


From: Parbat Bhatiya via Snort-devel <snort-devel () lists snort org>
Date: Fri, 11 Nov 2022 03:01:19 +0530

Hello,

Here are the attached screenshots:


[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Alerts.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Global-Settings.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Interface-Settings-WAN-Rules.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Interface-Settings-WAN-Categories.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-WAN-Interface-Settings.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Interfaces.png]

On Fri, Nov 11, 2022 at 1:11 AM <snort-devel-request () lists snort org> wrote:

Send Snort-devel mailing list submissions to
        snort-devel () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
        snort-devel-request () lists snort org

You can reach the person managing the list at
        snort-devel-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-devel digest..."


Today's Topics:

   1. Re: Snort-devel Digest, Vol 65, Issue 1
      (Adrian Mamolea (admamole))


----------------------------------------------------------------------

Message: 1
Date: Wed, 9 Nov 2022 18:39:07 +0000
From: "Adrian Mamolea (admamole)" <admamole () cisco com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 65, Issue 1
Message-ID: <SN6PR11MB32299E0E5C012CD87C4B27C0C23E9 () SN6PR11MB3229 namprd11 prod outlook com>


Content-Type: text/plain; charset="utf-8"

Hello Parbat,

What version of Snort is pfsense using?
Could you:
- describe what you are trying to do,
- provide a copy of the snort configuration including policy files
- provide a log extract for the issue.

Thanks,
Adrian

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of
Parbat Bhatiya via Snort-devel
Sent: Monday, November 7, 2022 4:15 PM
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 65, Issue 1

Hello, can anybody help me

or guide me? I have pfSense installed with a public IP.

If I transfer from one VM to another VM, or from another network to a VM, via SSH copy or some
similar activity,

even my own IP gets blocked, with alerts like


T SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or
Infec

(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

ET SCAN Potential SSH Scan

misc activity misc unknown traffic

detection of network scan

ET POLICY RDP connection confirm

Like this and many more. Can anyone guide me, or is there something I can do so that normal
behaviour is allowed and only critical or risky operations get blocked? Is that possible?




On Tue, Nov 8, 2022 at 12:22 AM <snort-devel-request () lists snort org> wrote:


Today's Topics:

   1. Snort 3 output to linux journal is buffered? (Neville, Andrew)


----------------------------------------------------------------------

Message: 1
Date: Mon, 7 Nov 2022 15:08:59 +0000
From: "Neville, Andrew" <Andrew.Neville () fujitsu co uk>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 output to linux journal is buffered?
Message-ID: <CWLP123MB46741BEB8A47A238FF834F2FDE3C9 () CWLP123MB4674 GBRP123 PROD OUTLOOK COM>


Content-Type: text/plain; charset="us-ascii"

Hi,

I'm looking for some help with a slightly odd behaviour we see when
running Snort 3 as a systemd service.

When Snort3 is started from a simple systemd service definition it does
not immediately show its normal full startup information in the journal.
I'm expecting approximately 300 lines ending with "Commencing packet
processing" and then the list of interfaces it's monitoring, but I don't get
all lines - only around 230-ish lines.

The only way to get the remaining output seems to be to make Snort write
something else to the journal, like sending it a USR1 signal.

And actually, in response to the USR1 signal, again we see only some of
the USR1 runtime information written to the journal. We have to send
the USR1 signal twice in order to make sure we immediately get all the
output from the first signal.

When running Snort in the foreground, all the expected output is displayed
on the terminal immediately. Similarly, starting Snort3 at the command
line, but putting it into the background, still allows all the startup and
USR1 information to display fully.

The most recent test I've tried is with Snort3 compiled on a basic CentOS
8 Stream VM, following the guide from snort.org,
with a really vanilla configuration as far as I can tell (registered rules
were loaded).

snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.43.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.9
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1k  FIPS 25 Mar 2021
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.42 2018-03-20
           Using ZLIB version 1.2.11
           Using Hyperscan version 5.3.0 2020-08-10
           Using LZMA version 5.2.4

As far as I know this behaviour is not a result of any journald
configuration (I just have the default) and we have seen the same
behaviour with Alma and Ubuntu too.

Anyone have any pointers please??

Thanks,

Andrew.


Andrew Neville

Defence & National Security

Fujitsu
Jays Close, Viables Industrial Estate, Basingstoke, Hampshire, RG22 4BY
Email: andrew.neville () fujitsu co uk




Unless otherwise stated, this email has been sent from Fujitsu Services
Limited (registered in England No 96056); Fujitsu EMEA PLC (registered in
England No 2216100) both with registered offices at: 22 Baker Street,
London W1U 3BW; PFU (EMEA) Limited, (registered in England No 1578652)
registered offices at: Belmont, Belmont Road, Uxbridge, England, UB8 1HE
and Fujitsu Research of Europe Ltd (registered in England No. 4153469) 4th
Floor, Building 3, Hyde Park Hayes, 11 Millington Road, Hayes, UB3 4AZ.

This email is only for the use of its intended recipient. Its contents are
subject to a duty of confidence and may be privileged. Fujitsu does not
guarantee that this email has not been intercepted and amended or that it
is virus-free.

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel


------------------------------

End of Snort-devel Digest, Vol 65, Issue 1
******************************************

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel


------------------------------

End of Snort-devel Digest, Vol 65, Issue 3
******************************************

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
