Snort mailing list archives
Re: Snort-users digest, Vol 1 #753 - 13 msgs
From: "ORA" <LSMITH147 () nc rr com>
Date: Mon, 25 Jun 2001 19:07:26 -0400
KDB is the biggest snort of all. I'm having loads of fun how's the blowy cty? snort snort...I'm doing fine thank you and so are the kids...thanks for asking....got class info on this snort person and I can't wait to give them that surprise...

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Monday, June 25, 2001 6:33 PM
Subject: Snort-users digest, Vol 1 #753 - 13 msgs
Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit http://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Unix Review writeup on Snort (Erek Adams)
   2. cachemgr.cgi (Max Vision)
   3. A script to store ips and hostnames in the event table (Alain Tésio)
   4. Different Rel DB for snort? (Patrick Smallwood)
   5. Re: Tcpdump, alerts and portscans (Erik Fichtner)
   6. Re: Stopping particular rules (Joe McAlerney)
   7. Re: Stopping particular rules (GeEk)
   8. RE: Tcpdump, alerts and portscans (Jason Lewis)
   9. Re: Tcpdump, alerts and portscans (Erik Fichtner)
  10. Re: [ACID] - trying to keep up (Ian Jones)
  11. RE: Tcpdump, alerts and portscans (Jason Lewis)
  12. VECNA name (Jenkinson, John P (SAIC))
  13. Re: VECNA name (Joe McAlerney)

--__--__--

Message: 1
Date: Mon, 25 Jun 2001 12:06:31 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Snorters Anonymous <snort-users () lists sourceforge net>
Subject: [Snort-users] Unix Review writeup on Snort

http://www.unixreview.com/articles/2001/0106/0106j/0106j.htm

:)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

Message: 2
Date: Mon, 25 Jun 2001 12:14:24 -0700 (PDT)
From: Max Vision <vision () whitehats com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] cachemgr.cgi

All,

I am under an *enormous* amount of pressure right now and I don't want to blow up over some stupid flame... so I'll keep it really short.

A user posted a question about a couple of exploits:
http://whitehats.com/cgi/forum/messages.cgi?bbs=get_topic&f=2&t=000040

I asked for clarification... then went and searched for information about the Squid cachemgr.cgi vulnerability, and then ran the query/attack and grabbed the packet, then wrote up the signature. I posted it to the forum. No big deal.

Take care,
Max

---------- Forwarded message ----------
Date: Mon, 25 Jun 2001 11:19:40 -0700 (PDT)
From: feedback <info () whitehats com>
To: vision () whitehats com
Subject: ** Whitehats FEEDBACK **

comments: I would like to thank you for not giving credit where credit is due. Since credit is such an important thing to arachNIDS, I feel it is important to relay the signatures that I have written for snort in an informed manner.
If you check the snort CVS logs, I added the latest cachemgr.cgi signature on 2001/05/20. While this signature was not complicated, I still added it over a month before arachNIDS. Since Max felt justified in bitching about my stealing credit (which I never did) I feel it is important to bring this up.

IP Info: 129.83.19.1
Via: by http://webproxy1.mitre.org:80 (Netscape-Proxy/3.52)
Referer: http://www.whitehats.com/contact.html

--__--__--

Message: 3
From: Alain Tésio <alain () onesite org>
To: "ML Snort" <snort-users () lists sourceforge net>
Date: Mon, 25 Jun 2001 21:25:52 +0200
Subject: [Snort-users] A script to store ips and hostnames in the event table

Hi,

I'm not sure if anyone is interested in this. I've added the ips and the hostnames in the event table; the fields are updated by a script, see below for an example.

Get the scripts from ftp://onesite.org/pub/snort.tar.gz, change the connection parameters and launch snort.py; it updates new rows. Apply the patch in a comment at the top of snort.py first to add new columns and indexes.

It doesn't reuse already stored resolved hostnames (they should be in the dns cache, right ?)

If anyone is using it tell me. I wrote it on Linux Debian with Python 2.1 and MySQLdb

Alain

mysql> select * from event limit 3;
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
| sid | cid | signature                              | timestamp           | ip_src         | ip_dst         | dns_src              | dns_dst              |
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
|   1 |   1 | ICMP Echo Request CyberKit 2.2 Windows | 2001-05-26 16:28:23 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
|   1 |   2 | ICMP Echo Reply                        | 2001-05-26 16:28:23 | 64.242.40.20   | 172.173.75.254 | ns.floc.net          | ACAD4BFE.ipt.aol.com |
|   1 |   3 | ICMP Echo Request Windows              | 2001-05-26 16:44:06 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
+-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
3 rows in set (0.01 sec)

--__--__--

Message: 4
To: snort-users () lists sourceforge net
From: "Patrick Smallwood" <smalwood () us ibm com>
Date: Mon, 25 Jun 2001 12:32:13 -0700
Subject: [Snort-users] Different Rel DB for snort?

Hello, for some testing/experience, I would like to run snort on SQL 7.0 for a while. Since they (SQL 7 and mySQL) are both relational DB's, can I build the same db schema in SQL Server and run snort using it? I have done some searching around, but didn't find anything on this.

Thanks
Pat

--__--__--

Message: 5
Date: Mon, 25 Jun 2001 16:17:02 -0400
From: Erik Fichtner <emf () servervault com>
To: Jason Lewis <jlewis () jasonlewis net>
Cc: snort-users () lists sourceforge net, "'Phil Wood'" <cpw () lanl gov>
Subject: Re: [Snort-users] Tcpdump, alerts and portscans
Reply-To: emf () servervault com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
> Maybe I can log portscans to a file and then insert those into ACID? It
> doesn't look like there is anything fancy happening with portscans when
> they
> are put into ACID normally? Does that sound like it might work?

Nope. Take a look at the code for spp_portscan.c

It doesn't insert the actual packets. It does call Call(Alert|Log)Funcs() with status messages (eg. begin/end portscan from ...). Frankly, this doesn't at all resemble a well-behaved plugin.

Now then, I did spend a couple of hours a while back trying to fix this, but I got mired in a maze of twisty pointers all alike, and then got sidetracked and have not completed the work. This does really annoy me, though, and if no one else does it, I'll probably end up finishing it at some point, although no guarantees when.

Although, I'm happy to pass off my current code to whoever wants to take it... the short version of the story is that in struct ConnectionInfo, you take out the unused u_char *packetData, and you put in a Packet *packet, then in NewConnection() and RemoveConnection() you play the malloc/bcopy/free game to stash copies of the packets until later on when you actually call LogScanInfoToSeparateFile() where you then CallLogFuncs(currentConnection->packet, "portscan data", NULL, &event); right around the same place that you sprintf() to the portscan.log file (I didn't want to take out any current functionality at the moment, although in the long term, portscan.log is useless IMHO)

...whew..... And I suspect that it's slow and memory intensive in addition to its current buggy state. The real problem is that *packet points to half a dozen other things, and it becomes a memory tracking mess.

If anyone has better ideas, I'm open to suggestion..

- --
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7N5w9Q7EzrewLMS0RArGjAJ9ImBkh+CSWg4JraRl52WDLl/3l9ACfTmm0
K6a81mIUTd/x9g4pX9msigg=
=azPS
-----END PGP SIGNATURE-----

--__--__--

Message: 6
Date: Mon, 25 Jun 2001 10:20:38 -0700
From: Joe McAlerney <joey () SiliconDefense com>
To: Bennett Samowich <brs () ben-tech com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Stopping particular rules

Hello Bennett,

I'm not sure why you are still seeing them when the includes are commented out. Perhaps there are some hidden in other .rules files like Kiira said. As far as your pass rule, you must use -o to change the rule ordering, or the "alert" icmp rules will take precedence.

Happy Snorting,

-Joe M.

--
| Joe McAlerney     joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/                |
+--                                           --+

Bennett Samowich wrote:
> Greetings,
>
> I am getting an exorbitant amount of ICMP alerts and want to temporarily
> turn them off. I have tried commenting out the include for the ICMP rules
> from snort.conf as well as adding a pass line to local.rules. Neither of
> these seem to stop the influx of ICMP alerts. Any ideas on what I am doing
> wrong?
>
> My local.rules has:
>
> # Pass any ICMP traffic temporarily
> pass icmp any any -> any any (msg: "temporarily disabled";)
>
> My snort.conf has:
>
> ...snip...
> # Pass any local ICMP traffic
> # Be sure you have created a local.rules file
> # for your includes/ignores, etc.
> #===============================================
> include local.rules
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include backdoor.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include netbios.rules
> include sql.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-misc.rules
> include web-iis.rules
> # include icmp.rules
> include misc.rules
> include policy.rules
> include info.rules
> include virus.rules
> # Include the WhiteHats Vision rules here
> # include vision.rules
> ...snip...
>
> - Bennett
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 7
Date: Mon, 25 Jun 2001 13:58:23 -0400 (EDT)
From: "GeEk" <koolman () visi0n net>
To: "Joe McAlerney" <joey () SiliconDefense com>
Cc: "Bennett Samowich" <brs () ben-tech com>,
    snort-users () lists sourceforge net
Reply-To: <bcarpio () qwest net>
Subject: Re: [Snort-users] Stopping particular rules

Like Joe said you need your -o option to get the custom ICMP rule you created to work (because the -o option makes pass rules take precedence). Also not all of the rules pertaining to ICMP are in the same file, some are in misc.rules and info.rules

--
LinSys
-----
When you die and your life flashes before your eyes does that include the part where your life flashes before your eyes?
-----

On Mon, 25 Jun 2001, Joe McAlerney wrote:
> Hello Bennett,
>
> I'm not sure why you are still seeing them when the includes are commented
> out. Perhaps there are some hidden in other .rules files like Kiira said.
> As far as your pass rule, you must use -o to change the rule ordering, or
> the "alert" icmp rules will take precedence.
>
> Happy Snorting,
>
> -Joe M.

--__--__--

Message: 8
Reply-To: <jlewis () jasonlewis net>
From: "Jason Lewis" <jlewis () jasonlewis net>
To: <snort-users () lists sourceforge net>
Cc: "'Phil Wood'" <cpw () lanl gov>, <emf () servervault com>
Subject: RE: [Snort-users] Tcpdump, alerts and portscans
Date: Mon, 25 Jun 2001 17:02:13 -0400

Hmmmm....... Well how about something that does analysis on the tcpdump file to detect portscans? Maybe even something to correlate data once it is in ACID? Is anyone doing any work along these lines?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erik Fichtner
Sent: Monday, June 25, 2001 4:17 PM
To: Jason Lewis
Cc: snort-users () lists sourceforge net; 'Phil Wood'
Subject: Re: [Snort-users] Tcpdump, alerts and portscans

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
>> Maybe I can log portscans to a file and then insert those into ACID? It
>> doesn't look like there is anything fancy happening with portscans when
>> they are put into ACID normally? Does that sound like it might work?
>
> Nope. Take a look at the code for spp_portscan.c
>
> It doesn't insert the actual packets. It does call Call(Alert|Log)Funcs()
> with status messages (eg. begin/end portscan from ...). Frankly, this
> doesn't at all resemble a well-behaved plugin.
>
> Now then, I did spend a couple of hours a while back trying to fix this,
> but I got mired in a maze of twisty pointers all alike, and then got
> sidetracked and have not completed the work. This does really annoy me,
> though, and if no one else does it, I'll probably end up finishing it at
> some point, although no guarantees when.
>
> Although, I'm happy to pass off my current code to whoever wants to take
> it... the short version of the story is that in struct ConnectionInfo, you
> take out the unused u_char *packetData, and you put in a Packet *packet,
> then in NewConnection() and RemoveConnection() you play the
> malloc/bcopy/free game to stash copies of the packets until later on when
> you actually call LogScanInfoToSeparateFile() where you then
> CallLogFuncs(currentConnection->packet, "portscan data", NULL, &event);
> right around the same place that you sprintf() to the portscan.log file
> (I didn't want to take out any current functionality at the moment,
> although in the long term, portscan.log is useless IMHO)
>
> ...whew..... And I suspect that it's slow and memory intensive in addition
> to its current buggy state. The real problem is that *packet points to
> half a dozen other things, and it becomes a memory tracking mess.
>
> If anyone has better ideas, I'm open to suggestion..
>
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7N5w9Q7EzrewLMS0RArGjAJ9ImBkh+CSWg4JraRl52WDLl/3l9ACfTmm0
> K6a81mIUTd/x9g4pX9msigg=
> =azPS
> -----END PGP SIGNATURE-----

--__--__--

Message: 9
Date: Mon, 25 Jun 2001 17:20:30 -0400
From: Erik Fichtner <emf () servervault com>
To: Jason Lewis <jlewis () jasonlewis net>
Cc: snort-users () lists sourceforge net, "'Phil Wood'" <cpw () lanl gov>
Subject: Re: [Snort-users] Tcpdump, alerts and portscans
Reply-To: emf () servervault com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
> Hmmmm....... Well how about something that does analysis on the tcpdump
> file to detect portscans? Maybe even something to correlate data once it is
> in ACID?

Uh.. I don't think you want to do that. You'd have to basically capture all your network traffic and stash it in the db and then have tools grovelling over it... you'd never catch up.. (Hmm. sounds like WebTr***s...)

- --
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7N6seQ7EzrewLMS0RAlXGAKDNYYIUSB3jcwE+35afId/GsKHBAACfQHUI
6zH4iQ9Pv/JVJEWjNFCpCKw=
=T0Bz
-----END PGP SIGNATURE-----

--__--__--

Message: 10
From: "Ian Jones" <ian () dsl081-056-052 dsl-isp net>
To: <rdanyliw () voicenet com>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] [ACID] - trying to keep up
Date: Mon, 25 Jun 2001 14:20:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Creating database:
> bash# mysql snort< create_mysql
> ERROR 1121 at line 34: Column 'sig_class_id' is used with UNIQUE or INDEX but is not defined as NOT NULL

> When I try to click on and use acid_stat_ipaddr.php:
> Database ERROR:You have an error in your SQL syntax near 'ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) WHERE ( (ip_src=1079064628) OR ' at line 1

Both of the above errors were corrected by MySQL upgrade to latest. Sorry to have wasted your time. Perhaps it might be useful to make a table on the ACID website listing version dependencies (or known working configurations). This might help to avoid stupid questions. Of course it would be even nicer if you could get users to read the README :)

Thanks for responding.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.
iQA/AwUBOzerLMAVSpfzXItKEQI0DACdEM11WOX7DlOTqUf+2sKi/rkMfk8AnimX
IKFSm2eOL9P/hiX/bKT/jUkz
=P7yT
-----END PGP SIGNATURE-----

--__--__--

Message: 11
Reply-To: <jlewis () jasonlewis net>
From: "Jason Lewis" <jlewis () jasonlewis net>
To: <emf () servervault com>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Tcpdump, alerts and portscans
Date: Mon, 25 Jun 2001 17:50:05 -0400

Actually that is what I want to do. I am in the middle of writing a paper on configuring multiple sensors with a central console box. The sensors are logging in tcpdump format and the master console pulls that info from the sensors and replays it through snort. The master console is running ACID and all the sensor data is stored in the db. This removes any extra load on the sensors and the master console is dedicated to crunching data.

I have successfully done the replay but the portscan info isn't showing up. It isn't that important to me, but I know I will get questions. So, I am looking for an alternative way of getting portscan info into ACID. I don't like the other methods of consolidating sensor data. I think tcpdump is the way to go, the portscan stuff is a detail.

I can't believe I am the first to have this problem.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: Erik Fichtner [mailto:emf () servervault com]
Sent: Monday, June 25, 2001 5:21 PM
To: Jason Lewis
Cc: snort-users () lists sourceforge net; 'Phil Wood'
Subject: Re: [Snort-users] Tcpdump, alerts and portscans

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
>> Hmmmm....... Well how about something that does analysis on the tcpdump
>> file to detect portscans? Maybe even something to correlate data once it
>> is in ACID?
>
> Uh.. I don't think you want to do that. You'd have to basically capture
> all your network traffic and stash it in the db and then have tools
> grovelling over it... you'd never catch up.. (Hmm. sounds like
> WebTr***s...)
>
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7N6seQ7EzrewLMS0RAlXGAKDNYYIUSB3jcwE+35afId/GsKHBAACfQHUI
> 6zH4iQ9Pv/JVJEWjNFCpCKw=
> =T0Bz
> -----END PGP SIGNATURE-----

--__--__--

Message: 12
From: "Jenkinson, John P (SAIC)" <JenkinJp () BP com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Mon, 25 Jun 2001 17:11:38 -0500
Subject: [Snort-users] VECNA name

Jun 25 11:28:34 a.b.c.78:57144 -> x.y.z.12:1100 VECNA 12U*****

i see the conditions for the VECNA name from spp_portscan.c
what is the reason for the name VECNA?

--__--__--

Message: 13
Date: Mon, 25 Jun 2001 15:32:53 -0700
From: Joe McAlerney <joey () SiliconDefense com>
To: "Jenkinson, John P (SAIC)" <JenkinJp () BP com>
Cc: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] VECNA name

The person credited with discovering those types of scans. More on this...

http://marc.theaimsgroup.com/?l=snort-users&m=97561905506520&w=2

-Joe M.

--
| Joe McAlerney     joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/                |
+--                                           --+

"Jenkinson, John P (SAIC)" wrote:
> Jun 25 11:28:34 a.b.c.78:57144 -> x.y.z.12:1100 VECNA 12U*****
>
> i see the conditions for the VECNA name from spp_portscan.c
> what is the reason for the name VECNA?

--__--__--

End of Snort-users Digest
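Erik Fichtner's sketch in messages 5 and 8 (replace the unused u_char *packetData in struct ConnectionInfo with a Packet *packet, stash a copy in NewConnection(), release it in RemoveConnection()) and his warning that "*packet points to half a dozen other things" are worth seeing in code. The following is an added C example written for this archive page; it is not Snort's spp_portscan.c and not Erik's patch. Packet, ConnectionInfo, packet_clone(), NewConnection(), RemoveConnections() and the 64-byte capture buffer are all hypothetical stand-ins, reduced to the fields needed to show the one point that matters: a stashed packet must be a deep copy whose interior pointers are rebased into the copy, because a shallow copy keeps pointing into the capture buffer that the next frame overwrites.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, much-reduced stand-in for Snort's Packet: it owns nothing,
 * its header pointers point into the capture buffer pkt that libpcap reuses. */
typedef struct {
    const uint8_t *pkt;      /* raw frame bytes */
    uint32_t       pkth_len; /* captured length */
    const uint8_t *iph;      /* IP header, inside pkt */
    const uint8_t *tcph;     /* TCP header, inside pkt */
    const uint8_t *data;     /* payload, inside pkt */
    uint16_t       dsize;    /* payload length */
} Packet;

/* Hypothetical stand-in for spp_portscan's ConnectionInfo after the thread's
 * change: u_char *packetData replaced by a Packet *packet. */
typedef struct ConnectionInfo {
    uint32_t sip, dip;
    uint16_t sport, dport;
    Packet  *packet;              /* private copy owned by this node */
    struct ConnectionInfo *next;
} ConnectionInfo;

/* Deep copy: copy the raw bytes, then rebase every interior pointer by its
 * offset from the old buffer.  A shallow struct copy would leave iph/tcph/data
 * pointing into the capture buffer that the next frame overwrites. */
Packet *packet_clone(const Packet *src)
{
    Packet  *dst = malloc(sizeof *dst);
    uint8_t *buf = malloc(src->pkth_len);
    if (dst == NULL || buf == NULL) { free(dst); free(buf); return NULL; }
    memcpy(buf, src->pkt, src->pkth_len);
    *dst = *src;
    dst->pkt  = buf;
    dst->iph  = src->iph  ? buf + (src->iph  - src->pkt) : NULL;
    dst->tcph = src->tcph ? buf + (src->tcph - src->pkt) : NULL;
    dst->data = src->data ? buf + (src->data - src->pkt) : NULL;
    return dst;
}

/* A clone has exactly two allocations to release. */
void packet_free(Packet *p)
{
    if (p == NULL) return;
    free((void *)p->pkt);
    free(p);
}

/* NewConnection(): prepend a node that stashes its own copy of the packet. */
ConnectionInfo *NewConnection(ConnectionInfo *head, const Packet *p, uint32_t sip,
                              uint32_t dip, uint16_t sport, uint16_t dport)
{
    ConnectionInfo *c = calloc(1, sizeof *c);
    if (c == NULL) return head;
    c->packet = packet_clone(p);
    if (c->packet == NULL) { free(c); return head; }
    c->sip = sip; c->dip = dip; c->sport = sport; c->dport = dport;
    c->next = head;
    return c;
}

/* RemoveConnection() over the whole list: each node frees its own packet. */
void RemoveConnections(ConnectionInfo *head)
{
    while (head != NULL) {
        ConnectionInfo *next = head->next;
        packet_free(head->packet);
        free(head);
        head = next;
    }
}

/* 1 if every interior pointer of p lies inside p's own buffer. */
int packet_self_contained(const Packet *p)
{
    const uint8_t *lo = p->pkt, *hi = p->pkt + p->pkth_len;
    return p->iph >= lo && p->iph < hi && p->tcph >= lo && p->tcph < hi &&
           p->data >= lo && p->data + p->dsize <= hi;
}

/* Stash one constructed frame, then overwrite the capture buffer as libpcap
 * would on the next frame; returns 1 if the stashed copy is still intact. */
int demo_stash_survives_buffer_reuse(void)
{
    uint8_t capbuf[64];                        /* constructed capture buffer */
    memset(capbuf, 0xAA, sizeof capbuf);
    capbuf[54] = 'S';                          /* first payload byte */
    Packet live = { capbuf, sizeof capbuf, capbuf + 14, capbuf + 34, capbuf + 54, 10 };
    ConnectionInfo *list = NewConnection(NULL, &live, 0x0A000001u, 0x0A000002u, 57144, 1100);
    if (list == NULL) return 0;
    memset(capbuf, 0x00, sizeof capbuf);       /* "next frame" clobbers the buffer */
    int ok = list->packet->data[0] == 'S' && list->packet->pkt != capbuf &&
             packet_self_contained(list->packet);
    RemoveConnections(list);
    return ok;
}

int main(void)
{
    return printf("stashed copy intact: %d\n", demo_stash_survives_buffer_reuse()) < 0;
}
```

The per-connection cost Erik worries about is visible here too: every tracked connection carries a full copy of one captured frame plus a Packet header, so a scan tracker that keeps thousands of half-open connections alive will hold thousands of frames until RemoveConnection() runs. Bounding the stash (copy only the headers, or cap pkth_len at a fixed snaplen) is the usual trade-off when this pattern is used in a real plugin.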