Snort mailing list archives
Re: Snort-users digest, Vol 1 #659 - 15 msgs
From: "securgrl" <lsmith147 () nc rr com>
Date: Fri, 18 May 2001 16:41:46 -0400
have a great day mr.lucom

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Friday, May 18, 2001 3:05 PM
Subject: Snort-users digest, Vol 1 #659 - 15 msgs
Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. wont create any graphics in Graph Alert data (alexus)
   2. Error in snort start (Duplicate processor keyword) (Denis Augusto A. de Souza)
   3. Re: Alert messages and rule identification (Subba Rao)
   4. Name resolution (Subba Rao)
   5. Re: Name resolution (Kendall Lister)
   6. Guardian ENHANCED (fm () ern-e org)
   7. Help with Adapter (mike huang)
   8. RE: Help with Adapter (van Oosterom, Peter)
   9. RE: Help with Adapter (Thomas Whipp)
  10. Re: Help with Adapter (Chris Green)
  11. Version 1.8-beta5 (Build 24) (Scott A. McIntyre)
  12. Re: Name resolution (John Sage)
  13. DNS TO 137 (Togan Muftuoglu)
  14. Re: Error in snort start (Duplicate processor keyword) (Neil Dickey)
  15. Re: Name resolution (Dan Cuthbert)

--__--__--

Message: 1
From: "alexus" <ml () db nexgen com>
To: <roman () danyliw com>
Cc: <snort-users () lists sourceforge net>
Date: Thu, 17 May 2001 16:07:21 -0400
Subject: [Snort-users] wont create any graphics in Graph Alert data

I compiled php --with-gd (http://box.nexgen.com/info.php). I installed phplot and I specify it in acid_conf.ph, and when I go to http://box.nexgen.com/acid/acid_graph_main.php, no matter which options I select I don't see any graphics. Any ideas?

(W)orld(W)ide(W)eb: http://box.nexgen.com/
(I)nternet(R)elay(C)hat: EFnet #aLeXuS
--__--__--

Message: 2
From: "Denis Augusto A. de Souza" <denis.souza () brisa org br>
To: <snort-users () lists sourceforge net>
Date: Thu, 17 May 2001 19:56:49 -0300
Subject: [Snort-users] Error in snort start (Duplicate processor keyword)

Dear friends,

I installed snort 1.7 and I'm using the snort.conf sample from the snort site. I'm starting the snort program with:

snort -Afull -c /etc/snort.conf

And snort sends me:

--== Initializing Snort ==--
Initializing Network Interface eth0
Decoding Ethernet on Interface eth0
Initializing Preprocessors!
ERROR (null) (0) => Duplicate preprocessor keyword!

I can't find this duplicate in my snort.conf file!!!! Is there a solution for me????

Thanks in advance,

Denis

--__--__--

Message: 3
Date: Thu, 17 May 2001 18:54:11 +0000
From: Subba Rao <subba9 () home com>
To: Chris Green <cmg () uab edu>
Cc: Snort Users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Alert messages and rule identification
Reply-To: Subba Rao <subba9 () home com>

On 0, Chris Green <cmg () uab edu> wrote:
> > The original datagram says it is a DNS query. I get notified via ICMP that the destination is unreachable. This looks normal to me. How do I find out which rule has triggered this alert? I am not going to remove that alert but will modify my DNS resolution. Is there a way to make snort dump the rule ID along with the alert dump?
> >
> > Any info appreciated. TIA.
>
> grep -n 'ICMP Destination Unreachable' *.rules
>
> There is no rule id field in snort rules ( something that would often come in handy )

Thank you very much for this tip. In my rules list, I do have several 'ICMP Destination Unreachable' filters. I had to use the icode and itype to pinpoint the rule.

-- 
Subba Rao
subba9 () home com
http://members.home.net/subba9/
GPG public key ID 27FC9217

--__--__--

Message: 4
Date: Thu, 17 May 2001 19:12:56 +0000
From: Subba Rao <subba9 () home com>
To: Snort Users <snort-users () lists sourceforge net>
Reply-To: Subba Rao <subba9 () home com>
Subject: [Snort-users] Name resolution

Hi,

This is going to be a very basic question. I do see (on a daily basis) attempts to connect to the sunrpc services (port 111). When I try to resolve the IP address, I always get,

*** myhost.mydom.com can't find sys.no.edu: Non-existent host/domain

How are these hackers conducting the hacks? They should get some response back from my machine. If their host/domain does not exist, then where are the replies from my system going?

Thanks for any info.

-- 
Subba Rao
subba9 () home com
http://members.home.net/subba9/
GPG public key ID 27FC9217

--__--__--

Message: 5
Date: Fri, 18 May 2001 09:40:21 +1000 (EST)
From: Kendall Lister <krl () cs mu OZ AU>
To: Snort Users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Name resolution

On Thu, 17 May 2001, Subba Rao wrote:
> This is going to be a very basic question. I do see (on a daily basis) attempts to connect to the sunrpc services (port 111). When I try to resolve the IP address, I always get,
>
> *** myhost.mydom.com can't find sys.no.edu: Non-existent host/domain
>
> How are these hackers conducting the hacks? They should get some response back from my machine. If their host/domain does not exist, then where are the replies from my system going?

There is no need for a particular IP address to have a corresponding DNS host name; all TCP/IP traffic actually occurs between hosts identified by IP addresses. So, for example, you could "telnet aa.bb.cc.dd" to try to connect to the systems that are probing you - you don't need to use a host name to get through.

Kendall
krl () cs mu oz au

--__--__--

Message: 6
Date: Thu, 17 May 2001 20:40:17 -0400 (EDT)
From: <fm () ern-e org>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Guardian ENHANCED

Hi folks,

I've been using the fine Guardian script by Anthony Stevens for a while now. The only shortcoming that I found was the unmanageable number of hosts that get put into denial in such a short period. To keep this number manageable, I have added these features to the Guardian script:

- Timer logic added to hosts in denial. Hosts will be removed from denial when the timer expires. Set timeLimit in the config file.
- Graceful shutdown (kill <pid>) will cause the script to remove the hosts from denial on shutdown. This can be turned off. Set cleanRules in the config file.
- Sending the script a USR1 signal will cause it to flush all IPs from the denial list. This is useful when you want to flush the rules while the script is running.

I have attempted to contact Anthony Stevens via email regarding these changes and have had no response. Thus, I offer it here. Full credit belongs to him. My changes are merely trivial hacks.

The script can be found here: http://home.golden.net/~elim/guardian-1.1.0.tar.gz

Please direct all comments to fm () ern-e org

--__--__--

Message: 7
Reply-To: <mikeh () glopro com>
From: "mike huang" <mikeh () glopro com>
To: <snort-users () lists sourceforge net>
Date: Fri, 18 May 2001 13:19:44 +1000
Subject: [Snort-users] Help with Adapter

Hi all:

I am having some problems when I try to start snort. The error it complains of is

--== Initializing Snort ==--
Initializing Network Interface \Device\Packet_{7997B190-05F8-405F-951B-D60BFE935285}
ERROR: OpenPcap() device \Device\Packet_{7997B190-05F8-405F-951B-D60BFE935285} open: Error opening adapter

thanks for your help

mike

--__--__--

Message: 8
From: "van Oosterom, Peter" <Peter.vanOosterom () nl origin-it com>
To: "'mikeh () glopro com'" <mikeh () glopro com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Help with Adapter
Date: Fri, 18 May 2001 09:06:12 +0200

Try using Tcpdump to see whether it is an actual problem with the Library and not Snort, as it uses the same Library as Snort

- Peter

--__--__--

Message: 9
From: Thomas Whipp <tkw () objectronix co uk>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Help with Adapter
Date: Fri, 18 May 2001 09:15:46 +0100

Although that might not be a fair test, as pcap is statically linked with snort (or at least it didn't show with an ldd on my binary)! To do a fair test you will probably need to compile TcpDump using the same library as you used to build snort.

Tom

-----Original Message-----
From: van Oosterom, Peter [mailto:Peter.vanOosterom () nl origin-it com]
Sent: 18 May 2001 08:06
To: 'mikeh () glopro com'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Help with Adapter

Try using Tcpdump to see whether it is an actual problem with the Library and not Snort, as it uses the same Library as Snort

- Peter

--__--__--

Message: 10
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help with Adapter
From: Chris Green <cmg () uab edu>
Date: 18 May 2001 08:09:12 -0500

Thomas Whipp <tkw () objectronix co uk> writes:
> Although that might not be a fair test, as pcap is statically linked with snort (or at least it didn't show with an ldd on my binary)! To do a fair test you will probably need to compile TcpDump using the same library as you used to build snort.

Just a note that it looked like the original poster was using snort under Windows where it's always linked against libpcap.dll AFAIK ( thought it was interesting that the error message looked like registry keys ).

-- 
Chris Green <cmg () uab edu>
A good pun is its own reword.

--__--__--

Message: 11
Date: Fri, 18 May 2001 15:50:08 +0200
From: "Scott A. McIntyre" <scott () xs4all nl>
To: Snort Mailing List <snort-users () lists sourceforge net>
Subject: [Snort-users] Version 1.8-beta5 (Build 24)

Hi,

Is there any reason why the linux "-i any" argument to listen on any interface would break the VLAN parsing code?
Using version 1.8-beta5 (Build 24) I can bind to one particular interface and it works fine, but if I bind to "any" then almost all traffic is recognized only as type "other" and snort doesn't snort.

Thanks for any ideas.

Scott

--__--__--

Message: 12
Date: Fri, 18 May 2001 06:56:28 -0700
From: John Sage <jsage () finchhaven com>
Organization: FinchHaven
To: Subba Rao <subba9 () home com>
CC: Snort Users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Name resolution

Subba:

Subba Rao wrote:
> How are these hackers conducting the hacks? They should get some response back from my machine. If their host/domain does not exist, then where are the replies from my system going?

If you really want to determine as much as you can about who/where/what these IPs are, you need to use whois services at one of these:

ARIN: http://whois.arin.net/whois/index.html
Europe: http://www.ripe.net/cgi-bin/whois
Asia/Pacific generally: http://www.apnic.net/
Japan NIC: http://whois.nic.ad.jp/cgi-bin/whois_gw
Korea NIC: http://www.nic.or.kr/www/english/
Taiwan NIC: http://www.twnic.net/English/Index.htm
Internic: http://www.internic.net/whois.html

The appropriate whois service will get you to the netblock holder, and in many cases get you down to the specific administrative level of the domain..

I've found that all URIs with more than the domain.tld (ie: server.domain.tld) will never resolve from an IP address under my local nslookup.

HTH..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

--__--__--

Message: 13
Date: Fri, 18 May 2001 17:25:03 +0300
From: Togan Muftuoglu <toganm () users sourceforge net>
To: snort <snort-users () lists sourceforge net>
Subject: [Snort-users] DNS TO 137

Hi

As you can see clearly below, there is traffic from port 53 to 137 (netbios). Now those two IPs are the nameservers of my ISP, to which I have an ADSL connection that I use Roaring Penguin for. I have in my resolv.conf

nameserver 127.0.0.1
search my.domain

and there is no forwarding in the named.conf. I do want to believe that this is indeed bad traffic, but with five second intervals from two name servers to my PC on port 137 it is questionable to me.

TIA

-- 
Togan Muftuoglu

=-=-=-=-=-=-=-=-=-=
May 18 16:10:03 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic Priority: 2]: 212.156.4.4:53 -> 212.156.196.133:137
May 18 16:10:08 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic Priority: 2]: 212.156.4.20:53 -> 212.156.196.133:137
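
Messages 3 and 13 come down to the same practical question: which rule produced a given alert, when a Snort 1.x alert carries only its msg text (and, for ICMP, the type/code printed in a full alert) and rules have no id field. The block below is an added example for this digest, not code from Snort or from any poster. It indexes rule files by msg, parses syslog-style alert lines of the form quoted in Message 13, and narrows ICMP matches by itype/icode the way Subba Rao describes doing by hand. The rule lines and the third alert line are constructed for the example (Snort 1.x syntax, not copied from the distribution's rules files); the optional `[gid:sid:rev]` prefix the alert parser tolerates is only printed by later Snort versions.

```python
"""Map a Snort 1.x alert back to the rule(s) that could have produced it.
Added example for this digest, not Snort's code or any poster's.  1.x rules
have no rule-id field, so an alert's only handle is its msg (plus, for ICMP,
the type/code a full alert shows).  Sample rules are constructed, not copied."""
import re
from collections import defaultdict

# action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# Syslog line as in Message 13: msg, optional [Classification: ... Priority: n],
# then src -> dst (no ports for ICMP); [gid:sid:rev] is optional (later versions only).
ALERT_RE = re.compile(
    r'snort: (?:\[\d+:\d+:\d+\] )?(?P<msg>.+?)'
    r'(?: \[Classification: (?P<classtype>.+?) Priority: (?P<priority>\d+)\])?'
    r': (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$')

# Constructed rules: ICMP rules sharing a msg prefix (Message 3's situation)
# and the rule behind the Message 13 alerts.
SAMPLE_RULES = """\
# sample.rules (constructed, Snort 1.x syntax)
alert icmp any any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3;)
alert udp any 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; classtype:bad-unknown;)
"""
SAMPLE_ALERTS = [  # the two real lines from Message 13 plus one constructed ICMP line
    "May 18 16:10:03 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic Priority: 2]: 212.156.4.4:53 -> 212.156.196.133:137",
    "May 18 16:10:08 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic Priority: 2]: 212.156.4.20:53 -> 212.156.196.133:137",
    "May 18 16:12:41 gardiyan snort: ICMP Destination Unreachable [Classification: Misc activity Priority: 3]: 212.156.4.4 -> 212.156.196.133",
]

def _split_options(opts):
    """Split the option body on ';' not escaped by a backslash."""
    out = []
    for part in re.split(r'(?<!\\);', opts):
        part = part.strip()
        if part:
            key, _, value = part.partition(':')
            out.append((key.strip(), value.strip().strip('"')))
    return out

def parse_rule(line):
    """Dict for a rule line; None for comments, blanks, var/preprocessor/include."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule['options'] = _split_options(rule.pop('opts'))
    first = {}
    for key, value in rule['options']:
        first.setdefault(key, value)          # first occurrence wins
    for key in ('msg', 'itype', 'icode', 'sid'):
        rule[key] = first.get(key)
    return rule

def index_rules(named_lines):
    """(filename, lineno, text) triples -> {msg: [rule, ...]}; feed it every *.rules file."""
    index = defaultdict(list)
    for fname, lineno, text in named_lines:
        rule = parse_rule(text)
        if rule is not None:
            rule['file'], rule['line'] = fname, lineno
            index[rule['msg']].append(rule)
    return index

def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ('priority', 'sport', 'dport'):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert

def rules_for_alert(alert, index, itype=None, icode=None):
    """Exact msg match first, else rules whose msg contains it (what grep shows); itype/icode narrow."""
    msg = alert['msg']
    hits = list(index.get(msg, []))
    if not hits:
        hits = [r for key, rules in index.items() for r in rules if msg in key]
    if itype is not None:
        hits = [r for r in hits if r['itype'] in (None, str(itype))]
    if icode is not None:
        hits = [r for r in hits if r['icode'] in (None, str(icode))]
    return hits

def demo():
    lines = [("sample.rules", n, t) for n, t in enumerate(SAMPLE_RULES.splitlines(), 1)]
    index = index_rules(lines)
    results = []
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        hits = rules_for_alert(alert, index)
        results.append((alert['msg'], [f"{r['file']}:{r['line']}" for r in hits]))
    return index, results

if __name__ == "__main__":
    index, results = demo()
    for msg, where in results:
        print(f"{msg!r} -> {', '.join(where) or 'no matching rule'}")
    # Subba Rao's case: three rules share the prefix; the ICMP type/code picks one.
    alert = parse_alert(SAMPLE_ALERTS[2])
    for r in rules_for_alert(alert, index, itype=3, icode=3):
        print(f"itype=3 icode=3 -> {r['file']}:{r['line']} {r['msg']!r}")
```

Run against real files by feeding `index_rules` the lines of every `*.rules` file with their names and line numbers; the two real Message 13 lines resolve to the single `source port 53` rule, while the bare `ICMP Destination Unreachable` alert matches three rules until itype/icode narrow it.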
--__--__--

Message: 14
Date: Fri, 18 May 2001 09:21:52 -0500 (CDT)
From: Neil Dickey <neil () geol niu edu>
Reply-To: Neil Dickey <neil () geol niu edu>
Subject: Re: [Snort-users] Error in snort start (Duplicate processor keyword)
To: snort-users () lists sourceforge net

"Denis Augusto A. de Souza" <denis.souza () brisa org br> wrote asking:
> I installed snort 1.7 and I'm using the snort.conf sample from the snort site. I'm starting the snort program with:
>
> snort -Afull -c /etc/snort.conf
>
> And snort sends me:
>
> --== Initializing Snort ==--
> Initializing Network Interface eth0
> Decoding Ethernet on Interface eth0
> Initializing Preprocessors!
> ERROR (null) (0) => Duplicate preprocessor keyword!
>
> I can't find this duplicate in my snort.conf file!!!! Is there a solution for me????

In order for us to help you, you'll have to post the relevant parts of your snort.conf file for us to look at.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

--__--__--

Message: 15
Date: Fri, 18 May 2001 15:29:40 +0100
From: Dan Cuthbert <dcuthbert () idsec co uk>
To: John Sage <jsage () finchhaven com>
Cc: Subba Rao <subba9 () home com>, Snort Users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Name resolution

Hi

I've found that whois.geektools.com searches all of those for you!

Dan

* John Sage (jsage () finchhaven com) scribbled away:
> If you really want to determine as much as you can about who/where/what these IPs are, you need to use whois services at one of these:
>
> ARIN: http://whois.arin.net/whois/index.html
> Europe: http://www.ripe.net/cgi-bin/whois
> Asia/Pacific generally: http://www.apnic.net/
> Japan NIC: http://whois.nic.ad.jp/cgi-bin/whois_gw
> Korea NIC: http://www.nic.or.kr/www/english/
> Taiwan NIC: http://www.twnic.net/English/Index.htm
> Internic: http://www.internic.net/whois.html

Dan Cuthbert
Network Security Consultant
IdSec
Key fingerprint = 9BFB 60F1 1B46 F9F0 4E2C 84A6 8D04 E771 54A6 1116

--__--__--

End of Snort-users Digest
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
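
The three Guardian additions described in Message 6 of the digest above (a timeLimit after which a denied host is released, cleanRules on shutdown, and USR1 to flush the whole list) as an added example in Python. This is not Guardian's code and says nothing about how that script implements them; the ipchains command lines it emits are an assumption about the firewall being driven, and the firewall is abstracted as a callable so the example runs offline and only records what it would have run. The ignore set is also an assumption, added because the alerts in Message 13 show why an automatic blocker needs one: fed those lines, it would deny the ISP's own nameservers.

```python
"""Timed deny list in the spirit of the Guardian additions in Message 6.
Added example, not Guardian's code.  The firewall is a callable that receives
the command line that would be run; by default commands are only recorded, so
this runs offline.  The ipchains command form and the ignore set are assumptions."""
import re
import signal
import time

# Source address of a syslog-style Snort 1.x alert: "...]: 1.2.3.4:53 -> 5.6.7.8:137"
# (no ports on ICMP alerts).
SRC_RE = re.compile(r': (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ')

# One of the real lines from Message 13, and one constructed RPC alert.
NAMESERVER_ALERT = ("May 18 16:10:03 gardiyan snort: MISC source port 53 to <1024 "
                    "[Classification: Potentially Bad Traffic Priority: 2]: 212.156.4.4:53 -> 212.156.196.133:137")
RPC_ALERT = ("May 18 16:20:11 gardiyan snort: RPC portmap request [Classification: "
             "Attempted Information Leak Priority: 2]: 10.1.2.3:1026 -> 212.156.196.133:111")  # constructed


def source_ip(alert_line):
    m = SRC_RE.search(alert_line)
    return m.group(1) if m else None


class DenyList:
    """Hosts denied for time_limit seconds, released on expiry, flush or shutdown."""

    def __init__(self, time_limit, clean_rules=True, ignore=(), run=None):
        self.time_limit = time_limit        # timeLimit in the post
        self.clean_rules = clean_rules      # cleanRules in the post
        self.ignore = set(ignore)           # never deny these (resolvers, gateway, ...)
        self.commands = []                  # what would have been run (offline default)
        self.run = run if run is not None else self.commands.append
        self.denied = {}                    # ip -> expiry time

    def deny(self, ip, now=None):
        """Install a rule for ip; denying an already denied host only extends its timer."""
        now = time.time() if now is None else now
        fresh = ip not in self.denied
        if fresh:
            self.run(f"ipchains -I input -s {ip} -j DENY")   # assumed command form
        self.denied[ip] = now + self.time_limit
        return fresh

    def allow(self, ip):
        if self.denied.pop(ip, None) is None:
            return False
        self.run(f"ipchains -D input -s {ip} -j DENY")
        return True

    def expire(self, now=None):
        """Release every host whose timer has run out; returns the released IPs."""
        now = time.time() if now is None else now
        due = [ip for ip, until in self.denied.items() if until <= now]
        for ip in due:
            self.allow(ip)
        return due

    def flush(self):
        """Release everything (what USR1 does in the post)."""
        ips = list(self.denied)
        for ip in ips:
            self.allow(ip)
        return ips

    def shutdown(self):
        """On exit, clean the rules out unless cleanRules is turned off."""
        return self.flush() if self.clean_rules else []

    def process_alert(self, line, now=None):
        """Deny the alert's source unless ignored; returns the IP when a new rule went in."""
        ip = source_ip(line)
        if ip is None or ip in self.ignore:
            return None
        return ip if self.deny(ip, now) else None

    def install_signal_handlers(self):
        signal.signal(signal.SIGUSR1, lambda signum, frame: self.flush())

        def stop(signum, frame):
            self.shutdown()
            raise SystemExit(0)
        signal.signal(signal.SIGTERM, stop)
        signal.signal(signal.SIGINT, stop)


if __name__ == "__main__":
    import sys
    # e.g.  tail -f /var/log/messages | python deny.py   (prints instead of running ipchains)
    dl = DenyList(time_limit=300, ignore={"212.156.4.4", "212.156.4.20"},
                  run=lambda cmd: print("would run:", cmd))
    dl.install_signal_handlers()
    for line in sys.stdin:
        dl.process_alert(line)
        dl.expire()
```

Passing `now` explicitly makes the timer logic testable without sleeping; in the live loop it defaults to the wall clock. Re-denying a host already on the list extends its timer instead of inserting a second firewall rule, which is what keeps the rule count bounded.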