Snort mailing list archives

Snort-users digest, Vol 1 #796 - 11 msgs


From: snort-users () lists sourceforge net
Date: Tue, 10 Jul 2001 15:40:03 +0200

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Snort not working in a multi hub environment? (dave.goldsmith () intelsat com)
   2. tcpdump && snort (Daniel Voyer)
   3. Re: Snort FAQ 1.8 (Phil Wood)
   4. Re: Snort FAQ 1.8 (Ramin Alidousti)
   5. snort 1.8/solaris 8 (Jeff Ito)
   6. RE: snort 1.8/solaris 8 (Kevin Brown)
   7. RE: Snort FAQ 1.8 (Kohlenberg, Toby)
   8. Re: Snort FAQ 1.8 (Dragos Ruiu)
   9. Re: Snort FAQ 1.8 (Phil Wood)
  10. Snortin @ Defcon9.....the final plan (Dr SuSE)
  11. activate/dynamic bug with ruletypes.. (Erik Fichtner)

--__--__--

Message: 1
From: dave.goldsmith () intelsat com
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort not working in a multi hub environment?
Date: Tue, 10 Jul 2001 16:21:53 -0400

Two possible problems.

1) It is not purely a hub environment.  You have shown a switch.  Have you
configured the switch to span all traffic to/from any port to a monitor
port?

2) Your diagram shows a PC in the middle connected to both the switch and
one of the hubs. This looks like it is acting as a router.  Is this the
case?

Also, in one of your responses you said that the machine you are running
scans from is one of the Linux systems.  Where is the system running snort
located?

Dave Goldsmith

-----Original Message-----
From: Devdas Bhagat [mailto:devdas () worldgatein net]
Sent: Tuesday, July 10, 2001 8:15 AM
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort not working in a multi hub environment?


On Tue, 10 Jul 2001, Thomas Whipp spewed into the ether:
Are all the hubs the same speed?  You might have problems if
you are on a slow segment.
Yes, all hubs are the same speed. Essentially, it's like (bad ASCII art):
PC--|                        |--PC
PC--|--HUB--HUB--|--PC--Switch--
PC--|                        |--PC
(Win)                            (Linux)

All Linux machines' scans are caught; no scans of Win machines are
reported.

Devdas Bhagat


--__--__--

Message: 2
Date: Tue, 10 Jul 2001 16:37:26 -0400
From: Daniel Voyer <daniel.voyer () cgi ca>
To: snort-users () lists sourceforge net
Subject: [Snort-users] tcpdump && snort

Hi all,

I want to see the ip header and tcp/udp/icmp header in hexadecimal with
snort.

With tcpdump, the command is "tcpdump -x"

If I use snort as a sniffer (snort -dv) I'm not able to see any hex
of any headers. Why?

Is it possible to do this with snort ??

Am I missing some options?

- dan



--__--__--

Message: 3
From: Phil Wood <cpw () lanl gov>
Date: Tue, 10 Jul 2001 15:29:23 -0600
To: Ramin Alidousti <ramin () cannon eng us uu net>
Cc: Dragos Ruiu <dr () kyx net>, roesch () sourcefire com,
        snort-users () lists sourceforge net, Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8

I just had to provide a longer and more nauseating answer to question 4.8:

4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol
   The ICMP Destination Unreachable (message type 3) is sent back to the
   originator when an IP packet could not be delivered to the destination
   address.  The ICMP Code indicates why the packet could not be delivered.
   The original codes are:
        0       net unreachable
        1       host unreachable
        2       protocol unreachable
        3       port unreachable
        4       fragmentation needed and DF bit set
        5       source route failed
   One source of port unreachable messages (code=3) is a successful
   (icmp based) traceroute.   A code of 3 tells the traceroute program that
   it has finally reached the host in question (only because it picked a
   service port that is NOT in use on the destination host).
   The ICMP unreachable packet contains a data portion reserved for
   the original IP header (normally 20 bytes, but possibly with IP options)
   PLUS 64 bits (8 bytes) of whatever followed the IP header.  If the offending
   packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will
   contain the original source port and destination port (which are 16 bit
   quantities).  
   For further information
        about   see
        IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
        ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
        TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
        UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt

On Tue, Jul 10, 2001 at 03:49:58PM -0400, Ramin Alidousti wrote:
The answer of 4.8 suggests that the ICMP carries the first
64 _bytes_ of the original datagram. I believe that it should
be "the first 64 data _bits_" :-)

Ramin

On Mon, Jul 09, 2001 at 10:30:15PM -0700, Dragos Ruiu wrote:

Send me your complaints. :-)
Or translations...

cheers,
--dr


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
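The FAQ answer above describes the layout of an ICMP Destination Unreachable message: an 8-byte ICMP header, the quoted original IP header (20 bytes unless options are present), and 64 bits of whatever followed it, whose first two 16-bit words are the TCP/UDP source and destination ports. The Python below is an added example, not code from the Snort FAQ or from any poster on this thread: it decodes such a message, checks both checksums, uses the IHL field rather than assuming 20 bytes, and includes a hex view of the raw bytes of the kind message 2 asks about. The sample message is constructed (a port-unreachable reply quoting a UDP probe from 10.0.0.5 to 10.0.0.9 with a traceroute-style high port); the addresses and ports are assumptions.

```python
"""Decode an ICMP Destination Unreachable (type 3) message as laid out in the
FAQ answer: 8-byte ICMP header, quoted original IPv4 header, then 64 bits
(8 bytes) of the original payload.  Added example, not Snort or FAQ code."""
import struct

# The original destination-unreachable codes listed in the FAQ answer.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF bit set",
    5: "source route failed",
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when run over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hexdump(data: bytes) -> list:
    """Hex view of the raw bytes, one 16-byte line per entry (the kind of view tcpdump -x gives)."""
    return ["%04x: %s" % (off, " ".join("%02x" % b for b in data[off:off + 16]))
            for off in range(0, len(data), 16)]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed IPv4 fields and report the real header length (IHL * 4, options included)."""
    if len(data) < 20:
        raise ValueError("IPv4 header truncated")
    ver_ihl, _tos, _tlen, _ident, _ffo, ttl, proto, _hcs, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("malformed IPv4 header")
    if checksum(data[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"header_len": ihl, "protocol": proto, "ttl": ttl,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def parse_icmp_unreachable(msg: bytes) -> dict:
    """msg is the ICMP message only (the outer IP header has already been stripped)."""
    if len(msg) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code = msg[0], msg[1]
    if icmp_type != 3:
        raise ValueError("not a destination unreachable message (type %d)" % icmp_type)
    if checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    inner = msg[8:]                      # quoted original datagram starts after the 8-byte ICMP header
    ip = parse_ipv4_header(inner)
    quoted = inner[ip["header_len"]:]    # the 64 bits that followed the original IP header
    if len(quoted) < 8:
        raise ValueError("fewer than 64 bits of the original payload were quoted")
    result = {
        "code": code,
        "reason": UNREACH_CODES.get(code, "code %d (not one of the original six)" % code),
        "orig_src": ip["src"], "orig_dst": ip["dst"], "orig_proto": ip["protocol"],
    }
    if ip["protocol"] in (6, 17):  # TCP or UDP: the first two quoted 16-bit words are the ports
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", quoted[:4])
    return result


def build_sample() -> bytes:
    """Constructed sample: a port-unreachable reply quoting a UDP probe 10.0.0.5 -> 10.0.0.9
    to a traceroute-style high port.  Addresses and ports are made up for this example."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                               bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))      # fill in the IP header checksum
    udp = struct.pack("!HHHH", 40000, 33434, 8, 0)          # sport, dport, length, checksum
    icmp = bytearray(struct.pack("!BBHI", 3, 3, 0, 0) + bytes(ip) + udp)
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))    # fill in the ICMP checksum
    return bytes(icmp)


if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(hexdump(sample)))
    print(parse_icmp_unreachable(sample))
```

The checksum verification matters for the alert-triage use the FAQ has in mind: a type 3 message whose checksum or quoted header does not line up is noise (or a forgery) rather than a reply to one of your own probes, and the decoded inner ports are what let you match an unreachable alert back to the traceroute or scan that provoked it.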



--__--__--

Message: 4
Date: Tue, 10 Jul 2001 17:38:05 -0400
From: Ramin Alidousti <ramin () cannon eng us uu net>
To: Phil Wood <cpw () lanl gov>
Cc: Ramin Alidousti <ramin () cannon eng us uu net>, Dragos Ruiu <dr () kyx net>,
   roesch () sourcefire com, snort-users () lists sourceforge net,
   Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8

On Tue, Jul 10, 2001 at 03:29:23PM -0600, Phil Wood wrote:

I just had to provide a longer and more nauseating answer to question 4.8:

Excellent !!


4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol
   The ICMP Destination Unreachable (message type 3) is sent back to the
   originator when an IP packet could not be delivered to the destination
   address.  The ICMP Code indicates why the packet could not be delivered.
   The original codes are:
        0       net unreachable
        1       host unreachable
        2       protocol unreachable
        3       port unreachable
        4       fragmentation needed and DF bit set
        5       source route failed
   One source of port unreachable messages (code=3) is a successful
   (icmp based) traceroute.   A code of 3 tells the traceroute program that
   it has finally reached the host in question (only because it picked a
   service port that is NOT in use on the destination host).
   The ICMP unreachable packet contains a data portion reserved for
   the original IP header (normally 20 bytes, but possibly with IP options)
   PLUS 64 bits (8 bytes) of whatever followed the IP header.  If the offending
   packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will
   contain the original source port and destination port (which are 16 bit
   quantities).  
   For further information
        about   see
        IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
        ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
        TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
        UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt



--__--__--

Message: 5
Date: Tue, 10 Jul 2001 17:49:56 -0400 (EDT)
From: Jeff Ito <jeffi () rcn com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort 1.8/solaris 8


I am running Solaris 8, on a Netra X1.
I know this is perhaps not the best place for this email but maybe someone
out there can help me anyway.

When trying to compile snort 1.8 on the X1 I get the following:

Undefined                       first referenced
 symbol                             in file
inet_aton                           spp_arpspoof.o
ld: fatal: Symbol referencing errors. No output written to snort
collect2: ld returned 1 exit status
make: *** [snort] Error 1


other potentially useful info:

SunOS idssnort 5.8 Generic_108528-06 sun4u sparc SUNW,UltraAX-i2

# gcc -v
Reading specs from
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/2.95.3/specs
gcc version 2.95.3 20010315 (release)

# make -v
GNU Make version 3.79.1, by Richard Stallman and Roland McGrath.
Built for sparc-sun-solaris2.8

...

any information would be greatly appreciated...

Jeff




--__--__--

Message: 6
Date: Tue, 10 Jul 2001 15:01:52 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] snort 1.8/solaris 8
To: 'Jeff Ito' <jeffi () rcn com>, snort-users () lists sourceforge net

This error showed up earlier today.  I believe the solution was to update
from CVS to fix the problem.

-----Original Message-----
From: Jeff Ito [mailto:jeffi () rcn com]
Sent: Tuesday, July 10, 2001 14:50
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort 1.8/solaris 8



I am running Solaris 8, on a Netra X1.
I know this is perhaps not the best place for this email but maybe someone
out there can help me anyway.

When trying to compile snort 1.8 on the X1 I get the following:

Undefined                       first referenced
 symbol                             in file
inet_aton                           spp_arpspoof.o
ld: fatal: Symbol referencing errors. No output written to snort
collect2: ld returned 1 exit status
make: *** [snort] Error 1


other potentially useful info:

SunOS idssnort 5.8 Generic_108528-06 sun4u sparc SUNW,UltraAX-i2

# gcc -v
Reading specs from
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/2.95.3/specs
gcc version 2.95.3 20010315 (release)

# make -v
GNU Make version 3.79.1, by Richard Stallman and Roland McGrath.
Built for sparc-sun-solaris2.8

....

any information would be greatly appreciated...

Jeff






--__--__--

Message: 7
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
To: "'Phil Wood'" <cpw () lanl gov>,
        Ramin Alidousti
         <ramin () cannon eng us uu net>
Cc: Dragos Ruiu <dr () kyx net>, roesch () sourcefire com,
        snort-users () lists sourceforge net, Denis.Ducamp () hsc fr
Subject: RE: [Snort-users] Snort FAQ 1.8
Date: Tue, 10 Jul 2001 15:07:22 -0700

I have found this to be an accurate source for ICMP codes:
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
There are also similar ones for protocols and other good stuff.
I keep a full list of the ICMP codes in my PalmIII (I admit it,
I can't keep them all in my head without crib-notes. Oh the shame!)

I won't spam it to the list, but if anyone wants it, let me know.
It is better formatted for a PDA and I've got the RFCs listed as
well.

Toby

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Tuesday, July 10, 2001 2:29 PM
To: Ramin Alidousti
Cc: Dragos Ruiu; roesch () sourcefire com;
snort-users () lists sourceforge net; Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8


I just had to provide a longer and more nauseating answer to question 4.8:

4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol
   The ICMP Destination Unreachable (message type 3) is sent back to the
   originator when an IP packet could not be delivered to the destination
   address.  The ICMP Code indicates why the packet could not be delivered.
   The original codes are:
        0       net unreachable
        1       host unreachable
        2       protocol unreachable
        3       port unreachable
        4       fragmentation needed and DF bit set
        5       source route failed
   One source of port unreachable messages (code=3) is a successful
   (icmp based) traceroute.   A code of 3 tells the traceroute program that
   it has finally reached the host in question (only because it picked a
   service port that is NOT in use on the destination host).
   The ICMP unreachable packet contains a data portion reserved for
   the original IP header (normally 20 bytes, but possibly with IP options)
   PLUS 64 bits (8 bytes) of whatever followed the IP header.  If the offending
   packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will
   contain the original source port and destination port (which are 16 bit
   quantities).
   For further information
        about   see
        IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
        ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
        TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
        UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt

On Tue, Jul 10, 2001 at 03:49:58PM -0400, Ramin Alidousti wrote:
The answer of 4.8 suggests that the ICMP carries the first
64 _bytes_ of the original datagram. I believe that it should
be "the first 64 data _bits_" :-)

Ramin

On Mon, Jul 09, 2001 at 10:30:15PM -0700, Dragos Ruiu wrote:

Send me your complaints. :-)
Or translations...

cheers,
--dr



-- 
Phil Wood, cpw () lanl gov






--__--__--

Message: 8
From: Dragos Ruiu <dr () kyx net>
Organization: kyx.net
To: Phil Wood <cpw () lanl gov>,
        Ramin Alidousti <ramin () cannon eng us uu net>
Subject: Re: [Snort-users] Snort FAQ 1.8
Date: Tue, 10 Jul 2001 15:14:37 -0700
Cc: roesch () sourcefire com, snort-users () lists sourceforge net,
        Denis.Ducamp () hsc fr

On Tue, 10 Jul 2001, Phil Wood wrote:
I just had to provide a longer and more nauseating answer to question 4.8:


Alriight! I love nauseating answers. ;-)
To be included in next edits...

Thanks,
--dr


--__--__--

Message: 9
From: Phil Wood <cpw () lanl gov>
Date: Tue, 10 Jul 2001 16:21:49 -0600
To: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Cc: "'Phil Wood'" <cpw () lanl gov>, Ramin Alidousti <ramin () cannon eng us uu net>,
        Dragos Ruiu <dr () kyx net>, roesch () sourcefire com,
        snort-users () lists sourceforge net, Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8

Thanks!

It looks like that url has changed to:

  http://www.iana.org/assignments/icmp-parameters

Actually, putting this URL somewhere handy is a good idea:

  http://www.iana.org/

Later,

On Tue, Jul 10, 2001 at 03:07:22PM -0700, Kohlenberg, Toby wrote:
I have found this to be an accurate source for ICMP codes:
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
There are also similar ones for protocols and other good stuff.
I keep a full list of the ICMP codes in my PalmIII (I admit it,
I can't keep them all in my head without crib-notes. Oh the shame!)

I won't spam it to the list, but if anyone wants it, let me know.
It is better formatted for a PDA and I've got the RFCs listed as
well.

Toby

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Tuesday, July 10, 2001 2:29 PM
To: Ramin Alidousti
Cc: Dragos Ruiu; roesch () sourcefire com;
snort-users () lists sourceforge net; Denis.Ducamp () hsc fr
Subject: Re: [Snort-users] Snort FAQ 1.8


I just had to provide a longer and more nauseating answer to question 4.8:

4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?

A: ICMP is the acronym for Internet Control Message Protocol
   The ICMP Destination Unreachable (message type 3) is sent back to the
   originator when an IP packet could not be delivered to the destination
   address.  The ICMP Code indicates why the packet could not be delivered.
   The original codes are:
        0       net unreachable
        1       host unreachable
        2       protocol unreachable
        3       port unreachable
        4       fragmentation needed and DF bit set
        5       source route failed
   One source of port unreachable messages (code=3) is a successful
   (icmp based) traceroute.   A code of 3 tells the traceroute program that
   it has finally reached the host in question (only because it picked a
   service port that is NOT in use on the destination host).
   The ICMP unreachable packet contains a data portion reserved for
   the original IP header (normally 20 bytes, but possibly with IP options)
   PLUS 64 bits (8 bytes) of whatever followed the IP header.  If the offending
   packet was TCP or UDP based, then the first 4 bytes (of the 8 bytes) will
   contain the original source port and destination port (which are 16 bit
   quantities).
   For further information
        about   see
        IP      ftp://ftp.isi.edu/in-notes/rfc791.txt
        ICMP    ftp://ftp.isi.edu/in-notes/rfc792.txt
        TCP     ftp://ftp.isi.edu/in-notes/rfc793.txt
        UDP     ftp://ftp.isi.edu/in-notes/rfc768.txt

On Tue, Jul 10, 2001 at 03:49:58PM -0400, Ramin Alidousti wrote:
The answer of 4.8 suggests that the ICMP carries the first
64 _bytes_ of the original datagram. I believe that it should
be "the first 64 data _bits_" :-)

Ramin

On Mon, Jul 09, 2001 at 10:30:15PM -0700, Dragos Ruiu wrote:

Send me your complaints. :-)
Or translations...

cheers,
--dr



-- 
Phil Wood, cpw () lanl gov




-- 
Phil Wood, cpw () lanl gov



--__--__--

Message: 10
To: Snort  Users <snort-users () lists sourceforge net>
From: Dr SuSE <drsuse () drsuse org>
Date: Tue, 10 Jul 2001 22:32:42 GMT
Subject: [Snort-users] Snortin @ Defcon9.....the final plan

Ok, I just wanted to send out one last email which details the final plan for 
us Snorters attending Defcon.

Unless Marty's plans change, he will be joining us in the AM.

We will meet in the lobby of the Alexis at 9:00 am.  I figure that would give 
us plenty of time to meet one another and go out and grab some breakfast and a 
beer or two.  During breakfast we can make plans on where and when to meet for 
some serious partying.  

If you are flying in later or for some other reason can not make it to the 
Snort breakfast that's ok.  Just contact the front desk and ask them to ring my 
room, the reservation is under the name Stefan Puffer.  I will have plenty of 
booze on hand and will be in my room by 8:00 pm waiting on phone calls and 
getting my drink on.  

If you have some cool techno tunes, bring 'em. Anyone know if they sell Tecate 
beer in Vegas?

Marty, if you're checking your email, let me know what time I should come by 
Friday morning to collect you.

If you have a Snort T-shirt, sport it!




---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/




--__--__--

Message: 11
Date: Tue, 10 Jul 2001 18:38:43 -0400
From: Erik Fichtner <emf () servervault com>
To: snort-users () lists sourceforge net
Reply-To: emf () servervault com
Subject: [Snort-users] activate/dynamic bug with ruletypes..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bug.....




if I do this:

activate tcp any any -> any 21 (msg: "test"; content: "user"; nocase; flags: A+; activates:1;)
dynamic tcp any any <> any 21 (msg: "test"; flags: A+; activated_by:1; count:20;)

everything works as expected.    

But, if I do this:

ruletype foobar
{
        type activate
        output log_tcpdump: foobar.log
}
foobar tcp any any -> any 21 (msg: "test"; content: "user"; nocase; flags: A+; activates:1;)
dynamic tcp any any <> any 21 (msg: "test"; flags: A+; activated_by:1; count:20;)

I get the following message:
WARNING: an activation rule with no dynamic rules matched!

and, yes, no further packets are logged.


the same also goes for:
ruletype blegh
{
        type dynamic
        output log_tcpdump: foobar.log
}

the dynamic rules parse without errors as they load, but the new activation
list chain is never linked to the dynamic list chain (or dynamic chains in the 
case of the latter) with SetLinks() in LinkDynamicRules()


- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7S4PyQ7EzrewLMS0RAl19AKCaUhkBDrwlhUi3MvKAff+xHcgupgCfTLmy
2FNLKEeUJtU7K2IqjP1aEjQ=
=FLPR
-----END PGP SIGNATURE-----
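To make the linking failure in the report concrete, here is a small Python model of the activate/dynamic pairing. It is an added example, not Snort's code and not derived from Snort's source: an activate rule that matches turns on the dynamic rule(s) carrying its id for the next `count` packets, and the linking pass either resolves custom ruletypes to their base type or, as the report describes, looks only at the literal `activate`/`dynamic` action words and so never links a rule declared through a custom ruletype, leaving the activate rule to emit the quoted warning when it fires. The ruletype names `foobar` and `blegh` come from the report; the FTP session, the destination-port-only matching, and the assumption that the triggering packet itself is not counted are constructed for this example.

```python
"""Toy model of Snort's activate/dynamic rule pairing, illustrating the bug
report above.  Added example: not Snort source code, it only imitates the
behaviour the report describes (ids, count, and the warning text)."""
from dataclasses import dataclass, field

# Constructed ruletype table: a custom ruletype resolves to a base rule type,
# mirroring the "ruletype foobar { type activate ... }" and "ruletype blegh
# { type dynamic ... }" declarations in the report.
RULETYPES = {"foobar": "activate", "blegh": "dynamic"}

WARNING = "WARNING: an activation rule with no dynamic rules matched!"


@dataclass
class Rule:
    action: str            # literal action word: "activate", "dynamic" or a custom ruletype name
    port: int              # destination port the rule applies to (toy model: ports only)
    content: bytes = b""   # case-insensitive content match for activate rules
    activates: int = 0     # id this activate rule turns on
    activated_by: int = 0  # id this dynamic rule listens for
    count: int = 0         # packets to log once activated
    remaining: int = 0     # runtime state: packets left to log
    dynamics: list = field(default_factory=list)  # dynamic rules linked to this activate rule

    @property
    def base_type(self) -> str:
        """What the action really is once custom ruletypes are resolved."""
        return RULETYPES.get(self.action, self.action)


def link_dynamic_rules(rules, resolve_ruletypes: bool) -> None:
    """Linking pass: give every activate rule the dynamic rules with the same id.
    resolve_ruletypes=False imitates the reported behaviour, where only rules whose
    literal action is 'activate'/'dynamic' are scanned, so rules declared through a
    custom ruletype are never linked (assumption modelled on the report)."""
    kind = (lambda r: r.base_type) if resolve_ruletypes else (lambda r: r.action)
    dynamics = [r for r in rules if kind(r) == "dynamic"]
    for r in rules:
        if kind(r) == "activate":
            r.dynamics = [d for d in dynamics if d.activated_by == r.activates]


def run(rules, packets):
    """Feed (dst_port, payload) tuples through the rules.
    Returns (warnings, indexes of packets logged by dynamic rules)."""
    warnings, logged = [], []
    for i, (dport, payload) in enumerate(packets):
        # Dynamic rules are evaluated first, so the triggering packet itself is not counted.
        for r in rules:
            if r.base_type == "dynamic" and r.port == dport and r.remaining > 0:
                logged.append(i)
                r.remaining -= 1
        for r in rules:
            if r.base_type == "activate" and r.port == dport and r.content.lower() in payload.lower():
                if not r.dynamics:
                    warnings.append(WARNING)   # the message quoted in the report
                for d in r.dynamics:
                    d.remaining = d.count       # (re)arm the linked dynamic rule
    return warnings, logged


def scenario(activate_action: str, dynamic_action: str, resolve_ruletypes: bool):
    """Build the two rules from the report with the given action words and run a
    constructed FTP session: one USER command followed by 25 more port-21 packets
    and one unrelated port-80 packet."""
    rules = [
        Rule(activate_action, 21, b"user", activates=1),
        Rule(dynamic_action, 21, activated_by=1, count=20),
    ]
    link_dynamic_rules(rules, resolve_ruletypes)
    packets = ([(21, b"USER anonymous\r\n")]
               + [(21, b"PASS x\r\n")] * 25
               + [(80, b"GET / HTTP/1.0\r\n")])
    return run(rules, packets)


if __name__ == "__main__":
    print("builtin actions       :", scenario("activate", "dynamic", False))
    print("custom activate type  :", scenario("foobar", "dynamic", False))
    print("custom dynamic type   :", scenario("activate", "blegh", False))
    print("custom, types resolved:", scenario("foobar", "dynamic", True))
```

Run as written, the builtin pair logs the 20 packets after the USER command, both custom-ruletype variants produce the warning and log nothing, and resolving the ruletype before linking restores the 20 logged packets, which is the behaviour the report asks for.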



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



