Snort mailing list archives

cc:Mail Link to SMTP Undeliverable Message: Unknown user: Bud CTR Gordon


From: "Administrator"<administrator_at_awaatscsirc () faa gov>
Date: Tue, 06 Nov 2001 15:37:10 -0500

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Wrappers (Chris Green)
   2. Re: Ignoring ports (Chris Green)
   3. RE: snort on Linux works, on OpenBSD doesn't (Chris Eidem)
   4. RE: Barnyard and ACID question (Steve Halligan)
   5. RE: snort on Linux works, on OpenBSD doesn't (Ashley Thomas)
   6. (no subject) (Wells, Kenneth L)

--__--__--

Message: 1
To: "snortlst snortlst" <snortlst () hotmail com>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Wrappers
From: Chris Green <cmg () uab edu>
Reply-To: snort-users () lists sourceforge net
Date: Tue, 06 Nov 2001 13:39:39 -0600

"snortlst snortlst" <snortlst () hotmail com> writes:

On which layer snort inspects incoming traffic? If it inspects it before
tcp/ip (like checkpoint firewall) then can I use tcp wrappers and deny all
traffic in tcp wrappers in order to secure linux machine?

It sniffs in promiscuous mode so it can see traffic with no interaction
with the native tcp/ip stack (other than where it overlaps with BPF).

Yes.  Using TCP wrappers will not affect snort.

 thx.

-- 
Chris Green <cmg () uab edu>
A good pun is its own reword.


--__--__--

Message: 2
To: "Joshua Thomas" <thomasj () engr uconn edu>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Ignoring ports
From: Chris Green <cmg () uab edu>
Reply-To: snort-users () lists sourceforge net
Date: Tue, 06 Nov 2001 13:44:43 -0600

"Joshua Thomas" <thomasj () engr uconn edu> writes:

How do I ignore arbitrary ports without rewriting all the rules?
For example, Kazaa runs on port 1214; how can I make all my rules not
trigger on port 1214 traffic?

pcap filter of 'not (tcp and port 1214)'

or

pass tcp any any <-> any 1214
along with using snort -o

Beware that this will open one for attacks due to clever attackers
using 1214 as a source port for the attack.

Someday, snort might be able to tell what kinda traffic it is and
possibly ignore it based on that.
-- 
Chris Green <cmg () uab edu>
"I'm beginning to think that my router may be confused."

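The two ways of ignoring a port that Chris describes, and his caveat about an attacker choosing 1214 as a source port, as an added example that is not part of the original post. The `Packet` model and the sample flows are constructed for illustration; the functions mirror how a pcap/BPF expression and a Snort `pass` rule would classify those packets, including the precedence trap in an unparenthesised `not tcp and port 1214` (BPF binds `not` tighter than `and`) and the difference between a bidirectional `<->` pass rule and a one-directional `->` one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet model: transport protocol plus ports."""
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


KAZAA_PORT = 1214

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("tcp", 40123, KAZAA_PORT),  # client -> Kazaa peer
    Packet("tcp", KAZAA_PORT, 40123),  # Kazaa peer -> client
    Packet("tcp", KAZAA_PORT, 80),     # request to a web server, source port 1214
    Packet("tcp", 50000, 80),          # ordinary web request
    Packet("udp", KAZAA_PORT, 53),     # not TCP at all
]


def bpf_not_tcp_and_port(p: Packet) -> bool:
    """Capture decision for the expression 'not tcp and port 1214' as BPF
    parses it: (not tcp) and (port 1214), because 'not' binds tighter than
    'and'. Only non-TCP traffic on port 1214 is captured; every TCP packet,
    including ordinary web traffic, is silently dropped from inspection."""
    return p.proto != "tcp" and KAZAA_PORT in (p.sport, p.dport)


def bpf_not_tcp_port(p: Packet) -> bool:
    """Capture decision for 'not (tcp and port 1214)', the intended filter:
    everything is captured except TCP with 1214 as source or destination."""
    return not (p.proto == "tcp" and KAZAA_PORT in (p.sport, p.dport))


def pass_bidirectional(p: Packet) -> bool:
    """Does 'pass tcp any any <-> any 1214' match (and so ignore) the packet?
    '<->' matches either direction, so 1214 as a source port is enough;
    that is the gap the post warns about."""
    return p.proto == "tcp" and KAZAA_PORT in (p.sport, p.dport)


def pass_to_port_only(p: Packet) -> bool:
    """Narrower rule, 'pass tcp any any -> any 1214': only traffic whose
    destination is 1214 is ignored, so a request to port 80 that happens to
    come from source port 1214 is still inspected."""
    return p.proto == "tcp" and p.dport == KAZAA_PORT


def inspected(packets, capture=None, passes=None) -> list:
    """Packets that reach the rule engine: they must survive the capture
    filter (if any) and must not match the pass rule (if any)."""
    keep = []
    for p in packets:
        if capture is not None and not capture(p):
            continue
        if passes is not None and passes(p):
            continue
        keep.append(p)
    return keep


if __name__ == "__main__":
    for name, cap, ps in [("wrong BPF", bpf_not_tcp_and_port, None),
                          ("right BPF", bpf_not_tcp_port, None),
                          ("pass <->", None, pass_bidirectional),
                          ("pass ->", None, pass_to_port_only)]:
        n = len(inspected(SAMPLE, cap, ps))
        print(f"{name:10s} inspects {n} of {len(SAMPLE)} sample packets")
```

Neither variant looks at what the traffic actually is, which is the point of the closing remark in the post: any port-based exemption is a guess about the application, and the one-directional rule only narrows the guess.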

--__--__--

Message: 3
Subject: RE: [Snort-users] snort on Linux works, on OpenBSD doesn\'t
Date: Tue, 6 Nov 2001 13:46:51 -0600
From: "Chris Eidem" <jceidem () dexma com>
To: "Ashley Thomas" <athomas () unity ncsu edu>,
        <donegan () donegan org>
Cc: <snort-users () lists sourceforge net>

Not necessary, here is my setup:

[root@cubanelle /home/ceidem/src]# for i in /etc/hostname.*; do echo $i;
cat $i; done
/etc/hostname.fxp0
up
/etc/hostname.xl0
inet 10.70.0.108 255.255.255.0 NONE
/etc/hostname.xl1
up

-----Original Message-----
From: Ashley Thomas [mailto:athomas () unity ncsu edu]
Sent: Tuesday, November 06, 2001 1:08 PM
To: donegan () donegan org
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort on Linux works, on OpenBSD doesn't

One point to be noted:
in OpenBSD ifconfig rl0 up doesn't seem to work.

So modify /etc/hostname.rl0

inet 0.0.0.0 255.255.255.0 NONE

That should do the trick :-)

let me know if that works

cheers
ashley


On Tue, 6 Nov 2001 donegan () donegan org wrote:

I have just installed, from the same sources, snort on Linux and
OpenBSD. Both compile AOK, both appear to execute OK, the Linux snort
catches all the nimda stuff that continues to provide test data :-) and
the OpenBSD snort catches nothing. Both are connected to the same hub
(not switch), both interfaces show PROMISC mode and UP.

A key difference here is that the OpenBSD snort is running on an
interface that has no IP address - i.e. ifconfig rl0 up.

Any pointers on waking the OpenBSD version up would be appreciated.

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--__--__--

Message: 4
From: Steve Halligan <agent33 () geeksquad com>
To: Steve Halligan <agent33 () geeksquad com>, "'Andrew R. Baker'"
         <andrewb () snort org>
Cc: "'snort-users () lists sourceforge net'"
         <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Barnyard and ACID question
Date: Tue, 6 Nov 2001 13:53:00 -0600 

One more piece of weirdness:  Barnyard popped up a few "Unknown Network
Header (0x0)" and inserted an alert with only a sig, no ip info, tcp info,
etc.



-----Original Message-----
From: Steve Halligan [mailto:agent33 () geeksquad com]
Sent: Tuesday, November 06, 2001 12:29 PM
To: 'Andrew R. Baker'; 'Wozz'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Barnyard and ACID question


PS:  The timestamps appear to be set to UTC.  Both the snort/barnyard box
and the database box are set to the correct time and timezone, but
timestamps logged in the database are +6 hours (which would be utc from
where I am).  Not a bug, but is there any way to change this behaviour?

-----Original Message-----
From: Steve Halligan 
Sent: Tuesday, November 06, 2001 12:23 PM
To: 'Andrew R. Baker'; Wozz
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Barnyard and ACID question


I am having this problem also.  OpenBSD 2.9-release here.  
Barnyard from CVS today.  snort-unified-logfile is attached.
I also noticed that sometimes (although not in this logfile, 
I believe)  the ordering of the source ip address backwards 
also a.b.c.d becomes d.c.b.a.  The dest ip is unaffected.
-steve

-----Original Message-----
From: Andrew R. Baker [mailto:andrewb () snort org]
Sent: Monday, November 05, 2001 11:44 PM
To: Wozz
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Barnyard and ACID question


Wozz wrote:

I'm noticing some problems with barnyard and the mysql output plugin.
After some correlation, here's the real headers for the event (from the
barnyard log output plugin)

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
Event ID: 692     Event Reference: 0
11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  TcpLen: 32

For some reason, when using the mysql output plugin in barnyard, the source
port is being munged from the correct 55776 to 57561, and the destination
port from 80 to 20480.  I've confirmed that this is the data that is being
inserted into mysql (as opposed to it being an ACID display problem).

This is consistent across all alerts being inserted into mysql (as far as I
can tell)

Is this a known bug?


Which version (and build) of snort are you using?  Do you have a small
unified alert file you could send me for testing?  AFAIK, this should
not occur.  I will look into it tomorrow.

-A

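A check for the byte-order explanation that the numbers in this thread suggest, added here as an example and not code from barnyard or from anyone in the thread: 80 is 0x0050 and 20480 is 0x5000, 55776 is 0xD9E0 and 57561 is 0xE0D9, and a.b.c.d becoming d.c.b.a is the same reversal applied to a 32-bit field. The helper takes the real and the logged header fields and names those that differ by exactly a byte swap, which is the signature of a host/network byte-order mix-up when a binary log is read back. The address octets are constructed placeholders, since the thread redacts them; the port values are the ones Wozz quotes.

```python
import socket
import struct


def swap16(value: int) -> int:
    """Reinterpret a 16-bit value (e.g. a TCP port) with its two bytes
    in the opposite order: 80 (0x0050) becomes 20480 (0x5000)."""
    return struct.unpack("<H", struct.pack(">H", value))[0]


def swap32_ip(dotted: str) -> str:
    """Reinterpret a dotted-quad IPv4 address with its four bytes reversed
    (a.b.c.d -> d.c.b.a), which is what a byte-order mix-up on a 32-bit
    address field looks like once it is printed."""
    packed = socket.inet_aton(dotted)
    return socket.inet_ntoa(packed[::-1])


def swapped_fields(real: dict, logged: dict) -> list:
    """Names of the fields whose logged value is exactly the byte-swap of the
    real one. Keys ending in 'port' are treated as 16-bit values, keys ending
    in 'ip' as IPv4 addresses. A field that is unchanged is never reported,
    even when its bytes happen to be symmetric."""
    hits = []
    for name, value in real.items():
        seen = logged[name]
        if seen == value:
            continue
        if name.endswith("port") and seen == swap16(value):
            hits.append(name)
        elif name.endswith("ip") and seen == swap32_ip(value):
            hits.append(name)
    return hits


# Values from the thread; the a.b.c / x.y.z octets are constructed here.
REAL = {"src_ip": "192.0.2.130", "src_port": 55776,
        "dst_ip": "198.51.100.64", "dst_port": 80}
LOGGED = {"src_ip": "130.2.0.192", "src_port": 57561,
          "dst_ip": "198.51.100.64", "dst_port": 20480}


if __name__ == "__main__":
    print("fields that look byte-swapped:", swapped_fields(REAL, LOGGED))
```

When every munged field comes back as a byte swap and the unmunged ones do not, the bug is in how the writer or reader of the unified file handles byte order rather than in the database or in ACID, which is the distinction Wozz draws.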



--__--__--

Message: 5
Date: Tue, 6 Nov 2001 14:55:52 -0500 (EST)
From: Ashley Thomas <athomas () unity ncsu edu>
To: Chris Eidem <jceidem () dexma com>
cc: <donegan () donegan org>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] snort on Linux works, on OpenBSD doesn't


Could you explain what you are doing?

thanks
ashley

On Tue, 6 Nov 2001, Chris Eidem wrote:

Not necessary, here is my setup:

[root@cubanelle /home/ceidem/src]# for i in /etc/hostname.*; do echo $i;
cat $i; done
/etc/hostname.fxp0
up
/etc/hostname.xl0
inet 10.70.0.108 255.255.255.0 NONE
/etc/hostname.xl1
up

-----Original Message-----
From: Ashley Thomas [mailto:athomas () unity ncsu edu]
Sent: Tuesday, November 06, 2001 1:08 PM
To: donegan () donegan org
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort on Linux works, on OpenBSD doesn't


One point to be noted:
in OpenBSD ifconfig rl0 up doesn't seem to work.

So modify /etc/hostname.rl0

inet 0.0.0.0 255.255.255.0 NONE

That should do the trick :-)

let me know if that works

cheers
ashley


On Tue, 6 Nov 2001 donegan () donegan org wrote:

I have just installed, from the same sources, snort on Linux and
OpenBSD. Both compile AOK, both appear to execute OK, the Linux snort
catches all the nimda stuff that continues to provide test data :-) and
the OpenBSD snort catches nothing. Both are connected to the same hub
(not switch), both interfaces show PROMISC mode and UP.

A key difference here is that the OpenBSD snort is running on an
interface that has no IP address - i.e. ifconfig rl0 up.

Any pointers on waking the OpenBSD version up would be appreciated.

Thanks!






--__--__--

Message: 6
From: "Wells, Kenneth L" <kw151002 () exchange DAYTONOH NCR com>
To: snort-users () lists sourceforge net
Date: Tue, 6 Nov 2001 15:05:02 -0500 
Subject: [Snort-users] (no subject)


Thanks to whoever sent this to me.......Can anyone tell me if I'm missing
anything?

How can I tell if I have libpcap already installed?

Kenny




1. Search the web and install libpcap
- unpack it
Then run:
- ./configure
- make
- make install
2. Download snort (www.snort.org)
- unpack it (gzip -d <snort file.tar.gzip>, then tar -xvf <snortfile.tar>)
Then run
- ./configure
- make
- make install
3. Make sure when you run snort it sets your nic to promiscuous mode. If it
doesn't then do the following manually before starting snort: ifconfig
<yournic> promisc
4. In the installation directory find the snort.conf file and edit the
following values:
- set $home_net to your lan
- set external_net to !$home_net
- set the logging to /var/snort/log
- include your dns server addresses in the list of ignored hosts
- in the bottom of the file (where you see a lot of 'include rules') provide
a path to the rules. You'll have to download the rules from snort.org
5. Create a 'snort' directory in /var/log. Here IDS logs things.
6. Download snort_stat.pl from snort.org. This perl script will parse alert
and portscan files and present it to you in nice html format.
7. Connect snort machine to internet or to internal lan (depends what you
wanna sniff exactly)
8. On the switch or hub mirror firewall (or whatever you want to sniff) port
to port where snort machine is connected.
9. Start snort like: snort -c /snort.conf
(it will automatically use full logging feature and will use default log
directory /var/log/snort)
10. After a while run:
cat /var/log/snort | /snort_stat.pl -f -h > /alert.html (this one will
create an alert.html file in /, you can open it later with browser)
That's what I remember from the top of my head. This is a very basic setup,
you can do much more complicated things, especially regarding representation
of alert files.
Hope this helps.
P.S. Don't disregard reading the FAQ on snort.org, though I think it misses
quite a lot of things for newbies and can't be very useful for the beginner.
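Kenny's question about whether libpcap is already present can be answered from the three things snort's build in step 2 needs, shown here as an added example that is not from the post or from the snort project: the shared library the dynamic linker can resolve, the `pcap.h` header that `./configure` tests for, and the `pcap-config` helper that newer libpcap releases install. The header directories are assumed common Unix defaults and can be overridden; a library without the header is the usual reason a from-source `./configure` fails even though `tcpdump` runs fine.

```python
import os
import shutil
import subprocess
from ctypes.util import find_library

# Assumed common locations for the libpcap header on Unix-like systems.
HEADER_DIRS = ["/usr/include", "/usr/local/include", "/usr/include/pcap"]


def find_pcap_header(dirs=HEADER_DIRS):
    """Return the first pcap.h found in dirs, or None if no header is present."""
    for d in dirs:
        candidate = os.path.join(d, "pcap.h")
        if os.path.isfile(candidate):
            return candidate
    return None


def pcap_config_libs():
    """Ask pcap-config (shipped by newer libpcap releases) for its link
    flags. Returns None when the tool is absent or fails, which is normal
    for older installs and does not by itself mean libpcap is missing."""
    tool = shutil.which("pcap-config")
    if tool is None:
        return None
    try:
        out = subprocess.run([tool, "--libs"], capture_output=True,
                             text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


def libpcap_status(dirs=HEADER_DIRS) -> dict:
    """Summarise what is installed. 'usable_for_build' requires both the
    library and the header, because snort's ./configure compiles a test
    program that includes pcap.h and links against -lpcap."""
    lib = find_library("pcap")        # e.g. 'libpcap.so.1' on Linux, or None
    header = find_pcap_header(dirs)
    return {
        "library": lib,
        "header": header,
        "pcap_config": shutil.which("pcap-config"),
        "link_flags": pcap_config_libs(),
        "usable_for_build": lib is not None and header is not None,
    }


if __name__ == "__main__":
    for key, value in libpcap_status().items():
        print(f"{key:17s} {value}")
```

If `library` is set but `header` is not, the packaged runtime is installed without its development files, and step 1 of the recipe (building libpcap from source) or the distribution's libpcap development package is needed before snort's `./configure` will succeed.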






--__--__--



End of Snort-users Digest

