Snort mailing list archives
Re: Snort-users digest, Vol 1 #1394 - 16 msgs
From: Aaron Urbain <aaronurbain1 () yahoo com>
Date: Tue, 11 Dec 2001 12:51:05 -0800 (PST)
where is the movie place in s.norlwak?

snort-users-request () lists sourceforge net wrote:

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Disable local logging (Frank Reid)
   2. Re: Disable local logging (Guillaume)
   3. Re: Disable local logging (Erek Adams)
   4. RE: Disable local logging (Frank Reid)
   5. Difficulty with Obfuscate option (David F. Severski)
   6. Re: content |00| (Ryan Russell)
   7. Proxy scan 8080 (Wooi Koay)
   8. Re: Disable local logging (Martin Roesch)
   9. Multiple Interfaces not supported? (Jeff Newton)
  10. SNORT Reporting Question (Bradley, Paul)
  11. Re: Multiple Interfaces not supported? (Bruno Gimenes Pereti)
  12. Re: Multiple Interfaces not supported? (Erek Adams)
  13. Re: SNORT Reporting Question (pbsarnac () ThoughtWorks com)
  14. Re: Multiple Interfaces not supported? (Brian)
  15. Complex network + Multi-interface sensor = trouble (Jeff Newton)
  16. RE: ACID error w/ mysql db (Ronneil Camara)

--__--__--

Message: 1
From: "Frank Reid"
To:
Date: Tue, 11 Dec 2001 07:42:11 -0500
Subject: [Snort-users] Disable local logging

Is there a way to disable local logging (to /var/log/snort) entirely, or does that break normal operations? (It may be something simple in snort.conf, but I can't find it.) On my active sensors, I've found the log directory fills up quickly to a point where Snort can no longer add directory entries. It may be unrelated, but it also appears Snort occasionally stops reporting upstream to the MySQL database under heavy traffic volume.
The Snort process doesn't die on the sensor, so the demarc wrapper does not know to restart it.

Frank

--__--__--

Message: 2
To: Frank Reid
Subject: Re: [Snort-users] Disable local logging
Date: Tue, 11 Dec 2001 16:09:51 +0100 (CET)
From: Guillaume
Cc: snort-users () lists sourceforge net

In reply to Frank Reid:
Is there a way to disable local logging (to /var/log/snort) entirely, or does that break normal operations? (It may be something simple in snort.conf, but I can't find it.) On my active sensors, I've found the log directory fills up quickly to a point where Snort can no longer add directory entries. It may be unrelated, but it also appears Snort occasionally stops reporting upstream to the MySQL database under heavy traffic volume. The Snort process doesn't die on the sensor, so the demarc wrapper does not know to restart it.
I also noticed that: I use the MySQL output plugin, but snort still logs some stuff under /var/log/snort. I think (but it is perfectly empiric!) that when too heavily stressed, MySQL timeouts make snort log locally. Maybe a MySQL related issue...

Anyway, I planned to switch from direct MySQL logging to some kind of post-log-processing (i.e. alerts locally logged and periodically extracted and sent to the MySQL db by some PERL script).

Guillaume

***********************************
Sent with HORDE/IMP (www.horde.org)

--__--__--

Message: 3
Date: Tue, 11 Dec 2001 07:57:20 -0800 (PST)
From: Erek Adams
To: Frank Reid
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Disable local logging

On Tue, 11 Dec 2001, Frank Reid wrote:
Is there a way to disable local logging (to /var/log/snort) entirely, or does that break normal operations? (It may be something simple in snort.conf, but I can't find it.) On my active sensors, I've found the log directory fills up quickly to a point where Snort can no longer add directory entries. It may be unrelated, but it also appears Snort occasionally stops reporting upstream to the MySQL database under heavy traffic volume. The Snort process doesn't die on the sensor, so the demarc wrapper does not know to restart it.
Sounds like you need to use Barnyard. Grab the beta from http://www.snort.org/downloads/ (I don't have the full URL ATM, snort.org is flaked right now....). It's designed to handle DB logging when/if snort can't connect to the DB. No wrapper needed....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

Message: 4
From: "Frank Reid"
To: "Erek Adams"
Cc:
Subject: RE: [Snort-users] Disable local logging
Date: Tue, 11 Dec 2001 11:16:20 -0500

Thanks. I'd read about Barnyard on the list periodically, but haven't played with it yet. As soon as snort.org is back online, I'll snag it and have a look. I'm guessing it uses the same db schema as Snort, so it's compatible with both ACID and demarc on the management console? Also, I wonder if it will integrate fully with demarc if I disable the database preprocessor on the sensors.

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Erek Adams
Sent: Tuesday, December 11, 2001 10:57 AM
To: Frank Reid
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Disable local logging

On Tue, 11 Dec 2001, Frank Reid wrote:
Is there a way to disable local logging (to /var/log/snort) entirely, or does that break normal operations? (It may be something simple in snort.conf, but I can't find it.) On my active sensors, I've found the log directory fills up quickly to a point where Snort can no longer add directory entries. It may be unrelated, but it also appears Snort occasionally stops reporting upstream to the MySQL database under heavy traffic volume. The Snort process doesn't die on the sensor, so the demarc wrapper does not know to restart it.
Sounds like you need to use Barnyard. Grab the beta from http://www.snort.org/downloads/ (I don't have the full URL ATM, snort.org is flaked right now....). It's designed to handle DB logging when/if snort can't connect to the DB. No wrapper needed....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 5
Date: Tue, 11 Dec 2001 09:14:46 -0800
From: "David F. Severski"
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difficulty with Obfuscate option

I'm having a hard time getting the obfuscate (-O) option to work the way I believe it should. As I understand the option, when logging with the homenet (-h) and obfuscate (-O) flags, the dumps in the log directory (-l) should have any non-homenet IPs obfuscated. Despite my best efforts, every option I try results in the obfuscation of _both_ the source and destination addresses.

Environment: snort 1.8.3-Build 88, built with no options from snort-daily.tar as of approx. 8:30 PST, FreeBSD 4.4-STABLE

To test, I've used the following command to generate a binary dump of some sample traffic:

    ./snort -b -l /var/log/temp -L test.log -i xl0

This traffic was then read back to verify a good capture with the command:

    ./snort -r /var/log/temp/test.log

I then tried to obfuscate this to my logging directories with the command:

    ./snort -r /var/log/temp/test.log -h 216.162.200.43/32 -v -O -l /var/log/temp

Note: 216.162.200.43 is the address of the xl0 interface being monitored.
I've also tried to expand the home net with 216.162.200.43/24 and 216.162.200.0/24 with identical results.

Checking /var/log/temp shows that the directories are being created as expected, but both the source and destination IP addresses are obfuscated. What I had expected to happen was to have only the address of my xl0 interface be sanitized, leaving the remote IP untouched.

Am I not understanding the obfuscate option correctly or missing a configuration step here?

Thanks for the help!

David

--__--__--

Message: 6
Date: Tue, 11 Dec 2001 10:20:54 -0700 (MST)
From: Ryan Russell
To: RAMALINGA Reddy
cc: 'snort'
Subject: Re: [Snort-users] content |00|

On Tue, 11 Dec 2001, RAMALINGA Reddy wrote:
Hello Gurus,

I came across so many snort rules which contain "|00|" in the content. Can anyone explain what it means? Is it a kind of NOOP?

thanks in advance,
Rali
That's how Snort does hexadecimal characters in rules, between vertical bars, "|". So |00| is just a byte containing zero. Yes, it's used in a number of rules, such as those looking for unicode, which will look like u|00|n|00|i|00|c|00|o|00|d|00|e|00|. There are also rules which look for null bytes being passed to web apps. Some cgi parsers will recognize |00| as a string terminator, but when it gets handed to a perl interpreter, it will not, allowing for a hole in some cases.

Ryan

--__--__--

Message: 7
From: "Wooi Koay"
To:
Date: Tue, 11 Dec 2001 12:59:19 -0500
Subject: [Snort-users] Proxy scan 8080

Snort has been running on my machine for a while, and I installed acid last night. What I've found is that I saw my own machine (which snort is running on) scanning websites that I visited, any idea why?

TIA,
wooi.

--__--__--

Message: 8
Date: Tue, 11 Dec 2001 14:08:20 -0500
From: Martin Roesch
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Disable local logging

What version of Snort are you using? This sounds like a bug that cropped up in 1.8.1. Can you read the BUGS file and get back to us with the info that we need?

-Marty

Frank Reid wrote:
Is there a way to disable local logging (to /var/log/snort) entirely, or does that break normal operations? (It may be something simple in snort.conf, but I can't find it.) On my active sensors, I've found the log directory fills up quickly to a point where Snort can no longer add directory entries. It may be unrelated, but it also appears Snort occasionally stops reporting upstream to the MySQL database under heavy traffic volume. The Snort process doesn't die on the sensor, so the demarc wrapper does not know to restart it.

Frank
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

Message: 9
Date: Tue, 11 Dec 2001 11:23:46 -0800
From: Jeff Newton
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multiple Interfaces not supported?

Is there something I need to do to enable multiple interface support in 1.8.3 on RedHat7.2?

    /usr/sbin/snort -i eth0 -i eth1 -c /etc/snort/snort.conf -b -o -A fast -z est
    Multiple interfaces are not supported. eth0 is used

Both interfaces work fine individually.

Cheers,
--
Jeff Newton

--__--__--

Message: 10
From: "Bradley, Paul"
To: "'snort-users () lists sourceforge net'"
Date: Tue, 11 Dec 2001 12:23:55 -0700
Subject: [Snort-users] SNORT Reporting Question

A bit of a SNORT newbie here... I have set up SNORT successfully and it is logging to a MySQL database and I am using ACID to view alerts and what-not. What is a good utility to use to generate a daily report of events logged by SNORT? Any suggestions would be greatly appreciated.

Thanks,
Paul

--__--__--

Message: 11
From: "Bruno Gimenes Pereti"
To: "Snort-Users"
Subject: Re: [Snort-users] Multiple Interfaces not supported?
Date: Tue, 11 Dec 2001 17:36:34 -0200

You can start two processes, one for each interface.

Bruno.

----- Original Message -----
From: "Jeff Newton"
To:
Sent: Tuesday, December 11, 2001 5:23 PM
Subject: [Snort-users] Multiple Interfaces not supported?
Is there something I need to do to enable multiple interface support in 1.8.3 on RedHat7.2?

    /usr/sbin/snort -i eth0 -i eth1 -c /etc/snort/snort.conf -b -o -A fast -z est
    Multiple interfaces are not supported. eth0 is used

Both interfaces work fine individually.

Cheers,
--
Jeff Newton
--__--__-- Message: 12 Date: Tue, 11 Dec 2001 11:33:26 -0800 (PST) From: Erek Adams To: Jeff Newton cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Multiple Interfaces not supported? On Tue, 11 Dec 2001, Jeff Newton wrote:
Is there something I need to do to enable multiple interface support in 1.8.3 on RedHat7.2?
Yep.
    /usr/sbin/snort -i eth0 -i eth1 -c /etc/snort/snort.conf -b -o -A fast -z est
    Multiple interfaces are not supported. eth0 is used

Both interfaces work fine individually.
Read the FAQ. http://www.snort.org/docs/faq.html#3.4

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

Message: 13
Subject: Re: [Snort-users] SNORT Reporting Question
To: paulb () cta com
Cc: "'snort-users () lists sourceforge net'", snort-users-admin () lists sourceforge net
From: pbsarnac () ThoughtWorks com
Date: Tue, 11 Dec 2001 13:40:24 -0600

Try signing up for ARIS. Their latest version can send out nightly summaries. They can do a host of other cool stuff for you as well, such as abuse notifications, trend graphing, and alert archiving.

http://aris.securityfocus.com

"Bradley, Paul"
Sent by: snort-users-admin@lists.sourceforge.net
12/11/2001 01:23 PM
To: "'snort-users () lists sourceforge net'"
cc:
Subject: [Snort-users] SNORT Reporting Question

A bit of a SNORT newbie here... I have set up SNORT successfully and it is logging to a MySQL database and I am using ACID to view alerts and what-not. What is a good utility to use to generate a daily report of events logged by SNORT? Any suggestions would be greatly appreciated.

Thanks,
Paul

--__--__--

Message: 14
Date: Tue, 11 Dec 2001 14:47:37 -0500
From: Brian
To: Jeff Newton
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple Interfaces not supported?

According to Jeff Newton:
Is there something I need to do to enable multiple interface support in 1.8.3 on RedHat7.2?

    /usr/sbin/snort -i eth0 -i eth1 -c /etc/snort/snort.conf -b -o -A fast -z est
    Multiple interfaces are not supported. eth0 is used
1) install pcap from www.tcpdump.org. Redhat's pcap sucks.
2) snort -i any

--
the best analogy between cracking and hacking seems to be a hacker can design a car, and a cracker knows how to crash it into a house.

--__--__--

Message: 15
Date: Tue, 11 Dec 2001 11:49:50 -0800
From: Jeff Newton
To: snort-users () lists sourceforge net
Subject: [Snort-users] Complex network + Multi-interface sensor = trouble

I want to monitor multiple subnets (internet, DMZ, internal, etc) with a single multi-interface sensor and have a few implementation questions:

1) Is it best/possible to run on all interfaces using a single snort.conf? My initial sensor test fired constantly on detected RPC traffic and I imagine tuning this out only on specific interfaces will be a real challenge.

2) Can EXTERNAL_NET be defined as any not-equal-to HOME_NET? I suspect this isn't the default, which is why the RPC rule was firing on HOME_NET to HOME_NET traffic - the rpc rule fires on any -> HOME_NET.

Any other multi-interface sensor implementation help/suggestions would be greatly appreciated.

Cheers,
--
Jeff Newton

--__--__--

Message: 16
Subject: RE: [Snort-users] ACID error w/ mysql db
Date: Tue, 11 Dec 2001 13:51:42 -0600
From: "Ronneil Camara"
To:

You have to create a database; in your case, it's gonna be acid_event. What I usually use is snortdb. Then in the contrib folder of snort, this is what I execute:

    mysql -u root -p snortdb < create_mysql

You also have to apply it to the snort_archive database. Then make sure that your php scripts are pointing to snortdb.

Hope this helps.
-----Original Message-----
From: Byron [mailto:snail945 () yahoo com]
Sent: Monday, December 10, 2001 1:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID error w/ mysql db

System:
Snort 1.8.2 (win32)
MySQL 3.23.40-nt
ADODB v1.54
PHP 4.0.6
ACID v0.9.6b18

I'm getting the error below when querying ACID to search for a specific IP. Was wondering if I'm doing something wrong or if this is a bug of sorts.

    Database ERROR:Database ERROR:Unknown table 'acid_event.acid_event' in where clause

Thx for any help!
Byron

_________________________________________________________
=== message truncated ===
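As an added illustration of Ryan Russell's explanation of |00| in message 6 (this is example code written for this archive page, not code from the thread or from Snort itself), the following Python parser turns a Snort content string with its |..| hex sections into the bytes it matches and checks constructed payloads for the UTF-16 and null-byte patterns his message describes. All function names and sample payloads are made up for the example.

```python
# Constructed example: parse Snort 'content' patterns with |hex| sections and
# match them against payloads. Not Snort's own parser; names are made up here.

def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content pattern into the bytes it matches.

    Text outside vertical bars is literal; text between a pair of bars is hex
    byte values (whitespace ignored, so "|00 00|" == "|0000|"). A backslash
    escapes the next character, which is how a rule writes a literal '|'.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))  # escaped literal, e.g. \|
            i += 2
        elif ch == "|":
            end = spec.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated hex section in %r" % spec)
            hexdigits = "".join(spec[i + 1:end].split())
            out.extend(bytes.fromhex(hexdigits))  # ValueError on malformed hex
            i = end + 1
        else:
            out.append(ord(ch))  # literal ASCII character
            i += 1
    return bytes(out)

def content_matches(spec: str, payload: bytes, nocase: bool = False) -> bool:
    """True if the pattern occurs anywhere in payload, like Snort's 'content'
    option ('nocase' makes the comparison case-insensitive)."""
    pattern = parse_snort_content(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload

# Constructed sample payloads, not real captures.
UNICODE_PAYLOAD = "GET /unicode HTTP/1.0\r\n".encode("utf-16-le")  # UTF-16LE request
NULL_BYTE_PAYLOAD = b"GET /cgi-bin/view.pl?file=notes.txt\x00.html HTTP/1.0\r\n"
CLEAN_PAYLOAD = b"GET /index.html HTTP/1.0\r\n"
UNICODE_RULE = "u|00|n|00|i|00|c|00|o|00|d|00|e|00|"  # the pattern Ryan describes

def demo() -> dict:
    """Evaluate the two patterns from the thread against the samples."""
    return {
        "unicode_hits": content_matches(UNICODE_RULE, UNICODE_PAYLOAD),
        "null_hits": content_matches("|00|", NULL_BYTE_PAYLOAD),
        "clean_null": content_matches("|00|", CLEAN_PAYLOAD),
    }

if __name__ == "__main__":
    print(demo())  # {'unicode_hits': True, 'null_hits': True, 'clean_null': False}
```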