Snort mailing list archives

Detecting FTP Hacks


From: "Michael Pickert" <Michael.Pickert () semikron com>
Date: Fri, 22 Mar 2002 11:21:48 +0100

Hi,

Is there any chance to get snort alerting me if someone accesses our ftp
server as user anonymous, or when he is creating a dir named, let's say,
tagged?

I tried a bit around, but it doesn't work, because snort isn't able to
check ftp traffic.

Any ideas?

Thanks.

Michael Pickert
michael.pickert () semikron com
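The two checks asked for above, as an added example that is not part of the original post: a small Python detector run over a constructed client-side FTP control stream, doing what payload content matches on TCP port 21 would do. The sample commands, the watch lists and the function names are all constructed here.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed client->server side of an FTP control channel (TCP/21), the
# stream an IDS would inspect; not a capture from the original post.
SAMPLE_FTP_COMMANDS = (
    b"USER Anonymous\r\n"
    b"PASS guest@example.invalid\r\n"
    b"CWD /incoming\r\n"
    b"MKD tagged\r\n"
    b"XMKD  TAGGED\r\n"
    b"MKD /pub/tagged/2002\r\n"
    b"QUIT\r\n"
)

# Watch lists taken from the question: the anonymous account and a directory name.
WATCHED_USERS = {"anonymous", "ftp"}
WATCHED_DIR_SUBSTRINGS = ("tagged",)

@dataclass(frozen=True)
class Alert:
    msg: str
    command: str
    argument: str

# FTP verbs are 3 or 4 letters, followed by an optional argument.
_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?:[ \t]+(.*?))?[ \t]*$")

def parse_commands(stream: bytes) -> Iterator[Tuple[str, str]]:
    """Split a CRLF-delimited control stream into (VERB, argument) pairs."""
    for raw in stream.split(b"\r\n"):
        m = _CMD_RE.match(raw) if raw else None
        if not m:
            continue  # blank or non-command line: skip rather than fail
        verb = m.group(1).decode("ascii").upper()
        arg = (m.group(2) or b"").decode("latin-1")
        yield verb, arg

def detect(stream: bytes) -> List[Alert]:
    """Case-insensitive checks, the equivalent of a nocase content match."""
    alerts = []
    for verb, arg in parse_commands(stream):
        if verb == "USER" and arg.strip().lower() in WATCHED_USERS:
            alerts.append(Alert("FTP anonymous login attempt", verb, arg))
        elif verb in ("MKD", "XMKD"):
            # Judge only the final path component, so every subdirectory later
            # created under an already-reported "tagged" directory is not re-alerted.
            leaf = arg.strip().rstrip("/").rsplit("/", 1)[-1].lower()
            if any(w in leaf for w in WATCHED_DIR_SUBSTRINGS):
                alerts.append(Alert("FTP directory creation of watched name", verb, arg))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_FTP_COMMANDS):
        print(f"[{a.msg}] {a.command} {a.argument}")
```

Snort can express both checks as payload content matches on TCP port 21 (the content keyword with nocase), which is the same logic this detector runs over the reassembled stream.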

snort-users-request () lists sourceforge net 22.03.02 06:49:05 >>>
Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net 

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users 
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net 

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net 

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. ge iface snort (Christian Kuhtz)
   2. disabling portscan false alarms for a certain port (137) (Steve.Evans () irusa com)
   3. Re: How to install LibNetNT (SkatFiend () aol com)
   4. Re: Generating SSHD Alerts (Scott Taylor)
   5. RE: Alert Based on MAC Address (Wirth, Jeff)
   6. Re: in or out this is the problem!! (Matt Kettler)
   7. Re: Linux Snort Stealth Interface Help Request (Chris Green)
   8. Re: Alert Based on MAC Address (Matt Kettler)
   9. RE: How to install LibNetNT (Michael Steele)
  10. Detecting source routing packets (Sheahan, Paul (PCLN-NW))
  11. Increasing Packet (Kevin L Pawloski)
  12. [Snort-users]Newbie needs help!! (lsd kuyeh)
  13. Re: portscans and ACID (Omar McKenzie)
  14. Re: MySQLOutput database & No logging (Omar McKenzie)

--__--__--

Message: 1
From: "Christian Kuhtz" <christian () kuhtz com>
To: <snort-users () lists sourceforge net>
Date: Thu, 21 Mar 2002 11:46:38 -0500
Subject: [Snort-users] ge iface snort


hey there,

who around here has used snort on ge ifaces?  i'd like to swap some
experiences...

thanks,
chris




--__--__--

Message: 2
From: Steve.Evans () irusa com 
To: snort-users () lists sourceforge net 
Date: Thu, 21 Mar 2002 11:15:26 -0700
Subject: [Snort-users] disabling portscan false alarms for a certain port (137)

Hi all.

I'm getting the following :

Mar 21 10:01:03 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:07 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 3 connections across 3 hosts: TCP(0), UDP(3)
Mar 21 10:01:11 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:15 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:20 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:24 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:28 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)

Etc..

This node is not a DNS server.. and it's not the only node that I get
notified about.

The portscan.log looks like :

Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:21 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:24 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:26 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:29 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:31 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:34 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:35 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:38 192.168.1.3:137 -> 192.168.1.130:137 UDP  

Etc..

Rather than ignoring all portscans from/to this host, I'd like to just be
able to ignore portscans on UDP port 137 (netbios?)

Is there a way to do this with snort (Version 1.8.1-RELEASE (Build 74))?

Thanks!

Steve..

PS, please reply directly, I'm not on the mailing list..
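An added example, not from the original post or from Snort itself: instead of silencing the whole host with the coarse portscan-ignorehosts preprocessor option, this post-filters constructed portscan.log lines in the layout shown above, drops only NetBIOS name-service chatter (UDP with both ports 137), and recomputes the per-source host count that spp_portscan reports. The sample lines and function names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed lines in the layout of Snort 1.8's portscan.log shown in the
# message above; not the poster's actual file. Line 3 is UDP to port 137 from
# an ephemeral port, line 5 is a TCP SYN, line 6 comes from another source.
SAMPLE_PORTSCAN_LOG = """\
Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:16 192.168.1.3:1033 -> 192.168.1.21:137 UDP
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:20 192.168.1.3:2345 -> 192.168.1.130:22 SYN ******S*
Mar 21 12:01:21 10.0.0.9:137 -> 192.168.1.130:137 UDP
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?P<flags>.*)$"
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one portscan.log line; None for anything that does not fit."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry

def is_netbios_name_service(entry: dict) -> bool:
    # NetBIOS name-service traffic is UDP with *both* ports 137. A UDP packet
    # from an ephemeral port that merely targets 137 is not excused, so a real
    # UDP sweep that happens to include port 137 still counts.
    return entry["proto"] == "UDP" and entry["sport"] == 137 and entry["dport"] == 137

def filter_log(text: str) -> Tuple[List[dict], int]:
    """Return (entries kept, number dropped as NetBIOS name-service noise)."""
    kept, dropped = [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if is_netbios_name_service(entry):
            dropped += 1
        else:
            kept.append(entry)
    return kept, dropped

def hosts_touched(entries: List[dict]) -> Dict[str, int]:
    """Distinct destination hosts per source, the figure spp_portscan reports."""
    seen: Dict[str, set] = {}
    for entry in entries:
        seen.setdefault(entry["src"], set()).add(entry["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_PORTSCAN_LOG)
    print(f"dropped {dropped} NetBIOS name-service lines, kept {len(kept)}")
    print(hosts_touched(kept))
```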


--__--__--

Message: 3
From: SkatFiend () aol com 
Date: Thu, 21 Mar 2002 16:47:10 EST
Subject: Re: [Snort-users] How to install LibNetNT
To: dr () kyx net 
CC: snort-users () lists sourceforge net 



Thanks for the help all. I did some clean up, updated to ACID b21, and a
scandisk to correct a few disk errors, bounced the box and up it came without
the memory error I was getting b4, go figure, don't know what the problem
was. I'm using a copy of LibNetNT from Eeye and it seems to be fine now.

Maybe it was just having a bad hair day ;)

Thanks again, Cliff


> If you use the Win32 installer and select the flexresp option
> in the installer it will install libnetnt.dll along with snort,
> and you will be able to use flexresp.
>
> I assume this is for use with snort since you asked the question in
> snort-users...
>
> Otherwise libnetNT for use in a program by itself can
> be gotten from the port of it at:
>
> http://www.eeye.com/html/Research/Tools/libnetnt.html
>
> cheers,
> --dr
>
> On Tue, 19 Mar 2002 20:55:45 EST
> SkatFiend () aol com wrote:
>
> > Hi all,
> >
> > Can someone point me in the right direction for install instructions for
> > LibNet on a Win2K box?????
> >
> > Thanks, Cliff
>
>
> --
> --dr                  pgpkey: http://dragos.com/dr-dursec.asc
>       CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. -
> http://cansecwest.com
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





--__--__--

Message: 4
From: "Scott Taylor" <scottt () soccer com>
Date: Thu, 21 Mar 2002 14:15:40 -0800
To: kpawloski () juno com 
Subject: Re: [Snort-users] Generating SSHD Alerts
CC: snort-users () lists sourceforge net 

You can do this one: 
Add this line to your local.rules file.

alert tcp any any -> any any (msg:"TCP traffic";)




---- Begin Original Message ----

From: kpawloski () juno com 
Sent: Tue, 19 Mar 2002 21:06:53 GMT
To: Snort-users () lists sourceforge net 
Subject: [Snort-users] Generating SSHD Alerts


OK, so I'll admit this is a newbie related question.

Right now I have one snort sensor installed behind a heavily ACL'd network so
traffic behind my firewall is rather quiet alert wise. How can I generate some
alerts on my own to make sure my rules aren't whacked? I have a bastion box
that I was thinking I can try and set off some false SSH alerts on my own.
Any ideas?

Thanks in advance.

Kevin




________________________________________________________________
GET INTERNET ACCESS FROM JUNO!
Juno offers FREE or PREMIUM Internet access for less!
Join Juno today!  For your FREE software, visit:
http://dl.www.juno.com/get/web/.



---- End Original Message ----



THERE IS ONLY ONE... 
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com 


--__--__--

Message: 5
From: "Wirth, Jeff" <WirthJe () DNB com>
To: "'Bamberger, Marc (M.A.)'" <mbamberg () visteon com>,
        "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Alert Based on MAC Address
Date: Thu, 21 Mar 2002 17:47:14 -0500

> Am I misunderstanding the content keyword or is there another way to
> accomplish this?

hmmm...I don't think snort in IDS mode can help you here.  The MAC lives in
the link-level header and the content keyword looks in the packet payload.
You may want to consider crafting something up with snort in sniffer mode
(or tcpdump) using the filter option.

i.e. # snort -v ether host <Enter your MAC here>

This would trigger output anytime snort came across a packet with the MAC in
question.

Hope this helps..

- Jeff


--__--__--

Message: 6
Date: Thu, 21 Mar 2002 18:13:15 -0500
To: "Federico Lombardo" <egopfe () hotmail com>,
   <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] in or out this is the problem!!

Both interfaces should see the packet, unless the router that routes
between your DMZ and your LAN does not allow them to pass, in which case
only the DMZ one will see the syn packet.

So if you want to see all syn's sent from the DMZ to the lan, watch on the
DMZ interface. If you want to see all syns sent from the DMZ which actually
get to the lan, watch on the lan interface.

If your router is properly configured only syn packets which are explicitly
allowed should make it from the DMZ to the LAN. Otherwise you don't really
have a very effective DMZ (one of the main points of having a DMZ is so
that a compromise of a machine there won't easily lead to a compromise of
your lan).


I'd recommend adding rules to both snort sensors and comparing.



At 02:59 PM 3/21/2002 +0100, Federico Lombardo wrote:
> I've two interfaces.
> 1) is the LAN interface
> 2) is the DMZ interface
> Each interface has a snort sensor.
>
> if I want for example log syn packets from dmz to lan... where I must put
> this rules ?
>
> in the LAN interface or in the DMZ one ?



--__--__--

Message: 7
To: markgannon () rcsis com 
Cc: Snort-users () lists sourceforge net 
Subject: Re: [Snort-users] Linux Snort Stealth Interface Help Request
From: Chris Green <cmg () sourcefire com>
Reply-To: snort-users () lists sourceforge net 
Date: Thu, 21 Mar 2002 18:33:54 -0500

"Mark Gannon" <markgannon () rcsis com> writes:

> Hello,
>
> I'm having difficulty implementing a stealth interface per Snort FAQs 3.1 and
> 3.2 on a Linux (SuSE 7.3 with kernel 2.4.14) system using a regular straight
> through cable.   I start snort and no traffic is displayed to stdout even
> though another interface on the same segment shows traffic via tcpdump.
>
> Eth1 is connected to a Netgear Dual Speed Hub (DS 106) that has a link light


Is the traffic that you are monitoring at 10 or 100. You can't do
both. I really wish the Netgear 100bt-only hub was more popular
because that's the most common problem.
-- 
Chris Green <cmg () sourcefire com>
Eschew obfuscation.



--__--__--

Message: 8
Date: Thu, 21 Mar 2002 18:39:40 -0500
To: "Bamberger, Marc (M.A.)" <mbamberg () visteon com>,
   "'snort-users () lists sourceforge net'"     
<snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Alert Based on MAC Address

As Jeff W already said, the content option of a rule looks at the
application layer content, not the headers.

you might consider using tcpdump for this purpose:

tcpdump ether src <mac address>

or run arpwatch.

Snort is major overkill for only trying to catch packets with a single,
static feature of the header. Snort is designed for applying a few hundred
different test cases (including application layer content searches) to each
packet and logging matches. Tcpdump is designed for dumping packets which
match a relatively simple header content pattern. Choose your tool that
best fits the scope of your task.

At 03:34 PM 3/21/2002 -0500, Bamberger, Marc (M.A.) wrote:
> I'm interested in tracking a PC that keeps changing its IP address by its
> MAC (Ethernet) address. I would like to write a rule that would alert
> whenever a certain MAC address appears in a packet.
>
> It looks like the content keyword only scans the data of the packet and
> doesn't match against headers. Am I misunderstanding the content keyword or
> is there another way to accomplish this?



--__--__--

Message: 9
From: "Michael Steele" <michaels () silicondefense com>
To: <snort-users () lists sourceforge net>
Cc: <SkatFiend () aol com>
Subject: RE: [Snort-users] How to install LibNetNT
Date: Thu, 21 Mar 2002 16:14:27 -0800

Try here:

http://www.securitybugware.org/libnetnt/ 

I'd be more than happy to walk you through the install if you are having
problems. If you already have your IDS setup and are just lacking this
part then there is no need to roll back and start all over.

I'm assuming that you are using FlexResp and if not then there is no
need for LibnetNT.dll to be installed.

- Michael Steele

> Hi all,
>
> Can someone point me in the right direction for install instructions for
> LibNet on a Win2K box?????
>
> Thanks, Cliff





--__--__--

Message: 10
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Date: Thu, 21 Mar 2002 19:42:00 -0500
Subject: [Snort-users] Detecting source routing packets


Hello,

I'm looking to detect source routing packets and was wondering if anyone
could assist with creating a Snort rule? I'm running Snort 1.9dev on
RHLinux7.0


Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com 
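An added example, not code from the original post or from Snort: a parser that walks the IPv4 options area and reports a loose (LSRR, type 0x83) or strict (SSRR, type 0x89) source route option, the header feature such a rule keys on, and rejects malformed option lengths instead of walking past the header. The packets are built in memory for the demo; the builder and all names are constructed.

```python
import socket
import struct
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89  # loose / strict source route, RFC 791 option codes

def parse_ip_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the IPv4 options area and return (type, body) tuples; raise on malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, out, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:  # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")  # truncated options are alert-worthy too
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def source_route(packet: bytes) -> Optional[dict]:
    """Details of an LSRR/SSRR option if one is present, else None."""
    for kind, body in parse_ip_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR) and body:
            # body = pointer byte followed by the route as 4-byte addresses
            hops = [socket.inet_ntoa(body[k:k + 4]) for k in range(1, len(body) - 3, 4)]
            return {"kind": "LSRR" if kind == IPOPT_LSRR else "SSRR",
                    "pointer": body[0], "hops": hops}
    return None

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test-packet builder (demo only): a bare IPv4 header with options."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                      0, 0, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options

# Constructed samples, not captures from the list. The LSRR option below is
# type 0x83, length 11, pointer 4, then two hop addresses.
LSRR_OPTION = b"\x83\x0b\x04" + socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2")
SAMPLE_LSRR_PACKET = build_ipv4("192.0.2.10", "198.51.100.7", LSRR_OPTION)
SAMPLE_NOP_SSRR_PACKET = build_ipv4("192.0.2.10", "198.51.100.7",
                                    b"\x01" + b"\x89\x07\x04" + socket.inet_aton("10.0.0.1"))
SAMPLE_PLAIN_PACKET = build_ipv4("192.0.2.10", "198.51.100.7")

if __name__ == "__main__":
    for name, pkt in (("lsrr", SAMPLE_LSRR_PACKET), ("nop+ssrr", SAMPLE_NOP_SSRR_PACKET),
                      ("plain", SAMPLE_PLAIN_PACKET)):
        print(name, source_route(pkt))
```

Snort's rule language exposes the same header check through the ipopts keyword (ipopts:lsrr; and ipopts:ssrr;), so a rule for this needs no content match at all.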




--__--__--

Message: 11
To: snort-users () lists sourceforge net 
Date: Thu, 21 Mar 2002 17:39:56 -0800
From: Kevin L Pawloski <kpawloski () juno com>
Subject: [Snort-users] Increasing Packet

I noticed that in both Acid and Demarc that for some Alerts only part of
the packet is captured and reported in the payload. Is there any way to
increase this size in Snort?

Thanks!

Kevin



--__--__--

Message: 12
Date: Thu, 21 Mar 2002 17:56:26 -0800 (PST)
From: lsd kuyeh <kuyehdee () yahoo com>
To: snort-users () lists sourceforge net 
Subject: [Snort-users] [Snort-users]Newbie needs help!!

Dear all users,

I shifted my SnortSnarf directory to my /var/log/snort folder and I run
snortsnarf as below and the following message appears:

[root@dee snort]# nice ./snortsnarf.pl alert portscan.log
syntax error at ./snortsnarf.pl line 155, near "}"
Execution of ./snortsnarf.pl aborted due to compilation errors.

Why does this error message appear?


Please give your opinion about this.

Regards,
Sean

__________________________________________________
Do You Yahoo!?
Yahoo! Movies - coverage of the 74th Academy Awards
http://movies.yahoo.com/


--__--__--

Message: 13
Reply-To: "Omar McKenzie" <omckenzi () nyc rr com>
From: "Omar McKenzie" <omckenzi () nyc rr com>
To: "Mike Macias" <mike.macias () caci-nsg com>,
   <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] portscans and ACID
Date: Fri, 22 Mar 2002 00:00:36 -0500
Organization: Omar McKenzie


you don't need the first output statement

  ----- Original Message -----
  From: Mike Macias
  To: snort-users () lists sourceforge net
  Sent: Tuesday, March 19, 2002 3:58 PM
  Subject: [Snort-users] portscans and ACID


  I've been looking through the snort users archive and found plenty of
  documentation on how to get ACID to see portscans.  I've finally got
  things working, however I'm a little concerned about my solution.  In
  snort.conf I have 2 output plugins specified:

  output database: log, mysql, user=snort password=abcdef dbname=snort_db host=localhost
  output database: alert, mysql, user=snort password=abcdef dbname=snort_db host=localhost (so that ACID can see portscans)

  Will having 2 outputs specified adversely affect any data in the MySQL db?




--__--__--

Message: 14
Reply-To: "Omar McKenzie" <omckenzi () nyc rr com>
From: "Omar McKenzie" <omckenzi () nyc rr com>
To: "Ryan Swenson" <Ryan.Swenson () togethersoft com>,
   <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] MySQLOutput database & No logging
Date: Fri, 22 Mar 2002 00:41:31 -0500
Organization: Omar McKenzie


----- Original Message -----
From: "Ryan Swenson" <Ryan.Swenson () togethersoft com>
To: <snort-users () lists sourceforge net>
Sent: Monday, March 18, 2002 11:29 AM
Subject: [Snort-users] MySQLOutput database & No logging


> Hello,
>
> Does anyone know how to only output to a database and avoid any or all file
> output? I do not want any alert files or files in general.

Define only one output plugin in your snort.conf.  (database plugin)

> Can Multiple sensors report to a single database?

yes

> Has anyone tried writing a backend utility to manage the Database itself.
> That is perhaps if we develop a utility which can manage an IDS database we
> can monitor for event correlation throughout a snort deployment of several
> sensors. When we for example see a bunch of useless IIS exploit attempts
> made on Apache servers in our global sensor arrangement we can through the
> utility delete all such alerts single-handingly over a number of IDS sensors
> where the alerts were found.

Take a look at ACID. It can delete alerts from the database and also archive
to another database.

> I am writing such a utility in C/C++ and Java. Need Help (Anybody have good
> Select Statements & such???) Perhaps to the developer of the Database
> Portion - if I cannot make autojoins in Mysql what are my options.
>
>
> Why didn't they develop snort to alternatively output packets & layers to a
> Database and based on the incremental counter of the DB input perform
> analysis with the detection engine, and support modular filter analysis to
> support both IDS & Network Centric routines?
>
> EG: Use Snort's incredible decoding and libpcap development to show not
> only security but real in-depth analysis of network issues. Do this within
> context of a MySQL or Oracle DB and toss the file output...!
>
> Gruesse/ Kind Regards,
> Ryan S.





--__--__--



End of Snort-users Digest

