Snort mailing list archives
RE: Snort-users digest, Vol 1 #1490 - 13 msgs
From: "Stephen Shepherd" <StephenShepherd () tac-denver com>
Date: Wed, 16 Jan 2002 09:33:48 -0700
I think you can do this with Unix ODBC, but I don't know of anyone doing it. Seems most of the nix users are logging to MySQL or PostGRES..

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net
Sent: Tuesday, January 15, 2002 21:40
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1490 - 13 msgs

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Having Snort log to a remote SQL server... (ALEX RAMS)
   2. RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet (Dan Hollis)
   3. WHy no alerts using eth0_ADDRESS? (Dr. Richard W. Tibbs)
   4. RE: WHy no alerts using eth0_ADDRESS? (Hutchinson, Andrew)
   5. RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet (Matt Kettler)
   6. Flex but no response .... (skill2die4)
   7. ICMP Fragment Reassembly time exceeded (Sheahan, Paul (PCLN-NW))
   8. Re: Flex but no response .... (Joe McAlerney)
   9. Puzzled with snort rules... (Edwin Gaton Pua, Engineer BIE,SCV)
  10. RE: Red Hat or Mandrake? (Abe L. Getchell)
  11. RE: Snort and Synflood alerts (Abe L. Getchell)
  12. Newbie Question.. (Edwin Pua)
  13. segfault caused by double free in spo_database.c (Kervin Pierre)

--__--__--

Message: 1
From: "ALEX RAMS" <alex_rams () hotmail com>
To: snort-users () lists sourceforge net
Date: Tue, 15 Jan 2002 14:13:17 -0600
Subject: [Snort-users] Having Snort log to a remote SQL server...

I have three computers using Snort in Network Intrusion Detection Mode running Linux. Yet, I'd like to have the Linux boxes running Snort log to a Windows 2000 Server box running a SQL server. The goal is to log to this central console and then run ACID through IIS. Can this be done and if so please link me in the right direction.

To anyone who helps - Thank you, in advance.

ALEX RAMS

--__--__--

Message: 2
Date: Tue, 15 Jan 2002 12:26:13 -0800 (PST)
From: Dan Hollis <goemon () anime net>
To: "Austad, Jay" <austad () marketwatch com>
cc: "'Matt Kettler'" <mkettler () evi-inc com>, "'Lars Jørgensen IT'" <Lars.Jorgensen () pol dk>, "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>, "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>
Subject: RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet

On Tue, 15 Jan 2002, Austad, Jay wrote:
> Here's a description of the probe from the help provided in the
> configuration interface for the 3dns units:
> DNS_DOT (DNS Dot) [...]
> DNS_REV (Reverse IP address lookup) [...]

The mysterious malformed packets described in incidents are neither of these. The f5 seems to be sending malformed DNS packets, and the DNS servers are responding (correctly) with a format error. Is this a bug or intentional on behalf of f5?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]

--__--__--

Message: 3
Date: Tue, 15 Jan 2002 15:37:58 -0500
From: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] WHy no alerts using eth0_ADDRESS?

I am puzzled mildly by some remarks in the snort.conf file:
....
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any

By the comments above, I am led to believe that snort will always initialize the $eth0_ADDRESS variable to the home net.
Snort has always worked "out of the shrink wrap" with no mods to snort.conf and finds eth0, my only active NIC; snort -v reports packets as usual.
However ......
In an exploration with snort, I tried

var HOME_NET $eth0_ADDRESS
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

and, when I ping another machine I get no alerts, although the snort summary output counts as many packets as ping sends & receives. (i.e., the snort output is like:

Breakdown by protocol:          Action Stats:
   ...
   ICMP: 12                     Alerts: 0
   ...
But when I use

var HOME_NET 192.168.1.0/32
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

I get the appropriate equal amounts of INs and OUTs alerted to the socket.
How come no alerts in the first case? Do I actually have to set the eth0_ADDRESS variable myself?

--__--__--

Message: 4
Subject: RE: [Snort-users] WHy no alerts using eth0_ADDRESS?
Date: Tue, 15 Jan 2002 15:08:26 -0600
From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
To: <snort-users () lists sourceforge net>
Cc: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>

I believe that the issue is this: when you use

var HOME_NET $eth0_ADDRESS

then your $HOME_NET is set to the _single_ ip address of eth0. For instance, if eth0 is 192.168.1.1/32, then snort will _only_ alert when the ICMP packet is coming from or headed to eth0 on the sensor itself. So, if your ping was from the sensor, I would expect alerts, whereas if the ping is simply passing through the sensor, the $HOME_NET is not matched and thus no alert generated.

However, when you have

var HOME_NET 192.168.1.0/24

or the like, the entire subnet is matched by $HOME_NET, and the signature is matched and an alert generated.

Hope this helps,
Andrew

Andrew Hutchinson CNE MCSE
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson () mcmail vanderbilt edu

-----Original Message-----
From: Dr. Richard W. Tibbs [mailto:ccamp () oakcitysolutions com]
Sent: Tuesday, January 15, 2002 2:38 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] WHy no alerts using eth0_ADDRESS?

I am puzzled mildly by some remarks in the snort.conf file:
....
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any

By the comments above, I am led to believe that snort will always initialize the $eth0_ADDRESS variable to the home net.
Snort has always worked "out of the shrink wrap" with no mods to snort.conf and finds eth0, my only active NIC; snort -v reports packets as usual.
However ......
In an exploration with snort, I tried

var HOME_NET $eth0_ADDRESS
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

and, when I ping another machine I get no alerts, although the snort summary output counts as many packets as ping sends & receives. (i.e., the snort output is like:

Breakdown by protocol:          Action Stats:
   ...
   ICMP: 12                     Alerts: 0
   ...

But when I use

var HOME_NET 192.168.1.0/32
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

I get the appropriate equal amounts of INs and OUTs alerted to the socket.
How come no alerts in the first case? Do I actually have to set the eth0_ADDRESS variable myself?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 5
Date: Tue, 15 Jan 2002 16:40:40 -0500
To: Dan Hollis <goemon () anime net>, "Austad, Jay" <austad () marketwatch com>
From: Matt Kettler <mkettler () evi-inc com>
Subject: RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet
Cc: "'Lars Jørgensen IT'" <Lars.Jorgensen () pol dk>, "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>, "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>

Yes, what you say is true, but if you scroll down, not only are they invalid DNS packets, they are also TCP syn packets to port 53 which contain data.

------------------------------------
digging deeper, it appears they are also using TCP:

20:30:15.070616 172.20.78.202.3000 > dns-server.53: S 1839760761:1839760825(64) win 2048
                         aaaa 0300 0000 0800 4500 0068 7985 0000
                         f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035
                         6da8 8579 0000 0000 5002 0800 f842 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
-------------------------------

At 12:26 PM 1/15/2002 -0800, Dan Hollis wrote:
> On Tue, 15 Jan 2002, Austad, Jay wrote:
> > Here's a description of the probe from the help provided in the
> > configuration interface for the 3dns units:
> > DNS_DOT (DNS Dot) [...]
> > DNS_REV (Reverse IP address lookup) [...]
>
> The mysterious malformed packets described in incidents are neither of these. The f5 seems to be sending malformed DNS packets, and the DNS servers are responding (correctly) with a format error. Is this a bug or intentional on behalf of f5?
>
> -Dan
> --
> [-] Omae no subete no kichi wa ore no mono da. [-]
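The single-address versus subnet behaviour Andrew describes in message 4 can be reproduced outside Snort. The C below is an added example, not Snort's own code: it parses a HOME_NET value in Snort's host or CIDR form (the square-bracket list form is not handled), then evaluates Richard's two ICMP rules against constructed packets. The addresses are assumptions: 192.168.1.1 for the sensor's eth0, 192.168.1.5 and 192.168.1.9 for two other LAN hosts, 10.0.0.1 for an outside host. Each rule is tested on its own, so one packet can match both; Snort's rule ordering is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A Snort-style address spec: "any", a host "192.168.1.1", or CIDR "192.168.1.0/24". */
typedef struct { uint32_t net; uint32_t mask; int any; } addr_spec;

/* Dotted quad to a host-order 32-bit value; returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

int parse_addr_spec(const char *spec, addr_spec *out) {
    char buf[32];
    memset(out, 0, sizeof *out);
    if (strcmp(spec, "any") == 0) { out->any = 1; return 1; }
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    int bits = 32;                        /* a bare address is a single host, like $eth0_ADDRESS */
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        bits = atoi(slash + 1);
        if (bits < 0 || bits > 32) return 0;
    }
    if (!parse_ipv4(buf, &out->net)) return 0;
    out->mask = bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);
    out->net &= out->mask;                /* 192.168.1.7/24 means the 192.168.1.0/24 block */
    return 1;
}

int addr_matches(const addr_spec *s, uint32_t ip) {
    return s->any || (ip & s->mask) == s->net;
}

/* Convenience for building test packets. */
uint32_t ip4(const char *s) { uint32_t v = 0; parse_ipv4(s, &v); return v; }

/* Evaluate Richard's two rules against one ICMP packet (src -> dst) under a HOME_NET spec.
   Bit 0: "OUT" fired, bit 1: "IN" fired; -1 if the spec does not parse. */
int eval_ping(const char *home_net, uint32_t src, uint32_t dst) {
    addr_spec home, any;
    if (!parse_addr_spec(home_net, &home)) return -1;
    parse_addr_spec("any", &any);
    int hits = 0;
    if (addr_matches(&home, src) && addr_matches(&any, dst)) hits |= 1;  /* alert icmp $HOME_NET any -> any any (msg:"OUT";) */
    if (addr_matches(&any, src) && addr_matches(&home, dst)) hits |= 2;  /* alert icmp any any -> $HOME_NET any (msg:"IN";) */
    return hits;
}

int main(void) {
    /* Constructed scenario: a ping between two LAN hosts passes the sensor whose eth0 is 192.168.1.1. */
    const char *sensor_only = "192.168.1.1/32", *whole_lan = "192.168.1.0/24";
    printf("HOME_NET=%s  192.168.1.5 -> 192.168.1.9: hits=%d\n", sensor_only,
           eval_ping(sensor_only, ip4("192.168.1.5"), ip4("192.168.1.9")));
    printf("HOME_NET=%s  192.168.1.5 -> 192.168.1.9: hits=%d\n", whole_lan,
           eval_ping(whole_lan, ip4("192.168.1.5"), ip4("192.168.1.9")));
    return 0;
}
```

With the /32 spec the pass-through ping matches neither rule, which is the silence Richard saw; a ping sent from the sensor itself matches "OUT", and with the /24 spec a ping between two LAN hosts matches both rules, so the rule ordering in snort.conf decides which alert is seen.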
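The tcpdump line Matt quotes in message 5 is enough to check both of his observations (a SYN to port 53, and data in that SYN) mechanically. The C below is an added example, not code from Snort or from anyone in the thread: it turns the hex dump as shown above into bytes, reads the IPv4 and TCP headers, and takes the payload length from the IP total length rather than from how many bytes were captured, so a snaplen-truncated dump still gives the right answer. Two assumptions: the leading eight bytes (aa aa 03 00 00 00 08 00) are treated as an 802.2 LLC/SNAP header in front of IP, and the "data in TCP SYN" condition is my reading (SYN set, ACK clear, non-empty segment), not the exact text of the Snort rule.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The tcpdump -x output from the thread, copied as shown above. */
const char *CAPTURE =
    "aaaa 0300 0000 0800 4500 0068 7985 0000 "
    "f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035 "
    "6da8 8579 0000 0000 5002 0800 f842 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000 0000";

#define LINK_HDR 8   /* assumption: AA AA 03 00 00 00 08 00 is 802.2 LLC/SNAP carrying IP */

typedef struct {
    uint32_t src, dst;
    uint16_t sport, dport, ip_len, ip_id;
    uint8_t  proto, flags;
    int payload_len;        /* from the IP total length minus both headers */
    int captured_payload;   /* how many of those bytes are actually in the dump */
    int payload_all_zero;   /* judged over the captured bytes only */
} tcp_summary;

/* "aabb ccdd ..." -> bytes. Returns the byte count, or -1 on a non-hex character or odd digit count. */
int hex_to_bytes(const char *hex, uint8_t *out, size_t max) {
    size_t n = 0; int hi = -1;
    for (; *hex; hex++) {
        unsigned char c = (unsigned char)*hex;
        if (isspace(c)) continue;
        int v = isdigit(c) ? c - '0' : (isxdigit(c) ? tolower(c) - 'a' + 10 : -1);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= max) return -1;
        out[n++] = (uint8_t)(hi << 4 | v);
        hi = -1;
    }
    return hi < 0 ? (int)n : -1;
}

/* Extract the fields that matter for the thread from one IPv4/TCP packet.
   Returns 0 if the buffer is not IPv4/TCP or is too short to hold both headers. */
int summarize_tcp(const uint8_t *p, int n, tcp_summary *s) {
    memset(s, 0, sizeof *s);
    if (n < LINK_HDR + 20) return 0;
    const uint8_t *ip = p + LINK_HDR;
    if ((ip[0] >> 4) != 4) return 0;
    int ihl = (ip[0] & 0x0f) * 4;
    s->ip_len = (uint16_t)(ip[2] << 8 | ip[3]);
    s->ip_id  = (uint16_t)(ip[4] << 8 | ip[5]);
    s->proto  = ip[9];
    s->src = (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 | (uint32_t)ip[14] << 8 | ip[15];
    s->dst = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | (uint32_t)ip[18] << 8 | ip[19];
    if (s->proto != 6 || ihl < 20 || n < LINK_HDR + ihl + 20) return 0;
    const uint8_t *tcp = ip + ihl;
    s->sport = (uint16_t)(tcp[0] << 8 | tcp[1]);
    s->dport = (uint16_t)(tcp[2] << 8 | tcp[3]);
    int doff = (tcp[12] >> 4) * 4;
    s->flags = tcp[13];
    s->payload_len = (int)s->ip_len - ihl - doff;
    if (s->payload_len < 0) s->payload_len = 0;
    int avail = n - LINK_HDR - ihl - doff;
    s->captured_payload = avail < s->payload_len ? avail : s->payload_len;
    if (s->captured_payload < 0) s->captured_payload = 0;
    s->payload_all_zero = 1;
    for (int i = 0; i < s->captured_payload; i++)
        if (tcp[doff + i] != 0) { s->payload_all_zero = 0; break; }
    return 1;
}

/* My reading of the condition behind "BAD TRAFFIC data in TCP SYN packet":
   SYN set, ACK clear, and a non-empty segment. */
int data_in_syn(const tcp_summary *s) {
    return (s->flags & 0x12) == 0x02 && s->payload_len > 0;
}

/* Decode a dump and summarise it; returns the byte count or -1. */
int analyze_capture(const char *hex, tcp_summary *s) {
    uint8_t buf[2048];
    int n = hex_to_bytes(hex, buf, sizeof buf);
    if (n < 0 || !summarize_tcp(buf, n, s)) return -1;
    return n;
}

int main(void) {
    tcp_summary s;
    int n = analyze_capture(CAPTURE, &s);
    if (n < 0) { puts("not a parsable IPv4/TCP dump"); return 1; }
    printf("%d bytes: %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x payload=%d (captured %d, all zero: %d) data in SYN: %s\n",
           n, s.src >> 24, (s.src >> 16) & 255, (s.src >> 8) & 255, s.src & 255, s.sport,
           s.dst >> 24, (s.dst >> 16) & 255, (s.dst >> 8) & 255, s.dst & 255, s.dport,
           s.flags, s.payload_len, s.captured_payload, s.payload_all_zero, data_in_syn(&s) ? "yes" : "no");
    return 0;
}
```

On the quoted packet this reports 172.20.78.202:3000 -> 192.168.16.4:53, flags 0x02 (SYN only), IP total length 104 and therefore a 64-byte payload, matching the "(64)" in the tcpdump summary line, with every captured payload byte zero. A DNS message over TCP starts with a two-byte length prefix, so an all-zero payload is not a well-formed query either, which is consistent with the malformed DNS traffic Dan describes.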
--__--__--

Message: 6
From: "skill2die4" <skill2die4 () yahoo com>
To: <snort-users () lists sourceforge net>
Date: Tue, 15 Jan 2002 17:28:50 -0500
Subject: [Snort-users] Flex but no response ....

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort and related utilities version numbers :
libnet-1.0.2a-1snort.i386.rpm
libnet.tar.gz (1.0.2a)
libpcap (0.6)
snort -1.8.3 (built 88) [configured option=flexResp]
snort-plain+flexresp.1.8.3-5-i386.rpm
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

scenario :
-----------
10.0.0.3 --- pings to ---> 10.0.0.3

rule file ::
--------------
flexRESP.rules
alert icmp 10.0.0.3 any ---> any any (msg:"Not allowed";resp:icmp_host;)

snort activation
-------------------
snort -A full -c flexRESP.rules

Observation
-------------
a. snort initialization reads --> 1 snort rules read .... 1 option chain linked into 1 chain header 0 dynamic rules
b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2; snort only WRITES to the ALERT file

I tried using the REACT with "TCP && BLOCK , MSG" options and telnet from 10.0.0.3; the connect was refused ... however I didn't get any VISIBLE BLOCK MESSAGE from the other side.

--__--__--

Message: 7
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Date: Tue, 15 Jan 2002 17:52:59 -0500
Subject: [Snort-users] ICMP Fragment Reassembly time exceeded

Hello,

In my Snort logs I am seeing "ICMP Fragment Reassembly time exceeded" on a daily basis being sent as a response from our web servers to random clients on the Internet. I am running Snort Version 1.8.1-RELEASE (Build 78) under Red Hat Linux 7.0. Can anyone tell me or point me in the right direction on how a client is able to force a web server to respond with this ICMP message?

I assume it is a means of a client gathering information from a server but want to get more information.

Thanks!
Paul

--__--__--

Message: 8
Date: Tue, 15 Jan 2002 15:22:04 -0800
From: Joe McAlerney <joey () SiliconDefense com>
To: skill2die4 <skill2die4 () yahoo com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Flex but no response ....

You might want to try sniffing the line with tcpdump or snort -v to see if the spoofed ICMP message is actually being sent. Most people using flex resp on a speedy network (i.e., one that does not have the latency inherent on the Internet) will find that while the spoofed packet is being created, the actual one makes it back to the sender. There's more on this in the archives.

HTH,

-Joe M.

-- 
Joe McAlerney  Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

skill2die4 wrote:
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> snort and related utilities version numbers :
> libnet-1.0.2a-1snort.i386.rpm
> libnet.tar.gz (1.0.2a)
> libpcap (0.6)
> snort -1.8.3 (built 88) [configured option=flexResp]
> snort-plain+flexresp.1.8.3-5-i386.rpm
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> scenario :
> -----------
> 10.0.0.3 --- pings to ---> 10.0.0.3
>
> rule file ::
> --------------
> flexRESP.rules
> alert icmp 10.0.0.3 any ---> any any (msg:"Not allowed";resp:icmp_host;)
>
> snort activation
> -------------------
> snort -A full -c flexRESP.rules
>
> Observation
> -------------
> a. snort initialization reads --> 1 snort rules read .... 1 option chain linked into 1 chain header 0 dynamic rules
> b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2; snort only WRITES to the ALERT file
>
> I tried using the REACT with "TCP && BLOCK , MSG" options and telnet from 10.0.0.3; the connect was refused ... however I didn't get any VISIBLE BLOCK MESSAGE from the other side.
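Paul's question in message 7 (how a client makes a web server send "Fragment Reassembly time exceeded") comes down to a rule in RFC 792: a host that has held fragment zero of a datagram until its reassembly timer runs out, without receiving the rest, may send ICMP Time Exceeded code 1 back to the source; if fragment zero never arrived, it sends nothing. So a single first fragment with MF set that is never followed by the remaining fragments, whether from a scanner or from a path that loses fragments, elicits exactly that message after the timeout. The C below is an added example, not from the thread or from Snort: a toy reassembly table that applies that rule to constructed fragment records. The 30 s timer is an assumption (it is the Linux default), overlapping and duplicate fragments are not handled, and offsets are in 8-byte units as on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One IP fragment as the receiving host sees it (constructed records, not a capture). */
typedef struct { double t; uint32_t src; uint16_t id; uint16_t offset; int mf; uint16_t len; } frag;

/* An ICMP Time Exceeded, code 1 (fragment reassembly time exceeded), that the host would emit. */
typedef struct { double t; uint32_t to; uint16_t id; } icmp_time_exceeded;

#define MAX_ENTRIES 32
#define MAX_ICMP 32

typedef struct {
    int used; uint32_t src; uint16_t id; double first_seen;
    int have_zero;                  /* the offset-0 fragment has arrived */
    int have_last;                  /* the MF=0 fragment has arrived, which fixes the total length */
    uint32_t total_len, got_bytes;  /* simplified: overlaps and duplicates are not handled */
} reass_entry;

typedef struct {
    double timeout;
    reass_entry tab[MAX_ENTRIES];
    icmp_time_exceeded out[MAX_ICMP];
    int nout;
} reassembler;

void reass_init(reassembler *r, double timeout) { memset(r, 0, sizeof *r); r->timeout = timeout; }

/* Expire incomplete datagrams whose timer has run out by `now`. The RFC 792 rule: send
   Time Exceeded code 1 only when fragment zero was received; otherwise stay silent. */
void reass_expire(reassembler *r, double now) {
    for (int i = 0; i < MAX_ENTRIES; i++) {
        reass_entry *e = &r->tab[i];
        if (!e->used || now < e->first_seen + r->timeout) continue;
        if (e->have_zero && r->nout < MAX_ICMP) {
            icmp_time_exceeded m = { e->first_seen + r->timeout, e->src, e->id };
            r->out[r->nout++] = m;
        }
        e->used = 0;
    }
}

/* Feed one fragment; returns 1 when it completes a datagram, 0 otherwise. */
int reass_feed(reassembler *r, const frag *f) {
    reass_expire(r, f->t);
    reass_entry *e = NULL, *slot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        reass_entry *c = &r->tab[i];
        if (c->used && c->src == f->src && c->id == f->id) { e = c; break; }
        if (!c->used && !slot) slot = c;
    }
    if (!e) {
        if (!slot) return 0;   /* table full; a real stack drops the fragment too */
        e = slot;
        memset(e, 0, sizeof *e);
        e->used = 1; e->src = f->src; e->id = f->id; e->first_seen = f->t;
    }
    if (f->offset == 0) e->have_zero = 1;
    if (!f->mf) { e->have_last = 1; e->total_len = (uint32_t)f->offset * 8 + f->len; }
    e->got_bytes += f->len;
    if (e->have_zero && e->have_last && e->got_bytes >= e->total_len) { e->used = 0; return 1; }
    return 0;
}

int main(void) {
    reassembler r;
    reass_init(&r, 30.0);
    frag first_only = { 0.0, 0x0a000001u, 7, 0, 1, 1480 };   /* 10.0.0.1 sends fragment zero and nothing else */
    reass_feed(&r, &first_only);
    reass_expire(&r, 31.0);                                  /* the timer fires; one Time Exceeded goes back */
    printf("time exceeded messages sent: %d\n", r.nout);
    return 0;
}
```

Read the other way round, each such ICMP message in Paul's logs says that the web server received a first fragment from that client and then waited 30 s for fragments that never came, which is worth correlating against the fragmented traffic Snort saw from the same source.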
--__--__--

Message: 9
From: "Edwin Gaton Pua, Engineer BIE,SCV" <EDWIN () scv com sg>
To: hoagland () SiliconDefense com
Cc: snort-users () lists sourceforge net
Date: Wed, 16 Jan 2002 09:55:18 +0800
Subject: [Snort-users] Puzzled with snort rules...

Hi,

I've installed the snort-1.8.3-5.i386.rpm into my RH7.2 box as my ID sensor and it works so far when I ran commands in sniffer and packet logger mode (with the -dv and -l switches). It shows the real time packets and logged them into the /var/log/snort directory. But I want to run snort in NIDS mode and I am just puzzled on how to configure my snort.conf to communicate with the default snort rules located in /etc/snort/ddos.rules, /etc/snort/exploit.rules, etc... do you have a sample config of snort.conf that communicates properly with snort rules?

Grateful to your response.

Regards,
Edwin
--__--__--

Message: 10
Reply-To: <abegetchell () home com>
From: "Abe L. Getchell" <abegetchell () home com>
To: "'Erek Adams'" <erek () theadamsfamily net>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Red Hat or Mandrake?
Date: Tue, 15 Jan 2002 22:39:10 -0500
Organization: -
> Hello Abe! Glad to see you're still alive and kickin'!

Hey Erek! Yeah, still alive and kickin', just been lurking for the last month or so. Time is scarce these days between work, working out, and spending time with my girlfriend. Can't say I mind though, at least about the latter! 8D

> *cough* *cough* I'm sorry, I couldn't hear that, I've got a security hole in my RPMs. ;-)

D'oh! =D

> <snip> "Use the _best_ OS for the job." <snip>

This is _the best_ advice someone could take when trying to decide on what OS to run Snort. Use what you know _you_ (or your client) can manage, secure, and squeeze all the performance out of... unless of course it's Solaris x86. I'm kidding! I'm kidding! ;-)

Thanks,
Abe

-- 
Abe L. Getchell
Security Engineer
abegetchell () home com

--__--__--

Message: 11
Reply-To: <abegetchell () home com>
From: "Abe L. Getchell" <abegetchell () home com>
To: "'Scott Teeters Jr'" <steeters () microsolved com>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort and Synflood alerts
Date: Tue, 15 Jan 2002 22:59:02 -0500
Organization: -

Hi Scott!

Well, since a SYN is a SYN is a SYN, there's really no way of saying that one SYN packet is part of a SYN flood attack and one isn't. There _are_ special characteristics you'll see _occasionally_ with poorly written SYN flood DoS and DDoS software such as a static IP identification number, a static source port, a static TCP sequence number, or even data on the SYN (which is discussed in a different capacity in another thread on the list right now); I've seen all of these in the wild. Snort has all the rules you need to detect the control channels for the zombie processes which generate the DoS packets, but Snort really can't tell you if you're experiencing a SYN flood. It seems that the portscan preprocessor could be pretty easily modified to allow it to detect X number of SYN packets, instead of packets to X number of ports, in a specified amount of time. Kind of sort of a SYN flood packet rate detector type thingy. I might just have to add this to the list of projects I'll never get time to complete... <sigh>

Thanks,
Abe

-- 
Abe L. Getchell
Security Engineer
abegetchell () home com
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scott Teeters Jr
Sent: Tuesday, January 15, 2002 11:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Synflood alerts

I am working on implementing Snort as our de facto IDS. One of the items my manager wants to see is our synflood activity. Synfloods have been a pain in our side in the past and we want to be able to break out the synflood activity as a separate item in our reporting. I need to know if anyone has seen a Snort signature that specifically targets synfloods?

Thanks,
Scott Teeters, Jr.
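Abe's sketch in message 11 (count SYNs to one destination inside a time window, and look for the static IP id, source port or sequence number that crude flood tools leave behind) is small enough to write out. The C below is an added example, not the portscan preprocessor or any other Snort code: it walks a time-ordered list of packet headers with a sliding window and fires on the packet that brings the count of bare SYNs to a destination over the threshold, then reports which fields were constant across those SYNs. The traffic is constructed: five ordinary connection attempts over ten seconds to 10.1.1.80, followed by a flood of 50 SYNs in half a second with a fixed IP id and source port.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYN 0x02
#define ACK 0x10
#define MAX_PKTS 512

/* One packet header as a detector would see it (constructed records, not a capture). */
typedef struct {
    double t; uint32_t src, dst; uint16_t sport, dport, ip_id; uint32_t seq; uint8_t flags;
} pkt;

typedef struct { double window; int threshold; } syn_cfg;

typedef struct {
    int alerted; double at; int count;
    int static_id, static_sport, static_seq;   /* every SYN in the window shares the field */
} syn_verdict;

/* Count bare SYNs (SYN set, ACK clear) aimed at `dst` inside a sliding window of
   cfg.window seconds. Fires once, on the packet that reaches cfg.threshold, and
   reports whether the SYNs in that window share an IP id, source port or sequence number. */
syn_verdict detect_syn_flood(const pkt *p, int n, uint32_t dst, syn_cfg cfg) {
    syn_verdict v; memset(&v, 0, sizeof v);
    int syns[MAX_PKTS]; int head = 0, tail = 0;      /* indices of SYNs still inside the window */
    if (n > MAX_PKTS) n = MAX_PKTS;
    for (int i = 0; i < n; i++) {
        if (p[i].dst != dst || (p[i].flags & (SYN | ACK)) != SYN) continue;
        syns[tail++] = i;
        while (head < tail && p[syns[head]].t < p[i].t - cfg.window) head++;   /* evict SYNs older than the window */
        if (tail - head < cfg.threshold) continue;
        v.alerted = 1; v.at = p[i].t; v.count = tail - head;
        v.static_id = v.static_sport = v.static_seq = 1;
        const pkt *first = &p[syns[head]];
        for (int k = head; k < tail; k++) {
            const pkt *q = &p[syns[k]];
            if (q->ip_id != first->ip_id) v.static_id = 0;
            if (q->sport != first->sport) v.static_sport = 0;
            if (q->seq != first->seq) v.static_seq = 0;
        }
        return v;
    }
    return v;
}

/* Constructed traffic: five ordinary connection attempts spread over ten seconds, then a
   flood tool firing 50 SYNs in half a second with a fixed IP id and source port. */
int build_sample(pkt *out, int max) {
    const uint32_t victim = 0x0a010150u;   /* 10.1.1.80 */
    int n = 0;
    for (int k = 0; k < 5 && n < max; k++) {
        pkt q = { 2.0 * k, 0xc0a80001u + k, victim, (uint16_t)(40000 + k), 80, (uint16_t)(100 + k), 0x1000u * (k + 1), SYN };
        out[n++] = q;
    }
    for (int k = 0; k < 50 && n < max; k++) {
        pkt q = { 10.0 + 0.01 * k, 0x0b000000u + k, victim, 1234, 80, 0x1234, 0x9e3779b9u * (k + 1), SYN };
        out[n++] = q;
    }
    return n;
}

int main(void) {
    pkt sample[MAX_PKTS];
    int n = build_sample(sample, MAX_PKTS);
    syn_cfg cfg = { 1.0, 20 };
    syn_verdict v = detect_syn_flood(sample, n, 0x0a010150u, cfg);
    if (v.alerted)
        printf("SYN flood: %d SYNs within %.1fs at t=%.2f (static id=%d sport=%d seq=%d)\n",
               v.count, cfg.window, v.at,
               v.static_id, v.static_sport, v.static_seq);
    else
        puts("no SYN flood");
    return 0;
}
```

With a window of one second and a threshold of 20 the detector fires on the twentieth flood packet and reports a constant IP id and source port but a varying sequence number; with a ten-second window and a threshold of five the five ordinary connection attempts trip it too, which is the tuning problem behind Abe's remark that a SYN is a SYN.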
--__--__--

Message: 12
From: "Edwin Pua" <edwin1118 () hotmail com>
To: bmc () snort org, snort-users () lists sourceforge net
Date: Wed, 16 Jan 2002 04:11:28 +0000
Subject: [Snort-users] Newbie Question..

Hi,

How will I enable my snort rules to communicate with the snort.conf file and run in NIDS mode? I edited my snort.conf file to call my snort rules under /etc/snort/ddos.rules, /etc/snort/porn.rules, etc. The default before in the snort.conf file is without the /etc/snort path. Is this right to enable my snort rules?

# under /etc/snort/snort.conf
include /etc/snort/bad-traffic.rules
include /etc/snort/ddos.rules
include /etc/snort/porn.rules

Thanks in advance.

rgds,
Edwin

--__--__--

Message: 13
Date: Tue, 15 Jan 2002 23:44:22 -0500
From: Kervin Pierre <kpierre () fit edu>
To: snort-users () lists sourceforge net
Subject: [Snort-users] segfault caused by double free in spo_database.c

Hi,

I'm not a snort programmer but, it seems you have a double free in spo_database.c ( snort 1.8.3 )

In the listing below, if sig_id is 0, select0 is going to be free'ed twice, line 748 and line 751. This has crashed snort a few times on my box.

-Kervin

#1  0x0805fd32 in Database (p=0xbfffef70, msg=0x85735c8 "MISC Large UDP Packet", arg=0x81b8868, event=0x8573394) at spo_database.c:751
751         free(select0);
(gdb) l
746         if(sig_id == 0)
747         {
748             free(select0);
749             ErrorMessage("database: Problem inserting a new signature '%s'\n", msg);
750         }
751         free(select0);
752
753         /* add the external rule references */
754         if(otn_tmp)
755         {

-- 
http://linuxquestions.org/ - Ask linux questions, give linux help.
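The control flow Kervin quotes can be exercised without corrupting the heap by swapping in an instrumented free. The C below is an added example, not Snort's code: `insert_signature_buggy` keeps the shape of the quoted listing (the error branch frees select0 and then falls through to the unconditional free of the same pointer), `insert_signature_fixed` frees exactly once on every path, and `checked_free` counts a second free instead of passing it to the allocator. The query text and the signature lookup are stand-ins, and the fix shown is one reasonable correction, not necessarily the one the project applied.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented free: a second free of the same pointer is counted instead of handed to
   the allocator, so the buggy control flow can be run safely. Nulling the pointer after
   free is what makes the second call detectable. */
static int double_free_hits;

static void checked_free(char **pp) {
    if (*pp == NULL) { double_free_hits++; return; }
    free(*pp);
    *pp = NULL;
}

/* Stand-in for the signature lookup/insert of the real code; 0 means the insert failed. */
static unsigned lookup_sig_id(int db_fails) { return db_fails ? 0u : 17u; }

/* Same shape as the 1.8.3 listing quoted above: the error branch frees select0 and
   then falls through to the unconditional free of the same pointer. */
unsigned insert_signature_buggy(const char *msg, int db_fails) {
    char *select0 = malloc(256);
    if (!select0) return 0;
    snprintf(select0, 256, "signature lookup for '%s'", msg);   /* stand-in for the real query text */
    unsigned sig_id = lookup_sig_id(db_fails);
    if (sig_id == 0)
    {
        checked_free(&select0);
        fprintf(stderr, "database: Problem inserting a new signature '%s'\n", msg);
    }
    checked_free(&select0);   /* second free whenever sig_id == 0 */
    return sig_id;
}

/* One reasonable fix, not necessarily the one the project applied: leave on the error
   path, so that every path frees select0 exactly once. */
unsigned insert_signature_fixed(const char *msg, int db_fails) {
    char *select0 = malloc(256);
    if (!select0) return 0;
    snprintf(select0, 256, "signature lookup for '%s'", msg);
    unsigned sig_id = lookup_sig_id(db_fails);
    if (sig_id == 0)
    {
        fprintf(stderr, "database: Problem inserting a new signature '%s'\n", msg);
        checked_free(&select0);
        return 0;
    }
    checked_free(&select0);
    return sig_id;
}

/* Run one variant against a failing or a working "database" and report the double frees seen. */
int count_double_frees(unsigned (*variant)(const char *, int), int db_fails) {
    double_free_hits = 0;
    variant("MISC Large UDP Packet", db_fails);
    return double_free_hits;
}

int main(void) {
    printf("buggy, insert fails: %d double free(s)\n", count_double_frees(insert_signature_buggy, 1));
    printf("buggy, insert works: %d double free(s)\n", count_double_frees(insert_signature_buggy, 0));
    printf("fixed, insert fails: %d double free(s)\n", count_double_frees(insert_signature_fixed, 1));
    return 0;
}
```

The bug only shows when the insert fails, which is why it surfaced as an occasional crash rather than on every event; the free-then-NULL discipline in `checked_free` is also a cheap way to turn a double free into a detectable no-op in code you cannot restructure.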
--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest