Snort mailing list archives

unsubscribe


From: Francois Le Bec <flebec () unis org>
Date: Tue, 2 Apr 2002 16:04:31 -0500



-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, April 02, 2002 3:48 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1751 - 8 msgs


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Snort Solaris 8 with quad card (Chris Frazier - PA)
   2. RE: how to upgrade to schema 105? (Kreimendahl, Chad J)
   3. Re: OT: Deciphering log entry(iptables) (Matt Kettler)
   4. Re: configure --with-mysql= ? (___cliff rayman___)
   5. Re: Snort Working Mechanism (Scott Nursten)
   6. Re: Snort Solaris 8 with quad card (Erek Adams)
   7. Re: configure --with-mysql= ? (Jason Yates)
   8. Re: OT: Deciphering log entry(iptables) (Chris Green)

--__--__--

Message: 1
From: Chris Frazier - PA <Chris_Frazier () GMACM COM>
To: snort-users () lists sourceforge net
Date: Tue, 2 Apr 2002 13:35:00 -0500 
Subject: [Snort-users] Snort Solaris 8 with quad card


Greetings,
I have Snort running on a Ultra 5 with Solaris 8.  I bring up interfaces
qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
have Snort listen on those interfaces using separate commands:

snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3

When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
nothing.  If I kill the snort running on qfe3, and just do a tcpdump -i
qfe3, and run the scans again, I see the traffic.

So am I doing something completely wrong, or am I trying to do something
that is not possible?

Any help is greatly appreciated.

Thanks
Chris




--__--__--

Message: 2
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: "'Michael Scheidell'" <scheidell () secnap net>,
   snort-users () lists sourceforge net
Subject: RE: [Snort-users] how to upgrade to schema 105?
Date: Tue, 2 Apr 2002 12:49:48 -0600 


No changes were made from 104 to 105 in MySQL...  All that's necessary is to
change vseq from 104 to 105 in the 'schema' table.

-----Original Message-----
From: Michael Scheidell [mailto:scheidell () secnap net] 
Sent: Saturday, March 30, 2002 10:01 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] how to upgrade to schema 105?


Ok, must have been asleep at the switch.
How do I upgrade an existing mysql schema (104) to 105?
I would prefer to keep the existing data.

--
Michael Scheidell
SECNAP Network Security, LLC



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 3
Date: Tue, 02 Apr 2002 13:54:33 -0500
To: "Scott Taylor" <scottt () soccer com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] OT: Deciphering log entry(iptables)

You said there was no outbound syn packet.. but in this case I suspect 
there would be an *inbound* syn...

This would appear that someone tried to connect to a webserver on your 
machine, and your machine responded with a reset since it was not running
one.

This is extraordinarily common due to the number of web-server infecting 
worms floating around.

typical expected sequence to generate this:

someone:someport -> you:80 syn

you:80 -> someone:someport rst   - "get lost buddy."


or possibly:

someone_running_portscanners:someport -> you:80   (no flags, fake fin/ack,
or an xmas tree)

you:80 -> someone:someport rst   - "get lost buddy."

Of course what kinds of traffic would generate a RST instead of an ICMP 
error message will vary with how you have iptables configured.


At 09:24 AM 4/2/2002 -0800, you wrote:
> This isn't related to snort (yet) I haven't
> installed it on this network. I was going
> through my log files on this firewall and have a
> ton (literally) of this entry. The only thing
> that changes is the destination ip's last two
> octets. eth0 is the external interface. There is
> no initiating SYN packet outbound. (that I know
> of; need to run tcpdump on it for a bit)
> Has anyone seen this or know what it may be
> related to?
>
> Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0
> SRC=aa.bb.cc.ddd(me) DST=aa.bb.ee.ff(them)
> LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
> PROTO=TCP SPT=80 DPT=2418 WINDOW=0
> RES=0x00 ACK RST URGP=0
>
> Cheers,
>   Scott
>
> Oh yea, I think this is good for a drink or
> possibly two.
>
> THERE IS ONLY ONE...
> SOCCER.COM, The Center of the Soccer Universe
> http://www.soccer.com




--__--__--

Message: 4
Date: Tue, 02 Apr 2002 11:09:02 -0800
From: ___cliff rayman___ <cliff () genwax com>
Organization: general wax, inc.
To: John Sage <jsage () finchhaven com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] configure --with-mysql= ?

John Sage wrote:

> In /usr/local/snort-1.8.4/ I say:
>
>  ./configure --with-mysql=/usr/include/mysql/
>
> or I say:
>
>  ./configure --with-mysql=/usr/include/mysql
>
> and I get "checking for mysql... no"

on my system, i entered:
--with-mysql=/usr/libexec/

that is the location of my mysql daemon, not the header file.
i think if you do a:
./configure --help | less

you will see some switches that ask for header file locations and
they have a different format.  i know i confused this when i built
php for acid, which had the same switch, but with a different usage.
go figure or rather go configure.  ;-)


--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/




--__--__--

Message: 5
Date: Tue, 02 Apr 2002 19:09:57 +0100
Subject: Re: [Snort-users] Snort Working Mechanism
From: Scott Nursten <scottn () s2s ltd uk>
To: Sonika Malhotra <sonikam () magnum barc ernet in>,
   Snort <snort-users () lists sourceforge net>

Answers inline:

> 1. I believe Stealth mode scan is a type of slow scan say 1 port/hr. how
> does snort manage to find out such types of scans.

Snort will detect these attacks if YOU configure it to. This would be done
by defining the right *NET statements and configuring rules that catch TCP
SYN or UDP packets to any ports OTHER than legit. publicly accessible ports
on your network. Log it into a database, use ACID and a little event
correlation and tadah - stealth portscan capture...!

Remember, a computer is just a high speed idiot :)

> 2. the logging facility of snort ie
>        snort -dev -l /var/log/snort --doesn't see any rule file , so
> will this log 'ALL' the packets on the network completely.?

From what I see in the help, yes. Let's go through it shall we?

        -d         Dump the Application Layer
        -e         Display the second layer header info
        -v         Be verbose
        -l <ld>    Log to directory <ld>

Now, I'm on a train, so I can't really test it, but I'm pretty sure that

A) it will be verbose and display all the packets (including application and
second layer info) to STDOUT
B) it will also log it all into the <ld> directory.

> 3. I have found that in NIDS mode ie
>        snort -deD -l /var/log/snort -c /etc/snort.conf
>        logs only part of complete data.ie maybe the current
> packet.What if i want to log "everything " if attack is found.
> i have gone thru the log-documents.plz clear these points.

Ehheh, well, for a start, take a look at the stream4 preprocessor. Having
said that, I'm pretty sure it doesn't log the whole stream. I haven't looked
into this in more depth, but a quick 'grep stream4' in the snort-1.8.4 dir
revealed 

* added new config keyword to stream4, "log_flushed_streams", which causes
all buffered packets in the stream reassembler for that session to be logged
in the event of an event on that stream (must be used in conjunction with
spo_log_tcpdump)

So, I guess  that'll sort it...! If it doesn't, then use tcpdump in
conjunction with it and throw man-hours at it...! :)

HTH, 

Scott 
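The "event correlation" step Scott hands off to ACID, as an added example that is not from the thread and not part of Snort or ACID: alerts from a "SYN to a non-public port" rule are reduced to (timestamp, source, destination port) tuples and correlated over a long window, so a source probing one port per hour still crosses the threshold. PUBLIC_PORTS, the sample events, and the window and threshold values are all assumptions made for the example.

```python
"""Long-window correlation of 'SYN to a non-public port' events (added
example; not from the thread, Snort or ACID).  Events are constructed, in the
shape a database-logged alert reduces to: (timestamp, src_ip, dst_port)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the ports this site legitimately exposes.  Everything else is
# what the *NET / rule setup described in the reply would alert on.
PUBLIC_PORTS = {25, 80, 443}

DAY = timedelta(hours=24)
MINUTE = timedelta(minutes=1)

# Constructed events: 203.0.113.50 probes one closed port per hour (the
# "1 port/hr" scan from the question); 198.51.100.9 is a normal web client
# that once touched a stray port.
EVENTS = [
    ("2002-04-02 00:05:00", "203.0.113.50", 21),
    ("2002-04-02 01:05:00", "203.0.113.50", 22),
    ("2002-04-02 02:05:00", "203.0.113.50", 23),
    ("2002-04-02 03:05:00", "203.0.113.50", 110),
    ("2002-04-02 04:05:00", "203.0.113.50", 143),
    ("2002-04-02 05:05:00", "203.0.113.50", 3306),
    ("2002-04-02 03:10:00", "198.51.100.9", 80),
    ("2002-04-02 03:11:00", "198.51.100.9", 8080),
]


def _group_by_source(events, public_ports):
    """Drop hits on legitimately public ports, parse timestamps, group by src."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        if port in public_ports:
            continue  # service traffic never enters the correlation
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), port))
    return by_src


def slow_scan_sources(events, window, min_ports, public_ports=PUBLIC_PORTS):
    """Return {src_ip: sorted distinct non-public ports it probed} for every
    source that touched at least `min_ports` distinct non-public ports within
    any span of length `window`.  Events need not arrive time-ordered."""
    flagged = {}
    for src, hits in _group_by_source(events, public_ports).items():
        hits.sort()
        in_window = defaultdict(int)  # port -> number of hits inside the window
        start = 0
        for t, port in hits:
            in_window[port] += 1
            # slide the left edge of the window past hits older than `window`
            while hits[start][0] < t - window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged


if __name__ == "__main__":
    # A 24h window catches the one-port-per-hour scanner; a one-minute window,
    # the kind of threshold a fast portscan detector uses, never sees it.
    print("24h window:", slow_scan_sources(EVENTS, DAY, min_ports=5))
    print("60s window:", slow_scan_sources(EVENTS, MINUTE, min_ports=5))
```

The two calls at the bottom are the point: the same events flag the scanner under a day-long window and produce nothing under a minute-long one, which is why slow scans need correlation over stored alerts rather than an in-line rate threshold.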



--__--__--

Message: 6
Date: Tue, 2 Apr 2002 11:28:54 -0800 (PST)
From: Erek Adams <erek () theadamsfamily net>
To: Chris Frazier - PA <Chris_Frazier () GMACM COM>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Solaris 8 with quad card

On Tue, 2 Apr 2002, Chris Frazier - PA wrote:

> I have Snort running on a Ultra 5 with Solaris 8.  I bring up interfaces
> qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
> have Snort listen on those interfaces using separate commands:
>
> snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
> snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
>
> When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
> nothing.  If I kill the snort running on qfe3, and just do a tcpdump -i
> qfe3, and run the scans again, I see the traffic.

Ok, let's check this a bit more.  If you use a 'snort -vade -i qfe2' and run
scans, do you see the traffic?  Where does this traffic come from?  A third
machine?  If you just run the qfe3 instance (as above), does it log?  Running a
'snort -vade -i qfe3' while scanning--does that show any data?

> So am I doing something completely wrong, or am I trying to do something
> that is not possible?

It all depends.  :)  'Not Possible' just means someone else hasn't done it
yet.  ;-)

> Any help is greatly appreciated.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



--__--__--

Message: 7
Subject: Re: [Snort-users] configure --with-mysql= ?
From: Jason Yates <jyates () dataservice org>
To: ___cliff rayman___ <cliff () genwax com>
Cc: John Sage <jsage () finchhaven com>, snort-users () lists sourceforge net
Date: 02 Apr 2002 14:34:36 -0500

Try,

./configure --with-mysql


-Jason Yates



--__--__--

Message: 8
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] OT: Deciphering log entry(iptables)
From: Chris Green <cmg () sourcefire com>
Reply-To: snort-users () lists sourceforge net
Date: Tue, 02 Apr 2002 14:47:11 -0500

> Has anyone seen this or know what it may be
> related to?
>
> Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0
> SRC=aa.bb.cc.ddd(me) DST=aa.bb.ee.ff(them)
> LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF
> PROTO=TCP SPT=80 DPT=2418 WINDOW=0
> RES=0x00 ACK RST URGP=0



It's very possible that someone is synflooding someone else using your
IP as the spoofed src.

-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.
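Both Matt's reading (a RST answering a SYN to port 80 that nothing was listening on) and Chris's (your address used as a spoofed source elsewhere) describe the same thing at the log level: header-only RST/ACK segments leaving the box from port 80, WINDOW=0, with only DST changing. The following is an added example, not from the thread and not part of Snort or netfilter, that parses iptables LOG lines into fields and flag tokens, classifies that outbound-RST pattern, and groups it by local (SRC, SPT) so a run of such replies to many destinations stands out from ordinary inbound traffic. The sample lines are constructed, modelled on Scott's entry with RFC 5737 documentation addresses in place of the masked ones; the category names are the example's own.

```python
"""Classify netfilter (iptables) LOG lines (added example; not from the thread
or the Snort project).  The sample lines are constructed, modelled on the entry
posted in the thread, with documentation addresses standing in for the masked
ones."""
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
_KERNEL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+(?P<rest>.*)$")

# Constructed sample: three lines shaped like the one in the thread (outbound,
# SPT=80, ACK RST, WINDOW=0, LEN=40, only DST changing), one inbound SYN to
# port 22, and one inbound ICMP echo request.
SAMPLE_LOG = """\
Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.17 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2418 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:36 xxxxfw1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.42 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=3301 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:40 xxxxfw1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1125 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:20:01 xxxxfw1 kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=33012 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 04:20:02 xxxxfw1 kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_line(line):
    """Split one netfilter LOG line into key=value fields and bare flag tokens.
    Returns None for lines that are not netfilter LOG output."""
    m = _KERNEL_LINE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")  # 'IN=' yields an empty value
            # IP-header fields come first; ICMP repeats ID= for its own
            # identifier, so the first occurrence of a key wins.
            fields.setdefault(key, val)
        elif tok in TCP_FLAGS or tok == "DF":
            flags.add(tok)
    if "IN" not in fields or "OUT" not in fields:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"),
            "fields": fields, "flags": flags}


def classify(rec):
    """Label a parsed record with one of the example's own categories."""
    f, flags = rec["fields"], rec["flags"]
    outbound = f["IN"] == "" and f["OUT"] != ""
    if f.get("PROTO") != "TCP":
        return "non-tcp"
    if outbound and {"ACK", "RST"} <= flags and "SYN" not in flags:
        # A RST carrying ACK is what a TCP stack sends back for a SYN it has
        # no listener or connection for.  One of these is noise; many of them
        # from the same local port to ever-changing DSTs is the pattern the
        # thread is about (scans/worms hitting port 80, or spoofed-source
        # traffic bouncing off this host).
        return "outbound-rst-reply"
    if not outbound and "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"
    return "other"


def summarize(log_text):
    """Classify every line and collect outbound RST replies per local
    (SRC, SPT) so the 'many RSTs, only DST changing' pattern is visible."""
    counts = defaultdict(int)
    rst_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "outbound-rst-reply":
            f = rec["fields"]
            rst_targets[(f["SRC"], f["SPT"])].add(f["DST"])
    return {"counts": dict(counts),
            "rst_targets": {k: sorted(v) for k, v in rst_targets.items()}}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real /var/log/messages the summary shows, per local port, how many distinct peers received a RST reply; if that list is long and the destination port on the other side keeps changing, the host is answering traffic it never initiated, which is the situation both replies in the thread describe.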




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest


