Snort mailing list archives
RE: Snort-users digest, Vol 1 #2134 - 12 msgs
From: "Michael L. Capps" <Michael_L_Capps () attbi com>
Date: Wed, 31 Jul 2002 18:15:10 -0700
I have experienced the exact same thing with SMTP HELO overflow. I also am getting the FTP USER overflow alerts but I haven't gotten to them yet. Are you using binary or ascii logging?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net
Sent: Wednesday, July 31, 2002 8:34 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2134 - 12 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. FTP USER overflow attempt alerts, no logged packets. (Dolfred Mascarenhas)
2. RE: snort can do this? (McCammon, Keith)
3. Re: Running SORT in Windows (Alexandre GIGLEUX)
4. RE: snort behavior in very high-load environment, BSD vs. linux (Cloppert, Michael)
5. Re: Running SORT in Windows (Laurent Grignet)
6. philosophical question (Eduard San Anselmo)
7. RE: philosophical question (McCammon, Keith)
8. RE: snort behavior in very high-load environment, BSD vs. linux (Williams Jon)
9. RE: philosophical question (RR)
10. Re: philosophical question (Marco Aurelio Valtas Cunha)

--__--__--

Message: 1
Date: Wed, 31 Jul 2002 06:34:13 -0700 (PDT)
From: Dolfred Mascarenhas <dolfredm () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] FTP USER overflow attempt alerts, no logged packets.

Hi,

My snort alerted on the FTP user overflow attempt, as detailed below. On checking the logs, I observed that no packets were recorded for this alert, despite the large number of entries in the alerts file. Offensive packets were logged on all other alerts, but not this one. My Snort version is 1.8.7. Any comments/ideas will be appreciated.

Thanks,
Dolfred.

[**] [1:1734:4] FTP USER overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
x.x.x.x:1349 -> x.x.x.x:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
***AP*** Seq: 0xC7BB95C1 Ack: 0xC7BB95C1 Win: 0x0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/4638]
[Snort log]

--__--__--

Message: 2
Subject: RE: [Snort-users] snort can do this?
Date: Wed, 31 Jul 2002 10:00:03 -0400
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
To: "gohometa" <gohome97 () tatung com>, <snort-users () lists sourceforge net>

Yes. It's in the Users Manual under "Tag."

-----Original Message-----
From: gohometa [mailto:gohome97 () tatung com]
Sent: Wednesday, July 31, 2002 4:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort can do this?

If we detect an intrusion by just detecting a packet, maybe it is not correct. If I want to detect sequential packets to decide whether they are from the same source, and make sure someone is intruding on me, how can I do that? Can snort do this?
--__--__--

Message: 3
From: "Alexandre GIGLEUX" <Alexandre.Gigleux () loria fr>
To: "Roger Niken" <rogern () grintek com>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Running SORT in Windows
Date: Wed, 31 Jul 2002 16:15:34 +0200
Hello,

Go to: http://www.snort.org/dl/contrib/ and download WinPCap ...

Alex

----- Original Message -----
From: Roger Niken
To: snort-users () lists sourceforge net
Sent: Wednesday, July 31, 2002 10:58 AM
Subject: [Snort-users] Running SORT in Windows

Hi

I have downloaded SNORT for Win32 and keep getting an error "unable to locate DLL-wpcap.dll" when trying to execute the file. The manual that came with the installation only explains how to use SNORT in Linux. Please assist.

Regards

Roger Niken
Syrinx Communications
Network Management: Systems Manager
+27 (0)11 616 0701 (Office)
+27 (0)82 376 5193 (Mobile)

--__--__--

Message: 4
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
To: 'Adam D'Amico' <adamico () speakeasy net>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort behavior in very high-load environment, BSD vs. linux
Date: Wed, 31 Jul 2002 10:16:11 -0400

Okay, I'm not going to be able to address all of your issues/concerns here as I'm fairly new with snort myself, BUT here are my thoughts...
> Now, I've read/heard for a long time that the BSD packet capture ability is far better than that in linux, even with the new 2.4 optimizations.

I've heard this too; this is the first attempt at verifying such claims with regard to snort that I've read. Kudos!

> I've got two identical boxes with two identical gig-e feeds running into them. The hardware is dual P3 1.26GHz, 1GB RAM, plenty of 7200rpm IDE disk, and Intel pro1000-T adapters. On the copper there is a steady stream from our backbone of around 55-70kpps, weighing in at between 300-400Mbps, depending on time of day.

Okay, first thing to consider is your processors. Keep in mind snort is single-threaded, so unless you're running barnyard (I think that's what it's called), which handles output processors in a separate thread, this likely won't help your performance. Second, the point you make about your PCI bus being 32 as opposed to 64 bit is valid. Remember, you have not only your gig ethernet card trying to talk across this bus, but also all the data going to your disk array, and if you have two NICs (one for capture and one for management), you're cramming that data onto the bus as well. Whether or not LINUX & BSD handle pushing data across the bus differently I don't know, but something to think about.

> Snort analyzed -906323712 out of -843192947 packets, The kernel dropped
> <snip>
> Snort analyzed -1634877952 out of -796656885 packets, The kernel dropped 793215694(22.674%) packets
> <snip>
> Snort analyzed -249022464 out of -1275082956 packets, The kernel dropped 1452753881(113.934%) packets
>
> How do I drop more than 100%?

I'd bet you're seeing integer wraparound. Snort's using a signed integer for keeping track of how many packets it's captured, and when it attempts to count high enough, you will begin to see negative numbers. If you're not a coder, here's basically how it works. If a signed integer is used, the high-order bit is reserved as the negative indicator. For example, 0000 0010 is a positive number, but 1000 0111 is a negative number (because the high-order bit is set). When you're counting, if you get high enough and you add 1 to 0111 1111, you get 1000 0000, which then puts you in the negative realm! You may simply need to regulate the number of packets you're capturing by doing so for a shorter period of time, so you avoid this problem - maybe do this a number of times and add up your results? It's a thought...

Hope this helps. Definitely post any other results you get - this is very useful information!!

Mike

--__--__--

Message: 5
Date: Wed, 31 Jul 2002 16:49:23 +0200
From: Laurent Grignet <lgrignet () ulg ac be>
Reply-To: unif <lgrignet () ulg ac be>
Organization: ulg
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Running SORT in Windows
> Hi

Hello,

> I have downloaded SNORT for Win32 and keep getting an error "unable to locate DLL-wpcap.dll" when trying to execute the file. The manual that came with the installation only explains how to use SNORT in Linux. Please assist.

Did you install winpcap? If not, that's why snort doesn't work. See http://winpcap.polito.it/ for information.

> Regards

Hope This Helps,

> Roger Niken

Laurent

--__--__--

Message: 6
Date: Wed, 31 Jul 2002 17:00:17 +0200
From: Eduard San Anselmo <esananselmo () albasoft com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] philosophical question

I've just installed snort and everything seems to work fine. Too fine, I would say: my sensor is informing of many alerts that aren't so, I mean, there are lots of false positives that I'm supposed to tune. That's my question: what does tuning mean? The way I see it is that I have to look at the alerts and change some things in the rules that triggered those alerts, so they won't bother me again. Is that a good point of view?

Thank you.

--__--__--

Message: 7
Subject: RE: [Snort-users] philosophical question
Date: Wed, 31 Jul 2002 10:59:10 -0400
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
To: "Eduard San Anselmo" <esananselmo () albasoft com>, <snort-users () lists sourceforge net>

Correct. You need to examine what you believe to be FP, and adjust your rules files accordingly. The popular method is to pass on the sig in local.rules or the like, or write BPF statements to correct the issue.
-----Original Message-----
From: Eduard San Anselmo [mailto:esananselmo () albasoft com]
Sent: Wednesday, July 31, 2002 11:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] philosophical question

I've just installed snort and everything seems to work fine. Too fine, I would say: my sensor is informing of many alerts that aren't so, I mean, there are lots of false positives that I'm supposed to tune. That's my question: what does tuning mean? The way I see it is that I have to look at the alerts and change some things in the rules that triggered those alerts, so they won't bother me again. Is that a good point of view?

Thank you.

-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 8
From: "Williams Jon" <WilliamsJon () JohnDeere com>
To: "'Adam D'Amico'" <adamico () speakeasy net>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort behavior in very high-load environment, BSD vs. linux
Date: Wed, 31 Jul 2002 10:13:56 -0500

While I haven't got nearly the load you've got, I'll share what I've found in my testing.

First, I don't remember if it was Linux or another OS (Solaris?), but there's at least one Unix out there that lies about its packet drop rate, as it is hard coded to 0 in the kernel. In my testing of Slowaris vs. FreeBSD, this appears to be the case.

Second, the single threading problem can be minimized if you use BSD and can segment your snort processes using command line BPF. For example, if you've got three /24 subnets, 10.0.1.0, 10.0.2.0, and 10.0.3.0, run one snort process for each with the BPF on the command line of "net 10.0.1.0" or whatever. By doing that, you can gain some of the benefits of having multiple processors (if your kernel is built for it) even with a single-threaded snort. As a side note, I've also found it worth running an N+1 process with a BPF of "not net 10.0.1.0 and not net 10.0.2.0 and not net 10.0.3.0" and alerting on any packet I see. This has been one of the most useful rules I've put together, since it shows me things that theoretically shouldn't be on my network. <grin>

Next, depending on the traffic loads, you can run into performance issues based on the capabilities of your system. At really high speeds, things like your PCI bus width and disk write speeds are always an issue, but your memory bandwidth can also become an issue.

As for rules, I'm actually getting to the point where I think I've got some of my networks profiled fairly well. I know basically what types of network traffic are allowed, what applications run there, things like that. Once you have that information, I believe that it is more useful to look for violations to normal than to spend time looking for what unknown "experts out there" say you should look for. For example, if I know that only TCP traffic is allowed on a WAN link, then create a rule that alerts when the protocol field is not TCP. Not only will you run fewer rules, I believe that this will give a better chance at detecting new viruses, as well.

Finally, if you do use external rules, such as from snort.org, take a hard look at what rules you run. Get rid of as many as you can, try very hard not to use the address list construct (i.e. [1.1.1.1,2.2.2.2,3.3.3.3]), and try to optimize the order of the rules such that the most specific rules (specific addresses and ports) that don't have content: options are at the top and the least specific ones (any any -> any any) that use content: options are at the bottom. This helps break out of the critical path faster, so you waste less time looking at most packets.

I hope this helps. Please let us know what your results are, since this information is very useful to many of us :-)

Jon

-----Original Message-----
From: Adam D'Amico [mailto:adamico () speakeasy net]
Sent: Tuesday, July 30, 2002 5:43 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort behavior in very high-load environment, BSD vs. linux

Hello,

I've been working with snort for a while now in an environment that seems to be on the bleeding edge of what should be snortable. I've gotten predictable results in some spots and weirdness in others. I thought I would share my results with everyone here, in the hope that someone might get use out of them, and maybe even have decent explanations for the weirdness. I've read through a lot of the previous threads having to do with packet loss and system tuning, but not much of it was applicable, given the network environment I'm running in.
--__--__--

Message: 9
From: "RR" <rehmanr () dedicatedtech com>
To: "Eduard San Anselmo" <esananselmo () albasoft com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] philosophical question
Date: Wed, 31 Jul 2002 11:25:10 -0400

I would say yes. That is a good starting point. However you may need to write your own rules as well for some specific things that you want to monitor. Remember, pre-defined rules don't do "everything".

HTH

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Eduard San Anselmo
Sent: Wednesday, July 31, 2002 11:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] philosophical question

I've just installed snort and everything seems to work fine. Too fine, I would say: my sensor is informing of many alerts that aren't so, I mean, there are lots of false positives that I'm supposed to tune. That's my question: what does tuning mean? The way I see it is that I have to look at the alerts and change some things in the rules that triggered those alerts, so they won't bother me again. Is that a good point of view?

Thank you.

--__--__--

Message: 10
Date: Wed, 31 Jul 2002 11:33:07 -0400
From: Marco Aurelio Valtas Cunha <mavcunha () bit fmrp usp br>
Organization: Fundação Hemocentro
To: Eduard San Anselmo <esananselmo () albasoft com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] philosophical question

Yeah, that's a good point of view, but tuning means more like "know what the data in your network is, then update only the rules that apply to it." It's better to have false positives than to miss real alerts.

Marco.

Eduard San Anselmo wrote:
> I've just installed snort and everything seems to work fine. Too fine, I would say: my sensor is informing of many alerts that aren't so, I mean, there are lots of false positives that I'm supposed to tune. That's my question: what does tuning mean? The way I see it is that I have to look at the alerts and change some things in the rules that triggered those alerts, so they won't bother me again. Is that a good point of view?
>
> Thank you.
--
Attention: my email changed to mavcunha () bit fmrp usp br. See why here: http://scarecrow.fmrp.usp.br/~mavcunha/public

Marco Aurélio Valtas Cunha
Laboratório de Bioinformática
Hemocentro de Ribeirão Preto
Faculdade de Medicina de Ribeirão Preto
Universidade de São Paulo
Tel 55 16 3963-9300 R: 9603
homepage http://bit.fmrp.usp.br
email: mavcunha () bit fmrp usp br

--__--__--

End of Snort-users Digest
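The signed-counter wraparound that Michael Cloppert describes in message 4 of the digest above, reproduced in C as an added example (not Snort's code and not from any poster): the 32-bit counter width, the 64-bit replacement, and the sample packet totals are assumptions chosen to reproduce the symptom, and the plausibility check on the drop percentage is one way a sensor could refuse to print a rate above 100% instead of reporting nonsense.

```c
/* Added demonstration of the signed-counter wraparound discussed in the thread.
 * Not Snort's code: the counter widths and sample figures are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Interpret the low `bits` bits of a running count as a two's-complement
 * signed value, i.e. what printf("%d") shows after a signed counter wraps.
 * Pure arithmetic, so no implementation-defined narrowing cast. 1 <= bits <= 62. */
int64_t as_signed(uint64_t count, unsigned bits) {
    uint64_t modulus = (uint64_t)1 << bits;
    uint64_t v = count & (modulus - 1);      /* the counter wraps modulo 2^bits */
    if (v >= modulus / 2)                    /* high-order bit set: negative */
        return (int64_t)v - (int64_t)modulus;
    return (int64_t)v;
}

typedef struct {
    uint64_t received;   /* packets handed up by the capture layer */
    uint64_t analyzed;   /* packets the sensor actually processed */
    uint64_t dropped;    /* packets the kernel reported dropped */
} pkt_stats;

/* Drop percentage with a plausibility check. Drops can never exceed the
 * packets received, so a ratio above 100% means a counter wrapped or the
 * two figures came from inconsistent snapshots. Returns false instead of
 * producing a meaningless number. */
bool drop_percent(const pkt_stats *s, double *pct) {
    if (s->received == 0 || s->dropped > s->received)
        return false;
    *pct = 100.0 * (double)s->dropped / (double)s->received;
    return true;
}

/* Print the totals the way a 32-bit signed counter would display them. */
void print_signed32(const pkt_stats *s) {
    printf("Snort analyzed %lld out of %lld packets\n",
           (long long)as_signed(s->analyzed, 32),
           (long long)as_signed(s->received, 32));
}

int main(void) {
    /* The poster's 8-bit illustration: 0111 1111 + 1 becomes 1000 0000. */
    printf("0x7F + 1 as int8 = %lld\n", (long long)as_signed(0x7F + 1, 8));

    /* Constructed sensor run: about 2.4e9 packets, past 2^31 but below 2^32. */
    pkt_stats s = { .received = 2400000000ULL, .analyzed = 1856000000ULL,
                    .dropped  = 544000000ULL };
    print_signed32(&s);                  /* received displays as -1894967296 */

    double pct;
    if (drop_percent(&s, &pct))
        printf("kernel dropped %.3f%% (64-bit counters)\n", pct);

    /* Drop and total magnitudes from the thread's third stats line. */
    pkt_stats bad = { .received = 1275082956ULL, .analyzed = 249022464ULL,
                      .dropped  = 1452753881ULL };
    if (!drop_percent(&bad, &pct))
        printf("drop count exceeds received: counter overflow suspected\n");
    return 0;
}
```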