Snort mailing list archives

Step by Step GUIDE Part I released


From: "S." <sleepy () maximumunix org>
Date: Fri, 13 Dec 2002 15:46:55 -0800

Hi, I wrote Part I of what I would like to be a series of tutorials, both
administrative and coding, on SNORT.
It can be found at
http://www.maximumunix.org/modules.php?name=News&file=article&sid=6

I would appreciate your feedback.
Thanks

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Friday, December 13, 2002 3:39 PM
Subject: Snort-users digest, Vol 1 #2582 - 14 msgs



Today's Topics:

   1. RE: New Trend: Intrusion Prevention (twig les)
   2. Re: stopping snort (Bennett Todd)
   3. Re: New Trend: Intrusion Prevention (Alberto Gonzalez)
   4. Re: stopping snort (Alberto Gonzalez)
   5. No Traffic stats showing in my acid main php browser (Salloum, Camile)
   6. Re: New Trend: Intrusion Prevention (Erick Mechler)
   7. RE: New Trend: Intrusion Prevention (Chris Eidem)
   8. RE: No Traffic stats showing in my acid main php browser (Axness, Bob)
   9. Huge Amount of Port 1433 Scans From Asian IP's (Ibarra, Michael)
  10. YASG :-) - yet another setup guide for snort (switched, Debian, MySQL, etc) (Anton A. Chuvakin)
  11. Re: New Trend: Intrusion Prevention (Martin Roesch)
  12. snorting SSL/TLS traffic? (Todd Holloway)

--__--__--

Message: 1
Date: Fri, 13 Dec 2002 12:26:57 -0800 (PST)
From: twig les <twigles () yahoo com>
Subject: RE: [Snort-users] New Trend: Intrusion Prevention
To: "Ibarra, Michael" <m.ibarra () cdcixis-na com>,
  "'Sheahan, Paul (PCLN-NW)'" <Paul.Sheahan () priceline com>,
  "Snort List (E-mail)" <snort-users () lists sourceforge net>

I've seen a few of these for a couple years now, but
generally I run into the host-based ones.  Eeye makes
one for that retarded MS web server here:
http://www.eeye.com/html/Products/SecureIIS/index.html

I believe it intercepts kernel calls and blocks/passes
them, kinda playing middleman.  Not sure though.
Looks neat, but I don't see any silver bullet here
either; not unless you want to slap this type of thing
on your 500-5000 XP workstations too.

--- "Ibarra, Michael" <m.ibarra () cdcixis-na com> wrote:
-----Original Message-----
From: Sheahan, Paul (PCLN-NW)
[mailto:Paul.Sheahan () priceline com]
Sent: Friday, December 13, 2002 12:31 PM
To: Snort List (E-mail)
Subject: [Snort-users] New Trend: Intrusion Prevention



I attended Infosecurity 2002 yesterday and there was much talk about
intrusion detection going away, and intrusion prevention replacing it. Does
anyone know if there are any plans to include intrusion prevention
functionality into Snort in the future?

Thanks,

Paul Sheahan

Can you elaborate on this? Do they mean that a sensor will proactively
block IP's/attacks?

-mike



-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance
Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------



--__--__--

Message: 2
Date: Fri, 13 Dec 2002 15:46:44 -0500
From: Bennett Todd <bet () rahul net>
To: Don <Don () WeberOnTheWeb com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] stopping snort



2002-12-13-13:54:14 Don:
Has anyone found a way to stop snort, automatically, [...]

That's very much a platform-specific question. On platforms on which
I'd try and support snort, when it's installed the way I'd install
it, I can always stop it with "/etc/init.d/snort stop".

what i want to do is have snort stop, if it gets more than 'x'
alerts in a single hour, or some time frame, then of course email
me that it has stopped.

On the platforms where I'd support snort, I'd just use swatch with a
rule to stop snort. No new engineering required. However, I wouldn't
actually set this up; instead, I'd fix the underlying problem of
looping errors.

i do go to syslog with alerts. any suggestions. I have a
particular sensor that periodically starts alerting on something,
that just causes a round robin effect, and fills up the logs with
the same error over and over and over, it gets really boring
actually.

Sounds like the snort alert is re-triggering the alarm. You've got
several choices.

- don't ship the snort alerts off-system
- don't ship them through an interface that snort is watching
- fix the signature so it doesn't re-signal on its own alarm data
- encapsulate the alarm data in something like SSL or SSH so snort
  can't see the scary bits any more
- write a BPF filter to blind snort to the traffic stream that's
  carrying the alarms off-system
- disable the alarm that's looping

and maybe there are more alternatives.

-Bennett
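The loop Bennett diagnoses, and the "stop after x alerts in a window" watchdog Don is asking for, modelled in Python. This is an added example, not code from the thread or from Snort: rules are reduced to content matches, the alert_syslog transport to a function that drops each alert back onto the monitored segment, and the sensor, collector and web-server addresses, the SID 1000001 and the rule message are all constructed. It shows why shipping cleartext alerts across a watched interface re-triggers a rule whose msg repeats the matched content, that excluding the collector host (what a BPF `not host` filter does) breaks the loop, and the sliding-window rate test a swatch rule would apply before running the stop command.

```python
"""Added example, not code from the thread or from Snort: a toy model of the
alert feedback loop plus a rate-threshold watchdog.  Rules are reduced to
content matches and the syslog transport to a function that puts each alert
back on the monitored segment; all addresses, SIDs and messages are
constructed."""
from collections import deque

SENSOR = "192.0.2.5"        # constructed sensor address
COLLECTOR = "192.0.2.20"    # constructed syslog collector address

# Constructed rule set: (sid, msg, content).  The msg text repeats the matched
# content, which is exactly what makes a cleartext alert re-trigger the rule.
RULES = [
    (1000001, "WEB-IIS cmd.exe access", b"cmd.exe"),   # hypothetical local SID
]


def match(payload, rules=RULES):
    """Return (sid, msg) for every rule whose content appears in payload."""
    return [(sid, msg) for sid, msg, content in rules if content in payload]


def alert_line(sid, msg, src, dst):
    """Alert text in the shape Snort's alert_syslog output uses."""
    return f"snort[812]: [1:{sid}:0] {msg} {{TCP}} {src} -> {dst}"


def run_sensor(packets, exclude_collector=False, max_packets=20):
    """Process packets (src, dst, payload).  Every alert is shipped to the
    collector in cleartext across the same segment, so it becomes a packet the
    sensor inspects.  With exclude_collector=True, traffic to or from the
    collector is skipped: the same effect as a BPF 'not host COLLECTOR'.
    The packet cap keeps the un-fixed case finite."""
    queue = deque(packets)
    alerts = []
    processed = 0
    while queue and processed < max_packets:
        src, dst, payload = queue.popleft()
        processed += 1
        if exclude_collector and COLLECTOR in (src, dst):
            continue
        for sid, msg in match(payload):
            line = alert_line(sid, msg, src, dst)
            alerts.append(line)
            # alert_syslog over UDP: the sensor's own alert crosses the wire
            queue.append((SENSOR, COLLECTOR, line.encode()))
    return alerts


def exceeds_rate(timestamps, limit, window):
    """True if any window of `window` seconds holds more than `limit` alerts
    (two-pointer sliding scan over sorted epoch seconds)."""
    ts = sorted(timestamps)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def watchdog_action(timestamps, limit, window, stop_cmd="/etc/init.d/snort stop"):
    """What a swatch-style watcher would do: the stop command plus the notice
    to mail, or None while the alert rate is acceptable."""
    if not exceeds_rate(timestamps, limit, window):
        return None
    return (stop_cmd, f"snort stopped: more than {limit} alerts in {window}s")


if __name__ == "__main__":
    traffic = [  # constructed packets on the monitored segment
        ("198.51.100.9", "192.0.2.10", b"GET / HTTP/1.0"),
        ("198.51.100.9", "192.0.2.10", b"GET /scripts/cmd.exe HTTP/1.0"),
    ]
    looping = run_sensor(traffic)
    fixed = run_sensor(traffic, exclude_collector=True)
    print(f"without exclusion: {len(looping)} alerts (capped); with: {len(fixed)}")
    print(watchdog_action(range(len(looping)), limit=10, window=3600))
```

The rate test is the stopgap; Bennett's point stands that the real fix is to keep the alert stream out of the sensor's view, which is the `exclude_collector` branch here and a `not host <collector>` BPF expression on the snort command line in practice.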



--__--__--

Message: 3
Date: Fri, 13 Dec 2002 15:58:30 -0800
From: Alberto Gonzalez <albertg () cerebro violating us>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New Trend: Intrusion Prevention

Why would you want to use an IPS to stop a SYN|FIN sweep? Portscans are
the same ol' thing nowadays. Not like in the past few years where new
techniques would keep getting released. Your IPS software (appliance) should
be tuned to defend against attacks, not mere probes at your network. Heck,
there are methods to trick nmap out there. I think if intrusion prevention
is going to get anywhere, it needs to just concentrate on attacks; you don't
want to overwhelm it. Or is it just me that hasn't seen anything interesting
in a portscan in the last, oh say, year?

These are my opinions, I would love to hear others but let's keep it
off-list..

Cheers!

    - Alberto

Bob Dehnhardt wrote:

Everything I've seen about IPS is that it's intended as another facet of
security, not as a replacement for IDS. IPS is useful for preventing attacks
that can be identified with a high (99%+) degree of accuracy, like SYN/FIN
sweeps. Attacks that may have a significant number of false positives are
outside IPS's realm, since having that traffic dropped would likely affect
normal network operations. IDS with a real live decision-making person will
be used in those cases, just as today.

There is no single solution, probably never will be.

- Bob

Bob Dehnhardt
IT Operations Manager - Reno
TriNet
(775) 327-6407

-----Original Message-----
From: Steve Halligan [mailto:giermo () geeksquad com]
Sent: Friday, December 13, 2002 10:16 AM
To: 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
Subject: RE: [Snort-users] New Trend: Intrusion Prevention



I attended Infosecurity 2002 yesterday and there was much talk about
intrusion detection going away, and intrusion prevention replacing it. Does
anyone know if there are any plans to include intrusion prevention
functionality into Snort in the future?



The future is now.

http://www.snort.org/dl/contrib/patches/inline/

Also see Hogwash at:
http://www.snort.org/dl/contrib/patches/hogwash/

Now one could (and I would) debate the premise that you stated, but that
is
a whole 'nother can of worms.

-steve






--
The secret to success is to start from scratch and keep on scratching.




--__--__--

Message: 4
Date: Fri, 13 Dec 2002 16:06:36 -0800
From: Alberto Gonzalez <albertg () cerebro violating us>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] stopping snort

daemontools?

Bennett Todd wrote:

[...]

--
The secret to success is to start from scratch and keep on scratching.




--__--__--

Message: 5
From: "Salloum, Camile" <SalloumC () Grangeinsurance com>
To: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Date: Fri, 13 Dec 2002 16:07:21 -0500
Subject: [Snort-users] No Traffic stats showing in my acid main php browser

Hi.  I am at the point now where I have run the CIS Cerberus Scanner on my
local host.  The machine is not connected to a good switch, just a simple
Linksys switch.  I have run the CIS Scanner and still get no traffic stats.
Why?  What am I missing here?  Why doesn't the web browser automatically
refresh itself?  I am forced to refresh it manually.  Where can I check to
troubleshoot?  Thank You.

Camile L Salloum





--__--__--

Message: 6
Date: Fri, 13 Dec 2002 13:14:07 -0800
From: Erick Mechler <emechler () techometer net>
To: twig les <twigles () yahoo com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New Trend: Intrusion Prevention

:: I believe it intercepts kernel calls and blocks/passes
:: them, kinda playing middleman.  Not sure though.
:: Looks neat, but I don't see any silver bullet here
:: either; not unless you want to slap this type of thing
:: on your 500-5000 XP workstations too.

Okena makes one that my team is currently evaluating.  Twig, you're right,
it sits between the application and the OS level and looks at all system
calls that the applications are making.  Benefits of sitting this low: you
can have extremely fine-grained control over what an application is allowed
to use/modify/read/etc.; you can analyze encrypted data since the
application has already decrypted it.  Drawbacks: it takes a *lot* of setup
time to figure out exactly what certain applications need.

  http://www.okena.com/areas/products/products_stormwatch.html

Niels Provos also wrote something similar for UNIX, called systrace.

  http://www.citi.umich.edu/u/provos/systrace/

I'm not sure this is what Paul Sheahan was referring to when he was talking
about Intrusion Prevention, though, seeing as this is a host-based
solution.  There are network-based Intrusion Prevention solutions, but in
my opinion they're really not practical due to the fact that you need an
extremely high degree of accuracy (as Bob already mentioned).

Cheers - Erick


--__--__--

Message: 7
Subject: RE: [Snort-users] New Trend: Intrusion Prevention
Date: Fri, 13 Dec 2002 15:27:47 -0600
From: "Chris Eidem" <ceidem () Dexma com>
To: "twig les" <twigles () yahoo com>,
"Snort List (E-mail)" <snort-users () lists sourceforge net>

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Friday, December 13, 2002 2:27 PM
To: Ibarra, Michael; 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
Subject: RE: [Snort-users] New Trend: Intrusion Prevention

[...]

my retarded servers have enough trouble with their IIS miscommunicating
with the kernel as it is.  i really don't want to add another layer that
could muck things up even more...

my basic thought is this (IPS - that is) is too dangerous right now for
this to be used in a production network.  the DOS potential against a
system is way too high and you would have to have 10000 rules to make sure
that you have the right signature before you start blocking connections
accurately.

locking the doors and checking the windows is difficult enough without
having to go out onto the sidewalk and chase any 'shady' looking person
from your yard.

 - chris


--__--__--

Message: 8
From: "Axness, Bob" <BAxness () stjosephswb com>
To: "'Salloum, Camile'" <SalloumC () Grangeinsurance com>,
    "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Subject: RE: [Snort-users] No Traffic stats showing in my acid main php browser
Date: Fri, 13 Dec 2002 15:37:46 -0600

I am a newbie to Snort but I think your problem is...
The interface that is doing the listening needs to be on a hub or a switch
capable of doing port mirroring/monitoring.
If you are on a normal switch listening you won't see/hear anything.  Swap
it out with a hub and I bet you'll see some stats.

Bob



-----Original Message-----
From: Salloum, Camile [mailto:SalloumC () Grangeinsurance com]
Sent: Friday, December 13, 2002 3:07 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] No Traffic stats showing in my acid main php browser


[...]








--__--__--

Message: 9
From: "Ibarra, Michael" <m.ibarra () cdcixis-na com>
To: snort-users () lists sourceforge net
Date: Fri, 13 Dec 2002 16:50:17 -0500
Subject: [Snort-users] Huge Amount of Port 1433 Scans From Asian IP's

Am I the only one who has seen an extremely large rise
in scans to port 1433/ms-sql? While not a problem for me,
we do not run this crap, just curious to find out why it hasn't
stopped, the src addr's are mostly the same.

-mike
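An added example (not from the thread) for the question Mike raises, i.e. whether the 1433 noise is a few repeat sources or a broad sweep: aggregate the sensor's syslog alerts to one destination port by source address and by /24. The log lines are constructed in the shape of Snort's alert_syslog output with a hypothetical SID and rule message; the addresses are documentation ranges, not the sources Mike saw, and the non-alert line is there to show that anything that does not parse is skipped rather than guessed at.

```python
"""Added example, not from the thread: aggregate Snort syslog alerts for one
destination port by source and by prefix.  SAMPLE_LOG is constructed in the
shape of Snort's alert_syslog output; SIDs, messages and addresses are made up."""
from collections import Counter
import ipaddress
import re

# [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?)(?: \[[^\]]*\])*: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

SAMPLE_LOG = """\
Dec 13 16:40:01 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.7:4125 -> 192.0.2.10:1433
Dec 13 16:40:02 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.7:4126 -> 192.0.2.11:1433
Dec 13 16:40:04 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.23:3391 -> 192.0.2.10:1433
Dec 13 16:40:05 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.7:4127 -> 192.0.2.12:1433
Dec 13 16:40:07 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.23:3392 -> 192.0.2.11:1433
Dec 13 16:40:09 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.9:2210 -> 192.0.2.10:1433
Dec 13 16:40:10 sensor snort[812]: [1:1000003:1] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.23:3400 -> 192.0.2.10:80
Dec 13 16:40:11 sensor snort[812]: [1:1000002:1] MS-SQL connect attempt [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.7:4128 -> 192.0.2.13:1433
Dec 13 16:40:12 sensor sshd[440]: Accepted publickey for admin from 192.0.2.2 port 51022
"""


def parse_alerts(text):
    """Yield one dict per line matching the alert pattern; other daemons'
    lines and truncated lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(text, dport, prefix_len=24, top=5):
    """Count alerts to `dport` by source and by /prefix_len network and report
    what share of the total the top sources account for."""
    by_src = Counter()
    by_net = Counter()
    for a in parse_alerts(text):
        if int(a["dport"]) != dport:
            continue
        by_src[a["src"]] += 1
        net = ipaddress.ip_network(f'{a["src"]}/{prefix_len}', strict=False)
        by_net[str(net)] += 1
    total = sum(by_src.values())
    top_srcs = by_src.most_common(top)
    top_share = sum(n for _, n in top_srcs) / total if total else 0.0
    return {
        "total": total,
        "sources": len(by_src),
        "top_sources": top_srcs,
        "top_share": top_share,
        "networks": by_net.most_common(top),
    }


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG, dport=1433, top=2)
    print(f'{r["total"]} alerts to tcp/1433 from {r["sources"]} sources; '
          f'top {len(r["top_sources"])} account for {r["top_share"]:.0%}')
    for src, n in r["top_sources"]:
        print(f"  {src:16} {n}")
    for net, n in r["networks"]:
        print(f"  {net:18} {n}")
```

A high top-source share over a long window is the "mostly the same src addr's" picture Mike describes and argues for a firewall drop on those few addresses rather than more sensor tuning; a flat distribution across many /24s is a sweep and is better answered by confirming nothing listens on 1433 at the border. Geographic attribution of the prefixes needs whois data the sensor does not have, so the code stops at the prefix view.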


--__--__--

Message: 10
Date: Fri, 13 Dec 2002 17:17:42 -0500 (EST)
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: snort-users () lists sourceforge net
Subject: [Snort-users] YASG :-) - yet another setup guide for snort (switched, Debian, MySQL, etc)

All,

Covers Debian GNU/Linux based setup for single sensor and distributed
environments, MySQL, ACID, etc.

"Complete Snort-based IDS Architecture, Part One "
http://online.securityfocus.com/infocus/1640

"Complete Snort-based IDS Architecture, Part Two"
http://online.securityfocus.com/infocus/1643

Comments are welcome!

Best,
--
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org



--__--__--

Message: 11
Date: Fri, 13 Dec 2002 17:21:25 -0500
Subject: Re: [Snort-users] New Trend: Intrusion Prevention
Cc: "Snort List (E-mail)" <snort-users () lists sourceforge net>
To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
From: Martin Roesch <roesch () sourcefire com>

Hi Paul,

I went into this on the Focus-IDS mailing list a month or so ago.
Basically, I believe IPS to be more of a threat to (or the future of)
firewalls.  Network intrusion prevention devices sit in-line and
provide permit/deny access control for packet streams based on whether
or not they're attacks.  Presumably it would be relatively easy as a
subset of functionality to add stateful packet filtering that's just as
good or better than any existing firewalling mechanisms.  Netscreen and
Checkpoint have figured this out which is why you see them making
aggressive moves in the IPS space.  Intrusion detection devices have a
VERY different role in the network security hierarchy, they provide
*awareness* of what's happening on your network, verification of policy
compliance and detection of potential threats and anomalies.

Let me lay out two scenarios that illustrate why intrusion prevention
!= intrusion detection and why it's unlikely that IPS will ever replace
IDS (and how everyone who's trying to tell you it will is trying to
sell you something):

1) IPS devices only guard the peering points (at best) of the network.
In the case of an attack between hosts on the same broadcast network
(inside the peering point) you have absolutely no coverage from the
IPS.  In that case you'll need to have an IDS to tell you what's going
on.  For example, someone in engineering decides to give himself a
raise by hacking into the accounting department and making it so, your
IPS has no visibility into this traffic so it's quite worthless.  Your
IDS can see this traffic, however, and collect the relevant information
for detection/enforcement of policy and evidence for law enforcement.

2) No IPS is going to be perfect, so attacks are going to slip through
them.  It can be attacks that they don't know about (new buffer
overflows, etc) or even traffic that's legitimate but hostile in your
environment, like non-anonymous logins to your anonymous FTP server.
If an attack gets by an IDS, how will you know?  You better have a
pretty good IDS to tell you, that's how.

There are several other things I could highlight, but I think this
illustrates the point pretty well and it's Friday and late and I feel
like going home. :)

      -Marty


On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW)
wrote:


I attended Infosecurity 2002 yesterday and there was much talk about
intrusion detection going away, and intrusion prevention replacing it.
Does anyone know if there are any plans to include intrusion prevention
functionality into Snort in the future?

Thanks,

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com






--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



--__--__--

Message: 12
Date: Fri, 13 Dec 2002 17:37:54 -0600
From: Todd Holloway <todd () duckland org>
To: snort-users () lists sourceforge net
Subject: [Snort-users] snorting SSL/TLS traffic?


I've been playing with "ssldump" today and I've gotten it so that (when
giving it the proper private key) I can decrypt some traffic (how much I'm
still not sure...but more than w/o the key).

Is there a way I can get snort "see" the network the same way?

Is somebody working on this...most of the traffic to our site is "https".

thanks
todd

--
[It] contains "vegetable stabilizer" which sounds ominous.  How unstable
are vegetables?
Jeff Zahn



--__--__--


End of Snort-users Digest



