Snort mailing list archives
SRI Emerald Project/ACID-XML Status Update
From: "S." <sleepy () maximumunix org>
Date: Wed, 22 Jan 2003 23:51:13 -0800
Hello everyone:

I just wanted to let you know I am getting ready to release ACID-XML for Unix by the end of the week. I have completely rewritten it, used expat for XML parsing, and QT for the GUI. It builds on Linux and OpenBSD, is written in C++, clean code, and looks pretty nice. I will explain the data structure later this week when I release it, but I just want some feedback, especially from people who downloaded the win32 version. It currently features the Events Table, but in addition to the features that were in the win32 version, I added 6 maps to show Src/Dst occurrence frequency in the ICMP/UDP/TCP protocols. If you have any suggestions, go ahead and post them on the site; if it is not too complicated, I might push it in as long as it would not require major testing.

I am sure the elders know about this, but I thought maybe the newcomers like me would like to read a bit about it. The Emerald project, being developed at Stanford Research Institute, has been working on an intrusion detection and network sensors project since 1996. They have recently acquired a patent, it seems. It is overall interesting; take a look: http://www.sdl.sri.com/projects/emerald/

Sleepy

Do you Unix? http://www.maximumunix.org

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, January 22, 2003 1:34 PM
Subject: Snort-users digest, Vol 1 #2702 - 15 msgs
Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Problems with local host .. (David Alonso De La Vega Tapage)
   2. $HOME_NET question (Ralph Churchill)
   3. Re: Problems with local host .. (Matt Kettler)
   4. Re: Problems with local host .. (Eli Stair)
   5. Attention ALL Windows Users : Install Complete IDS Solution on Windows - Major Update v2! (Michael Steele)
   6. Re: $HOME_NET question (Matt Kettler)
   7. Re: $HOME_NET question (Erek Adams)
   8. Re: Problems with local host .. (Erick Mechler)
   9. Re: Classifications (Peter VE)
  10. Re: $HOME_NET question (twig les)
  11. Hogwash Compile (JOHN R BLACKMORE)
  12. RE: $HOME_NET question (Michael Steele)
  13. Re: Snort Rules for LOKI Daemon (Matt Kettler)
  14. mysql_error (Darrin Powell)
  15. Re: Snort Rules for LOKI Daemon (twig les)

--__--__--

Message: 1
Date: Wed, 22 Jan 2003 15:09:08 -0500
From: David Alonso De La Vega Tapage <delavegad () bancoaliado com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problems with local host ..

Maybe it is a simple thing, but last day I recompiled my PHP, and now when I try to contact http://localhost/acid/acid_main.php I get this error:

The conection was refused when atemptin conect to local host ..

Any idea about it? Thanks for all suggestions in advance.

David Alonso

--__--__--

Message: 2
Date: Wed, 22 Jan 2003 12:13:31 -0800 (PST)
From: Ralph Churchill <mrchucho () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] $HOME_NET question

I have snort 1.8.7. I have set my $HOME_NET to be $eth0_ADDRESS and my external net set to !$HOME_NET. However, I still get alerts from other computers on my subnet! For example, the "SNMP public access udp" rule says:

alert udp $EXTERNAL_NET any -> $HOME_NET 161...

For this example, assume my IP is 192.168.1.2. I'm getting alerts for a packet from 172.20.39.32 to 192.168.1.3. Why? I'm totally confused. I thought $HOME, if set to $eth0_ADDRESS, would only give alerts for things coming into my IP?!?! Am I wrong?

RMC
--__--__--

Message: 3
Date: Wed, 22 Jan 2003 15:44:40 -0500
To: David Alonso De La Vega Tapage <delavegad () bancoaliado com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Problems with local host ..

I assume you're trying to do this on the box that PHP and whatever webserver you're using is installed on, instead of some other machine.

Did you check to see if the httpd is up and running? Try netstat -l; you should see a line like:

tcp        0      0 *:http                  *:*                     LISTEN

At 03:09 PM 1/22/2003 -0500, David Alonso De La Vega Tapage wrote:
> Maybe it is a simple thing, but last day I recompiled my PHP, and now when I try to contact http://localhost/acid/acid_main.php I get this error:
>
> The conection was refused when atemptin conect to local host ..
>
> Any idea about it? Thanks for all suggestions in advance.
>
> David Alonso

--__--__--

Message: 4
Date: Mon, 20 Jan 2003 18:11:57 -0500
From: Eli Stair <estair () tardis ath cx>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problems with local host ..

Try doing a google search for "The conection was refused when atemptin conect to local host" or checking on the Apache or PHP mailing lists.

On Wed, 22 Jan 2003 15:09:08 -0500
David Alonso De La Vega Tapage <delavegad () bancoaliado com> wrote:
> Maybe it is a simple thing, but last day I recompiled my PHP, and now when I try to contact http://localhost/acid/acid_main.php I get this error:
>
> The conection was refused when atemptin conect to local host ..
>
> Any idea about it? Thanks for all suggestions in advance.
>
> David Alonso

--
CAUTION: Repeated use of finger can cause a system to become overloaded, which can cause it to stop responding.
--Infinite wisdom from the font that is ISS 6.2.1

--__--__--

Message: 5
From: "Michael Steele" <michaels () silicondefense com>
To: <snort-users () lists sourceforge net>
Date: Wed, 22 Jan 2003 12:48:14 -0800
Subject: [Snort-users] Attention ALL Windows Users : Install Complete IDS Solution on Windows - Major Update v2!

To all Windows users of Snort:

Please read all the notices below.

Yesterday, with the latest release of my documentation, I found several minor to moderate buuuugs. If you have used that documentation please go back and update with the newly released version.

New Stuff.....

I have completed the documentation for creating a complete IDS solution for Windows using Apache as the webserver.

Right now the documentation ONLY addresses installing Snort, IIS or Apache, MySQL, and Acid.

Note: All support programs are cutting edge, so precautions are always wise.

Note: I will be addressing Snortsnarf in the very near future.

Note: This is a major rewrite of my previous documentation.

I would like to thank two very brave people for testing this installation:

Steve Konde
Robert Birkely

Also, great thanks to Michael Davis & Chris Reid for porting this great program, "SNORT", to Windows. The future of security :-) (Please, No flames)

Finally, the link: http://www.silicondefense.com/techsupport/windows-acid.htm

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

Message: 6
Date: Wed, 22 Jan 2003 15:54:16 -0500
To: Ralph Churchill <mrchucho () yahoo com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] $HOME_NET question

As per the comments in snort.conf, if you use $eth0_ADDRESS it uses the IP *and* netmask of eth0.

# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS

Thus in your case your HOME_NET is likely going to be 192.168.1.2/24, which means that 192.168.1.* will be recognized as part of it.

At 12:13 PM 1/22/2003 -0800, Ralph Churchill wrote:
> I have snort 1.8.7. I have set my $HOME_NET to be $eth0_ADDRESS and my external net set to !$HOME_NET. However, I still get alerts from other computers on my subnet! For example, the "SNMP public access udp" rule says:
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 161...
>
> For this example, assume my IP is 192.168.1.2. I'm getting alerts for a packet from 172.20.39.32 to 192.168.1.3. Why? I'm totally confused. I thought $HOME, if set to $eth0_ADDRESS, would only give alerts for things coming into my IP?!?! Am I wrong?
>
> RMC

--__--__--

Message: 7
Date: Wed, 22 Jan 2003 15:42:30 -0500 (EST)
From: Erek Adams <erek () snort org>
To: Ralph Churchill <mrchucho () yahoo com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] $HOME_NET question

On Wed, 22 Jan 2003, Ralph Churchill wrote:
> I have snort 1.8.7. I have set my $HOME_NET to be $eth0_ADDRESS and my external net set to !$HOME_NET. However, I still get alerts from other computers on my subnet! For example, the "SNMP public access udp" rule says:
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 161...
>
> For this example, assume my IP is 192.168.1.2. I'm getting alerts for a packet from 172.20.39.32 to 192.168.1.3. Why? I'm totally confused. I thought $HOME, if set to $eth0_ADDRESS, would only give alerts for things coming into my IP?!?! Am I wrong?

Depends. Where are the alerts coming from? From rules or from one of the preprocessors? Can you post a copy of the error?
Can you post your HOME_NET statement?

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 8
Date: Wed, 22 Jan 2003 12:53:03 -0800
From: Erick Mechler <emechler () techometer net>
To: David Alonso De La Vega Tapage <delavegad () bancoaliado com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problems with local host ..

:: Maybe it is a simple thing, but last day I recompiled my PHP, and now when
:: I try to contact http://localhost/acid/acid_main.php I get this error:
::
:: The conection was refused when atemptin conect to local host ..

Sounds like your web server isn't running. Try restarting it.

--__--__--

Message: 9
From: "Peter VE" <peter.ve () pandora be>
To: <snort-users () lists sourceforge net>, "Kenneth G. Arnold" <bkarnold () cbu edu>
Subject: Re: [Snort-users] Classifications
Date: Wed, 22 Jan 2003 21:57:17 +0100

Interesting idea... I'll try that. Thanks a lot!!!

P

----- Original Message -----
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, January 22, 2003 8:14 PM
Subject: Re: [Snort-users] Classifications

> The classification is stored in the database so you could use sql to change or set the classification of a preprocessor for ACID. Snortsnarf is another matter since it uses the alerts file directly.
>
> Ken
>
> At 07:05 AM 1/22/03 +0100, Peter VE wrote:
> > Hi all,
> >
> > Is it possible to assign a classification to a preprocessor? (e.g. to the portscan preprocessors; all of the log entries do not carry a classification, and it would be easier to maintain with ACID or another frontend if the preprocessor has a classification...)
> >
> > Does anyone know how to assign classtypes to a preprocessor? Or is this a matter of re-programming the preprocessor so it would support a classtype?
> >
> > thanks
> >
> > P

--__--__--

Message: 10
Date: Wed, 22 Jan 2003 12:57:16 -0800 (PST)
From: twig les <twigles () yahoo com>
Subject: Re: [Snort-users] $HOME_NET question
To: Ralph Churchill <mrchucho () yahoo com>, snort-users () lists sourceforge net

If I remember correctly from a previous post on this issue, 1.8.7 had a parsing problem. I'd just upgrade to 1.9.

--- Ralph Churchill <mrchucho () yahoo com> wrote:
> I have snort 1.8.7. I have set my $HOME_NET to be $eth0_ADDRESS and my external net set to !$HOME_NET. However, I still get alerts from other computers on my subnet! For example, the "SNMP public access udp" rule says:
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 161...
>
> For this example, assume my IP is 192.168.1.2. I'm getting alerts for a packet from 172.20.39.32 to 192.168.1.3. Why? I'm totally confused. I thought $HOME, if set to $eth0_ADDRESS, would only give alerts for things coming into my IP?!?! Am I wrong?
>
> RMC

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
--__--__--

Message: 11
Date: Wed, 22 Jan 2003 15:59 -0500
From: JOHN R BLACKMORE <JBLACKMORE () ATPCO NET>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Hogwash Compile

Stupid question: What's the syntax to compile hogwash with libnet?

Thanks!

--__--__--

Message: 12
From: "Michael Steele" <michaels () silicondefense com>
To: "'Ralph Churchill'" <mrchucho () yahoo com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] $HOME_NET question
Date: Wed, 22 Jan 2003 13:10:12 -0800

RMC,

If you are using 'var EXTERNAL_NET !$HOME_NET', then snort should pass on everything defined in 'var HOME_NET blah' on that sensor.

-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ralph Churchill
Sent: Wednesday, January 22, 2003 12:14 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] $HOME_NET question

I have snort 1.8.7. I have set my $HOME_NET to be $eth0_ADDRESS and my external net set to !$HOME_NET. However, I still get alerts from other computers on my subnet! For example, the "SNMP public access udp" rule says:

alert udp $EXTERNAL_NET any -> $HOME_NET 161...

For this example, assume my IP is 192.168.1.2. I'm getting alerts for a packet from 172.20.39.32 to 192.168.1.3. Why? I'm totally confused. I thought $HOME, if set to $eth0_ADDRESS, would only give alerts for things coming into my IP?!?! Am I wrong?

RMC

--__--__--

Message: 13
Date: Wed, 22 Jan 2003 16:22:25 -0500
To: "kevin reynolds" <kevinreynolds2525 () hotmail com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Snort Rules for LOKI Daemon

Well, a detection using this method would have to be a snort preprocessor. A simple snort rule cannot be stateful, thus can't compare the number of echo replies with the number of echo requests...

Of course, if there's something significant in the data contents of the echo reply packets themselves, then a simple snort rule would work great.

At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
> What rules, if any, does snort use to detect the lokid? If the default rule set does not include one, does anyone have a custom rule?
>
> Cisco IDS fires the lokid signature when it sees more incoming echo replies than outbound echo requests. This rule depends on the foreign host sending more echo replies to the local host than the local host has sent echo requests to it. With this logic, you could assume that you will see less than half of all possible loki intrusions.
>
> Thanks.
> Kevin

--__--__--

Message: 14
From: Darrin Powell <dpowell () lssi net>
To: snort-users () lists sourceforge net
Date: 22 Jan 2003 16:29:56 -0500
Subject: [Snort-users] mysql_error

I just installed snort 1.9 on Red Hat 8.0. I used the create_mysql found in /usr/local/src/snort-1.9.0/contrib/create_mysql. When I try to start snort I get the following error:

Jan 22 17:11:36 snortr0 snort: Portscan2 config:
Jan 22 17:11:36 snortr0 snort: log: /var/log/snort/scan.log
Jan 22 17:11:36 snortr0 snort: scanners_max: 3200
Jan 22 17:11:36 snortr0 snort: targets_max: 5000
Jan 22 17:11:36 snortr0 snort: target_limit: 5
Jan 22 17:11:37 snortr0 snort: port_limit: 20
Jan 22 17:11:37 snortr0 snort: timeout: 60
Jan 22 17:11:37 snortr0 snort: FATAL ERROR: database: mysql_error: Lost connection to MySQL server during query
Jan 22 17:11:37 snortr0 kernel: device eth0 left promiscuous mode

Any help would be greatly appreciated.

Thanks
Darrin

--__--__--

Message: 15
Date: Wed, 22 Jan 2003 13:33:01 -0800 (PST)
From: twig les <twigles () yahoo com>
Subject: Re: [Snort-users] Snort Rules for LOKI Daemon
To: Matt Kettler <mkettler () evi-inc com>, kevin reynolds <kevinreynolds2525 () hotmail com>, snort-users () lists sourceforge net

Didn't classic loki use something stupid in the packet that gave it away? I believe it was the same sequence number for every packet. The reason I bring this up is I am curious as to how you know what triggers an alert in Cisco IDS. I thought the signatures were off-limits... am I wrong?

--- Matt Kettler <mkettler () evi-inc com> wrote:
> Well, a detection using this method would have to be a snort preprocessor.
> A simple snort rule cannot be stateful, thus can't compare the number of echo replies with the number of echo requests...
>
> Of course, if there's something significant in the data contents of the echo reply packets themselves, then a simple snort rule would work great.
>
> At 02:38 PM 1/22/2003 +0000, kevin reynolds wrote:
> > What rules, if any, does snort use to detect the lokid? If the default rule set does not include one, does anyone have a custom rule?
> >
> > Cisco IDS fires the lokid signature when it sees more incoming echo replies than outbound echo requests. This rule depends on the foreign host sending more echo replies to the local host than the local host has sent echo requests to it. With this logic, you could assume that you will see less than half of all possible loki intrusions.
> >
> > Thanks.
> > Kevin

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
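The $HOME_NET exchange in the digest (Messages 2, 6, 7, 10 and 12) comes down to how $eth0_ADDRESS expands. The following is an added example, not code from the thread or from Snort itself: a small Python model of Snort's network variables that evaluates the "SNMP public access udp" rule against the packet Ralph reported, once with HOME_NET derived from the interface's IP plus netmask (as snort.conf says) and once as the single host address he expected. The packet list and the 255.255.255.0 netmask are constructed.

```python
"""Model of Snort network variables, to show why $eth0_ADDRESS alerts on the whole subnet."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def interface_network(ip: str, netmask: str) -> ipaddress.IPv4Network:
    # $eth0_ADDRESS is initialised from the interface's IP *and* netmask, so
    # 192.168.1.2 with 255.255.255.0 becomes the whole 192.168.1.0/24.
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


@dataclass(frozen=True)
class NetVar:
    """A Snort-style network variable; negated=True models 'var EXTERNAL_NET !$HOME_NET'."""
    networks: Tuple[ipaddress.IPv4Network, ...]
    negated: bool = False

    def contains(self, addr: str) -> bool:
        inside = any(ipaddress.ip_address(addr) in net for net in self.networks)
        return not inside if self.negated else inside


def snmp_rule_matches(home: NetVar, src: str, dst: str, dport: int, proto: str = "udp") -> bool:
    """Models 'alert udp $EXTERNAL_NET any -> $HOME_NET 161' with EXTERNAL_NET = !$HOME_NET."""
    external = NetVar(home.networks, negated=not home.negated)
    return proto == "udp" and dport == 161 and external.contains(src) and home.contains(dst)


# Constructed sample traffic: the packet from the thread plus two controls.
PACKETS = [
    ("172.20.39.32", "192.168.1.3", 161, "udp"),  # the alert Ralph reported
    ("172.20.39.32", "192.168.1.2", 161, "udp"),  # same source, to the sensor's own IP
    ("192.168.1.5", "192.168.1.3", 161, "udp"),   # neighbour to neighbour on the LAN
]


def evaluate(home: NetVar) -> List[bool]:
    """Rule verdict for each sample packet under the given HOME_NET."""
    return [snmp_rule_matches(home, src, dst, dport, proto) for src, dst, dport, proto in PACKETS]


# HOME_NET as Snort derives it from eth0 (IP and netmask) versus the single host the poster expected.
HOME_ETH0 = NetVar((interface_network("192.168.1.2", "255.255.255.0"),))
HOME_HOST = NetVar((ipaddress.ip_network("192.168.1.2/32"),))

if __name__ == "__main__":
    print("HOME_NET = $eth0_ADDRESS  ->", evaluate(HOME_ETH0))   # [True, True, False]
    print("HOME_NET = 192.168.1.2/32 ->", evaluate(HOME_HOST))   # [False, True, False]
```

With the /24, 192.168.1.3 is inside HOME_NET and the packet fires; with the /32 it is not, and a LAN neighbour becomes "external", which is its own source of surprises.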
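On the LOKI thread (Messages 13 and 15), Matt's point is that counting echo replies against echo requests needs state that a single rule does not keep. The following added example, not code from the thread, Snort or Cisco IDS, keeps that state per foreign peer over constructed ICMP records and flags peers that sent more echo replies than were requested; the second heuristic (every reply carrying the same sequence number) models twig les's recollection and is an assumption, as is the 192.168.1.0/24 monitored network.

```python
"""Stateful ICMP echo accounting: flag peers that send more echo replies than we requested."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

ECHO_REPLY, ECHO_REQUEST = 0, 8
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed monitored network


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    seq: int   # sequence number from the ICMP echo header


def is_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LOCAL_NET


def account(packets: List[Icmp]) -> Dict[str, dict]:
    """Per foreign peer, count echo requests we sent it and echo replies it sent back."""
    state: Dict[str, dict] = defaultdict(
        lambda: {"requests_out": 0, "replies_in": 0, "reply_seqs": set()})
    for p in packets:
        if p.icmp_type == ECHO_REQUEST and is_local(p.src) and not is_local(p.dst):
            state[p.dst]["requests_out"] += 1
        elif p.icmp_type == ECHO_REPLY and is_local(p.dst) and not is_local(p.src):
            state[p.src]["replies_in"] += 1
            state[p.src]["reply_seqs"].add(p.seq)
    return dict(state)


def findings(state: Dict[str, dict], min_replies: int = 3) -> Dict[str, List[str]]:
    """Reasons per peer: unsolicited replies (the count-based check) and a constant sequence number."""
    out: Dict[str, List[str]] = {}
    for peer, s in sorted(state.items()):
        reasons = []
        if s["replies_in"] > s["requests_out"]:
            reasons.append(f"{s['replies_in']} replies for {s['requests_out']} requests")
        if s["replies_in"] >= min_replies and len(s["reply_seqs"]) == 1:
            reasons.append("all replies carry the same sequence number")
        if reasons:
            out[peer] = reasons
    return out


# Constructed traffic: a normal three-packet ping exchange with 10.0.0.7, then one
# request to 203.0.113.9 answered by five replies that all reuse sequence number 0.
SAMPLE = [
    Icmp("192.168.1.2", "10.0.0.7", ECHO_REQUEST, 1), Icmp("10.0.0.7", "192.168.1.2", ECHO_REPLY, 1),
    Icmp("192.168.1.2", "10.0.0.7", ECHO_REQUEST, 2), Icmp("10.0.0.7", "192.168.1.2", ECHO_REPLY, 2),
    Icmp("192.168.1.2", "10.0.0.7", ECHO_REQUEST, 3), Icmp("10.0.0.7", "192.168.1.2", ECHO_REPLY, 3),
    Icmp("192.168.1.2", "203.0.113.9", ECHO_REQUEST, 1),
] + [Icmp("203.0.113.9", "192.168.1.2", ECHO_REPLY, 0) for _ in range(5)]

if __name__ == "__main__":
    for peer, why in findings(account(SAMPLE)).items():
        print(peer, "->", "; ".join(why))   # only 203.0.113.9 is reported
```

As Kevin notes, a peer that only answers when asked never trips the reply count, so this catches a subset of cases and belongs in a preprocessor or a separate analysis pass rather than in a rule.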
Current thread:
- SRI Emerald Project/ACID-XML Status Update S. (Jan 23)