Snort mailing list archives

Re: Snort-users digest, Vol 1 #3831 - 5 msgs


From: "Richard St John" <Richard.StJohn () gbe com>
Date: Wed, 17 Dec 2003 22:23:50 -0600

My mail box has received a message from you.

I will be out of the office on vacation from December 17 through January 4, 2004. I will check E-mail occasionally but
will not be in a position to check it routinely.

If this is an emergency, please feel free to contact me via my cell phone.

Thanks for your understanding

Richard S. St. John
Graybar Electric Company
Sr. ISDD
Phone: 314-573-5907
Cell Phone: 636-448-5366
E-Mail: richard.stjohn () gbe com
PGP Key ID: 0xC52419E2

"snort-users () lists sourceforge net" 12/17/03 22:12 >>>

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Another Not IPv4 Datagram (Mike Maki)
   2. RE: Weird stuff when compiling snort w/ MySQL support (Michael Chapman)
   3. CanSecWest/core04 Really Really Last CFP (Dragos Ruiu)
   4. Re: Problem with "Established" keyword (Chris Green)
   5. Re: Problem with "Established" keyword (Ryan Russell)

--__--__--

Message: 1
From: "Mike Maki" <mmaki () adelphia net>
To: <snort-users () lists sourceforge net>
Date: Wed, 17 Dec 2003 15:25:13 -0800
Subject: [Snort-users] Another Not IPv4 Datagram

I've found one of my OpenBSD 3.3 Samba file servers is broadcasting a bogus
packet every 12 minutes (Header length: 0 bytes). It looks to me like 
an NT browser election request or response. Snort alerts it as
"Not IPv4 datagram!" Is the packet actually malformed?
My other OBSD Samba servers don't do
this. The full packet is below. Thanks for any ideas.

Mike

Frame 4 (264 bytes on wire, 264 bytes captured)
    Packet Length: 264 bytes
    Capture Length: 264 bytes
Ethernet II, Src: 00:30:6e:11:b1:73, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:6e:11:b1:73 (HewlettP_11:b1:73)
    Type: IP (0x0800)
Internet Protocol
    Version: 0
    Header length: 0 bytes (bogus, must be at least 20)

0000  ff ff ff ff ff ff 00 30 6e 11 b1 73 08 00 00 00   .......0n..s....
0010  00 00 00 00 00 00 00 11 00 e6 a5 53 4e 0c a5 53   ...........SN..S
0020  4e 7f 00 8a 00 8a 00 e6 00 00 11 0a 19 28 a5 53   N............(.S
0030  4e 0c 00 8a 00 d0 00 00 20 45 4a 45 4f 46 41 46   N....... EJEOFAF
0040  44 45 42 45 4e 45 50 43 4e 45 49 46 42 45 48 45   DEBENEPCNEIFBEHE
0050  4a 46 44 44 42 43 41 41 41 00 20 46 44 45 42 45   JFDDBCAAA. FDEBE
0060  4e 45 50 45 49 46 42 43 41 43 41 43 41 43 41 43   NEPEIFBCACACACAC
0070  41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 4d 42   ACACACACABN..SMB
0080  25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   %...............
0090  00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 36   ...............6
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 36 00 56 00 03 00 01 00 01 00 02 00 47   ...6.V.........G
00c0  00 5c 4d 41 49 4c 53 4c 4f 54 5c 42 52 4f 57 53   .\MAILSLOT\BROWS
00d0  45 00 01 3a 80 fc 0a 00 49 4e 50 53 41 4d 4f 2d   E..:....INPSAMO-
00e0  48 51 47 49 53 31 00 00 04 09 03 9b 00 00 0f 01   HQGIS1..........
00f0  55 aa 47 49 53 20 53 61 6d 62 61 20 46 69 6c 65   U.GIS Samba File
0100  20 53 65 72 76 65 72 00                            Server.
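
A way to see exactly what Snort is objecting to, and what the frame carries anyway, is to step through the bytes posted above. The following Python script is an added example, not code from this thread, from Samba or from Snort; the only data it uses is the hex dump in the message, and its one assumption is to step over the damaged IP header as if it were the normal 20 bytes. The version nibble and header length are 0 where 4 and 20 are required, and the total length and TTL are 0 as well, which is all the decoder needs to give up with "Not IPv4 datagram!". Past those bytes the datagram is intact: UDP 138 to 138 with a length field that matches the bytes captured, a NetBIOS DIRECT_GROUP datagram from INPSAMO-HQGIS1<00> to SAMOHQ<1D> (the workgroup's master-browser name), and a browser HostAnnouncement whose periodicity field is 720000 ms, i.e. the 12 minutes reported.

```python
"""Dissect the 264-byte broadcast frame from the post (added example, not
code from the thread, Samba or Snort). Shows why the IP layer is rejected
and what the rest of the datagram carries when the header is stepped over
as though it were the normal 20 bytes."""
import struct

# Hex dump from the post with offsets and ASCII column removed.
FRAME_HEX = """
ff ff ff ff ff ff 00 30 6e 11 b1 73 08 00 00 00
00 00 00 00 00 00 00 11 00 e6 a5 53 4e 0c a5 53
4e 7f 00 8a 00 8a 00 e6 00 00 11 0a 19 28 a5 53
4e 0c 00 8a 00 d0 00 00 20 45 4a 45 4f 46 41 46
44 45 42 45 4e 45 50 43 4e 45 49 46 42 45 48 45
4a 46 44 44 42 43 41 41 41 00 20 46 44 45 42 45
4e 45 50 45 49 46 42 43 41 43 41 43 41 43 41 43
41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 4d 42
25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 36
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 36 00 56 00 03 00 01 00 01 00 02 00 47
00 5c 4d 41 49 4c 53 4c 4f 54 5c 42 52 4f 57 53
45 00 01 3a 80 fc 0a 00 49 4e 50 53 41 4d 4f 2d
48 51 47 49 53 31 00 00 04 09 03 9b 00 00 0f 01
55 aa 47 49 53 20 53 61 6d 62 61 20 46 69 6c 65
20 53 65 72 76 65 72 00
"""
FRAME = bytes.fromhex("".join(FRAME_HEX.split()))


def decode_netbios_name(encoded: bytes):
    """Reverse RFC 1001 first-level encoding: each of the 16 name bytes is
    sent as two letters 'A'..'P', one per nibble. Returns (name without the
    space padding, 16th-byte suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("expected 32 bytes in 'A'..'P'")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> NetBIOS datagram -> SMB mailslot."""
    out = {"eth_type": struct.unpack("!H", frame[12:14])[0]}  # 0x0800 says IPv4

    ip = frame[14:]
    out["ip_version"] = ip[0] >> 4               # 0, must be 4
    out["ip_header_len"] = (ip[0] & 0x0F) * 4    # 0, must be >= 20
    out["ip_total_len"] = struct.unpack("!H", ip[2:4])[0]   # 0 as well
    out["ip_ttl"], out["ip_proto"] = ip[8], ip[9]           # TTL 0, proto 17 (UDP)
    out["ip_src"], out["ip_dst"] = dotted(ip[12:16]), dotted(ip[16:20])

    udp = ip[20:]   # assumption: treat the header as a normal 20 bytes
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    out["udp_ports"], out["udp_len"] = (sport, dport), ulen
    # Equal lengths mean the damage is confined to the IP header.
    out["udp_len_matches_capture"] = ulen == len(udp)

    # NetBIOS datagram service header (RFC 1002 4.4.1), then two encoded
    # names, each preceded by a 0x20 label length and followed by 0x00.
    nb = udp[8:]
    out["nb_msg_type"] = nb[0]                   # 0x11: DIRECT_GROUP datagram
    out["nb_src_name"] = decode_netbios_name(nb[15:47])
    out["nb_dst_name"] = decode_netbios_name(nb[49:81])

    # SMB Transaction to the browser mailslot: locate the mailslot name
    # instead of parsing the whole Transaction parameter block.
    smb = nb[82:]
    slot = b"\\MAILSLOT\\BROWSE\x00"
    idx = smb.find(slot)
    if idx < 0:
        raise ValueError("no browser mailslot in frame")
    out["mailslot"] = slot[:-1].decode("ascii")
    browse = smb[idx + len(slot):]
    out["browse_opcode"] = browse[0]             # 0x01: HostAnnouncement
    out["announce_period_ms"] = struct.unpack("<I", browse[2:6])[0]
    out["server_name"] = browse[6:22].split(b"\x00")[0].decode("ascii")
    out["os_version"] = (browse[22], browse[23])
    out["server_type"] = struct.unpack("<I", browse[24:28])[0]
    out["comment"] = browse[32:].split(b"\x00")[0].decode("ascii")
    return out


if __name__ == "__main__":
    for key, value in dissect(FRAME).items():
        print(f"{key:>24}: {value!r}")
```

Run as a script it prints every field. The comparison worth making is the same walk over an announcement from one of the other OpenBSD Samba servers: a healthy frame of this size would start its IP header with 0x45 and carry a total length of 250, and the bytes that differ from that tell you how much of the header was clobbered.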


--__--__--

Message: 2
Subject: RE: [Snort-users] Weird stuff when compiling snort w/ MySQL support
Date: Wed, 17 Dec 2003 15:40:27 -0800
From: "Michael Chapman" <MChapman () ascentmedia com>
To: <snort-users () lists sourceforge net>

Never mind folks ... my apologies ... I answered my own question by
uninstalling the default MySQL distro with RH9, and installing from
SRPM.

Thanks!

Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Chapman
Sent: Wednesday, December 17, 2003 2:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Weird stuff when compiling snort w/ MySQL support

Hi there:

I know I've done this before successfully ... but I cannot for the life
of me figure out what is going wrong here.  Givens:  RH 9.0, all
appropriate patches/updates, MySQL distribution that comes with RH 9.0,
Snort 2.0.5 tarball.  MySQL is running fine - database and tables have
been created.  Snort will compile with the appropriate switches
successfully:

./configure --with-mysql=/usr --with-openssl --prefix=/usr/local/snort

And make/make install of course do not have problems.  Adding the
following lines to snort.conf:

output database: log, mysql, user=nickdanger password=***** dbname=snort host=localhost

When attempting to fire up Snort, it complains that it hasn't been
compiled with MySQL support.  ???

Any ideas?

Thanks!

Michael Chapman



--__--__--

Message: 3
From: Dragos Ruiu <dr () kyx net>
Organization: All Terrain Ninjas
To: snort-users () lists sourceforge net
Date: Wed, 17 Dec 2003 15:46:12 -0800
Subject: [Snort-users] CanSecWest/core04 Really Really Last CFP

LAST CALL FOR PAPERS

CanSecWest/core04
Network Security Training Conference
http://cansecwest.com
April 21,22,23 - 2004
Vancouver, B.C.
Canada

CanSecWest would like to announce the final really, really,
last call for papers of the spring, fifth annual,
CanSecWest/core04 network security training conference.  The
conference will be held on April 21,22,23 at the Marriott
Renaissance in downtown Vancouver, British Columbia, Canada.
The conference focuses on emerging information security
tutorials and technology.

So many people have come in after the deadline (because we set it
earlier this year) and asked for more time that the deadline
will be extended to: January 5, 2004.

Preference will be given to earlier proposals.
Resubmissions are not necessary for those who have
submitted though they may resubmit at their option.

LIGHTNING TALKS
I would also like to announce the call for a second type of
presentation. This year we will do a session of "lightning
talks": 5 minutes max (BigHook/Gong enforced) and 1-3 slides.
Selected "lightning talk" presenters will only receive
registration discounts (or rebates) - travel and accommodations
are their responsibility. "Lightning talk" submissions
should follow the same submission guidelines below.
Deadline for "lightning talk" submissions is January 15th, 2004.

Please make your paper proposal submissions on/before January 5, 2004!
The conference is responsible for travel and accommodations for
the speakers. If you have a proposal for a tutorial session then
please email a synopsis of the material and your biography,
papers, and speaking background to core04 () cansecwest com.
Tutorials are one hour in length. Only slides will be needed for
the March paper deadline; full text does not have to be submitted.

The CanSecWest/core04 conference consists of tutorials
on technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of professionals
involved on a daily basis with security work: security product
vendors, programmers, security officers, and network
administrators. We give preference to technical details
and education for a technical audience.

The conference itself is a single track series of presentations
in a lecture theater environment.  The presentations offer
speakers the opportunity to showcase on-going research
and collaborate with peers while educating and highlighting
advancements in security products and techniques.
The focus is on innovation, tutorials, and education
instead of overt product pitches. Some commercial content
is tolerated, but it needs to be backed up by a technical
presenter - either giving a valuable tutorial and best
practices instruction or detailing significant new
technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)
   and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an
    important tutorial.
7) Optionally, any samples of prepared material or outlines ready.

Please forward the above information to core04 () cansecwest com to
be considered for placement on the speaker roster.

CanSecWest/core04 details can be found at http://cansecwest.com

thanks,
--dr

-- 
Top security experts.  Cutting edge tools, techniques and information.
Vancouver, Canada       April 21-23 2004  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp


--__--__--

Message: 4
To: Ryan Russell <ryan () thievco com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with "Established" keyword
From: Chris Green <cmg () uab edu>
Reply-To: snort-users () lists sourceforge net
Date: Wed, 17 Dec 2003 19:48:57 -0500

Ryan Russell <ryan () thievco com> writes:

> I did find the discussion about this in October, but I could find no
> real solution in that discussion.
>
> I just did a fresh install of Snort 2.0.5 on OpenBSD 3.4.  Just a
> simple configure; make; make install, and copied the rules and config
> files to a directory, and started Snort from there.
>
> It appears that none of the rules with established will fire.  If I
> take that keyword out of the rule, it works fine.
>
> Was there some change to Snort that broke this, or is some
> preprocessor not handling it properly?


The most typical reason this happens is bad checksums on packets
somewhere. It's not outside the realm of possibility that something
else is screwed up.
-- 
Chris Green <cmg () dok org>
"Yeah, but you're taking the universe out of context."



--__--__--

Message: 5
Date: Wed, 17 Dec 2003 17:04:20 -0800
From: Ryan Russell <ryan () thievco com>
To:  snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with "Established" keyword

Chris Green wrote:
> The most typical reason this happens is bad checksums on packets
> somewhere. It's not outside the realm of possibility that something
> else is screwed up.

Jeremy from Sourcefire was trying to help me off-list.  Unfortunately,
my reproducible test case has stopped reproducing.

The only difference (that I can see) is that the machine config outside
of Snort has been changed.  It's now also acting as a router and firewall.

The test I was doing was with a standard browser on an external Windows
client, and Apache running on the OpenBSD box itself.  I was able to do
the test several times, with and without the "established" in my rule,
and the problem followed the "established" each time.  The web server
and browser were responding appropriately for the tests I was doing, and
this was with the OpenBSD box and Windows box plugged into the same hub.
So, I believe that corrupt packets were not likely the cause, but I
appreciate the suggestion.

I can only think it may be some weirdness with the local IP stack and pcap?

                                        Ryan
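
Chris's suggestion above is checkable from the capture itself. The Python below is an added example, not code from either poster, from Snort or from OpenBSD: it implements the RFC 1071 checksum that a sniffer verifies, builds a constructed client-to-web-server segment (documentation-range addresses and made-up ports) with correct IPv4 and TCP checksums, and compares it with two variants that fail verification. The first variant has the TCP checksum field left at 0, which is what a capture taken on the sending host sees when the NIC does checksum offload and pcap copies the packet before the checksum is written in; the second has one payload bit flipped after checksumming. Snort 2.x verifies checksums by default and does not track a flow through packets that fail, so a rule with `established` cannot match on them; whether that is what happened on Ryan's box is not something the thread settles. Sample frames are constructed inline.

```python
"""Verify IPv4 and TCP checksums the way a checksum-checking sniffer does
(added example, not code from the thread, Snort or OpenBSD). The frames
built here are constructed samples with made-up addresses and ports."""
import struct

ETH_IPV4 = 0x0800
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded).
    Run over data that already contains its checksum, it returns 0 when the
    checksum is correct; run over data with the field zeroed, it returns the
    checksum to insert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src, dst, sport, dport, flags, payload=b"", tcp_csum=None,
                    src_mac=b"\x02\x00\x00\x00\x00\x01",
                    dst_mac=b"\x02\x00\x00\x00\x00\x02") -> bytes:
    """Ethernet II + IPv4 (no options) + TCP (no options). tcp_csum=None
    computes the real TCP checksum; tcp_csum=0 mimics an offloaded segment
    as seen by a capture on the sending host."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    if tcp_csum is None:
        pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp))
        tcp_csum = inet_checksum(pseudo + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + tcp


def verify_checksums(frame: bytes):
    """Return (ip_ok, tcp_ok) for an Ethernet/IPv4/TCP frame; tcp_ok is None
    for non-TCP payloads. Raises on frames that are not IPv4 at all."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        raise ValueError("not an IPv4 ethertype")
    ip = frame[14:]
    if ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")   # the situation in message 1
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip_ok = inet_checksum(ip[:ihl]) == 0
    if ip[9] != 6:
        return ip_ok, None
    tcp = ip[ihl:total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ip_ok, inet_checksum(pseudo + tcp) == 0


def demo() -> dict:
    """One constructed HTTP request in three states: correct, TCP checksum
    left at 0 (offload seen from the sending host), payload bit flipped."""
    client, server = "192.0.2.10", "192.0.2.1"
    req = b"GET / HTTP/1.0\r\n\r\n"
    good = build_tcp_frame(client, server, 1025, 80, TCP_ACK | TCP_PSH, req)
    offloaded = build_tcp_frame(client, server, 1025, 80, TCP_ACK | TCP_PSH,
                                req, tcp_csum=0)
    corrupted = bytearray(good)
    corrupted[-1] ^= 0x01                     # flip a payload bit after checksumming
    return {"good": verify_checksums(good),
            "offloaded": verify_checksums(offloaded),
            "corrupted": verify_checksums(bytes(corrupted))}


if __name__ == "__main__":
    for name, (ip_ok, tcp_ok) in demo().items():
        print(f"{name:>10}: ip_ok={ip_ok} tcp_ok={tcp_ok}")
```

Pointed at real frames from the capture (Ethernet II, no VLAN tag), `verify_checksums` tells you whether the packets that should have built the flow would have passed Snort's check. The `config checksum_mode` directive in snort.conf controls which checksums Snort verifies; turning TCP verification off is the usual workaround when the sensor is also the sending host, but it is worth knowing which case you are in before doing so.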




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




