Snort mailing list archives
Re:Snort-users digest, Vol 1 #3831 - 5 msgs
From: "Richard St John" <Richard.StJohn () gbe com>
Date: Wed, 17 Dec 2003 22:23:50 -0600
My mail box has received a message from you. I will be out of the office on vacation from December 17 through January 4, 2004. I will check E-mail occasionally but will not be in a position to check it routinely. If this is an emergency, please feel free to contact me via my cell phone.

Thanks for your understanding,

Richard S. St. John
Graybar Electric Company
Sr. ISDD
Phone: 314-573-5907
Cell Phone: 636-448-5366
E-Mail: richard.stjohn () gbe com
PGP Key ID: 0xC52419E2
"snort-users () lists sourceforge net" 12/17/03 22:12 >>>
Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. Another Not IPv4 Datagram (Mike Maki)
2. RE: Weird stuff when compiling snort w/ MySQL support (Michael Chapman)
3. CanSecWest/core04 Really Really Last CFP (Dragos Ruiu)
4. Re: Problem with "Established" keyword (Chris Green)
5. Re: Problem with "Established" keyword (Ryan Russell)

--__--__--

Message: 1
From: "Mike Maki" <mmaki () adelphia net>
To: <snort-users () lists sourceforge net>
Date: Wed, 17 Dec 2003 15:25:13 -0800
Subject: [Snort-users] Another Not IPv4 Datagram

I've found one of my OpenBSD 3.3 Samba file servers is broadcasting a bogus packet every 12 minutes (Header length: 0 bytes). It looks to me like an NT browser election request or response. Snort alerts it as "Not IPv4 datagram!" Is the packet actually malformed? My other OBSD Samba servers don't do this. The full packet is below. Thanks for any ideas.

Mike

Frame 4 (264 bytes on wire, 264 bytes captured)
  Packet Length: 264 bytes
  Capture Length: 264 bytes
Ethernet II, Src: 00:30:6e:11:b1:73, Dst: ff:ff:ff:ff:ff:ff
  Destination: ff:ff:ff:ff:ff:ff (Broadcast)
  Source: 00:30:6e:11:b1:73 (HewlettP_11:b1:73)
  Type: IP (0x0800)
Internet Protocol
  Version: 0
  Header length: 0 bytes (bogus, must be at least 20)

0000  ff ff ff ff ff ff 00 30 6e 11 b1 73 08 00 00 00  .......0n..s....
0010  00 00 00 00 00 00 00 11 00 e6 a5 53 4e 0c a5 53  ...........SN..S
0020  4e 7f 00 8a 00 8a 00 e6 00 00 11 0a 19 28 a5 53  N............(.S
0030  4e 0c 00 8a 00 d0 00 00 20 45 4a 45 4f 46 41 46  N....... EJEOFAF
0040  44 45 42 45 4e 45 50 43 4e 45 49 46 42 45 48 45  DEBENEPCNEIFBEHE
0050  4a 46 44 44 42 43 41 41 41 00 20 46 44 45 42 45  JFDDBCAAA. FDEBE
0060  4e 45 50 45 49 46 42 43 41 43 41 43 41 43 41 43  NEPEIFBCACACACAC
0070  41 43 41 43 41 43 41 43 41 42 4e 00 ff 53 4d 42  ACACACACABN..SMB
0080  25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  %...............
0090  00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 36  ...............6
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00b0  00 00 00 36 00 56 00 03 00 01 00 01 00 02 00 47  ...6.V.........G
00c0  00 5c 4d 41 49 4c 53 4c 4f 54 5c 42 52 4f 57 53  .\MAILSLOT\BROWS
00d0  45 00 01 3a 80 fc 0a 00 49 4e 50 53 41 4d 4f 2d  E..:....INPSAMO-
00e0  48 51 47 49 53 31 00 00 04 09 03 9b 00 00 0f 01  HQGIS1..........
00f0  55 aa 47 49 53 20 53 61 6d 62 61 20 46 69 6c 65  U.GIS Samba File
0100  20 53 65 72 76 65 72 00                          Server.

--__--__--

Message: 2
Subject: RE: [Snort-users] Weird stuff when compiling snort w/ MySQL support
Date: Wed, 17 Dec 2003 15:40:27 -0800
From: "Michael Chapman" <MChapman () ascentmedia com>
To: <snort-users () lists sourceforge net>

Never mind folks ... my apologies ... I answered my own question by uninstalling the default MySQL distro with RH9, and installing from SRPM.

Thanks!

Michael

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael Chapman
Sent: Wednesday, December 17, 2003 2:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Weird stuff when compiling snort w/ MySQL support

Hi there:

I know I've done this before successfully ... but I cannot for the life of me figure out what is going wrong here.
Givens: RH 9.0, all appropriate patches/updates, MySQL distribution that comes with RH 9.0, Snort 2.0.5 tarball. MySQL is running fine - database and tables have been created. Snort will compile with the appropriate switches successfully:

./configure --with-mysql=/usr --with-openssl --prefix=/usr/local/snort

And make/make install of course do not have problems. Adding the following lines to snort.conf:

output database: log, mysql, user=nickdanger password=***** dbname=snort host=localhost

When attempting to fire up Snort, it complains that it hasn't been compiled with MySQL support. ???

Any ideas?

Thanks!

Michael Chapman

--__--__--

Message: 3
From: Dragos Ruiu <dr () kyx net>
Organization: All Terrain Ninjas
To: snort-users () lists sourceforge net
Date: Wed, 17 Dec 2003 15:46:12 -0800
Subject: [Snort-users] CanSecWest/core04 Really Really Last CFP

LAST CALL FOR PAPERS
CanSecWest/core04 Network Security Training Conference
http://cansecwest.com
April 21,22,23 - 2004
Vancouver, B.C. Canada

CanSecWest would like to announce the final really, really, last call for papers of the spring, fifth annual, CanSecWest/core04 network security training conference. The conference will be held on April 21,22,23 at the Marriott Renaissance in downtown Vancouver, British Columbia, Canada. The conference focuses on emerging information security tutorials and technology.

So many people have come in after the deadline because we did it earlier this year and asked for more time... that the deadline will be extended to: January 5, 2004. Preference will be given to earlier proposals. Resubmissions are not necessary for those who have submitted though they may resubmit at their option.

LIGHTNING TALKS

I would also like to announce the call for a second type of presentation. This year we will do a session of "lightning talks": 5 minutes max (BigHook/Gong enforced) and 1-3 slides. Selected "lightning talk" presenters will only receive registration discounts (or rebates) - travel and accommodations are their responsibility. "Lightning talk" submissions should follow the same submission guidelines below. Deadline for "lightning talk" submissions is January 15th, 2004.

Please make your paper proposal submissions on/before January 5, 2004!

The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers, and speaking background to core04 () cansecwest com. Tutorials are one hour in length. Only slides will be needed for the March paper deadline; full text does not have to be submitted.
The CanSecWest/core04 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of overt product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important tutorial.
7) Optionally, any samples of prepared material or outlines ready.

Please forward the above information to core04 () cansecwest com to be considered for placement on the speaker roster. CanSecWest/core04 details can be found at http://cansecwest.com

thanks,
--dr

--
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

--__--__--

Message: 4
To: Ryan Russell <ryan () thievco com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with "Established" keyword
From: Chris Green <cmg () uab edu>
Reply-To: snort-users () lists sourceforge net
Date: Wed, 17 Dec 2003 19:48:57 -0500

Ryan Russell <ryan () thievco com> writes:
I did find the discussion about this in October, but I could find no real solution in that discussion. I just did a fresh install of Snort 2.0.5 on OpenBSD 3.4. Just a simple configure; make; make install, copied the rules and config files to a directory, and started Snort from there. It appears that none of the rules with established will fire. If I take that keyword out of the rule, it works fine. Was there some change to Snort that broke this, or is some preprocessor not handling it properly?
The most typical reason this happens is bad checksums on packets somewhere. It's not outside the realm of possibility that something else is screwed up.

--
Chris Green <cmg () dok org>
"Yeah, but you're taking the universe out of context."

--__--__--

Message: 5
Date: Wed, 17 Dec 2003 17:04:20 -0800
From: Ryan Russell <ryan () thievco com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with "Established" keyword

Chris Green wrote:

The most typical reason this happens is bad checksums on packets somewhere. It's not outside the realm of possibility that something else is screwed up.
Jeremy from Sourcefire was trying to help me off-list. Unfortunately, my reproducible test case has stopped reproducing. The only difference (that I can see) is that the machine config outside of Snort has been changed. It's now also acting as a router and firewall. The test I was doing was with a standard browser on an external Windows client, and Apache running on the OpenBSD box itself. I was able to do the test several times, with and without the "established" in my rule, and the problem followed the "established" each time. The web server and browser were responding appropriately for the tests I was doing, and this was with the OpenBSD box and Windows box plugged into the same hub. So, I believe that corrupt packets were not likely the cause, but I appreciate the suggestion. I can only think it may be some weirdness with the local IP stack and pcap?

Ryan

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
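Both technical threads in this digest turn on checks Snort's decoder makes before any rule can match: Mike Maki's frame (Message 1) fails the IP version/header-length check and is alerted as "Not IPv4 datagram!", and Chris Green's explanation for `established` never matching (Messages 4 and 5) is a packet failing a checksum check. The Python below is an added example, not Snort's code: it re-implements those two checks and runs them over the first 42 bytes of the dump in Message 1 and over a constructed TCP frame with a correct and then a corrupted checksum; the `build_tcp_frame` helper and the 192.0.2.x addresses are assumptions of mine.

```python
import struct

# Added example, not Snort source. Two decoder-level checks Snort applies before
# any rule runs: an IP version/IHL check (the "Not IPv4 datagram!" alert) and
# IP/TCP checksum verification (a failing packet is flagged and ignored by
# stream tracking, so a rule using "established" can never match it).

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 over data that already carries a correct one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_frame(frame: bytes) -> str:
    """Return 'ok' or the name of the first check this Ethernet frame fails."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "not an IP ethertype"
    ip = frame[14:]
    if len(ip) < 20:
        return "truncated IP header"
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return "Not IPv4 datagram!"
    if ones_complement_sum(ip[:ihl]) != 0:
        return "bad IP checksum"
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] == 6:                       # TCP: checksum also covers a pseudo-header
        seg = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
        if ones_complement_sum(pseudo + seg) != 0:
            return "bad TCP checksum"
    return "ok"

def build_tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Hypothetical helper: a minimal Ethernet/IPv4/TCP frame with valid checksums."""
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\xff" * 6 + b"\x00\x30\x6e\x11\xb1\x73" + b"\x08\x00" + ip + tcp

# First 42 bytes of the dump in Message 1: ethertype 0x0800, then an "IP header"
# whose first byte is 0x00 (version 0, IHL 0) yet still carries protocol 17 and
# UDP ports 138/138, the NetBIOS datagram service used by browser announcements.
MAKI_FRAME = bytes.fromhex(
    "ffffffffffff00306e11b1730800"
    "000000000000000000" "11" "00e6" "a5534e0c" "a5534e7f"
    "008a008a00e60000")

# Constructed ACK segment (addresses are made up) and a copy with one flipped
# checksum byte, the kind of damage Chris Green has in mind.
GOOD_FRAME = build_tcp_frame("192.0.2.10", "192.0.2.80", 51000, 80, 0x10)
BAD_FRAME = GOOD_FRAME[:50] + bytes([GOOD_FRAME[50] ^ 0xFF]) + GOOD_FRAME[51:]
```

A capture taken on the host that generates the traffic, as in Ryan's test with Apache on the OpenBSD box itself, is the classic place to see bad TCP checksums when the NIC fills them in after the sniffer has already copied the packet, so running this check over such a capture is the quickest way to confirm or rule out Chris's hypothesis.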