Snort mailing list archives

help


From: "Hendry Fong" <hendry () csie nctu edu tw>
Date: Mon, 22 Mar 2004 23:19:29 +0800



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Sunday, March 21, 2004 12:10 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4065 - 8 msgs


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Snort-users digest..."


Today's Topics:

   1. FreeBSD install guide for Sguil 0.3.1 (Richard Bejtlich)
   2. Re: Feature request: thresholds need another counter? (Jason Haar)
   3. http_decode line in snort.conf gets garbled (Christophe Zwecker)
   4. uricontent easily evaded on Apache (Kanatoko)
   5. Exhausted - SNORT not logging to MySQL database (Your Name)
   6. Re: Exhausted - SNORT not logging to MySQL database (Paul Schmehl)
   7. RE: Exhausted - SNORT not logging to MySQL database (Michael Steele)
   8. Promiscuous Mode (pfeito)

--__--__--

Message: 1
Date: Fri, 19 Mar 2004 20:19:31 -0800 (PST)
From: Richard Bejtlich <richard_bejtlich () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] FreeBSD install guide for Sguil 0.3.1

Hello,

I released a new Sguil install guide using Sguil
0.3.1, FreeBSD 5.2.1 REL, Snort 2.1.1, Barnyard
0.2beta2, MySQL 4.0.18, and other updates. It's
available in text form at:

http://sguil.sourceforge.net/sguil_guide_0-3-1_02.txt

Sguil is an open source interface to alert data from
Snort, session data collected by Snort's stream4
preprocessor, and full content data collected by a
second instance of Snort running in packet logging
mode.  Sguil is written in Tcl/Tk and stores its data
in a MySQL database.

The packages for FreeBSD 5.2.1 REL mentioned in the
guide are available here (24 MB):

http://sguil.sourceforge.net/sguil_0-3-1_f5-2-1_pkg.tar.gz

Comments and feedback are welcome.

Thank you,

Richard Bejtlich
http://www.taosecurity.com



--__--__--

Message: 2
Date: Sat, 20 Mar 2004 21:07:32 +1300
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Feature request: thresholds need another
counter?
Organization: Trimble Navigation New Zealand Ltd.

On Thu, Mar 18, 2004 at 11:22:44AM -0600, Paul Schmehl wrote:
Perhaps the ideal solution is to allow thresholding for *reporting*
purposes, but log everything to the db?  But again, that should be
backend 

What I'd like to see is if Snort sees 1 Nachi session, then capture the
entire session as normal, but then just log the number of times that
same IP is involved with Nachi sessions from then on (within limits set
by the threshold settings). That way you know IP address X.x.x.x sent
10,000 Nachi sessions, but it only took up 1K of SQL dataspace. I don't
care to see 10,000 packet captures all neatly logged by Snort - just the
first one will show all I need to see (after all, if the attack type was
different enough to matter, it either would have been missed by Snort or
captured by a different rule anyway). I just can't see any downside?


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
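The scheme Jason describes above (capture the first session per source and rule in full, then only count repeats within the threshold window) as an added Python sketch. This is example code written for this page, not Snort's threshold implementation and not anything Jason posted; the event format, the placeholder SID, the sample payload and the 60-second window are all assumptions.

```python
from collections import namedtuple

# Constructed event format for this example; Snort's internal event
# structure is not modelled.
Event = namedtuple("Event", "ts sid src payload")


class CaptureOnceThenCount:
    """Per (sid, source IP): emit the first event with its full payload,
    count every repeat inside the window without storing its payload, and
    emit one summary record when the window expires or at flush time."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._state = {}   # (sid, src) -> {"first": ts, "count": n}

    def process(self, ev):
        out = []
        key = (ev.sid, ev.src)
        st = self._state.get(key)
        if st is not None and ev.ts - st["first"] < self.window:
            st["count"] += 1            # repeat inside the window: just count it
            return out
        if st is not None:
            out.append(self._summary(key, st))   # previous window closed
        self._state[key] = {"first": ev.ts, "count": 1}
        out.append({"kind": "capture", "sid": ev.sid, "src": ev.src,
                    "ts": ev.ts, "payload": ev.payload})   # full detail once
        return out

    def flush(self):
        out = [self._summary(k, st) for k, st in self._state.items()]
        self._state.clear()
        return out

    @staticmethod
    def _summary(key, st):
        sid, src = key
        return {"kind": "summary", "sid": sid, "src": src,
                "first_ts": st["first"], "count": st["count"]}


def run(events, window_seconds=60):
    """Feed events in time order; return the capture and summary records."""
    engine = CaptureOnceThenCount(window_seconds)
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(engine.process(ev))
    out.extend(engine.flush())
    return out


# Constructed sample: 10,000 probes from one host inside one minute plus a
# single probe from another. SID 1000001 is a placeholder in the local-rule
# range, not a real Nachi signature; the 92 x 0xAA payload is made up here.
SAMPLE = [Event(ts=i * 0.005, sid=1000001, src="192.0.2.10", payload=b"\xaa" * 92)
          for i in range(10000)]
SAMPLE.append(Event(ts=30.0, sid=1000001, src="192.0.2.20", payload=b"\xaa" * 92))
```

Running `run(SAMPLE)` stores two full payloads and two counters instead of 10,001 packet records; the summary still tells you that 192.0.2.10 sent 10,000 matches, which is the information Jason wants to keep.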


--__--__--

Message: 3
Date: Sat, 20 Mar 2004 14:03:49 +0100
From: Christophe Zwecker <doc () zwecker de>
To: snort-users () lists sourceforge net
Subject: [Snort-users] http_decode line in snort.conf gets garbled

hi,

I can't enable http_decode; snort starts and says something like:

preprocessor =B2code: bblabla

It's like the line gets broken. I've tried with vim, nano, or even emacs. It's
strange that it's only with http_decode.

anyone had this ?

Chris
-- 
Christophe Zwecker                     mail: doc () zwecker de
Hamburg, Germany                        fon: +49 179 3994867
http://www.zwecker.de

"Who is General Failure ?  And why is he reading my disk ??"


--__--__--

Message: 4
Date: Sun, 21 Mar 2004 03:17:24 +0900
From: Kanatoko <anvil () jumperz net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] uricontent easily evaded on Apache

Apache web server allows clients to send blank lines (CRLFs)
*BEFORE* sending an HTTP request.
So one can send an HTTP request like this:
-----------------------------------------------
<CRLF>
GET /wwwboard/passwd.txt HTTP/1.0
User-Agent: httpc
Host: some.apache.host
<CRLF>
------------------------------------------------
In this case, Snort should trigger SID 807, but it cannot detect this
attack.

-- 
Kanatoko<anvil () jumperz net>
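The leading-CRLF case above as an added, constructed example, not Snort code and not something Kanatoko posted. It contrasts a URI extractor that expects the Request-Line at offset 0 (and therefore finds no URI, which is the failure the post reports) with one that skips empty lines before the Request-Line the way RFC 2616 section 4.1 tells servers to. Whether Snort's http_decode of that era behaved exactly like the strict extractor is not stated on this page; the example only models the parser mismatch. It assumes SID 807 matches on the URI /wwwboard/passwd.txt, as the post implies, and the request bytes are built from the post's example.

```python
METHODS = {b"GET", b"POST", b"HEAD"}
SIGNATURE = b"/wwwboard/passwd.txt"   # assumed: the uricontent SID 807 looks for


def build_request(path, leading_blank_lines=0):
    """Constructed request mirroring the post, with N blank lines in front."""
    return (b"\r\n" * leading_blank_lines
            + b"GET " + path + b" HTTP/1.0\r\n"
            + b"User-Agent: httpc\r\n"
            + b"Host: some.apache.host\r\n\r\n")


def uri_strict(payload):
    """Naive extractor: assumes the Request-Line starts at payload offset 0.
    A leading blank line makes the 'first line' empty, so no URI is found."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        return None
    return parts[1]


def uri_tolerant(payload):
    """Skips empty lines before the Request-Line, as RFC 2616 section 4.1
    says servers SHOULD, so the detector sees the same request Apache sees.
    Bare LF is stripped too because RFC 2616 section 19.3 tolerates it."""
    while payload.startswith(b"\r\n") or payload.startswith(b"\n"):
        payload = payload[2:] if payload.startswith(b"\r\n") else payload[1:]
    return uri_strict(payload)


def fires(payload, extractor):
    """Would a uricontent-style check on SIGNATURE trigger for this payload?"""
    uri = extractor(payload)
    return uri is not None and SIGNATURE in uri


def demo():
    plain = build_request(SIGNATURE)
    evaded = build_request(SIGNATURE, leading_blank_lines=1)
    return {
        "plain_strict": fires(plain, uri_strict),
        "plain_tolerant": fires(plain, uri_tolerant),
        "evaded_strict": fires(evaded, uri_strict),     # the miss the post reports
        "evaded_tolerant": fires(evaded, uri_tolerant),
    }
```

The point for a rule writer is that the detector must normalise at least as leniently as the server it protects; anything the server silently discards before parsing is an evasion channel for a stricter IDS parser.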


--__--__--

Message: 5
From: "Your Name" <rush () bythedrop com>
To: snort-users () lists sourceforge net
Date: Sat, 20 Mar 2004 19:02:53 +0000
Subject: [Snort-users] Exhausted - SNORT not logging to MySQL database

After 2 days of searching mailing lists/FAQs/google I am at a loss as to
why SNORT will not log to MySQL database and alert file remains at 0
bytes.  I tried twice to set SNORT up on a fresh RedHat 9.0 install with
all RHN updates per Patrick Harper's install guide (2/14/2004).  The
only variation; I used SNORT 2.1.1

I have installed SNORT on Fedora Core without a problem and would still
use Fedora, except it won't compile libdnet-1.7 (for other
stuff)...grrr.

-- I can log into MySQL using the user "snort" without any problems,
checking the event table returns:
 count(*)
  0

Also double checked INSERT, SELECT, DELETE, etc permissions

-- Network traffic is visible to eth0 using -v, including when NMAP'ing
from another box on the network

-- No abnormal entries in .err or message file
040320 10:08:50  mysqld started
040320 10:08:56  InnoDB: Started
/usr/local/mysql/libexec/mysqld: ready for connections.
Version: '4.0.17-log'  socket: '/tmp/mysql.sock'  port: 3306


Puzzled beyond belief :)  I'm probably missing the obvious, hopefully
someone could point out what might be causing this.

Much thanks!

Rush

***additional info***


Linux localhost 2.4.20-30.9 

***ifconfig***
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.20  Bcast:192.168.1.255
Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34465 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2391900 (2.2 Mb)  TX bytes:327793 (320.1 Kb)
          Interrupt:9 Base address:0x6000


***Server initialization***

[root@localhost root]# /usr/local/bin/snort -de -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
Running in IDS mode
Log directory = /var/log/snort
 
Initializing Network Interface eth0
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
<snipped>

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.20
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
1615 Snort rules read...
1615 Option Chains linked into 166 Chain Headers
0 Dynamic rules


***snort.conf***
Default file except
var HOME_NET 192.168.1.1
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=snort password=xxxxx dbname=snort host=localhost port=3306 detail=full

***grep stuff***
[root@localhost root]# ps -ef |grep snort
root      2176  1978  0 10:56 pts/0    00:00:01 /usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
root      2191  2074  0 11:16 pts/1    00:00:00 grep snort
[root@localhost root]# ps -ef |grep mysql
root      1670     1  0 10:08 ?        00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/var --pid-file=/usr/local/mysql/var/localhost.pid
mysql     1718  1670  0 10:08 ?        00:00:00 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/localhost.pid --skip-locking --port=3306 --socket=/tmp/mysql.sock
root      2193  2074  0 11:17 pts/1    00:00:00 grep mysql


-- 



--__--__--

Message: 6
Date: Sat, 20 Mar 2004 14:56:43 -0600
From: Paul Schmehl <pauls () utdallas edu>
Reply-To: Paul Schmehl <pauls () utdallas edu>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Exhausted - SNORT not logging to MySQL
database

--On Saturday, March 20, 2004 7:02 PM +0000 Your Name
<rush () bythedrop com> 
wrote:

After 2 days of searching mailing lists/FAQs/google I am at a loss as 
to why SNORT will not log to MySQL database and alert file remains at 
0 bytes.  I tried twice to set SNORT up on a fresh RedHat 9.0 install 
with all RHN updates per Patrick Harper's install guide (2/14/2004).  
The only variation; I used SNORT 2.1.1

What happens when you type:

% snort -i eth0

in a terminal window?  Do you see packets going by?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


--__--__--

Message: 7
From: "Michael Steele" <michaels () winsnort com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Exhausted - SNORT not logging to MySQL
database
Date: Sat, 20 Mar 2004 17:34:27 -0800

Is Snort even running? Have you checked the error logs? Snort will fail
if it can't log into the MySQL database. Have you tried to run Snort in
packet sniffing mode? Have you tried to manually run the Snort run line?

Are you on a switch? If so you MUST be able to mirror. Try using a hub.

There should be some errors showing up somewhere.

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


--__--__--

Message: 8
From: "pfeito" <pfeito () netcabo pt>
To: <snort-users () lists sourceforge net>
Date: Sun, 21 Mar 2004 02:08:50 -0000
Subject: [Snort-users] Promiscuous Mode

Hi,

I've just installed snort on fedora core 1 with MySQL and ACID.
Everything is looking cool. I've set the IDS box outside the firewall
using an HUB.

Something is bothering me though... if I do "ifconfig -a" my interface
(which has no IP or mask set) does not show the keyword PROMISC, but
doing tail /var/log/messages, I can see a message like "... kernel:
eth0: Setting promiscuous mode.". A quick look at ACID's data tells me
that the interface is in fact in promiscuous mode, but shouldn't this
show up in "ifconfig -a"?

Also, how can I manually set an interface to promiscuous mode?

Thanks,
-pfeito
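An added Python example (not from pfeito, Snort or libpcap) that answers both questions above. ifconfig reads interface flags with the SIOCGIFFLAGS ioctl, and the Linux kernel reports IFF_PROMISC through that call only when promiscuous mode was set administratively (SIOCSIFFLAGS, i.e. `ifconfig eth0 promisc`); promiscuity requested by a packet socket, which is how libpcap and therefore Snort turn it on, is tracked in a separate counter and shows up in the kernel's own flags word but not in the ioctl answer. That is why the kernel logs "Setting promiscuous mode" while ifconfig stays silent. The sysfs read below assumes a 2.6-or-later kernel (the poster's Fedora Core 1 box has no sysfs, but its ifconfig relies on the same ioctl behaviour); reading flags needs no privilege, set_promisc needs root (CAP_NET_ADMIN), and the interface name eth0 is assumed.

```python
import fcntl
import socket
import struct

# Values from <linux/if.h> and <linux/sockios.h>
IFF_PROMISC = 0x100
SIOCGIFFLAGS = 0x8913
SIOCSIFFLAGS = 0x8914
# Subset of the flag bits ifconfig names, from <linux/if.h>
IFF_NAMES = {0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x40: "RUNNING",
             0x100: "PROMISC", 0x1000: "MULTICAST"}
IFREQ = "16sH14x"   # struct ifreq: ifr_name[16], short ifr_flags, padding to 32 bytes


def decode_flags(flags):
    """Turn an interface flags word into the names ifconfig prints."""
    return [name for bit, name in sorted(IFF_NAMES.items()) if flags & bit]


def ioctl_flags(ifname):
    """What ifconfig sees (SIOCGIFFLAGS). IFF_PROMISC appears here only if
    it was set administratively, not when a packet socket asked for it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack(IFREQ, ifname.encode(), 0)
        return struct.unpack(IFREQ, fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, req))[1]


def sysfs_flags(ifname):
    """The kernel's own dev->flags word as exported by sysfs; this one does
    reflect promiscuity turned on by a packet socket (the libpcap path)."""
    with open(f"/sys/class/net/{ifname}/flags") as f:
        return int(f.read().strip(), 16)


def classify_promisc(ioctl_word, sysfs_word):
    """Reconcile the two views into one answer for the sensor check."""
    if ioctl_word & IFF_PROMISC:
        return "administrative"       # ifconfig shows PROMISC
    if sysfs_word & IFF_PROMISC:
        return "packet-socket"        # sniffer asked for it; ifconfig is silent
    return "off"


def set_promisc(ifname, on=True):
    """Manual equivalent of `ifconfig eth0 promisc` / `ifconfig eth0 -promisc`.
    Needs CAP_NET_ADMIN. Returns the new administrative PROMISC state."""
    flags = ioctl_flags(ifname)
    flags = flags | IFF_PROMISC if on else flags & ~IFF_PROMISC
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        fcntl.ioctl(s.fileno(), SIOCSIFFLAGS, struct.pack(IFREQ, ifname.encode(), flags))
    return bool(ioctl_flags(ifname) & IFF_PROMISC)


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "eth0"   # eth0 assumed
    io, sy = ioctl_flags(name), sysfs_flags(name)
    print(name, "ifconfig view:", decode_flags(io), "kernel view:",
          decode_flags(sy), "->", classify_promisc(io, sy))
```

On systems with iproute2, `ip -d link show eth0` prints a promiscuity counter that covers both cases, and `ip link set eth0 promisc on` is the administrative equivalent of set_promisc. For a Snort sensor the kernel log line pfeito already found, or the sysfs/netlink view, is the check to trust; the absence of PROMISC in ifconfig output is not evidence that the sniffer is not in promiscuous mode.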





--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



