Snort mailing list archives

Re: Snort-users digest, Vol 1 #4136 - 8 msgs


From: Donald G Meyett <dmeyett () csc com>
Date: Tue, 13 Apr 2004 13:14:44 -0400

http://www.realtor.com/FindHome/HomeListing.asp?snum=30&frm=bymap&pgnum=3&mls=xmls&js=on&fid=so&vtsort=&ss_aywr=&poe=realtor&areaid=110&ct=Sarasota&st=FL&zp=&mnprice=100000&mxprice=400000&mnbed=2&mnbath=2&typ=1&typ=6&typ=5&mnsqft=1400&exft=inewhome&exft=0&exft=0&exft=0&lid=&sid=029F98392896C&snumxlid=1035165030&lnksrc=00002


In case you didn't get the other email...


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Don Meyett 
Sr. INFOSEC Engineer 
Managed Security Services 
Computer Sciences Corporation 
(240) 456-6203 
dmeyett () csc com 
www.heatscanner.com 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 



snort-users-request () lists sourceforge net
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 11:19 AM
Please respond to snort-users () lists sourceforge net

To: snort-users () lists sourceforge net
cc:
Subject: Snort-users digest, Vol 1 #4136 - 8 msgs

Send Snort-users mailing list submissions to
                 snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
                 https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
                 snort-users-request () lists sourceforge net

You can reach the person managing the list at
                 snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. ubject: Norman Internet Protection - Malware Warning! (jhaar () trimble co nz)
   2. RE: Hot XXX Streaming Videos, FREE Clips (General Information)
   3. Re: Flow-portscan oddity (Martin Roesch)
   4. Error (DESH SRIVASTAVA)
   5. Re: IDS provisioning site analysis tool? (Martin Roesch)
   6. RE: IDS provisioning site analysis tool? (Williams Jon)
   7. Re: IDS provisioning site analysis tool? (Martin Roesch)
   8. Re: Error (Edin Dizdarevic)

--__--__--

Message: 1
To: <snort-users () lists sourceforge net>
Date: Tue, 13 Apr 2004 15:16:16 +0700 (WIT)
From: jhaar () trimble co nz
Subject: [Snort-users] ubject: Norman Internet Protection - Malware Warning!

Message sender:       <jhaar () trimble co nz>
Message receiver:     <snort-users () lists sourceforge net>
Message subject:      Hot XXX Streaming Videos, FREE Clips
Malware found:        File is blocked due to file name with double extension.
Attachment file name: Sexual.MPEG_________________________________________________________.exe
Status:               blocked

Remember to update your NVC installation regularly
http://www.norman.com
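The gateway notice above blocks on one criterion, a file name with a double extension, and the attachment name shows the usual trick of padding the decoy extension with underscores so the real ".exe" scrolls out of view in a mail client. The following is an added example (not Norman's code or anything from the list) of that check as a mail-gateway filter would apply it; the extension lists, the Verdict class and the sample names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed lists, not from the notice: extensions Windows will execute, and the
# media/document extensions an attacker pads in front of them as a decoy.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"mpeg", "mpg", "avi", "jpg", "gif", "txt", "doc", "pdf", "zip"}
PADDING = re.compile(r"[\s_\-]+$")  # underscores/spaces that push ".exe" out of view


@dataclass
class Verdict:
    blocked: bool
    reason: str
    decoy_ext: Optional[str] = None
    real_ext: Optional[str] = None


def check_attachment_name(name: str) -> Verdict:
    """Apply the rule the notice states: block an attachment whose name carries
    a decoy extension followed by an executable one, even when padding
    separates them (Sexual.MPEG_____.exe)."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return Verdict(False, "no extension")
    real_ext = parts[-1].strip()          # the extension the OS acts on
    if real_ext not in EXECUTABLE_EXTS:
        return Verdict(False, "last extension is not executable", real_ext=real_ext)
    decoy = PADDING.sub("", parts[-2])    # "mpeg________" -> "mpeg"
    if decoy in DECOY_EXTS:
        return Verdict(True, "double extension", decoy_ext=decoy, real_ext=real_ext)
    # A bare executable is a policy call the notice does not make; report it only.
    return Verdict(False, "single executable extension", real_ext=real_ext)


# Constructed attachment names, including the one quoted in the notice.
SAMPLES = [
    "Sexual.MPEG_________________________________________________________.exe",
    "holiday.jpg                 .scr",
    "report.pdf",
    "setup.exe",
]


def blocked_names(names):
    """Names the filter would block, in input order."""
    return [n for n in names if check_attachment_name(n).blocked]
```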



--__--__--

Message: 2
From: "General Information" <info () lucretia ca>
To: "'jhaar'" <jhaar () trimble co nz>,
                 <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Hot XXX Streaming Videos, FREE Clips
Date: Tue, 13 Apr 2004 06:45:30 -0600

Someone doesn't like you Jason...
 
Blackmar trojan removed.

-----Original Message-----
From: jhaar [mailto:jhaar () trimble co nz] 
Sent: Tuesday, April 13, 2004 2:06 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Hot XXX Streaming Videos, FREE Clips


Check This ?ucking Babe ;D ?ucking = Sucking=Fucking
 
 
  _____ 


Trimble.co.nz servers automatically scanned for viruses using Norton
AntiVirus-2004
..Zipped Movie 







--__--__--

Message: 3
Cc: "Snort Users" <snort-users () lists sourceforge net>
From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] Flow-portscan oddity
Date: Tue, 13 Apr 2004 09:56:09 -0400
To: "Guillaume Arcas" <guillaume.arcas () free fr>

Check out README.flow-portscan in the doc directory of your snort
distro.

      -Marty

On Apr 13, 2004, at 2:31 AM, Guillaume Arcas wrote:

Kreimendahl, Chad J a dit :

Using the default configuration for flow and flow portscan... And
testing it on an external interface... We're seeing absolutely no
alerts triggered.  I've attempted using many output mechanisms, hoping
that it wasn't the method we were using, and the results are the same.
I'm 100% positive there were several scans happening on this same
interface, as I ran portscan2 at the same time with a different snort,
on the same interface.   Many noisy ugly alerts from portscan2...
Nothing from flow-portscan.

Same for me...

Is there, anywhere other than the code itself, some documentation about
this plugin and its configuration?


--
Guillaume Arcas

--------------------------------------------------
We must part. We are two children;
we have done a foolish thing. (Yvonne de Galais)


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



--__--__--

Message: 4
Date: Tue, 13 Apr 2004 06:55:35 -0700 (PDT)
From: DESH SRIVASTAVA <desh_deep () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Error


While starting snort, I am getting the following error:
"Error initializing network interface:" What may be the possible cause?

 
---------------------------------
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway - Enter today


--__--__--

Message: 5
Cc: "Snort Users List" <snort-users () lists sourceforge net>,
  Focus-Ids <focus-ids () securityfocus com>
From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] IDS provisioning site analysis tool?
Date: Tue, 13 Apr 2004 10:33:25 -0400
To: "Williams Jon" <WilliamsJonathan () JohnDeere com>

Hi Jon,

I think our RNA product can help you, it performs passive OS
identification, passive service protocol identification (including
vendor and version ID), flow logging, passive vulnerability inference,
target (host) modeling, etc.

To address your "feature list", RNA can do the following things:

- Connection summaries (flow logging/analysis)
- Passive OS & Service fingerprinting including identification of
service vendor/version
- List of services/vendors/versions & host models for rules selection

It doesn't produce automatic rule tuning at this point, I think that
that feature will show up in the future though.

RNA is a commercial product though, so I don't know how that might fit
with budgetary constraints you might have.

One thing you might consider if you *do* have a budget is that
Sourcefire is offering a Snort Agent product now that can transport
event data from open source sensors up to the Sourcefire Management
Console (MC) for analysis/reporting/incident management.  Our version
3.1.2 update for the MC that's coming out this week includes an Impact
Correlator that analyzes events coming from the IDSes against RNA's
network/vulnerability map and can gauge the impact of an event based on
the real-time assessment of your network environment.  This is pretty
cool because it's independent of the arbitrary priority field in Snort
rules that may or may not have any relevance to your actual network.

Anyway, enough marketing foo.  If you want to try to wire something
together with open source parts you could probably do so with a variety
of pieces parts and a bunch of perl, depends on how much time you've
got...

      -Marty

On Apr 12, 2004, at 12:43 PM, Williams Jon wrote:

I've been doing IDS work at one site for several years now and have
found that, lacking knowledge about what network traffic is supposed to
exist, one spends the majority of one's efforts researching non-issues.
Having spent the time on my local network, I've got that understanding
here, but I'm considering locating sensors at other sites where that
knowledge is lacking.  Over the weekend, I got this wild hair that I'd
like a tool that I could run on the new sensor box prior to kicking up
the IDS.  This tool would do the following things:

- Monitor the network, displaying some form of a summary of connections,
probably organized by service port
- Passive OS and server fingerprinting to help differentiate Apache on
Linux from IIS on W2K, etc.
- Through a keypress (like "i"), flag a given service to be ignored in
the future and document what it is

Additionally, I think that it might be useful to be able to produce some
form of output that lists the applications/OSes found for use in
selecting IDS rules (i.e. use the file with some script that would
deactivate any snort.org rule for which there isn't a corresponding
target).  I doubt that this feature would be in any current tool,
although I think it could be useful.

The way I'm thinking, I'd do a site survey, identify everything I could
as a known application.  Whatever's left would need to be tracked down
and either documented as a proper business app or terminated.  Once
that's done, this tool could produce the "My Environment" list for use
in building IDS rulesets and/or continue running as a daily checkpoint
for new, unknown/unauthorized traffic.

So, does anyone know of a tool or a set of tools that can do this?  If
not, does anyone else see any value in such a beast?

Thanks.

Jon





--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
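Jon's feature list above (per-port connection summaries, passive fingerprints, an "ignore" flag, a "My Environment" list that drives rule selection, and a daily checkpoint for unknown traffic), together with the "neither address is ours" oddity he raises later in the thread, can be sketched as a small offline survey pass. The code below is an added example written for this page, not Marty's RNA, not a Sourcefire or Snort tool, and not anything Jon posted. The flows, fingerprints, local prefixes and rule stubs are constructed, and the per-rule 'target' tag is assumed metadata rather than a real Snort rule option; a real implementation would feed flows from a sniffer and fingerprints from a passive OS/banner tool.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample flows standing in for what a passive sniffer on the new sensor
# box would collect: (src, dst, dport, proto).
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.1.2.10", 80, "tcp"),
    Flow("10.1.1.6", "10.1.2.10", 80, "tcp"),
    Flow("10.1.1.5", "10.1.2.11", 443, "tcp"),
    Flow("10.1.1.7", "10.1.2.20", 25, "tcp"),
    Flow("10.1.1.7", "10.1.2.20", 25, "tcp"),
    Flow("10.1.1.9", "10.1.2.30", 3389, "tcp"),
    Flow("192.0.2.9", "198.51.100.4", 1433, "tcp"),  # neither end is ours
]

LOCAL_PREFIXES = ("10.1.",)  # assumed: our own address space (prefix match for brevity)

# Assumed passive fingerprint results keyed by (server, port); constructed here.
FINGERPRINTS: Dict[Tuple[str, int], str] = {
    ("10.1.2.10", 80): "apache/linux",
    ("10.1.2.11", 443): "apache/linux",
    ("10.1.2.20", 25): "sendmail/linux",
    ("10.1.2.30", 3389): "rdp/windows",
}

# Constructed rule stubs; 'target' is assumed metadata, not a real Snort rule option.
RULES = [
    {"sid": 1, "target": "iis", "msg": "WEB-IIS example"},
    {"sid": 2, "target": "apache", "msg": "WEB-MISC apache example"},
    {"sid": 3, "target": "sendmail", "msg": "SMTP sendmail example"},
    {"sid": 4, "target": "mssql", "msg": "MS-SQL example"},
]

def summarize_by_port(flows: Iterable[Flow]) -> Dict[Tuple[str, int], dict]:
    """Connection summary organised by service port: count plus servers seen."""
    summary: Dict[Tuple[str, int], dict] = defaultdict(
        lambda: {"connections": 0, "servers": set()})
    for f in flows:
        entry = summary[(f.proto, f.dport)]
        entry["connections"] += 1
        entry["servers"].add(f.dst)
    return dict(summary)

def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIXES)

def anomalous_flows(flows: Iterable[Flow]) -> List[Flow]:
    """Flows where neither endpoint is ours: no signature fires, but chase them down."""
    return [f for f in flows if not is_local(f.src) and not is_local(f.dst)]

def build_environment(flows, fingerprints, ignored: Set[Tuple[str, int]]):
    """'My Environment': (server, port, fingerprint) per observed service, minus
    services an admin flagged (the 'i' keypress) as documented and ignored."""
    env = set()
    for f in flows:
        svc = (f.dst, f.dport)
        if svc not in ignored:
            env.add((f.dst, f.dport, fingerprints.get(svc, "unknown")))
    return env

def select_rules(rules, env):
    """Keep rules whose target software exists in the environment; the rest have
    no corresponding target and can be deactivated. Returns (keep, drop) sids."""
    present = {fp.split("/")[0] for _, _, fp in env}
    keep = [r["sid"] for r in rules if r["target"] in present]
    drop = [r["sid"] for r in rules if r["target"] not in present]
    return keep, drop

def daily_checkpoint(baseline, today):
    """Services seen today that the baseline survey never recorded."""
    return today - baseline
```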



--__--__--

Message: 6
Subject: RE: [Snort-users] IDS provisioning site analysis tool?
Date: Tue, 13 Apr 2004 09:55:55 -0500
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
To: "Martin Roesch" <roesch () sourcefire com>
cc: "Snort Users List" <snort-users () lists sourceforge net>,
                 Focus-Ids <focus-ids () securityfocus com>

That's all well and good for an installed IDS product, but it sounds to
me as if RNA is both a compensation for a lack of administrator
knowledge and an ongoing false-positive reduction technique.  I think
what I'm looking for is more of a tool to help admins understand what
their environment is prior to deploying IDS.

Most of this is based on my experiences with my current IDS setup.  If I
only relied on the snort.org rulesets, I'd be missing a whole slew of
traffic that, while not hostile from the signature standpoint, is at a
minimum anomalous (i.e. IP addresses that are not ours sourcing traffic
that is destined to IP addresses which are also not ours, etc.) and at
worst point to serious chinks in our network armor.  We've done a number
of tcpdump experiments, gradually winnowing out stuff that we don't want
to see and it has helped us develop custom rules that are extremely good
at finding these oddities.  I was hoping to find either a tool or enough
people interested in such a tool to get one written.

Jon


--__--__--

Message: 7
Cc: "Snort Users List" <snort-users () lists sourceforge net>,
  Focus-Ids <focus-ids () securityfocus com>
From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] IDS provisioning site analysis tool?
Date: Tue, 13 Apr 2004 11:17:51 -0400
To: "Williams Jon" <WilliamsJonathan () JohnDeere com>

Hi Jon,

That's all well and good for an installed IDS product, but it sounds to
me as if RNA is both a compensation for a lack of administrator
knowledge and an ongoing false-positive reduction technique.  I think
what I'm looking for is more of a tool to help admins understand what
their environment is prior to deploying IDS.

RNA can also run as a stand-alone process to do the things you
describe, we've just taken the additional step to integrate automated
analysis with it for a variety of uses for overloaded admins who don't
have the time/skill to properly tune their IDSes.  RNA's basic
functionality is to provide you with a map of the network environment
including lots of data that's essential to deploying your IDS properly
like the OSes and services that are running on your hosts and the
topology of the network in addition to the existence of the hosts
themselves.  You can run this before you deploy your IDS to understand
the protection profile you should be running and get the added benefit
of RNA letting you see changes that might be critical to your IDS
configuration in real-time.

Most of this is based on my experiences with my current IDS setup.  If I
only relied on the snort.org rulesets, I'd be missing a whole slew of
traffic that, while not hostile from the signature standpoint, is at a
minimum anomalous (i.e. IP addresses that are not ours sourcing traffic
that is destined to IP addresses which are also not ours, etc.) and at
worst point to serious chinks in our network armor.  We've done a number
of tcpdump experiments, gradually winnowing out stuff that we don't want
to see and it has helped us develop custom rules that are extremely good
at finding these oddities.  I was hoping to find either a tool or enough
people interested in such a tool to get one written.

RNA can do flow tracking and analysis to help you build those "odd
ball" rules too, I guess it depends on what your specific requirements
are but I think it would cover them better than you might think. After
all, I originally built RNA to produce just that sort of data for
Snort...

      -Marty


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



--__--__--

Message: 8
Date: Tue, 13 Apr 2004 17:17:57 +0200
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Error

Hi,

DESH SRIVASTAVA wrote:

While starting snort, I am getting the following error:
"Error initializing network interface:" What may be the possible cause?

You're using Snort on a computer without a network card?

Regards,
Edin

-- 
Edin Dizdarevic



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

