Snort mailing list archives
Re: Snort-users Digest, Vol 15, Issue 4
From: Tom Webb <webbtc () gwm sc edu>
Date: Mon, 06 Aug 2007 10:31:13 -0400
On Fri, 2007-08-03 at 12:46 -0700, snort-users-request () lists sourceforge net wrote:
Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-owner () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. Re: [Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic (Benjamin Small)
2. VRT Rules Subscription ? (John Hally)
3. Re: VRT Rules Subscription ? (David J. Bianco)
4. Re: VRT Rules Subscription ? (Mike Guiterman)
5. Re: VRT Rules Subscription ? (David J. Bianco)

----------------------------------------------------------------------

Message: 1
Date: Fri, 3 Aug 2007 11:45:28 -0400
From: "Benjamin Small" <benjamin.small83 () gmail com>
Subject: Re: [Snort-users] [Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic
To: "Steven Sturges" <steve.sturges () sourcefire com>
Cc: snort-users () lists sourceforge net, snort-devel () lists sourceforge net
Message-ID: <3882b8850708030845y7be9f1aeq4a872ed60812ea8e () mail gmail com>

This is not a problem when using stream5 and snort 2.7.0 - Go team!

Thanks,
Benjamin

On 6/29/07, Steven Sturges <steve.sturges () sourcefire com> wrote:

> Hi Benjamin--
>
> Thanks for the report. We'll have a look into it.
>
> Cheers.
> -steve
>
> Benjamin Small wrote:
>
>> Hello,
>>
>> While working with Snort 2.6.1.5 I noticed a situation where snort was inadvertently being evaded. I have narrowed the root cause down to the stream4 preprocessor. When reassembling both to_client and to_server streams, it appears that duplicating certain packets causes snort to miss an attack. I demonstrate this in an attack where I attempt an /etc/passwd grab.
>>
>> None of the attacker's packets are duplicated, but I send three instances of the first response from the server containing a payload (and only the first packet with payload seems to matter). Oddly enough, if you read the pcap as a file "snort -r evaded.pcap", Snort fires. However, if snort is reading this traffic from an interface it misses the attack. To test this I used tcpreplay on a separate host.
>>
>> This becomes a potential problem in IDS setups where traffic is being SPAN'd to a monitoring interface more than once. Since this can potentially cause every attack against an application that utilizes TCP to be missed, I wanted to bring this to the community's attention. This is more common in environments where complex SPAN sessions are used to relay data from multiple sources to an IDS for monitoring.
>>
>> I am attaching a pcap and the configuration used in my test. Disabling the stream4 preprocessor or setting the "noinspect" option prevents the IDS from missing the attack.
>>
>> The pcap contains a series of 12 unique packets. The 8th unique packet is replicated twice, resulting in three instances of the initial response from the webserver after the attempted /etc/passwd grab. I only replicated this packet since, after trying different variations of duplicating other packets, it appears this packet was key for missing the attack. I have attached a spreadsheet containing data surrounding my tests. Each column contains the number of times each packet in the sequence was transmitted.
>>
>> Regards,
>> Benjamin Small
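The replay capture Benjamin describes (12 unique packets, the 8th sent three times) can be generated from a clean capture without re-running the attack, and the same pcap parsing doubles as a check for whether a sensor's monitoring interface is already receiving repeated frames from overlapping SPAN sessions. The following is an added example, not code from the original thread or from the Snort project. It handles classic libpcap files only (not pcapng), the script name dup_pcap.py is an assumption, and the 12 sample frames are constructed placeholders rather than the capture attached to the original message.

```python
"""Build a 'duplicated SPAN' replay capture and check a capture for repeated frames.

Added example; handles classic libpcap files (magic a1b2c3d4 / d4c3b2a1), not pcapng.
"""
import struct
import sys

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_LE = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
REC_HDR_BE = struct.Struct(">IIII")
LINKTYPE_ETHERNET = 1


def build_pcap(frames, ts_sec=1186000000):
    """Write a little-endian classic pcap from raw link-layer frames (one record per frame)."""
    out = [GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(REC_HDR_LE.pack(ts_sec, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Return (global header bytes, [(record header bytes, frame bytes), ...]) for either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        rec = REC_HDR_LE
    elif magic == b"\xa1\xb2\xc3\xd4":
        rec = REC_HDR_BE
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    records = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if off + rec.size > len(data):
            raise ValueError("truncated record header")
        _, _, incl_len, _ = rec.unpack_from(data, off)
        hdr = data[off:off + rec.size]
        off += rec.size
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated frame data")
        off += incl_len
        records.append((hdr, frame))
    return data[:GLOBAL_HDR.size], records


def duplicate_packet(data, index, copies):
    """Emit the capture with 1-based packet `index` repeated `copies` times back to back,
    which is what a sensor sees when several SPAN sessions deliver the same frame."""
    ghdr, records = read_pcap(data)
    if not 1 <= index <= len(records):
        raise IndexError("packet %d out of range 1..%d" % (index, len(records)))
    if copies < 1:
        raise ValueError("copies must be at least 1")
    out = [ghdr]
    for i, (hdr, frame) in enumerate(records, 1):
        out.extend([hdr + frame] * (copies if i == index else 1))
    return b"".join(out)


def find_duplicates(data):
    """1-based indices of frames byte-identical to an earlier frame (timestamps ignored).
    Run this on a capture taken on the sensor's own monitoring interface to see whether
    the SPAN configuration already delivers frames more than once."""
    seen, dups = set(), []
    for i, (_, frame) in enumerate(read_pcap(data)[1], 1):
        if frame in seen:
            dups.append(i)
        seen.add(frame)
    return dups


def packet_count(data):
    return len(read_pcap(data)[1])


# Constructed stand-ins for the 12-packet exchange in the report: distinct placeholder frames,
# not real Ethernet/IP/TCP and not the capture that was attached to the original message.
SAMPLE_FRAMES = [b"\x00" * 12 + b"\x08\x00" + b"pkt%02d" % i for i in range(1, 13)]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
EVADED_PCAP = duplicate_packet(SAMPLE_PCAP, index=8, copies=3)  # 14 records, frame 8 three times

if __name__ == "__main__":
    # usage: python dup_pcap.py clean.pcap evaded.pcap 8 3
    if len(sys.argv) != 5:
        sys.exit("usage: %s IN.pcap OUT.pcap INDEX COPIES" % sys.argv[0])
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    result = duplicate_packet(data, int(sys.argv[3]), int(sys.argv[4]))
    with open(sys.argv[2], "wb") as f:
        f.write(result)
    print("wrote %d records; duplicate frames at positions %s"
          % (packet_count(result), find_duplicates(result)))
```

To reproduce the report's conditions, generate evaded.pcap from a clean capture of the exchange, replay it with tcpreplay from a separate host onto the sensor's monitoring interface, and compare the result with `snort -r evaded.pcap` under the same configuration; the two runs should not disagree. A capture taken directly on the sensor interface (tcpdump -w) fed to find_duplicates() shows whether the SPAN setup is delivering repeats in production, which is the condition under which the report says the miss occurs.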
------------------------------

Message: 2
Date: Fri, 3 Aug 2007 14:06:43 -0400
From: John Hally <JHally () epnet com>
Subject: [Snort-users] VRT Rules Subscription ?
To: snort-users () lists sourceforge net
Message-ID: <9D3E489884294646B1627EFEACA86436056046 () exchange corp epnet com>

Hello All,

I recently subscribed to the VRT ruleset (personal subs) to try out. One question that I couldn't really find a definitive answer on is how to incorporate the download into tools (IDS Policy Mgr). I typically just put the oinkcode into the download url entry and I'm off and running, but I didn't find an oinkcode specific to the VRT ruleset. Even generating a new one just generated the same exact oinkcode. Is the version (subscription or non-subscription) linked based on the oinkcode and I have to do nothing, or is there different download codes/areas I need to use? I looked all over snort.org and unless I'm just completely missing it...

Thanks in advance.

JH.

------------------------------

Message: 3
Date: Fri, 03 Aug 2007 15:32:04 -0400
From: "David J. Bianco" <david () vorant com>
Subject: Re: [Snort-users] VRT Rules Subscription ?
To: John Hally <JHally () epnet com>
Cc: snort-users () lists sourceforge net
Message-ID: <46B382B4.8030909 () vorant com>

Correct. The oinkcode will be the same, and their backend will take care of figuring out which rulesets it's good for.
David

------------------------------

Message: 4
Date: Fri, 3 Aug 2007 15:43:54 -0400
From: "Mike Guiterman" <mike.guiterman () sourcefire com>
Subject: Re: [Snort-users] VRT Rules Subscription ?
To: "David J. Bianco" <david () vorant com>
Cc: John Hally <JHally () epnet com>, snort-users () lists sourceforge net
Message-ID: <46B3857A.3080808 () sourcefire com>

You do have to update the URL in your oinkmaster conf file to download the subscriber file.

If you're using 2.7 the file name is: snortrules-snapshot-CURRENT_s.tar.gz

If you're using 2.6.x the file name is: snortrules-snapshot-2.6_s.tar.gz

regards,
Mike

--
Mike Guiterman
Snort Community Manager
Sourcefire, Inc.
mguiterman () sourcefire com
(410)423-1930

------------------------------

Message: 5
Date: Fri, 03 Aug 2007 15:46:37 -0400
From: "David J. Bianco" <david () vorant com>
Subject: Re: [Snort-users] VRT Rules Subscription ?
To: Mike Guiterman <mike.guiterman () sourcefire com>
Cc: John Hally <JHally () epnet com>, snort-users () lists sourceforge net
Message-ID: <46B3861D.6010605 () vorant com>

True. I forgot that he might not know that part. Bad geek! No cookie!

David

------------------------------

End of Snort-users Digest, Vol 15, Issue 4
******************************************
--
Tom Webb
Information Security Officer
University of South Carolina
803-777-1701
Current thread:
- Re: Snort-users Digest, Vol 15, Issue 4 Tom Webb (Aug 06)