Re: Snort-users Digest, Vol 15, Issue 4

[Tom Webb <webbtc () gwm sc edu>]

On Fri, 2007-08-03 at 12:46 -0700,
snort-users-request () lists sourceforge net wrote:
> Send Snort-users mailing list submissions to
>       snort-users () lists sourceforge net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>       https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>       snort-users-request () lists sourceforge net
>
> You can reach the person managing the list at
>       snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. Re: [Snort-devel] Evasion Due to Multiple Instances     of SPAN
>       Traffic (Benjamin Small)
>    2. VRT Rules Subscription ? (John Hally)
>    3. Re: VRT Rules Subscription ? (David J. Bianco)
>    4. Re: VRT Rules Subscription ? (Mike Guiterman)
>    5. Re: VRT Rules Subscription ? (David J. Bianco)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 3 Aug 2007 11:45:28 -0400
> From: "Benjamin Small" <benjamin.small83 () gmail com>
> Subject: Re: [Snort-users] [Snort-devel] Evasion Due to Multiple
>       Instances       of SPAN Traffic
> To: "Steven Sturges" <steve.sturges () sourcefire com>
> Cc: snort-users () lists sourceforge net,
>       snort-devel () lists sourceforge net
> Message-ID:
>       <3882b8850708030845y7be9f1aeq4a872ed60812ea8e () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> This is not a problem when using stream5 and snort 2.7.0 - Go team!
>
> Thanks,
> Benjamin
>
> On 6/29/07, Steven Sturges <steve.sturges () sourcefire com> wrote:
> > Hi Benjamin--
> >
> > Thanks for the report.  We'll have a look into it.
> >
> > Cheers.
> > -steve
> >
> > Benjamin Small wrote:
> > > Hello,
> > >
> > > While working with Snort 2.6.1.5 I noticed a situation where snort was
> > > inadvertently being evaded.
> > > I have narrowed the root cause down to the stream4 preprocessor. When
> > > reassembling both to_client
> > > and to_server streams, it appears that duplicating certain packets
> > causes
> > > snort to miss an attack.
> > > I demonstrate this in an attack where I attempt an /etc/passwd grab.
> > > None of
> > > the attacker's packets
> > > are duplicated, but I send three instances of the first response from
> > the
> > > server containing a payload
> > > (and only the first packet with payload seems to matter). Oddly enough,
> > if
> > > you read the pcap as a file
> > > "snort -r evaded.pcap", Snort fires. However, if snort is reading this
> > > traffic from an interface it misses
> > > the attack. To test this I used tcpreplay on a separate host.
> > >
> > > This becomes a potential problem in IDS setups where traffic is being
> > > SPAN'd
> > > to a monitoring interface
> > > more than once. Since this can potentially cause every attack against an
> > > application that utilizes TCP
> > > to be missed, I wanted to bring this to the community's attention. This
> > is
> > > more common in environments
> > > where complex SPAN sessions are used to relay data from multiple sources
> > to
> > > an IDS for monitoring.
> > >
> > > I am attaching a pcap and the configuration used in my test. Disabling
> > the
> > > stream4 preprocessor or
> > > setting the "noinspect" option prevents the IDS from missing the attack.
> > > The
> > > pcap contains a series of
> > > 12 unique packets. The 8th unique packet is replicated twice, resulting
> > in
> > > three instances of the initial
> > > response from the webserver after the attempted /etc/passwd grab. I only
> > > replicated this packet since
> > > after trying different variations of duplicating other packets, it
> > appears
> > > this packet was key for missing
> > > the attack. I have attached a spreadsheet containing data surrounding my
> > > tests. Each column contains
> > > the number of times each packet in the sequence was transmitted.
> > >
> > > Regards,
> > > Benjamin Small
> > >
> > >
> > > ------------------------------------------------------------------------
> > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by DB2 Express
> > > Download DB2 Express C - the FREE version of DB2 express and take
> > > control of your XML. No limits. Just data. Click to get it now.
> > > http://sourceforge.net/powerbar/db2/
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel () lists sourceforge net
> > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Fri, 3 Aug 2007 14:06:43 -0400 
> From: John Hally <JHally () epnet com>
> Subject: [Snort-users] VRT Rules Subscription ?
> To: snort-users () lists sourceforge net
> Message-ID:
>       <9D3E489884294646B1627EFEACA86436056046 () exchange corp epnet com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello All,
>
> I recently subscribed to the VRT ruleset (personal subs) to try out.  One
> question that I couldn't really find a definitive answer on is how to
> incorporate the download into tools (IDS Policy Mgr).  I typically just put
> the oinkcode into the download url entry and I'm off and running, but I
> didn't find an oinkcode specific to the VRT ruleset.  Even generating a new
> one just generated the same exact oinkcode.  Is the version (subscription or
> non-subscription) linked based on the oinkcode and I have to do nothing, or
> is there different download codes/areas I need to use.  I looked all over
> snort.org and unless I'm just completely missing it...
>
> Thanks in advance.
>
> JH.
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 3
> Date: Fri, 03 Aug 2007 15:32:04 -0400
> From: "David J. Bianco" <david () vorant com>
> Subject: Re: [Snort-users] VRT Rules Subscription ?
> To: John Hally <JHally () epnet com>
> Cc: snort-users () lists sourceforge net
> Message-ID: <46B382B4.8030909 () vorant com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Correct.  The oinkcode will be the same, and their backend will take
> care of figuring out which rulesets it's good for.
>
>       David
>
> John Hally wrote:
> > Hello All,
> >
> > I recently subscribed to the VRT ruleset (personal subs) to try out. 
> > One question that I couldn't really find a definitive answer on is how
> > to incorporate the download into tools (IDS Policy Mgr).  I typically
> > just put the oinkcode into the download url entry and I'm off and
> > running, but I didn't find an oinkcode specific to the VRT ruleset. 
> > Even generating a new one just generated the same exact oinkcode.  Is
> > the version (subscription or non-subscription) linked based on the
> > oinkcode and I have to do nothing, or is there different download
> > codes/areas I need to use.  I looked all over snort.org and unless I'm
> > just completely missing it...
> >
> > Thanks in advance.
> >
> > JH.
> >
> >
> > ------------------------------------------------------------------------
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 3 Aug 2007 15:43:54 -0400
> From: "Mike Guiterman" <mike.guiterman () sourcefire com>
> Subject: Re: [Snort-users] VRT Rules Subscription ?
> To: "David J. Bianco" <david () vorant com>
> Cc: John Hally <JHally () epnet com>, snort-users () lists sourceforge net
> Message-ID: <46B3857A.3080808 () sourcefire com>
> Content-Type: text/plain;     charset="ISO-8859-1";   format="flowed"
>
>
>
> You do have to update the URL in your oinkmaster conf file to download 
> the subscriber file.
>
> If you're using 2.7 the file name is: snortrules-snapshot-CURRENT_s.tar.gz
>
> If you're using 2.6.x the file name is:
> snortrules-snapshot-2.6_s.tar.gz
>
> regards,
>
> Mike
>
> David J. Bianco wrote:
> > Correct.  The oinkcode will be the same, and their backend will take
> > care of figuring out which rulesets it's good for.
> >
> >     David
> >
> > John Hally wrote:
> > > Hello All,
> > >
> > > I recently subscribed to the VRT ruleset (personal subs) to try out. 
> > > One question that I couldn't really find a definitive answer on is how
> > > to incorporate the download into tools (IDS Policy Mgr).  I typically
> > > just put the oinkcode into the download url entry and I'm off and
> > > running, but I didn't find an oinkcode specific to the VRT ruleset. 
> > > Even generating a new one just generated the same exact oinkcode.  Is
> > > the version (subscription or non-subscription) linked based on the
> > > oinkcode and I have to do nothing, or is there different download
> > > codes/areas I need to use.  I looked all over snort.org and unless I'm
> > > just completely missing it...
> > >
> > > Thanks in advance.
> > >
> > > JH.
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Splunk Inc.
> > > Still grepping through log files to find problems?  Stop.
> > > Now Search log events and configuration files using AJAX and a browser.
> > > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems?  Stop.
> > Now Search log events and configuration files using AJAX and a browser.
> > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -- 
> Mike Guiterman
>
> Snort Community Manager
>
> Sourcefire, Inc.
>
> mguiterman () sourcefire com
>
> (410)423-1930
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 03 Aug 2007 15:46:37 -0400
> From: "David J. Bianco" <david () vorant com>
> Subject: Re: [Snort-users] VRT Rules Subscription ?
> To: Mike Guiterman <mike.guiterman () sourcefire com>
> Cc: John Hally <JHally () epnet com>, snort-users () lists sourceforge net
> Message-ID: <46B3861D.6010605 () vorant com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> True.  I forgot that he might not know that part.  Bad geek!  No cookie!
>
>       David
>
> Mike Guiterman wrote:
> > You do have to update the URL in your oinkmaster conf file to download 
> > the subscriber file.
> >
> > If you're using 2.7 the file name is: snortrules-snapshot-CURRENT_s.tar.gz
> >
> > If you're using 2.6.x the file name is:
> > snortrules-snapshot-2.6_s.tar.gz
> >
> > regards,
> >
> > Mike
> >
> > David J. Bianco wrote:
> > > Correct.  The oinkcode will be the same, and their backend will take
> > > care of figuring out which rulesets it's good for.
> > >
> > >    David
> > >
> > > John Hally wrote:
> > > > Hello All,
> > > >
> > > > I recently subscribed to the VRT ruleset (personal subs) to try out. 
> > > > One question that I couldn't really find a definitive answer on is how
> > > > to incorporate the download into tools (IDS Policy Mgr).  I typically
> > > > just put the oinkcode into the download url entry and I'm off and
> > > > running, but I didn't find an oinkcode specific to the VRT ruleset. 
> > > > Even generating a new one just generated the same exact oinkcode.  Is
> > > > the version (subscription or non-subscription) linked based on the
> > > > oinkcode and I have to do nothing, or is there different download
> > > > codes/areas I need to use.  I looked all over snort.org and unless I'm
> > > > just completely missing it...
> > > >
> > > > Thanks in advance.
> > > >
> > > > JH.
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > >
> > > > -------------------------------------------------------------------------
> > > > This SF.net email is sponsored by: Splunk Inc.
> > > > Still grepping through log files to find problems?  Stop.
> > > > Now Search log events and configuration files using AJAX and a browser.
> > > > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Splunk Inc.
> > > Still grepping through log files to find problems?  Stop.
> > > Now Search log events and configuration files using AJAX and a browser.
> > > Download your FREE copy of Splunk now >>  http://get.splunk.com/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> ------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 15, Issue 4
> ******************************************
-- 
Tom Webb
Information Security Officer
University of South Carolina
803-777-1701


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users