Snort mailing list archives

Re: Snort-users Digest, Vol 66, Issue 25


From: Matthew Meersman <mmeersman () ndi org>
Date: Wed, 30 Nov 2011 15:42:28 -0500

On 11/30/11, snort-users-request () lists sourceforge net
<snort-users-request () lists sourceforge net> wrote:
Send Snort-users mailing list submissions to
      snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
      snort-users-request () lists sourceforge net

You can reach the person managing the list at
      snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim
your response.

Today's Topics:

   1. CanSecWest 2012 Mar 7-9; 2nd call for papers, closes next
      week, Monday. Dec 5 2011 (Dragos Ruiu)
   2. Re: Some alerts not logging packet data (James Lay)
   3. How to best do DB *and* syslog logging? (Miguel Alvarez)
   4. Re: How to best do DB *and* syslog logging? (Joel Esler)
   5. Re: How to best do DB *and* syslog logging? (Eoin Miller)
   6. Re: How to best do DB *and* syslog logging? (beenph)
   7. Re: How to best do DB *and* syslog logging? (Martin Holste)


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Nov 2011 17:59:54 -0800
From: Dragos Ruiu <dr () kyx net>
Subject: [Snort-users] CanSecWest 2012 Mar 7-9; 2nd call for papers,
      closes next week, Monday. Dec 5 2011
To: snort-users () lists sourceforge net
Message-ID: <201111291759.54537.dr () kyx net>
Content-Type: text/plain;  charset="iso-8859-1"

So after a dozen years or so organizing conferences, you
get the urge to pull levers and try experimenting with
things. So this year I sent out the CanSecWest CFP
only over Twitter, and G+ publicly. Just curious as to the
adoption and information dispersion rate, and some
estimate of the attention these newer channels are getting.

So after this experiment I hear about people having
submissions and missing the CFP. So for my control set,
here is the normal announce message to different e-mail
lists. We'll do a Second CanSecWest CFP, but a brief one.
Send us your proposal by the end of Monday next week,
December 5, 2011.

The questions and information needed is the same as
usual (see website), also for my curiosity could you
include:

12. Where did you hear about the CFP from?

cheers,
--dr

--
World Emerging Security Technology
Vancouver, March 7-9  http://cansecwest.com
pgpkey http://cansecwest.com/ kyxpgp



------------------------------

Message: 2
Date: Wed, 30 Nov 2011 07:08:37 -0700
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] Some alerts not logging packet data
To: Snort <snort-users () lists sourceforge net>
Message-ID: <CAFB85A8.EA48%jlay () slave-tothe-box net>
Content-Type: text/plain; charset="us-ascii"

Haven't received much on this, so I thought I'd try and add some more info.
Here's the hit:
11/27-10:52:18.548118  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers
[**] [Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2] {TCP} INT_IP:51126 -> EX_IP:25


u2spewfoo output:
(Event)
        sensor id: 0    event id: 1312  event second: 1322416338        event microsecond: 548118
        sig id: 2       gen id: 138     revision: 1      classification: 35
        priority: 2     ip source: IN_IP     ip destination: EXT_IP
        src port: 51126 dest port: 25   protocol: 6     impact_flag: 0  blocked: 0

There's no information in the tcpdump.log file.

Not sure whether this matters or not, but here are the SMTP-relevant entries:
preprocessor smtp: ports { 25 465 587 691 } \
    inspection_type stateful \
    b64_decode_depth 0 \
    qp_decode_depth 0 \
    bitenc_decode_depth 0 \
    uu_decode_depth 0 \
    log_mailfrom \
    log_rcptto \
    log_filename \
    log_email_hdrs \
    normalize cmds \
    normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
    normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
    normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
    normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    max_command_line_len 512 \
    max_header_line_len 1000 \
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
    valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
    valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
    valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    xlink2state { enabled }

Does anyone have any hints or ideas?  Thank you.

James
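The thread never gets an answer to why this gid 138 alert has no packet behind it. The script below is an added diagnostic, not code from the thread or from Snort, barnyard2 or u2spewfoo: it walks a unified2 spool and lists every IDS event record that has no UNIFIED2_PACKET record sharing its (sensor_id, event_id, event_second) triple, which is the key u2spewfoo and barnyard2 use to pair the two. The record layouts are Snort 2.9's unified2 IPv4 event (type 7) and packet (type 2) structures; the sample spool, the 10.0.0.x addresses and the first event's sid 2000001 are constructed for the example, while event 1312 reuses the ids from the u2spewfoo output above.

```python
"""List unified2 events that have no packet record behind them.

Added example, not from the thread or from Snort/barnyard2/u2spewfoo.
Record layouts follow Snort 2.9's unified2 format; the sample spool at the
bottom is constructed inline so the script runs offline.
"""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Unified2IDSEvent_legacy (52 bytes, network byte order):
#   sensor_id, event_id, event_second, event_microsecond, signature_id,
#   generator_id, signature_revision, classification_id, priority_id (9 x u32),
#   ip_source, ip_destination (4 bytes each), sport_itype, dport_icode (u16),
#   protocol, impact_flag, impact, blocked (u8)
IDS_EVENT_FMT = ">9I4s4sHHBBBB"
# Unified2Packet header (28 bytes) followed by packet_length bytes of frame:
#   sensor_id, event_id, event_second, packet_second, packet_microsecond,
#   linktype, packet_length
PACKET_HDR_FMT = ">7I"


def iter_records(data):
    """Yield (record_type, payload) for each record; every record starts
    with a big-endian u32 type and u32 length header."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % (off - 8))
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(payload):
    """Decode a type-7 event into a dict with the fields u2spewfoo prints."""
    f = struct.unpack(IDS_EVENT_FMT, payload[:struct.calcsize(IDS_EVENT_FMT)])
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "sig_id": f[4], "gen_id": f[5],
        "revision": f[6], "classification": f[7], "priority": f[8],
        "src_ip": socket.inet_ntoa(f[9]), "dst_ip": socket.inet_ntoa(f[10]),
        "src_port": f[11], "dst_port": f[12], "protocol": f[13],
        "blocked": f[16],
    }


def events_without_packets(data):
    """Return the events in a unified2 spool that no packet record refers to."""
    events = {}
    have_packet = set()
    for rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event(payload)
            events[(ev["sensor_id"], ev["event_id"], ev["event_second"])] = ev
        elif rtype == UNIFIED2_PACKET:
            # The first three header fields are the pairing key.
            have_packet.add(struct.unpack_from(">3I", payload, 0))
    return [ev for key, ev in events.items() if key not in have_packet]


# --- constructed sample spool (not a real capture) ---------------------------

def _record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body


def _event(event_id, second, gen_id, sig_id, src, dst, sport, dport):
    body = struct.pack(IDS_EVENT_FMT, 0, event_id, second, 548118, sig_id, gen_id,
                       1, 35, 2, socket.inet_aton(src), socket.inet_aton(dst),
                       sport, dport, 6, 0, 0, 0)
    return _record(UNIFIED2_IDS_EVENT, body)


def _packet(event_id, second, frame):
    hdr = struct.pack(PACKET_HDR_FMT, 0, event_id, second, second, 548118, 1, len(frame))
    return _record(UNIFIED2_PACKET, hdr + frame)


# Event 1311 (made-up rule sid 2000001) has a packet record; event 1312 mirrors
# the thread's gid 138 / sid 2 alert and has none. 60 zero bytes stand in for a frame.
SAMPLE_SPOOL = (
    _event(1311, 1322416300, 1, 2000001, "10.0.0.5", "10.0.0.25", 51120, 25)
    + _packet(1311, 1322416300, b"\x00" * 60)
    + _event(1312, 1322416338, 138, 2, "10.0.0.5", "10.0.0.25", 51126, 25)
)

if __name__ == "__main__":
    import sys
    spool = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    for ev in events_without_packets(spool):
        print("no packet record for event %(event_id)d gid %(gen_id)d sid %(sig_id)d "
              "%(src_ip)s:%(src_port)d -> %(dst_ip)s:%(dst_port)d" % ev)
```

Run it with the path of a spool file as its only argument (with no argument it uses the constructed sample). An event that shows up in its output never had a packet record written by Snort, so nothing downstream, neither barnyard2's tcpdump output nor a console, can show one; that separates a sensor-side cause from a spool-reader problem before touching the preprocessor configuration.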



------------------------------

Message: 3
Date: Wed, 30 Nov 2011 09:45:00 -0700
From: Miguel Alvarez <miguellvrz9 () gmail com>
Subject: [Snort-users] How to best do DB *and* syslog logging?
To: Snort Users <snort-users () lists sourceforge net>
Message-ID:
      <CAMCxHFTm8wv_bJCFJ-s8KW+ETw2s2nJ+zWfuSWc7XfFxmrrbFg () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Right now, I'm logging my snort alerts back to a syslog server but I'd
like to start playing with Snorby.  Please correct me if I'm wrong but
I think the ideal way to do this would be to log via unified2 and use
barnyard to send the alert data to snorby's DB but I can't lose my
syslog functionality.  I really wish barnyard was able to do this on
non-Windows boxes!  But what would be the best way to achieve this
short of running two separate snort instances?



------------------------------

Message: 4
Date: Wed, 30 Nov 2011 11:53:19 -0500
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
To: Miguel Alvarez <miguellvrz9 () gmail com>
Cc: Snort Users <snort-users () lists sourceforge net>
Message-ID: <C1B2AFFC-E894-455B-B636-705922F50873 () sourcefire com>
Content-Type: text/plain; charset=us-ascii

Snorby reads the unified2 file directly.  No need for barnyard2

J

On Nov 30, 2011, at 11:45 AM, Miguel Alvarez wrote:

Right now, I'm logging my snort alerts back to a syslog server but I'd
like to start playing with Snorby.  Please correct me if I'm wrong but
I think the ideal way to do this would be to log via unified2 and use
barnyard to send the alert data to snorby's DB but I can't lose my
syslog functionality.  I really wish barnyard was able to do this on
non-Windows boxes!  But what would be the best way to achieve this
short of running two separate snort instances?




------------------------------

Message: 5
Date: Wed, 30 Nov 2011 16:55:16 +0000
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
To: snort-users () lists sourceforge net
Message-ID: <4ED65FF4.4050105 () trojanedbinaries com>
Content-Type: text/plain; charset=ISO-8859-1

Barnyard2 does multiple outputs simultaneously.

http://www.securixlive.com/barnyard2/

-- Eoin

On 11/30/2011 4:45 PM, Miguel Alvarez wrote:
Right now, I'm logging my snort alerts back to a syslog server but I'd
like to start playing with Snorby.  Please correct me if I'm wrong but
I think the ideal way to do this would be to log via unified2 and use
barnyard to send the alert data to snorby's DB but I can't lose my
syslog functionality.  I really wish barnyard was able to do this on
non-Windows boxes!  But what would be the best way to achieve this
short of running two separate snort instances?






------------------------------

Message: 6
Date: Wed, 30 Nov 2011 14:03:17 -0500
From: beenph <beenph () gmail com>
Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
To: Miguel Alvarez <miguellvrz9 () gmail com>
Cc: barnyard2-users () googlegroups com,      Snort Users
      <snort-users () lists sourceforge net>
Message-ID:
      <CAFU9AX91KN3zDfoa8dQTzsu5z+B9mvODzm4YrD5mRzaB+DEqAQ () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 () gmail com>
wrote:
Right now, I'm logging my snort alerts back to a syslog server but I'd
like to start playing with Snorby.  Please correct me if I'm wrong but
I think the ideal way to do this would be to log via unified2 and use
barnyard to send the alert data to snorby's DB but I can't lose my
syslog functionality.  I really wish barnyard was able to do this on
non-Windows boxes!  But what would be the best way to achieve this
short of running two separate snort instances?

If you need local syslog and forward them, barnyard2 currently supports
this on Windows and non-Windows systems.

If you need remote syslog logging,

you can access the feature in its current branch via

https://github.com/binf/barnyard2/tree/RemoteSyslogFix

Also,
if you look in the provided barnyard2.conf you can see an output plugin
conf example.

Note that it uses a slightly different logging message format from the
default Snort format,
but you have the possibility to configure field delimiters and
separators from the config file.

Configuration example for remote syslog
# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
# This output module provides the ability to output alert information to local syslog
#
# severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
# facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
# output alert_syslog
# output alert_syslog: LOG_AUTH LOG_INFO
#
# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# detail $detail_threshold - specify full/complete log reporting or only summaries.
# delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
# separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514

If you have barnyard2 related questions, you're also welcome to send them
over to the by2 MLs.

-elz
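Eoin's and beenph's answers together give the shape of the setup Miguel asked for: one barnyard2 reading the unified2 spool and fanning it out to several outputs at once. The fragment below is a constructed example added here, not the thread's or barnyard2's shipped barnyard2.conf. The paths, the hostname, the interface, the database credentials and the 192.0.2.10 collector are placeholders; `alert_syslog` and `alert_syslog_full` are the two output plugins described in the quoted conf comments, the latter from the branch beenph links.

```conf
# Constructed barnyard2.conf fragment (added example, not the thread's or
# barnyard2's own shipped config). Every path, name and credential below
# is a placeholder.

# Maps so the database and syslog outputs carry rule messages and classifications
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Identifies this sensor in every output
config hostname:  sensor1
config interface: eth1

# Bookmark so a restart resumes where it left off instead of replaying the spool
config waldo_file: /var/log/snort/barnyard2.waldo

# One input: the unified2 spool Snort writes
input unified2

# Output 1: the database Snorby reads (placeholder credentials)
output database: log, mysql, user=snorby password=CHANGEME dbname=snorby host=127.0.0.1

# Output 2: local syslog, facility then severity (alert_syslog from the quoted conf)
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# Output 3: the remote syslog collector (syslog_full from the quoted conf)
output alert_syslog_full: sensor_name sensor1-eth1, server 192.0.2.10, protocol udp, port 514

# Started as (placeholder paths):
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D
```

Because every `output` line is fed from the same unified2 read, the three destinations see the same events without a second Snort instance; the syslog lines from `alert_syslog_full` are formatted differently from Snort's own `alert_syslog` output, as beenph notes, so a collector that parses them needs its pattern adjusted, or the delimiters and separators set to match.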



------------------------------

Message: 7
Date: Wed, 30 Nov 2011 13:32:41 -0600
From: Martin Holste <mcholste () gmail com>
Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
To: beenph <beenph () gmail com>
Cc: barnyard2-users () googlegroups com,      Snort Users
      <snort-users () lists sourceforge net>
Message-ID:
      <CANpnLHj=mPnts5iGNPQ1MScVFoouw4KFR8S-=9jC=VWYB6RE9w () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

It's tough to beat Snorby for just Snort data, but if you'd also like
your console to contain URL data and router/server logs, and since
you're already doing syslog, you may want to check out my ELSA
project: http://code.google.com/p/enterprise-log-search-and-archive/ .

On Wed, Nov 30, 2011 at 1:03 PM, beenph <beenph () gmail com> wrote:
On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 () gmail com>
wrote:
Right now, I'm logging my snort alerts back to a syslog server but I'd
like to start playing with Snorby.  Please correct me if I'm wrong but
I think the ideal way to do this would be to log via unified2 and use
barnyard to send the alert data to snorby's DB but I can't lose my
syslog functionality.  I really wish barnyard was able to do this on
non-Windows boxes!  But what would be the best way to achieve this
short of running two separate snort instances?

If you need local syslog and forward them, barnyard2 currently supports
this on Windows and non-Windows systems.

If you need remote syslog logging,

you can access the feature in its current branch via

https://github.com/binf/barnyard2/tree/RemoteSyslogFix

Also,
if you look in the provided barnyard2.conf you can see an output plugin
conf example.

Note that it uses a slightly different logging message format from the
default Snort format,
but you have the possibility to configure field delimiters and
separators from the config file.

Configuration example for remote syslog
# alert_syslog
# ----------------------------------------------------------------------------
#
# Purpose:
# This output module provides the ability to output alert information to local syslog
#
# severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
# facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#
# Examples:
# output alert_syslog
# output alert_syslog: LOG_AUTH LOG_INFO
#
# syslog_full
#-------------------------------
# Available as both a log and alert output plugin. Used to output data via TCP/UDP
# Arguments:
# sensor_name $sensor_name - unique sensor name
# server $server - server the device will report to
# protocol $protocol - protocol device will report over (tcp/udp)
# port $port - destination port device will report to (default: 514)
# detail $detail_threshold - specify full/complete log reporting or only summaries.
# delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
# separators - define field separator included in each message ex: " ", will use space as field separator. (default: [:space:])
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
# output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
# output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514

If you have barnyard2 related questions, you're also welcome to send them
over to the by2 MLs.

-elz

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!




------------------------------


------------------------------



End of Snort-users Digest, Vol 66, Issue 25
*******************************************


-- 
Sent from my mobile device


***********************************************************

Matthew Meersman

Senior Systems Engineer

National Democratic Institute for International Affairs

455 Mass. Ave., NW, Eighth Floor

Washington, DC 20001-2621

Direct:                  (202) 728-5621

Main:                    (202) 728-5500

Cell:                      (202) 302-1594

Fax:                      (202) 728-5523

Email:                   mmeersman () ndi org


