Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort-sigs Digest, Vol 76, Issue 14

From: PR <oly562 () gmail com>
Date: Tue, 11 Sep 2012 12:06:36 -0700
in quotes?

also, what im trying to do is log and capture any sid/event from audit
software aimed at this snort server. i wish to capture it all, on base.

base works, but now that i enabled $RULES and removed the entry in
local.rules, when i fire up snort/barnyard2 with the same cmds - here
they are again - its not logging attacks/audits attempts to base
anymore.... i doubt i need to enter in all the stuff i want in
local.rules. that would be hard for me. i should be able to enable the
preproc so rules, regular 2.9.3.1 rules in /etc/snort/rules, so on so
forth... do i need to specify everything i want in snort.conf?
specificially? isn't this a Vanilla snort.conf minus specifying the home
net? or host system?

i need to read the manual for snort now.... 


more to follow... sighs...



On Tue, 2012-09-11 at 13:29 -0400, Joel Esler wrote:

Your HOME_NET should read "ipvar HOME_NET 192.168.1.0/24"

If that's what you are trying to do.

On Sep 11, 2012, at 1:24 PM, PR <oly562 () gmail com> wrote:


when i ran a script, bash simple with 2 lines just like i type them into
the cmdline, it said ipvar 192.168.1.0/24 cant be something... i have
since just ran the cmds one at a time, and i dont see that anymore, but
it said failed or errored... something like that. sorry i missed it...
maybe its in the logs? i cant read the logs as they are in unified
format. i guess... lol....

ls /var/log/snort/
alert                 snort.log.1347321601  snort.log.1347374349
snort.log.1347320873  snort.log.1347325626  snort.log.1347382370
snort.log.1347321584  snort.log.1347346937  snort.log.1347382486
snort.log.1347321592  snort.log.1347347097  snort.log.1347383400

this is what i mean, i can't less them:

less /var/log/snort/snort.log.1347320873 
"/var/log/snort/snort.log.1347320873" may be a binary file.  See it
anyway?

your thoughts?

thanks pete


On Tue, 2012-09-11 at 17:04 +0000,
snort-sigs-request () lists sourceforge net wrote:

Send Snort-sigs mailing list submissions to
   snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
   https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
   snort-sigs-request () lists sourceforge net

You can reach the person managing the list at
   snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

  1. Re: Couple sigs (lists () packetmail net)
  2. Re: Couple sigs (Alex Kirk)
  3. Re: Couple sigs (lists () packetmail net)
  4. Re: Up and Running (Joel Esler)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Sep 2012 10:40:16 -0500
From: "lists () packetmail net" <lists () packetmail net>
Subject: Re: [Snort-sigs] Couple sigs
To: Alex Kirk <akirk () sourcefire com>
Cc: Snort-sigs <snort-sigs () lists sourceforge net>
Message-ID: <504E09E0.3080403 () packetmail net>
Content-Type: text/plain; charset="us-ascii"

On 09/10/12 10:30, Alex Kirk wrote:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION
hidden iframe - potential include of malicious content"; flow:to_client,
established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase;
distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80;
content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
classtype:bad-unknown;)


I've seen \x22 and \x27 being used occasionally to quote the in-line style
declaration.

Cheers,
Nathan




------------------------------

Message: 2
Date: Mon, 10 Sep 2012 12:00:04 -0400
From: Alex Kirk <akirk () sourcefire com>
Subject: Re: [Snort-sigs] Couple sigs
To: "lists () packetmail net" <lists () packetmail net>
Cc: Snort-sigs <snort-sigs () lists sourceforge net>
Message-ID:
   <CABed_ZcRBwOY4tP2-WcSHrQS8RO-5hvqwUbBQfewyxjvaVP+Rg () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

On Mon, Sep 10, 2012 at 11:40 AM, lists () packetmail net <lists () packetmail net

wrote:



On 09/10/12 10:30, Alex Kirk wrote:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any

(msg:"INDICATOR-OBFUSCATION

hidden iframe - potential include of malicious content"; flow:to_client,
established; file_data; content:"<iframe "; nocase; content:"width=1";

nocase;

distance:0; within:50; content:"height=1"; nocase; distance:-40;

within:80;

content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
classtype:bad-unknown;)


I've seen \x22 and \x27 being used occasionally to quote the in-line style
declaration.

Cheers,
Nathan


Which, of course, goes back to the whole issue of "HTML is such a

relatively free-form mockup language that there's a zillion ways to evade
any sort of detection."

If this concept isn't totally blown out of the water by lots of legitimate
web sites using hidden iframes, then it seems to me that the best way to
proceed is to figure out what's the least performance-intensive way of
accounting for all of the potential permutations. This may end up being
several rules, or potentially even a single rule with a PCRE; I'm honestly
agnostic as to how the end result is achieved, so long as it works when
we're done. Long-term, it might even make sense to have additional Snort
functionality to normalize cases like this (i.e. standardize how quotes
appear in a normalized buffer) to make things more sane, but that's
something we'd need to debate fairly extensively within the community
before implementing, I'm sure.

In the meantime, thanks for the input, you make a very good point.

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 3
Date: Mon, 10 Sep 2012 11:09:41 -0500
From: "lists () packetmail net" <lists () packetmail net>
Subject: Re: [Snort-sigs] Couple sigs
To: Alex Kirk <akirk () sourcefire com>
Cc: Snort-sigs <snort-sigs () lists sourceforge net>
Message-ID: <504E10C5.70708 () packetmail net>
Content-Type: text/plain; charset="us-ascii"

On 09/10/12 11:00, Alex Kirk wrote:

single rule with a PCRE


I'm kind of partial to:

file_data; content:"<iframe "; nocase; content:"visibility|3a|hidden";
within:100; nocase; pcre:"/\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]/i";

Not really sure though how to make that one performance friendly since the PCRE
engine may be invoked often.

Either way, good conversation James and Alex, I believe this theme to be very
useful.



------------------------------

Message: 4
Date: Tue, 11 Sep 2012 13:04:35 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-sigs] Up and Running
To: PR <oly562 () gmail com>
Cc: snort-sigs <snort-sigs () lists sourceforge net>
Message-ID: <28EBC923-168A-4444-A8F7-34501E42481E () sourcefire com>
Content-Type: text/plain; charset="us-ascii"

On Sep 11, 2012, at 1:02 PM, PR <oly562 () gmail com> wrote:


4. only thing i see complaining so far was the ipvar option for
192.168.1.0/24, and the No White/Black_list.rules that are there.
maybe perms or chown needed on rules dir?


What complained about the ipvar option for HOME_NET?

But, white and black list rules are not in our standard ruleset at this time.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

End of Snort-sigs Digest, Vol 76, Issue 14
******************************************







------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: