Snort mailing list archives

Re: Snort 2.9.4.5 rules using pp

From: James Lay <digitalx00 () gmail com>
Date: Wed, 24 Apr 2013 05:19:18 -0600

I'm assuming you only have something like this:

include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules

in your snort.conf file…and not a bunch of these?  And that rules file you have should work fine.

James


On Apr 24, 2013, at 12:07 AM, Ashraf Ali <ashrafali.ibs () gmail com> wrote:


Can some body  pls check ...

Below are some the rules from snort.rules file , which PP has created.

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; 
flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:service http; reference:bugtraq,2280; 
reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:22;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; 
flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:policy 
security-ips drop, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; 
sid:1001; rev:16;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT Putty Server key exchange buffer overflow attempt"; 
flow:to_client,established,no_stream; content:"SSH-"; depth:4; isdataat:1000,relative; 
pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s"; reference:bugtraq,6407; 
reference:cve,2002-1359; reference:url,www.rapid7.com/advisories/R7-0009.html; classtype:attempted-user; sid:10010; 
rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow 
attempt"; flow:established,to_server; content:"AP"; nocase; isdataat:256,relative; 
pcre:"/\sAP[A-Za-z]{4}\s[^\n]{256}/smi"; metadata:policy security-ips drop, service imap; reference:bugtraq,21723; 
reference:cve,2006-6425; classtype:misc-attack; sid:10011; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CCRP FolderTreeView ActiveX clsid access"; 
flow:to_client,established; file_data; content:"19B7F2D6-1610-11D3-BF30-1AF820524153"; fast_pattern:only; 
pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19B7F2D6-1610-11D3-BF30-1AF820524153\s*}?\s*\1/si";
 metadata:policy security-ips drop, service http; reference:bugtraq,22092; 
reference:url,ccrp.mvps.org/index.html?controls/ccrpftv6.htm; classtype:attempted-user; sid:10013; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX clsid access"; 
flow:to_client,established; file_data; content:"EC4CF635-D196-11CE-9027-02608C4BF3B5"; fast_pattern:only; 
pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\4.*\3\.(UpdateRecord)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(UpdateRecord)\(/siO";
 metadata:policy security-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10015; 
rev:13;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX function call 
access"; flow:to_client,established; file_data; content:"ORADC.ORADCCtrl"; fast_pattern:only; 
pcre:"/(\w+)\s*=\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\3\s*\.\s*(UpdateRecord)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\7\s*\.\s*(UpdateRecord)\s*\()/smi";
 metadata:policy security-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10017; 
rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt"; 
flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; metadata:policy 
balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; reference:cve,2006-6076; 
reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; 
sid:10018; rev:9;)
\d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO";
 metadata:policy security-ips drop, service http; reference:bugtraq,22196; reference:bugtraq,33469; 
reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10086; rev:10;)


and in the snort.conf file i have HOME_NET AND EXTERNAL_NET variables configured as below.
 
ipvar HOME_NET any

ipvar EXTERNAL_NET any

i have manually downloaded the latest snapshot of rules from snort.org and copied some of the rules files in to a 
single file called new.rules, then configured the snort.conf to use this rule file only, restarted the snort services 
,Its working fine. i can see the alerts , log file is also filling up.

But could not figure out what the problem with snort.rules file which PP has created.

Regards,
Ashraf





On Tue, Apr 23, 2013 at 4:44 PM, James Lay <jlay () slave-tothe-box net> wrote:
Let's see one of the rules, and what sdo your HOME_NET and EXTERNAL_NET look like?

James

On Apr 22, 2013, at 10:40 PM, Ashraf Ali <ashrafali.ibs () gmail com> wrote:

yes, if i use the command (snort -c /usr/local/snort/snort.conf -i eth0 -A)  and can see lots of traffic on the 
console but nothing is getting dump in the log file, it is still 0 Bytes.

i did a R&D , by creating a file called local.rules in the same rules folder and added a signature (alert tcp any 
any -> any any(msg:"Tcp traffic found" sid:1000001);
in the snort.conf file i put a # before include statement of snort.rules line and added local.rules 
later restarted both snort and barnyard2 Deamons , Guess what i can see log file filling up, and in GUI i can see 
the alerts.

There seems to be some problem with the snort.rules file which PP has created.

Regards,
Ashraf
Security System Engineer.


 


On Mon, Apr 22, 2013 at 9:37 PM, Y M <snort () outlook com> wrote:
If you run snort with -A console or -A cmg, do you see any alerts on the console?

Also run tcpdump against the interface you are listening from, simply

tcpdump -i ethX -v

Do you see any traffic? Replace ethX with your interface.
From: Ashraf Ali
Sent: 4/22/2013 3:37 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.9.4.5 rules using pp

Hi All,

recently i have deployed snort in ubuntu 12.04 using Autosnort , during the installation PP asked for Oinkcode ,as i 
am a registered user so i have provided the same.
After completion of the installation, i have seen that snort and barnyard2 services are running in Deamon mode, and 
in /var/log/snort folder a file with name snort.u2.1366**** is also created but empty(0 bytes).

-rw-r--r--  1 snort snort    2056 Apr 22 17:54 barnyard2.waldo
-rw-------  1 snort snort         0 Apr 22 17:54 snort.u2.136662*****

there is a single rules file called snort.rules in /usr/local/snort/rules folder which has all the downloaded snort 
rules, and same is included in the snort.conf file.  
Even i have run the snort in test mode using -T , it does not shows up any problem, its working fine but not 
generating any logs.

I have formated the server , and re-installed every thing manually this time. still the same problem. file is 
getting created but no logs.

pls Advice.

Ashraf
Security System Egnineer

 

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! 
http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! 
http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort 2.9.4.5 rules using pp Ashraf Ali (Apr 22)
- <Possible follow-ups>
- Re: Snort 2.9.4.5 rules using pp Y M (Apr 22)
  - Re: Snort 2.9.4.5 rules using pp Ashraf Ali (Apr 22)
    - Re: Snort 2.9.4.5 rules using pp James Lay (Apr 23)
    - Message not available
    - Message not available
    - Fwd: Snort 2.9.4.5 rules using pp Ashraf Ali (Apr 23)
    - Fwd: Snort 2.9.4.5 rules using pp Ashraf Ali (Apr 23)
    - Re: Fwd: Snort 2.9.4.5 rules using pp waldo kitty (Apr 24)
    - Re: Fwd: Snort 2.9.4.5 rules using pp Ashraf Ali (Apr 24)
    - Re: Snort 2.9.4.5 rules using pp James Lay (Apr 24)
    - Re: Snort 2.9.4.5 rules using pp Ashraf Ali (Apr 24)
    - Re: Snort 2.9.4.5 rules using pp James Lay (Apr 24)