Snort mailing list archives

Re: Snort 2.9.4.5 rules using pp


From: Ashraf Ali <ashrafali.ibs () gmail com>
Date: Wed, 24 Apr 2013 17:08:14 +0530

I have just

include $RULE_PATH/snort.rules




On Wed, Apr 24, 2013 at 4:49 PM, James Lay <digitalx00 () gmail com> wrote:

I'm assuming you only have something like this:

include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules

in your snort.conf file… and not a bunch of these?  And that rules file you
have should work fine.

James


On Apr 24, 2013, at 12:07 AM, Ashraf Ali <ashrafali.ibs () gmail com> wrote:


Can somebody please check...

Below are some of the rules from the snort.rules file which PP has created.

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:22;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:16;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT Putty Server key exchange buffer overflow attempt"; flow:to_client,established,no_stream; content:"SSH-"; depth:4; isdataat:1000,relative; pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s"; reference:bugtraq,6407; reference:cve,2002-1359; reference:url,www.rapid7.com/advisories/R7-0009.html; classtype:attempted-user; sid:10010; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt"; flow:established,to_server; content:"AP"; nocase; isdataat:256,relative; pcre:"/\sAP[A-Za-z]{4}\s[^\n]{256}/smi"; metadata:policy security-ips drop, service imap; reference:bugtraq,21723; reference:cve,2006-6425; classtype:misc-attack; sid:10011; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CCRP FolderTreeView ActiveX clsid access"; flow:to_client,established; file_data; content:"19B7F2D6-1610-11D3-BF30-1AF820524153"; fast_pattern:only; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19B7F2D6-1610-11D3-BF30-1AF820524153\s*}?\s*\1/si"; metadata:policy security-ips drop, service http; reference:bugtraq,22092; reference:url,ccrp.mvps.org/index.html?controls/ccrpftv6.htm; classtype:attempted-user; sid:10013; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX clsid access"; flow:to_client,established; file_data; content:"EC4CF635-D196-11CE-9027-02608C4BF3B5"; fast_pattern:only; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\4.*\3\.(UpdateRecord)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(UpdateRecord)\(/siO"; metadata:policy security-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10015; rev:13;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX function call access"; flow:to_client,established; file_data; content:"ORADC.ORADCCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\3\s*\.\s*(UpdateRecord)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\7\s*\.\s*(UpdateRecord)\s*\()/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10017; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10018; rev:9;)
\d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; reference:bugtraq,22196; reference:bugtraq,33469; reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10086; rev:10;)


And in the snort.conf file I have the HOME_NET and EXTERNAL_NET variables
configured as below.

ipvar HOME_NET any

ipvar EXTERNAL_NET any

I have manually downloaded the latest snapshot of rules from snort.org and copied some of the rules files into a
single file called new.rules,
then configured snort.conf to use this rule file only and restarted the
snort services. It's working fine: I can see the alerts, and the log file is also
filling up.

But I could not figure out what the problem is with the snort.rules file which PP
has created.

Regards,
Ashraf





On Tue, Apr 23, 2013 at 4:44 PM, James Lay <jlay () slave-tothe-box net> wrote:

Let's see one of the rules, and what do your HOME_NET and EXTERNAL_NET
look like?

James

On Apr 22, 2013, at 10:40 PM, Ashraf Ali <ashrafali.ibs () gmail com> wrote:

Yes, if I use the command (snort -c /usr/local/snort/snort.conf -i eth0
-A) I can see lots of traffic on the console, but nothing is getting dumped
into the log file; it is still 0 bytes.

I did some R&D by creating a file called local.rules in the same rules
folder and added a signature (alert tcp any any -> any any(msg:"Tcp traffic
found" sid:1000001);
In the snort.conf file I put a # before the include statement for the snort.rules
line and added local.rules,
then restarted both the snort and barnyard2 daemons. Guess what, I can see the
log file filling up, and in the GUI I can see the alerts.

There seems to be some problem with the snort.rules file which PP has
created.

Regards,
Ashraf
Security System Engineer.





On Mon, Apr 22, 2013 at 9:37 PM, Y M <snort () outlook com> wrote:

If you run snort with -A console or -A cmg, do you see any alerts on
the console?

Also run tcpdump against the interface you are listening from, simply

tcpdump -i ethX -v

Do you see any traffic? Replace ethX with your interface.
 ------------------------------
From: Ashraf Ali <ashrafali.ibs () gmail com>
Sent: 4/22/2013 3:37 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.9.4.5 rules using pp

Hi All,

Recently I have deployed snort on Ubuntu 12.04 using Autosnort. During
the installation PP asked for an Oinkcode; as I am a registered user I have
provided the same.
After completion of the installation, I have seen that the snort and
barnyard2 services are running in daemon mode, and in the /var/log/snort folder
a file with the name snort.u2.1366**** is also created but empty (0 bytes).

-rw-r--r--  1 snort snort    2056 Apr 22 17:54 barnyard2.waldo
-rw-------  1 snort snort         0 Apr 22 17:54 snort.u2.136662******

There is a single rules file called snort.rules in the
/usr/local/snort/rules folder which has all the downloaded snort rules, and
the same is included in the snort.conf file.
Even when I run snort in test mode using -T, it does not show up
any problem; it's working fine but not generating any logs.

I have formatted the server and re-installed everything manually
this time. Still the same problem: the file is getting created but no logs.

Please advise.

Ashraf
Security System Engineer
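The thread never settles what is wrong with the PulledPork-generated snort.rules, so the practical next step is a quick audit of the file itself: how many rules are actually enabled versus commented out with '#', whether any option block is malformed, and what a rule header becomes once snort.conf's `ipvar HOME_NET any` and `ipvar EXTERNAL_NET any` are substituted. The Python script below is an added example written for this archive page; it is not Snort's or PulledPork's code. Its sample input is constructed from two rules quoted in the thread plus two variants of the local.rules test rule (one with the ';' after msg missing), and every function and variable name is the example's own.

```python
"""Audit a Snort 2.9-style rules file such as the snort.rules that PulledPork
writes: count enabled vs. '#'-disabled rules, flag option blocks that do not
parse, and resolve $HOME_NET / $EXTERNAL_NET from snort.conf ipvar values.
Added example for this mailing-list thread, not Snort's or PulledPork's code;
SAMPLE_RULES is constructed from rules quoted in the thread."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
# An option carrying a quoted value must end right after the closing quote, so
# 'msg:"x" sid:1;' (semicolon missing after msg) fails this pattern.
QUOTED_OPT_RE = re.compile(r'^[A-Za-z_]+\s*:\s*!?\s*"(?:[^"\\]|\\.)*"$')


@dataclass
class Rule:
    enabled: bool
    header: dict
    options: list = field(default_factory=list)  # [(key, value), ...]
    error: str = None


def split_options(body):
    """Split 'k:v; k:v;' on unescaped semicolons that sit outside double quotes."""
    opts, cur, in_q, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep escape pairs (\; \" \n) intact
            cur.append(body[i:i + 2]); i += 2; continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    if in_q:
        raise ValueError("unterminated quoted string")
    tail = "".join(cur).strip()
    if tail:
        raise ValueError("option not terminated by ';': %r" % tail)
    result = []
    for opt in opts:
        if not opt:
            continue
        if '"' in opt and not QUOTED_OPT_RE.match(opt):
            raise ValueError("bad option syntax: %r" % opt)
        key, _, value = opt.partition(":")
        result.append((key.strip(), value.strip()))
    return result


def parse_rule_line(line):
    """Return a Rule for a rule line (enabled or '#'-disabled); None for other lines."""
    text = line.strip()
    enabled = not text.startswith("#")
    if not enabled:
        text = text.lstrip("#").strip()
    m = HEADER_RE.match(text)
    if not m:
        # an uncommented non-rule line is a problem; a plain comment is not
        return Rule(True, {}, error="malformed rule header") if enabled and text else None
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    try:
        return Rule(enabled, header, split_options(m.group("opts")))
    except ValueError as exc:
        return Rule(enabled, header, error=str(exc))


def resolve_vars(header, ipvars, portvars=None):
    """Substitute snort.conf ipvar/portvar values into a parsed header; undefined names stay as written."""
    portvars = portvars or {}
    out = dict(header)
    for key, table in (("src", ipvars), ("dst", ipvars), ("sport", portvars), ("dport", portvars)):
        if out[key].startswith("$"):
            out[key] = table.get(out[key][1:], out[key])
    return out


def audit(text):
    """Summarise a rules file: counts, sids of enabled rules and (line, error) pairs."""
    summary = {"enabled": 0, "disabled": 0, "broken": 0, "enabled_sids": [], "errors": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule_line(line)
        if rule is None:
            continue
        if rule.error:
            summary["broken"] += 1
            summary["errors"].append((lineno, rule.error))
        elif rule.enabled:
            summary["enabled"] += 1
            summary["enabled_sids"].append(dict(rule.options).get("sid"))
        else:
            summary["disabled"] += 1
    return summary


# Constructed sample: two rules quoted in the thread, then the local.rules test
# rule once with the ';' after msg missing and once written correctly.
SAMPLE_RULES = r'''
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:22;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt"; flow:established,to_server; content:"AP"; nocase; isdataat:256,relative; pcre:"/\sAP[A-Za-z]{4}\s[^\n]{256}/smi"; metadata:policy security-ips drop, service imap; reference:bugtraq,21723; reference:cve,2006-6425; classtype:misc-attack; sid:10011; rev:11;)
alert tcp any any -> any any (msg:"Tcp traffic found" sid:1000001;)
alert tcp any any -> any any (msg:"Tcp traffic found"; sid:1000001;)
'''
SNORT_CONF_IPVARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}  # as in the thread's snort.conf

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
    netmail = parse_rule_line(SAMPLE_RULES.splitlines()[2])
    print(resolve_vars(netmail.header, SNORT_CONF_IPVARS))
```

To run it against the real file, call `audit(open("/usr/local/snort/rules/snort.rules").read())`. An enabled count near zero, or a non-empty errors list, points at the rules file rather than at barnyard2 or the unified2 output; a parse error the script reports is also the kind of problem `snort -T` would refuse the configuration for.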





------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring
service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt!
http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
