Snort mailing list archives

Re: snort 2.9.4.6 not logging

From: Maged Shenouda <maged67 () hotmail com>
Date: Fri, 19 Jul 2013 13:42:03 -0400

Date: Fri, 19 Jul 2013 13:10:17 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.4.6 not logging

On 7/19/2013 08:45, Maged Shenouda wrote:

I changed the snort.conf as follow

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules


this is fine...

preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/RPP_white.rules, \
blacklist $BLACK_LIST_PATH/RPP_black.rules


ok... this is fine now... what was it before?  It was this one whitelist $WHITE_LIST_PATH/white_list.rules, \

blacklist $BLACK_LIST_PATH/black_list.rules

in the /etc/snort/rules I rename the files to RPP_black.rules & RPP_white.rules
but there was another file name blacklist.rules which is listed at the bottom of
the snort.conf file


ok... what does the following command return?

   ls -la /etc/snort/rules/*list*.rules -rwx------ 1 snort snort   1039 Jul 19 09:00 /etc/snort/rules/black_list.rules

-rw-r--r-- 1 snort snort 608573 May 22 15:45 /etc/snort/rules/blacklist.rules
-rwx------ 1 snort snort      0 Jun 17 13:09 /etc/snort/rules/white_list.rules

# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules


what are the contents of this blacklist.rules file? i suspect it may be the one 
that should have renamed as RPP_black.rules...
 Par of the content of the blacklist.rules

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23802; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23799; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; fast_pattern:only; metadata:impact_flag red, 
policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23803; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; fast_pattern:only; metadata:impact_flag red, 
policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23804; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23800; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss 
"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; 
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; 
reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23801; rev:2;)  The black_list.rules is blank


can you see the confusion between black_list.rules and blacklist.rules now? 
which one is which? ;)

there should also be a whitelist.rules OR white_list.rules file for the 
reputation processor... its name should be in the same format as the proper 
black list one for the reputation processor...  in other words...

   white_list.rules
   black_list.rules
 it is white_list.rules

black_list.rules

OR

   whitelist.rules
   blacklist.rules

one of those is proper for the reputation processor... what is the name of your 
white list file? we will see that in the "ls -la" output from above ;)

I restarted the snort but still get the same error

Processing blacklist file /etc/snort/rules/RPP_black.rules
Jul 19 08:13:34 mm-proxy snort[12340]:       (22) =>  Invalid IP Address: alert udp $HOME_NET any ->  any 53 
(msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy 
balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23802; rev:2;)
Jul 19 08:13:34 mm-proxy snort[12340]:       (23) =>  Invalid IP Address: alert udp $HOME_NET any ->  any 53 
(msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy 
balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; 
classtype:trojan-activity; sid:23799; rev:2;)


yes, this shows the format of that file is not the IP or IP/CIDR format 
expected... that file is a standard textual GID:1 rules file... we renamed the 
wrong black_?list.rules file...

All those rules are located in /etc/snort/rules

Here is part of the RPP_black.rules, not sure if this is the correct format

[trim]

yeah, definitely the standard textual rules format... not what the reputation 
processor wants... what was the original name of this file?

 > Date: Thu, 18 Jul 2013 20:47:02 -0400
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 >
 > On 7/18/2013 14:28, Maged Shenouda wrote:
 > > Here is the snort.conf file configuration
 > >
 > > ipvar HOME_NET 192.168.0.0/24
 > > ipvar EXTERNAL_NET any
 > > ipvar SMTP_SERVERS $HOME_NET
 > >
 > > and so on,,,, don't think the format is worng?
 >
 > you are correct... but wait! what are the names of your blacklist and whitelist
 > files as defined for the reputation processor? there is known confusion between
 > (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and
 > that is exacerbated when both sets reside in the same directory...
 >
 > the ones for the reputation processor are in simple IP and/or IP/CIDR format
 > whereas the others are in the standard text rules format... looking closer at
 > the error message, it specifically states "invalid IP address" which leads me to
 > believe that the file name(s) for your reputation processor are incorrect...
 >
 > so, check your snort.conf at the reputation processor and see what those file
 > names are that are specified there... then make sure that those names are /not/
 > included in the list of rules files at the bottom of snort.conf...
 >
 > [HINT: more specifically, one set of file names has an underscore '_' in it and
 > the other does not... watch for this and do not get confused by it...
 >
 > RECOMMENDATION: name the files specific to the reputation processor to something
 > significantly different than the normal textual blacklist rules file... maybe
 > RPP_black.rules and RPP_white.rules where RPP stands for Reputation
 > Preprocessor... anything that is different from the others and will alleviate
 > the confusion]
 >
 >
 > > > Date: Thu, 18 Jul 2013 13:55:36 -0400
 > > > From: wkitty42 () windstream net
 > > > To: snort-users () lists sourceforge net
 > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 > > >
 > > > On 7/18/2013 13:38, Maged Shenouda wrote:
 > > > > Snort logging still not working evev after rmoving the -A -b parameters
 > > > >
 > > > > Any other clue?
 > > >
 > > > looking at the reply below... what is your HOME_NET set to?? have you
fixed it
 > > > to accurately cover your actual protected network(s)??
 > > >
 > > > >
 > >
--------------------------------------------------------------------------------
 > > > > From: jesler () sourcefire com
 > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 > > > > Date: Thu, 18 Jul 2013 11:55:25 -0400
 > > > > To: maged67 () hotmail com
 > > > >
 > > > > No, it looks like you have something messed up in your HOME_NET
 > > > >
 > > > >
 > > > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 () hotmail com
 > > > > <mailto:maged67 () hotmail com>> wrote:
 > > > >
 > > > > Also when snort started, it checked the black list rules and here is
part of
 > > > > system log
 > > > >
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file
 > > /etc/snort/rules/white_list.rules
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0,
 > > invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file
 > > /etc/snort/rules/black_list.rules
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert
 > > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
 > > domaindatajunction.org <http://datajunction.org/> - Gauss "; flow:to_server;
 > > byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|";
fast_pattern:only;
 > > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
 > > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
 > >
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
 > >
<http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
 > > classtype:trojan-activity; sid:23802; rev:2;)
 > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert
 > > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
 > > domainguest-access.net <http://guest-access.net/> - Gauss "; flow:to_server;
 > > byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|";
fast_pattern:only;
 > > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
 > > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
 > >
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
 > >
<http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
 > > classtype:trojan-activity; sid:23799; rev:2;)
 > > > >
 > > > > is there something wrong with the black list rules ??
 > > > >
 > > > >
 > >
--------------------------------------------------------------------------------
 > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
 > > > > From: jesler () sourcefire com <mailto:jesler () sourcefire com>
 > > > > Date: Wed, 17 Jul 2013 12:02:40 -0400
 > > > > CC: lists.sourceforge.net <http://lists.sourceforge.net>
 > > > > snort-users () lists sourceforge net
<mailto:snort-users () lists sourceforge net>
 > > > > To: maged67 () hotmail com <mailto:maged67 () hotmail com>
 > > > >
 > > > > Remove your “-A full -b” from your command line. Those are overriding your
 > > > > unified2 output line in your snort.conf.
 > > > >
 > > > >
 > > > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 () hotmail com
 > > > > <mailto:maged67 () hotmail com>> wrote:
 > > > >
 > > > > I properly configured the snort.conf and installed all the source files
 > > > > for snort, barnyard2, daq...
 > > > > The problem is when I run the snort from the console, I can see that it
 > > > > is working fine but when I run the snort to read the snort.conf it
 > > > > doesn't save the log file at all
 > > > >
 > > > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
 > > > > /etc/snort/snort.conf -l /var/log/snort
 > > > >
 > > > > and off course since there is no log files, barnyard2 read an empty file
 > > > > and does not transfer it so mysql
 > > > >
 > > > > I am using SUSE Linux Enterprise 11 SP1 64bit. Realy need your help with
 > > > > this one
 > > > >
 > > > > Thanks
 >
 >
 >
 > --
 > NOTE: No off-list assistance is given without prior approval.
 > Please keep mailing list traffic on the list unless
 > private contact is specifically requested and granted.
 >
 > ------------------------------------------------------------------------------
 > See everything from the browser to the database with AppDynamics
 > Get end-to-end visibility with application monitoring from AppDynamics
 > Isolate bottlenecks and diagnose root cause in seconds.
 > Start your free trial of AppDynamics Pro today!
 > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
 > _______________________________________________
 > Snort-users mailing list
 > Snort-users () lists sourceforge net
 > Go to this URL to change user options or unsubscribe:
 > https://lists.sourceforge.net/lists/listinfo/snort-users
 > Snort-users list archive:
 > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
 >
 > Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

snort 2.9.4.6 not logging Maged Shenouda (Jul 17)
- Re: snort 2.9.4.6 not logging Joel Esler (Jul 17)
  - Message not available
    - Message not available
    - Re: snort 2.9.4.6 not logging Maged Shenouda (Jul 18)
    - Re: snort 2.9.4.6 not logging waldo kitty (Jul 18)
    - Re: snort 2.9.4.6 not logging Maged Shenouda (Jul 18)
    - Re: snort 2.9.4.6 not logging waldo kitty (Jul 18)
    - Re: snort 2.9.4.6 not logging Maged Shenouda (Jul 19)
    - Re: snort 2.9.4.6 not logging waldo kitty (Jul 19)
    - Re: snort 2.9.4.6 not logging Maged Shenouda (Jul 19)
    - Re: snort 2.9.4.6 not logging Maged Shenouda (Jul 19)
    - Re: snort 2.9.4.6 not logging waldo kitty (Jul 19)
    - Re: snort 2.9.4.6 not logging Maged Shenouda (Jul 19)
    - Re: snort 2.9.4.6 not logging waldo kitty (Jul 19)
    - Message not available
    - FW: snort 2.9.4.6 not logging Maged Shenouda (Jul 23)
    - Re: FW: snort 2.9.4.6 not logging waldo kitty (Jul 23)
    - Re: FW: snort 2.9.4.6 not logging Maged Shenouda (Jul 23)
    - Re: FW: snort 2.9.4.6 not logging waldo kitty (Jul 23)
    - Re: FW: snort 2.9.4.6 not logging Maged Shenouda (Jul 23)