Re: Snort-users Digest, Vol 96, Issue 62

[Friska Ambarita <friskaasnitha () gmail com>]

Hello guys..
need ur help..
I've a research how to make snort as anti netcut ( or anti arpspoofing
attack)
i've looking for many script to configure snort but it didin't works.
anyone knows? or any idea what should i add to my snort  for make it as
anti netcut?
thankyou



2014-05-29 20:03 GMT+07:00 <snort-users-request () lists sourceforge net>:

> Send Snort-users mailing list submissions to
>         snort-users () lists sourceforge net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request () lists sourceforge net
>
> You can reach the person managing the list at
>         snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. Re: How to threshold ALL sigs (waldo kitty)
>    2. Re: How to threshold ALL sigs (waldo kitty)
>    3. Re: blacklist vs black_list :: pulledpork overwrites the
>       files with a list of IP addresses (waldo kitty)
>    4. Re: Snort spikes to 100% CPU followed by network  latency
>       (waldo kitty)
>    5. Re: How to threshold ALL sigs (Joel Esler (jesler))
>    6. Re: How to threshold ALL sigs (Russ Combs (rucombs))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 28 May 2014 22:32:23 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: snort-users () lists sourceforge net
> Message-ID: <53869C37.6080108 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 2:49 PM, Turnbough, Bradley E. wrote:
>
> > After thresholding:
> >
> > sourceipA ------> destipA  ---- Alert A #1 10:29:15
> > sourceipA ------> destipA  ---- Alert A #2 10:29:26 ------ not logged
> (thresholded)
> > sourceipA ------> destipA  ---- Alert A #3 10:29:39 ------ not logged
> (thresholded)
> > sourceipB ------> destipA  ---- Alert A #4 10:29:42
> > sourceipB ------> destipA  ---- Alert A #5 10:29:55 ------ not logged
> (thresholded)
> > sourceipB ------> destipA  ---- Alert A #6 10:30:12------ not logged
> (thresholded)
> > I want to basically write one rule / threshold for this.  I don't want
> to maintain a huge library of thresholds.  Any ideas?
>
> you can threshold in each rule... it isn't called threshold any more,
> though...
>
> eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
> Brute-Force login attempt (1) -- BLOCKED DESTINATION";
> flow:from_server,established; dsize:<100; content:"530 "; depth:4;
> pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
> detection_filter: track by_dst, count 5, seconds 300; sid:100000001;
> rev:5;)
>
> note the "detection_filter" section then follow up in the docs ;)
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 28 May 2014 22:34:05 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: snort-users () lists sourceforge net
> Message-ID: <53869C9D.2040607 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 3:48 PM, Jefferson, Shawn wrote:
> > Yes, but that doesn't work for a SRC<->DEST type suppression.  You can
> only
> > make Snort blind to ALL things from that IP.  You need to use BPF to do a
> > SRC<->DEST suppression (basically not sending that traffic to snort at
> all.)
>
> no ya don't ;)  you've forgotten about "detection_filter" which is what
> the old
> in-rule thresholding is now called...
>
> eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
> Brute-Force login attempt (1) -- BLOCKED DESTINATION";
> flow:from_server,established; dsize:<100; content:"530 "; depth:4;
> pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
> detection_filter: track by_dst, count 5, seconds 300; sid:100000001;
> rev:5;)
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 28 May 2014 22:37:23 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] blacklist vs black_list :: pulledpork
>         overwrites the files with a list of IP addresses
> To: snort-users () lists sourceforge net
> Message-ID: <53869D63.4080206 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 4:47 PM, Steve Crow wrote:
> > Pulledpork is overwriting my blacklist.rules or black_list.rules files
> that
> > normally has rules in it with a list IP addresses. Whichever is listed in
> > snort.conf gets overwritten.
> >
> > Why are there two similarly named rules files.
> > What are their proper uses.
> > How does it need to be specified in snort.conf so that pulledpork doesn't
> > overwrite the rules with IP addresses?
>
> the one named in the reputation blacklist/whitelist section is the one that
> should have IP addresses in it... the other one is the one with rules in
> it...
>
> FWIW: this came up about a year+ ago... at that time, i suggested to VRt
> that
> they rename the reputation blacklist/whitelist files to RP_whitelist and
> RP_blacklist specifically so denote them being related to the reputation
> processor... i recommend you do the same now and leave the other one named
> as it
> is... i don't recall which is which but your snort.conf will tell you ;)
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 28 May 2014 22:39:24 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] Snort spikes to 100% CPU followed by
>         network latency
> To: snort-users () lists sourceforge net
> Message-ID: <53869DDC.2060802 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 5:40 PM, Cody Brugh wrote:
> > Also note that when we see these CPU/latency spikes we have no alerts or
> drops
> > that would easily tell us what is causing the problem. If it's not a
> rule what
> > should I start turning off to try eliminate possible causes?  It's
> something
> > that doesn't log or anything.
>
> what does your traffic look like on the line when this happens? is there
> any?
> are the light blinking? are you using some sort of additional packet
> capturing
> package that you can look at for the periods of high snort CPU usage???
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 29 May 2014 12:44:41 +0000
> From: "Joel Esler (jesler)" <jesler () cisco com>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: waldo kitty <wkitty42 () windstream net>
> Cc: "snort-users () lists sourceforge net"
>         <snort-users () lists sourceforge net>
> Message-ID: <8C2B0696-3F0B-4615-BA8C-DDD338322D78 () cisco com>
> Content-Type: text/plain; charset="windows-1252"
>
> On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net<mailto:
> wkitty42 () windstream net>> wrote:
>
> no ya don't ;)  you've forgotten about "detection_filter" which is what
> the old
> in-rule thresholding is now called...
>
> eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
> Brute-Force login attempt (1) -- BLOCKED DESTINATION";
> flow:from_server,established; dsize:<100; content:"530 "; depth:4;
> pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
> detection_filter: track by_dst, count 5, seconds 300; sid:100000001;
> rev:5;)
>
> kinda.  detection_filter doesn?t limit the number of alerts like threshold
> did.  That?s still threshold.
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 6
> Date: Thu, 29 May 2014 13:03:20 +0000
> From: "Russ Combs (rucombs)" <rucombs () cisco com>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: "Joel Esler (jesler)" <jesler () cisco com>, waldo kitty
>         <wkitty42 () windstream net>
> Cc: "snort-users () lists sourceforge net"
>         <snort-users () lists sourceforge net>
> Message-ID:
>         <6BD6F06B9CA6764DB4E3B905660DEC5E08FE7B79 () xmb-aln-x06 cisco com>
> Content-Type: text/plain; charset="windows-1252"
>
>
> ________________________________
> From: Joel Esler (jesler)
> Sent: Thursday, May 29, 2014 8:44 AM
> To: waldo kitty
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] How to threshold ALL sigs
>
> On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net<mailto:
> wkitty42 () windstream net>> wrote:
>
> no ya don't ;)  you've forgotten about "detection_filter" which is what
> the old
> in-rule thresholding is now called...
>
> eg: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP
> Brute-Force login attempt (1) -- BLOCKED DESTINATION";
> flow:from_server,established; dsize:<100; content:"530 "; depth:4;
> pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
> detection_filter: track by_dst, count 5, seconds 300; sid:100000001;
> rev:5;)
>
> kinda.  detection_filter doesn?t limit the number of alerts like threshold
> did.  That?s still threshold.
>
> * threshold is deprecated:
>
> -- use detection_filter in a rule to prevent it from generating events
> until the limit is reached
>
> -- use event_filter outside a rule to limit the number of events logged
>
> See README.filters for details.
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
> ------------------------------------------------------------------------------
> Time is money. Stop wasting it! Get your web API in 5 minutes.
> www.restlet.com/download
> http://p.sf.net/sfu/restlet
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 96, Issue 62
> *******************************************
------------------------------------------------------------------------------
Time is money. Stop wasting it! Get your web API in 5 minutes.
www.restlet.com/download
http://p.sf.net/sfu/restlet

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!