Snort mailing list archives
Re: Snort-users Digest, Vol 98, Issue 29
From: Chiranjeevi Chekka <chiruch09 () gmail com>
Date: Wed, 16 Jul 2014 19:26:26 +0530
On Jul 10, 2014 10:25 PM, <snort-users-request () lists sourceforge net> wrote:
Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

   1. Re: default snort rules (Abhijit Tikekar)
   2. Re: Snort BPF.filter doesn't work (James Lay)
   3. Re: default snort rules (Jeremy Hoel)

----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Jul 2014 12:37:59 -0400
From: Abhijit Tikekar <abhijittikekar () gmail com>
Subject: Re: [Snort-users] default snort rules
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <CAHFpcLK9z47m5zjHDmNhLV6SKDwSuR2DhW6BztdxWcGsqzipHQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

The $OPTION script and the value in daemon line were missing in snortd. Added those and now I can see the options being used.

    snort 41331 0.5 3.3 579460 269956 ? Ssl 12:25 0:02 /usr/sbin/snort -d -D -i eth2 -u snort -g snort -k none -c /etc/snort/snort.conf -l /var/log/snort/eth2

But no change in snort behavior yet. Started another full scan, included options like DOS, fragmented packets, bad traffic.. nothing recorded in snort.log.

Thanks,
Abhi

On Thu, Jul 10, 2014 at 12:15 PM, Jeremy Hoel <jthoel () gmail com> wrote:

> Humm.. the options should show on the command line when invoked. Did you install snort via tarball or some rpm?
>
> Near the top of the init script I have for snort I see:
>
>     # Source function library.
>     . /etc/rc.d/init.d/functions
>
>     # Source the local configuration file
>     . /etc/sysconfig/snort
>
>     # Convert the /etc/sysconfig/snort settings to something snort can
>     # use on the startup line.
>     if [ "$OPTIONS"X = "X" ]; then
>         OPTIONS="$OPTIONS"
>     fi
>
> Do you have that in yours? Then further down, during the case commands, you should see $OPTIONS in the line with daemon.
>
> On Thu, Jul 10, 2014 at 4:07 PM, Abhijit Tikekar <abhijittikekar () gmail com> wrote:
>
>> Added OPTIONS=" -k none" towards end of /sysconfig/snort and restarted. No errors, but process still doesn't show any new flag, does that look okay?
>>
>>     snort 40088 0.3 3.1 579436 254884 ? Ssl 11:54 0:00 /usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
>>
>> Re-ran the scan.. no activity in snort. The latest snort.log.TIMESTAMP file stays at 0 bytes.
>>
>> Thanks,
>> Abhi
>>
>> On Thu, Jul 10, 2014 at 11:33 AM, Jeremy Hoel <jthoel () gmail com> wrote:
>>
>>> In /etc/sysconfig/snort at the bottom is OPTIONS=" "; add the -k there. If it's not there, add it and that should work and should be picked up from the init script, i.e.:
>>>
>>>     OPTIONS=" -k none "
>>>
>>> On Thu, Jul 10, 2014 at 3:24 PM, Abhijit Tikekar <abhijittikekar () gmail com> wrote:
>>>
>>>> Thanks for the responses. I checked the current snort instance.. it's not running with "-k none"..
>>>>
>>>>     snort 37452 0.3 3.3 579264 273292 ? Ssl 10:47 0:05 /usr/sbin/snort -d -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
>>>>
>>>> How do I add the "-k none" option in the daemon mode? It wasn't there under /etc/sysconfig/snort.
>>>>
>>>> Although, I did find "config checksum_mode: all" under snort.conf.. I changed it from "all" to "none" [ Is this the same as adding -k none? ] and restarted snortd, but it still cannot see any scans from pytbull.
>>>>
>>>> Verified using tcpdump that traffic from pytbull is coming to the interface, and if I edit icmp.rules and add a test "any any" rule, then it starts detecting all icmp packets as "DELETED ICMP Source Quench".. but nothing else.
>>>>
>>>> Not sure if it's a missing snort config param or if the default rules are not tailored for something like pytbull.
>>>>
>>>> Thanks,
>>>> Abhi
>>>>
>>>> On Tue, Jul 8, 2014 at 6:19 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
>>>>
>>>>> On Jul 8, 2014, at 2:27 PM, Abhijit Tikekar <abhijittikekar () gmail com> wrote:
>>>>>
>>>>>> I am a new snort user. Current implementation is snort-2.9.6.1 on CentOS 6.4 along with barnyard and snorby. My question is regarding the ruleset which I downloaded as a registered user. Many of the rule files are empty, e.g., icmp.rules, or ddos.rules. Are these supposed to be empty?
>>>>>
>>>>> Yes, these rules have transitioned to new categories per the policy realignment.
>>>>>
>>>>>> The reason I am asking is because when I used pytbull against snort to test, snort.log never recorded anything. When I add a test icmp rule
>>>>>>
>>>>>>     alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
>>>>>>
>>>>>> then only that is captured by snort, nothing else. How much tuning should I do to my default snort ruleset before noticing any alerts by scans from pytbull etc? Is the default snort implementation capable of detecting such attacks? I enabled all options in pytbull while scanning, e.g. fragmented packets, brute force, shellcodes, DOS etc..
>>>>>>
>>>>>> Ruleset used: snortrules-snapshot-2961.tar.gz
>>>>>
>>>>> Having not tested pytbull myself successfully, I'd say take a look at the Snort FAQ:
>>>>> https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>> Open Source Manager
>>>>> Threat Intelligence Team Lead
>>>>> Vulnerability Research Team
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Open source business process management suite built on Java and Eclipse
>>>>> Turn processes into business applications with Bonita BPM Community Edition
>>>>> Quickly connect people, data, and systems into organized workflows
>>>>> Winner of BOSSIE, CODIE, OW2 and Gartner awards
>>>>> http://p.sf.net/sfu/Bonitasoft
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users () lists sourceforge net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Thu, 10 Jul 2014 10:38:42 -0600
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] Snort BPF.filter doesn't work
To: <snort-users () lists sourceforge net>
Message-ID: <4159715b638fb2bce974e9f57ef699fb@localhost>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2014-07-10 10:25, Robert Millott wrote:

> I understand about the business IP, can you clean up a single line and modify the addresses? I just want to see if there is something wrong with my syntax. My system is also off the internet, so I understand that problem. My bpf.filter has a single line in it:
>
>     not host 192.168.1.1
>
> so I just wanted to see if yours had any different syntax I may be missing out on.
>
> The way I tested it was I added a snort rule to my misc.rules. The rule is
>
>     alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid:99999; rev:1;)
>
> This alert fires constantly whenever I hit the web page on 192.168.1.1. I then fired up snort, adding a -F /etc/snort/bpf.filter to the command line, and looking for alerts. I continue to get alerts on my test rule, which tells me snort isn't ignoring all my traffic to that host. Suggestions?
>
> Yea, I've seen the pfring stuff, and debated switching to it, but it looks like a lot of effort to set up, and I was originally hoping a real simple bpf filter would do what I needed.
>
> Thanx

Please copy and paste an actual alert event text.

James

------------------------------

Message: 3
Date: Thu, 10 Jul 2014 16:52:29 +0000
From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] default snort rules
To: Abhijit Tikekar <abhijittikekar () gmail com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <CAH_p-VP2L02KGQ5DxRFVsvOHV7_fXyE3ceRzFXCixnm=mJJuvA () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Do you have those rules loaded? If you tcpdump -i eth2, do you see the scan traffic?

    cat /var/log/messages | grep snort | grep -i "rules read"

How many rules are you loading? What are your output options in your snort.conf file?

    output unified2: filename snort.u2, limit 128
    output alert_syslog: LOG_LOCAL6 LOG_ALERT

Something like that?

On Thu, Jul 10, 2014 at 4:37 PM, Abhijit Tikekar <abhijittikekar () gmail com> wrote:

> [quoted thread trimmed; it repeats Message 1 above in full]

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest, Vol 98, Issue 29
*******************************************
------------------------------------------------------------------------------ Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
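The quoted thread keeps circling three things: whether the snortd init script sources /etc/sysconfig/snort and passes $OPTIONS on its daemon line, whether "-k none" therefore reached the running command line, and what snort.conf says in "config checksum_mode:" (in Snort 2.x the -k switch and that directive set the same checksum-verification option, so the question in the thread is really which of the two the running instance picked up). The script below is an added example, not code from the digest, from Snort, or from any distribution's snortd; it rebuilds the daemon line the way such an init script does and runs the checks one would otherwise do by eye on ps output. Function names are mine, and the sysconfig, init-script and snort.conf contents are constructed for the demo so it runs without Snort installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort's snortd). It mirrors:
#   1. the init script sourcing /etc/sysconfig/snort and building the daemon line,
#   2. whether "-k none" (from OPTIONS) actually reached the command line,
#   3. what snort.conf says in "config checksum_mode:".
# Function names are mine; all input files below are constructed for the demo.

# Build the command line the way a snortd daemon line would, from a
# sysconfig-style file that sets INTERFACE, CONF, LOGDIR and OPTIONS.
# Defaults match the paths shown in the thread.
build_snort_cmdline() {
    INTERFACE=eth0
    CONF=/etc/snort/snort.conf
    LOGDIR=/var/log/snort
    OPTIONS=""
    . "$1"
    # The init script's 'if [ "$OPTIONS"X = "X" ]; then OPTIONS="$OPTIONS"; fi'
    # changes nothing; what matters is that $OPTIONS appears on the daemon line.
    printf '%s\n' "/usr/sbin/snort -d -D -i $INTERFACE -u snort -g snort $OPTIONS -c $CONF -l $LOGDIR/$INTERFACE"
}

# Return 0 when "<flag> <value>" appear as adjacent words on a command line
# (the check the thread does by eye on the ps output).
has_flag() {
    case " $1 " in
        *" $2 $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the init script's daemon line expands $OPTIONS; the thread's
# snortd was missing exactly this.
daemon_line_uses_options() {
    grep -q 'daemon.*\$OPTIONS' "$1"
}

# Print the value of "config checksum_mode:" from a snort.conf, or "unset".
conf_checksum_mode() {
    mode=$(sed -n 's/^[[:space:]]*config[[:space:]]*checksum_mode:[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# --- demo with constructed inputs ------------------------------------------
demo=$(mktemp -d)
cat > "$demo/sysconfig" <<'EOF'
INTERFACE=eth2
CONF=/etc/snort/snort.conf
LOGDIR=/var/log/snort
OPTIONS=" -k none"
EOF
cat > "$demo/snortd" <<'EOF'
. /etc/sysconfig/snort
daemon /usr/sbin/snort -d -D -i $INTERFACE -u snort -g snort $OPTIONS -c $CONF -l $LOGDIR/$INTERFACE
EOF
cat > "$demo/snort.conf" <<'EOF'
# constructed snort.conf fragment
config checksum_mode: all
output unified2: filename snort.u2, limit 128
EOF

cmd=$(build_snort_cmdline "$demo/sysconfig")
echo "daemon line: $cmd"
if has_flag "$cmd" -k none; then
    echo "OK: -k none reached the command line"
else
    echo "WARN: -k none not on the command line; check \$OPTIONS on the daemon line in snortd"
fi
daemon_line_uses_options "$demo/snortd" && echo "OK: snortd passes \$OPTIONS to daemon"
echo "snort.conf checksum_mode: $(conf_checksum_mode "$demo/snort.conf")"
rm -rf "$demo"
```

Run it as a plain POSIX sh script; pointing build_snort_cmdline at a real /etc/sysconfig/snort and daemon_line_uses_options at the real /etc/rc.d/init.d/snortd reproduces the two checks Jeremy asked for without restarting anything.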
Current thread:
- Re: Snort-users Digest, Vol 98, Issue 29 Chiranjeevi Chekka (Jul 16)
- Re: Snort-users Digest, Vol 98, Issue 29 Joel Esler (jesler) (Jul 16)