Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort-users Digest, Vol 98, Issue 29

From: Chiranjeevi Chekka <chiruch09 () gmail com>
Date: Wed, 16 Jul 2014 19:26:26 +0530
On Jul 10, 2014 10:25 PM, <snort-users-request () lists sourceforge net> wrote:


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim
your response.

Today's Topics:

   1. Re: default snort rules (Abhijit Tikekar)
   2. Re: Snort BPF.filter doesn't work (James Lay)
   3. Re: default snort rules (Jeremy Hoel)


----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Jul 2014 12:37:59 -0400
From: Abhijit Tikekar <abhijittikekar () gmail com>
Subject: Re: [Snort-users] default snort rules
To: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID:
        <
CAHFpcLK9z47m5zjHDmNhLV6SKDwSuR2DhW6BztdxWcGsqzipHQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

The $OPTION script and the value in daemon line were missing in snortd.
Added those and now I can see the options being used.

snort    41331  0.5  3.3 579460 269956 ?       Ssl  12:25   0:02
/usr/sbin/snort -d -D -i eth2 -u snort -g snort* -k none* -c
/etc/snort/snort.conf -l /var/log/snort/eth2

But no change in snort behavior yet. Started another full scan, included
options like DOS, Fragmented packets, bad traffic.. nothing recorded in
snort.log.

Thanks,

Abhi



On Thu, Jul 10, 2014 at 12:15 PM, Jeremy Hoel <jthoel () gmail com> wrote:


Humm.. the options should show on the command line when invoked.

Did you install snort via tarball or some rpm?

Near the top of the init script i have for snort I see:

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$OPTIONS"X = "X" ]; then
   OPTIONS="$OPTIONS"
fi


do you have that in yours?


Then further down, during the case commands, you should see $OPTIONS in
the line with daemon



On Thu, Jul 10, 2014 at 4:07 PM, Abhijit Tikekar <

abhijittikekar () gmail com

wrote:



Added OPTIONS=" -k none" towards end of /sysconfig/snort and restarted.
No errors, but process still doesn't show any new flag, does that look

okay?


snort    40088  0.3  3.1 579436 254884 ?       Ssl  11:54   0:00
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -c

/etc/snort/snort.conf -l

/var/log/snort/eth2


Re ran the scan.. no activity in snort. The latest snort.log.TIMESTAMP
file stays at 0 bytes.

Thanks,

Abhi


On Thu, Jul 10, 2014 at 11:33 AM, Jeremy Hoel <jthoel () gmail com> wrote:


in /etc/sysconfig/snort at the bottom is OPTIONS=" "   add the -k

there.

If it's not there, add it and that should work and should be picked up

from

the init script.

ie:  OPTIONS=" -k none "


On Thu, Jul 10, 2014 at 3:24 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:


Thanks for the responses.

I checked the current snort instance.. it's not running with "-k

none"..


snort    37452  0.3  3.3 579264 273292 ?       Ssl  10:47   0:05
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -c

/etc/snort/snort.conf -l

/var/log/snort/eth2

How do I add "-k none" option in the daemon mode? It wasn't there

under

/etc/sysconfig/snort

Although, I did find "config checksum_mode: all" under snort.conf.. I
changed it from "all" to "none"  [ Is this the same as adding -k

none? ]


restarted snortd but it still cannot see any scans from pytbull.
Verified using tcpdump that traffic from pytbull is coming to the
interface, and if I edit icmp.rules and add a test "any any" rule,

then it

start detecting all icmp packets as "DELETED ICMP Source Quench".. but
nothing else. Not sure if it's a missing snort config param or if the
default rules are not tailored for something like pytbull.

Thanks,

Abhi



On Tue, Jul 8, 2014 at 6:19 PM, Joel Esler (jesler) <jesler () cisco com



wrote:



 On Jul 8, 2014, at 2:27 PM, Abhijit Tikekar <

abhijittikekar () gmail com>

wrote:

  I am a new snort user. Current implementation is snort-2.9.6.1 on
CentOS 6.4 along with barnyard and snorby. My question is regarding

the

ruleset which I downloaded as a registered user.

 Many of the rule files are empty, e.g, icmp.rules, or ddos.rules.

Are

these supposed to be empty?


 Yes, these rules have transitioned to new categories per the policy
realignment.

 The reason I am asking is because when I used pytbull against snort
to test, snort.log never recorded anything.
When I add a test icmp rule(alert icmp any any -> any any (msg:"ICMP
Packet"; sid:477; rev:3;), then only that is captured by snort,

nothing

else.

 How much tuning should I do to my default snort ruleset before
noticing any alerts by scans from pytbull etc?
Is the default snort implementation capable of detecting such

attacks?

I enabled all options in pytbull while scanning, e.g. Fragmented

packets,

brute force, shellcodes, DOS etc..

 Ruleset used: *snortrules-snapshot-2961.tar.gz*


 having not tested pytbull myself successfully, id say take a look at
the Snort faq.




https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md


 --
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team







------------------------------------------------------------------------------

Open source business process management suite built on Java and

Eclipse

Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!









------------------------------------------------------------------------------

Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Thu, 10 Jul 2014 10:38:42 -0600
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] Snort BPF.filter doesn't work
To: <snort-users () lists sourceforge net>
Message-ID: <4159715b638fb2bce974e9f57ef699fb@localhost>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2014-07-10 10:25, Robert Millott wrote:

I Understand about the business IP, can you clean up a single line
and
modify the addresses? I just want to see if there is something wrong
with my syntax. ?My system is also off the internet, so I understand
that problem. ?My bpf.filter has a single line in it

not host 192.168.1.1

so I just wanted to see if yours had any different syntax I may be
missing out on.

The way I tested it was I added a snort rule to my misc.rules. The
rule is

alert tcp any any -> 192.168.1.1 80 (msg:"My Test Rule"; sid: 99999;
rev: 1)

This alert fires constantly whenever I hit the web page on
192.168.1.1. ?I then fired up snort, adding a -F
/etc/snort/bpf.filter to the command line, and looking for alerts. ?I
continue to get alerts on my test rule, which tells me snort isnt
ignoring all my traffic to that host.

Suggestions? ?

Yea, I ve seen the pfring stuff, and debated switcching to it, but it
looks like allot of effort to set up, and I was originally hoping a
real simple bpf filter would do what I needed.

Thanx



Please copy and past an actual alert event text.

James




------------------------------

Message: 3
Date: Thu, 10 Jul 2014 16:52:29 +0000
From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] default snort rules
To: Abhijit Tikekar <abhijittikekar () gmail com>
Cc: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID:
        <CAH_p-VP2L02KGQ5DxRFVsvOHV7_fXyE3ceRzFXCixnm=
mJJuvA () mail gmail com>
Content-Type: text/plain; charset="utf-8"

do you have those rules loaded?  if you tcpdump -i eth2, do you see the
scan traffic?

cat /var/log/messages |grep snort |grep -i "rules read"

How man rules are you loading.

what are your output options in your snort.conf file?

output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_LOCAL6 LOG_ALERT

something like that?





On Thu, Jul 10, 2014 at 4:37 PM, Abhijit Tikekar <abhijittikekar () gmail com



wrote:


The $OPTION script and the value in daemon line were missing in snortd.
Added those and now I can see the options being used.

snort    41331  0.5  3.3 579460 269956 ?       Ssl  12:25   0:02
/usr/sbin/snort -d -D -i eth2 -u snort -g snort* -k none* -c
/etc/snort/snort.conf -l /var/log/snort/eth2

But no change in snort behavior yet. Started another full scan, included
options like DOS, Fragmented packets, bad traffic.. nothing recorded in
snort.log.

Thanks,

Abhi



On Thu, Jul 10, 2014 at 12:15 PM, Jeremy Hoel <jthoel () gmail com> wrote:


Humm.. the options should show on the command line when invoked.

Did you install snort via tarball or some rpm?

Near the top of the init script i have for snort I see:

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$OPTIONS"X = "X" ]; then
   OPTIONS="$OPTIONS"
fi


do you have that in yours?


Then further down, during the case commands, you should see $OPTIONS in
the line with daemon



On Thu, Jul 10, 2014 at 4:07 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:


Added OPTIONS=" -k none" towards end of /sysconfig/snort and restarted.
No errors, but process still doesn't show any new flag, does that look

okay?


snort    40088  0.3  3.1 579436 254884 ?       Ssl  11:54   0:00
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -c

/etc/snort/snort.conf -l

/var/log/snort/eth2


Re ran the scan.. no activity in snort. The latest snort.log.TIMESTAMP
file stays at 0 bytes.

Thanks,

Abhi


On Thu, Jul 10, 2014 at 11:33 AM, Jeremy Hoel <jthoel () gmail com>

wrote:



in /etc/sysconfig/snort at the bottom is OPTIONS=" "   add the -k
there. If it's not there, add it and that should work and should be

picked

up from the init script.

ie:  OPTIONS=" -k none "


On Thu, Jul 10, 2014 at 3:24 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:


Thanks for the responses.

I checked the current snort instance.. it's not running with "-k
none"..

snort    37452  0.3  3.3 579264 273292 ?       Ssl  10:47   0:05
/usr/sbin/snort -d -D -i eth2 -u snort -g snort -c

/etc/snort/snort.conf -l

/var/log/snort/eth2

How do I add "-k none" option in the daemon mode? It wasn't there
under /etc/sysconfig/snort

Although, I did find "config checksum_mode: all" under snort.conf.. I
changed it from "all" to "none"  [ Is this the same as adding -k

none? ]


restarted snortd but it still cannot see any scans from pytbull.
Verified using tcpdump that traffic from pytbull is coming to the
interface, and if I edit icmp.rules and add a test "any any" rule,

then it

start detecting all icmp packets as "DELETED ICMP Source Quench"..

but

nothing else. Not sure if it's a missing snort config param or if the
default rules are not tailored for something like pytbull.

Thanks,

Abhi



On Tue, Jul 8, 2014 at 6:19 PM, Joel Esler (jesler) <

jesler () cisco com>

wrote:



 On Jul 8, 2014, at 2:27 PM, Abhijit Tikekar <
abhijittikekar () gmail com> wrote:

  I am a new snort user. Current implementation is snort-2.9.6.1 on
CentOS 6.4 along with barnyard and snorby. My question is regarding

the

ruleset which I downloaded as a registered user.

 Many of the rule files are empty, e.g, icmp.rules, or ddos.rules.
Are these supposed to be empty?


 Yes, these rules have transitioned to new categories per the policy
realignment.

 The reason I am asking is because when I used pytbull against snort
to test, snort.log never recorded anything.
When I add a test icmp rule(alert icmp any any -> any any (msg:"ICMP
Packet"; sid:477; rev:3;), then only that is captured by snort,

nothing

else.

 How much tuning should I do to my default snort ruleset before
noticing any alerts by scans from pytbull etc?
Is the default snort implementation capable of detecting such
attacks? I enabled all options in pytbull while scanning, e.g.

Fragmented

packets, brute force, shellcodes, DOS etc..

 Ruleset used: *snortrules-snapshot-2961.tar.gz*


 having not tested pytbull myself successfully, id say take a look
at the Snort faq.




https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md


 --
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team







------------------------------------------------------------------------------

Open source business process management suite built on Java and

Eclipse

Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!









------------------------------------------------------------------------------

Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!









------------------------------------------------------------------------------

Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community

Edition

Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest, Vol 98, Issue 29
*******************************************


------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: