Snort mailing list archives

Re: finding which rule

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 25 Jul 2014 14:20:20 +0000

Try:

snort -c /path/to/snort.conf -A console -i eth0

On Jul 25, 2014, at 10:13 AM, Richard Smollett <yawningdogge () gmail com> wrote:

Yes. The file indicated in the snort.conf file is the empty one. I used #locate to to see if there were any others, 
and there was one in my source package that was loaded with rules. I've moved that one to where the snort.conf file 
says it should be. Now I guess it's just a question of finding the correct rule and grooming it. I guess the only 
question from here is... how did snort have awareness of the rule if it wasn't where snort was configured to look for 
it?

I ran snort in console and got this. I'm still in the dark.

root@snort:/etc/snort# snort -A console
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=20844)



On Thu, Jul 24, 2014 at 7:15 PM, Y M <snort () outlook com> wrote:
Date: Thu, 24 Jul 2014 16:10:30 -0400

From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] finding which rule

1. I didn't explicitly put them there, but I've checked all the files against the snort.conf and pulledpork.conf 
files and the files/directories are indeed there.


In an earlier post you suggested the the preprocessor.rules file is empty. Does the file which snort.conf states is 
also empty?

2. Sorry, but I'm not seeing those stats anywhere when I start or stop snort. Do I need a specific tag to generate 
them?


Run Snort in console mode "-A console" and do not use "-q". You will start seeing Snort initializing and loading 
libraries and preprocessors, after that there will a section with "Initializing rule chains...", look for the loaded 
rules stats in this section.


On Thu, Jul 24, 2014 at 4:03 PM, Y M <snort () outlook com> wrote:
Date: Thu, 24 Jul 2014 15:52:50 -0400

From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] finding which rule

I use pulledpork.

1. When you deployed Snort, did you copy all of the necessary files to the respective directories (so_rules, 
preproc_rules, etc.)?
2. When you run Snort, from the run stats, under "Snort rules read", how many preprocessor rules are being loaded?

A correction about my initial post, i said it is sid:2, I should have said sid:1 based on your alert data.



On Thu, Jul 24, 2014 at 3:50 PM, Y M <snort () outlook com> wrote:
Date: Thu, 24 Jul 2014 15:44:24 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] finding which rule


My preprocessor.rules file is blank

How did you copy/install your rules?


On Thu, Jul 24, 2014 at 3:24 PM, Y M <snort () outlook com> wrote:
Date: Thu, 24 Jul 2014 15:02:34 -0400
From: yawningdogge () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] finding which rule

I'm getting a lot of alerts that look like this.

[**] [129:20:1] Snort Alert [129:20:1] [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
07/24-14:15:35.196146 172.28.61.104:22 -> 172.28.61.88:20309
TCP TTL:64 TOS:0x10 ID:59076 IpLen:20 DgmLen:104 DF
***AP*** Seq: 0x8055FA2A  Ack: 0x450C8A09  Win: 0x545  TcpLen: 20

How do I go about finding the rule that generated this alert?

The "[129:20:1]" stands for [GID:SID:REV]. GID with value 129 is generated by the Stream5 preprocessor 
(http://manual.snort.org/node18.html), and the alert sid is 2. You can go with something similar to (assuming you are 
running *nix):

grep "sid: 2; gid: 129" /your/pathto/preproc_rules/preprocessor.rules. Though you may not get the exact content match 
upon which this signature is matching but it has references to CVE/Bugtraq. In general, the alert warns about 
existing payload on a SYN packet, which may be categorized as unusual behavior; ie., sending data on the initial SYN. 
You need to investigate to determine if it is legit or not.

The reason your alert is  showing as "Snort Alert" instead of the actual signature message is that the sid-msg.map is 
not updated with the specific signature information. 

YM

------------------------------------------------------------------------------ Want fast and easy access to all the 
code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the 
same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. 
http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org 
to stay current on all the latest Snort news!


------------------------------------------------------------------------------ Want fast and easy access to all the 
code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the 
same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. 
http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org 
to stay current on all the latest Snort news!


------------------------------------------------------------------------------ Want fast and easy access to all the 
code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the 
same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. 
http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org 
to stay current on all the latest Snort news!


------------------------------------------------------------------------------ Want fast and easy access to all the 
code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the 
same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. 
http://p.sf.net/sfu/bds
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to 
this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org 
to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

finding which rule Richard Smollett (Jul 24)
- Re: finding which rule Y M (Jul 24)
  - Re: finding which rule Richard Smollett (Jul 24)
    - Re: finding which rule Y M (Jul 24)
    - Re: finding which rule Richard Smollett (Jul 24)
    - Re: finding which rule Y M (Jul 24)
    - Re: finding which rule Richard Smollett (Jul 24)
    - Re: finding which rule Y M (Jul 24)
    - Re: finding which rule Richard Smollett (Jul 25)
    - Re: finding which rule Joel Esler (jesler) (Jul 25)
    - Re: finding which rule waldo kitty (Jul 25)
- Re: finding which rule James Lay (Jul 24)