Snort mailing list archives

Re: help with file bpf and ip 0.0.0.0


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 12 Feb 2016 13:59:19 +0000

Not sure if you saw this before but I sent you a message back on 1/22/16.

Your issue is probably with BASE summarizing events or your logging format. Have you looked at the log files from snort directly and not from within BASE?

Can you run snort with "-Acmg  -H -U -k none" and see if you get any alerts with this address?

I have a rule with ' alert tcp $HOME_NET any -> any any (sid:1000001; msg:"TEST")' using your ' ipvar HOME_NET [192.168.1.66/24]'

I don't get any alerts with 0.0.0.0 in them. I do get a TON of these (see below; I clipped a bunch off), which could mean the output logging is summarizing.


[root@onetwo snort-2.9.8.0-build_229]# ./bin/snort -c etc/ZERO.conf -r etc/ZERO.pcap -Acmg -H -U -k none -q | grep -i TEST
01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896482  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896600  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.184956  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.218249  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.226693  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.246559  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.267310  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.345081  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.354908  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.360292  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.382499  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
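The check Al describes above (read Snort's own one-line alert output rather than the BASE/Snorby summary, and look for the 0.0.0.0 address there) can be scripted. The following is an added example, not code from the thread or from the Snort project: it parses the `-A cmg` / `-A fast` alert line format, counts alerts per signature and per destination, and collects any alert that names 0.0.0.0 on either side. The sample input is constructed for the example (three lines are copied from Al's output above; the 0.0.0.0 line, the ICMP line and the non-alert line are made up).

```python
"""Summarize Snort one-line alerts (-A cmg / -A fast output) directly from
Snort's output and flag any alert that names 0.0.0.0 as source or destination.
"""
import re
from collections import Counter

# One alert per line, as Snort prints with -A cmg or -A fast, e.g.
# 01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
# The [Classification: ...] block is optional; ICMP lines carry no ports.
# IPv4 only, which is what the thread's output shows.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

UNSPECIFIED = "0.0.0.0"


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def summarize(lines):
    """Count alerts per signature and per destination address, and collect
    every alert whose source or destination is 0.0.0.0. Non-alert lines
    (startup banner, statistics) are counted as skipped, not treated as errors."""
    by_sig = Counter()
    by_dst = Counter()
    unspecified = []
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            if line.strip():
                skipped += 1
            continue
        by_sig[(alert["gid"], alert["sid"], alert["msg"])] += 1
        by_dst[alert["dst"]] += 1
        if UNSPECIFIED in (alert["src"], alert["dst"]):
            unspecified.append(alert)
    return {"by_sig": by_sig, "by_dst": by_dst,
            "unspecified": unspecified, "skipped": skipped}


# Constructed sample output: three lines from the thread, one made-up alert
# naming 0.0.0.0, one made-up ICMP alert with a classification, and one
# non-alert line of the kind Snort prints on startup.
SAMPLE_OUTPUT = """\
01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896482  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:40:00.000001  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 64.4.8.0:80 -> 0.0.0.0:51234
01/22-16:40:01.000002  [**] [1:1000002:1] TEST ICMP [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.66 -> 192.168.1.1
Running in IDS mode
"""


if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT.splitlines())
    for (gid, sid, msg), n in result["by_sig"].most_common():
        print(f"[{gid}:{sid}] {msg}: {n} alert(s)")
    for dst, n in result["by_dst"].most_common():
        print(f"dst {dst}: {n} alert(s)")
    for a in result["unspecified"]:
        print(f"0.0.0.0 seen in alert at {a['ts']}: {a['src']} -> {a['dst']}")
    print(f"non-alert lines skipped: {result['skipped']}")
```

Feeding it live output (`snort ... -A cmg -q | python3 summarize_alerts.py` with `sys.stdin` in place of `SAMPLE_OUTPUT.splitlines()`) tells you whether 0.0.0.0 appears in what Snort itself emits; if the script never sees it but the console does, the address is being introduced by the logging output plugin or the console's summarization, which is the distinction Al is drawing.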

From: hernani coelho [mailto:hernani_coelho () msn com]
Sent: Saturday, January 23, 2016 12:49 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help with file bpf and ip 0.0.0.0


I installed Snorby to see alerts,
and I have alerts from src 64.4.8.0 to dst 0.0.0.0.
How can I stop alerts from 64.4.8.0 or to dst 0.0.0.0?
I am sending a photo of Snorby.

thanks

hernani
On 21-01-2016 12:11, Joel Esler (jesler) wrote:
Port 80 is not something you want to ignore, considering that a large number of attacks take place on port 80.

Sent from my iPhone

On Jan 21, 2016, at 6:05 AM, hernani coelho <hernani_coelho () msn com> wrote:

On 20-01-2016 21:52, Joel Esler (jesler) wrote:

On Jan 20, 2016, at 1:10 PM, hernani coelho <hernani_coelho () msn com> wrote:



On 20-01-2016 17:55, wkitty42 () windstream net wrote:

On 01/20/2016 12:03 PM, hernani coelho wrote:

Now I see that if I browse a web page, Snort gives me alerts like this:

#0-(1-7731) [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY 2016-01-20 16:59:34 192.168.1.66:57514 95.172.94.15:80 TCP


Is it safe to ignore port 80?
IMHO, absolutely not...

if you are getting oversize reports like that, you can increase the size of your
oversize_dir_length setting in the http_inspect preprocessor section of your
snort.conf file... we use 750 here but you may need a larger or smaller value
depending on the traffic on your network...


I have lots of alerts from port 80; how can I stop alerts from port 80?

#41-(1-30) [snort <http://www.snort.org/search/sid/129-12>] stream5: TCP Small Segment Threshold Exceeded 2016-01-21 10:46:46 195.23.51.104:80 192.168.1.66:60009 TCP


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
