Snort mailing list archives
Re: Snort++ Build 239
From: Russ via Snort-users <snort-users () lists snort org>
Date: Mon, 31 Jul 2017 09:30:04 -0400
Snort++ has new record types for u2 output and no longer outputs the legacy types. I've contacted the barnyard2 folks to work with them on updates.
How are you using barnyard2? Are you feeding a database?

On 7/29/17 3:50 PM, Jim Campbell wrote:
> Sorry, should have included a record from the u2spewfoo output.
>
> (Event)
>   Snort ID: 0  Event ID: 207  Seconds: 1501355410.399061
>   Policy ID:  Context: 0  Inspect: 0  Detect: 0
>   Rule 1:2012887:2  Class: 33  Priority: 1
>   MPLS Label: 0  VLAN ID: 0  IP Version: 0x44  IP Proto: 255
>   Src IP: 192.168.254.2  Port: 62043  Dst IP: 54.210.126.134  Port: 80
>   App Name: none  Status: allow  Action: dtop
>
> Buffer
>   sensor_id: 0  event_id: 207  event_second: 1501355410
>   packet_second: 1501355410  packet_microsecond: 399061  packet_length: 198
>
> [    0] 5B 20 7B 20 22 75 72 6C 22 3A 22 68 74 74 70 3A  [ { "url":"http:
> [   16] 2F 2F 64 79 6E 75 70 64 61 74 65 2E 6E 6F 69 70  //dynupdate.noip
> [   32] 2E 63 6F 6D 2F 64 75 63 75 70 64 61 74 65 2E 70  .com/ducupdate.p
> [   48] 68 70 3F 75 73 65 72 6E 61 6D 65 25 33 64 43 33  hp?username%3dC3
> [   64] 41 33 32 36 31 32 34 38 31 25 32 36 68 25 35 62  A32612481%26h%5b
> [   80] 25 35 64 25 33 64 6D 61 69 6C 2E 77 34 62 71 70  %5d%3dmail.w4bqp
> [   96] 2E 6E 65 74 25 32 36 67 25 35 62 25 35 64 25 33  .net%26g%5b%5d%3
> [  112] 64 47 65 6E 65 72 61 6C 25 32 36 69 70 25 33 64  dGeneral%26ip%3d
> [  128] 31 37 33 2E 31 38 38 2E 31 37 30 2E 31 38 32 25  173.188.170.182%
> [  144] 32 36 70 61 73 73 25 33 64 48 4D 41 43 25 37 62  26pass%3dHMAC%7b
> [  160] 31 77 70 63 77 67 65 6E 36 6B 64 76 78 62 6C 66  1wpcwgen6kdvxblf
> [  176] 76 72 31 69 65 73 75 64 34 6E 61 25 33 64 25 37  vr1iesud4na%3d%7
> [  192] 64 22 20 7D 20 5D                                 d" } ]
>
> And the rule that triggered this event:
>
> drop tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; http_client_body; content:"pass=",nocase; classtype:policy-violation; sid:2012887; rev:2; )
>
> Also, my Snort IPS is running inline between my DSL modem and my firewall.
>
> On 7/29/2017 3:09 PM, Jim Campbell wrote:
>> I built and installed DAQ v.2.2.2 and Snort++ Build 239. I used all the configuration and rules files that had worked with the previous build of Snort.
>>
>> jim@jim-IPS:~$ sudo /opt/snort/bin/snort -V
>>
>>    ,,_     -*> Snort++ <*-
>>   o"  )~   Version 3.0.0-a4 (Build 239) from 2.9.8-383
>>    ''''    By Martin Roesch & The Snort Team
>>            http://snort.org/contact#team
>>            Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using DAQ version 2.2.2
>>            Using libpcap version 1.7.4
>>            Using LuaJIT version 2.0.4
>>            Using PCRE version 8.40 2017-01-11
>>            Using ZLIB version 1.2.8
>>            Using LZMA version 5.1.0alpha
>>            Using OpenSSL 1.1.0f 25 May 2017
>>            Using Hyperscan version 4.4.0 2017-07-15
>>
>> Snort is outputting a Unified2 file and the u2spewfoo output of that file looks normal.
>>
>> I had stopped and restarted Barnyard2 as part of my updating Snort. Barnyard2 isn't happy and is outputting only the following type record as per /var/log/syslog:
>>
>> "Jul 29 14:57:42 jim-IPS barnyard2[32016]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x94de270], information has not been outputed."
>>
>> Any thoughts as to what I either didn't do or did incorrectly?
>>
>> Thanks,
>> Jim
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
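To see concretely why a consumer that only knows the legacy unified2 record types stalls on new Snort++ output, here is an added example (not code from the thread, Snort or barnyard2) that walks a unified2 byte stream, decodes the legacy PACKET record into the same fields u2spewfoo prints in the Buffer section above, and reports any record type it does not recognise instead of dropping it. The legacy type ids come from Snort 2's Unified2_common.h; the type id 9999 in the constructed sample stream is a placeholder, not a real Snort++ type id, and the sample payload is made up.

```python
import struct

# Record type ids from Snort 2's unified2 format (Unified2_common.h); a consumer
# such as barnyard2 that knows only these cannot make sense of new Snort++ types.
LEGACY_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                99: "IDS_EVENT_MPLS", 100: "IDS_EVENT_IPV6_MPLS",
                104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
HEADER = struct.Struct("!II")      # every record: type, length (network byte order)
PACKET_HDR = struct.Struct("!7I")  # sensor_id, event_id, event_second, packet_second,
                                   # packet_microsecond, linktype, packet_length
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def parse_packet(body):
    """Decode a legacy PACKET record body into the fields u2spewfoo prints."""
    rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
    rec["data"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
    return rec

def walk_unified2(stream):
    """Return [(type_name, parsed_record_or_None)] for each record in the stream.
    Unknown types are reported, not silently skipped; a short record stops the walk."""
    out, off = [], 0
    while off + HEADER.size <= len(stream):
        rtype, rlen = HEADER.unpack_from(stream, off)
        body = stream[off + HEADER.size:off + HEADER.size + rlen]
        if len(body) < rlen:                  # file still being written, or corrupt
            out.append(("TRUNCATED", None))
            break
        name = LEGACY_TYPES.get(rtype)
        if name is None:                      # exactly what a legacy-only reader trips on
            out.append((f"UNKNOWN_TYPE_{rtype}", None))
        elif rtype == 2:
            out.append((name, parse_packet(body)))
        else:
            out.append((name, {"length": rlen}))
        off += HEADER.size + rlen
    return out

def build_record(rtype, body):
    return HEADER.pack(rtype, len(body)) + body

# Constructed sample stream: one record of a made-up non-legacy type (9999 is a
# placeholder, not a real Snort++ type id) followed by a legacy PACKET record whose
# header values match the u2spewfoo Buffer output quoted in the thread.
PAYLOAD = b'[ { "url":"http://example.invalid/update.php?user=u%26pass=REDACTED" } ]'
SAMPLE = (build_record(9999, b"\x00" * 16)
          + build_record(2, PACKET_HDR.pack(0, 207, 1501355410, 1501355410,
                                            399061, 1, len(PAYLOAD)) + PAYLOAD))
```

Running `walk_unified2(SAMPLE)` yields an `UNKNOWN_TYPE_9999` entry followed by the decoded PACKET record; pointing it at a real Snort++ unified2 file is a quick way to confirm the record types present before deciding whether an older consumer can read it.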
Current thread:
- Snort++ Build 239 Jim Campbell (Jul 29)
- Re: Snort++ Build 239 Jim Campbell (Jul 29)
- Re: Snort++ Build 239 Russ via Snort-users (Jul 31)
- Re: Snort++ Build 239 Jim Campbell (Jul 31)
- Re: Snort++ Build 239 Jim Campbell (Jul 31)
- Re: Snort++ Build 239 Russ via Snort-users (Aug 07)
- Re: Snort++ Build 239 Marcin Dulak via Snort-users (Aug 07)
- Re: Snort++ Build 239 Jim Campbell (Aug 07)
- Re: Snort++ Build 239 Russ via Snort-users (Aug 07)
- Re: Snort++ Build 239 Jim Campbell (Aug 07)
- Re: Snort++ Build 239 Russ via Snort-users (Aug 07)
- Re: Snort++ Build 239 Jim Campbell (Aug 08)
- Re: Snort++ Build 239 Russ via Snort-users (Aug 09)
- Re: Snort++ Build 239 Russ via Snort-users (Jul 31)
- Re: Snort++ Build 239 Jim Campbell (Jul 29)