Snort mailing list archives

Re: Snort++ Build 239


From: Russ via Snort-users <snort-users () lists snort org>
Date: Mon, 31 Jul 2017 09:30:04 -0400

Snort++ has new record types for u2 output and no longer outputs the legacy types. I've contacted the barnyard2 folks to work with them on updates.

How are you using barnyard2?  Are you feeding a database?

On 7/29/17 3:50 PM, Jim Campbell wrote:
Sorry, should have included a record from the u2spewfoo output.

(Event)
        Snort ID: 0     Event ID: 207   Seconds: 1501355410.399061
        Policy ID:      Context: 0      Inspect: 0      Detect: 0
        Rule 1:2012887:2        Class: 33       Priority: 1
MPLS Label: 0 VLAN ID: 0 IP Version: 0x44 IP Proto: 255
        Src IP: 192.168.254.2   Port: 62043
        Dst IP: 54.210.126.134  Port: 80
        App Name: none
        Status: allow   Action: dtop

Buffer
        sensor_id: 0    event_id: 207   event_second: 1501355410
        packet_second: 1501355410       packet_microsecond: 399061
        packet_length: 198
[    0] 5B 20 7B 20 22 75 72 6C 22 3A 22 68 74 74 70 3A  [ { "url":"http:
[   16] 2F 2F 64 79 6E 75 70 64 61 74 65 2E 6E 6F 69 70 //dynupdate.noip
[   32] 2E 63 6F 6D 2F 64 75 63 75 70 64 61 74 65 2E 70 .com/ducupdate.p
[   48] 68 70 3F 75 73 65 72 6E 61 6D 65 25 33 64 43 33 hp?username%3dC3
[   64] 41 33 32 36 31 32 34 38 31 25 32 36 68 25 35 62 A32612481%26h%5b
[   80] 25 35 64 25 33 64 6D 61 69 6C 2E 77 34 62 71 70 %5d%3dmail.w4bqp
[   96] 2E 6E 65 74 25 32 36 67 25 35 62 25 35 64 25 33 .net%26g%5b%5d%3
[  112] 64 47 65 6E 65 72 61 6C 25 32 36 69 70 25 33 64 dGeneral%26ip%3d
[  128] 31 37 33 2E 31 38 38 2E 31 37 30 2E 31 38 32 25 173.188.170.182%
[  144] 32 36 70 61 73 73 25 33 64 48 4D 41 43 25 37 62 26pass%3dHMAC%7b
[  160] 31 77 70 63 77 67 65 6E 36 6B 64 76 78 62 6C 66 1wpcwgen6kdvxblf
[  176] 76 72 31 69 65 73 75 64 34 6E 61 25 33 64 25 37 vr1iesud4na%3d%7
[  192] 64 22 20 7D 20 5D                                d" } ]

And the rule that triggered this event:

drop tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; http_client_body; content:"pass=",nocase; classtype:policy-violation; sid:2012887; rev:2; )

Also, my Snort IPS is running inline between my DSL modem and my firewall.

On 7/29/2017 3:09 PM, Jim Campbell wrote:
I built and installed DAQ v.2.2.2 and Snort++ Build 239. I used all the configuration and rules files that had worked with the previous build of Snort.

jim@jim-IPS:~$ sudo /opt/snort/bin/snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0-a4 (Build 239) from 2.9.8-383
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using libpcap version 1.7.4
           Using LuaJIT version 2.0.4
           Using PCRE version 8.40 2017-01-11
           Using ZLIB version 1.2.8
           Using LZMA version 5.1.0alpha
           Using OpenSSL 1.1.0f  25 May 2017
           Using Hyperscan version 4.4.0 2017-07-15

Snort is outputting a Unified2 file and the u2spewfoo output of that file looks normal.

I had stopped and restarted Barnyard2 as part of my updating Snort. Barnyard2 isn't happy and is outputting only the following type record as per /var/log/syslog:

"Jul 29 14:57:42 jim-IPS barnyard2[32016]: WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x94de270], information has not been outputed."

Any thoughts as to what I either didn't do or did incorrectly?

Thanks,

Jim
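Russ's reply points at the cause: Snort++ writes unified2 record types that barnyard2 does not know. One way to confirm that against a real spool file is to walk the unified2 record headers and tally the types. The following is an added example in Python, not code from the thread, from Snort or from barnyard2. The legacy type numbers are the ones from Snort 2's unified2 header; the Snort 3-only type number is not given in the thread, so the sample uses a hypothetical value (999) as a stand-in, and the sample bytes are constructed.

```python
import struct
import sys
from collections import Counter

# Unified2 record header: two big-endian uint32 fields, record type then
# record length (the length does not include the 8-byte header itself).
U2_HEADER = struct.Struct(">II")

# Record types that barnyard2 understands (Snort 2 unified2 types).
LEGACY_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_V2",
    105: "UNIFIED2_IDS_EVENT_IPV6_V2",
    110: "UNIFIED2_EXTRA_DATA",
}


def walk_unified2(data):
    """Return ([(offset, type, payload), ...], truncated).

    Payloads are left opaque; only the headers are interpreted. A record
    whose declared length runs past the end of the data stops the walk
    and is reported as truncation (a spool file still being written, or
    a mis-sized record, looks the same from here).
    """
    records = []
    offset = 0
    truncated = False
    while offset + U2_HEADER.size <= len(data):
        rtype, rlen = U2_HEADER.unpack_from(data, offset)
        start = offset + U2_HEADER.size
        if start + rlen > len(data):
            truncated = True
            break
        records.append((offset, rtype, data[start:start + rlen]))
        offset = start + rlen
    if offset != len(data):
        truncated = True
    return records, truncated


def summarize(data):
    """Count record types and list those outside barnyard2's legacy set."""
    records, truncated = walk_unified2(data)
    counts = Counter(rtype for _, rtype, _ in records)
    unknown = sorted(t for t in counts if t not in LEGACY_TYPES)
    return {
        "counts": dict(counts),
        "unknown_to_barnyard2": unknown,
        "truncated": truncated,
    }


def build_record(rtype, payload):
    """Frame a payload as a unified2 record (used to build the sample)."""
    return U2_HEADER.pack(rtype, len(payload)) + payload


# Constructed sample: a legacy IDS event and packet record with dummy bodies,
# followed by a record of hypothetical type 999 standing in for a record type
# that only Snort 3 emits (the real value is not in the thread).
SAMPLE = (
    build_record(7, b"\x00" * 52)
    + build_record(2, b"\x00" * 28 + b'[ { "url":"http://example.invalid/" } ]')
    + build_record(999, b"\x00" * 16)
)

# Same data with a header that promises 52 bytes but only carries 10.
TRUNCATED_SAMPLE = SAMPLE + U2_HEADER.pack(7, 52) + b"\x00" * 10


if __name__ == "__main__":
    # Usage: python u2types.py /var/log/snort/unified2.log.1501355410
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = SAMPLE
    print(summarize(blob))
```

Any type listed under `unknown_to_barnyard2` is a record barnyard2 will skip or mishandle, which is consistent with the "Called with Event[0x0]" warnings in the syslog excerpt: the packet record arrives without an event record barnyard2 recognised.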


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
