Snort mailing list archives

Re: Snort-users Digest, Vol 3, Issue 30


From: "flipsdd () sina com" <flipsdd () sina com>
Date: Wed, 23 Aug 2017 15:41:35 +0800

Hello, I have some rules. The keywords are not clear. They are:

1. byte_extract

2. flowbits

3. within:cipsize;

flipsdd () sina com
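Added example rules that are not from the original message, showing the three keywords together in one pair of local rules. They assume a made-up length-prefixed reply on TCP port 44818 (the command bytes, offsets, flowbit name and sids are placeholders for illustration):

```snort
# Added example, not from the original post. Assumed layout: a 2-byte command
# followed by a 2-byte little-endian payload length, on TCP/44818. The flowbit
# name and the sids (local 1000000+ range) are placeholders.

# Rule 1: remember that this session carried a request. flowbits:noalert makes
# the rule state-only, so it never writes an alert by itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 ( \
    msg:"LOCAL example request seen"; \
    flow:to_server,established; \
    content:"|6F 00|"; depth:2; \
    flowbits:set,local.example_request; flowbits:noalert; \
    classtype:not-suspicious; sid:1000001; rev:1; )

# Rule 2: fires on the reply only if rule 1 set the bit earlier in the same
# session. byte_extract reads the 2-byte length that follows the command into
# the variable cipsize; within:cipsize then bounds how far past the previous
# match the next content may appear, using the extracted value instead of a
# fixed number.
alert tcp $HOME_NET 44818 -> $EXTERNAL_NET any ( \
    msg:"LOCAL example reply item bounded by extracted length"; \
    flow:to_client,established; \
    flowbits:isset,local.example_request; \
    content:"|6F 00|"; depth:2; \
    byte_extract:2,0,cipsize,relative,little; \
    content:"|00 00|"; within:cipsize; \
    classtype:protocol-command-decode; sid:1000002; rev:1; )
```

Placing both rules in local.rules and running Snort with -T validates the syntax before they go live.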

From: snort-users-request
Date: 2017-08-23 00:00
To: snort-users
Subject: Snort-users Digest, Vol 3, Issue 30


Today's Topics:

   1. NIPS Rules (Manojit Ghosh)
   2. Re: NIPS Rules (wkitty42 () windstream net)
   3. Re: NIPS Rules (Manojit Ghosh)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Aug 2017 23:55:40 +0530
From: Manojit Ghosh <a46105 () gmail com>
To: snort-users () lists snort org
Subject: [Snort-users] NIPS Rules
Message-ID:
<CAD2+Gzu8bfwC4Hm+YwRFBOo-H+H7fdCXyDKbe7jX9FJ=hvWE+w () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hi,

I have installed Snort 2.9.9.0 on Windows 7 Professional 32-bit and am running
it using the command snort -i 3 -c C:\Snort\etc\snort.conf -A fast. In the
alert.ids file, I see a lot of reset outside window alerts, such as this:
08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:443 -> XXXX:XXXX:XXXX:XXXX:XXXX:57462.
I have reason to believe that these alerts are the result of malicious
activities. I want to protect my network from these attacks. Please provide
me the precise instructions to prevent these attacks, i.e. the rule(s), the
file to place the rule(s) in, & the location of the file.

-- 
Manojit Ghosh
CEO, A Joshing Moth
ajoshingmoth.blogspot.in

*Disclaimer:*
This e-mail contains privileged and confidential information intended
solely for the use of the addressee(s). If you are not the intended
recipient, please notify the sender by e-mail and delete the original
message. Further, you are not to copy, disclose, or distribute this e-mail
or its contents to any other person and any such actions are unlawful. This
e-mail may contain viruses. The sender has taken every reasonable
precaution to minimize this risk, but is not liable for any damage you may
sustain as a result of any virus in this e-mail. You should carry out your
own virus checks before opening the e-mail or attachment. The sender
reserves the right to monitor and review the content of all messages sent
to or from this e-mail address. Messages sent to or from this e-mail
address may be stored on the e-mail system.
*End of Disclaimer*

------------------------------

Message: 2
Date: Mon, 21 Aug 2017 15:18:32 -0400
From: wkitty42 () windstream net
To: snort-users () lists snort org
Subject: Re: [Snort-users] NIPS Rules
Message-ID: <f207dc88-fb29-46f9-bccf-50741dad8499 () windstream net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 08/21/2017 02:25 PM, Manojit Ghosh via Snort-users wrote:
I have installed Snort 2.9.9.0 on windows 7 professional 32 bit and running it 
using the command snort -i 3 -c C:\Snort\etc\snort.conf -A fast. In the 
alert.ids file, I see a lot of reset outside window alerts, such as this, 
08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] 
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:443 -> XXXX:XXXX:XXXX:XXXX:XXXX:57462. I 
have reason to believe that these alerts are the result of malicious activities. 
I want to protect my network from these attacks. Please provide me the precise 
instructions to prevent these attacks, i.e. the rule(s), the file to place the 
rule(s) in, & the location of the file.


if the rule is alerting, then you are already detecting them... if you want to 
block them, add the remote IP to your firewall's blocking list...

but these may not really be attacks... you need to capture the traffic and study 
it to see if it really is an attack... it may be that you need to simply adjust 
your stream5 preprocessor settings in your snort.conf file... search for 
"small_segments" and increase the count if you like... see README.stream5 for 
more information...

FWIW: one thing that I've noted over the years of using snort is that new folks
to snort are now suddenly introduced to what's really going on on their network
and how it really works... many are quite surprised by traffic they had no idea
about... I remember one person freaking out when they discovered how chatty
NETBIOS/NETBEUI is and how often devices using that protocol fight over which
one is going to be the master browser for the network ;)


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


------------------------------

Message: 3
Date: Tue, 22 Aug 2017 11:42:53 +0530
From: Manojit Ghosh <a46105 () gmail com>
To: snort-users () lists snort org
Subject: Re: [Snort-users] NIPS Rules
Message-ID:
<CAD2+Gzv-RoTF4hBp00V1cMh1UKDCcksqo3FTJF9-hcrMi-G9jw () mail gmail com>
Content-Type: text/plain; charset="utf-8"

I was hoping to block them using snort. I am in a wireless network.

-- 
Manojit Ghosh
CEO, A Joshing Moth
ajoshingmoth.blogspot.in


------------------------------

Subject: Digest Footer

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
https://lists.snort.org/mailman/listinfo/snort-users


------------------------------

End of Snort-users Digest, Vol 3, Issue 30
******************************************

Please visit http://blog.snort.org to stay current on all the latest Snort news!
