Snort mailing list archives

REMOVE


From: Daniel Holt <dholt () icsi com>
Date: Mon, 25 Sep 2017 12:41:17 +0000



Daniel Holt |Office: 410 280 3000 x108 | Fax:410-280-3001
1612 McGuckian Street | Annapolis, MD 21401
www.icsi.com | www.annapolisgeeks.com


Email support () icsi com for any technical assistance


-----Original Message-----
From: Snort-users [mailto:snort-users-bounces () lists snort org] On Behalf Of snort-users-request () lists snort org
Sent: Saturday, September 23, 2017 12:00 PM
To: snort-users () lists snort org
Subject: Snort-users Digest, Vol 4, Issue 22

Send Snort-users mailing list submissions to
        snort-users () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists snort org

You can reach the person managing the list at
        snort-users-owner () lists snort org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.


Today's Topics:

   1. Re: Misc UPNP Attak on my two network devices (a modem and a
      routeur) (wkitty42 () windstream net)
   2. Re: Question (wkitty42 () windstream net)
   3. Re: Question (Jim Campbell)
   4. Re: Question (William Pearson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Sep 2017 12:44:16 -0400
From: wkitty42 () windstream net
To: snort-users () lists snort org
Subject: Re: [Snort-users] Misc UPNP Attak on my two network devices
        (a modem and a routeur)
Message-ID: <7000dc65-048d-06c3-a199-84640622dfa7 () windstream net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 09/21/2017 03:26 PM, Dorian ROSSE wrote:
I have a Misc UPNP Attack on my two network devices (a modem and a router); also, how do I stop these attacks from IP 239.255.255.250:1900?

generally that's not an attack... that's generally the destination IP... it is a broadcast IP specifically for service 
discovery... see here for an explanation...


https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol


if you think you're part of that 2014 DDoS, you should look to your device 
manufacturers for a fix...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


------------------------------

Message: 2
Date: Fri, 22 Sep 2017 12:47:53 -0400
From: wkitty42 () windstream net
To: snort-users () lists snort org
Subject: Re: [Snort-users] Question
Message-ID: <90ddfd6f-caf8-4756-f492-9f34c7f57e42 () windstream net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 09/22/2017 11:46 AM, William Pearson wrote:
I'm using BASE, and the results snort is giving me are beyond vague. I presume 
this is an issue with the rules and preprocessing. I couldn't care less about 
what preprocessor is being used. I'm singularly interested in the actual rule. 
Why won't it show me the message field in the actual rules?

[snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO CONTENT-LENGTH 
OR TRANSFER-ENCODING IN HTTP RESPONSE


in this example, the all CAPS /is/ the msg portion of the rule... however, 
preprocessors are slightly different in that the rules are written into the code 
of snort... kind of like the shared object rules... generally speaking, their 
msg contents cannot be changed like the text based rules that are used...


are you, perhaps, looking for the actual GID:SID of the rule? to us, that's more 
important than the msg text...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


------------------------------

Message: 3
Date: Fri, 22 Sep 2017 17:25:06 -0400
From: Jim Campbell <jim () w4bqp net>
To: William Pearson <william () cnsp net>, snort-users () lists snort org
Subject: Re: [Snort-users] Question
Message-ID: <16a09599-1e18-6c3e-7ba2-ba10159477e7 () w4bqp net>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Will,

If you hover your cursor over the [snort 
<http://www.snort.org/search/sid/120-3>] at the beginning of the Alert, 
you will see the GID-SID at the bottom of the page.

Jim

On 9/22/2017 11:46 AM, William Pearson wrote:
I'm using BASE, and the results snort is giving me are beyond vague. I 
presume this is an issue with the rules and preprocessing. I couldn't 
care less about what preprocessor is being used. I'm singularly 
interested in the actual rule. Why won't it show me the message field 
in the actual rules?

[snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO 
CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE


Will





_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------

Message: 4
Date: Fri, 22 Sep 2017 16:26:44 -0600
From: William Pearson <william () cnsp net>
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Question
Message-ID:
        <CAJEJux0ubtcmDVQqscsukuMgHHuGQSFhemeN+HyMtu8t+LURiQ () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Jim,

Yeah, I know, but it's much easier to manage if it lists things by the msg
in the rule.

So, for example this rule,

alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC
Ransomware Tracker Reported CnC Server TCP group 86"; flags:S;
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$

I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group
86" in BASE.

Will







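The thread turns on two places a msg can come from: text rules carry it inline (sid keyed), while preprocessor alerts such as 120:3 keep their msg in the gen-msg.map file Snort ships, not in a rule. The script below, an added example that is not code from any of the participants, parses constructed samples of both into one GID:SID to msg table and resolves keys in the "120-3" form BASE links to; the sid values in the sample rules are placeholders, not the real ET sids.

```python
import re
# Constructed sample in the format of the gen-msg.map file Snort ships
# (gid || sid || msg), which carries the fixed msg text of preprocessor alerts
# such as GID 120 (http_inspect). 120:3 is from the thread; 999:1 is made up.
GEN_MSG_MAP = """\
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
999 || 1 || example: CONSTRUCTED PREPROCESSOR MESSAGE
"""
# Constructed text rules; the sid values are placeholders, not the real ET sids.
RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 86"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; classtype:trojan-activity; sid:2000001; rev:1;)
alert tcp any any -> any 80 (msg:"Quoted \\"inch\\" mark test"; sid:2000002; rev:1;)
alert tcp any any -> any 443 (msg:"rule without sid is skipped";)
"""
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')  # tolerates \" inside msg
SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")

def parse_rules(text):
    """Map (gid, sid) -> msg for text rules; gid defaults to 1 when absent."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg, sid, gid = (r.search(line) for r in (MSG_RE, SID_RE, GID_RE))
        if not (msg and sid):  # a rule without msg and sid cannot be keyed
            continue
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        table[key] = msg.group(1).replace('\\"', '"')  # unescape \" in msg
    return table

def parse_gen_msg_map(text):
    """Map (gid, sid) -> msg from gen-msg.map lines (preprocessor alerts)."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            gid, sid, msg = (f.strip() for f in line.split("||", 2))
            table[(int(gid), int(sid))] = msg
    return table

def lookup(key, table):
    """Resolve 'gid:sid', 'gid-sid' (the form in BASE's snort.org link) or a bare sid."""
    parts = [int(p) for p in re.split(r"[:-]", key.strip())]
    gid, sid = (1, parts[0]) if len(parts) == 1 else (parts[0], parts[1])
    return table.get((gid, sid))

# Preprocessor GIDs never collide with text-rule GID 1, so one table serves both.
TABLE = {**parse_gen_msg_map(GEN_MSG_MAP), **parse_rules(RULES)}
```

Pointed at a real rules directory and the installed gen-msg.map, the same table is what a front end needs to show the msg text next to each GID:SID instead of only the link.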




------------------------------



------------------------------

End of Snort-users Digest, Vol 4, Issue 22
******************************************

