James Lay | 30 Oct 16:19 2014

Snort 2.9.7.0 unable to find daq

Topic says it...

checking for daq_load_modules in -ldaq_static... yes
checking for daq_hup_apply... yes
checking for daq_acquire_with_meta... yes
checking for daq_dp_add_dc... yes
checking for struct _DAQ_DP_key_t.sa.src_ip4... no

    ERROR!  daq library missing C99 patch, upgrade to >=2.0.4, go get it from

Daq-2.0.4 was configured with:

./configure --prefix=/usr

[08:12:18 ids:/usr/lib$] ls -l libdaq*
-rw-r--r-- 1 root root 50834 2014-10-30 07:47 libdaq.a
-rwxr-xr-x 1 root root   909 2014-10-30 07:47 libdaq.la*
lrwxrwxrwx 1 root root    15 2014-10-30 07:47 libdaq.so -> libdaq.so.2.0.4*
lrwxrwxrwx 1 root root    15 2014-10-30 07:47 libdaq.so.2 -> libdaq.so.2.0.4*
-rwxr-xr-x 1 root root 42271 2014-10-30 07:47 libdaq.so.2.0.4*
-rw-r--r-- 1 root root 51852 2014-10-30 07:47 libdaq_static.a
-rwxr-xr-x 1 root root   877 2014-10-30 07:47 libdaq_static.la*
-rw-r--r-- 1 root root 99020 2014-10-30 07:47 libdaq_static_modules.a
-rwxr-xr-x 1 root root   901 2014-10-30 07:47 libdaq_static_modules.la*

from snort config.log:


Sabu Thaliyath | 30 Oct 08:31 2014

Frequency of Compromised Hosts rule updates

Hi,

I was trying to figure out how frequently the 'Compromised Hosts' rule under Emerging Threats is updated.

http://doc.emergingthreats.net/bin/view/Main/CompromisedHost

I tried looking at the changelogs but couldn't figure it out. Can anybody let me know, on average, how frequently this rule is updated?

Regards,

Sabu 

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
C. L. Martinez | 29 Oct 13:00 2014

Debug errors with Openappid and Snort 2.9.7.0

Hi all,

 I have enabled the appid preprocessor on a test host (FreeBSD 10, Snort
2.9.7.0) and it seems to be working correctly, but I see a lot of debug
errors like these:

Oct 29 11:58:22 plzfnsm01 snort[1403]: client
/data/config/etc/idpsnort/common/appid/odp/lua/client_tds.lua: error
validating [string ""]:151: attempt to call global
'getShortHostFormat' (a nil value)
Oct 29 11:58:22 plzfnsm01 snort[1403]: client
/data/config/etc/idpsnort/common/appid/odp/lua/client_tds.lua: error
validating [string ""]:151: attempt to call global
'getShortHostFormat' (a nil value)
Oct 29 11:58:22 plzfnsm01 snort[1403]: client
/data/config/etc/idpsnort/common/appid/odp/lua/client_tds.lua: error
validating [string ""]:151: attempt to call global
'getShortHostFormat' (a nil value)
Oct 29 11:58:30 plzfnsm01 snort[1403]: client
/data/config/etc/idpsnort/common/appid/odp/lua/client_tds.lua: error
validating [string ""]:151: attempt to call global
'getShortHostFormat' (a nil value)

Any idea??


C. L. Martinez | 29 Oct 08:12 2014

Errors initializing Snort with netmap support

Hi all,

 Starting Snort with netmap support in DAQ returns the following error:

FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap
registration for em0 failed: Invalid argument (22)!

DAQ conf:

config daq: netmap
config daq_dir: /opt/daq/lib/daq
config daq_mode: passive
#config daq_var:

Snort startup command is: "snort -D -q -c /etc/snort/snort.conf -i em0"

Do I need to set up something else?? Snort is 2.9.7.0 on a FreeBSD 10 host.


hitesh menghani | 29 Oct 07:05 2014

[Snort] Linux system non-accessible after some time

Hi,

Problem:
The Linux system becomes inaccessible after some time (2-3 hrs) and has to be restarted when traffic is passed through it.

Below are my Linux system details:
1. Kernel version: 2.6.33.3-85
2. Installed snort (2.9.7.0 rc + openappid version 220) for application detection.
3. Queuing traffic to both snort through iptables.

Kernel logs obtained on the console confirm that the issue is with snort-2.9.7.0-rc, based on the pid shown.

Please find the serial console output and remote console output in the attachment.
Waiting for your reply.


Thanks,
Hitesh
BUG: unable to handle kernel NULL pointer dereference at 0000001e
IP: [<c070b1de>] qdisc_calculate_pkt_len+0x8/0x61
*pdpt = 000000003305e001 *pde = 00000000a9cd9067
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.0/0000:01:00.0/net/eth0/broadcast
Modules linked in: tun nfnetlink_queue nfnetlink xt_iprange xt_NFQUEUE xt_MARK xt_mark xt_CONNMARK ipt_REDIRECT xt_multiport ipt_MASQUERADE iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack_ipv6 ip6table_mangle ip6table_filter ip6_tables 8021q garp stp llc ipv6 e1000e iTCO_wdt iTCO_vendor_support i2c_i801 serio_raw i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]

Pid: 13292, comm: snort Not tainted 2.6.33.3-85.fc13.i686.PAE #1 To be filled by O.E.M./To Be Filled By O.E.M.
EIP: 0060:[<c070b1de>] EFLAGS: 00210202 CPU: 1
EIP is at qdisc_calculate_pkt_len+0x8/0x61
EAX: f0909600 EBX: f0909600 ECX: f71c65fc EDX: 00000002
ESI: f0909600 EDI: f71c65a0 EBP: f27b7bc4 ESP: f27b7bb8
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process snort (pid: 13292, ti=f27b6000 task=f3184c80 task.ti=f27b6000)
Stack:
 f0909600 f71c65a0 f71c65a0 f27b7bd4 c06faa2a f0909600 f6af8000 f27b7bf0
<0> c06fbd60 f71c65fc f71c6580 f0909600 f193fc60 f10e7908 f27b7c14 c0722500
<0> 00bd701f 00000000 f193fc50 f193fc00 00000028 f0909600 00bd701f f27b7c20
Call Trace:
 [<c06faa2a>] ? qdisc_enqueue_root+0x1d/0x2a
 [<c06fbd60>] ? dev_queue_xmit+0x2d9/0x3f4
 [<c0722500>] ? ip_finish_output2+0x18e/0x1c6
 [<c0722591>] ? ip_finish_output+0x59/0x5c
 [<c0722819>] ? ip_output+0x74/0x79
 [<c07216d5>] ? dst_output+0x9/0xb
 [<c0713b12>] ? nf_reinject+0xa3/0xe6
 [<f8082427>] ? nfqnl_recv_verdict+0x1cf/0x1e0 [nfnetlink_queue]
 [<f7e5f1ab>] ? nfnetlink_rcv_msg+0x118/0x149 [nfnetlink]
 [<f7e5f0b9>] ? nfnetlink_rcv_msg+0x26/0x149 [nfnetlink]
 [<c0711903>] ? netlink_sendmsg+0x72/0x221
 [<f7e5f093>] ? nfnetlink_rcv_msg+0x0/0x149 [nfnetlink]
 [<c0711130>] ? netlink_rcv_skb+0x30/0x76
 [<f7e5f08c>] ? nfnetlink_rcv+0x1b/0x22 [nfnetlink]
 [<c0710f6f>] ? netlink_unicast+0xbe/0x119
 [<c0711aa5>] ? netlink_sendmsg+0x214/0x221
 [<c06edfad>] ? __sock_sendmsg+0x45/0x4e
 [<c06ee254>] ? sock_sendmsg+0x93/0xa7
 [<c05a6680>] ? might_fault+0x19/0x1b
 [<c05a6680>] ? might_fault+0x19/0x1b
 [<c06f5f38>] ? copy_from_user+0x8/0xa
 [<c06f6246>] ? verify_iovec+0x3e/0x6c
 [<c06ee676>] ? sys_sendmsg+0x187/0x1eb
 [<c041cd0d>] ? lapic_next_event+0x16/0x1a
 [<c045cc40>] ? clockevents_program_event+0xc6/0xd8
 [<c045dac3>] ? tick_dev_program_event+0x2e/0xb4
 [<c0442bfc>] ? irq_exit+0x39/0x5c
 [<c041d687>] ? smp_apic_timer_interrupt+0x6f/0x7d
 [<c078306d>] ? apic_timer_interrupt+0x31/0x38
 [<c06f00d8>] ? alloc_sock_iocb+0x76/0x79
 [<c07815c4>] ? _cond_resched+0x1/0x42
 [<c05a6680>] ? might_fault+0x19/0x1b
 [<c06efe80>] ? sys_socketcall+0x15e/0x1a5
 [<c0782bdc>] ? syscall_call+0x7/0xb
 [<c0780000>] ? acpi_processor_add+0x1f/0x74b
Code: 17 ff ff ff 83 c4 0c 8b 45 f0 89 43 14 f0 ff 8e 80 02 00 00 8b 47 50 eb 02 31 c0 8d 65 f4 5b 5e 5f 5d c3 55 89 e5 57 56 89 c6 53 <8b> 7a 1c 89 d3 8b 4a 0c 03 48 50 85 ff 74 38 0f bf 52 0a 31 c0
EIP: [<c070b1de>] qdisc_calculate_pkt_len+0x8/0x61 SS:ESP 0068:f27b7bb8
CR2: 000000000000001e
---[ end trace 8807d152644ab1c9 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Pid: 13292, comm: snort Tainted: G      D    2.6.33.3-85.fc13.i686.PAE #1
Call Trace:
 [<c0780b4f>] ? printk+0xf/0x18
 [<c0780a8d>] panic+0x39/0xec
 [<c0783c90>] oops_end+0x92/0xa1
 [<c04261c1>] no_context+0x13e/0x148
 [<c04262b7>] __bad_area_nosemaphore+0xec/0xf4
 [<c0784e87>] ? do_page_fault+0x0/0x2fa
 [<c04262cc>] bad_area_nosemaphore+0xd/0x10
 [<c078501b>] do_page_fault+0x194/0x2fa
 [<c0784e87>] ? do_page_fault+0x0/0x2fa
 [<c07832df>] error_code+0x73/0x78
 [<c078007b>] ? acpi_processor_add+0x9a/0x74b
 [<c070b1de>] ? qdisc_calculate_pkt_len+0x8/0x61
 [<c06faa2a>] qdisc_enqueue_root+0x1d/0x2a
 [<c06fbd60>] dev_queue_xmit+0x2d9/0x3f4
 [<c0722500>] ip_finish_output2+0x18e/0x1c6
 [<c0722591>] ip_finish_output+0x59/0x5c
 [<c0722819>] ip_output+0x74/0x79
 [<c07216d5>] dst_output+0x9/0xb
 [<c0713b12>] nf_reinject+0xa3/0xe6
 [<f8082427>] nfqnl_recv_verdict+0x1cf/0x1e0 [nfnetlink_queue]
 [<f7e5f1ab>] nfnetlink_rcv_msg+0x118/0x149 [nfnetlink]
 [<f7e5f0b9>] ? nfnetlink_rcv_msg+0x26/0x149 [nfnetlink]
 [<c0711903>] ? netlink_sendmsg+0x72/0x221
 [<f7e5f093>] ? nfnetlink_rcv_msg+0x0/0x149 [nfnetlink]

bancfc | 28 Oct 22:02 2014

Snort string matching whitelist possible?

Can snort do string matching where the packet payload MUST match a 
certain whitelisted text string and only that?

I want to make sure that nothing malicious is sneaked into the rest of 
the packet besides the allowed data.


Alex McDonnell | 28 Oct 19:32 2014

Re: Snort-users Digest, Vol 101, Issue 41

Hi Ron,

 We have observed alerts on newegg's site for our shellshock rules. It seems that there is some sort of performance tracking that is injecting the pattern that the rule looks for into the URI. At this point, if it is only an aleatory alert on newegg's site we will not be changing the rule, as it has yielded nothing but true positives thus far. Any pcap you have and want to forward along would also be helpful.

Alex McDonnell
TALOS (Formerly VRT)



Message: 3
Date: Mon, 27 Oct 2014 21:04:14 +0000
From: Ron Haines <rhaines <at> grantspassoregon.gov>
Subject: [Snort-users] Shellshock Signatures
To: "snort-users <at> lists.sourceforge.net"
        <snort-users <at> lists.sourceforge.net>
Message-ID: <5C428EDCD67FA1469CBAB808D0472B2074069B23 <at> emperor>
Content-Type: text/plain; charset="us-ascii"

I have been seeing multiple alerts on 1:31977:3 when people visit the Newegg website. This is a community rule and I'm thinking this is a false positive. I have found several instances in the website's code where they use a lot of function calls that have () { in them. This is how the rule is built for 1:31977, 31978, 31975, and 31976. So far, only the 31977 has been triggered from Newegg. If it is a false positive, it's not a big deal. I just wanted to run this by the group to make sure I don't have to look at something else or contact Newegg about this.

Thanks,

Ron Haines
Computer Services Technician
Information Technology
Email: rhaines <at> grantspassoregon.gov
Phone: 541.450.6185


-----------------------------------------------------------

DISCLOSURE: Messages to and from this E-mail address may be subject to Oregon Public Records Law.
-----------------------------------------------------------

Tony Robinson | 28 Oct 17:46 2014

APT28 Snort Signatures

Howdy Howdy. I'm sure many of you are aware of the recent news with APT28. If not, have a look:
http://www.fireeye.com/resources/pdfs/apt28.pdf
https://github.com/fireeye/iocs/tree/master/APT28

I have developed and tested signatures based on the PDF report and the IOCs provided by FireEye. Here is what I have:

# HTTP C2 beacon rules derived from the FireEye APT28 report
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CORESHELL POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/check/"; http_uri; content:"User-Agent|3A| MSIE 8.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:policy security-ips drop, service http; sid:1000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v1 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webhp?rel="; nocase; http_uri; content:"hl="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v2 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/search?btnG="; nocase; http_uri; content:"utm="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OLDBAIT POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/index.php"; fast_pattern:only; http_uri; content:"prefs="; nocase; http_client_body; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:1;)
# DNS query rules for the C2 domains in the FireEye IOC file; the byte_test on the
# flags byte (offset 2) limits matches to standard queries (QR=0, opcode 0)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000004; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS rnil.am"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000005; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS standartnevvs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000006; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS novinitie.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000007; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS n0vinite.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000008; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS qov.hu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000009; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS mail.g0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000010; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS baltichost.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000011; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS nato.nshq.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000012; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS natoexhibitionff14.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000013; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS login-osce.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000014; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS smigroup-online.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000015; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS q0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000016; rev:1;)

Questions? Concerns? Improvements? Feel free to contact me on-list (for everyone's benefit) or modify as you see fit. Also included as an attachment for your convenience.

--
when does reality end? when does fantasy begin?
Attachment (apt28.rules): application/octet-stream, 9 KiB
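As an added example (not part of Tony's post or the FireEye IOCs), the following Python re-implements what the BLACKLIST DNS rules above test: the label-length encoding behind content strings such as |0B|kavkazcentr|04|info, and the byte_test:1,!&,0xF8,2 check that restricts matches to standard queries. The DNS messages it checks are constructed in the code, not captures.

```python
import struct

def snort_dns_content(domain):
    """Render a domain name the way the DNS rules above spell it in their content
    option: each label prefixed by its length as a |XX| hex escape, so that
    'kavkazcentr.info' becomes '|0B|kavkazcentr|04|info' (DNS wire format)."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:          # DNS labels are 1..63 bytes
            raise ValueError("bad DNS label: %r" % label)
        parts.append("|%02X|%s" % (len(label), label))
    return "".join(parts)

def content_to_bytes(content):
    """Turn a Snort content string with |XX XX| hex escapes into raw bytes."""
    out = bytearray()
    pos = 0
    while pos < len(content):
        if content[pos] == "|":
            end = content.index("|", pos + 1)
            out += bytes.fromhex(content[pos + 1:end])
            pos = end + 1
        else:
            out.append(ord(content[pos]))
            pos += 1
    return bytes(out)

def dns_rule_matches(payload, content):
    """Mirror the two conditions of the BLACKLIST DNS rules on a UDP payload:
    byte_test:1,!&,0xF8,2  -> the flags byte at offset 2 has none of the QR and
                              opcode bits set, i.e. this is a standard query;
    content:"..."          -> the label-encoded name occurs anywhere in the payload."""
    if len(payload) < 12:                      # shorter than a DNS header
        return False
    if payload[2] & 0xF8:                      # response (QR=1) or non-standard opcode
        return False
    return content_to_bytes(content) in payload

def build_dns_message(qname, response=False, txid=0x1234):
    """Constructed DNS message (not a capture): an A query for qname, or, with
    response=True, a response header so the byte_test branch can be exercised."""
    flags = 0x8180 if response else 0x0100     # RD only, or QR|RD|RA for a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.strip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

if __name__ == "__main__":
    for domain in ("kavkazcentr.info", "natoexhibitionff14.com", "smigroup-online.co.uk"):
        print(domain, "->", snort_dns_content(domain))
    c = snort_dns_content("kavkazcentr.info")
    print("query matches:", dns_rule_matches(build_dns_message("www.kavkazcentr.info"), c))
    print("response matches:", dns_rule_matches(build_dns_message("kavkazcentr.info", True), c))
```

Note that the content is not anchored at the end of the name, so a query for kavkazcentr.info.example.net would also match; appending |00| (the root label terminator) to the content pins it to the last label of the QNAME.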
Leo Miao | 28 Oct 16:41 2014

Poodle Signatures

Does the latest rule (snortrules-snapshot-2970.tar.gz) include the fix for Poodle vulnerability?

Ron Haines | 27 Oct 22:04 2014

Shellshock Signatures

I have been seeing multiple alerts on 1:31977:3 when people visit the Newegg website. This is a community rule and I’m thinking this is a false positive. I have found several instances in the website’s code where they use a lot of function calls that have () { in them. This is how the rule is built for 1:31977, 31978, 31975, and 31976. So far, only the 31977 has been triggered from Newegg. If it is a false positive, it’s not a big deal. I just wanted to run this by the group to make sure I don’t have to look at something else or contact Newegg about this.

Thanks,

Ron Haines
Computer Services Technician
Information Technology
Email: rhaines <at> grantspassoregon.gov
Phone: 541.450.6185


-----------------------------------------------------------

DISCLOSURE: Messages to and from this E-mail address may be subject to Oregon Public Records Law.

-----------------------------------------------------------

Giancarlo Capone | 27 Oct 15:39 2014

Information Request about snort unix socket (unixSock)

Good morning to all of you,
I'm an Italian student, and I've successfully installed snort as a NIDS on an OpenSuse virtual machine.

Now I'm trying to make snort print alerts to a unix socket. I first tried a perl script that
listens on the unix socket created by snort: it works fine, but I'm only able to catch the "msg"
I've written in the rule, and not other information about the data packet itself. For
instance I'd like to get the source and destination IP addresses, and much other info.

I've read the C code provided in the README.UNSOCK file, but when I try to compile it, there is a problem
because, obviously, the compiler doesn't find the snort.h file. Can you give any suggestion about how
to resolve this issue? I've tried to find this file in the snort folders, but without success.

I'd also like to ask another question, because I also don't understand where in the C code it starts
listening on the unix socket. In the perl code (which I've written at the bottom of this email) I use the
following code: Local => "$ENV{HOME}/snort_alert" to define the location of the unix socket I
want to listen to.

I thank you in advance, and I'm sorry if my English is not so good.

Have a nice day, 
Giancarlo Capone.

PS. I write here the perl script I’ve found on internet: 

#!/usr/bin/perl
# Include the socket libraries
use strict;
use warnings;
use IO::Socket;

# Path of the UNIX datagram socket that Snort's alert_unixsock output writes to
my $sock_path = "$ENV{HOME}/snort_alert";

# This is the template to capture the Alert Name: the first 256 bytes of each
# datagram are the alert message, the rest is kept as one opaque string.
# Edit this to get the additional packet fields.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists
unlink $sock_path;

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => $sock_path)
    or die "Socket: $@";

print STDOUT "Socket Opened ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;

while (1) {
    print STDOUT "\n \n \n Before receive rcv... \n";
    # Each alert arrives as one datagram; a 1024-byte buffer would truncate
    # everything after the message, so read a whole Alertpkt at once.
    recv($client, $data, 65536, 0);
    my @FIELDS = unpack($TEMPLATE, $data);
    # print "@FIELDS \n";
    print "$FIELDS[0] \n";
}

# At termination close up the socket again.
END { unlink $sock_path; }
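As an added example (not the README.UNSOCK code and not Giancarlo's script), here is a Python listener for the same socket that decodes the alert message plus the IP addresses and ports from the packet carried in each datagram. It assumes the layout of Snort's Alertpkt struct from spo_alert_unixsock.h on a 64-bit Linux build (alertmsg[256], struct pcap_pkthdr, five uint32 offsets, then the packet bytes); the field widths are an assumption to check against your own build, and the sample datagram is constructed, not captured.

```python
import os
import socket
import struct
import ipaddress

# Assumed layout of Snort's Alertpkt (spo_alert_unixsock.h) on a 64-bit Linux
# build: alertmsg[256], struct pcap_pkthdr {timeval ts; u32 caplen; u32 len;},
# then u32 dlthdr, nethdr, transhdr, data, val, followed by the packet bytes.
# The timeval widths are platform dependent: compare HDR_LEN with
# sizeof(Alertpkt) minus the packet array on your own build before trusting it.
ALERTMSG_LENGTH = 256
HDR_FMT = "<256sqqIIIIIII"          # msg, tv_sec, tv_usec, caplen, len, dlthdr, nethdr, transhdr, data, val
HDR_LEN = struct.calcsize(HDR_FMT)  # 300 bytes under the assumption above
NOPACKET_STRUCT = 0x1               # val flag: no packet attached to the alert
NO_TRANSHDR = 0x2                   # val flag: no transport header in the packet

def parse_alertpkt(dgram):
    """Decode one unixsock datagram into the fields the 'A256 A*' template cannot reach."""
    if len(dgram) < HDR_LEN:
        raise ValueError("datagram shorter than the Alertpkt header")
    (msg, tv_sec, tv_usec, caplen, _wirelen,
     _dlthdr, nethdr, transhdr, _data, val) = struct.unpack_from(HDR_FMT, dgram, 0)
    alert = {"msg": msg.split(b"\x00", 1)[0].decode("ascii", "replace"),
             "ts": tv_sec + tv_usec / 1e6,
             "proto": None, "src_ip": None, "dst_ip": None,
             "src_port": None, "dst_port": None}
    if val & NOPACKET_STRUCT or caplen == 0:
        return alert
    pkt = dgram[HDR_LEN:HDR_LEN + caplen]   # nethdr/transhdr are offsets into pkt
    ip = pkt[nethdr:nethdr + 20]
    if len(ip) < 20 or ip[0] >> 4 != 4:     # only IPv4 is decoded in this example
        return alert
    alert["proto"] = ip[9]
    alert["src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
    alert["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    if not val & NO_TRANSHDR and ip[9] in (6, 17) and len(pkt) >= transhdr + 4:
        alert["src_port"], alert["dst_port"] = struct.unpack_from("!HH", pkt, transhdr)
    return alert

def build_sample_datagram():
    """Constructed datagram (not captured from Snort): an Ethernet/IPv4/UDP packet
    10.0.0.5:5353 -> 192.0.2.53:53 wrapped in the assumed Alertpkt header."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    udp = struct.pack("!HHHH", 5353, 53, 8 + 4, 0) + b"test"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 53]))
    pkt = eth + ip + udp
    hdr = struct.pack(HDR_FMT, b"TEST sample alert", 1414511321, 0,
                      len(pkt), len(pkt), 0, 14, 34, 42, 0)
    return hdr + pkt

def listen(path, handler=print):
    """Bind the UNIX datagram socket Snort's alert_unixsock output writes to
    (the Perl script above uses $HOME/snort_alert) and hand each decoded alert on."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    try:
        while True:
            dgram, _ = sock.recvfrom(1 << 17)   # a whole Alertpkt arrives as one datagram
            handler(parse_alertpkt(dgram))
    finally:
        sock.close()
        os.unlink(path)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        listen(sys.argv[1])
    else:
        print(parse_alertpkt(build_sample_datagram()))
```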

