Richard Smollett | 27 Aug 15:52 2014

trouble with inline mode

IP setup looks like this.

root <at> snort:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
          inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:472894 errors:5 dropped:15 overruns:0 frame:0
          TX packets:15266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129789824 (123.7 MiB)  TX bytes:2332609 (2.2 MiB)
          Interrupt:10 Base address:0xd020

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:438796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:962 (962.0 B)  TX bytes:123829936 (118.0 MiB)
          Interrupt:9 Base address:0xd240

The eth0 interface is the outside and eth1 is inside. I'm starting snort with this command.

snort --daq afpacket -i eth0:eth1 --daq-mode inline -c /etc/snort/snort.conf

But I still cannot ping an inside host from the outside. I can ping between the Snort device and inside/outside hosts. If I ping an inside host from the outside, tcpdump shows the ICMP echo request arriving but no reply. The inside host IP is 192.168.123.2.

Can anyone recommend some other troubleshooting steps or suggest where I may have left anything out of the setup?
------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Bad so_rules on file snortrules-snapshot-2961.tar.gz

Hi guys, I'm having some trouble with the latest rule file from yesterday.

The so_rules from that file are not updated like they should be. Instead, they are the old files from the 5th of August.

Joel, can you confirm this?

Thanks!!!

Bankole Agunbiade | 27 Aug 10:54 2014

Urgent

I am in dying need of ideas regarding my thesis, which has to do with Snort as an IDS (the topic is: evaluation of IDS with Snort as a case study). I have done the basic experimental setup of Snort in VMware and configured Snort to generate logs and alerts, which has worked perfectly well, but I was asked to dig deeper and do more complicated and interesting experiments with Snort, like working on its vulnerabilities or finding means of visualising Snort rules and all of that.

I have been looking for ideas on what direction to take my work, but I have not found much, so I am wondering if you could expose me to more about Snort and point me in a direction to go.

Many Thanks

Bankole
Kevin Ross | 26 Aug 11:09 2014

OpenFPC Daemonlogger Segfault Through OpenFPC

Hi,

I know this is an older tool which isn't supported, but I use it for ease of integration into Snorby, and also because it stores to disk and then fetches on request, which makes it better for my sensors, as PCAP solutions like Moloch are just too resource intensive. So I would appreciate any help kindly given (or suggestions for another suitable, maintained PCAP option similar in nature).

My systems were updated recently and were fine; now, following a reboot, daemonlogger segfaults when run through OpenFPC, so I am not able to get PCAPs. If I run daemonlogger directly, say with just daemonlogger -i eth1, it is fine and logs PCAPs, but when using openfpc -a start it says it starts, then status shows it stopped, and /var/log/messages shows a segfault error with the same memory location and details on each system:

System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]
System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]

Running the queue daemon in debug mode is fine and shows nothing, but I have no idea how to debug daemonlogger through OpenFPC. Some other points:

- Daemonlogger version 1.2.1 (latest version installed)
- Latest OpenFPC
- System running CentOS 6.4
- SELinux: tried relabel, disabled, etc.

Thank you for any help in advance.

Kindest Regards,
Kevin Ross
Scott Schweitzer | 25 Aug 23:12 2014

10GbE & 40GbE Support for Multiple Parallel Snort Instances


If you are seeking a method to support multiple parallel instances of Snort on a 10GbE or 40GbE interface, you might want to consider Solarflare's SolarCapture on their Flareon adapter line. SolarCapture has an application clustering feature that supports N instances of Snort, up to the total number of cores in the server, and then uses Receive Flow Steering (an advanced form of RSS) to spread flows across cores (based on a tuple hash).

It also can make a single copy of the incoming traffic so you can sniff packets into a libpcap-compliant, clustered Snort environment while still delivering the packets to the kernel for their initial destination. To learn more check out this link, or contact me for the User's Guide.

-- Scott Schweitzer

kinomakino | 25 Aug 19:54 2014

two outputs

First, thanks for everything.
I wonder if I can have two outputs for Snort, one to write to /var/log/snort/alert and another output for barnyard2.
This is how I start Snort now:
./snort -i eth0 -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Thank you !!!

Y M | 24 Aug 16:24 2014

Re: Snort 2.9.6.2 inline mode problem

How are you testing/connecting the client (icmp echo request sender), the sensor, and the receiver of the icmp? The NICs that Snort is using to receive --> pass/drop --> forward traffic should be inline with no IP addresses. From your description, it seems that you are using the same interface to ping the box as well as do the IPS work.

P.S.: Please respond to the list and not only to myself. It's a mutual benefit.

YM

Date: Sun, 24 Aug 2014 14:00:20 +0200
Subject: Re: [Snort-users] Snort 2.9.6.2 inline mode problem
From: demonsdebason <at> gmail.com
To: snort <at> outlook.com

The same behavior when running with 'eth1:eth2'.
Yeah, the interfaces are in promiscuous, silly me.
Any ideas?


On Sun, Aug 24, 2014 at 7:34 AM, Y M <snort <at> outlook.com> wrote:

inline.
Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason <at> gmail.com
To: snort-users <at> lists.sourceforge.net
Subject: [Snort-users] Snort 2.9.6.2 inline mode problem


Hi all.
I've been working on my Snort IPS for some time now.
I noticed that 'drop' rules are working half-way; I have set a test rule to drop ICMP coming to the sensor from the local machine:
drop icmp 192.168.1.2 any -> 192.168.1.1 any (msg: "Test rule"; sid:110011;)

Alerts get logged and I can view them via BASE, but when I ping from .2 to .1 I get this:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.269 ms
From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.

When I shut down Snort it's all fine:
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
+++++++++++++++++++++++++++
snort    41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00 /usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none
+++++++++++++++++++++++++++

# Looks like you have double colons "eth1::eth2", as opposed to one colon "eth1:eth2". Not sure if the double colons are causing the partial drops.


snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

++++++++++++++++++++++++++
snort.conf:

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=1024


I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts.
Do you have any idea what is the issue here?

# Does Snort log the requests or replies or both? I would imagine that if the NIC is promiscuous, then it would still see the requests.


--
Aut viam inveniam aut faciam
:wq!




--
Aut viam inveniam aut faciam
:wq!
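A pre-flight check for the afpacket inline setups discussed in Richard's post (interfaces carrying IP addresses) and YM's reply (the eth1::eth2 spelling), written as an added example; it is not code from either poster or from the Snort project, and the function names are my own. It parses the -i pair spec and the ifconfig output quoted in Richard's post, and reports bridge members that still have an IP address.

```python
"""Pre-flight check for a Snort afpacket inline bridge (added example).
Flags a malformed -i pair spec such as "eth1::eth2" and IP addresses
left on the bridged NICs, which an inline sensor should not carry."""
import re

# ifconfig output copied from Richard's post, trimmed to the relevant lines.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
          inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
"""

IFACE_RE = re.compile(r"^[A-Za-z][\w.-]*$")


def parse_afpacket_pairs(spec):
    """Split a Snort -i argument into (a, b) bridge pairs.
    afpacket takes one "a:b" per bridge with "::" between bridges, e.g.
    "eth0:eth1::eth2:eth3"; "eth1::eth2" is therefore two lone interfaces."""
    pairs = []
    for group in spec.split("::"):
        names = group.split(":")
        if len(names) != 2 or not all(IFACE_RE.match(n) for n in names):
            raise ValueError(f"bad afpacket pair {group!r}; expected 'ethA:ethB'")
        pairs.append((names[0], names[1]))
    return pairs


def parse_ifconfig(text):
    """Return {interface: [IPv4 addresses]} from classic ifconfig output."""
    addrs, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():        # new interface stanza
            current = line.split()[0]
            addrs.setdefault(current, [])
        elif current is not None:
            m = re.search(r"inet addr:(\S+)", line)   # does not match "inet6 addr:"
            if m:
                addrs[current].append(m.group(1))
    return addrs


def check_inline_bridge(spec, ifconfig_text):
    """Return a list of findings; an empty list means the bridge looks sane."""
    try:
        pairs = parse_afpacket_pairs(spec)
    except ValueError as exc:
        return [str(exc)]
    addrs = parse_ifconfig(ifconfig_text)
    findings = []
    for pair in pairs:
        for iface in pair:
            if iface not in addrs:
                findings.append(f"{iface} not present in ifconfig output")
            elif addrs[iface]:
                findings.append(f"{iface} carries {addrs[iface]}; "
                                "inline bridge members should have no IP address")
    return findings


if __name__ == "__main__":
    for spec in ("eth0:eth1", "eth1::eth2"):
        print(spec, "->", check_inline_bridge(spec, SAMPLE_IFCONFIG) or ["ok"])
```

Run against a live box, feed it the real ifconfig output and the exact -i string from the snort command line; an empty result means only that the two problems raised in the thread are absent, not that the bridge forwards.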
Debason Shockre | 24 Aug 05:02 2014

Snort 2.9.6.2 inline mode problem

Hi all.
I've been working on my Snort IPS for some time now.
I noticed that 'drop' rules are working half-way; I have set a test rule to drop ICMP coming to the sensor from the local machine:
drop icmp 192.168.1.2 any -> 192.168.1.1 any (msg: "Test rule"; sid:110011;)

Alerts get logged and I can view them via BASE, but when I ping from .2 to .1 I get this:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.269 ms
From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.

When I shut down Snort it's all fine:
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
+++++++++++++++++++++++++++
snort    41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00 /usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none
+++++++++++++++++++++++++++
snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

++++++++++++++++++++++++++
snort.conf:

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=1024


I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts.
Do you have any idea what is the issue here?

--
Aut viam inveniam aut faciam
:wq!
greg.mcnathansonsnuf003 | 23 Aug 19:48 2014

Missing shared object files in snapshot download file

I read about the reconstruction of shared object rules in the blog, so I'm confused about the missing file
report (see below).

....
Aug 23 19:22:40 c1 snort[801]: FATAL ERROR: /etc/snort//etc/snort/so_rules/browser-other.rules(0)
Unable to open rules file "/etc/snort//etc/snort/so_rules/browser-other.rules": No such file or directo
Aug 23 19:22:40 c1 snort[796]: Starting snort: [FAILED]
Aug 23 19:22:40 c1 snort[805]: Stopping snort: [FAILED]
Aug 23 19:22:40 c1 systemd[1]: Started Snort IDS system.
...

The stub file couldn't be generated because the browser-other.so file isn't delivered in the latest
snapshot download file.
There are more files missing not only browser-other.so. I expected all files listed in the blog to be
included in the snapshot download file.

Is this a planned measure in the reconstruction of shared object rules?

Greg


hushsnort | 23 Aug 06:43 2014

snort 2.9.6.2 make fails on OSX 10.9.4

Hi Folks,

I am trying to install on an MBP running OSX 10.9.4.

I get the following error(s) during make:

<BEGIN ERROR SNIPPET>
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil  -I../../src/output-plugins
-I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors
-I../../src/preprocessors/portscan -I../../src/preprocessors/HttpInspect/include
-I../../src/preprocessors/Stream5 -I../../src/target-based -I../../src/control
-I../../src/file-process -I../../src/file-process/libs -I../../src/side-channel
-I../../src/side-channel/plugins  -I/usr/local/include -I/usr/local/include -DZLIB -DGRE -DMPLS
-DPPM_MGR -DNDEBUG -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DSF_WCHAR -DTARGET_BASED
-DPERF_PROFILING -DSNORT_RELOAD -DNO_NON_ETHER_DECODER -DNORMALIZER -DACTIVE_RESPONSE  -g -O2
-DSF_VISIBILITY -fvisibility=hidden -Wall -c spo_alert_syslog.c
In file included from spo_alert_syslog.c:71:
../../src/strlcatu.h:24:8: error: expected parameter declarator
size_t strlcat(char *, const char *, size_t);

^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/include/secure/_string.h:111:44:
note: 
      expanded from macro 'strlcat'
  __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest))

^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/include/secure/_common.h:39:62:
note: 
      expanded from macro '__darwin_obsz'
#define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIF...

^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk/usr/include/secure/_common.h:30:32:
note: 
      expanded from macro '_USE_FORTIFY_LEVEL'
#    define _USE_FORTIFY_LEVEL 2
                               ^
In file included from spo_alert_syslog.c:71:
../../src/strlcatu.h:24:8: error: expected ')'

<END ERROR SNIPPET>

How do I go about fixing this? Any pointers appreciated.

Thanks,


Richard Smollett | 22 Aug 22:25 2014

in-line mode question

So when I start Snort in in-line mode, does it automatically set up routing? Or is that something I have to do beforehand?
