Teo En Ming | 18 Apr 21:24 2014

My Snort IDS Sensor Detected Nessus Vulnerability Scan

Hi,

My Snort IDS sensor detected a Nessus vulnerability scan. The Nessus vulnerability scan was launched from the WAN, outside of HOME_NET. However, the alerts generated were few. It seems that the Snort rules are not comprehensive enough.

Here are the alerts:

04/19-02:54:23.361505  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50619 -> 192.168.1.146:80
04/19-02:54:24.940222  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50631 -> 192.168.1.147:80
04/19-02:56:13.080227  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:53504 -> 192.168.1.146:80
04/19-02:56:19.700298  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:53644 -> 192.168.1.147:80
04/19-02:56:50.601653  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54289 -> 192.168.1.146:80
04/19-02:56:52.220320  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54304 -> 192.168.1.147:80
04/19-02:57:02.961654  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54605 -> 192.168.1.146:80
04/19-02:57:04.180442  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54615 -> 192.168.1.147:80
04/19-02:57:21.921667  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55062 -> 192.168.1.146:80
04/19-02:57:23.962694  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55145 -> 192.168.1.147:80

Please note that Snort cannot detect the nmap scan.

Thank you.

Regards,

Teo En Ming
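The alerts above are in Snort's "fast" alert format. As an added example (not from the post or from Snort itself), here is a small Python parser for that format that groups alerts per source address and flags sources that trip several distinct rules against several targets within a short window, which is how a sensor with only a handful of matching rules can still surface a scanner; four of the quoted alerts plus one constructed alert from an internal host are embedded as input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert line, the format quoted in the post above. Classification and
# ports are optional because priority-only alerts and ICMP alerts omit them.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Four alert lines from the post plus one constructed alert from an internal
# host (192.168.1.10) that should not look like a scan.
SAMPLE_ALERTS = """\
04/19-02:54:23.361505  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50619 -> 192.168.1.146:80
04/19-02:54:24.940222  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50631 -> 192.168.1.147:80
04/19-02:57:21.921667  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55062 -> 192.168.1.146:80
04/19-02:57:23.962694  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55145 -> 192.168.1.147:80
04/19-03:10:00.000000  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:40001 -> 192.168.1.146:80
"""


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    return {
        # The fast format carries no year; strptime defaults it to 1900, which is
        # fine for computing time differences within one log file.
        "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
    }


def summarize_sources(lines):
    """Per source IP: alert count, distinct (dst, dport) targets, distinct SIDs, time span."""
    by_src = defaultdict(list)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert:
            by_src[alert["src"]].append(alert)
    summary = {}
    for src, alerts in by_src.items():
        times = [a["ts"] for a in alerts]
        targets = {(a["dst"], a["dport"]) for a in alerts}
        summary[src] = {
            "alerts": len(alerts),
            # port may be None for ICMP alerts, so sort with an explicit key
            "targets": sorted(targets, key=lambda t: (t[0], -1 if t[1] is None else t[1])),
            "sids": sorted({a["sid"] for a in alerts}),
            "span_s": (max(times) - min(times)).total_seconds(),
        }
    return summary


def scan_candidates(lines, min_targets=2, min_sids=2, window_s=600):
    """Sources hitting several targets with several distinct signatures inside window_s seconds.

    A scanner trips unrelated rules on several hosts in one short burst; a single
    rule firing once from one internal client does not meet these thresholds."""
    hits = []
    for src, s in summarize_sources(lines).items():
        if len(s["targets"]) >= min_targets and len(s["sids"]) >= min_sids and s["span_s"] <= window_s:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src, s in summarize_sources(SAMPLE_ALERTS.splitlines()).items():
        print(src, s)
    print("scan candidates:", scan_candidates(SAMPLE_ALERTS.splitlines()))
```

The thresholds are deliberately low for the five-line sample; on a real alert file raise them to match the sensor's normal alert volume.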
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Kurzawa, Kevin | 18 Apr 19:32 2014

PulledPork 403 Forbidden error

PulledPork 0.7.0

Snort 2960

Archlinux

 

Switching over from Oinkmaster to PulledPork. I want the ability to automatically switch between the connectivity, balanced, and security rulesets easily (if this is do-able in Oinkmaster, someone please enlighten me).

 

Running sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf -T -vv

 

Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot-2960.tar.gz|83c886d030bc3d56e56d69488c456404xxxx

Checking latest MD5 for snortrules-snapshot-2960.tar.gz....

Fetching md5sum for: snortrules-snapshot-2960.tar.gz.md5

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz.md5/83c886d030bc3d56e56d69488c456404xxxx ==> 403 Forbidden (1s)

A 403 error occurred, please wait for the 15 minute timeout

to expire before trying again or specify the -n runtime switch

You may also wish to verfiy your oinkcode, tarball name, and other configuration options

Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463.

main::md5file('83c886d030bc3d56e56d69488c456404xxxx ', 'snortrules-snapshot-2960.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/local/bin/pulledpork.pl line 1847

 

If I use a base URL without the version, it yells at me and tells me I have to specify it.

Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|83c886d030bc3d56e56d69488c456404xxxx

 

I get this 403 error after waiting for 20 minutes, 30 minutes, however many minutes.

I verified my oinkcode, it is correct.

I got the tarball name from the Snort.org site where it references downloading via the command line.

As for other configuration options, I do not know what else it could be.

 

 

My pulledpork.conf file:

# RULE URI
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|83c886d030bc3d56e56d69488c456404xxxx
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2960.tar.gz|83c886d030bc3d56e56d69488c456404xxxx
#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
#rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>

ips_policy=security
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/pulledpork/rules/snort.rules
# out_path=/usr/local/etc/snort/rules/
local_rules=/etc/pulledpork/rules/local.rules
sid_msg=/etc/pulledpork/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/pulledpork/sid_changes.log

# SHARED OBJECT (SO) RULES
#sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/bin/snort
#sostub_path=
#config_path=/etc/snort/snort.conf
# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types:
# Debian-5-0, Debian-6-0,
# Ubuntu-8.04, Ubuntu-10-4
# Centos-4-8, Centos-5-4
# FC-12, FC-14, RHEL-5-5, RHEL-6-0
# FreeBSD-7-3, FreeBSD-8-1
# OpenBSD-4-8
# Slackware-13-1
#distro=FreeBSD-8.1

black_list=/etc/pulledpork/rules/default.blacklist
IPRVersion=/etc/pulledpork/rules/iplists
#snort_control=/usr/bin/snort_control
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
# backup_file=/tmp/pp_backup
# docs=/path/to/base/www
# state_order=disable,drop,enable
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# snort_version=2.9.0.0
enablesid=/etc/pulledpork/enablesid.conf
dropsid=/etc/pulledpork/dropsid.conf
disablesid=/etc/pulledpork/disablesid.conf
modifysid=/etc/pulledpork/modifysid.conf
version=0.7.0

Xavier Van Pottelbergh | 18 Apr 16:04 2014

Trouble getting PF_Ring DNA and DAQ to work

Hi,

 

I’m a student trying to set up snort.

 

I've run into trouble trying to get multiple snort instances listening on one interface (I have too much traffic for one instance to handle).

I’m using a RHEL 6.5 server
Snort version:

  ,,_     -*> Snort! <*-

  o"  )~   Version 2.9.6.0 GRE (Build 47)

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.5.3

           Using PCRE version: 7.8 2008-09-05

           Using ZLIB version: 1.2.

DAQ-version: daq-2.0.2

PF_RING version: PF_RING-5.6.2

 

I removed the driver and pf_ring modules (if they were loaded):

rmmod ixgbe.ko
rmmod pf_ring.ko

I loaded the driver:

cd /root/PF_RING-5.6.2/drivers/DNA/ixgbe-3.18.7-DNA/src/
make
insmod ixgbe.ko

I loaded pf_ring:

cd /root/PF_RING-5.6.2/kernel/
make
make install
insmod pf_ring.ko transparent_mode=0 min_num_slots=16384

I compiled daq with the following options:

cd /root/daq-2.0.2/
./configure --disable-nfq-module --disable-ipq-module --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib

Made the PF_RING DAQ module:

cd /root/PF_RING-5.6.2/userland/snort/pfring-daq-module/
autoreconf -ivf
./configure
make
make install

Compiled snort like this:

cd /root/snort-2.9.6.0/
./configure --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib --with-libpfring-includes=/usr/local/include/daq --with-libpfring-includes=/usr/local/lib/daq --enable-sourcefire --enable-perfprofiling
make
make install

I modified this into my init.d script:

for i in 1 2 3 4 5 6 7 8; do
      daemon /usr/sbin/snort -A Fast -N -D -i dna1@$i -u snort -g snort -c /etc/snort/snort.conf --daq-dir=/usr/local/lib/daq --daq-mode passive --daq pfring &
done

 

Each snort instance then fails with:

pfring DAQ configured to passive.

FATAL ERROR: Can't initialize DAQ pfring (-1) - "

 

When I run snort without the daq-configuration options, snort fails with the following message:

pcap DAQ configured to passive.

Acquiring network traffic from "dna1@3".

Initializing daemon mode

Daemon initialized, signaled parent pid: 24786

Reload thread starting...

Reload thread started, thread 0x7f149cb45700 (25309)

FATAL ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!

The 'ip link list' command shows dna1 as up.

 

If you need more info, please ask so I can provide it.

 

Thank you in advance.

 

Michael Brown | 17 Apr 19:19 2014

Snoge

Is Snoge still in active development with the latest versions of snort? I am doing a demonstration to some high school students within the next month and wanted to see if this is still in active development in case I run into issues setting/configuring it.

Thanks

Mike
---
Thank you,

Michael A. Brown
mike.a.brown09 <at> gmail.com
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do nothing" -Edmund Burke
Jeremy Hoel | 17 Apr 18:44 2014

conficker 15450 question

Last night we started getting a good number of these. We are VRT subscribers and pull rule updates every few hours; looking at PP logs, it seems this rule hasn't changed in a good long while. The clients that are triggering this rule are not XP machines (Windows 7, patched current). The servers it's hitting against are all Windows 2008/2012 DCs.

I'm trying to find the info in the SO files about this particular rule so I can try and understand more about why it's firing now, but searching in the source, we only see a reference to that SID in so_rules/bad-traffic.rules, and that's only the rule text itself, not anything in code that could help explain why it's firing.

As a side note, the domains it's firing on are espn.go.com or espn.com:


0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04   65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
000001A: 01 00 01 


0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04   65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
000001A: 

Anyone else seeing this or having any ideas?
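The two hex dumps in the post are raw DNS query messages. As an added example (not from the post or from Snort), here is a Python decoder for the DNS header and question section that turns such a dump back into the queried name, type and class, so an analyst can see exactly what the packet that tripped the rule contained; both dumps are embedded as input, and the decoder also follows name-compression pointers, which these two plain queries do not use.

```python
import re
import struct

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

# The two DNS query dumps quoted in the post above (offset, hex bytes, ASCII column).
DUMP_ESPN_GO = """\
0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04   65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
000001A: 01 00 01
"""
DUMP_ESPN = """\
0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04   65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
000001A:
"""

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def hexdump_to_bytes(dump):
    """Rebuild the packet bytes from 'offset: xx xx ... ascii' lines.

    Assumes the ASCII column never contains whitespace (true for the dumps above);
    the first token that is not a two-digit hex pair ends the hex part of a line."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _offset, rest = line.split(":", 1)
        for tok in rest.split():
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.

    Returns (dotted name, offset of the first byte after the name in the original
    position), so the caller can continue parsing after a pointer."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end, jumped = off + 2, True
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            off = ptr
            continue
        if length > 63:
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_dns_query(msg):
    """Parse the 12-byte header and every question; counts of the other sections are reported only."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "qtype": QTYPES.get(qtype, qtype), "qclass": qclass})
    return {"id": ident, "is_response": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar, "questions": questions}


if __name__ == "__main__":
    for dump in (DUMP_ESPN_GO, DUMP_ESPN):
        print(parse_dns_query(hexdump_to_bytes(dump)))
```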
Kurzawa, Kevin | 17 Apr 17:25 2014

Why so many default disabled rules?

I am curious as to why the Snort rules ship with so many of them disabled/commented out by default.

 

It seems the default set is ~4,000. But if using the option to enable /all/ rules in Oinkmaster it comes out with ~20,000. I get Registered User Release rules, not the Subscriber Release rules.

 

Anshuman Anil Deshmukh | 17 Apr 09:55 2014

Some signatures not appearing in the log

Hi,

 

I was just comparing the latest Daily Ruleset update summary with my latest log of signature updates. I see that one of the signatures is missing. The missing signature is "2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken, ultimately all the rules should get downloaded no matter which rule state we use. The rule state would just enable or disable a rule depending on which rule state is configured.

 

I am using the state "Security over connectivity". Pulledpork 0.70 is used to update the rules; we are on Snort 2.9.5 GRE (Build 103). I understand that the Snort version is quite old, but as I am already getting all other signatures it doesn't look like an issue with the Snort version, right? This is my test setup and it is used for learning purposes.

 

See below log extract from sid_changes.log.

 

Thank you in advance.

 

-=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

New Rules
     ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
     ET CNC Zeus Tracker Reported CnC Server TCP group 24 (1:2404196)
     ET CNC Zeus Tracker Reported CnC Server UDP group 24 (1:2404197)
     ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 (1:2500080)
     ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42 (1:2500082)
     ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 41 (1:2500081)
     ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42 (1:2500083)
     ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
     ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (1:2018395)
     ET TROJAN Common Upatre Header Structure (1:2018394)
     ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
     ET TROJAN plasmabot Checkin (1:2018393)

Deleted Rules
     ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
     ET CINS Active Threat Intelligence Poor Reputation IP UDP group 38 (1:2403375)
     ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
     ET CNC Spyeye Tracker Reported CnC Server UDP group 13 (1:2404125)
     ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
     ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 509 (1:2523017)

Set Policy: security

Rule Totals
     New:-------12
     Deleted:---6
     Enabled:---6148
     Dropped:---0
     Disabled:--32295
     Total:-----38443

IP Blacklist Stats
     Total IPs:-----2590

-=End Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

 

 

Regards,

Anshuman

 

-----Original Message-----
From: emerging-updates-bounces <at> lists.emergingthreats.net [mailto:emerging-updates-bounces <at> lists.emergingthreats.net] On Behalf Of Francis Trudeau
Sent: Thursday, April 17, 2014 4:28 AM
To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
Subject: [Emerging-updates] Daily Ruleset Update Summary 04/16/2014

 

[***] Summary: [***]

6 new Open signatures, 16 new Pro (6/10).  CryptoDefense, Nuclear EK, InstallBrain, Hupigon.

Thanks:  Nathan Fowler, tdzmont, <at> EKWatcher

[+++]          Added rules:          [+++]

Open:

  2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
  2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
  2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
  2018395 - ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
  2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (current_events.rules)
  2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)

Pro:

  2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
  2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
  2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
  2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
  2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
  2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin (trojan.rules)
  2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
  2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin (mobile_malware.rules)
  2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
  2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014 (current_events.rules)

[///]     Modified active rules:     [///]

  2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
  2017714 - ET TROJAN PlugX Checkin (trojan.rules)
  2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
  2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
  2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response (current_events.rules)
  2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2 (current_events.rules)
  2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
  2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)

[---]         Removed rules:         [---]

  2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (malware.rules)
  2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)


João Tormenta | 16 Apr 18:54 2014

oinkcodes

I'm new to SNORT ... really new ... first time I set up snort.

 

I'm having a problem with the generation of the oinkcode to automatically download VRT rules.

 

In my account I click generate oinkcode ... it tells me that it was generated successfully, but I can't see any code lol.

 

Ty

Gierczak, Stan | 16 Apr 17:19 2014

AANVAL or MYSQL question

I have just finished installing snort/barnyard/aanval.

I can see that snort is working.  I see messages queuing in the alert file in /var/log/snort/eth0.

Not sure if barnyard is not populating mysql or if aanval is not working.

I got this message in aanval under configuration/snort module settings:

 

I verified that the db is correct as is the user name and password.

 

I have this in the syslog for when barnyard loads:

Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Running in Continuous mode
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]:         --== Initializing Barnyard2 ==--
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Input Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Initializing Output Plugins!
Apr 16 09:36:01 rlicsnortids1 barnyard2[1456]: Parsing config file "/etc/snort/barnyard.conf"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Log directory = /var/log/snort/eth0
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Initializing daemon mode
Apr 16 09:36:04 rlicsnortids1 barnyard2[1456]: Daemon parent exiting
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Daemon initialized, signaled parent pid: 1456
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: PID path stat checked out ok, PID path set to /var/run/
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Writing PID "1457" to file "/var/run//barnyard2_NULL.pid"
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: compiled support for (mysql)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: configured to use mysql
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: schema version = 107
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:           host = localhost
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:           user = snort_user
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:  database name = snortdb
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:    sensor name = rlicsnortids1:NULL
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:      sensor id = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:     sensor cid = 1
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:  data encoding = hex
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:   detail level = full
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database:     ignore_bpf = no
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: database: using the "log" facility
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]:         --== Initialization Complete ==--
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Barnyard2 initialization completed successfully (pid=1457)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: WARNING: Unable to open waldo file '/var/log/snort/eth0/barnyard2.waldo' (No such file or directory)
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397656582'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Closing spool file '/var/log/snort/eth0/snort.log.1397656582'. Read 0 records
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Opened spool file '/var/log/snort/eth0/snort.log.1397658954'
Apr 16 09:36:04 rlicsnortids1 barnyard2[1457]: Waiting for new data

 

The only error I see is about WALDO.  Not sure if that is an issue or not.

 

Again thanks everyone for all the help.

Alan Nala | 16 Apr 06:15 2014

Fw: News

Hi!      

News:  http://lovegames14.info/fulb/news.php

 

Alan Nala

Gierczak, Stan | 15 Apr 19:46 2014

How to change monitor to ETH1

 

How do I change the monitoring interface to eth1 from eth0 in snort?

 

 
