Hyunseok | 18 Dec 16:09 2014

question about paf

Hi,
I have a question about protocol aware flushing (paf).
As I understand, paf allows snort to more intelligently deal with flushing.

However, there is paf_max, which defines the maximum PDU snort can handle.

config paf_max: <max-pdu>
where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data stream of more than 63K size, snort will fail to detect it because snort will eventually flush buffer in the middle of the stream?  If so, is that safe?

-HS

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
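The flush concern raised in the question above, as an added example that is not part of the post and is not Snort's stream5/PAF code: a toy model cuts a reassembled stream into flush units of at most `paf_max` bytes and searches each unit on its own, beside a searcher that carries the last `len(pattern) - 1` bytes of the previous unit forward so a pattern straddling a flush boundary is still seen. The stream and pattern are constructed; `paf_max` is set to 16 so the boundary is visible on a few bytes, where the question's real limit is 63780.

```python
"""Toy model of per-flush searching versus carry-over at a flush boundary.

Added example; not Snort's stream5/PAF implementation. It only demonstrates
why a pattern that straddles a flush point is missed when every flush unit is
inspected in isolation, and how little state is needed to avoid that.
"""
from typing import List


def flush_units(stream: bytes, paf_max: int) -> List[bytes]:
    """Cut a reassembled stream into flush units of at most paf_max bytes."""
    if paf_max <= 0:
        raise ValueError("paf_max must be positive (0 means PAF is off)")
    return [stream[i:i + paf_max] for i in range(0, len(stream), paf_max)]


def search_per_unit(stream: bytes, pattern: bytes, paf_max: int) -> bool:
    """Inspect each flush unit on its own; misses a straddling pattern."""
    return any(pattern in unit for unit in flush_units(stream, paf_max))


def search_with_carry(stream: bytes, pattern: bytes, paf_max: int) -> bool:
    """Keep the last len(pattern)-1 bytes of the previous unit as a prefix."""
    carry = b""
    for unit in flush_units(stream, paf_max):
        window = carry + unit
        if pattern in window:
            return True
        # Only len(pattern)-1 bytes can be the start of a pattern that
        # finishes in the next unit, so that is all that must be kept.
        carry = window[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return False


def straddle_demo(paf_max: int = 16) -> dict:
    """Constructed stream whose pattern crosses the first flush boundary."""
    pattern = b"EVIL_PAYLOAD"          # 12 bytes, constructed for the demo
    # 12 filler bytes, then the pattern: bytes 12..23 straddle the cut at 16.
    stream = b"A" * (paf_max - 4) + pattern + b"B" * paf_max
    return {
        "units": flush_units(stream, paf_max),
        "per_unit": search_per_unit(stream, pattern, paf_max),
        "with_carry": search_with_carry(stream, pattern, paf_max),
        "in_full_stream": pattern in stream,
    }
```

`straddle_demo()` returns `per_unit=False` and `with_carry=True` for the same stream; the pattern is present in the full stream but no single flush unit contains it. Whatever a given Snort build does at a flush point, the check a practitioner wants is the one this model makes explicit: replay a pcap whose signature bytes sit exactly across the configured paf_max boundary and confirm the rule still fires.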
Praveen D | 18 Dec 09:11 2014

byte_test/byte_jump negative offsets

Hi,

Below is the data which I am trying to detect
1c 0c 00 00 74 45 58 74 41 41 41 41 41 41 41 41   ....tEXtAAAAAAAA

content:"tEXt"; byte_test:4,>,0x3000,-4,relative;
Extract 0x1c0c0000 and compare with 0x3000

After matching tEXt, where does the pointer point? Should I use offset:-4 or offset:-8?

Best Regards,
Praveen Darshanam
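A model of the cursor arithmetic the question above turns on, as an added example that is not Snort code: it follows the documented rule-option semantics (a content match leaves the detection cursor just past the matched bytes, `relative` offsets count from that cursor, and byte_test reads big-endian unless `little` is given) and applies both candidate offsets to the bytes quoted in the post.

```python
"""Model of the Snort detection cursor for content followed by byte_test.

Added example, not Snort code. It follows the documented rule-option
semantics: a content match leaves the cursor just past the matched bytes,
'relative' offsets count from that cursor, and byte_test reads big-endian
unless 'little' is given. The payload is the one quoted in the post.
"""
import operator

# Bytes quoted in the post: a 4-byte field, "tEXt", then eight 'A's.
PAYLOAD = bytes.fromhex("1c0c0000" "74455874" "4141414141414141")

_OPS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq,
    "<=": operator.le, ">=": operator.ge,
    "&": lambda a, b: (a & b) != 0,      # bitwise AND test
    "^": lambda a, b: (a ^ b) != 0,      # bitwise XOR test
}


def content(payload: bytes, pattern: bytes, cursor: int = 0) -> int:
    """Find pattern at or after cursor; return the cursor just after it."""
    idx = payload.find(pattern, cursor)
    if idx < 0:
        raise LookupError(f"content {pattern!r} not found")
    return idx + len(pattern)


def extract(payload: bytes, nbytes: int, offset: int, cursor: int = 0,
            relative: bool = False, little: bool = False) -> int:
    """Read nbytes at offset; with relative=True the offset is from cursor."""
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        raise IndexError("byte_test window falls outside the payload")
    return int.from_bytes(payload[start:start + nbytes],
                          "little" if little else "big")


def byte_test(payload, nbytes, op, value, offset, cursor=0,
              relative=False, little=False, negate=False) -> bool:
    """Snort-style byte_test: compare the extracted integer with value."""
    got = extract(payload, nbytes, offset, cursor, relative, little)
    result = _OPS[op](got, value)
    return not result if negate else result


def compare_offsets(payload: bytes = PAYLOAD) -> dict:
    """What byte_test:4,>,0x3000,<offset>,relative sees after content:"tEXt"."""
    cursor = content(payload, b"tEXt")        # 8: just past "tEXt"
    return {
        "cursor": cursor,
        # offset -4 backs up onto "tEXt" itself (0x74455874)
        "-4": extract(payload, 4, -4, cursor, relative=True),
        # offset -8 backs up onto the four bytes before "tEXt" (0x1c0c0000)
        "-8": extract(payload, 4, -8, cursor, relative=True),
        "fires_-8_big": byte_test(payload, 4, ">", 0x3000, -8, cursor,
                                  relative=True),
        "fires_-8_little": byte_test(payload, 4, ">", 0x3000, -8, cursor,
                                     relative=True, little=True),
    }
```

With this payload the cursor is 8, so `-8` reaches the field before "tEXt" and `-4` re-reads "tEXt" itself. Note that both windows exceed 0x3000 here, so a rule with the wrong offset still fires on this sample and only goes wrong on other data; the same bytes read little-endian give 0x0c1c, which is below 0x3000, so the endianness modifier is the other thing to pin down before trusting the test pcap.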
Mark Greenman | 18 Dec 05:01 2014

Problem with Content rule option

Hi. I am new to snort. I want to use the content rule option to execute some actions based on the content of the http response message (the payload). But it does not work properly. For example, if I want to replace some word with another, the detection engine can detect some words in the http response message but cannot detect some of the same words in the same message. Sometimes it can't even detect a single word. The problem is that it works properly for the content of the http header. Does anyone know the reason?

Thanks
Robert Millott | 16 Dec 20:02 2014

troubleshooting dead snort

My snort IDS keeps dying and I don't know why. Anyone got some good suggestions on where to start looking?
I am running snort 2.9.6 with barnyard 2.1.10 beta2 on Gentoo 3.12.13. It starts up just fine and runs like a champ. Sometimes it will run fine for days, but eventually I come in and run a "ps ax | grep snort" and it's just gone. Barnyard is usually still going, but obviously not doing much without snort. I check the logs and see nothing about it halting. There is still a pid in /etc/snort/pid, so I don't think it closed down nicely.
I've looked at the performance data, but it just shows that it was running; it doesn't give me any indication of why it stopped.

Suggestions would be appreciated.

--
Robert Millott
President, Millott and Associates
(443) 255-3588
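Two triage checks for the situation described above, as an added example that is not part of the post and not Snort code: one decides whether the pid left in a pidfile still belongs to a live process (a stale pidfile means the daemon left without cleaning up), the other scans kernel/syslog text for the traces an unclean exit usually leaves (segfault, OOM kill, signal status). The log lines are constructed for the demo, and the dead-pid constant assumes Linux, where pids never reach 4194304.

```python
"""Triage for a Snort daemon that vanishes without a log line.

Added example, not part of the post or of Snort. It (1) tells a stale pidfile
from a running daemon and (2) pulls crash evidence out of kernel/syslog text.
The sample log is constructed; POSIX semantics for kill(pid, 0) are assumed.
"""
import os
import re
from typing import List, Optional

# Constructed sample of what dmesg / syslog might contain after a crash.
SAMPLE_LOG = """\
Dec 15 03:12:01 ids kernel: snort[4242]: segfault at 0 ip 00007f3c2a1b1c9d sp 00007ffd5e0c0a40 error 4 in libc-2.19.so[7f3c2a120000+1a5000]
Dec 15 03:12:01 ids kernel: Out of memory: Kill process 4242 (snort) score 901 or sacrifice child
Dec 15 03:12:01 ids barnyard2[4300]: Waiting for new spool file
Dec 15 03:12:02 ids systemd[1]: snort.service: main process exited, code=killed, status=11/SEGV
"""

CRASH_PATTERNS = [
    re.compile(r"snort\[\d+\]: segfault"),
    re.compile(r"Out of memory: Kill(ed)? process \d+ \(snort\)"),
    re.compile(r"snort.*status=\d+/(SEGV|ABRT|KILL|BUS)"),
    re.compile(r"snort.*core dumped"),
]

# Linux caps pid_max at 4194304, so this value is never a live pid (assumption).
NEVER_A_PID = 4194304


def read_pid(text: str) -> Optional[int]:
    """Parse a pidfile body; None when it holds no integer."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def pid_is_alive(pid: int) -> bool:
    """Signal 0 probes for existence without disturbing the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but owned by another user
    return True


def pidfile_status(text: str) -> str:
    """'running', 'stale' (pid present but dead) or 'unparsable'."""
    pid = read_pid(text)
    if pid is None:
        return "unparsable"
    return "running" if pid_is_alive(pid) else "stale"


def crash_evidence(log_text: str) -> List[str]:
    """Return the log lines that explain an unclean Snort exit."""
    return [line for line in log_text.splitlines()
            if any(p.search(line) for p in CRASH_PATTERNS)]


def demo() -> dict:
    """Run both checks: our own pid, an impossible pid, junk, the sample log."""
    return {
        "own": pidfile_status(f"{os.getpid()}\n"),
        "dead": pidfile_status(str(NEVER_A_PID)),
        "junk": pidfile_status("not-a-pid"),
        "evidence": crash_evidence(SAMPLE_LOG),
    }
```

Run `pidfile_status(open("/etc/snort/pid").read())` against the real pidfile and `crash_evidence` over the output of `dmesg` or `journalctl -k`; a `stale` result with no evidence points at a silent exit rather than a crash, which is when enabling core dumps (`ulimit -c unlimited` before starting snort) and re-running in the foreground with `-v` pays off.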
Y M | 16 Dec 18:51 2014

Re: Snort++ Extras

I am getting 404 for the download links :)

YM

Date: Tue, 16 Dec 2014 17:07:13 +0000
Subject: Snort

Snort++ Extras

Posted: 16 Dec 2014 07:00 AM PST

Snort++ Extras

Snort++ is all about plugins. It has over 140 by default and makes it easy to add more in C++ or LuaJIT. This post will walk you through building and running a set of extra example plugins. If you haven't installed and verified Snort++, you will need to do that first. We will cover the following topics:
  • Overview
  • Download
  • Build Extras
  • Run Extras
  • Next Steps

OVERVIEW

The following things are pluggable in Snort++:
  • codec - decode and encode support for a given protocol
  • data - additional configuration for inspectors
  • inspector - replaces Snort preprocessors
  • ips_option - IPS rule option like content and byte_test
  • ips_action - IPS rule action like alert and block
  • search_engine - fast pattern matcher
  • logger - event handlers
  • SO rules - dynamic rules

DOWNLOAD

There are two extra tarballs, one for autotools and one for cmake:
snort_extra-1.0.0-a1-130-auto.tar.gz
snort_extra-1.0.0-a1-130-cmake.tar.gz


Alex Tatistcheff | 15 Dec 16:40 2014

Protected content

I’ve been fiddling with some new options in Snort 2.9.7 rules. Specifically the new protected_content rule option. I discovered some things that are not clear in the Snort Manual so I thought I would share.

The protected_content option is designed to allow searching for content in a packet without having to spell out the content in the rule. That way, if your rule is looking for something sensitive, you can hide this from anyone with access to the rule. It's helpful if you're looking for things like passwords you have used. In my case I have some content rules looking for my wife's common passwords leaving the network. (I, of course, would never reuse a password) ;-)

My old rules had the password clearly shown in the content match. So I thought this would be a perfect match for the new keyword. However, there are some differences between the two. The content keyword looks through the entire packet (or whatever is entered in offset, depth, distance and within) for the string. Protected_content is different; it only looks in a specific spot. When using protected_content you search for a hash of the string instead of the string itself. So Snort has to hash whatever bytes you want to check. Because of this, we can't really check an entire packet because it would mean calculating hundreds of hashes - way too slow.

The protected_content keyword comes with several parameters:

The hash itself

The hash type (md5, sha256, sha512)

The length of the original string

Optional - offset or distance

Consider:

protected_content:"131848a7d09b05b96ea105fe238619e3"; hash:md5; length:8;

This would look in the packet at byte offset zero for an 8 byte string matching the md5 shown. It would ONLY look in the first 8 bytes. In this case the length parameter works much like distance or within in a normal content match.

So, you need to look in a specific location. But how then do I find my wife’s password? I have no idea how far into the packet it might be.

There’s another consideration, the protected_content keyword is “computationally expensive” according to the Snort Manual. So we should precede it with a content match to take advantage of the fast pattern matcher. Turns out I can kill two birds here, I can search the entire packet and make the rule more efficient by using a content keyword prior. The answer is to search for a small subset of my protected content to determine what part of the packet to hash. Yes this does somewhat compromise my secret string but it’s a tradeoff to get detection.

Here is the rule:

alert tcp $HOME_NET any -> any any (sid:1000000; content:"over"; protected_content:"ef87dbd48fed4bcaf02cfc9e8c534344"; hash:md5; length:11; distance:-6; metadata:service http, service smtp, service imap, service pop3, impact_flag red; msg:"Sensitive data 1 ...over..."; classtype:sdf; rev:6; )

I start out looking for a portion of the secret word. Hopefully this is as specific as possible without giving away too much. This is followed by the protected content option which backs up far enough to get to the start of my secret word and hash the required bytes.

Disadvantages of this technique are:

- If the word "over" occurs more than once I will only check for my wife's password the first time it's seen in a packet. So it's possible the password could still be hiding later in a packet with "over" somewhere earlier.
- It’s not as fast as pure “content” but we knew that going in
- It requires that I put part of my secret word into a regular content match
- Possibly other factors I haven’t discovered yet

Well I hope that makes you think a bit. Reply if you have any thoughts on additional ways to improve rules using this new keyword.

Alex

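The technique in Alex's post, as an added example that is not Snort code and not his rule: given a secret and the short anchor the preceding content match looks for, it derives the three parameters the rule needs (digest, length, distance), renders the rule with the secret absent from it, and models the match on sample payloads, including the first-occurrence limitation he lists. The secret "cloverfield" and the payloads are constructed for the demo; it was chosen because "over" sits two bytes into an 11-byte word, which yields the same `length:11; distance:-6` shape as the posted rule.

```python
"""Derive and evaluate a protected_content rule in the style of Alex's post.

Added example, not Snort code and not the posted rule. The secret and the
payloads are constructed. Semantics assumed: content leaves the cursor just
past the anchor; distance moves it; protected_content hashes `length` bytes
from there and compares the digest.
"""
import hashlib
from typing import Dict


def derive_rule(secret: bytes, anchor: bytes, hash_name: str = "md5") -> Dict:
    """Parameters for content:<anchor>; protected_content:...; distance:...

    After content matches, the cursor sits just past the anchor. distance must
    move it back to the start of the secret: the anchor's position inside the
    secret plus the anchor length, negated.
    """
    pos = secret.find(anchor)
    if pos < 0:
        raise ValueError("anchor must be a substring of the secret")
    if hash_name not in ("md5", "sha256", "sha512"):
        raise ValueError("protected_content supports md5, sha256, sha512")
    return {
        "anchor": anchor,
        "hash_name": hash_name,
        "digest": hashlib.new(hash_name, secret).hexdigest(),
        "length": len(secret),
        "distance": -(pos + len(anchor)),
    }


def rule_text(params: Dict, sid: int, msg: str) -> str:
    """Render the rule; only the anchor and the digest are visible."""
    return (
        f'alert tcp $HOME_NET any -> any any (sid:{sid}; '
        f'content:"{params["anchor"].decode()}"; '
        f'protected_content:"{params["digest"]}"; hash:{params["hash_name"]}; '
        f'length:{params["length"]}; distance:{params["distance"]}; '
        f'msg:"{msg}"; classtype:sdf; rev:1;)'
    )


def matches(payload: bytes, params: Dict, every_anchor: bool = False) -> bool:
    """Evaluate the rule on one payload.

    every_anchor=False hashes only at the first anchor hit, the limitation
    the post describes. True re-anchors on each later hit; that is this
    example's own extension, not a claim about what a Snort build does.
    """
    anchor, n = params["anchor"], params["length"]
    cursor = 0
    while True:
        idx = payload.find(anchor, cursor)
        if idx < 0:
            return False
        cursor = idx + len(anchor)
        start = cursor + params["distance"]
        window = payload[start:start + n]
        in_bounds = start >= 0 and len(window) == n
        if in_bounds and hashlib.new(params["hash_name"], window).hexdigest() == params["digest"]:
            return True
        if not every_anchor:
            return False
```

`derive_rule(b"cloverfield", b"over")` gives `distance:-6; length:11`, and `matches(b"game over pass=cloverfield", p)` is False while the `every_anchor=True` variant is True, which is the "over appears earlier" case from the disadvantages list made concrete. Picking the anchor is the real design decision: the longer and rarer it is, the fewer hashes run and the fewer false anchors there are, but the more of the secret leaks into the rule.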
Mark Greenman | 14 Dec 08:24 2014

http_inspect works incorrectly

Hi. What the Snort user manual says about extended_response_inspection is: "When this option is turned on, if the HTTP response packet has a body then any content pattern matches (without http modifiers) will search the response body (decompressed in case of gzip) and not the entire packet payload. To search for patterns in the header of the response, one should use the http modifiers with content such as http_header, http_stat_code, http_stat_msg and http_cookie".
I have applied this feature for http_inspect preprocessor but it seems like it is working in the reverse manner. Like, the rules only match when the specified pattern exists in the header and they do not match when the pattern exists in the body of the http packet. Why is this happening?
Here is the configuration for http_inspect:

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

Thanks
Sec_Aficionado | 13 Dec 22:02 2014

Re: trouble with online mode

---- quoted message follows ----
Ah....yea that's the issue. With --daq-mode inline snort will create its own bridge (that you have no control over). This type of deployment works really well as having snort on its own machine inline such as: (Internet) <-> (SnortIPS) <-> (LinuxRouter) <-> (Switch) I think you and I were in the same boat where we had a linux router that we wanted to put IPS on. You can use the nfq daq functionality like so:

snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf

/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
or
/sbin/iptables -I INPUT -j NFQUEUE --queue-num 1

But I'm going to be honest...I never got nfq to work well. There's a thread on the list that talks heavily about this, but in a nutshell as soon as a packet hits the snort queue, it is either dropped as an IPS hit, or accepted and sent along, which means any iptables rules AFTER the snort queue rule are not referenced, so be warned and make sure to nmap the external IP after you make the changes. It really seems like the IPS functionality is more suited for the IPS on its own dedicated machine and not integrated into a router. My two cents :) James

---- end of quoted message ---- 

James,

I wonder if you ever got this setup to work. I found the following suggestions in a suricata configuration guide. They use FORWARD instead of INPUT. I have to do some reading before I test this but I'd like to know if you have any advice.

I would really like to get snort to work as an IPS in a firewall/router box, rather than in a separate machine.

Thanks!


There is also a way to use iptables with multiple networks (and interface cards). Example:

sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE

The options -i (input) and -o (output) can be combined with all previously mentioned options.

If you stop Suricata and use the internet, the traffic will not come through. To make the internet work correctly, you have to erase all iptables rules.


Sent from my mobile
Any weird stuff is autocorrect's fault
Sec_Aficionado | 12 Dec 16:53 2014

Barnyard2 and Snortsam for 2.9.7.0

Hello there,

I was looking through Barnyard2's barnyard2.conf file and noticed the section under
# alert fw_sam: allow blocking of IP's through remote services 

However, I can't find a Snortsam version for snort later than 2.9.5.3

Does anyone here know if the project changed name or moved somewhere else for newer snort versions?

As usual, thanks in advance!

Sent from my mobile
Any weird stuff in the message above is autocorrect's fault

Dmitry Melekhov | 12 Dec 06:32 2014

error 500 last several days

Hello!

I get following:

Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
     Error 500 when fetching 
https://www.snort.org/reg-rules/snortrules-snapshot-2962.tar.gz.md5 at 
/etc/pulledpork/pulledpork.pl line 463
     main::md5file('32cef1b0c141b7b986f0278ced2bbf2d78ff1d4', 
'snortrules-snapshot-2962.tar.gz', '/tmp/', 
'https://www.snort.org/reg-rules/') called at 
/etc/pulledpork/pulledpork.pl line 1847

last several days, when I try to update rules using pulledpork.
Previously it worked.

Could you tell me are there any changes? What can I do to resolve this?

Thank you!


Snort Releases | 11 Dec 16:06 2014

Snort 3.0 Alpha 1 b130 Now Available

The Snort team is happy to announce the first alpha release of Snort 3.0, which includes the
following features:

* Support for multiple packet processing threads
* Use of a shared configuration and attribute table across different threads
* A simple, scriptable configuration with strict grammar
* Updates to make key components pluggable
* Auto-detection of services for port-less configuration
* Support sticky buffers in rules
* Auto-generation of reference documentation
* Improved support for cross platform building/deployment

The code can be obtained from snort.org under http://www.snort.org/downloads/snortplus.
The code can also be obtained via a github repository git://github.com/snortadmin/snort3.git.

Snort 3.0 is a complete overhaul of Snort 2.x, and the focus has been on the framework,
configuration and grammar, and it is initially based on an early build of Snort 2.9.6
with just HTTP Inspect and FTP.  Information about Snort 3.0 can be found on the
website under http://www.snort.org/snort3.

Look for blogs with additional information, how to guides, etc as well as updates to the
Alpha as we hear about issues, requests for changes and improvements, and roll out
additional dynamic inspectors, bringing the functionality up to more recent Snort versions
over the next few weeks and months.

We're looking forward to hearing all of your feedback, positive and negative!

Happy Snorting!
