Jutichai Thongkrachai | 25 Oct 10:20 2014

What is URL of Signature and Rule Lookup?

Hello,

What is the URL of Signature and Rule Lookup? The URL in the Snort User Manual does not work. It gives Snort's 404 not found page.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
James | 24 Oct 18:25 2014

Re: [Snort-openappid] AppId quickstart

Good catch…this is indeed --enable-open-appid…sorry about that.

James

On Oct 24, 2014, at 10:22, Costas Kleopa (ckleopa) <ckleopa <at> cisco.com> wrote:

> Can you confirm if you run:
> ./configure --enable-open-appid
> 
> Below you mentioned: --enable-appid,
> 
> 
> Thanks
> Costas
> 
> 
> On 10/24/14, 12:19 PM, "Joel Esler (jesler)" <jesler <at> cisco.com> wrote:
> 
>> Thanks James.
>> 
>> We've posted several blog posts with instructions, videos, etc on the
>> Snort.org blog: http://blog.snort.org/search/label/openappid
>> 
>> Please check it out.
>> 
>> J
>> 
>>> On Oct 24, 2014, at 8:40 AM, James <jlay <at> slave-tothe-box.net> wrote:
>>> 
>>> So on Ubuntu 1[0-4]:
>>> 
>>> Download luajit at http://luajit.org/download/LuaJIT-2.0.3.tar.gz (apt
>>> package didn't get recognized on snort reconfigure).
>>> Uncompress, make, sudo make install
>>> Download snort-openappid.tar.gz from https://www.snort.org/downloads
>>> Uncompress and move the odp dir to somewhere (I chose /opt/share/)
>>> Recompile snort with adding --enable-appid, make, sudo make install
>>> Add the below to your snort.conf:
>>> 
>>> preprocessor appid : \
>>> 		app_detector_dir /opt/share
>>> 
>>> Test with sudo snort -T -c snort.conf
>>> 
>>> Should see:
>>> 
>>> AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966
>>> 1969 1970 1972 1973 1975 1976 1977 1978 1979 1980 1981 1983 1984 1985
>>> 1986 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021
>>> 2129 2131 1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158
>>> 2159 2162 2019 2072 1508 1063 2261 2664 2690
>>> Could not read configuration file /opt/share/custom/userappid.conf
>>> LuaJIT: Version LuaJIT 2.0.3
>>>  Setting tracker size to 219
>>>  TCP Port-Only Services
>>> 
>>> Enjoy…subscribe to the snort-openappid list for more information and
>>> help.
>>> 
>>> James
>>> 


James | 24 Oct 17:40 2014

AppId quickstart

So on Ubuntu 1[0-4]:

Download luajit at http://luajit.org/download/LuaJIT-2.0.3.tar.gz (apt package didn’t get
recognized on snort reconfigure).
Uncompress, make, sudo make install
Download snort-openappid.tar.gz from https://www.snort.org/downloads
Uncompress and move the odp dir to somewhere (I chose /opt/share/)
Recompile snort with adding --enable-appid, make, sudo make install
Add the below to your snort.conf:

preprocessor appid : \
		app_detector_dir /opt/share

Test with sudo snort -T -c snort.conf

Should see:

AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966 1969 1970 1972 1973 1975 1976 1977 1978
1979 1980 1981 1983 1984 1985 1986 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129 2131
1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159 2162 2019 2072 1508 1063 2261 2664 2690
Could not read configuration file /opt/share/custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.3
   Setting tracker size to 219
   TCP Port-Only Services

Enjoy…subscribe to the snort-openappid list for more information and help.

James

Jim Garrison | 23 Oct 22:56 2014

"no return statement in function returning non-void" warnings when building snort

I get lots of these warnings when building snort, mentioning the
following functions

    ScSetInternalLogLevel
    ScRestoreInternalLogLevel

As in

In file included from parser.h:38,
                 from tag.c:43:
snort.h: In function ‘ScSetInternalLogLevel’:
snort.h:1231: warning: no return statement in function returning non-void
snort.h: In function ‘ScRestoreInternalLogLevel’:
snort.h:1236: warning: no return statement in function returning non-void

Is this something to be worried about?

-- 
Jim Garrison (jhg <at> acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88

Jim Garrison | 23 Oct 20:49 2014

Latest snort/daq binaries for centos 6?

The download page contains binaries for centos7. Will these work on
centos 6.5 as well?  If not, are there binaries for 6.5, or will I need
to build from source?

Thanks

-- 
Jim Garrison (jhg <at> acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88


Snort Releases | 23 Oct 19:30 2014

Snort 2.9.7 is now available

Snort 2.9.7 is now available on snort.org at
http://www.snort.org/downloads in the Snort Stable Release section.

A new DAQ build is also available that updates support for a few
operating systems.

Snort 2.9.7 includes a major new feature for Application Identification,
our OpenAppID capability.

In conjunction with this release, we are shifting the license for the OpenAppId
content to GPLv2 to encourage more use and submission back to Cisco.  If
you are interested in learning and writing OpenAppId content, please join
us on the OpenAppId mailing list at https://www.snort.org/community.
Any submissions to the OpenAppId ecosystem will receive public thanks
and perhaps some nice swag!

2014-10-24 - Snort 2.9.7.0
[*] New additions
* Application Identification Preprocessor, when used in conjunction with
  OpenAppID detector content, that will identify application protocol,
  client, server, and web applications (including those using SSL) and
  include the info in Snort alert data. In addition, a new rule option
  keyword 'appid' that can be used to constrain Snort rules based on one
  or more applications that are identified for the connection. Separate
  prepackaged RPMs with App Open ID are available.  See README.appid
  for further details.

* A new protected_content rule option that is used to match against a
  content that is hashed.  It can be used to obscure the full context
  of the rule from the administrator.

* Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
  more accurately process different portions of email messages and file
  attachments.

* Added ability to test normalization behavior without modifying
  network traffic.  When configured using na_policy_mode:inline-test,
  statistics will be gathered on packet normalizations that would have
  occurred, allowing less disruptive testing of inline deployments.

* The HTTP Inspection preprocessor now has the ability to decompress
  DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
  content from http responses when configured with the new
  decompress_swf and decompress_pdf options. This enhancement can be
  used with existing rule options that already match against
  decompressed equivalents.

* Added improved XFF support to HttpInspect. It is now possible to
  specify custom HTTP headers to use in place of 'X-Forwarded-For'. In
  situations where traffic may contain multiple XFF-like headers, it is
  possible to specify which headers hold precedence.

* Added additional support for Heartbleed detection within the SSL
  preprocessor to improve performance.

* Added control socket command to dump packets to a file.  See
  README.snort_dump_packets_control for details.

* Added an option to suppress configuration information logging to output.

* The Stream5 preprocessor functionality is now split between the new
  Session and Stream6 preprocessors.

[*] Improvements
* Maximum IP6 extensions decoded is now configurable.

* Update active response to allow for responses of 1500+ bytes that span
  multiple TCP packets.

* Check limits of multiple configurations to not exceed a maximum ID of
  4095.

* Updated the error output of byte_test, byte_jump, byte_extract to
  including details on offending options for a given rule.

* Update build and install scripts to install preprocessor and engine
  libraries into user specified libdir.

* Improved performance of IP Reputation preprocessor.

* The control socket will now report success when reloading empty IP
  Reputation whitelists/blacklists.

* All TCP normalizations can now be enabled individually. See
  README.normalize for details on using the new options. For
  consistency with other options, the "urp" tcp normalization keyword
  now enables the normalization instead of disabling it.

* Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.

* Updated profiler output to remove duplicate results when using
  multiple configurations.

* Improved performance of FTP reassembly.

* Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD,
  FreeBSD, and DragonFlyBSD.


Tony Robinson | 23 Oct 16:00 2014

Trying to develop a systemd snort script, running into errors removing/creating pid files

Hello There,

I'm working on an update for autosnort and I figured it was high past time for me to stop half-assing boot persistence for Snort via rc.local and make actual init scripts or similar.

So here I am, trying to make a systemd script. The goals are to bring up the network interface in promisc mode, start snort, and start barnyard2. The script does that. Rather well. Probably not the way systemd devs want one to do it... but we'll cross that bridge later.

My problem comes when I try to kill snort or barnyard2. The kill command works, but there are errors in the logs:

Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file /var/run//snort_ens33.pid: Permission denied
Oct 23 09:38:10 localhost snort[2502]: Snort exiting

Barnyard2 doesn't seem to care that it can't remove the pid file and that's fine, I suppose, because restarting Snort/Barnyard2 seems to work fine:

Oct 23 09:45:38 localhost snort[2912]: Checking PID path...
Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file "/var/run//snort_ens33.pid"

Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file "/var/run//barnyard2_ens33.pid"

Here are the options I use to start snort:
snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33

Here are the options I use to start barnyard2:
barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

I know a lot of stuff changed in centOS 7. I noticed that one of them was that /var/run is now a symlink to /run. What would cause Snort/BY2 to have permissions to follow the pid file and write their pids, but then not have permissions to remove the pid file after execution has stopped?

I've attached the systemd script I wrote as well.
Attachment (snortbarn.service): application/octet-stream, 591 bytes
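The symptom above matches what happens when a daemon creates its pid file while still root and only then drops to the user given with -u/-g: /run (and the /var/run symlink to it on CentOS 7) is owned by root, so the pid file can be written at startup, but the unprivileged snort user has no write permission on that directory and cannot unlink the file at exit. That reading of the symptom, and the unit below, are mine and not the attached snortbarn.service; the binary path /usr/local/bin/snort is an assumption, the interface, user and snort.conf path are taken from the post. The unit gives Snort a runtime directory owned by the snort user and points Snort's --pid-path option at it, so the pid file ends up in a directory the post-privilege-drop process is allowed to remove it from:

```ini
# /etc/systemd/system/snort.service  (added example, not the poster's unit)
# Assumptions: snort at /usr/local/bin/snort, user and group "snort" exist,
# sniffing interface ens33, config at /opt/snort/etc/snort.conf.
[Unit]
Description=Snort IDS on ens33
After=network.target

[Service]
Type=forking
# systemd creates /run/snort before the ExecStartPre= lines run and removes
# it on stop. Without User= it is root-owned, so hand it to the snort user:
# the pid file Snort writes there as root can then be unlinked by the snort
# user, because unlink needs write permission on the directory, not the file.
RuntimeDirectory=snort
RuntimeDirectoryMode=0755
ExecStartPre=/usr/bin/chown snort:snort /run/snort
ExecStartPre=/usr/sbin/ip link set dev ens33 promisc on
ExecStart=/usr/local/bin/snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33 --pid-path /run/snort
# Snort names the file snort_<interface>.pid, as the log lines in the post show.
PIDFile=/run/snort/snort_ens33.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Barnyard2 is best given its own unit of the same shape rather than being started from Snort's; whether its pid-file directory can be redirected the same way depends on its own pid-path option, which I have not verified here and leave as an assumption. Keeping the two daemons in separate units also lets systemd restart one without the other.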
C. L. Martinez | 21 Oct 13:02 2014

Change sid number with pulledpork

Hi all,

 Is it possible to change the sid number inside several rules files? I
have downloaded rules from third-party sites and in some cases, the sid
numbers are the same.

 Can I change these sids to start at 5000000 and follow on with pulledpork?

Thanks.


Nicolas Greneche | 20 Oct 16:55 2014

snaplen has no effect on "ip dgm len > captured len"

Hi,

I run snort on a dummy interface (this interface is part of a bridge
configured to act as a hub).

Here is my command:

/usr/local/compiled/snort/bin/snort -vd -i dummy0 -c /usr/local/etc/snort/snort.conf --snaplen XXX-D

Even with large snaplen values, I have this message in the logs:

"ip dgm len > captured len"

from snort_decoder.

Does someone have a clue what's wrong?

-- 
Nicolas Grenèche

Old blog : http://blog.etcshadow.fr
New blog : http://nsm.etcshadow.fr
Tel : 01 49 40 40 35
Fax : 01 48 22 81 50
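The decoder message names one precise condition: the IPv4 header's total-length field is larger than the number of captured bytes left after the link-layer header. Two quite different captures trigger it, and only one of them is cured by --snaplen: a frame that was longer on the wire than the capture length (pcap records both lengths, and they differ), and a frame that is as short in the capture as it was on the wire but whose IP header claims more than the frame carries (both lengths agree, so no snaplen setting changes anything). The script below is an added example of mine, not Snort's decoder; it reproduces the check on constructed Ethernet/IPv4 frames and tells the two cases apart from the capture length and wire length:

```python
"""Reproduce the "ip dgm len > captured len" decoder check on constructed
Ethernet/IPv4 frames (added example, not Snort code)."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HDR = 20


def build_frame(payload_len, claimed_total_len=None):
    """Constructed Ethernet + IPv4 frame with a zero-filled payload.
    claimed_total_len lets the IP header lie about the datagram size."""
    total = IPV4_MIN_HDR + payload_len if claimed_total_len is None else claimed_total_len
    eth = bytes(6) + bytes(6) + struct.pack('!H', ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto(UDP), csum, src, dst
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total, 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return eth + ip + bytes(payload_len)


def decode_ipv4_frame(frame, caplen=None, wirelen=None):
    """Apply the decoder's length sanity check to one captured frame.
    caplen is how many bytes the capture holds (default: len(frame)); wirelen
    is the on-the-wire length pcap records beside it (default: caplen)."""
    caplen = len(frame) if caplen is None else caplen
    wirelen = caplen if wirelen is None else wirelen
    if caplen < ETH_HDR_LEN + IPV4_MIN_HDR:
        return {'verdict': 'truncated before the IP header'}
    ethertype = struct.unpack('!H', frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {'verdict': 'not IPv4'}
    ver_ihl, _tos, total_len = struct.unpack('!BBH', frame[14:18])
    if ver_ihl >> 4 != 4:
        return {'verdict': 'bad IP version'}
    available = caplen - ETH_HDR_LEN          # bytes the decoder can actually see
    if total_len > available:
        # This is the condition behind "ip dgm len > captured len".
        if wirelen > caplen:
            verdict = 'ip dgm len > captured len: truncated by snaplen'
        else:
            verdict = ('ip dgm len > captured len: frame is shorter than its IP '
                       'header claims; snaplen will not help')
    else:
        verdict = 'ok'
    return {'ip_total_len': total_len, 'available': available, 'verdict': verdict}


def classify_capture(records):
    """records: iterable of (frame_bytes, caplen, wirelen). Returns counts per
    verdict so a capture can be summarised instead of read packet by packet."""
    counts = {}
    for frame, caplen, wirelen in records:
        v = decode_ipv4_frame(frame, caplen, wirelen)['verdict']
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == '__main__':
    full = build_frame(100)                       # 134 bytes on the wire
    sample = [
        (full, len(full), len(full)),             # complete capture
        (full[:64], 64, len(full)),               # only 64 bytes captured
        (build_frame(100, claimed_total_len=1500), 134, 134),  # header lies
    ]
    for verdict, n in classify_capture(sample).items():
        print(f'{n:3d}  {verdict}')
```

Run against a real capture, the two verdicts point at different fixes: "truncated by snaplen" goes away when the capture length is raised, while "frame is shorter than its IP header claims" is a property of the frames the interface delivers and has to be chased on the bridge or the sending host, not in Snort's command line.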

Kurzawa, Kevin | 17 Oct 20:58 2014

Port problems in a rule

The port variable doesn’t seem to like me. I recently started playing with rules and found an unexpected problem. Wondering what I’m doing wrong.

# works

alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)

# doesn't work

#alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:2;)

# doesn't work

#alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)

Everything is the same with these rules except the destination port variable.


My conf file lists HTTP_PORTS as follows:

portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
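Two things in this thread and in C. L. Martinez's pulledpork question above can be checked mechanically before a rule file is loaded: whether a rule's destination port or $VAR actually covers the port you expect (here, whether 80 sits inside that HTTP_PORTS list), and whether two active rules carry the same sid (the three rules above all use sid:1000001, which only works because two of them are commented out at any time; third-party rule sets colliding on sids is Martinez's case). The script below is an added example and is neither part of either post nor pulledpork code: it parses rule headers and portvar lines, evaluates Snort port specs, reports duplicate sids among active rules, and renumbers a file's sids sequentially from a base such as 5000000. The sample rules and the shortened HTTP_PORTS list are constructed.

```python
"""Port-spec and sid checks for Snort rule files (added example; not pulledpork
or Snort code). Sample rules and the shortened portvar are constructed."""
import re

RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir><>|->)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)\s*$')
PORTVAR_RE = re.compile(r'^\s*portvar\s+(?P<name>\w+)\s+(?P<spec>\S+)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def port_matches(spec, port, portvars):
    """True if `port` is covered by a Snort port spec: any, 80, 80:90, :1024,
    1024:, !80, $VAR, or a flat bracketed list of those (nested lists are not
    handled). Raises KeyError for an undefined $VAR."""
    spec = spec.strip()
    negate = spec.startswith('!')
    if negate:
        spec = spec[1:]
    if spec.startswith('$'):
        hit = port_matches(portvars[spec[1:]], port, portvars)
    elif spec.startswith('[') and spec.endswith(']'):
        hit = any(port_matches(item, port, portvars)
                  for item in spec[1:-1].split(',') if item)
    elif spec == 'any':
        hit = True
    elif ':' in spec:
        lo, hi = spec.split(':', 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return not hit if negate else hit


def parse_rules(text):
    """One dict per rule line (commented-out rules included, flagged inactive)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        s = SID_RE.search(m.group('opts'))
        rules.append({'line': lineno, 'active': m.group('off') is None,
                      'dport': m.group('dport'),
                      'sid': int(s.group(1)) if s else None, 'raw': line})
    return rules


def parse_portvars(text):
    """portvar NAME SPEC lines from snort.conf -> {NAME: SPEC}."""
    return {m.group('name'): m.group('spec')
            for m in (PORTVAR_RE.match(l) for l in text.splitlines()) if m}


def check_rule_ports(rules, portvars, port):
    """{line: True/False} for whether each active rule's dport covers `port`;
    an undefined variable is reported as a string instead of raising."""
    report = {}
    for r in rules:
        if not r['active']:
            continue
        try:
            report[r['line']] = port_matches(r['dport'], port, portvars)
        except KeyError as e:
            report[r['line']] = 'undefined port variable %s' % e.args[0]
    return report


def duplicate_sids(rules):
    """{sid: [line numbers]} for sids used by more than one active rule."""
    seen = {}
    for r in rules:
        if r['active'] and r['sid'] is not None:
            seen.setdefault(r['sid'], []).append(r['line'])
    return {sid: lines for sid, lines in seen.items() if len(lines) > 1}


def renumber_sids(text, base):
    """Give every active rule a fresh sid, sequentially from `base` (e.g.
    5000000 for a third-party file), leaving commented-out rules untouched.
    Returns (new_text, [(line, old_sid, new_sid), ...])."""
    out, changes, nxt = [], [], base
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        s = SID_RE.search(m.group('opts')) if m else None
        if m and m.group('off') is None and s:
            changes.append((lineno, int(s.group(1)), nxt))
            line = SID_RE.sub('sid:%d;' % nxt, line, count=1)
            nxt += 1
        out.append(line)
    return '\n'.join(out) + '\n', changes


# Constructed inputs: the two rules from the post, two invented third-party rules.
SAMPLE_CONF = 'portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,8080,8443]\n'
SAMPLE_RULES = """\
# the rule from the post that matches, plus its $HTTP_PORTS variant, both active
alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)
# constructed third-party rules: one reuses sid 1000001, one names an undefined variable
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"THIRD-PARTY constructed ssh syn"; flags:S; sid:1000001; rev:1;)
alert tcp any any -> any $SMTP_PORTS (msg:"constructed, undefined variable"; sid:1000002; rev:1;)
#alert tcp any any -> any 80 (msg:"inactive copy"; sid:1000001; rev:2;)
"""

if __name__ == '__main__':
    rules, portvars = parse_rules(SAMPLE_RULES), parse_portvars(SAMPLE_CONF)
    print('port 80 covered:', check_rule_ports(rules, portvars, 80))
    print('duplicate sids:', duplicate_sids(rules))
    new_text, changes = renumber_sids(SAMPLE_RULES, 5000000)
    print('renumbered:', changes)
```

Renumbering changes the identity of a rule, so keep the returned mapping: anything downstream that keys on sid (suppressions, thresholds, barnyard2 sid-msg maps) has to be rewritten with it, and a file renumbered from a base on every download will drift unless the base and order are stable.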

Venkataramesh Bontupalli | 16 Oct 17:21 2014

Regular Expression Matching in Snort Rules

Dear Snort-Users,

I am trying to understand how Snort performs regular expression matching, i.e. the PCRE option in the Snort rules.

However, through a literature study I understood that Snort generates a Finite State Machine (FSM) during compilation.

Could anyone let me know what kind of FSM it generates?
Is it a Deterministic Finite Automaton (DFA) or a Non-Deterministic Finite Automaton (NFA)?

Any help is highly appreciated.

Thanks and Regards,
VenkataRamesh
