Jagan Mohan Reddy D | 10 Feb 13:45

on snort

While running the following command, I got some database errors.

I had it configured with MySQL + BASE + Barnyard2.

$ sudo /usr/local/snort/bin/snort -i eth0 --daq-dir=/usr/local/lib/daq -l /var/log/snort -c /usr/local/snort/etc/snort.conf 

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/snort/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules...
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/netbios.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/multimedia.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/nntp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/snmp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/dos.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-client.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/imap.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-iis.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/bad-traffic.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-misc.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/smtp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/exploit.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/specific-threats.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/p2p.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/misc.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-activex.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/icmp.so... done
  Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/chat.so... done
  Finished Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! WARNING: The database output plugins are considered deprecated as
!!          of Snort 2.9.2 and will be removed in Snort 2.9.3.
!!          The recommended approach to logging is to use unified2 with
!!          barnyard2 or similar.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
database: must enter database name in configuration file


USAGE: database plugin

 output database: [log | alert], [type of database], [parameter list]

 [log | alert] selects whether the plugin will use the alert or
 log facility.

 For the first argument, you must supply the type of database.
 The possible values are mysql, postgresql, odbc, oracle and
 mssql 
 The parameter list consists of key value pairs. The proper
 format is a list of key=value pairs each separated a space.

 The only parameter that is absolutely necessary is "dbname".
 All other parameters are optional but may be necessary
 depending on how you have configured your RDBMS.

 dbname - the name of the database you are connecting to

 host - the host the RDBMS is on

 port - the port number the RDBMS is listening on

 user - connect to the database as this user

 password - the password for given user

 sensor_name - specify your own name for this snort sensor. If you
        do not specify a name one will be generated automatically

 encoding - specify a data encoding type (hex, base64, or ascii)

 detail - specify a detail level (full or fast)

 ignore_bpf - specify if you want to ignore the BPF part for a sensor

              definition (yes or no, no is default)

 FOR EXAMPLE:
 The configuration I am currently using is MySQL with the database
 name of "snort". The user "snortusr <at> localhost" has INSERT and SELECT
 privileges on the "snort" database and does not require a password.
 The following line enables snort to log to this database.

 output database: log, mysql, dbname=snort user=snortusr host=localhost

ERROR: 
Fatal Error, Quitting..

What happened to my Snort?

Can anyone help me with this?

----------------
D J M Reddy
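The usage text Snort printed above spells out exactly what the database output plugin accepts. As an added check (not part of the post and not Snort's own code), this Python validator applies those constraints to `output database:` lines in a snort.conf and reports the precise condition behind the fatal error, a missing `dbname`; the snort.conf fragment it scans is constructed.

```python
"""Check Snort 2.x 'output database:' lines against the usage text the
database plugin prints. Added example, not Snort code."""
import re

FACILITIES = {"log", "alert"}
DB_TYPES = {"mysql", "postgresql", "odbc", "oracle", "mssql"}
KNOWN_KEYS = {"dbname", "host", "port", "user", "password",
              "sensor_name", "encoding", "detail", "ignore_bpf"}
VALUE_SETS = {"encoding": {"hex", "base64", "ascii"},
              "detail": {"full", "fast"},
              "ignore_bpf": {"yes", "no"}}
LINE_RE = re.compile(r"^\s*output\s+database\s*:\s*(.*)$")


def parse_output_database(line):
    """Split one line into (facility, dbtype, {key: value}); raise
    ValueError describing the first structural problem."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an 'output database:' line")
    parts = [p.strip() for p in m.group(1).split(",", 2)]
    if len(parts) != 3:
        raise ValueError("expected: output database: [log | alert], [type], [key=value ...]")
    facility, dbtype, paramstr = parts
    params = {}
    for item in paramstr.split():
        key, sep, value = item.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"parameter {item!r} is not a key=value pair")
        params[key] = value
    return facility, dbtype, params


def check_output_database(line):
    """Return the list of problems with the line; an empty list means the
    plugin would accept the line as far as its syntax goes."""
    try:
        facility, dbtype, params = parse_output_database(line)
    except ValueError as err:
        return [str(err)]
    problems = []
    if facility not in FACILITIES:
        problems.append(f"facility must be log or alert, got {facility!r}")
    if dbtype not in DB_TYPES:
        problems.append(f"unknown database type {dbtype!r}")
    if "dbname" not in params:
        # The exact condition behind the fatal error in the post
        problems.append("must enter database name in configuration file")
    for key, value in params.items():
        if key not in KNOWN_KEYS:
            problems.append(f"unknown parameter {key!r}")
        elif key in VALUE_SETS and value not in VALUE_SETS[key]:
            problems.append(f"{key} must be one of {sorted(VALUE_SETS[key])}")
        elif key == "port" and not value.isdigit():
            problems.append("port must be numeric")
    return problems


def check_snort_conf(text):
    """Map line number -> problems for every active (uncommented)
    'output database:' line in a snort.conf body."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#") or not LINE_RE.match(line):
            continue
        problems = check_output_database(line)
        if problems:
            findings[lineno] = problems
    return findings


# Constructed snort.conf fragment: a commented-out line, an active line
# that forgot dbname (the post's symptom), and the usage text's example.
SAMPLE_CONF = """\
# output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snort password=snort host=localhost
output database: log, mysql, dbname=snort user=snortusr host=localhost
"""
```

`check_snort_conf(SAMPLE_CONF)` flags only line 2, with the same message Snort printed.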

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Joel Esler | 9 Feb 21:58

Some notes about today's VRT Rule release for 02/09/2012

VRT Rule release for 02/09/2012

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 10 new rules and made modifications to 4172 additional rules.

There were no changes made to the snort.conf in this release.

Today, we leveled the playing field between the various ways to get Snort rules. It has long been the case that Sourcefire products, by default, enabled rules in the balanced-ips policy.

When you use PulledPork (http://code.google.com/p/pulledpork/), this is also the default behavior. But when you simply downloaded the rules from Snort.org, the rules were a hodgepodge of rules that were enabled or disabled, denoted by whether or not the rule was commented out in the rules file.

In an effort to make the barrier to entry that much easier, the Open Source rule package downloaded on snort.org now exactly mirrors what you would get if you used PulledPork. All rules in balanced-ips are enabled and all rules not in balanced-ips are disabled. The exception to this is that rules that set flowbits that are used by rules that are in balanced-ips are also enabled. This means that the default Open Source ruleset will now provide a good balance between speed, performance, and detection and all rules should work as expected.  Those using Oinkmaster, or simply downloading the ruleset directly, will now be running the "balanced-ips" policy.  A rule's "on/off" state is now dictated by policy.

This change is in no way an indication that PulledPork is not the recommended way to manage your Open Source ruleset. PulledPork also tracks your own custom policy tailored to your environment and provides other benefits. If you want to use the security-ips policy, you may go through and enable these rules by default, or choose the easy way and use PulledPork to manage this for you. So, use PulledPork if you aren't already!

 In VRT's rule release:

Synopsis: This release adds and modifies rules in several categories.

Details: The Sourcefire VRT has added and modified multiple rules in the attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat, dns, dos, exploit, file-identify, finger, icmp, icmp-info, imap, misc, multimedia, netbios, nntp, oracle, p2p, password, policy, pop3, rpc, rservices, scada, scan, shellcode, smtp, specific-threats, spyware-put, sql, username, voip, web-activex, web-cgi, web-client, web-iis, web-misc and x11 rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
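The enable/disable logic the announcement describes (policy membership, plus the exception for rules that set flowbits which balanced-ips rules check), as an added worked example that is neither PulledPork's nor the VRT's code: it computes the enabled set from rule metadata to a fixed point and rewrites the file the way the note says the snort.org download now looks. It assumes the `metadata:policy <name> <action>` option layout and runs over constructed sample rules whose sids are made up.

```python
"""Enable exactly the rules a policy download should enable. Added example,
not PulledPork or VRT code."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
POLICY_RE = re.compile(r"\bpolicy\s+([\w-]+)\s+\w+")      # metadata:policy NAME ACTION
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+);")
ACTIONS = {"alert", "drop", "sdrop", "reject", "pass", "log", "activate", "dynamic"}


def parse_rule(line):
    """Describe one rule line, commented out or not; None for non-rule lines."""
    stripped = line.strip()
    commented = stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    first = body.split(None, 1)[0] if body else ""
    sid_m = SID_RE.search(body)
    if first not in ACTIONS or not sid_m:
        return None
    sets, checks = set(), set()
    for option in FLOWBITS_RE.findall(body):
        op, _, names = option.partition(",")
        bits = {b.strip() for b in re.split(r"[|&]", names) if b.strip()}
        if op.strip() in ("set", "toggle"):
            sets |= bits
        elif op.strip() in ("isset", "isnotset"):
            checks |= bits
    return {"sid": int(sid_m.group(1)), "commented": commented,
            "policies": set(POLICY_RE.findall(body)),
            "sets": sets, "checks": checks}


def parse_rules(text):
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def enabled_sids(rules, policy="balanced-ips"):
    """Members of the policy, plus (to a fixed point) every rule that sets a
    flowbit some already-enabled rule checks."""
    enabled = {r["sid"] for r in rules if policy in r["policies"]}
    needed = set()
    for r in rules:
        if r["sid"] in enabled:
            needed |= r["checks"]
    changed = True
    while changed:
        changed = False
        for r in rules:
            if r["sid"] not in enabled and r["sets"] & needed:
                enabled.add(r["sid"])
                needed |= r["checks"]   # a setter may itself check other bits
                changed = True
    return sorted(enabled)


def apply_policy(text, policy="balanced-ips"):
    """Rewrite a rules file so that exactly the enabled set is uncommented."""
    keep = set(enabled_sids(parse_rules(text), policy))
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)
        elif rule["sid"] in keep:
            out.append(line.lstrip("#").lstrip() if rule["commented"] else line)
        else:
            out.append(line if rule["commented"] else "# " + line)
    return "\n".join(out) + "\n"


# Constructed sample rules (made-up sids, not VRT sids): 1000002 sets the
# bit that 1000001 checks but is itself only in security-ips.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE consumer"; flowbits:isset,sample.bit; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE setter"; flowbits:set,sample.bit; flowbits:noalert; sid:1000002; rev:1; metadata:policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE security only"; sid:1000003; rev:1; metadata:policy security-ips drop;)
# alert udp any any -> any 53 (msg:"SAMPLE no policy"; sid:1000004; rev:1;)
"""
```

For balanced-ips the result is 1000001 plus its setter 1000002, with 1000003 commented out; for security-ips all three are enabled and the policy-less 1000004 stays off either way.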



Snort Users - Flowbits and rule ordering

Hello Snort-Users!
 
 (Apologies if this appears twice on the list.  I don't see it in the archive, and I do see mails from other users that were already posted today.)
 
  I am having some issues making a flowbits "set" operation be recognized on the first packet of a UDP stream.  Specifically, I set a flag called 'acme_noalert' and have all the firewall verification rules check isnotset:acme_noalert.
 
  When the first packet of a flow comes in, three rules seem to trigger:
     1) Base RPC-Decode informational rules  -- prints output
     2) The (flowbits:set,acme_noalert) rule -- no print
     3) The fw-verify "invalid port" rule  -- prints output (acme_noalert isn't set?)
 
  When each subsequent packet of a flow comes in, the same three rules trigger:
     1) Base RPC-Decode informational stuff -- sometimes prints
     2) The (flowbits:set,acme_noalert) rule -- no print, no net effect
     3) The fw-verify "invalid port" rule -- no print (acme_noalert has been set)
 
  Is it possible to force snort to evaluate rule (2) before rule (3)?  Is there some other way of flagging the flow for my other rules?
 
 
 
  Below is a sanitized set of vars, rules, and example "before" and "after" logfiles.
 
  I have an example .pcap file that triggers the issue, but am unsure how to distribute it to the users list.  (Please let me know what I should do to distribute it.)
 
  Also, let me know if I should instead re-send this mail with attachments instead of inline text.
 
 
Thanks,
-Rob
 
~~~~~~snort.conf additions~~~~~
#######################################
# Example rules
#######################################
 
###### HOSTS
var ACME_HOST_TYPE_GREEN [192.168.1.11]
 
var ACME_HOST_TYPE_ORANGE [192.168.1.22]
 
# All ACME AIX hosts
var ACME_HOST_ALL_AIX [192.168.1.11,192.168.1.22]
 
###### PORTS
# AIX ports which are bindable only by root
portvar ACME_PORTS_AIX_ROOT_RESV [1:1023]
 
# Note: Default ephemeral port range restricted by ACME
portvar ACME_PORTS_AIX_EPHEMERAL [58535:65535]
 
# Portmapper-111 NFS-2049  LowEphemeral--58535:58555
portvar ACME_PORTS_AIX_PORTMAPPED_SVCS [111,2049,58535:58555]
 
#### Verify-firewall ports
portvar ACME_PORTS_GREENAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]
 
portvar ACME_PORTS_ORANGEAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]
 
##****************************************************************
##*  Insert the following include after the last "include" statement in snort.conf
##****************************************************************
include $RULE_PATH/acme-noalert.rules
 
include $RULE_PATH/acme-verify-firewall.rules
 
 
~~~~~~~$RULE_PATH/acme-noalert.rules ~~~~~~~
##### ---- Begin custom non-generated pre-base rules ---- #####
# Mark as "acme_noalert" -- allows other rules to alert on suspicious traffic
# UDP Portmapper - both directions, just in case
 
alert udp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX 111 (flowbits:set,acme_noalert; flowbits:noalert; sid:88001;)
alert udp $ACME_HOST_ALL_AIX 111 -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV (flowbits:set,acme_noalert; flowbits:noalert; sid:88002;)
 
# TCP Portmapped Services - ONE direction
alert tcp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_PORTMAPPED_SVCS (flowbits:set,acme_noalert; flowbits:noalert; sid:88003;)
 
~~~~~~~$RULE_PATH/acme-verify-firewall.rules ~~~~~~~
alert udp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for GREEN AIX";classtype:misc-attack; sid:89001; rev:1;)
alert tcp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for GREEN AIX";classtype:misc-attack; sid:89002; rev:1;)
 
alert udp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for GREEN AIX";classtype:misc-attack; sid:89003; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for GREEN AIX";classtype:misc-attack; sid:89004; rev:1;)
 
alert udp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for ORANGE AIX";classtype:misc-attack; sid:89011; rev:1;)
alert tcp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for ORANGE AIX";classtype:misc-attack; sid:89012; rev:1;)
 
alert udp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for ORANGE AIX";classtype:misc-attack; sid:89013; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for ORANGE AIX";classtype:misc-attack; sid:89014; rev:1;)
 
~~~~~~~~ EXAMPLE LOG WITH acme-noalert.rules ENABLED ~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
 
~~~~~~~~ EXAMPLE LOG WITHOUT acme-noalert.rules ~~~~~~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803849  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:807
02/07-08:11:34.804600  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804758  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.804803  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804955  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805001  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.805151  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805803  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805848  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807308  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:809
02/07-08:11:34.807993  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808099  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808212  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808329  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808422  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808547  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808554  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808749  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
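To see why rule (3) fires on the first packet, here is an added example, not Snort code and not from the post: it replays the UDP portmapper packets from the post's log through a small stand-in flowbits engine loaded with the post's own rules 88001, 88002, 89011 and 89013, and shows that the outcome hinges on which rule sees the packet first. Assumptions: rules are evaluated in list order, the reply packets are reconstructed, and the rules' msg strings are omitted.

```python
"""Stand-in flowbits engine for the post's rules. Added example, not Snort."""
from dataclasses import dataclass


class Not:
    """A negated variable such as !$ACME_PORTS_ORANGEAIX."""
    def __init__(self, values):
        self.values = values

    def __contains__(self, value):
        return value not in self.values


def matches(container, value):
    """None stands for Snort's 'any'."""
    return container is None or value in container


# Variables copied from the post's snort.conf additions
ACME_HOST_TYPE_ORANGE = {"192.168.1.22"}
ACME_HOST_ALL_AIX = {"192.168.1.11", "192.168.1.22"}
ACME_PORTS_AIX_ROOT_RESV = set(range(1, 1024))
ACME_PORTS_ORANGEAIX = ({22, 23, 111, 2049, 5943, 5432, 7950, 8000, 8080, 8380}
                        | set(range(58535, 65536)))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    sid: int
    proto: str
    src: object
    sport: object
    dst: object
    dport: object
    flowbits: tuple = ()   # (op, bit) pairs in the order written in the rule

    def header_matches(self, pkt):
        return (pkt.proto == self.proto and matches(self.src, pkt.src)
                and matches(self.sport, pkt.sport) and matches(self.dst, pkt.dst)
                and matches(self.dport, pkt.dport))


def flow_key(pkt):
    """Both directions of a UDP exchange share one flow, hence one set of bits."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


def run(rules, packets):
    """Evaluate rules against each packet strictly in list order (this
    stand-in's assumption, and the variable under test) and return alerts
    as (sid, 'src:sport -> dst:dport') tuples."""
    flows, alerts = {}, []
    for pkt in packets:
        bits = flows.setdefault(flow_key(pkt), set())
        for rule in rules:
            if not rule.header_matches(pkt):
                continue
            alert = True
            for op, bit in rule.flowbits:
                if op == "set":
                    bits.add(bit)
                elif op == "isnotset" and bit in bits:
                    alert = False
                    break              # rule fails; later options never run
                elif op == "noalert":
                    alert = False      # the bit set above stays set
            if alert:
                alerts.append((rule.sid, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"))
    return alerts


# The post's rules as data (sids, hosts and ports from the two rule files)
NOALERT = (("set", "acme_noalert"), ("noalert", None))
ISNOTSET = (("isnotset", "acme_noalert"),)
SID_88001 = Rule(88001, "udp", ACME_HOST_ALL_AIX, ACME_PORTS_AIX_ROOT_RESV,
                 ACME_HOST_ALL_AIX, {111}, NOALERT)
SID_88002 = Rule(88002, "udp", ACME_HOST_ALL_AIX, {111},
                 ACME_HOST_ALL_AIX, ACME_PORTS_AIX_ROOT_RESV, NOALERT)
SID_89011 = Rule(89011, "udp", ACME_HOST_TYPE_ORANGE, Not(ACME_PORTS_ORANGEAIX), None, None, ISNOTSET)
SID_89013 = Rule(89013, "udp", None, None, ACME_HOST_TYPE_ORANGE, Not(ACME_PORTS_ORANGEAIX), ISNOTSET)

# Packets reconstructed from the post's log: the two portmap requests from
# the ORANGE host, each followed by an assumed reply on the same flow
PACKETS = [
    Packet("udp", "192.168.1.22", 807, "192.168.1.11", 111),
    Packet("udp", "192.168.1.11", 111, "192.168.1.22", 807),
    Packet("udp", "192.168.1.22", 809, "192.168.1.11", 111),
    Packet("udp", "192.168.1.11", 111, "192.168.1.22", 809),
]

CHECK_BEFORE_SET = [SID_89011, SID_89013, SID_88001, SID_88002]  # the post's "ENABLED" log
SET_BEFORE_CHECK = [SID_88001, SID_88002, SID_89011, SID_89013]  # the intended behaviour
NO_NOALERT_RULES = [SID_89011, SID_89013]                        # the "WITHOUT" log
```

`run(CHECK_BEFORE_SET, PACKETS)` yields 89011 on the first packet of each flow and nothing on the replies, exactly the post's "ENABLED" log, while `run(SET_BEFORE_CHECK, PACKETS)` yields no alerts and `run(NO_NOALERT_RULES, PACKETS)` reproduces the UDP lines of the "WITHOUT" log.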
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Picon
Gravatar

Flowbits and rule ordering issue

Hello Snort-Users!
 
  I am having some issues making a flowbits "set" operation be recognized on the first packet of a UDP stream.  Specifically, I set a flag called 'acme_noalert' and have all the firewall verification rules check issnotset:acme_noalert.
 
  When the first packet of a flow comes in, three rules seem to trigger:
     1) Base RPC-Decode informational rules  -- prints output
     2) The (flowbits:set,acme_noalert) rule -- no print
     3) The fw-verify "invalid port" rule  -- prints output (acme_noalert isn't set?)
 
  When each subsequent packet of a flow comes in, the same three rules trigger:
     1) Base RPC-Decode informational stuff -- sometimes prints
     2) The (flowbits:set,acme_noalert) rule -- no print, no net effect
     3) The fw-verify "invalid port" rule -- no print (acme_noalert has been set)
 
  Is it possible to force snort to evaluate rule (2) before rule (3)?  Is there some other way of flagging the flow for my other rules?
 
 
 
  Below is a sanitized set of vars, rules, and example "before" and "after" logfiles.
 
  I have an example .pcap file that triggers the issue, but am unsure how to distribute it to the users list.  (Please let me know what I should do to distribute it.)
 
  Also, let me know if I should instead re-send this mail with attachments instead of inline text.
 
 
Thanks,
-Rob
 
~~~~~~snort.conf additions~~~~~
#######################################
# Example rules
#######################################
 
###### HOSTS
var ACME_HOST_TYPE_GREEN [192.168.1.11]
 
var ACME_HOST_TYPE_ORANGE [192.168.1.22]
 
# All ACME AIX hosts
var ACME_HOST_ALL_AIX [192.168.1.11,192.168.1.22]
 
###### PORTS
# AIX ports which are bindable only by root
portvar ACME_PORTS_AIX_ROOT_RESV [1:1023]
 
# Note: Default ephemeral port range restricted by ACME
portvar ACME_PORTS_AIX_EPHEMERAL [58535:65535]
 
# Portmapper-111 NFS-2049  LowEphemeral--58535:58555
portvar ACME_PORTS_AIX_PORTMAPPED_SVCS [111,2049,58535:58555]
 
#### Verify-firewall ports
portvar ACME_PORTS_GREENAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]
 
portvar ACME_PORTS_ORANGEAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]
 
##****************************************************************
##*  Insert the following include afer the last "include" statement in snort.conf
##****************************************************************
include $RULE_PATH/acme-noalert.rules
 
include $RULE_PATH/acme-verify-firewall.rules
 
 
~~~~~~~$RULE_PATH/acme-noalert.rules ~~~~~~~
##### ---- Begin custom non-generated pre-base rules ---- #####
# Mark as "acme_noalert" -- allows other rules to alert on suspicious traffic
# UDP Portmapper - both directions, just in case
 
alert udp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX 111 (flowbits:set,acme_noalert; flowbits:noalert; sid:88001;)
alert udp $ACME_HOST_ALL_AIX 111 -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV (flowbits:set,acme_noalert; flowbits:noalert; sid:88002;)
 
# TCP Portmapped Services - ONE direction
alert tcp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_PORTMAPPED_SVCS (flowbits:set,acme_noalert; flowbits:noalert; sid:88003;)
 
~~~~~~~$RULE_PATH/acme-verify-firewall.rules ~~~~~~~
alert udp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for GREEN AIX";classtype:misc-attack; sid:89001; rev:1;)
alert tcp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for GREEN AIX";classtype:misc-attack; sid:89002; rev:1;)
 
alert udp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for GREEN AIX";classtype:misc-attack; sid:89003; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for GREEN AIX";classtype:misc-attack; sid:89004; rev:1;)
 
alert udp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for ORANGE AIX";classtype:misc-attack; sid:89011; rev:1;)
alert tcp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for ORANGE AIX";classtype:misc-attack; sid:89012; rev:1;)
 
alert udp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for ORANGE AIX";classtype:misc-attack; sid:89013; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for ORANGE AIX";classtype:misc-attack; sid:89014; rev:1;)
 
~~~~~~~~ EXAMPLE LOG WITH acme-noalert.rules ENABLED ~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
 
~~~~~~~~ EXAMPLE LOG WITHOUT acme-noalert.rules ~~~~~~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803849  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:807
02/07-08:11:34.804600  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804758  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.804803  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804955  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805001  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.805151  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805803  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805848  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807308  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:809
02/07-08:11:34.807993  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808099  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808212  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808329  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808422  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808547  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808554  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808749  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
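The alert lines quoted above are in Snort's "fast" alert format. The following is an added example (not code from the Snort project or from the poster) that parses such lines and summarizes them by signature and by src/dst pair, which is the first thing to do when one host pair is generating a burst of FW-validate and RPC alerts like the one shown. The sample input is constructed from a subset of the lines quoted above; the regular expression is this example's own, not a Snort library call.

```python
"""Parse Snort fast-format alert lines and summarize them for triage.

Added example, not Snort's own code.  SAMPLE_ALERTS is a constructed subset
of the alert lines quoted in the post above.
"""
import re
from collections import Counter

# Constructed sample: six of the alert lines quoted in the post.
SAMPLE_ALERTS = """\
02/07-08:11:34.805848  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807308  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:809
02/07-08:11:34.807993  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808099  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict of fields for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def parse_alerts(text):
    """Parse every non-blank line; an unparseable line is an error, not silently dropped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            raise ValueError("unrecognized alert line: %r" % line)
        alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts per (gid, sid, msg) and per (src, dst) host pair."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_pair = Counter((a["src"], a["dst"]) for a in alerts)
    return by_sig, by_pair


if __name__ == "__main__":
    sigs, pairs = summarize(parse_alerts(SAMPLE_ALERTS))
    for (gid, sid, msg), n in sigs.most_common():
        print("%4d  [%d:%d] %s" % (n, gid, sid, msg))
    for (src, dst), n in pairs.most_common():
        print("%4d  %s -> %s" % (n, src, dst))
```

Pointing parse_alerts at the contents of /var/log/snort/alert instead of SAMPLE_ALERTS gives the same per-signature and per-host-pair counts for a real sensor; a run dominated by a single host pair and a handful of custom "FW validate" SIDs, as above, usually points at a rule tuning problem rather than at an attack.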
Dave Kelly | 8 Feb 16:03

Basics of setting up an inline snort installation

Hello,

I'm going to try setting up a new inline configuration, I've only
tried passive before but would like Snort to be able to drop packets
it says are bad.  I'm trying to work out the IP addressing for it. At
the moment, I have all my machines in 192.168.1.0/24 with a router at
192.168.1.1 and a mirrored port on the switch sending all traffic to
snort.

It's pretty similar to the Ubuntu getting started guide in the docs
("Snort 2.9.2.0 on Ubuntu 10.04 LTS").

I think that to move snort to inline I'm going to need to give it a
proper IP address and have the traffic pass through it but I can't
quite work out how to do that without reconfiguring all the hosts to
have new gateway addresses etc.  Any hints to get me going would be
much appreciated.

Dave.



snort with mysql



While running the following command, I am getting errors from the database.


snort -l c:\Snort\log -c C:\Snort\etc\snort.conf


ERROR: database: mysql_error: Access denied for user 'snort' <at> 'localhost' (using
password: NO)
Fatal Error, Quitting..

In the configuration file, i used the following one.

output database: log, mysql, user=snort  password=046687 dbname=snort host=localhost port=3306

I have configured my database (MySQL) for the snort user.

I gave all the privileges to that user.


Can anyone help me with this...
----------------
Thanks & Regards
D J M Reddy


Snort on WIN XP

While I am running Snort on WIN XP, I am unable to run it!


C:\Snort\bin>snort -A console -i 1 -c C:\Snort\etc\snort.conf -l C:\Snort\log -K  ascii

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "C:\Snort\etc\snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381
 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181
 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: C:\Snort\etc\snort.conf(237) Missing/incorrect dynamic engine lib specifier.
Fatal Error, Quitting..



What's wrong with my Snort...?

Here I'm attaching my snort.conf file.

Please help me on this...





----------------
D J M Reddy

Attachment (snort.conf): application/octet-stream, 23 KiB
PS | 6 Feb 20:05

Barnyard2 and AFPACKET

Hello,

I would like to know how to set the "config interface" option in the barnyard2.conf file when using Snort and
AFPACKET, if it is possible. Is it possible to configure the file so that it can differentiate which
interface the alert fired off on? I am currently using interfaces eth0:eth1.

Thanks!

PS | 6 Feb 17:51

SSL and Snort

Hello,

Does anyone know of a free/open-source tool which could decrypt SSL and make it accessible to Snort?

Something like a mitm proxy with the capability to pass the unencrypted packets over to snort for analysis.

Thanks!

Victor Pineiro


snort 2.9.2 preproc sids, gids missing from gen-msg.map

Hi,

There seem to be many sid & gid descriptions missing from the gen-msg.map for the 2.9.2.0 rule snapshot?
This is one example preprocessor rule missing from the gen-msg.map:

alert ( msg: "DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )

How do we resolve this?

Thanks,
Larry

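A way to find every preprocessor rule whose gid:sid has no entry in gen-msg.map, as an added example (not code from the Snort project or from the poster). It reads preprocessor rules in the format quoted above and a gen-msg.map in its usual "gid || sid || message" layout, reports the (gid, sid) pairs that are missing, and emits map lines for them. The rule and map contents below are constructed samples, and the option-parsing regular expression is this example's own.

```python
"""Report preprocessor rules missing from gen-msg.map and generate the
missing map lines.  Added example, not Snort's own tooling.

SAMPLE_PREPROC_RULES and SAMPLE_GEN_MSG_MAP are constructed samples; the
second deliberately lacks sid 2 and 3 of gid 145.
"""
import re

# Constructed sample of preprocessor rules, in the format quoted in the post.
SAMPLE_PREPROC_RULES = """\
# DNP3 preprocessor rules (constructed sample)
alert ( msg: "DNP3_BAD_CRC"; sid:1; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "DNP3_DROPPED_SEGMENT"; sid:3; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
"""

# Constructed sample gen-msg.map: "gid || sid || message", one entry per line.
SAMPLE_GEN_MSG_MAP = """\
# constructed sample
1 || 1 || snort general alert
145 || 1 || DNP3_BAD_CRC
"""

# One "key:value;" rule option; quoted values may contain ';' and ':'.
OPTION_RE = re.compile(r'(\w[\w-]*)\s*:\s*("[^"]*"|[^;]*);')


def parse_rule_options(line):
    """Return the rule's options as a dict (first occurrence of each key wins)."""
    opts = {}
    for m in OPTION_RE.finditer(line):
        key, val = m.group(1), m.group(2).strip().strip('"')
        opts.setdefault(key, val)
    return opts


def load_preproc_rules(text):
    """Map (gid, sid) -> msg for every rule line; gid defaults to 1 when absent."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_rule_options(line)
        if "sid" in opts and "msg" in opts:
            rules[(int(opts.get("gid", 1)), int(opts["sid"]))] = opts["msg"]
    return rules


def load_gen_msg_map(text):
    """Map (gid, sid) -> message from gen-msg.map lines; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        entries[(int(parts[0]), int(parts[1]))] = parts[2]
    return entries


def missing_map_entries(rules, genmap):
    """Rules whose (gid, sid) has no gen-msg.map entry."""
    return {key: msg for key, msg in rules.items() if key not in genmap}


def format_map_lines(missing):
    """Render missing entries as gen-msg.map lines, sorted by gid then sid."""
    return ["%d || %d || %s" % (gid, sid, msg)
            for (gid, sid), msg in sorted(missing.items())]


if __name__ == "__main__":
    rules = load_preproc_rules(SAMPLE_PREPROC_RULES)
    genmap = load_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    for line in format_map_lines(missing_map_entries(rules, genmap)):
        print(line)
```

Run against the real files by reading preprocessor.rules and gen-msg.map from the rule snapshot instead of the two constructed strings; the printed lines can be appended to gen-msg.map so that tools which label events by gid:sid from that file have a message for each preprocessor event.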
Jonathan S. Abrams | 3 Feb 21:54

Where Is libprelude?

Hello,

I am in the process of installing Snort (and the prerequisites) on OS X Server v10.6.8.  While installing libdnet, I encountered the following error.

configure.in:424: error: possibly undefined macro: AM_PATH_LIBPRELUDE
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.

It appears that OS X Server v10.6.8 does not include libprelude by default.  When I go to http://www.prelude-technologies.com/en/development/download/index.html to download libprelude, the page says "You can find Prelude OSS packages on most Linux distribution (Mandriva, Debian, Red Hat, etc.) Prelude OSS source code will be back on this site later."

I am not using a Linux distribution.  Where does an OS X user get libprelude?

Thanks for reading!
