Jon P | 4 May 15:05 2016

Barnyard not using gen-msg.map

I'm using the ET Community rule set. PulledPork updates this daily. That
seems to be working fine. 

I did something that is causing my alerts to now be loaded as Snort
Alert [1:2101411:12] in BASE. 

I *think* the issue is with the gen_file and sid_file; but my config
looks ok. 

config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config reference_file:      /etc/snort/reference.config
config sid_file:            /etc/snort/sid-msg.map
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort xxxxxxxxxxxxxxxxxxxxxx

Both the *.map files look right and have the text for the alerts I'm
seeing. 

Is it better practice to use the -S and -G options?

Thanks!

-jp
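
An added example (not code from the post, from barnyard2 or from BASE) that reproduces the gen-msg.map / sid-msg.map lookup barnyard2 performs, so the files named by gen_file and sid_file (or by -S and -G, which point at the same two files) can be checked for the gid:sid that BASE is showing as a bare "Snort Alert [1:2101411:12]". The map contents and message text below are constructed; load_maps() reads the real files.

```python
# Added example, not code from the post or from barnyard2: resolve an alert tag of the form
# "[gid:sid:rev]" to message text the way barnyard2 looks it up in gen-msg.map and sid-msg.map.
# Pointing load_maps() at the real files is a quick check of whether they actually contain the
# event that BASE is showing as a bare "Snort Alert [1:2101411:12]".
from typing import Dict, Optional, Tuple

MapTable = Dict[Tuple[int, int], str]

# Constructed sample files. gen-msg.map lines are "gid || sid || msg". sid-msg.map v1 lines are
# "sid || msg || ref ...", and a v2 file starts with "#v2" and uses
# "gid || sid || rev || classification || priority || msg || ref ...". Message text is made up.
SAMPLE_GEN_MSG = """\
# comment lines and blank lines are ignored
1 || 1 || snort general alert
116 || 1 || snort_decoder: Not IPv4 datagram!
"""

SAMPLE_SID_MSG_V2 = """\
#v2
1 || 2101411 || 12 || attempted-recon || 2 || SAMPLE rule message for sid 2101411 || cve,1999-0517
1 || 1000001 || 1 || || 3 || test honeytoken rule
"""


def _fields(line: str):
    return [f.strip() for f in line.split("||")]


def parse_gen_msg(text: str) -> MapTable:
    """(gid, sid) -> message for decoder/preprocessor events."""
    table: MapTable = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = _fields(line)
        if len(f) >= 3:
            table[(int(f[0]), int(f[1]))] = f[2]
    return table


def parse_sid_msg(text: str) -> MapTable:
    """(gid, sid) -> message for rule events; v1 files carry no gid column, so gid 1 is implied."""
    table: MapTable = {}
    lines = text.splitlines()
    v2 = bool(lines) and lines[0].strip() == "#v2"
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = _fields(line)
        if v2 and len(f) >= 6:
            table[(int(f[0]), int(f[1]))] = f[5]
        elif not v2 and len(f) >= 2:
            table[(1, int(f[0]))] = f[1]
    return table


def load_maps(gen_path: str, sid_path: str) -> Tuple[MapTable, MapTable]:
    """Read the two files named by gen_file and sid_file in the barnyard2 config."""
    with open(gen_path, encoding="utf-8", errors="replace") as g, \
            open(sid_path, encoding="utf-8", errors="replace") as s:
        return parse_gen_msg(g.read()), parse_sid_msg(s.read())


def resolve_alert(tag: str, gen: MapTable, sid: MapTable) -> Optional[str]:
    """Rule events (gid 1, and gid 3 for shared-object rules) come from sid-msg.map; every other
    gid comes from gen-msg.map. None means neither file knows the event, which is when the
    output falls back to the generic "Snort Alert [gid:sid:rev]" text."""
    gid, sid_num, _rev = (int(x) for x in tag.strip("[]").split(":"))
    table = sid if gid in (1, 3) else gen
    return table.get((gid, sid_num))


if __name__ == "__main__":
    gen, sid = parse_gen_msg(SAMPLE_GEN_MSG), parse_sid_msg(SAMPLE_SID_MSG_V2)
    for tag in ("[1:2101411:12]", "[116:1:1]", "[1:4242424:1]"):
        print(tag, "->", resolve_alert(tag, gen, sid) or "NOT IN MAP FILES")
```

If resolve_alert() returns None against the real files, the SID is missing from the sid-msg.map barnyard2 is reading: a map regenerated from a different rule set than the one Snort is alerting on, or a barnyard2 that has not been restarted since the map changed, both produce exactly the generic "Snort Alert [gid:sid:rev]" label.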

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

rmkml | 4 May 07:58 2016

RE : snort honeytoken config

Hi Samuel, 

Please try with cksum disabled  (-k none).

Regards
<at> Rmkml 



-------- Original message --------
From: Samuel Kidman <skidman <at> netwealth.com.au>
Date: 04/05/2016 07:23 (GMT+01:00)
To: snort-users <at> lists.sourceforge.net
Subject: [Snort-users] snort honeytoken config

Samuel Kidman | 4 May 07:23 2016

snort honeytoken config

Hello

I am trying to use snort to check for certain strings leaving an MSSQL database. The idea is if these are leaving the database then someone is doing queries they shouldn’t be.

I have created a simple content rule:

alert tcp any 1433 -> any any (content: "HONEYTOKEN"; msg: "test honeytoken rule"; sid:1000001;)

If I query the database and run a packet capture on the snort machine, then feed the packet capture into snort (using the -r switch) the rule works as expected.

However, if I run snort in IDS mode (using the -i switch) then the rule isn’t triggered.

Does anyone know what could be happening?

Regards, Sam
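
As an added example (not code from the thread), here is what the -k none suggestion in the reply switches off: the checksum verification an IDS performs before a packet reaches rule matching. The script builds an IPv4/TCP segment from port 1433 carrying HONEYTOKEN, verifies the IP and TCP checksums, and applies the rule's port and content test under each -k mode. A live capture whose TCP checksums are wrong (checksum offload on the capturing host is the usual cause) is skipped under the default -k all and matched under -k none. All packet bytes are constructed, and the -k model is a simplification of Snort's decoder behaviour, not its code.

```python
# Added example, not code from the thread: build an IPv4/TCP segment from port 1433 carrying
# the string "HONEYTOKEN", then verify its checksums the way an IDS does before matching rules.
# Snort by default does not run rules over packets whose IP or TCP checksum is wrong, and
# "-k none" (the suggestion in the reply) turns that verification off. All bytes are constructed.
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + TCP (PSH/ACK) with correct header checksums."""
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0))
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp) + payload))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                               _ip(src_ip), _ip(dst_ip)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp) + payload


def corrupt_tcp_checksum(pkt: bytes) -> bytes:
    """Copy of pkt whose TCP checksum is off by one, standing in for a capture with offloaded or
    damaged checksums; adding one can never produce the correct value."""
    ihl = (pkt[0] & 0x0F) * 4
    off = ihl + 16
    bad = (struct.unpack("!H", pkt[off:off + 2])[0] + 1) & 0xFFFF
    return pkt[:off] + struct.pack("!H", bad) + pkt[off + 2:]


def ip_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def would_inspect(pkt: bytes, cksum_mode: str = "all") -> bool:
    """Simplified model of the -k modes: which checksums must verify before rules see the packet."""
    need_ip = cksum_mode not in ("noip", "none")
    need_tcp = cksum_mode not in ("notcp", "none")
    return (not need_ip or ip_checksum_ok(pkt)) and (not need_tcp or tcp_checksum_ok(pkt))


def rule_matches(pkt: bytes, cksum_mode: str = "all", token: bytes = b"HONEYTOKEN",
                 src_port: int = 1433) -> bool:
    """alert tcp any 1433 -> any any (content:"HONEYTOKEN"; ...) applied to a single packet."""
    if not would_inspect(pkt, cksum_mode):
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    doff = (pkt[ihl + 12] >> 4) * 4
    return sport == src_port and token in pkt[ihl + doff:]


if __name__ == "__main__":
    good = build_packet("10.0.0.5", "10.0.0.9", 1433, 50123, b"...customer_notes: HONEYTOKEN...")
    bad = corrupt_tcp_checksum(good)
    for name, p in (("good checksum", good), ("bad checksum", bad)):
        print(name, "-k all:", rule_matches(p), " -k none:", rule_matches(p, "none"))
```

The diagnostic this gives you is the same one to run on the real traffic: if a capture of the live interface shows bad TCP checksums on the SQL responses (tcpdump's -vv prints them), the replayed pcap and the live interface are not being treated alike by the decoder, and -k none (or fixing offload on the sensor NIC) is the fix, not the rule.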

 

Snort Releases | 3 May 15:07 2016

Snort++ Build 197 Available Now

Snort++ build 197 is now available on snort.org.  This is the latest 
monthly update available for download.  You can also get the latest 
updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes:

* cmake and pkgconfig fixes
* fixed clang, gcc, and icc, build warnings
* fix FreeBSD build
* fix building against LuaJIT using only pkg-config
* fix rule compilation for sticky buffers
* miscellaneous warning and lint cleanup
* update extras to better serve as examples
* cleanup use of protocol numbers and identifiers
* fixed so rule input / output
* fixed protocol numbering issues
* fixed 129:18
* fix session parsing abort handling
* perf_monitor config and format fixes
* new_http_inspect unicode initialization bug fix
* legacy search engine cleanup
* fix process stats output
* update extra version to alpha 4 - thanks to Henry Luciano
<cuncator <at> mote.org> for reporting the issue
* fix unit tests
* fixed memory leaks
* fixed static analysis issues

Enhancements:

* use hwloc for CPU affinity
* cmake - check all dependencies before fatal error
* add configure --enable-address-sanitizer
* add configure --enable-code-coverage
* remove legacy/unused obfuscation api
* finished stream_tcp refactoring; starting on updates
* add dce rule options iface, opnum, smb, stub_data, tcp
* add dce option for byte_extract/jump/test
* initial side channel and file connector for high availability
* initial high availability for UDP
* new_http_inspect %u encoding and utf 8 bare byte
* add UTF-8 normalization for new_http_inspect
* unicode map file for new_http_inspect
* host_cache and host_tracker config and stats updates
* snort2Lua updates for preproc sensitive_data and sd_pattern option
* dce2 port continued - add dce packet fragmentation
* dce segmentation changes
* dce smb header checks port - non segmented packets
* memory manager updates
* added iterative pruning for out of memory condition
* added preemptive pruning to memory manager
* added thread timing stats to perf_monitor
* perf_monitor refactoring
* added file capture stats
* added packet_capture module
* DAQ interface refactoring
* updated catch headers to v1.4.0

Please submit bugs, questions, and feedback to bugs <at> snort.org or the 
Snort-Users mailing list.

Happy Snorting!
The Snort Release Team


Shy It | 2 May 15:09 2016

SSL Inspection

Hello,

I am in the process of looking at commercial solutions that will do IPS/IDS.  After looking at these solutions and how they sniff traffic I am concerned that they will not capture everything unless I do some type of SSL inspection.  Before diving in with a commercial solution I figure I'll give snort a try.  How is the SNORT community getting full functionality if they are not implementing with SSL inspection?  

Lastly, has SNORT reduced incidents of crypto in your environment?

Thank You
Wilson Mesa | 1 May 17:28 2016

Snort SID Help 1:3813

Hello All

I am a student using a cyber competition data set from 2009 for a school project.  One alert that I'm especially interested in shows SID 3813.  I found an old entry on the SourceForge mailing list and a few other spots. 

There appears to be no mention of it in the National Vulnerability Database or CVSS.  Would any of you seasoned Snort users be able to tell me why this particular vulnerability doesn't have an entry in either of those repositories?

Thank you
  Wilson
Ehardt, Laurie J (IS | 28 Apr 00:51 2016

RHEL 6.7 dnet library not found - but is there

I have a similar issue with installing on RHEL 6.7 with a few changes to the output.

Re: CentOS install 6.2 - dnet library not found - but is there

On Sun, Apr 8, 2012 at 5:56 PM, Hanks, Dustin <hokorippoi () gmail com> wrote:

When trying to ./configure Snort I get this:

.....
checking dnet.h usability... no
checking dnet.h presence... no
checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no

   ERROR!  dnet library not found, go get it from
   http://code.google.com/p/libdnet/ or use the --with-dnet-*
   options, if you have it installed in an unusual place

dnet is there:

# dnet-config --libs --cflags --version
1.12
-I/usr/local/include
-L/usr/local/lib -ldnet

# /usr/local/lib
lib/     lib64/   libexec/

I have tried:

# ./configure --with-dnet-libraries=/usr/local/lib/ --with-dnet-includes=/usr/local/include/

Still get error.

I tried this, but linking to the libdnet.so and actually copying the libraries to the directories did not work.

From: Jeremy Hoel <jthoel () gmail com>
Date: Mon, 9 Apr 2012 20:56:01 +0000

When I'm building dnet on a 64bit system I end up linking it..

cd /usr/src
tar -xzvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make install
ln -s /usr/local/lib/libdnet.1 /usr/lib/
ln -s /usr/local/lib/libdnet.1 /usr/lib64/

James Lay | 26 Apr 20:37 2016

Infosec Institute series

For those that may not know:

http://resources.infosecinstitute.com/search/?s=Snort%20Lab

Starting with "Basic Snort Rules Syntax and Usage" on up is a pretty 
good deep dive into really using Snort.

James


Lawrence S. Slifkin | 26 Apr 15:29 2016

Snort and Snorby Reports

I am seeing a ton of Other Destination IP Addresses in my daily reports from Snorby.  This only started to happen 3 weeks ago and no changes have been implemented.

If anyone has any thoughts on this, or a good way to track down if they are actually getting through, or just being rejected, I would appreciate it.

Thank you

_______________________________
Lawrence S. Slifkin

fatema bannatwala | 25 Apr 17:30 2016

Event_filters don't work with in-rule threshold filters.

Hi,

I am a new snort user, and started looking at some alerts. I wanted to customize the rules threshold by defining stand-alone event_filter in threshold.config file for specific gid and sid.

I realized that after doing that, snort doesn't start and when I disable those event_filters in threshold.config , snort will start normally.
After looking into the original rule in .rules files pulled by pulledpork, I noticed that the rules that I was trying to write event_filter for, have in-rule threshold command limiting the logged alerts.
When I read the documentation, it doesn't say anything like "you can't specify event_filters for rules that already have a threshold command defined inside the rule".
And I think that's the problem and that's why snort fails to start when I try to define stand-alone event filters for the rules having threshold defined inside the rules.

So I wanted to ask: what's the correct way to limit alerts for rules that already have a threshold defined in them? (I have many rules for which I would really like to define event_filters to limit the logged alerts, but am not able to do that).

I apologize if this has already been discussed in some other thread (any pointer to the same would be appreciated).
Thanks in advance.

Thanks,
Fatema.
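
An added example (not code from the post or from Snort) that checks a rules file against threshold.config for the situation described above: a rule carrying an in-rule threshold option while threshold.config also has a stand-alone event_filter for the same gid:sid. Snort accepts only one event_filter per gen_id/sig_id pair, and the in-rule threshold counts as one, which is consistent with the start-up failure reported. strip_in_rule_threshold() returns the rule without the option together with the equivalent event_filter line, the in-rule threshold being deprecated in favour of event_filter. The rules (SIDs in the local 1000000+ range), messages and threshold.config lines are constructed.

```python
# Added example, not code from the post or from Snort: find gid:sid pairs that have both an
# in-rule "threshold:" option and a stand-alone event_filter in threshold.config. Snort turns an
# in-rule threshold into an event_filter for that pair and allows only one event_filter per
# gen_id/sig_id, so the duplicate is what stops it from starting. strip_in_rule_threshold() moves
# the threshold out of the rule into the equivalent event_filter line. All text below is constructed.
import re
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, int]

SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH auth attempt"; flow:to_server,established; \\
    threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"LOCAL RDP probe"; flow:to_server; sid:1000002; rev:1;)
# alert udp any any -> any 53 (msg:"LOCAL disabled"; threshold: type limit, track by_src, count 1, seconds 60; sid:1000003; rev:1;)
"""

SAMPLE_THRESHOLD_CONF = """\
# constructed threshold.config
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 300
event_filter gen_id 1, sig_id 1000002, type limit, track by_dst, count 1, seconds 60
suppress gen_id 1, sig_id 1000003, track by_src, ip 10.0.0.0/8
"""

_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
_THRESHOLD = re.compile(r"\s*threshold\s*:\s*([^;]+);")
_EVENT_FILTER = re.compile(r"^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*(.+)$")


def _logical_rules(text: str) -> List[str]:
    """Join backslash-continued lines; drop comments and blank lines (commented rules are inactive)."""
    rules, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            rules.append(stripped)
        buf = ""
    return rules


def _normalize(opts: str) -> str:
    return ", ".join(p.strip() for p in opts.split(","))


def in_rule_thresholds(rules_text: str) -> Dict[Key, Tuple[str, str]]:
    """(gid, sid) -> (normalized threshold options, full rule) for active rules that carry one."""
    found: Dict[Key, Tuple[str, str]] = {}
    for rule in _logical_rules(rules_text):
        sid, thr = _SID.search(rule), _THRESHOLD.search(rule)
        if not sid or not thr:
            continue
        gid = _GID.search(rule)          # no gid option means gid 1
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        found[key] = (_normalize(thr.group(1)), rule)
    return found


def standalone_event_filters(conf_text: str) -> Dict[Key, str]:
    found: Dict[Key, str] = {}
    for line in conf_text.splitlines():
        m = _EVENT_FILTER.match(line.strip())
        if m:
            found[(int(m.group(1)), int(m.group(2)))] = _normalize(m.group(3))
    return found


def find_conflicts(rules_text: str, conf_text: str) -> List[Tuple[Key, str, str]]:
    """Pairs defined in both places, with the two option strings side by side."""
    in_rule = in_rule_thresholds(rules_text)
    standalone = standalone_event_filters(conf_text)
    return [(k, in_rule[k][0], standalone[k]) for k in sorted(in_rule) if k in standalone]


def strip_in_rule_threshold(rule: str) -> Tuple[str, Optional[str]]:
    """Return the rule without its threshold option plus the equivalent event_filter line."""
    thr, sid = _THRESHOLD.search(rule), _SID.search(rule)
    if not thr or not sid:
        return rule, None
    gid = _GID.search(rule)
    gid_num = int(gid.group(1)) if gid else 1
    event_filter = "event_filter gen_id %d, sig_id %d, %s" % (
        gid_num, int(sid.group(1)), _normalize(thr.group(1)))
    return _THRESHOLD.sub("", rule, count=1), event_filter


if __name__ == "__main__":
    for key, a, b in find_conflicts(SAMPLE_RULES, SAMPLE_THRESHOLD_CONF):
        print("%d:%d has in-rule [%s] and threshold.config [%s]" % (key[0], key[1], a, b))
        print("   migrate:", strip_in_rule_threshold(in_rule_thresholds(SAMPLE_RULES)[key][1])[1])
```

Run over the rules directory and threshold.config, the conflict list is the set of SIDs that will keep Snort from starting; for each one you keep exactly one definition, either the in-rule option or the threshold.config line, and since the in-rule form is the deprecated one the event_filter line is the place to keep it.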

Chris Sandford | 25 Apr 12:20 2016

config file

Hi all,

My first attempt at using Snort – new product to me.

Attempting to load and validate the config file, the following error is thrown up.

Decoding Ethernet
ERROR: log_tcpdump: Failed to open log file "c:\snort\log/c:\snort\log.1461579119
9": Invalid argument
Fatal Error, Quitting..

I updated my config file to point to c:\snort\log but I do not understand why it is looking for a log.1461579119?

There is no file in that folder named as such so I can understand why it’s failing.

Using on Windows

SMS Head Office : Starling House, Lancelot Road, Beacon Park, Gorleston-on-Sea, Great Yarmouth, Norfolk, NR31 7BF
Tel: +44 (0)1493

