Jutichai Thongkrachai | 27 Jan 05:45 2015

Cisco Proprietary Protocol and Snort

Hello,

My Snort keeps telling me that it detects "snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol" (Sid:450, Gid:116) hourly, which comes from my Cisco switch sending multicast packets to the network with its proprietary PIM protocol (sparse-dense mode).

I'm curious whether my Snort cannot decode the Cisco PIM protocol, so it detects it as "WARNING: BAD-TRAFFIC Bad IP protocol". Is that possible?
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
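A way to check which IP protocol numbers are actually on the wire, as an added example that is not part of the original post or of Snort: it reads a classic pcap with the Python standard library and tallies the IPv4 protocol field, so the number reported in the decoder alert can be compared with what the switch really sends. PIM is IANA protocol number 103. The script assumes an Ethernet link type, and the sample pcap embedded in it is constructed here, not a capture from the poster's network.

```python
"""Tally the IPv4 protocol numbers found in a pcap, to see which protocol
a decoder alert such as 116:450 is reacting to.

Added example using only the Python standard library; not part of the
original post or of Snort.  Handles classic (non-pcapng) pcap files with
Ethernet link type only.  SAMPLE_PCAP below is constructed in this file.
"""
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
# A few IANA-assigned protocol numbers, for readable output.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
               50: "ESP", 89: "OSPF", 103: "PIM"}


def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII",
                                                         data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ip_protocol_counts(data):
    """Return {protocol_number: packet_count} for IPv4 packets in the pcap."""
    counts = Counter()
    for frame in iter_pcap_frames(data):
        if len(frame) < 34:                      # Ethernet (14) + minimal IPv4 (20)
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip_header = frame[14:]
        if ip_header[0] >> 4 != 4:               # version nibble must be 4
            continue
        counts[ip_header[9]] += 1                # protocol field is byte 9
    return dict(counts)


def describe(counts):
    """Human-readable lines, highest packet count first."""
    return ["%5d  proto %3d (%s)" % (n, proto, PROTO_NAMES.get(proto, "other"))
            for proto, n in sorted(counts.items(), key=lambda kv: -kv[1])]


# --- constructed sample: two PIM packets to 224.0.0.13, one TCP, one UDP ---
def _frame(proto):
    eth = bytes.fromhex("01005e00000d") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20) + b"\x00\x00\x00\x00"
          + bytes([1, proto]) + b"\x00\x00"
          + bytes([10, 0, 0, 1]) + bytes([224, 0, 0, 13]))
    return eth + ip


def _pcap(protos):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, proto in enumerate(protos):
        frame = _frame(proto)
        out.append(struct.pack("<IIII", 1422300000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_PCAP = _pcap([103, 103, 6, 17])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(describe(ip_protocol_counts(data))))
```

Run it against a capture taken on the sensor interface (`python3 proto_tally.py capture.pcap`); with no argument it tallies the embedded sample. Matching the protocol numbers it lists against the one shown in the 116:450 event tells you whether the alert is really the switch's multicast routing traffic before you decide how to handle that decoder event on the sensor.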
zT | 26 Jan 21:15 2015

[Snort-user] dynamic variable for content match

Hello all, I am new to Snort. I want to get a keyword from the Ubuntu terminal and search for it in packets (content match). Doing this with a static value looks like this:

    alert tcp any any -> any any (msg:"your content found"; sid:100000; content:"something to find";)

Any help is highly appreciated.

Thanks and Regards,


Eugenio Perez | 26 Jan 18:23 2015

HTTP preprocessor

Hi Everyone.

I don't know whether the HTTP preprocessor is working properly. Using Snort 2.9.7.0 and the attached pcap, with the following command line to run Snort:

    snort -v -e --pid-path /var/run -r 80.pcap -c /etc/snort/snort.conf \
        -l /var/log/snort/ --perfmon-file /dev/null --treat-drop-as-alert \
        --daq dump --daq-var load-mode=read-file -Q

I'm not able to see the HTTP response in the stats:
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    Avg Request Header length:            n/a
    HTTP Request Cookies extracted:       0
    Avg Request Cookie length:            n/a
    Post parameters extracted:            0
    HTTP response Headers extracted:      0
    Avg Response Header length:           0.00
    HTTP Response Cookies extracted:      0
    Avg Response Cookie length:           n/a
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              1
===============================================================================

Following http://seclists.org/snort/2013/q2/905, if I enable inline-mode operation (adding --daq dump --daq-var load-mode=read-file -Q), I see that the HTTP preprocessor can extract more info:

===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    Avg Request Header length:            n/a
    HTTP Request Cookies extracted:       0
    Avg Request Cookie length:            n/a
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    Avg Response Header length:           0.00
    HTTP Response Cookies extracted:      0
    Avg Response Cookie length:           n/a
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              2
===============================================================================

However, my pcap is a complete one (it includes SYN, ACK, FIN, and all the packets needed to establish the TCP connection). Why is the HTTP preprocessor able to see more information in inline mode?

Thanks in advance, regards.
Attachment (80f.pcap): application/vnd.tcpdump.pcap, 2022 bytes
zT | 25 Jan 08:05 2015

[Snort-user] error with start snort

Hello,
I use this command to start Snort: sudo /etc/init.d/snortd start. The file exists, but when I run it, it cannot start Snort and says this:
sudo: unable to execute /etc/init.d/snortd: No such file or directory

Snort is driving me crazy. The attached image shows the above explanation.
Thanks for any help
zT | 25 Jan 21:54 2015

[Snort-user] rule file: get input form terminal

Hello all, I need to get input from the terminal and send it to a rule file, something like a function call in a programming language. Is this possible?
Thanks in advance

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
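Snort rule options are static text, so the usual way to "pass a variable" from the terminal into a content match (the question here and in the "dynamic variable for content match" thread above) is to generate the rule file from the keyword and then restart or reload Snort. The script below is an added example, not from either post or from the Snort project; it assumes Snort 2.x rule syntax and writes one rule to whatever path is given on the command line. The keyword is emitted in Snort's hex content notation (`|61 62 63|`) so that characters with special meaning inside a content string (`;`, `"`, `|`, `\`) need no escaping, and the msg text is sanitized separately.

```python
"""Generate a Snort content-match rule from a keyword typed on the terminal.

Added example; not from the original posts or from the Snort project.
The keyword is emitted as hex content so that rule delimiters inside it
cannot break the rule.  Assumed: Snort 2.x rule syntax.
"""
import sys


def content_hex(keyword):
    """Encode keyword bytes as a Snort hex content string: 'abc' -> '|61 62 63|'."""
    data = keyword.encode("utf-8")
    if not data:
        raise ValueError("keyword must not be empty")
    return "|" + " ".join("%02x" % b for b in data) + "|"


def safe_msg(keyword):
    """Keep msg printable and free of rule delimiters (only [A-Za-z0-9 _.-] survive)."""
    return "".join(c if c.isalnum() or c in " _.-" else "_" for c in keyword)


def make_rule(keyword, sid, rev=1, nocase=False):
    """Build one alert rule that matches keyword anywhere in a TCP payload."""
    if sid < 1000000:                     # SIDs from 1,000,000 up are for local rules
        raise ValueError("use a SID of 1000000 or higher for local rules")
    opts = 'msg:"keyword match: %s"; content:"%s"; ' % (safe_msg(keyword),
                                                         content_hex(keyword))
    if nocase:
        opts += "nocase; "
    opts += "sid:%d; rev:%d;" % (sid, rev)
    return "alert tcp any any -> any any (%s)" % opts


def write_rule_file(path, rules):
    """Write the rules, one per line, to path (overwrites)."""
    with open(path, "w") as fh:
        fh.write("\n".join(rules) + "\n")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: %s <keyword> <sid> <rules-file>" % sys.argv[0])
    rule = make_rule(sys.argv[1], int(sys.argv[2]))
    write_rule_file(sys.argv[3], [rule])
    print(rule)
```

Point the generated file at Snort with an `include` line in snort.conf (or write it to a path already included, such as local.rules), then restart Snort so the new rule is loaded; a keyword that must match regardless of case gets `nocase=True`.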

zT | 24 Jan 20:52 2015

$ sudo service snortd restart

Hello all,
When I run this command, this error appears:
$ sudo service snortd restart
/etc/init.d/snortd: 1: /etc/init.d/snortd: d$: not found
/etc/init.d/snortd: 1: /etc/init.d/snortd: d$: not found
Stopping snort: snort: no process found

Why did this not work?
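Both this thread and the "error with start snort" thread above show an init script that exists on disk but will not run. The messages quoted there (an ENOENT for a file that exists, and "line 1: ...: not found") are what sudo and the shell print when the first line of the script does not yield a usable interpreter: a shebang pointing at a path that does not exist, Windows CR LF line endings (the kernel then looks for an interpreter named "/bin/sh\r"), a UTF-8 byte-order mark, or stray editor characters on line 1. The checker below is an added example, not from either post or from the Snort project; it reports which of those conditions applies and assumes nothing about the script beyond its raw bytes.

```python
"""Report why an existing init script will not execute.

Added example; not from the original posts or the Snort project.  Looks at
the raw bytes of a script for the usual line-1 problems: CR LF endings, a
byte-order mark, a missing or relative shebang interpreter, and (for a
file on disk) a missing execute bit.
"""
import os
import sys


def diagnose_bytes(content, interpreter_exists=os.path.exists):
    """Return a list of findings for a script's bytes (empty list = looks fine)."""
    findings = []
    if content.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 byte-order mark before the shebang")
        content = content[3:]
    first_line = content.split(b"\n", 1)[0]
    if b"\r" in first_line:
        findings.append("CR LF line endings (convert with: sed -i 's/\\r$//' <file>)")
        first_line = first_line.rstrip(b"\r")
    if not first_line.startswith(b"#!"):
        findings.append("first line is not a shebang: %r" % first_line[:40])
        return findings
    words = first_line[2:].strip().split()
    if not words:
        findings.append("empty shebang")
        return findings
    interpreter = words[0].decode("utf-8", "replace")
    if not os.path.isabs(interpreter):
        findings.append("shebang interpreter is not an absolute path: %s" % interpreter)
    elif not interpreter_exists(interpreter):
        findings.append("shebang interpreter does not exist: %s" % interpreter)
    return findings


def diagnose_file(path):
    """Findings for a script on disk, including the execute bit."""
    with open(path, "rb") as fh:
        findings = diagnose_bytes(fh.read())
    if not os.access(path, os.X_OK):
        findings.append("file is not executable (chmod +x)")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/init.d/snortd"
    problems = diagnose_file(target)
    print("\n".join(problems) if problems else "%s: no problems found" % target)
```

`interpreter_exists` is a parameter only so the check can be exercised without touching the real filesystem; on a sensor simply run `python3 check_init.py /etc/init.d/snortd` and fix whatever it reports before retrying the service command.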
John Hall | 24 Jan 19:21 2015

Place to install Snort

One method is to place a hub (not switch) between the LAN cable of your router and the LAN connection to the switch. Or if you have a monitoring port configured on your switch, then you can use that.

Internet => Router => HUB (not switch) => regular switch (and connect Snort to the hub, where it will get all traffic passed behind the firewall)
or
Internet => Router => Switch with monitoring port configured (and connect Snort to the monitoring port)


Madz | 23 Jan 06:56 2015

Analyse pcap file

Hi all,
How can I analyse a pcap file, and how can I identify attacks in that pcap file using Snort? Can anyone tell me which rules I need to use to analyse it?

Thank you

Minh Trung | 23 Jan 05:43 2015

Place to install Snort

Hi experts,

My network is as below:

    1 line Internet (router)
              |
    Switch (Cisco 2960)
              |
    Firewalls (Fortinet)
              |
    Core switches
      |            |
    LAN      VMware system (ESX)

Is it possible to place Snort on VMware? Which spec do I need to configure for this machine? I want to capture everything from the router; how do I configure Snort to listen to everything on the router, and what would the router configuration look like?
Any suggestions, please let me know.

Regards,



Hafez Kamal | 22 Jan 22:59 2015

[HITB-Announce] #HITB2015AMS Call for Papers 1st Round is Closing in 10 Days

Hi guys - Happy New Year!

Just a reminder that the first selection round for submissions to HITB
Security Conference 2015 in Amsterdam is closing at the end of January!
That's T - 10 days and counting!!!

===

Date: 26th - 29th May 2015
Venue: De Beurs van Berlage
Event Website: http://conference.hitb.org/hitbsecconf2015ams/

---

HITBSecConf is a deep-knowledge, highly technical conference and we're
looking for material which is new, fresh and preferably something which
hasn't been presented previously. In short, show us your 0days!

Submission Deadlines:

    Round #1 selection: 1st February 2015
    Round #2 selection: 1st March 2015

Submissions will be evaluated in 2 rounds. If all slots are filled
in the first selection round, we will close CFP early so DON'T DELAY
SUBMITTING!

HITB CFP: http://cfp.hackinthebox.org/

===

Each accepted submission will entitle the speaker(s) to
accommodation for 3 nights / 4 days and travel expense reimbursement
up to EUR1200.00 _per speaking slot_

Topics of interest include, but are not limited to the following:

   Cloud Security
   File System Security
   3G/4G/WIMAX Security
   SS7/GSM/VoIP Security
   Security of Medical Devices
   Critical Infrastructure Security
   Smartphone / Mobile Security
   Smart Card and Physical Security
   Network Protocols, Analysis and Attacks
   Applications of Cryptographic Techniques
   Side Channel Analysis of Hardware Devices
   Analysis of Malicious Code / Viruses / Malware
   Data Recovery, Forensics and Incident Response
   Hardware based attacks and reverse engineering
   Windows / Linux / OS X / *NIX Security Vulnerabilities
   Next Generation Exploit and Exploit Mitigation Techniques
   NFC, WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

WHITE PAPER: If your presentation is short listed for inclusion into the
conference program, a technical white paper must also be provided for
review (3000 - 5000 words).

Your submissions will be reviewed by The HITB CFP Review Committee:

Charlie Miller (formerly Principal Research Consultant, Accuvant Labs)
Katie Moussouris, Chief Policy Officer, HackerOne
Marco Balduzzi, Lead Research Scientist, Trend Micro
Itzik Kotler, Chief Technology Officer, Security Art
Cesar Cerrudo, Chief Technology Officer, IOActive
Jeremiah Grossman, Founder, Whitehat Security
Andrew Cushman, Senior Director, Microsoft
Saumil Shah, Founder CEO Net-Square
Thanh 'RD' Nguyen, THC, VNSECURITY
Alexander Kornburst, Red Database
Fredric Raynal, QuarksLab
Shreeraj Shah, Founder, BlueInfy
Emmanuel Gadaix, Founder, TSTF
Andrea Barisani, Inverse Path
Philippe Langlois, TSTF
Ed Skoudis, InGuardians
Haroon Meer, Thinkst
Chris Evans, Google
Raoul Chiesa, TSTF/ISECOM
rsnake, SecTheory
Gal Diskin, Intel
Skyper, THC

Note: We do not accept product or vendor related pitches. If you would
like to showcase your company's products or technology at HITB Haxpo
(which also has its own set of speaking slots), please email
info <at> haxpo.nl or conferenceinfo <at> hackinthebox.org to request for a
sponsorship kit

Regards,
Hafez Kamal
Hack in The Box (M) Sdn. Bhd
36th Floor, Menara Maxis
Kuala Lumpur City Centre
50088 Kuala Lumpur, Malaysia
Tel: +603-26157299
Fax: +603-26150088


Jefferson, Shawn | 22 Jan 20:48 2015

Hosts Attribute exception/override?

I recently made some changes on the network, and was trying to get alerting setup for a proxy server.  I had some trouble and finally tracked it down to the hosts attribute entry for my proxy.  I’m using PRADS and shipping that file to all my sensors.  Basically what had happened was that PRADS thinks that the proxy port 3128 is TLS/SSL, which it can be, but it’s also HTTP.  Snort was completely ignoring the HTTP traffic for that port, even though I had 3128 in all the right places in the snort.conf, and treating the proxy as EXTERNAL_NET.

 

Is there a method to override the hosts attribute table, or should I strip this system out before sending it to this particular sensor that is watching the proxy traffic?

 

Thanks

Shawn

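Two ways to deal with a host the fingerprinter classified wrongly before the table reaches a sensor, as an added example that is not from the original post, from PRADS or from the Snort project: drop that HOST entry entirely (the sensor then falls back to the port configuration in snort.conf for it), or rewrite the service PROTOCOL for the one port so the sensor treats it as http. The element names follow the host attribute table format described in the Snort manual (SNORT_ATTRIBUTES, ATTRIBUTE_MAP, ATTRIBUTE_TABLE, HOST, SERVICES, SERVICE, PORT, IPPROTO, PROTOCOL); the sample table embedded below is constructed here, not the poster's PRADS output, and the addresses in it are documentation addresses.

```python
"""Edit a Snort host attribute table before shipping it to a sensor.

Added example; not from the original post, PRADS or the Snort project.
Element names follow the attribute table format in the Snort manual.
SAMPLE_TABLE is constructed: one proxy host whose port 3128 service was
fingerprinted as ssl (via the ATTRIBUTE_MAP), plus a second host.
"""
import xml.etree.ElementTree as ET

SAMPLE_TABLE = """<SNORT_ATTRIBUTES>
 <ATTRIBUTE_MAP>
  <ENTRY><ID>1</ID><VALUE>ssl</VALUE></ENTRY>
 </ATTRIBUTE_MAP>
 <ATTRIBUTE_TABLE>
  <HOST>
   <IP>192.0.2.10</IP>
   <SERVICES>
    <SERVICE>
     <PORT><ATTRIBUTE_VALUE>3128</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>
     <IPPROTO><ATTRIBUTE_VALUE>tcp</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>
     <PROTOCOL><ATTRIBUTE_ID>1</ATTRIBUTE_ID><CONFIDENCE>90</CONFIDENCE></PROTOCOL>
    </SERVICE>
   </SERVICES>
  </HOST>
  <HOST>
   <IP>192.0.2.20</IP>
   <SERVICES/>
  </HOST>
 </ATTRIBUTE_TABLE>
</SNORT_ATTRIBUTES>
"""


def _hosts(root):
    return root.find("ATTRIBUTE_TABLE").findall("HOST")


def _service_for(host, port):
    """The SERVICE element of host whose PORT value equals port, or None."""
    for svc in host.iter("SERVICE"):
        if svc.findtext("PORT/ATTRIBUTE_VALUE") == str(port):
            return svc
    return None


def drop_host(xml_text, ip):
    """Return the table with every HOST whose IP equals ip removed."""
    root = ET.fromstring(xml_text)
    table = root.find("ATTRIBUTE_TABLE")
    for host in _hosts(root):
        if host.findtext("IP") == ip:
            table.remove(host)
    return ET.tostring(root, encoding="unicode")


def set_service_protocol(xml_text, ip, port, protocol, confidence=100):
    """Return the table with PROTOCOL of (ip, port) replaced by a literal value."""
    root = ET.fromstring(xml_text)
    for host in _hosts(root):
        if host.findtext("IP") != ip:
            continue
        svc = _service_for(host, port)
        if svc is None:
            continue
        old = svc.find("PROTOCOL")
        index = list(svc).index(old) if old is not None else len(svc)
        if old is not None:
            svc.remove(old)                    # keep element order: PORT, IPPROTO, PROTOCOL
        proto = ET.Element("PROTOCOL")
        ET.SubElement(proto, "ATTRIBUTE_VALUE").text = protocol
        ET.SubElement(proto, "CONFIDENCE").text = str(confidence)
        svc.insert(index, proto)
    return ET.tostring(root, encoding="unicode")


def service_protocol(xml_text, ip, port):
    """Resolve PROTOCOL of (ip, port), following an ATTRIBUTE_ID through the map."""
    root = ET.fromstring(xml_text)
    id_map = {e.findtext("ID"): e.findtext("VALUE") for e in root.iter("ENTRY")}
    for host in _hosts(root):
        if host.findtext("IP") != ip:
            continue
        svc = _service_for(host, port)
        proto = svc.find("PROTOCOL") if svc is not None else None
        if proto is None:
            return None
        value = proto.findtext("ATTRIBUTE_VALUE")
        return value if value is not None else id_map.get(proto.findtext("ATTRIBUTE_ID"))
    return None


def host_ips(xml_text):
    return [h.findtext("IP") for h in _hosts(ET.fromstring(xml_text))]


if __name__ == "__main__":
    fixed = set_service_protocol(SAMPLE_TABLE, "192.0.2.10", 3128, "http")
    print(service_protocol(SAMPLE_TABLE, "192.0.2.10", 3128), "->",
          service_protocol(fixed, "192.0.2.10", 3128))
    print(host_ips(drop_host(SAMPLE_TABLE, "192.0.2.10")))
```

Either transform can run as a step in whatever job already copies the PRADS output to the sensors, so the sensor watching the proxy receives a table with the corrected service while the other sensors keep the unmodified one; `service_protocol` doubles as a check that the shipped file says what you expect before Snort loads it.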
