Research | 2 Mar 21:15 2015

Semantics of ipvar HOME_NET

Hello,

I am currently using snort as an IDS on a web server.

In /etc/snort/snort.conf when I have the variable “HOME_NET”, I understand that in an inline
context, that would be my network block for my internal network (i.e.: 192.168.1.0/24).   In my context,
though, is it correct to set HOME_NET to the IP address of my web server as the IP address is the one I am trying
to monitor ?

Thanks
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Snort Releases | 2 Mar 17:35 2015

Snort++ Build 140 Available Now

Snort++ build 140 is now available.  This is the second monthly update 
of the downloads.  You can also get the latest updates from github 
(snortadmin/snort3) which is updated weekly.

Continued code sync with Snort 2.9.7:

* sync 297 http xff, swf, and pdf updates
* sync ftp with 297; replace stream event callbacks with FlowData virtuals
* sync stream with 297
* 297 sync of active and codecs
* sync normalizations with 297

Other updates:

* normalization refactoring, renaming
* fix icmp4 encoding
* fix encoder check for ip6 extensions
* update documentation on new HTTP inspector, binder, and wizard
* documented gotcha regarding rule variable definitions in Lua
* uncrustify, see crusty.cfg

Please submit bugs, questions, and feedback to bugs <at> snort.org.

Happy Snorting!
The Snort Release Team


Research | 1 Mar 18:25 2015

http_inspect_server syntax error ?

Hi,

I am currently trying to configure the http_inspect_server preprocessor options.

As a minimalist approach, I have:

	preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }

I am aiming to have the options:

	server 1.2.3.4		My web server IP address
	profile apache		My web server is Apache
	ports { 80 } 		…running HTTP on port 80

However, when I attempt to launch Snort, I receive the following error:

	Verifying Preprocessor Configurations!
	HttpInspectConfigCheck() default server configuration not specified
	Fatal Error, Quitting..

…which seems to imply it wants a profile of default.

What am I doing wrong ?

Thanks

Research | 1 Mar 00:43 2015

Use of iis_unicode_map in HTTP Inspect on Linux IDS host

Hi,

I had a question involving an option to the global setting of the HTTP inspect pre-processor in snort 2.9.7.0.

The default setting for the global settings for this pre-processor in snort.conf are:

	preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

I see that iis_unicode_map unicode.map 1252 refers to the unicode.map file in /etc/snort and is using
codepage 1252, but I was wondering if this is necessary if the host that Snort is running on is using Linux
and Apache ?  Do I have to adjust that accordingly ?  I am doubly unsure because I note in the PDF of the manual on
page 60 the following:

	"The iis unicode map is a required configuration parameter.”

…which makes me think it applies to *ANY* HTTP server.  As a consequence, I have left it as a default setting
but am wondering if it could and should be modified.

Thanks
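The two HTTP Inspect questions above (the "default server configuration not specified" fatal error, and whether iis_unicode_map is needed when the web server is Apache on Linux) both come down to what Snort checks at start-up. The following is an added example, not Snort's own code or anything from the poster: a small linter that re-creates those two checks over constructed snort.conf fragments. The address 1.2.3.4 and the apache stanza are taken from the post; the "fixed" configuration, its port list and the helper names are assumptions.

```python
"""Lint the http_inspect stanzas of a Snort 2.9.x snort.conf.

Added example, not Snort's own code. It re-creates two start-up checks
Snort applies to HTTP Inspect: the `http_inspect: global` stanza must
carry `iis_unicode_map <file> <codepage>` (the manual calls it a required
parameter, independent of which web server sits behind the sensor), and
the server section must contain a `server default` stanza; per-host
`server <ip>` stanzas are additions to it, not substitutes for it.
The configuration texts below are constructed.
"""
import re
from typing import List, Tuple

PREPROC_LINE = re.compile(r"^\s*preprocessor\s+(http_inspect_server|http_inspect)\s*:\s*(.*)$")
SERVER_TARGET = re.compile(r"^server\s+(default|\{[^}]*\}|\S+)\s*(.*)$")


def join_continuations(text: str) -> List[str]:
    """snort.conf continues a line when it ends in a backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def parse_http_inspect(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (global option strings, [(server target, server options), ...])."""
    global_opts, servers = [], []
    for line in join_continuations(text):
        m = PREPROC_LINE.match(line)
        if not m:
            continue
        kind, opts = m.group(1), m.group(2).strip()
        if kind == "http_inspect":
            global_opts.append(opts)
        else:
            s = SERVER_TARGET.match(opts)
            if s:
                servers.append((s.group(1), s.group(2).strip()))
    return global_opts, servers


def lint_http_inspect(text: str) -> List[str]:
    """Problems Snort would refuse to start with (empty list means clean)."""
    problems = []
    global_opts, servers = parse_http_inspect(text)
    for opts in global_opts:
        if not re.search(r"\biis_unicode_map\s+\S+\s+\d+\b", opts):
            problems.append("global: iis_unicode_map <file> <codepage> is required")
    if servers and not any(target == "default" for target, _ in servers):
        problems.append("default server configuration not specified")
    return problems


# The post's minimal configuration: a per-host stanza but no default one.
BROKEN_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \\
    compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }
"""

# Same intent, accepted by Snort: keep the apache stanza for the host and add
# the default stanza that applies to every server not listed individually.
FIXED_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \\
    compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor http_inspect_server: server 1.2.3.4 profile apache ports { 80 }
"""

if __name__ == "__main__":
    print(lint_http_inspect(BROKEN_CONF))  # ['default server configuration not specified']
    print(lint_http_inspect(FIXED_CONF))   # []
```

The linter is deliberately narrow: it only knows the two checks the posts ran into, so a clean result from it does not mean Snort will accept the rest of the stanza. The global line is left as shipped in both fragments because the codepage argument describes how IIS-style %u and codepage encodings are decoded, not what OS the sensor or the web server runs, and the parameter has to be present either way.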

Research | 28 Feb 22:18 2015

Frag3 target default setting

Hi,

I have noticed that in the default snort.conf file that ships with Snort 2.9.7.0, the frag3
preprocessor’s setting for “policy” is “windows”:

	preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

Based on the latest Snort manual, I note the following about target based assembly:

	"The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can
	avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates.”

In my case, I am using Snort in passive mode on a web server based on Linux.  The target that I am protecting is
not a network, but a single Linux host.

In this case, should I not change the policy to linux, as in:

	preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

…or am I a) incorrect or b) the differences are minimal ?

Thanks

Research | 27 Feb 21:58 2015

Generator ID map file location changed ?

Hello,

On page 12 of the PDF format of the “Snort 2.9.7 Manual” [1], it notes that the mapping for GIDs
(Generator IDs) can be found in:

	"For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event
came from the “decode” (116) component of Snort.”

From the source tarball, I can see the etc subdirectory:

	~/snort_src/snort-2.9.7.0/etc

In there I can see “gen-msg.map”:

	-rw-r--r--  1 user user  31K Sep 16 14:24 gen-msg.map

Inside this file I can see a mapping to “decode” for GID 116 (as referenced in the first quote from the
manual), so is this the file that the GID mappings are in now, *NOT* generators, or am I still looking in the
wrong place ?  If so, am I correct interpreting that a GID of 1 means the generator was “snort general
rule” which matches up to a custom rule I wrote ?

Thanks

[1] See: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/051/original/snort_manual.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1425073972&Signature=9uEeOQH3nRJTwXr6c7XxK%2F%2FWqAU%3D
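The post above is about how an event's generator ID is resolved. The following is an added example, not Snort's own code or anything from the poster: it parses the `gid || sid || message` format used by gen-msg.map and resolves the `[gid:sid:rev]` tag that Snort prints in its alert output. The map excerpt and the alert record are constructed in those formats rather than copied from shipped files, and the helper names are assumptions.

```python
"""Resolve Snort event tags ([gid:sid:rev]) with gen-msg.map.

Added example, not Snort's own code. gen-msg.map (etc/ in the source
tarball, /etc/snort on most installs) has one `gid || sid || message` line
per built-in event from decoders and preprocessors; GID 1 is the
text-rule generator, whose per-sid messages are carried by the rules
themselves and by sid-msg.map rather than by gen-msg.map. The map excerpt
and the fast-alert line below are constructed in the real formats, not
copied from shipped files.
"""
import re
from typing import Dict, Optional, Tuple

SAMPLE_GEN_MSG_MAP = """\
# constructed excerpt in gen-msg.map format: gid || sid || message
1 || 1 || snort general alert
3 || 1 || snort dynamic rule
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
119 || 1 || http_inspect: ASCII ENCODING
"""

# Constructed alert_fast record: the bracketed tag is gid:sid:rev.
SAMPLE_ALERT = ("02/27-21:58:00.000001  [**] [116:1:1] snort_decoder: WARNING: Not IPv4 datagram "
                "[**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.0.2.10:80")

EVENT_TAG = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Map (gid, sid) -> message; blank and '#' lines are skipped."""
    table: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3:
            continue
        table[(int(fields[0]), int(fields[1]))] = " || ".join(fields[2:])
    return table


def generator_name(gid: int, table: Dict[Tuple[int, int], str]) -> Optional[str]:
    """Component label for a GID: the text before the first ':' in its messages."""
    for (g, _sid), msg in table.items():
        if g == gid:
            return msg.split(":", 1)[0].strip()
    return None


def parse_event_tag(text: str) -> Optional[Tuple[int, int, int]]:
    m = EVENT_TAG.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def describe_event(text: str, table: Dict[Tuple[int, int], str]) -> str:
    """Human-readable origin of the [gid:sid:rev] tag found in `text`."""
    tag = parse_event_tag(text)
    if tag is None:
        return "no [gid:sid:rev] tag found"
    gid, sid, rev = tag
    if gid == 1:
        return f"text rule sid {sid} rev {rev} (message comes from the rule / sid-msg.map)"
    name = generator_name(gid, table) or "unknown generator"
    msg = table.get((gid, sid), "not in gen-msg.map")
    return f"gid {gid} ({name}) sid {sid} rev {rev}: {msg}"


if __name__ == "__main__":
    table = parse_gen_msg_map(SAMPLE_GEN_MSG_MAP)
    print(describe_event(SAMPLE_ALERT, table))
    print(describe_event("[1:1000001:1]", table))
```

The split between the two map files is the point to keep in mind when writing alert post-processing: a GID of 1 with a high SID (the 1000000+ range is reserved for local rules) is one of your own text rules and is looked up through the rule file or sid-msg.map, while decoder and preprocessor events (116, 119 and the rest) are looked up in gen-msg.map.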

Research | 26 Feb 18:11 2015

Startup error post-package install

Hello,

I have just begun using Snort and am following along with a book (“Linux Firewalls", 4th Edition (c)
2015).  I am currently just focussing on getting Snort up and running and plan to read the full Snort
documentation set next.

Installing on Ubuntu 12.0.4.5 LTS via the following:

	sudo apt-get install snort

…installs Snort.  Version is:

	snort -V

…returning "Version 2.9.2 IPv6 GRE (Build 78)”.

I verified in: /etc/snort/snort.conf that the ruleset that ships with the Ubuntu package is correctly referenced:

	var RULE_PATH /etc/snort/rules

I then attempted to start Snort in non-daemon mode with:

	sudo snort start -c /etc/snort/snort.conf

…however I receive the following and then termination:

	(lines omitted)
	+++++++++++++++++++++++++++++++++++++++++++++++++++
	Initializing rule chains...
	WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.

Rishabh Shah | 26 Feb 08:07 2015

Snort react should return HTTP 302 instead of HTTP 403

Hi Snort Team,

Is it possible that Snort can return a HTTP 302 page instead of HTTP 403 forbidden when react is configured in the configuration file?

I have defined "config react: /var/www/html/block.html" in my configuration file and my traffic hits the following rule:
reject tcp any any -> any any (msg:"Illegal access"; appid: facebook; sid: 1020120; rev: 1; react: msg;)

On my windows client, I receive an HTTP 403 forbidden after sending a facebook request as shown in the packet capture below:

GET / HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: datr=sha8U6TWZDuLx0REq-EwnR1l


HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 99

<!DOCTYPE html> <html> <body> <h1>My Heading</h1> <p>My paragraph.</p> </body> </html>

<^Content of block.html>

But I want Snort to return HTTP 302 instead of HTTP 403, as the above message doesn't get displayed in the browser when the response is HTTP 403.

I tried modifying "snort-2.9.7.0/src/detection-plugins/sp_react.c" (replacing HTTP/1.1 403 Forbidden\r\n with HTTP/1.1 302 Moved Temporarily\r\n) and did a make/make install to update sp_react.o (the object file). But I am still receiving HTTP 403.

Kindly let me know if I am missing anything. Thank You!

Regards,
Rishabh Shah.
Weir, Jason | 24 Feb 22:01 2015

Sourcefire Intrusion Agent

Anyone using the Intrusion Agent on a self built snort sensor to integrate with Defense Center, or have docs regarding its setup?

Jason

James Dickenson | 24 Feb 03:44 2015

False positives on mysql traffic

Has anyone else noticed these signatures creating false positives on MySQL traffic (usually port 3306)?

Anyone have any thoughts on how to tune it out?



alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 03|"; depth:5; dsize:<160; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32609; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 02|"; depth:5; dsize:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32610; rev:1;)


-James
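The two rules quoted above anchor on five bytes at the very start of the client payload, with no port in the header and nothing else to constrain them, which is why they collide with the MySQL client protocol. The following is an added example, not Snort's or the rule set's code and not from the poster: it frames MySQL client commands the way the wire protocol does and evaluates the rules' content/depth/dsize options against them. The SQL text, sizes and helper names are constructed.

```python
"""Why sids 32609/32610 match MySQL client traffic.

Added example, not Snort's or the rule set's code. A MySQL client command
packet is a 3-byte little-endian payload length, a 1-byte sequence number,
then the payload, whose first byte is the command (0x03 = COM_QUERY).
Both rules anchor on the first five payload bytes of a to_server stream,
so a COM_QUERY whose payload is 65 bytes (one command byte plus 64 bytes of
SQL) starts 41 00 00 00 03, exactly the content of sid 32609. The SQL text
and sizes below are constructed.
"""
import struct
from typing import Dict

COM_INIT_DB = 0x02
COM_QUERY = 0x03


def mysql_command_packet(command: int, argument: bytes = b"", seq: int = 0) -> bytes:
    """Frame one client command as the MySQL wire protocol does."""
    payload = bytes([command]) + argument
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


# The two rules reduced to the options that decide a match: content with a
# depth (the pattern must lie within the first `depth` bytes) and dsize.
RULES: Dict[int, dict] = {
    32609: {"content": bytes.fromhex("41 00 00 00 03"), "depth": 5, "dsize": lambda n: n < 160},
    32610: {"content": bytes.fromhex("01 00 00 00 02"), "depth": 5, "dsize": lambda n: n == 5},
}


def rule_matches(sid: int, payload: bytes) -> bool:
    """Apply the rule's dsize test and depth-limited content search."""
    r = RULES[sid]
    return r["dsize"](len(payload)) and payload.find(r["content"], 0, r["depth"]) != -1


def first_bytes_hex(payload: bytes, n: int = 5) -> str:
    return payload[:n].hex(" ")


if __name__ == "__main__":
    sql = b"SELECT id, name FROM users WHERE id = 1".ljust(64)   # padded to 64 bytes of SQL
    pkt = mysql_command_packet(COM_QUERY, sql)
    print(first_bytes_hex(pkt), rule_matches(32609, pkt))   # 41 00 00 00 03 True
    # One byte less of SQL and the length field becomes 0x40: no match.
    print(rule_matches(32609, mysql_command_packet(COM_QUERY, sql[:-1])))  # False
    # A five-byte client packet whose only payload byte is 0x02 has the
    # exact shape of the "keepalive" rule's content.
    print(rule_matches(32610, mysql_command_packet(COM_INIT_DB)))  # True
```

Because the header is `$HOME_NET any -> $EXTERNAL_NET any`, any internal client talking to a MySQL server outside HOME_NET can trip sid 32609 as soon as it sends a query of exactly 64 characters. Two tuning options that do not touch the shipped rule text: a suppression in threshold.conf scoped to the database server, `suppress gen_id 1, sig_id 32609, track by_dst, ip <db-server-address>`, or a copy of the rule in local.rules with the destination port changed from `any` to `!3306` and the original disabled.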
Lena Okanovic | 24 Feb 01:24 2015

real-time alerting and rule to monitor only specific traffic

Hello,


How can I only monitor TCP traffic that is not on port 80 or 443 or on our DMZ IP address? And also, can someone please provide me with instructions on how to set up real-time (email) alerting in Snort on a Windows server box.

So, if 'bad' TCP traffic comes through, I would like to get an email right away letting me know.




Thank you,


Lena Okanovic

lokanovic <at> flightapps.com

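The first post on this page asks whether HOME_NET can be a single server address; this last one asks for TCP traffic that is not on 80/443 and not to the DMZ address. Both come down to how Snort resolves ipvar/portvar lists in a rule header. The following is an added example, not Snort's own code or anything from either poster: it models the list semantics (nesting, `!` negation, `any`, `$VAR` references) and evaluates constructed rule headers against packet 5-tuples. The addresses, variable names and the reading of Lena's request as `[$HOME_NET,!$DMZ_IP] ![80,443]` are assumptions; the e-mail alerting part of her question is not covered here.

```python
"""Snort 2.x ipvar/portvar list semantics and rule-header matching.

Added example, not Snort's own code. It models how Snort resolves
ipvar/portvar lists (nesting, `!` negation, `any`, `$VAR` references)
so a rule header can be checked against a packet 5-tuple and the effect
of a given HOME_NET definition seen directly. Addresses, variable names
and headers below are constructed for illustration.
"""
import ipaddress
from typing import Callable, Dict, List

# HOME_NET as a single web server, as the first post on this page considers.
SINGLE_HOST_VARS: Dict[str, str] = {
    "HOME_NET": "192.0.2.10",
    "EXTERNAL_NET": "!$HOME_NET",
}
# HOME_NET as a subnet with a DMZ address inside it (one reading of Lena's post).
NETWORK_VARS: Dict[str, str] = {
    "HOME_NET": "192.0.2.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "DMZ_IP": "192.0.2.50",
}


def _split_top(body: str) -> List[str]:
    """Split a list body on commas that are not inside a nested [...]."""
    parts, cur, depth = [], [], 0
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def _in_list(value, spec: str, variables: Dict[str, str], leaf: Callable) -> bool:
    """Evaluate one spec (single entry, list, negation or $VAR) against value."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not _in_list(value, spec[1:], variables, leaf)
    if spec.startswith("$"):
        return _in_list(value, variables[spec[1:]], variables, leaf)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        items = _split_top(spec[1:-1])
        positive = [i for i in items if not i.startswith("!")]
        negated = [i for i in items if i.startswith("!")]
        # Some non-negated entry must match (a list of only negations means
        # "everything except"), and no negated entry may exclude the value.
        hit = any(_in_list(value, i, variables, leaf) for i in positive) if positive else True
        return hit and all(_in_list(value, i, variables, leaf) for i in negated)
    return leaf(value, spec)


def _ip_leaf(ip, spec: str) -> bool:
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_leaf(port: int, spec: str) -> bool:
    if ":" in spec:  # ranges: 1024:, :1023, 8000:8080
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def ip_in_list(ip: str, spec: str, variables: Dict[str, str]) -> bool:
    return _in_list(ipaddress.ip_address(ip), spec, variables, _ip_leaf)


def port_in_list(port: int, spec: str, variables: Dict[str, str]) -> bool:
    return _in_list(port, spec, variables, _port_leaf)


def header_matches(header: str, src: str, sport: int, dst: str, dport: int,
                   variables: Dict[str, str], proto: str = "tcp") -> bool:
    """header: 'proto src_ip src_port dir dst_ip dst_port', no spaces inside lists."""
    h_proto, h_sip, h_sport, direction, h_dip, h_dport = header.split()
    if h_proto not in ("ip", proto):
        return False

    def one_way(a, ap, b, bp):
        return (ip_in_list(a, h_sip, variables) and port_in_list(ap, h_sport, variables)
                and ip_in_list(b, h_dip, variables) and port_in_list(bp, h_dport, variables))

    if one_way(src, sport, dst, dport):
        return True
    return direction == "<>" and one_way(dst, dport, src, sport)


WEB_HEADER = "tcp $EXTERNAL_NET any -> $HOME_NET 80"
# One reading of "TCP to us that is not 80/443 and not the DMZ address" (an assumption).
ODD_PORT_HEADER = "tcp $EXTERNAL_NET any -> [$HOME_NET,!$DMZ_IP] ![80,443]"

if __name__ == "__main__":
    print(header_matches(WEB_HEADER, "198.51.100.7", 51000, "192.0.2.10", 80, SINGLE_HOST_VARS))  # True
    # With a single-host HOME_NET, a neighbour on the same subnet counts as EXTERNAL_NET.
    print(header_matches(WEB_HEADER, "192.0.2.11", 51000, "192.0.2.10", 80, SINGLE_HOST_VARS))    # True
    print(header_matches(ODD_PORT_HEADER, "198.51.100.7", 51000, "192.0.2.50", 22, NETWORK_VARS))  # False
```

The second demonstration is the practical consequence of setting HOME_NET to one address: because `$EXTERNAL_NET` is conventionally defined as `!$HOME_NET`, everything that is not the server itself, including other hosts on its own subnet, is "external" to every rule, which is usually what a single-host sensor wants but is worth deciding deliberately. The model ignores Snort's restriction that a negated entry may not be broader than the non-negated entries in the same list, and it requires lists to be written without spaces.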