Beto C | 18 Feb 20:32 2015

Alert with no data

Hello everyone,

I have noticed that my implementation of Snort has generated alerts with no data, and they always show source and destination IP 0.0.0.0.
I have no idea what may be happening. This only happens, for the moment, with alert POLICY-ICMP Truncated ICMPv6 denial of service attempt (27611). The server logs do not show anything that might help. Hope you can help.

Best regards

Alberto
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Lawrence Decker | 18 Feb 14:33 2015

Pulledpork: please verify that you have recently updated your root certificates!

I'm running fedora core 20, I've updated my ca-certs, tried installing the cert from amazonaws, but I still get

"500 Can't connect to s3.amazonaws.com:443 (certificate verify failed) (1s)"

If I take the link, I can plug it into my browser and it saves the snapshot, but running pulledpork, it keeps erroring out...  I've changed my distro from FC-20 -> FC-19 -> FC-14, no difference

Any suggestions???

Lawrence



frwg01:~># yum install ca-certificates
Loaded plugins: langpacks, refresh-packagekit
Package ca-certificates-2014.2.2-1.0.fc20.noarch already installed and latest version
Nothing to do



frwg01:~># /usr/scripts/pulledpork/pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.1 - Swine Flu with a side of Ebola!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2014 JJ Cummings
  @_/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /etc/snort/pulledpork.conf
    rule_path = /etc/snort/rules
    sorule_path = /usr/local/lib/snort_dynamicrules/
    version = 0.7.1
    rule_url = ARRAY(0x2675e50)
    ignore = deleted.rules,experimental.rules,local.rules
    config_path = /etc/snort/snort.conf
    sid_msg_version = 1
    dropsid = /etc/snort/dropsid.conf
    sid_msg = /etc/snort/sid-msg.map
    snort_path = /usr/sbin/snort
    temp_path = /tmp
    distro = FC-14
    snort_control = /usr/sbin/snort_control
    disablesid = /etc/snort/disablesid.conf
    sid_changelog = /var/log/sid_changes.log
    local_rules = /etc/snort/rules/rules/local.rules
    modifysid = /etc/snort/modifysid.conf
    enablesid = /etc/snort/enablesid.conf
    black_list = /etc/snort/rules/black_list.rules
MISC (CLI and Autovar) Variable Debug:
    arch Def is: x86-64
    Config Path is: /etc/snort/pulledpork.conf
    Distro Def is: FC-14
    Disabled policy specified
    local.rules path is: /etc/snort/rules/rules/local.rules
    Rules file is: /etc/snort/rules
    Path to disablesid file: /etc/snort/disablesid.conf
    Path to dropsid file: /etc/snort/dropsid.conf
    Path to enablesid file: /etc/snort/enablesid.conf
    Path to modifysid file: /etc/snort/modifysid.conf
    sid changes will be logged to: /var/log/sid_changes.log
    sid-msg.map Output Path is: /etc/snort/sid-msg.map
    Snort Version is: 2.9.7.0
    Snort Config File: /etc/snort/snort.conf
    Snort Path is: /usr/sbin/snort
    Logging Flag is Set
    Text Rules only Flag is Set
    Extra Verbose Flag is Set
    Verbose Flag is Set
    Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
    Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/<oinkcode> ==> 200 OK (1s)
    most recent rules file digest: b1583e298e07ace6460dd985d94729f0
Rules tarball download of snortrules-snapshot-2970.tar.gz....
    Fetching rules file: snortrules-snapshot-2970.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz/<oinkcode> ==> 302 Found
** GET https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/001/327/original/snortrules-snapshot-2970.tar.gz?AWSAccessKeyId=<TRIMMED>&Expires=1424221083&Signature=<TRIMMED> ==> 500 Can't connect to s3.amazonaws.com:443 (certificate verify failed)
    A 500 error occurred, please verify that you have recently updated your root certificates!

Message from syslogd <at> frwg01 at Feb 17 18:56:36 ...
 pulledpork[2232]:FATAL: 500 error occured
Ikenna Chiadikaobi | 18 Feb 03:44 2015

Re: Snort-users Digest, Vol 105, Issue 49

Hi everyone, how can I get the false negative and false positive rates after I evaluate Snort with the DARPA dataset?

Thanks
 



On Wednesday, February 18, 2015 5:02 AM, "snort-users-request <at> lists.sourceforge.net" <snort-users-request <at> lists.sourceforge.net> wrote:


Send Snort-users mailing list submissions to
    snort-users <at> lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request <at> lists.sourceforge.net

You can reach the person managing the list at
    snort-users-owner <at> lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

  1. Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? (James Lay)
  2. Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? (Starner, Mark)


----------------------------------------------------------------------

Message: 1
Date: Tue, 17 Feb 2015 13:51:58 -0700
From: James Lay <jlay <at> slave-tothe-box.net>
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
To: <snort-users <at> lists.sourceforge.net>
Message-ID: <51b1cadb56b0ced49e0c4debe71ac9e5 <at> localhost>
Content-Type: text/plain; charset="utf-8"



On 2015-02-17 01:32 PM, Al Lewis (allewi) wrote:

> Can you send us the conf file you are using? Or how you are defining the variables?
>
> Thanks!
>
> Albert Lewis
> QA Software Engineer
> SOURCEFIRE, Inc. now part of CISCO
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi <at> cisco.com
>
> FROM: Starner, Mark [mailto:mark.starner <at> unisys.com]
> SENT: Tuesday, February 17, 2015 12:54 PM
> TO: snort-users <at> lists.sourceforge.net
> SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
>
> Ok.. I get that. So I come back to my original question.
>
> How do I get $ethX_ADDRESS variables assigned if --enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?
>
> Here is the section of code from parser.c
>
> #ifndef SOURCEFIRE
>     /* If snort is not run with root privileges, no interfaces will be defined,
>      * so user beware if an iface_ADDRESS variable is used in snort.conf and
>      * snort is not run as root (even if just in read mode) */
>     DefineAllIfaceVars(sc);
> #endif
>
> Is there another way to enable that?
>
> Curious what the thinking is here?
>
> Thanks
>
> Mark
>
> FROM: Joel Esler (jesler) [mailto:jesler <at> cisco.com [9]]
> SENT: Tuesday, February 17, 2015 12:21 PM
> TO: Starner, Mark
> CC: snort-users <at> lists.sourceforge.net [10]
> SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
>
> Unfortunately that disables everything that we test against with the ruleset. I suggest you not do that.
>
>> On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner <at> unisys.com [1]> wrote:
>>
>> I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.
>>
>> Maybe this will help anyone else who comes across this.
>>
>> Mark
>>
>> FROM: Starner, Mark [mailto:mark.starner <at> unisys.com [2]]
>> SENT: Tuesday, February 17, 2015 11:33 AM
>> TO: snort-users <at> lists.sourceforge.net [3]
>> SUBJECT: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
>>
>> I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:
>>
>> ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.
>>
>> I think I encountered this with a previous upgrade, but I don't recall how I resolved it.
>>
>> So
>>
>> 1) Is this still valid with 2.9.7.0?
>>
>> 2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined).
>>
>> Thanks
>>
>> Mark

Define it at the start of local.rules:

ipvar eth1_ADDRESS <ip.address>

James

Links:
------
[1] mailto:mark.starner <at> unisys.com
[2] mailto:mark.starner <at> unisys.com
[3] mailto:snort-users <at> lists.sourceforge.net
[4] http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
[5] mailto:Snort-users <at> lists.sourceforge.net
[6] https://lists.sourceforge.net/lists/listinfo/snort-users
[7] http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
[8] http://blog.snort.org
[9] mailto:jesler <at> cisco.com
[10] mailto:snort-users <at> lists.sourceforge.net

------------------------------

Message: 2
Date: Tue, 17 Feb 2015 20:38:38 +0000
From: "Starner, Mark" <mark.starner <at> unisys.com>
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?
To: "Al Lewis (allewi)" <allewi <at> cisco.com>,
    "snort-users <at> lists.sourceforge.net"
    <snort-users <at> lists.sourceforge.net>
Message-ID: <b232f59324364cddb16c26ebbf2dfc65 <at> US-EXCH13-2.na.uis.unisys.com>
Content-Type: text/plain; charset="utf-8"

I am not defining the variable; in the past (and without --enable-sourcefire) Snort always defined the variable for me. And it still does if I don't use the "--enable-sourcefire" config directive.



I'd prefer not to send my conf file in the clear to the mailing list.



I am just using that Snort defined variable in one of my rules to generate an alert for specific packets directed to the Management Interface of my Snort Sensor.



My questions at this point are:

1)      Is it safe to run Snort as root in order to get Snort to define the interface variables? (since that seems to be the only way to get those variables assigned if you --enable-sourcefire)?



2)      Why does "--enable-sourcefire" disable the creation/assignment of the interface variables? Is there a risk using those variables in rules?





From: Al Lewis (allewi) [mailto:allewi <at> cisco.com]
Sent: Tuesday, February 17, 2015 3:33 PM
To: Starner, Mark; snort-users <at> lists.sourceforge.net
Subject: RE: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?



Can you send us the conf file you are using? Or how you are defining the variables?



Thanks!





Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi <at> cisco.com <mailto:allewi <at> cisco.com



From: Starner, Mark [mailto:mark.starner <at> unisys.com]
Sent: Tuesday, February 17, 2015 12:54 PM
To: snort-users <at> lists.sourceforge.net <mailto:snort-users <at> lists.sourceforge.net>
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?



Ok.. I get that. So I come back to my original question.



How do I get $ethX_ADDRESS variables assigned if --enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?



Here is the section of code from parser.c



#ifndef SOURCEFIRE
    /* If snort is not run with root privileges, no interfaces will be defined,
     * so user beware if an iface_ADDRESS variable is used in snort.conf and
     * snort is not run as root (even if just in read mode) */
    DefineAllIfaceVars(sc);
#endif



Is there another way to enable that?



Curious what the thinking is here?



Thanks

Mark





From: Joel Esler (jesler) [mailto:jesler <at> cisco.com]
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users <at> lists.sourceforge.net <mailto:snort-users <at> lists.sourceforge.net>
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?



Unfortunately that disables everything that we test against with the ruleset.  I suggest you not do that.





On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner <at> unisys.com <mailto:mark.starner <at> unisys.com> > wrote:



I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.



Maybe this will help anyone else who comes across this.



Mark





From: Starner, Mark [mailto:mark.starner <at> unisys.com]
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users <at> lists.sourceforge.net <mailto:snort-users <at> lists.sourceforge.net>
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?



I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.



I think I encountered this with a previous upgrade, but I don't recall how I resolved it.



So

1)      Is this still valid with 2.9.7.0?

2)      If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined).



Thanks

Mark







------------------------------

End of Snort-users Digest, Vol 105, Issue 49
********************************************


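The question at the top of this message asks how to get false negative and false positive rates after running Snort over the DARPA dataset. The following is an added example, not code from the thread: it scores Snort "alert_fast" lines against a labelled list of sessions and derives the rates from the resulting confusion matrix. Both the ground truth and the alert lines are constructed; matching on the (src, dst) pair within a time window after the session start is an assumption of this example, and a real evaluation would load the DARPA attack list and Snort's alert file instead.

```python
"""Score Snort alerts against a labelled ground truth (added example)."""
import re
from datetime import datetime

# Constructed ground truth: (start_time, src, dst, attack_name or None).
# A None attack name marks a benign session.
GROUND_TRUTH = [
    ("1999-03-08 08:01:00", "172.16.112.50", "192.168.1.10", "ipsweep"),
    ("1999-03-08 08:05:00", "172.16.112.20", "192.168.1.10", None),
    ("1999-03-08 08:09:00", "172.16.113.84", "192.168.1.20", "portsweep"),
    ("1999-03-08 08:15:00", "172.16.112.20", "192.168.1.30", None),
    ("1999-03-08 08:20:00", "172.16.114.50", "192.168.1.10", "back"),
]

# Constructed alerts in Snort's alert_fast format (no year in the timestamp).
ALERT_FAST = """\
03/08-08:01:12.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.112.50 -> 192.168.1.10
03/08-08:05:40.000000  [**] [1:2925:3] INFO web bug 0x0 gif attempt [**] [Priority: 3] {TCP} 172.16.112.20:4021 -> 192.168.1.10:80
03/08-08:09:05.000000  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 172.16.113.84 -> 192.168.1.20
"""

ALERT_RE = re.compile(
    r"^(?P<md>\d\d/\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\].*?\{[^}]+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alerts(text, year):
    """Return (timestamp, src, dst) for each alert_fast line; year is supplied
    by the caller because the fast format omits it."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['md']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
        alerts.append((ts, m["src"], m["dst"]))
    return alerts


def score(ground_truth, alerts, window_seconds=600):
    """Confusion matrix at session granularity: a session counts as alerted
    when any alert with the same src/dst falls within the window after it starts."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for start, src, dst, attack in ground_truth:
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        hit = any(
            a_src == src and a_dst == dst
            and 0 <= (ts - t0).total_seconds() <= window_seconds
            for ts, a_src, a_dst in alerts
        )
        if attack and hit:
            counts["TP"] += 1
        elif attack:
            counts["FN"] += 1
        elif hit:
            counts["FP"] += 1
        else:
            counts["TN"] += 1
    return counts


def rates(counts):
    """FPR = FP/(FP+TN), FNR = FN/(FN+TP), plus precision and recall."""
    tp, fp, fn, tn = (counts[k] for k in ("TP", "FP", "FN", "TN"))

    def div(a, b):
        return a / b if b else 0.0

    return {
        "false_positive_rate": div(fp, fp + tn),
        "false_negative_rate": div(fn, fn + tp),
        "precision": div(tp, tp + fp),
        "recall": div(tp, tp + fn),
    }


if __name__ == "__main__":
    counts = score(GROUND_TRUTH, parse_alerts(ALERT_FAST, 1999))
    print(counts)
    for name, value in rates(counts).items():
        print(f"{name}: {value:.3f}")
```

With the constructed data the two sweeps are caught, the "back" attack is missed, and one benign session triggers an informational alert, giving FPR 0.5 and FNR 0.333. Counting per session rather than per packet is what keeps a single noisy session from dominating the false-positive count.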
Starner, Mark | 17 Feb 17:32 2015

$eth1_ADDRESS still a valid variable in 2.9.7.0?

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

 

I think I encountered this with a previous upgrade, but I don’t recall how I resolved it.

 

So

1)      Is this still valid with 2.9.7.0?

2)      If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined).

 

Thanks

Mark

 

Attachment (smime.p7s): application/pkcs7-signature, 12 KiB
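The "Undefined variable in the string" error in this thread comes from a rule header referencing a $VARIABLE that neither snort.conf nor Snort itself (which, per the parser.c excerpt quoted above, only defines the interface variables when not built with --enable-sourcefire and running as root) has defined. The following added example, not from the thread, is a pre-flight check that scans a rules file for such references against the ipvar/portvar/var definitions in a config; the CONF and LOCAL_RULES snippets are constructed, and the function names are this example's own.

```python
"""Find $VARIABLE references in Snort rule headers that no config line defines
(added example)."""
import re

# ipvar/portvar/var lines as written in snort.conf
DEF_RE = re.compile(r"^\s*(?:ipvar|portvar|var)\s+(\w+)\s+(\S.*)$")
# $NAME references; only rule headers (text before the first "(") are scanned
USE_RE = re.compile(r"\$(\w+)")

# Constructed snort.conf excerpt
CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH rules
"""

# Constructed local.rules; the second rule uses an interface variable that
# Snort may or may not define at runtime, as discussed in the thread
LOCAL_RULES = """\
# constructed local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $eth1_ADDRESS 22 (msg:"SSH to mgmt"; sid:10000002; rev:1;)
"""


def defined_variables(conf_text):
    """Map variable name -> value for every ipvar/portvar/var line."""
    defs = {}
    for line in conf_text.splitlines():
        m = DEF_RE.match(line)
        if m:
            defs[m.group(1)] = m.group(2).strip()
    return defs


def undefined_references(rules_text, defs):
    """Return (line_number, variable) for each header reference not in defs.
    Comment and blank lines are skipped; rule options are not scanned."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = line.split("(", 1)[0]
        for name in USE_RE.findall(header):
            if name not in defs:
                problems.append((lineno, name))
    return problems


def check_files(conf_path, rules_path):
    """Run the check against real files and return the problem list."""
    with open(conf_path, encoding="utf-8") as f:
        defs = defined_variables(f.read())
    with open(rules_path, encoding="utf-8") as f:
        return undefined_references(f.read(), defs)


if __name__ == "__main__":
    defs = defined_variables(CONF)
    for lineno, name in undefined_references(LOCAL_RULES, defs):
        print(f"local.rules({lineno}): ${name} is not defined in snort.conf")
```

Run against the constructed input it reports line 3 and eth1_ADDRESS, which is exactly the case the thread ends on: an explicit `ipvar eth1_ADDRESS <ip.address>` line in the config removes the dependence on Snort's root-only interface discovery, and the checker then passes.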
Eugene Grama | 17 Feb 12:06 2015

Snort and a remote mssql database server

Hello,

Can snort send its result to a remote mssql server?

If yes (and I really hope so), could you kindly give me any link to guides/procedures on how to accomplish this.

I can see there are issues regarding authentication between mssql and snort.

--
Thank you and Best regards,

Eugene
Dario Bruno | 17 Feb 10:09 2015

Pulledpork download rulesets error 500

Hello everybody,
I'm trying to configure Pulledpork to download the rulesets using the
doc "Snort 2.9.7.x on Ubuntu 12 and 14 with Barnyard2, PulledPork, and
BASE" written by Noah Dietrich in January 2015.
I followed his instructions to modify /etc/snort/pulledpork.conf,
but when I run it I receive the following error:

Checking latest MD5 for community-rules.tar.gz....
	Error 500 when fetching
https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5
at /usr/local/bin/pulledpork.pl line 463.
	main::md5file('Community', 'community-rules.tar.gz', '/tmp/',
'https://s3.amazonaws.com/snort-org/www/rules/community/') called at
/usr/local/bin/pulledpork.pl line 1847

I'm sure about the oinkcode.
Thank you kindly for your help
Best regards
Dario
-- 
Dario Bruno
PGP key: 0x8D83F768
(keys.gnupg.net)

========================================================================

WARNING!!
This message contains confidential information, and it is intended to be
read, attachments included, only by intended recipients.
If you believe not to be one of the intended recipients, please destroy
the message and inform the sender.

========================================================================


Eugene Grama | 17 Feb 07:24 2015

Fwd: snort using rpcap in windows


Hello,


Can snort run using rpcap? I'm trying this command, but it is not successful:

snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

I run into ERROR: pcap does not support inline

Running the command snort --daq-list gives: Available DAQ modules: pcap(v3): readback live multi unpriv

Please help: how can I connect to and collect data from my remote machine (Windows web server)?

--
Thank you and Best regards,

Eugene

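The ERROR line in the message above is the pcap DAQ refusing --daq-mode inline: its capability line from snort --daq-list ("readback live multi unpriv") contains no "inline" word. The following added example, not from the thread, parses that listing and checks a snort command line against it before launch, so the mismatch is caught without starting Snort. DAQ_LIST is constructed in the format the post shows; the afpacket and dump lines and the mode-to-capability mapping are assumptions of this example.

```python
"""Check a snort command line against the capabilities in `snort --daq-list`
(added example)."""
import re
import shlex

# Constructed listing in the format printed by `snort --daq-list`
DAQ_LIST = """\
Available DAQ modules:
pcap(v3): readback live multi unpriv
afpacket(v5): live inline multi unpriv
dump(v3): readback live inline multi unpriv
"""

MODULE_RE = re.compile(r"^(\w+)\(v\d+\):\s*(.*)$")

# --daq-mode value -> capability word a module must advertise (assumed mapping)
MODE_CAPABILITY = {"passive": "live", "inline": "inline", "read-file": "readback"}


def parse_daq_list(text):
    """Return {module_name: set(capability words)}."""
    modules = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            modules[m.group(1)] = set(m.group(2).split())
    return modules


def requested_daq(argv):
    """Pull --daq and --daq-mode out of a snort argv; defaults are pcap/passive."""
    daq, mode = "pcap", "passive"
    for i, arg in enumerate(argv):
        if arg == "--daq" and i + 1 < len(argv):
            daq = argv[i + 1]
        elif arg == "--daq-mode" and i + 1 < len(argv):
            mode = argv[i + 1]
    return daq, mode


def check_command(cmdline, daq_list_text):
    """Return (ok, message). posix=False keeps Windows paths and the
    rpcap:// URI intact instead of treating backslashes as escapes."""
    modules = parse_daq_list(daq_list_text)
    daq, mode = requested_daq(shlex.split(cmdline, posix=False))
    if daq not in modules:
        return False, f"DAQ module {daq!r} is not available"
    cap = MODE_CAPABILITY.get(mode)
    if cap is None:
        return False, f"unknown --daq-mode {mode!r}"
    if cap not in modules[daq]:
        alternatives = sorted(m for m, caps in modules.items() if cap in caps)
        return False, f"{daq} does not support {mode}; modules that do: {alternatives}"
    return True, f"{daq} supports {mode}"


if __name__ == "__main__":
    # Placeholder address and NPF GUID, constructed for the example
    cmd = (r"snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap "
           r"--daq-mode inline -i rpcap://[192.0.2.10]:2002/\Device\NPF_{placeholder}")
    print(check_command(cmd, DAQ_LIST))
```

In practice, feed the output of the real `snort --daq-list` into check_command; the listing is the authoritative statement of what each DAQ on that build can do, and the check simply reads it the way Snort does.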
Lena Okanovic | 16 Feb 20:04 2015

Stuck at Commencing Packet Processing

Hello,

I am new to Snort. I just recently downloaded and installed it on a Windows 2008 box. I got WinPcap and the rules installed per instructions found on the internet. I also configured the snort.conf file to use Snort as an IDS. Testing results come back without any errors. However, when I execute snort.exe -i1 -s -l C:\snort\log\ -c C:\Snort\etc\snort.conf I get no log created and the cmd prompt is stuck at Commencing Packet Processing.


I also chose Interface 1 because of my configuration. 1 and 2 have no IP and 3 is my management interface with IP settings assigned.


What am I doing wrong? Oh, also, in the config file I left 'any' for the HOME_NET address.


Thank you!







Dario Bruno | 16 Feb 20:39 2015

snort lan sniff

Hello everybody,
I'm using Snort 2.9.7.0 on Ubuntu 14.04
All works fine when I sniff traffic on my nic (eth0), but I would like to
sniff packets on the lan (i.e. http to the router inside interface).
I tried putting my nic in promiscuous mode, but I am still only able to
sniff the traffic to/from my interface (eth0).
Thank you for your help
Best regards
-- 
Dario Bruno
PGP key: 0x8D83F768
(keys.gnupg.net)



Henry Collins | 16 Feb 15:42 2015

Snort even though working properly does not report majority of rules

I have installed Snort 2.9.7.0 and it does not detect the majority of attacks, such as nmap port scans, downloading exe files, or opening documents containing the keyword "root".

I use Snort together with Pulled Pork and Barnyard2. Everything seems to function and I can see alerts on the website that is powered by BASE.

The problem is that I can only trigger 3 different alerts. Everything else is simply not detected. Obviously I want to be able to get alerts when someone performs port scanning, tries to perform a DDOS attack and so on. This I cannot trigger. Do I have to enable something somewhere?...

I have made my own local.rules file, which contains a single rule - monitoring of ICMP echo packets.

Pulled Pork does show that it has downloaded over 20000 rules and over 5000 rules are enabled. This can be seen in snort.rules file, which I included in snort.conf file.

The 3 alerts I am able to trigger are:

stream5: TCP Small Segment Threshold Exceeded (this is due to my old Win SCP client)
ssh: Protocol mismatch (this is due to my old Putty client)
ICMP test (my own rule from local.rules)

My snort.conf can be found on the following website (had to move it there, because I reached the list's max character limit): https://paste.ee/p/RTUgY

My pulledpork.conf can be found on the following website: https://paste.ee/p/ixZqW

My local.rules looks like this (which does work):

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

What is strange is that last Friday, Snort suddenly started to work and used Pulled Pork's rules. However, currently, when I am writing this, it doesn't work anymore. I tried to reinstall Snort, Barnyard2 and everything else on a completely fresh Linux computer. It didn't help.
Sandeep Singh | 14 Feb 08:21 2015

Regarding GID 1, SID 33429 - Microsoft Windows SMB potential group policy fallback exploit attempt

Hi all,
I am seeing a lot of noise for the recently pushed rule with GID 1, SID 33429, which detects attempts against the vulnerability mentioned in MS15-014 (https://technet.microsoft.com/library/security/ms15-014).

Rule --> 

alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB potential group policy fallback exploit attempt"; flow:to_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"|5C 00|g|00|p|00|t|00|T|00|m|00|p|00|l|00|.|00|i|00|n|00|f|00 00|"; fast_pattern:only; detection_filter:track by_src,count 5,seconds 2; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service netbios-ssn; reference:cve,2015-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-014; classtype:attempted-user; sid:33429; rev:1; )


From what I can understand from the rule and the alerts, it fires every time a computer queries a shared folder (which contains the group policies) for settings that apply to the current computer or user, which is of course causing a huge number of false positives.


We are already in the process of deploying an enterprise-wide patch for MS15-014, but in the meantime is there anything that can be done to tune this detection rule?


If required I can provide a packet capture


Any suggestions?


Thanks


