João Soares | 16 May 04:51 2016
Picon

Snort3 generating multiple alert files

Greetings,

I'm trying to learn and adapt to snort3 and it's not being easy.

I'm running snort3 with this command:

snort -l /root/snort-logs -A full -i eth0 -c etc/snort/snort.lua -D -z 0 -d -e -w -X -y

I have a two questions and I would really appreciate it if you guys could help me out:

1 - Why is snort3 making a new alert file each time the original file reaches approximately 4kb? How can I change that?

2 - How can I make snort3 log both alerts and pcaps of intrusions, I can't get it to work, I have tried combining both -A and -L options but I can only get one of them to be logged.

I'm sorry if these are really obvious questions, but I've read the manual and I can't seem to find the answers.

Best regards and thank you for your time!

-- João Soares SIC - Serviço de Informática e Comunicações https://helpdesk.dei.uc.pt Department of Informatics Engineering Faculty of Science and Technology University of Coimbra
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Lenny Hansson | 14 May 08:20 2016
Picon

UDP detection when no payload is pressent i UDP packets problem

Hi All
I am looking at an attack where no payload in UDP packets are present.
My SNORT installation is working on other rules and traffic types.

This attack comes from a large DDOS where the packet all look like this.
But all source IP is random and source and dest ports on UDP is random.
The only thing witch is steady is packet size.

So the idea was to look for UDP packets whit 46 Bytes and do a drop on
that and/or put in a detection filter and start dropping after receiving
500/1000 packets within 5 seconds ore so.

My starting rule was to look for UDP like the here. But here comes my
problem. I can't even get SNORT to alert on simple UDP packets like the
one attached. If I craft my own UDP packet it will alert ore if I do
testing with other UDP based attacks with content and so on.

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"UDP no payload
attack"; priority:1; sid:880000; rev:1;)

I have attached 1 pcap with one such packet not detected with SNORT. DST
IP have been changed in the pcap file as the only thing. But the rest of
the packet is still original from the attack.

What am I missing here ? Sense I can't get SNORT to give me alerts in
logs files ore in screen ?

I am testing on SNORT version 2.9.8.2
-- 
Venlig hilsen / Best Regards
Lenny Hansson
***********************************
Web: networkforensic.dk
***********************************
E-mail: security <at> netcowboy.dk
Key-ID: 91379877
***********************************

Attachment (No.pcap): application/octet-stream, 117 bytes
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Samuel Kidman | 9 May 02:25 2016
Picon

snort honeytoken config

Hello

 

just resending the below because I still really need to get it working.


Problem is content rules are working on a packet capture (using -r switch) but not working when using NIDS mode (-i switch).

 

More information is below.

 

Regards, Sam

 

From: Samuel Kidman
Sent: 05 May 2016 10:58
To: snort-users <at> lists.sourceforge.net
Subject: FW: RE : RE: RE : [Snort-users] snort honeytoken config

 

 

>Maybe I am missing something but your output says there are 16 alerts logged: They should be in the /var/log/snort directory based on your output.

I think it is 0 alerts logged but there are 16 packets logged.

 

>Share a full network pcap trace ?

Can’t do that unfortunately. If there was a way to send one with dummy data I would.

 

> How to capture ? What is ens192 ? 

I am running snort on a VM on the same host as a VM running MSSQL. I have allowed promiscuous made on the virtual network where both VMs are so snort sees all of the traffic that the MSSQL server sees, similar to a network tap.

ens192 is just the virtual Ethernet card.

 

Your snort output indicate fire 6 times ? 

I think that is because of the log rule that I have.

 

And what is three sigs ? 

alert tcp any 1433 -> any any (content: "bjkhvjkhbvhjb"; msg: "test honeytoken rule"; sid:1000001;)

log tcp any any -> 10.0.0.X any (sid:1000003;)  #refers to my local workstation

alert icmp any any -> any any (content: "|DE AD BE EF|"; msg: "test rule"; sid:1000000;)

 

The test ICMP rule works fine.

 

Regards, Sam

 

 

From: rmkml [mailto:rmkml <at> ligfy.org]
Sent: 05 May 2016 01:27
To: Samuel Kidman <skidman <at> netwealth.com.au>
Cc: rmkml <at> ligfy.org; snort-users <at> lists.sourceforge.net
Subject: RE : RE: RE : [Snort-users] snort honeytoken config

 

Hi Sam, 

 

Could you share more information please ? 

 

Share a full network pcap trace ? How to capture ? What is ens192 ? 

 

Your snort output indicate fire 6 times ? 

And what is three sigs ? 

 

Are you sure you need to check mssql reply side please ? (alert tcp any 1433 -> any any...)

 

Regards 

<at> rmkml 

 

 

 

 

-------- Message d'origine --------
De : Samuel Kidman <skidman <at> netwealth.com.au>
Date : 04/05/2016 08:58 (GMT+01:00)
À : rmkml <rmkml <at> ligfy.org>
Cc : snort-users <at> lists.sourceforge.net
Objet : RE: RE : [Snort-users] snort honeytoken config

Hello


Thanks for your reply, I gave it a go but still no alert when running in ids mode.

 

output from running snort at console is below:

 

admin <at> nwidsdev ~ % sudo /sbin/snort -k none -i ens192 -c /etc/snort/snort.conf ip host 10.0.0.81 and tcp port 1433

Running in IDS mode

 

        --== Initializing Snort ==--

Initializing Output Plugins!

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file "/etc/snort/snort.conf"

PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]

PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]

PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]

PortVar 'SSH_PORTS' defined :  [ 22 ]

PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]

PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]

PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]

PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]

Detection:

   Search-Method = AC-Full-Q

    Split Any/Any group = enabled

    Search-Method-Optimizations = enabled

    Maximum pattern length = 20

Tagged Packet Limit: 256

Snort BPF option: ip host 10.0.0.81 and tcp port 1433

Loading dynamic engine /usr/lib64/snort-2.9.8.2_dynamicengine/libsf_engine.so... done

Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...

WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.

  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules

Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.8.2_dynamicpreprocessor/...

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_dce2_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_dnp3_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_dns_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_gtp_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_imap_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_modbus_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_pop_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_reputation_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_sdf_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_sip_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_smtp_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_ssh_preproc.so... done

  Loading dynamic preprocessor library /usr/lib64/snort-2.9.8.2_dynamicpreprocessor//libsf_ssl_preproc.so... done

  Finished Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.8.2_dynamicpreprocessor/

Log directory = /var/log/snort

WARNING: ip4 normalizations disabled because not inline.

WARNING: tcp normalizations disabled because not inline.

WARNING: icmp4 normalizations disabled because not inline.

WARNING: ip6 normalizations disabled because not inline.

WARNING: icmp6 normalizations disabled because not inline.

Frag3 global config:

    Max frags: 65536

    Fragment memory cap: 4194304 bytes

Frag3 engine config:

    Bound Address: default

    Target-based policy: WINDOWS

    Fragment timeout: 180 seconds

    Fragment min_ttl:   1

    Fragment Anomalies: Alert

    Overlap Limit:     10

    Min fragment Length:     100

      Max Expected Streams: 768

Stream global config:

    Track TCP sessions: ACTIVE

    Max TCP sessions: 262144

    TCP cache pruning timeout: 30 seconds

    TCP cache nominal timeout: 3600 seconds

    Memcap (for reassembly packet storage): 8388608

    Track UDP sessions: ACTIVE

    Max UDP sessions: 131072

    UDP cache pruning timeout: 30 seconds

    UDP cache nominal timeout: 180 seconds

    Track ICMP sessions: INACTIVE

    Track IP sessions: INACTIVE

    Log info if session memory consumption exceeds 1048576

    Send up to 2 active responses

    Wait at least 5 seconds between responses

    Protocol Aware Flushing: ACTIVE

        Maximum Flush Point: 16000

Stream TCP Policy config:

    Bound Address: default

    Reassembly Policy: WINDOWS

    Timeout: 180 seconds

    Limit on TCP Overlaps: 10

    Maximum number of bytes to queue per session: 1048576

    Maximum number of segs to queue per session: 2621

    Options:

        Require 3-Way Handshake: YES

        3-Way Handshake Timeout: 180

        Detect Anomalies: YES

    Reassembly Ports:

      21 client (Footprint)

      22 client (Footprint)

      23 client (Footprint)

      25 client (Footprint)

      42 client (Footprint)

      53 client (Footprint)

      79 client (Footprint)

      80 client (Footprint) server (Footprint)

      81 client (Footprint) server (Footprint)

      109 client (Footprint)

      110 client (Footprint)

      111 client (Footprint)

      113 client (Footprint)

      119 client (Footprint)

      135 client (Footprint)

      136 client (Footprint)

      137 client (Footprint)

      139 client (Footprint)

      143 client (Footprint)

      161 client (Footprint)

      additional ports configured but not printed.

Stream UDP Policy config:

    Timeout: 180 seconds

HttpInspect Config:

    GLOBAL CONFIG

      Detect Proxy Usage:       NO

      IIS Unicode Map Filename: /etc/snort/unicode.map

      IIS Unicode Map Codepage: 1252

      Memcap used for logging URI and Hostname: 150994944

      Max Gzip Memory: 838860

      Max Gzip Sessions: 1613

      Gzip Compress Depth: 65535

      Gzip Decompress Depth: 65535

    DEFAULT SERVER CONFIG:

      Server profile: All

      Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555

      Server Flow Depth: 0

      Client Flow Depth: 0

      Max Chunk Length: 500000

      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times

      Max Header Field Length: 750

      Max Number Header Fields: 100

      Max Number of WhiteSpaces allowed with header folding: 200

      Inspect Pipeline Requests: YES

      URI Discovery Strict Mode: NO

      Allow Proxy Usage: NO

      Disable Alerting: NO

      Oversize Dir Length: 500

      Only inspect URI: NO

      Normalize HTTP Headers: NO

      Inspect HTTP Cookies: YES

      Inspect HTTP Responses: YES

      Extract Gzip from responses: YES

      Decompress response files:

      Unlimited decompression of gzip data from responses: YES

      Normalize Javascripts in HTTP Responses: YES

      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200

      Normalize HTTP Cookies: NO

      Enable XFF and True Client IP: NO

      Log HTTP URI data: NO

      Log HTTP Hostname data: NO

      Extended ASCII code support in URI: NO

      Ascii: YES alert: NO

      Double Decoding: YES alert: NO

      %U Encoding: YES alert: YES

      Bare Byte: YES alert: NO

      UTF 8: YES alert: NO

      IIS Unicode: YES alert: NO

      Multiple Slash: YES alert: NO

      IIS Backslash: YES alert: NO

      Directory Traversal: YES alert: NO

      Web Root Traversal: YES alert: NO

      Apache WhiteSpace: YES alert: NO

      IIS Delimiter: YES alert: NO

      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07

      Whitespace Characters: 0x09 0x0b 0x0c 0x0d

rpc_decode arguments:

    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779

    alert_fragments: INACTIVE

    alert_large_fragments: INACTIVE

    alert_incomplete: INACTIVE

    alert_multiple_requests: INACTIVE

FTPTelnet Config:

    GLOBAL CONFIG

      Inspection Type: stateful

      Check for Encrypted Traffic: YES alert: NO

      Continue to check encrypted data: YES

    TELNET CONFIG:

      Ports: 23

      Are You There Threshold: 20

      Normalize: YES

      Detect Anomalies: YES

    FTP CONFIG:

      FTP Server: default

        Ports (PAF): 21 2100 3535

        Check for Telnet Cmds: YES alert: YES

        Ignore Telnet Cmd Operations: YES alert: YES

        Ignore open data channels: NO

      FTP Client: default

        Check for Bounce Attacks: YES alert: YES

        Check for Telnet Cmds: YES alert: YES

        Ignore Telnet Cmd Operations: YES alert: YES

        Max Response Length: 256

SMTP Config:

    Ports: 25 465 587 691

    Inspection Type: Stateful

    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50

    Ignore Data: No

    Ignore TLS Data: No

    Ignore SMTP Alerts: No

    Max Command Line Length: 512

    Max auth Command Line Length: 1000

    Max Specific Command Line Length:

       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255

       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255

       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500

       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246

       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246

       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246

       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246

       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246

       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246

       XUSR:246

    Max Header Line Length: 1000

    Max Response Line Length: 512

    X-Link2State Alert: Yes

    Drop on X-Link2State Alert: No

    Alert on commands: None

    Alert on unknown commands: No

    SMTP Memcap: 838860

    MIME Max Mem: 838860

    Base64 Decoding: Enabled

    Base64 Decoding Depth: Unlimited

    Quoted-Printable Decoding: Enabled

    Quoted-Printable Decoding Depth: Unlimited

    Unix-to-Unix Decoding: Enabled

    Unix-to-Unix Decoding Depth: Unlimited

    Non-Encoded MIME attachment Extraction: Enabled

    Non-Encoded MIME attachment Extraction Depth: Unlimited

    Log Attachment filename: Enabled

    Log MAIL FROM Address: Enabled

    Log RCPT TO Addresses: Enabled

    Log Email Headers: Enabled

    Email Hdrs Log Depth: 1464

SSH config:

    Autodetection: ENABLED

    Challenge-Response Overflow Alert: ENABLED

    SSH1 CRC32 Alert: ENABLED

    Server Version String Overflow Alert: ENABLED

    Protocol Mismatch Alert: ENABLED

    Bad Message Direction Alert: DISABLED

    Bad Payload Size Alert: DISABLED

    Unrecognized Version Alert: DISABLED

    Max Encrypted Packets: 20

    Max Server Version String Length: 100

    MaxClientBytes: 19600 (Default)

    Ports:

        22

DCE/RPC 2 Preprocessor Configuration

  Global Configuration

    DCE/RPC Defragmentation: Enabled

    Memcap: 102400 KB

    Events: co

    SMB Fingerprint policy: Disabled

  Server Default Configuration

    Policy: WinXP

    Detect ports (PAF)

      SMB: 139 445

      TCP: 135

      UDP: 135

      RPC over HTTP server: 593

      RPC over HTTP proxy: None

    Autodetect ports (PAF)

      SMB: None

      TCP: 1025-65535

      UDP: 1025-65535

      RPC over HTTP server: 1025-65535

      RPC over HTTP proxy: None

    Invalid SMB shares: C$ D$ ADMIN$

    Maximum SMB command chaining: 3 commands

    SMB file inspection: Disabled

DNS config:

    DNS Client rdata txt Overflow Alert: ACTIVE

    Obsolete DNS RR Types Alert: INACTIVE

    Experimental DNS RR Types Alert: INACTIVE

    Ports: 53

SSLPP config:

    Encrypted packets: not inspected

    Ports:

      443      465      563      636      989

      992      993      994      995     7801

     7802     7900     7901     7902     7903

     7904     7905     7906     7907     7908

     7909     7910     7911     7912     7913

     7914     7915     7916     7917     7918

     7919     7920

    Server side data is trusted

    Maximum SSL Heartbeat length: 0

Sensitive Data preprocessor config:

    Global Alert Threshold: 25

    Masked Output: DISABLED

SIP config:

    Max number of sessions: 40000

    Max number of dialogs in a session: 4 (Default)

    Status: ENABLED

    Ignore media channel: DISABLED

    Max URI length: 512

    Max Call ID length: 80

    Max Request name length: 20 (Default)

    Max From length: 256 (Default)

    Max To length: 256 (Default)

    Max Via length: 1024 (Default)

    Max Contact length: 512

    Max Content length: 2048

    Ports:

        5060    5061    5600

    Methods:

          invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack

IMAP Config:

    Ports: 143

    IMAP Memcap: 838860

    MIME Max Mem: 838860

    Base64 Decoding: Enabled

    Base64 Decoding Depth: Unlimited

    Quoted-Printable Decoding: Enabled

    Quoted-Printable Decoding Depth: Unlimited

    Unix-to-Unix Decoding: Enabled

    Unix-to-Unix Decoding Depth: Unlimited

    Non-Encoded MIME attachment Extraction: Enabled

    Non-Encoded MIME attachment Extraction Depth: Unlimited

POP Config:

    Ports: 110

    POP Memcap: 838860

    MIME Max Mem: 838860

    Base64 Decoding: Enabled

    Base64 Decoding Depth: Unlimited

    Quoted-Printable Decoding: Enabled

    Quoted-Printable Decoding Depth: Unlimited

    Unix-to-Unix Decoding: Enabled

    Unix-to-Unix Decoding Depth: Unlimited

    Non-Encoded MIME attachment Extraction: Enabled

    Non-Encoded MIME attachment Extraction Depth: Unlimited

Modbus config:

    Ports:

        502

DNP3 config:

    Memcap: 262144

    Check Link-Layer CRCs: ENABLED

    Ports:

        20000

Reputation config:

WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

3 Snort rules read

    3 detection rules

    0 decoder rules

    0 preprocessor rules

3 Option Chains linked into 3 Chain Headers

0 Dynamic rules

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

+-------------------[Rule Port Counts]---------------------------------------

|             tcp     udp    icmp      ip

|     src       1       0       0       0

|     dst       0       0       0       0

|     any       1       0       1       0

|      nc       1       0       0       0

|     s+d       0       0       0       0

+----------------------------------------------------------------------------

 

+-----------------------[detection-filter-config]------------------------------

| memory-cap : 1048576 bytes

+-----------------------[detection-filter-rules]-------------------------------

| none

-------------------------------------------------------------------------------

 

+-----------------------[rate-filter-config]-----------------------------------

| memory-cap : 1048576 bytes

+-----------------------[rate-filter-rules]------------------------------------

| none

-------------------------------------------------------------------------------

 

+-----------------------[event-filter-config]----------------------------------

| memory-cap : 1048576 bytes

+-----------------------[event-filter-global]----------------------------------

+-----------------------[event-filter-local]-----------------------------------

| none

+-----------------------[suppression]------------------------------------------

| none

-------------------------------------------------------------------------------

Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Verifying Preprocessor Configurations!

 

[ Port Based Pattern Matching Memory ]

+- [ Aho-Corasick Summary ] -------------------------------------

| Storage Format    : Full-Q

| Finite Automaton  : DFA

| Alphabet Size     : 256 Chars

| Sizeof State      : Variable (1,2,4 bytes)

| Instances         : 3

|     1 byte states : 3

|     2 byte states : 0

|     4 byte states : 0

| Characters        : 30

| States            : 33

| Transitions       : 60

| State Density     : 0.7%

| Patterns          : 3

| Match States      : 3

| Memory (KB)       : 20.37

|   Pattern         : 0.29

|   Match Lists     : 0.49

|   DFA

|     1 byte states : 8.57

|     2 byte states : 0.00

|     4 byte states : 0.00

+----------------------------------------------------------------

[ Number of patterns truncated to 20 bytes: 0 ]

pcap DAQ configured to passive.

Acquiring network traffic from "ens192".

Reload thread starting...

Reload thread started, thread 0x7f2fae0d8700 (6518)

Decoding Ethernet

 

        --== Initialization Complete ==--

 

   ,,_     -*> Snort! <*-

  o"  )~   Version 2.9.8.2 GRE (Build 335)

   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.

           Using libpcap version 1.5.3

           Using PCRE version: 8.32 2012-11-30

           Using ZLIB version: 1.2.7

 

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.6  <Build 1>

           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>

           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>

           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>

           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>

           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>

           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>

           Preprocessor Object: SF_POP  Version 1.0  <Build 1>

           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>

           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>

           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>

           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>

           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>

           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>

           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>

Commencing packet processing (pid=6509)

 

 

After exit running query and exiting--

 

===============================================================================

Run time for packet processing was 133.14664 seconds

Snort processed 2563 packets.

Snort ran for 0 days 0 hours 2 minutes 13 seconds

   Pkts/min:         1281

   Pkts/sec:           19

===============================================================================

Memory usage summary:

  Total non-mmapped bytes (arena):       5758976

  Bytes in mapped regions (hblkhd):      30130176

  Total allocated space (uordblks):      3479520

  Total free space (fordblks):           2279456

  Topmost releasable block (keepcost):   257360

===============================================================================

Packet I/O Totals:

   Received:         2564

   Analyzed:         2563 ( 99.961%)

    Dropped:            0 (  0.000%)

   Filtered:            0 (  0.000%)

Outstanding:            1 (  0.039%)

   Injected:            0

===============================================================================

Breakdown by protocol (includes rebuilt packets):

        Eth:         2631 (100.000%)

       VLAN:            0 (  0.000%)

        IP4:         2631 (100.000%)

       Frag:            0 (  0.000%)

       ICMP:            0 (  0.000%)

        UDP:            0 (  0.000%)

        TCP:         2173 ( 82.592%)

        IP6:            0 (  0.000%)

    IP6 Ext:            0 (  0.000%)

   IP6 Opts:            0 (  0.000%)

      Frag6:            0 (  0.000%)

      ICMP6:            0 (  0.000%)

       UDP6:            0 (  0.000%)

       TCP6:            0 (  0.000%)

     Teredo:            0 (  0.000%)

    ICMP-IP:            0 (  0.000%)

    IP4/IP4:            0 (  0.000%)

    IP4/IP6:            0 (  0.000%)

    IP6/IP4:            0 (  0.000%)

    IP6/IP6:            0 (  0.000%)

        GRE:            0 (  0.000%)

    GRE Eth:            0 (  0.000%)

   GRE VLAN:            0 (  0.000%)

    GRE IP4:            0 (  0.000%)

    GRE IP6:            0 (  0.000%)

GRE IP6 Ext:            0 (  0.000%)

   GRE PPTP:            0 (  0.000%)

    GRE ARP:            0 (  0.000%)

    GRE IPX:            0 (  0.000%)

   GRE Loop:            0 (  0.000%)

       MPLS:            0 (  0.000%)

        ARP:            0 (  0.000%)

        IPX:            0 (  0.000%)

   Eth Loop:            0 (  0.000%)

   Eth Disc:            0 (  0.000%)

   IP4 Disc:          458 ( 17.408%)

   IP6 Disc:            0 (  0.000%)

   TCP Disc:            0 (  0.000%)

   UDP Disc:            0 (  0.000%)

  ICMP Disc:            0 (  0.000%)

All Discard:          458 ( 17.408%)

      Other:            0 (  0.000%)

Bad Chk Sum:            0 (  0.000%)

    Bad TTL:            0 (  0.000%)

     S5 G 1:           37 (  1.406%)

     S5 G 2:           31 (  1.178%)

      Total:         2631

===============================================================================

Action Stats:

     Alerts:            0 (  0.000%)

     Logged:           16 (  0.608%)

     Passed:            0 (  0.000%)

Limits:

      Match:            0

      Queue:            0

        Log:            0

      Event:            0

      Alert:            0

Verdicts:

      Allow:         2563 ( 99.961%)

      Block:            0 (  0.000%)

    Replace:            0 (  0.000%)

  Whitelist:            0 (  0.000%)

  Blacklist:            0 (  0.000%)

     Ignore:            0 (  0.000%)

===============================================================================

Frag3 statistics:

        Total Fragments: 0

      Frags Reassembled: 0

               Discards: 0

          Memory Faults: 0

               Timeouts: 0

               Overlaps: 0

              Anomalies: 0

                 Alerts: 0

                  Drops: 0

     FragTrackers Added: 0

    FragTrackers Dumped: 0

FragTrackers Auto Freed: 0

    Frag Nodes Inserted: 0

     Frag Nodes Deleted: 0

===============================================================================

===============================================================================

Stream statistics:

            Total sessions: 61

              TCP sessions: 61

              UDP sessions: 0

             ICMP sessions: 0

               IP sessions: 0

                TCP Prunes: 0

                UDP Prunes: 0

               ICMP Prunes: 0

                 IP Prunes: 0

TCP StreamTrackers Created: 61

TCP StreamTrackers Deleted: 61

              TCP Timeouts: 0

              TCP Overlaps: 1

       TCP Segments Queued: 740

     TCP Segments Released: 740

       TCP Rebuilt Packets: 99

         TCP Segments Used: 740

              TCP Discards: 354

                  TCP Gaps: 42

      UDP Sessions Created: 0

      UDP Sessions Deleted: 0

              UDP Timeouts: 0

              UDP Discards: 0

                    Events: 11

           Internal Events: 0

           TCP Port Filter

                  Filtered: 0

                 Inspected: 0

                   Tracked: 2105

           UDP Port Filter

                  Filtered: 0

                 Inspected: 0

                   Tracked: 0

===============================================================================

===============================================================================

SMTP Preprocessor Statistics

  Total sessions                                    : 0

  Max concurrent sessions                           : 0

===============================================================================

dcerpc2 Preprocessor Statistics

  Total sessions: 0

===============================================================================

===============================================================================

SIP Preprocessor Statistics

  Total sessions: 0

===============================================================================

Reputation Preprocessor Statistics

 Total Memory Allocated: 0

===============================================================================

 

From: rmkml [mailto:rmkml <at> ligfy.org]
Sent: 04 May 2016 15:58
To: Samuel Kidman <skidman <at> netwealth.com.au>
Cc: rmkml <at> ligfy.org; snort-users <at> lists.sourceforge.net
Subject: RE : [Snort-users] snort honeytoken config

 

Hi Samuel, 

 

Please try with cksum disabled  (-k none).

 

Regards

<at> Rmkml 

 

 

-------- Message d'origine --------
De : Samuel Kidman <skidman <at> netwealth.com.au>
Date : 04/05/2016 07:23 (GMT+01:00)
À : snort-users <at> lists.sourceforge.net
Objet : [Snort-users] snort honeytoken config

Hello

 

I am trying to use snort to check for certain strings leaving an MSSQL database. The idea is if these are leaving the database then someone is doing queries they shouldn’t be.

 

I have created a simple content rule:

 

alert tcp any 1433 -> any any (content: "HONEYTOKEN"; msg: "test honeytoken rule"; sid:1000001;)

 

If I query the database and run a packet capture on the snort machine, then feed the packet capture into snort (using the -r switch) the rule works as expected.

 

However, if I run snort in IDS mode (using -i switch) then the rule isn’t triggered.

 

Does anyone know what could be happening?

 

Regards, Sam

 

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Oleg Makarov | 12 May 13:26 2016

Too much of snort events

Hi guys!
Please give me an advice, sorry I'm a newbie here.
So I have Snort+Barnyard2+PulledPork+Aanval (as web siem)
It works correctly. I found a lot of alerts with gen_id 129, sig_id 12 and gen_id 129, sig_id 4 and suppress them (it's not informative). I found them in Aanval and it's trying to upload whole mysql DB.
But there are still too much alerts  ~ 30events per second and it's nearly 800k events per day.
How can I more understand what are the events generating ?
Thanks.
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Akhil Koul | 12 May 07:25 2016
Picon

Interfacing Snort with other apps

Hello

Does Snort provide a C/C++ API to interface with other applications, for instance Web Application Firewalls(Waf). I am working on a project which will interface Snort to work with Modsecurity.
Any help is appreciated.

Thanks
Akhil
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
WGM IT | 11 May 18:14 2016

Barnyard2 hangs when started with MySQL

Hello,

 

I have a problem with Barnyard2 – it hangs when started with MySQL.

I would be very grateful to you for any proposals and comments.

 

 

Step 1

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

OK

 

Step 2

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort –D

OK

 

Step3

mysql -u snort -p -D snort -e "select count(*) from event"

OK – MySQL events number  increases (e.g. after ping)

 

Step 4

Kill snort process

kill barnyard2 process

 

Step 5

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Errors when generating Stub Rules

 

Step 6

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort –D

barnyard2 hangs for 2 minutes

 

Step 7

mysql -u snort -p -D snort -e "select count(*) from event"

MySQL events number  remains constant (e.g. after ping)

 

 

Any ideas?

 

Thanks a lot in advance for your cooperation.

 

 

 

 

Best regards

Alexej Teplitsky

 

WGM IT

 

+49 172 834 08 12

Skype: alexej.teplitsky

 

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/var/log/snort/barnyard2.waldo -g snort -u snort -D
-----------------------------------------------------------------------------------------------------------------------------------

Apr  7 16:59:45 at-desktop barnyard2[2499]: Running in Continuous mode
Apr  7 16:59:45 at-desktop barnyard2[2499]: 
Apr  7 16:59:45 at-desktop barnyard2[2499]:         --== Initializing Barnyard2 ==--
Apr  7 16:59:45 at-desktop barnyard2[2499]: Initializing Input Plugins!
Apr  7 16:59:45 at-desktop barnyard2[2499]: Initializing Output Plugins!
Apr  7 16:59:45 at-desktop barnyard2[2499]: Parsing config file "/etc/snort/barnyard2.conf"
Apr  7 16:59:45 at-desktop barnyard2[2499]: #012#012+[ Signature Suppress list ]+#012----------------------------
Apr  7 16:59:45 at-desktop barnyard2[2499]: +[No entry in Signature Suppress List]+
Apr  7 16:59:45 at-desktop barnyard2[2499]: ----------------------------#012+[ Signature Suppress
list ]+#012
Apr  7 16:59:45 at-desktop barnyard2[2499]: Barnyard2 spooler: Event cache size set to [2048] 
Apr  7 16:59:45 at-desktop barnyard2[2499]: Log directory = /var/log/barnyard2
Apr  7 16:59:45 at-desktop barnyard2[2499]: INFO database: Defaulting Reconnect/Transaction Error
limit to 10 
Apr  7 16:59:45 at-desktop barnyard2[2499]: INFO database: Defaulting Reconnect sleep time to 5 second 
Apr  7 16:59:45 at-desktop barnyard2[2499]: Initializing daemon mode
Apr  7 16:59:45 at-desktop barnyard2[2500]: Daemon initialized, signaled parent pid: 2499
Apr  7 16:59:45 at-desktop barnyard2[2500]: PID path stat checked out ok, PID path set to /var/run/
Apr  7 16:59:45 at-desktop barnyard2[2499]: Daemon parent exiting
Apr  7 16:59:45 at-desktop barnyard2[2500]: Writing PID "2500" to file "/var/run//barnyard2_NULL.pid"
Apr  7 16:59:45 at-desktop barnyard2[2500]: #012[CacheSynchronize()],INFO: No system was found in
cache (from signature map file), will not process or synchronize informations found in the database #012
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: compiled support for (mysql)
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: configured to use mysql
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: schema version = 107
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:           host = localhost
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:           user = snort
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:  database name = snort
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:    sensor name = at-desktop:NULL
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:      sensor id = 1
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:     sensor cid = 1
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:  data encoding = hex
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:   detail level = full
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:     ignore_bpf = no
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: using the "log" facility
Apr  7 16:59:45 at-desktop barnyard2[2500]: 
Apr  7 16:59:45 at-desktop barnyard2[2500]:         --== Initialization Complete ==--
Apr  7 16:59:45 at-desktop barnyard2[2500]: Barnyard2 initialization completed successfully (pid=2500)
Apr  7 16:59:45 at-desktop barnyard2[2500]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Apr  7 16:59:45 at-desktop barnyard2[2500]: Waiting for new spool file
Apr  7 17:02:35 at-desktop anacron[941]: Job `cron.daily' started
Apr  7 17:02:35 at-desktop anacron[2528]: Updated timestamp for job `cron.daily' to 2016-04-07

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/var/log/snort/barnyard2.waldo -g snort -u snort -D
---------------------------------------------------------------------------------------------------------------------------------

Apr  7 19:11:16 at-desktop barnyard2[2835]: Running in Continuous mode
Apr  7 19:11:16 at-desktop barnyard2[2835]: 
Apr  7 19:11:16 at-desktop barnyard2[2835]:         --== Initializing Barnyard2 ==--
Apr  7 19:11:16 at-desktop barnyard2[2835]: Initializing Input Plugins!
Apr  7 19:11:16 at-desktop barnyard2[2835]: Initializing Output Plugins!
Apr  7 19:11:16 at-desktop barnyard2[2835]: Parsing config file "/etc/snort/barnyard2.conf"
Apr  7 19:11:16 at-desktop barnyard2[2835]: #012#012+[ Signature Suppress list ]+#012----------------------------
Apr  7 19:11:16 at-desktop barnyard2[2835]: +[No entry in Signature Suppress List]+
Apr  7 19:11:16 at-desktop barnyard2[2835]: ----------------------------#012+[ Signature Suppress
list ]+#012
Apr  7 19:12:06 at-desktop barnyard2[2835]: Barnyard2 spooler: Event cache size set to [2048] 
Apr  7 19:12:06 at-desktop barnyard2[2835]: Log directory = /var/log/barnyard2
Apr  7 19:12:06 at-desktop barnyard2[2835]: INFO database: Defaulting Reconnect/Transaction Error
limit to 10 
Apr  7 19:12:06 at-desktop barnyard2[2835]: INFO database: Defaulting Reconnect sleep time to 5 second 
Apr  7 19:12:06 at-desktop barnyard2[2835]: Initializing daemon mode
Apr  7 19:12:06 at-desktop barnyard2[2840]: Daemon initialized, signaled parent pid: 2835
Apr  7 19:12:06 at-desktop barnyard2[2835]: Daemon parent exiting
Apr  7 19:12:06 at-desktop barnyard2[2840]: PID path stat checked out ok, PID path set to /var/run/
Apr  7 19:12:06 at-desktop barnyard2[2840]: Writing PID "2840" to file "/var/run//barnyard2_NULL.pid"
Apr  7 19:15:51 at-desktop barnyard2[2840]: [SystemPullDataStore()]: No System found in database ... 
Apr  7 19:15:51 at-desktop barnyard2[2840]: [ReferencePullDataStore()]: No Reference found in
database ... 
Apr  7 19:17:01 at-desktop CRON[2859]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
     https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
   <at> _/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2982.tar.gz....
Rules tarball download of snortrules-snapshot-2982.tar.gz....
	They Match
	Done!
Rules tarball download of community-rules.tar.gz....
IP Blacklist download of http://talosintel.com/feeds/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
Rules tarball download of opensource.gz....
	They Match
	Done!
Prepping rules from snortrules-snapshot-2982.tar.gz for work....
	Done!
Prepping rules from opensource.gz for work....
	Done!
Prepping rules from community-rules.tar.gz for work....
	Done!
Reading rules...
Generating Stub Rules....
	An error occurred: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
	An error occurred: WARNING: ip4 normalizations disabled because not inline.
	An error occurred: WARNING: tcp normalizations disabled because not inline.
	An error occurred: WARNING: icmp4 normalizations disabled because not inline.
	An error occurred: WARNING: ip6 normalizations disabled because not inline.
	An error occurred: WARNING: icmp6 normalizations disabled because not inline.
	Done
Reading rules...
Reading rules...
Writing Blacklist File /etc/snort/rules/iplists/black_list.rules....
Writing Blacklist Version 929247585 to /etc/snort/rules/iplistsIPRVersion.dat....
Setting Flowbit State....
	Enabled 9 flowbits
	Done
Writing /etc/snort/rules/snort.rules....
	Done
Generating sid-msg.map....
	Done
Writing v2 /etc/snort/sid-msg.map....
	Done
Writing /var/log/sid_changes.log....
	Done
Rule Stats...
	New:-------28143
	Deleted:---0
	Enabled Rules:----8332
	Dropped Rules:----0
	Disabled Rules:---19812
	Total Rules:------28144
IP Blacklist Stats...
	Total IPs:-----38945

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Attachment (4. snort.conf): application/octet-stream, 29 KiB
Attachment (5. barnyard2.conf): application/octet-stream, 13 KiB
Attachment (6. pulledpork.conf): application/octet-stream, 11 KiB
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Amul Patel | 11 May 07:33 2016
Picon

Help - How to isolate specific device communication connected on wlan0 interface with same subnet.

Hello Team,

I need help on isolation of devices connected on wlan0 interface.

consider devices are connected on wlan0 interface on same subnet.
ex 

device 1 :-192.168.1.9,
device 2:-192.168.1.10,
device 3:-192.168.1.15
wlan0 interface:- 192.168.1.1

Now I want device 1 and device 2 should not communicate, but device 1 and device 3 should communicate.
Can you help out How I can achieve this?

I tried "option isolate 1"  in /etc/config/wireless but  it restrict all the clients communication with each other.
But I want to restrict only specific clients communication.

I  checked firewall rules to drop the packets but device 1 to device 2 packets does not reach to firewall. looks its switching at L2 layer only hence firewall rule is not applicable.
I am using wireless adapter which is creating wlan0 interface using hostapd.


Thanks & Regards,
Amul Patel

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Hamid Rezaei | 9 May 08:11 2016
Picon
Gravatar

Snort Version 3.0.0-a4 doesn’t work in inline mode.

Hi guys.

I have been trying run snort in inline mode on FreeBSD with IPFW, but it doesn’t work and never printing alert or message. Snort3 correctly run in IDS mode and show alert. I just have a simple rule:

    drop icmp any any -> any any ( msg:"ICMP Packet Dropped"; sid:19769; rev:1; )


I changed and inserted below lines in my config file:

    HOME_NET = 'any'
    EXTERNAL_NET = 'any'
    daq =
    {
        type = 'ipfw',
        mode = 'inline',
    }
    ips =
    {
        mode = 'inline',
    }



And uncomment normalizer.

    normalizer = { }

 
then I ran snort with below options (inline mode):

    snort -c snort.lua -R sample.rules -A cmg -i em0 -Q
 

When I ran snort with -T option for test on the current configuration, everything is OK.

    --------------------------------------------------
    rule counts
           total rules loaded: 1
                   text rules: 1
                option chains: 1
                chain headers: 1
    --------------------------------------------------
    port rule counts
                 tcp     udp    icmp      ip
         any       0       0       1       0
        slow       0       0       1       0
       total       0       0       2       0
    --------------------------------------------------
    ipfw DAQ configured to inline.

    Snort successfully validated the configuration.
    o")~   Snort exiting

Any help is appreciated.

Thanks.​

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Glenn Fowler | 9 May 00:39 2016

Inline config won't pass DHCP

Hello all,

I have been trying  figure this out for a while now. Running 2.9.7.2 inline. If my modem is power cycled, the DHCP info (discover, offer, request, ack) will not pass through snort. No rules are fired. However, if I connect the modem directly to the router bypassing snort until the DHCP lease is established and then physically reconnect snort back inline, traffic flows fine. I can even then do a DHCP release and renew with snort inline and it works, so I know snort is passing that UDP traffic fine. 

My first though was to increase the UDP timeout from the default 30, because of the modem power-up time: preprocessor stream5_udp: timeout 180

After changing, the logs show:

Sun May  8 18:30:19 2016 daemon.notice snort[8460]:     UDP cache pruning timeout: 30 seconds
Sun May  8 18:30:19 2016 daemon.notice snort[8460]:     UDP cache nominal timeout: 180 seconds

I haven't found anywhere is change "UDP cache pruning timeout". Can this be changed or am I going completely in the wrong direction?

Any help appreciated...
Glenn




------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Akhil Koul | 8 May 15:55 2016
Picon

Snort NIDS configuration problems

I ran into the following error while configuring SNort to run in NIDS mode. I followed the exact procedure as mentioned in the installation guide.

  1. Running in Test mode
  2.  
  3.         --== Initializing Snort ==--
  4. Initializing Output Plugins!
  5. Initializing Preprocessors!
  6. Initializing Plug-ins!
  7. Parsing Rules file "/etc/snort/snort.conf"
  8. PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
  9. PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
  10. PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
  11. PortVar 'SSH_PORTS' defined :  [ 22 ]
  12. PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
  13. PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
  14. PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
  15. PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
  16. Detection:
  17.    Search-Method = AC-Full-Q
  18.     Split Any/Any group = enabled
  19.     Search-Method-Optimizations = enabled
  20.     Maximum pattern length = 20
  21. ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/app-detect.rules": No such file or directory.
  22.  
  23. Fatal Error, Quitting..

Any help is appreciated.

Thanks and Regards
Akhil Koul
------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
rohan dora | 6 May 06:45 2016
Picon

snort dns Preprocessor

Hell0 all,

I was browsing through the code of DNS Dynamic preprocessor(spp_dns.c) of Snort 2.9.1.

Objective

To count the number of DNS Queries that are made by my machine to DNS server(may be local/Remote doesn't matter).

Problem

Right now, DNS Dynamic preprocessor is able to track responses that are coming from DNS server to my machine,however it is not able to track/see the DNS queries that my machine makes.

I know that DNS Preprocessor is meant for analysing the responses of Remote server,But i added some code(Some if conditions,print statements) to track DNS queries.

Anyone ,having ideas what could be the problem or is this the right approach(modifying code in spp_dns.c) ?

Thanks


------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Gmane