Carter Waxman (cwaxman) | 4 Apr 17:37 2014

Re: profiling

Percent of total indicates the percentage of time spent in the particular
preprocessor / phase of detection. If you add all of the values together,
then you will get a value greater than 100. Processing is performed using
a hierarchy, so percent of total will include time for the layer + time
spent in sub-layers. Layer simply refers to the depth of calls. For
example, for s5TcpData, the call hierarchy is s5->s5tcp->s5TcpState (layer
0->1->2).

This should help clarify things:
https://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf

On 4/4/14 10:43 AM, "simegnew yihunie" <syihunie <at> gmail.com> wrote:

>Thanks.
>Do you have any idea what the columns "percent of total" and "layer"
>stand for? It is more than 100 when I add all.
>Sincerely,
>Sy.
>
>On 4/3/14, Carter Waxman (cwaxman) <cwaxman <at> cisco.com> wrote:
>> Hello,
>>
>> You are correct. All of the statistics you listed track Stream5.
>>
>> -Carter
>>
>> On 4/3/14 10:33 AM, "simegnew yihunie" <syihunie <at> gmail.com> wrote:
>>
>>>Hey Guys,
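Carter's point that "Percent of total" is inclusive (a layer plus every sub-layer beneath it) is easy to check programmatically. The following is an added example, not code from the thread or from Snort: it parses a constructed profile table laid out like Snort's "Preprocessor Profile Statistics" output (the numbers are invented but consistent), rebuilds the s5 -> s5tcp -> s5TcpState/s5TcpFlush hierarchy from the Layer column, and derives an exclusive share per row so the figures no longer double-count.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the column layout of Snort's "Preprocessor Profile
# Statistics" table; the numbers are invented but internally consistent.
SAMPLE = """\
 Num   Preprocessor Layer Checks  Exits  Microsecs Avg/Check Pct of Caller Pct of Total
 ===   ============ ===== ======  =====  ========= ========= ============= ============
   1         decode     0  10000  10000     500000     50.00         10.00        10.00
   2             s5     0   8000   8000    3000000    375.00         60.00        60.00
    1         s5tcp     1   6000   6000    2400000    400.00         80.00        48.00
     1   s5TcpState     2   6000   6000     600000    100.00         25.00        12.00
     2   s5TcpFlush     2   1000   1000     300000    300.00         12.50         6.00
"""

@dataclass
class Node:
    name: str
    layer: int
    pct_total: float                 # inclusive: this layer plus all its sub-layers
    children: list = field(default_factory=list)

# Num, name, layer, checks, exits, microsecs, avg/check, pct of caller, pct of total
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+[\d.]+\s+[\d.]+\s+([\d.]+)\s*$")

def parse_profile(text):
    """Return the layer-0 nodes; each deeper row hangs off the nearest shallower row above it."""
    roots, stack = [], []            # stack[i] = most recent row seen at layer i
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        node = Node(m.group(1), int(m.group(2)), float(m.group(3)))
        del stack[node.layer:]       # pop anything at this depth or deeper
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)
    return roots

def walk(nodes):
    for n in nodes:
        yield n
        yield from walk(n.children)

def exclusive_pct(node):
    """Time spent in this layer alone: inclusive figure minus what its sub-layers report."""
    return round(node.pct_total - sum(c.pct_total for c in node.children), 2)

def summarize(text):
    """(naive sum of the Pct of Total column, {preprocessor: exclusive percent})."""
    roots = parse_profile(text)
    naive_sum = round(sum(n.pct_total for n in walk(roots)), 2)
    return naive_sum, {n.name: exclusive_pct(n) for n in walk(roots)}
```

For the sample, summarize(SAMPLE) reports a naive column sum of 136.0 (the "more than 100" effect), while the exclusive shares add up to 70.0, exactly the total of the two layer-0 rows.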

ped | 4 Apr 13:42 2014

Snort 2.9.6 doesn't alert using subscribed VRT ruleset but with ETOpen


I have subscribed to Snort VRT and received the latest rule set (snortrules-snapshot-2956.tar.gz). I installed Snort from source using the guide at http://www.snort.org/assets/158/snortinstallguide293.pdf for Ubuntu 12.04 LTS.

I found Snort does not alert on sample malicious requests, i.e. DT to ../../../etc/passwd, curl www.testmyids.com, or a portscan, using the VRT ruleset. So then I added the ETOpen ruleset and it started to alert on the above requests (curl www.testmyids.com, sample ping in local.rules, DNS attack):

04/03-11:32:47.780946  [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:44591
04/03-11:47:28.034106  [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} X.X.X.X -> Y.Y.Y.Y
04/03-12:01:12.771472  [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:39613 -> Y.Y.Y.Y:53

As it is the first time I am using VRT (I used ET before and it worked quite well),

[*] Is this normal behavior, not to alert on the above events?
[*] If not, is there any configuration I need to set for VRT to work? Here is my snort.conf [https://clbin.com/B8Ikl]

Ped
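One quick way to see which rule source each of those alerts came from is to group them by SID. The following is an added example, not code from the thread or from Snort: it parses fast-alert lines like the three quoted above and counts them per ruleset; the SID-range boundaries it uses are my assumption about the usual numbering convention, not something the post states.

```python
import re
from collections import Counter

# The three fast-alert lines quoted in the post above, used as sample input.
SAMPLE_ALERTS = """\
04/03-11:32:47.780946  [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:44591
04/03-11:47:28.034106  [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} X.X.X.X -> Y.Y.Y.Y
04/03-12:01:12.771472  [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:39613 -> Y.Y.Y.Y:53
"""

# Snort "alert_fast" line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and the address pair.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def ruleset_for_sid(sid):
    """Map a SID to its rule source by the usual SID-range convention (an assumption,
    not something the thread states): Talos/VRT below 1,000,000, ET open
    2,000,000-2,099,999, ET's GPL set 2,100,000-2,199,999, anything else local/custom."""
    if sid < 1_000_000:
        return "VRT/Talos"
    if 2_000_000 <= sid < 2_100_000:
        return "ET open"
    if 2_100_000 <= sid < 2_200_000:
        return "ET GPL"
    return "local/custom"

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = FAST_ALERT.match(line.rstrip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        alert[key] = int(alert[key])
    alert["ruleset"] = ruleset_for_sid(alert["sid"])
    return alert

def summarize_alerts(text):
    """Alerts per rule source: shows at a glance whether any VRT SID has fired at all."""
    return Counter(a["ruleset"] for a in map(parse_alert, text.splitlines()) if a)
```

Run on the three lines above, summarize_alerts reports one ET GPL, one ET open and one local alert, and nothing in the VRT/Talos range.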

 


 
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
stephanie sokhn | 3 Apr 18:07 2014

No alerts

Hello,
I'm using Snort for the first time on Ubuntu 12.04 and I have a problem with inline mode.
I have a one-NIC laptop.
Using:
iptables -I INPUT -j NFQUEUE --queue-num 1
And the DAQ nfq:
snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort.conf

Error: can't initialize DAQ nfq (-1) nfq_daq_initialize: nf queue creation failed.

Note that when I don't configure iptables, Snort launches but fails to alert, drop packets, or even log.

Help!! :/
Stephany

Gierczak, Stan | 3 Apr 17:38 2014

BarnYard2 Start issue.

Having an issue starting BarnYard2.

First time install.  Getting this error message when starting BarnYard2:

root <at> rlicsnortids:/# service barnyard2 start

/etc/init.d/barnyard2: 2: /etc/init.d/barnyard2: .#!/bin/sh: not found

$Starting Snort Output Processor (barnyard2): /etc/init.d/barnyard2: 30: /etc/init.d/barnyard2: barnyard2: not found

 

Any help appreciated.

Thanks

Stan

Teo En Ming | 3 Apr 15:11 2014

Re: Newest Version Snort 2.9.6 +ACID +Jpgraph + Adodb

You can download AlienVault OSSIM 4.6.0 here:

http://downloads.alienvault.com/c/download?version=current_ossim_iso

It's a Debian Linux operating system.

-- Yours sincerely, Teo En Ming

On 03/04/2014 22:46, webmaster wrote:
Dear Teo,
Can you give me a link where to download OSSIM 4.3.4.
Thanks
Lampk
 
 
From: Teo En Ming
Date: 2014-04-03 19:20
Subject: Re: [Snort-users] Newest Version Snort 2.9.6 +ACID +Jpgraph + Adodb
I can help you but Snort won't be using my mysql and BASE or ACID. I will help you integrate Snort 2.9.6.0 with AlienVault OSSIM 4.3.4.

-- Yours sincerely, Teo En Ming

On 03/04/2014 18:43, webmaster wrote:
 Hello,
Can anyone help me set up an IDS with the newest version of Snort 2.9.6.0 and ACID, Jpgraph?
I tried to find a solution on the internet without success. Those tutorials are out of date; the Snort version is too old.
I do not know how to connect MySQL with the newest Snort 2.9.6.0.
Thanks a lot.
Lampk
 
 


simegnew yihunie | 3 Apr 16:38 2014

profiling

Hey Guys,
I enabled profiling of preprocessors and tested Snort. In the
table there are s5, s5tcpState, s5tcpFlush, s5tcpProcessRebuilt,
s5tcpBuildPacket, s5tcpData, s5tcpPacketInsert, s5tcpNewSess. Are all
of these stream preprocessors or something else? Does anyone have any idea about
this preprocessor layer?
Sincerely,
S.y



simegnew yihunie | 3 Apr 16:24 2014

profiling

Hey Guys,
When I


Teo En Ming | 3 Apr 13:25 2014

Re: Unable to add port mirroring iptables commands to Buffalo DD-WRT wireless router

Dear Bill Parker,

I can't find any dd-wrt mailing list. Could you provide me with the URL/link to the dd-wrt mailing list subscription page?

Thank you very much.

-- Yours sincerely, Teo En Ming

On 03/04/2014 01:39, Bill Parker wrote:
In searching the DD-WRT mailing list as of October 2013:

Different builds have different iptables modules and it appears that your build is missing the ROUTE target module. Try a recent build for your model and see if it has been included, if not then ask for it on trac.

You may need to get updated firmware, and since you now have a DD-WRT router, I'd also suggest subscribing to the DD-WRT mailing list for the latest information.

Bill


On Wed, Apr 2, 2014 at 10:17 AM, Bill Parker <wp02855 <at> gmail.com> wrote:
I'll have to research this; the tee command may have been modified from the version of iptables I have in my firmware.


On Wed, Apr 2, 2014 at 9:09 AM, Teo En Ming <teo.en.ming <at> gmail.com> wrote:
Dear Bill Parker,

root <at> DD-WRT:~# iptables -V
iptables v1.3.7


-- Yours sincerely, Teo En Ming
On 03/04/2014 01:11, Bill Parker wrote:
I will need to do some research on this. What version of iptables does the router have in its firmware?

iptables -V or iptables -v

Bill


On Wed, Apr 2, 2014 at 7:19 AM, Teo En Ming <teo.en.ming <at> gmail.com> wrote:
Dear Bill Parker,

I just bought my Buffalo DD-WRT wireless router today. The model is WZR-HP-G300NH2.

I flashed the firmware of the Buffalo wireless router to the latest DD-WRT v24 SP2 29 Mar 2014 Build 23838.

When I tried to execute the 2 iptables commands in your guide, the iptables rules were not inserted into the mangle table.

===DD-WRT console===

teo-en-ming <at> ubuntu-13:~$ ssh -l root 192.168.1.1
DD-WRT v24-sp2 std (c) 2014 NewMedia-NET GmbH
Release: 03/29/14 (SVN revision: 23838)
root <at> 192.168.1.1's password:
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24-sp2
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.22.1 (2014-03-29 04:46:44 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root <at> DD-WRT:~# iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.40 --tee
root <at> DD-WRT:~# iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.40 --tee
root <at> DD-WRT:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       0    --  anywhere 227.63.156.175.unknown.m1.com.sg  MARK or 0x80000000
CONNMARK   0    --  anywhere             anywhere CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root <at> DD-WRT:~# uname -a
Linux DD-WRT 3.10.35-rc1 #7178 Sat Mar 29 04:45:44 CET 2014 mips GNU/Linux
root <at> DD-WRT:~# which gcc
root <at> DD-WRT:~# which make

===End of DD-WRT console===

How do I rectify this problem?

Thank you very much.

--
Yours sincerely,

Teo En Ming








Angel Chiriboga | 2 Apr 16:12 2014

Error mapping some Snort events

Hi,

 

I need your support; I have problems with the mapping of some Snort events.

I use barnyard2 to send the events to ArcSight and MySQL (Snorby), but the "message" of some events doesn't arrive correctly. The events with errors arrive in the following way:

Snort Alert [x:xxxx:x]

I use PulledPork to update the sid-msg.map every Sunday, and my barnyard2 script runs correctly.

 

Thanks for your help.

 

Regards.

 

Ángel Chiriboga Torres | Security Specialist

Tel: (593 2) 2868-931

Cel: (593) 995093859  - (593) 958847386

http://www.digitalsecurity.com.ec

 

Teo En Ming | 2 Apr 16:19 2014

Unable to add port mirroring iptables commands to Buffalo DD-WRT wireless router

Dear Bill Parker,

I just bought my Buffalo DD-WRT wireless router today. The model is 
WZR-HP-G300NH2.

I flashed the firmware of the Buffalo wireless router to the latest 
DD-WRT v24 SP2 29 Mar 2014 Build 23838.

When I tried to execute the 2 iptables commands in your guide, the 
iptables rules were not inserted into the mangle table.

===DD-WRT console===

teo-en-ming <at> ubuntu-13:~$ ssh -l root 192.168.1.1
DD-WRT v24-sp2 std (c) 2014 NewMedia-NET GmbH
Release: 03/29/14 (SVN revision: 23838)
root <at> 192.168.1.1's password:
==========================================================

  ____  ___    __        ______ _____         ____  _  _
  | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
  || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
  ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
  |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                        DD-WRT v24-sp2
                    http://www.dd-wrt.com

==========================================================

BusyBox v1.22.1 (2014-03-29 04:46:44 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root <at> DD-WRT:~# iptables -A PREROUTING -t mangle -j ROUTE --gw 
192.168.1.40 --tee
root <at> DD-WRT:~# iptables -A POSTROUTING -t mangle -j ROUTE --gw 
192.168.1.40 --tee
root <at> DD-WRT:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       0    --  anywhere 227.63.156.175.unknown.m1.com.sg  MARK or 
0x80000000
CONNMARK   0    --  anywhere             anywhere CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root <at> DD-WRT:~# uname -a
Linux DD-WRT 3.10.35-rc1 #7178 Sat Mar 29 04:45:44 CET 2014 mips GNU/Linux
root <at> DD-WRT:~# which gcc
root <at> DD-WRT:~# which make

===End of DD-WRT console===

How do I rectify this problem?

Thank you very much.

-- 
Yours sincerely,

Teo En Ming
