Argcyborg | 8 Dec 17:48 2014

Daq module for Windows

Hi, is there a way to use Snort on Windows in inline mode?

I need Snort to be able to drop a packet with a specific string in it. Is that possible?

 

Windows 2003 x64 Enterprise

Snort 2.9.70

 

 

Thanks in advance

Best regards

 

Diego.

_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Eugeniu Babin | 8 Dec 17:01 2014

worms detection

Hi All,
I have a question regarding the possibility to catch worms activity by using SNORT.
Currently I have SNORT 2.9.7 (with a Personal subscription for rules, 29 USD/year) running and sniffing part of the network. I'm sure that some of the stations are infected with the Conficker worm (for example), but unfortunately my Snort is quiet about this.
So:
Q1: Is Snort capable of detecting worms like Conficker?
Q2: If yes, should I be able to identify worms with my Personal subscription?
Q3: Should I upgrade to a Business subscription?

Thank You,
Eugene

Colony.Three | 8 Dec 16:39 2014

ET SHELLCODE Possible Call with No Offset UDP Shellcode

Turns out that this is quite a mean little nasty:
https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2012/08/22/network-detection-...


-------- Original Message --------
Subject: ET SHELLCODE Possible Call with No Offset UDP Shellcode
Time (GMT): Dec 07 2014 22:41:31
From: Colony.Three <at> protonmail.ch
To: snort-users <at> lists.sourceforge.net

I picked up this interesting High Severity alert last night (sid 2012087), coming in to my TOR gateway.  I searched and searched but there doesn't seem to be a reference for these alerts.  rootedyour has never heard of it, and EMC has taken down networkforensics altogether.

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:1;)

Is there any way to investigate this further?
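One way to start the investigation asked for above, as an added example that is not from the thread or from the ET ruleset: it converts the rule's content: option into raw bytes the way Snort interprets it, then scans a datagram payload for that pattern and reports, for each hit, the offset and the bytes that follow it, which is what you look at to tell a real get-PC stub (call $+5 / pop eax) from a coincidental byte sequence in binary data. Both sample payloads are constructed, not captured traffic.

```python
import re

# The rule quoted in the thread (ET sid 2012087); only its content: option is used here.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; '
        'content:"|E8 00 00 00 00 58|"; fast_pattern:only; '
        'classtype:shellcode-detect; sid:2012087; rev:1;)')

# On x86 the six bytes decode as CALL rel32 with displacement 0 (its only effect
# is pushing the address of the next instruction) followed by POP EAX, i.e. the
# classic way position-independent code learns its own address.  The same bytes
# can also occur by chance in compressed or binary payloads, hence the triage.


def snort_content_to_bytes(spec: str) -> bytes:
    """Convert a Snort content: string into raw bytes.

    Text outside |...| is literal (backslash escapes for quote, semicolon
    and backslash are honoured); text inside |...| is space-separated hex.
    Each pipe character switches between the two modes.
    """
    out = bytearray()
    for i, seg in enumerate(spec.split('|')):
        if i % 2:                                   # odd segments are hex
            out += bytes.fromhex(seg.replace(' ', ''))
        else:
            out += re.sub(r'\\([";\\])', r'\1', seg).encode('latin-1')
    return bytes(out)


def contents_from_rule(rule: str) -> list:
    """Return every content: pattern of a rule, in order, as bytes."""
    return [snort_content_to_bytes(m)
            for m in re.findall(r'content:"((?:[^"\\]|\\.)*)"', rule)]


def find_offsets(payload: bytes, pattern: bytes) -> list:
    """All offsets at which pattern occurs in payload (overlaps included)."""
    hits, start = [], 0
    while (idx := payload.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def triage(payload: bytes, rule: str = RULE) -> list:
    """For each hit: the offset, the matched bytes and the 16 bytes after them."""
    report = []
    for pattern in contents_from_rule(rule):
        for off in find_offsets(payload, pattern):
            end = off + len(pattern)
            report.append({'offset': off,
                           'match': pattern.hex(' '),
                           'following': payload[end:end + 16].hex(' ')})
    return report


# Constructed samples: one datagram carrying the get-PC stub after 12 bytes of
# filler, and one plain-text datagram that must not match.
SUSPECT = b'A' * 12 + b'\xe8\x00\x00\x00\x00\x58' + b'C' * 24
BENIGN = b'GET /index.html HTTP/1.0\r\n\r\n'

if __name__ == '__main__':
    print(triage(SUSPECT))   # one hit at offset 12
    print(triage(BENIGN))    # []
```

To run it against a real alert, feed the UDP payload Snort logged (e.g. from the packet capture) to triage() in place of SUSPECT.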



Mark Greenman | 8 Dec 15:40 2014

snort daqs capabilities

Hi. I am new to snort and I am confused about some actions performed
by some daqs.
I am trying to use react rule option to block some applications (using
appid rule option) and send another web page instead.

Three scenarios were examined:
1- snort using pcap daq when listening on the interface connected to
the server network,
2- snort using pcap daq when listening on the interface connected to
the client network,
3- snort using nfq daq for extracting packets from a user space queue.

When pcap on the client side interface is used, the connection is
destroyed successfully and the webpage is sent to the client. How is
it possible for pcap to drop packets if it is not in inline mode? Or
is pcap running in inline mode?
When pcap on the server side interface is used, the connection is
destroyed again, but no webpage is sent to the client. What do you
think is the reason for that?
Finally, when nfq is used, the connection is again destroyed (which is
normal) but the page is not sent to the client. What is the reason for
this one?

Thank you very much
Mark.

Matheus Condi'ez | 6 Dec 01:16 2014

Re: pf_ring, openfpc, snort and snorby

So Kevin, yeah, I love Bro and will be running it as a guest VM (probably as a second sensor).

OK, so this is my new plan (no pf_ring):
Red Hat server running OpenFPC and VBox.

Fedora guest running Snort (with this new AppID thing!)

Security Onion guest running Bro.

I'm going to put a Splunk forwarder on the guests and also get Snort to write to the Snorby DB.

On 6/12/2014 12:25 PM, "Kevin Ross" <kevross33 <at> googlemail.com> wrote:
And also, you should give Bro IDS a try to complement Snort with lots of metadata, and use scripts like this https://github.com/sooshie/bro-scripts/blob/master/2.2-scripts/vt_check.bro in order to check certain file types automatically to see if VirusTotal has seen them.

You could then index your snort and bro logs into something like an ELK install or ELSA https://www.youtube.com/watch?v=INRJZ3_Dsyc and https://www.youtube.com/watch?v=d4rINH22MYo

I find Bro provides great metadata around a connection (connections, HTTP information, file types returned, email metadata, self-signed certs and so on). Also, for the amount of metadata you get, I find it provides a great longer-term option for analysis if you are looking at something which has already been rotated out of your PCAPs.


Kind Regards,
Kevin Ross

On 3 December 2014 at 03:52, Matheus Condi'ez <conma293 <at> gmail.com> wrote:
In short, after many builds of snort sensors I am about to start off on a new journey of discovery which will potentially send me mad.

My goal is to create a sensor(s) which runs OpenFPC on PF_Ring native, with snort sitting on top as a guest vm.

Has anyone had any experience with PF_Ring and snort, or PF_Ring and snort?

I am aware that I will have to patch PF_Ring onto both the host and the guest OS for this to work.

I am also aware that I will most likely have to build and configure OpenFPC and/or Snort as PF_Ring aware.

If I do this but then attempt to run a version of Snort and/or OpenFPC that is not configured to handle PF_Ring, will it take it?



Finally, I want to send all this information to a centralised Snorby GUI, so another question is: how do I get Snorby to differentiate between different sensor IPs to grab the pcaps from the different OpenFPC instances?

I'm sure someone has been overly ambitious and has attempted some, if not all, of this before.

Any guidance would be much appreciated.

-conma

Andre DiMino | 5 Dec 18:36 2014

Error 500 today?

Everything worked fine up until this morning.  Now I see:

"Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2962.tar.gz.md5 at /home/xxx/xxx/pulledpork-0.7.0/pulledpork.pl line 463.

main::md5file('my_oinkcode', 'snortrules-snapshot-2962.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /home/xxx/xxx/pulledpork-0.7.0/pulledpork.pl line 1847"

Any thoughts?
-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
Heine Lysemose | 5 Dec 19:19 2014

Re: Cert error on snort.org

Oh, Joel Esler has just announced an issue with the site, and that's probably what you are experiencing...

So disregard my previous post.

Regards,
Lysemose

On Dec 5, 2014 7:16 PM, "Heine Lysemose" <lysemose <at> gmail.com> wrote:

Hi

I don't.
The certificate is issued to snort.org but has the DNS name www.snort.org in it as well, in the Subject Alternative Name field.

What certificate is Chrome presenting you?

Regards,
Lysemose

On Dec 5, 2014 6:54 PM, "Michael Wisniewski" <wiz561 <at> gmail.com> wrote:
All,

I was wondering if anybody else is getting certificate errors from
snort.org.  When accessing...

https://www.snort.org

I get...

NET::ERR_CERT_COMMON_NAME_INVALID

with chrome.  With pulled pork, I'm getting this Error 500...

Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<<api>>
https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/<<api>>
==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 463.
main::md5file('<api>', 'snortrules-snapshot-2970.tar.gz', '/tmp/',
'https://www.snort.org/reg-rules/') called at
/usr/local/bin/pulledpork.pl line 1847

Joel Esler (jesler | 5 Dec 19:03 2014

Snort.org

We are currently working with Snort.org, sorry for the immediate notice.  We need to make some network changes to the site, and during this time you may receive some SSL errors on access or download.  We apologize for the inconvenience.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

Attachment (smime.p7s): application/pkcs7-signature, 6594 bytes
Michael Wisniewski | 5 Dec 18:52 2014

Cert error on snort.org

All,

I was wondering if anybody else is getting certificate errors from
snort.org.  When accessing...

https://www.snort.org

I get...

NET::ERR_CERT_COMMON_NAME_INVALID

with chrome.  With pulled pork, I'm getting this Error 500...

Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<<api>>
https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/<<api>>
==> 500 Can't connect to www.snort.org:443 (certificate verify failed)
Error 500 when fetching
https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5 at
/usr/local/bin/pulledpork.pl line 463.
main::md5file('<api>', 'snortrules-snapshot-2970.tar.gz', '/tmp/',
'https://www.snort.org/reg-rules/') called at
/usr/local/bin/pulledpork.pl line 1847

Anshuman Anil Deshmukh | 5 Dec 06:47 2014

Multiple errors on Snort

Hi,

 

I recently upgraded my working setup of Snort from version 2.9.6.1 to version 2.9.7.0. After upgrading I am facing the following issues.

 

1.       I cannot update the so_rules via pulledpork. It does not even work if I try to dump the so_rules manually. It is picking up a weird path (the same as mentioned in the thread http://seclists.org/snort/2013/q4/126). It is said in this thread to touch or copy. I couldn't understand what exactly needs to be done. What is the resolution to it? I already copied the required .so files so that the dump dynamic option works. On which files am I supposed to do the touch?

2.       If I try to disable the so_rule configuration within snort.conf and pulledpork.conf, it gives me error “ERROR: /etc/snort/snort.conf(373) => Too many parameters for option in Session config.” 

 

Please suggest what should be done to resolve the issue.

 

 

Regards,

Anshuman


Praveen D | 3 Dec 18:01 2014

Comparison of extracted value between packets

In a flowbit-based rule, is it possible to extract a value from packet A and compare it (byte_test) with a value in packet B?

Best Regards,
Praveen Darshanam