SnortFan | 28 Mar 17:44 2014

Question about xls trigger

Hi All,

I'm seeing a lot of false positives with Excel files and I think the problem has to do with the way flowbits sets .xls files. Both SID 15463 and 19166 set 'file.xls', however it seems that 15463 is unnecessary considering 19166. Under what circumstances would 15463 be effective while 19166 fails? Are there any reasons to keep both rules active rather than suppressing 15463?

SID 15463
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xls"; fast_pattern:only; http_uri; pcre:"/\x2exls([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xls; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.xlsFile_formats; classtype:misc-activity; sid:15463; rev:16;)

SID 19166
tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Office Excel file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0|"; depth:4; content:"W|00|o|00|r|00|k|00|b|00|o|00|o|00|k|00|"; fast_pattern:only; flowbits:set,file.xls; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:19166; rev:13;)

I'm using ips_policy=security in my pulledpork.  

Thanks,
Ed

Sent from a mobile device. 
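As an added illustration (example code, not from the thread or from the Snort rule set), here is a Python model of the two rule conditions quoted above, run over constructed request/response pairs. 15463 keys on the request URI while 19166 keys on the response body (OLE2 magic plus the UTF-16 "Workbook" stream name), so each can set file.xls in cases where the other does not; the sample bodies are constructed stand-ins, not real Excel files.

```python
import re

# SID 15463 inspects the HTTP request URI: content ".xls" plus
# pcre "/\x2exls([\?\x5c\x2f]|$)/smiU"  (\x2e = '.', \x5c = '\', \x2f = '/').
XLS_URI_RE = re.compile(rb"\.xls([?\\/]|$)", re.I | re.M | re.S)

# SID 19166 inspects the response body (file_data): OLE2 magic in the first
# 4 bytes (depth:4) and the UTF-16LE stream name "Workbook" anywhere after it.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"
WORKBOOK_UTF16 = "Workbook".encode("utf-16-le")


def sid_15463_matches(uri: bytes) -> bool:
    """Request side: '.xls' in the URI followed by '?', '\\', '/' or end of URI."""
    return b".xls" in uri.lower() and XLS_URI_RE.search(uri) is not None


def sid_19166_matches(body: bytes) -> bool:
    """Response side: OLE2 compound file whose body names a Workbook stream."""
    return body[:4] == OLE2_MAGIC and WORKBOOK_UTF16 in body


def file_xls_sources(uri: bytes, body: bytes) -> set:
    """Return the SIDs that would set flowbits file.xls for this exchange."""
    hits = set()
    if sid_15463_matches(uri):
        hits.add(15463)
    if sid_19166_matches(body):
        hits.add(19166)
    return hits


# Constructed sample bodies (not real files): an OLE2-looking blob that names a
# Workbook stream, an HTML error page, and a ZIP container (what .xlsx really is).
OLE2_WORKBOOK = OLE2_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 24 + WORKBOOK_UTF16
HTML_ERROR = b"<html><body>404 Not Found</body></html>"
ZIP_BODY = b"PK\x03\x04" + b"\x00" * 26 + b"xl/workbook.xml"

SAMPLES = {
    "named .xls, real workbook": (b"/reports/q1.xls", OLE2_WORKBOOK),
    "script URL, real workbook": (b"/export.php?id=7", OLE2_WORKBOOK),
    "named .xls, HTML error page": (b"/reports/q1.xls", HTML_ERROR),
    ".xlsx (zip), no OLE2 magic": (b"/reports/q1.xlsx", ZIP_BODY),
}

if __name__ == "__main__":
    for label, (uri, body) in SAMPLES.items():
        sids = sorted(file_xls_sources(uri, body)) or "nothing"
        print(f"{label:30s} -> file.xls set by {sids}")
```

The third sample is the case to keep in mind when judging false positives: a URI ending in .xls sets the flowbit even when the body that comes back is not an Excel file at all.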
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Joe Evango | 28 Mar 16:42 2014

Error 403 when downloading rules with pulledpork

Hello,

Been testing snort in a new environment with pulledpork as a registered user. I purchased a subscription yesterday and now when I attempt to download rules using pulled pork I receive the error below:

Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz.md5 at /usr/bin/pulledpork.pl line 458
main::md5file('<MyOinkcode>', 'snortrules-snapshot-2956.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1782

I attempted to download this ruleset from:

http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/<MyOinkcode>

and had no issues. Found posts regarding this error and pulled pork, but those posts also contained additional wording regarding a 15-minute timeout; that piece is not in my error.

Anyone seen this issue before?

Thank you,

Joe

Fernando Cardoso | 28 Mar 16:00 2014

ERSPAN

Hello,

I'm using Snort version 2.9.6.0 GRE (Build 47) on an Ubuntu Server to sniff ERSPAN traffic.
Snort output shows me the entire packet for many different VLANs, but the source and destination addresses are the same ones configured in my switch session.
Sniffing example running snort:
snort -X -i eth1
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/28-11:37:15.569789 10.199.11.1 -> 10.200.10.10
GRE TTL:255 TOS:0x0 ID:900 IpLen:20 DgmLen:84 DF
0x0000: 00 50 56 91 06 B7 54 7F EE 96 AC 7C 08 00 45 00  .PV...T....|..E.
0x0010: 00 54 03 84 40 00 FF 2F 65 02 0A C7 C7 01 0A 64  .T..@../e......d
0x0020: 36 C8 10 00 88 BE 32 4E CB 44 12 6B 00 01 00 01  6.....2N.D.k....
0x0030: 00 00 02 0A BD 00 00 00 02 0A BE 00 00 00 89 03  ................
0x0040: 40 20 00 B0 D1 34 32 31 00 50 56 91 72 E3 81 00  @ ...421.PV.r...
0x0050: 02 6B 08 00 45 00 00 28 67 D8 40 00 40 06 E8 6A  .k..E..(g.@.@..j
0x0060: 0A FC 13 05 BA DF 11 AD 1F 90 C6 6E 81 51 5B D9  ...........n.Q[.
0x0070: 6E 90 0F 3E 50 10 00 F2 83 5D 00 00 00 00 00 00  n..>P....]......
                              ..
Where 10.199.11.1 is my source and 10.200.10.10 is my destination in my session configuration.

When I use tools like tshark and gulp I can see the right source and dest, not only the source and dest from GRE.

My switch is a nexus 5k and my config is something like this:
session 1 
--------------- 
type              : erspan-source 
state             : up 
erspan-id         : 1 
vrf-name          : default 
destination-ip    : 10.200.10.10 
ip-ttl            : 255 
ip-dscp           : 0 
origin-ip         : 10.199.11.1 (global) 
source intf       : 
    rx            : 
    tx            : 
    both          : 
source VLANs      : 
    rx            : 10,50,100-150


My question is, can snort show the IP address dest and source from the decapsulated ERSPAN like tshark and gulp?
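As an added example (not from the thread and not Snort's decoder), a small Python walk of the frame dumped above: outer Ethernet, IPv4, GRE, the 8-byte ERSPAN type II header, then the mirrored frame down to its own IP header and ports. It assumes the inner ethertype 0x8903 is a Cisco FabricPath wrapper (outer MACs, ethertype, 2-byte FTag/TTL) around the original frame, which is how the dump lines up; note also that the outer addresses in the hex bytes decode to 10.199.199.1 -> 10.100.54.200 rather than the values in the summary line, so the bytes were evidently edited before posting.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4, ETH_VLAN, ETH_FABRICPATH = 0x0800, 0x8100, 0x8903
GRE_ERSPAN_II, IPPROTO_GRE = 0x88BE, 47

# Frame bytes re-typed from the hex dump in the post above (128 bytes).
FRAME = bytes.fromhex(
    "00505691 06B7547F EE96AC7C 08004500 00540384 4000FF2F 65020AC7 C7010A64"
    "36C81000 88BE324E CB44126B 00010001 0000020A BD000000 020ABE00 00008903"
    "402000B0 D1343231 00505691 72E38100 026B0800 45000028 67D84000 4006E86A"
    "0AFC1305 BADF11AD 1F90C66E 81515BD9 6E900F3E 501000F2 835D0000 00000000"
)

def parse_ethernet(buf, off):
    """Ethernet II header, unwrapping one 802.1Q tag. Returns (ethertype, vlan, next_off)."""
    (etype,) = struct.unpack_from("!H", buf, off + 12)
    off, vlan = off + 14, None
    if etype == ETH_VLAN:
        tci, etype = struct.unpack_from("!HH", buf, off)
        vlan, off = tci & 0x0FFF, off + 4
    return etype, vlan, off

def parse_ipv4(buf, off):
    """IPv4 header (IHL honoured). Returns (src, dst, protocol, next_off)."""
    ihl = (buf[off] & 0x0F) * 4
    src = str(IPv4Address(buf[off + 12:off + 16]))
    dst = str(IPv4Address(buf[off + 16:off + 20]))
    return src, dst, buf[off + 9], off + ihl

def parse_gre(buf, off):
    """GRE header: checksum, key and sequence fields are present per the C/K/S flag bits."""
    flags, proto = struct.unpack_from("!HH", buf, off)
    length = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return proto, off + length

def decapsulate_erspan(frame):
    """Walk outer Ethernet/IPv4/GRE/ERSPAN-II and return the mirrored packet's addresses."""
    etype, _, off = parse_ethernet(frame, 0)
    if etype != ETH_IPV4: raise ValueError("outer frame is not IPv4")
    outer_src, outer_dst, proto, off = parse_ipv4(frame, off)
    if proto != IPPROTO_GRE: raise ValueError("outer packet is not GRE")
    gre_proto, off = parse_gre(frame, off)
    if gre_proto != GRE_ERSPAN_II: raise ValueError("GRE payload is not ERSPAN type II")
    # ERSPAN II header: Ver(4) VLAN(12) COS(3) En(2) T(1) Session(10) | Reserved(12) Index(20)
    word0, word1 = struct.unpack_from("!HH", frame, off)
    version, erspan_vlan, session = word0 >> 12, word0 & 0x0FFF, word1 & 0x03FF
    etype, vlan, off = parse_ethernet(frame, off + 8)
    if etype == ETH_FABRICPATH:
        # Assumption: Cisco FabricPath wraps the original frame in outer MACs, ethertype
        # 0x8903 and a 2-byte FTag/TTL; skipping those reaches the original Ethernet header.
        etype, vlan, off = parse_ethernet(frame, off + 2)
    if etype != ETH_IPV4: raise ValueError(f"unhandled inner ethertype 0x{etype:04x}")
    inner_src, inner_dst, inner_proto, off = parse_ipv4(frame, off)
    sport, dport = struct.unpack_from("!HH", frame, off)  # first two TCP/UDP fields
    return dict(outer_src=outer_src, outer_dst=outer_dst, erspan_version=version,
                erspan_session=session, erspan_vlan=erspan_vlan, vlan=vlan,
                inner_src=inner_src, inner_dst=inner_dst, inner_proto=inner_proto,
                sport=sport, dport=dport)
```

Running `decapsulate_erspan(FRAME)` on this dump yields the mirrored flow 10.252.19.5:8080 -> 186.223.17.173:50798 on VLAN 619, which is what the outer GRE addresses hide.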


Anshuman Anil Deshmukh | 27 Mar 19:11 2014

Invalid login attempts

Hi,

We have a Snort test setup. We are using the free set of signatures (from Snort & ET) with Snort version 2.9.5 GRE – Build 103. Signatures were recently updated, say 3-4 days ago. We are updating signatures using the pre-defined rule set “Security” (Security over connectivity).

We have one question regarding detection of invalid login attempts for SonicWall. Does Snort have signatures for detecting invalid login attempts to a SonicWall SSL VPN box (say for invalid login attempts while connecting to the VPN, or somebody trying to brute-force the VPN box for admin credentials, both)? If yes, are signatures for it available in the free set of signatures from Snort & ET? This question is because recently we have observed that Snort was unable to detect both of these activities.

Please let me know if there is any other information needed from my side to answer my question.

Thanks.

Regards,

Anshuman



stephanie sokhn | 27 Mar 18:02 2014

Neutralization of an IPS

Hello,
I'm a student and I'm working on finding known vulnerabilities of an IPS so I could come up with solutions later on (detection by deception).
Does anyone have an idea about the subject?

Stephanie

Balasubramaniam Natarajan | 27 Mar 17:54 2014

Diff between max_queue and log (README.event_queue)

Hi

Could someone please explain the difference between max_queue and log? I don't understand what is meant by "only 8 events will be stored for a single packet or stream". So if we have 8 defined for max_queue and 3 for log, would that mean snort will log just 3 out of the 8 events which got triggered for that packet/stream?

https://github.com/jasonish/snort/blob/master/doc/README.event_queue

max_queue
----------

This determines the maximum size of the event queue. For example, if the
event queue has a max size of 8, only 8 events will be stored for a single
packet or stream.

The default value is 8.

log
---

This determines the number of events to log for a given packet or stream.
You can't log more than the max_event number that was specified.

The default value is 3.


--
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com
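To make the two settings concrete, an added simplified model of the per-packet event queue (example code, not Snort's own implementation): at most max_queue events are kept for one packet or stream, they are ranked by order_events, and only the first log of them are written. The SIDs, priorities and content lengths are constructed, and how Snort breaks ties or drops matches once the queue is full is simplified here.

```python
from dataclasses import dataclass

# snort.conf equivalent of the README defaults quoted in the post:
#   config event_queue: max_queue 8 log 3 order_events content_length


@dataclass(frozen=True)
class Event:
    sid: int
    priority: int      # from classtype: 1 = high, 4 = low (lower number ranks first)
    content_len: int   # length of the rule's longest content match


def process_packet(triggered, max_queue=8, log=3, order_events="content_length"):
    """Return (queued, logged) for one packet or stream.

    queued: the events that fit in the queue, in the order the queue ranks them.
    logged: the prefix of that list that is actually written to the output plugins.
    """
    # The queue is capped in trigger order: once it holds max_queue events,
    # later matches for the same packet/stream do not get in.
    queued = list(triggered)[:max_queue]
    if order_events == "priority":
        queued.sort(key=lambda e: e.priority)                   # highest priority first
    elif order_events == "content_length":
        queued.sort(key=lambda e: e.content_len, reverse=True)  # longest content first
    else:
        raise ValueError(f"unknown order_events: {order_events}")
    # log cannot exceed max_queue, so at most min(log, max_queue) events are written.
    return queued, queued[:min(log, max_queue)]


def logged_sids(triggered, **cfg):
    """Convenience: just the SIDs that would be logged under the given config."""
    return [e.sid for e in process_packet(triggered, **cfg)[1]]


# Five constructed local rules (SIDs >= 1000000) that all match the same packet.
TRIGGERED = [
    Event(1000001, priority=3, content_len=12),
    Event(1000002, priority=1, content_len=4),
    Event(1000003, priority=2, content_len=20),
    Event(1000004, priority=1, content_len=8),
    Event(1000005, priority=3, content_len=30),
]

if __name__ == "__main__":
    print("content_length:", logged_sids(TRIGGERED))
    print("priority:      ", logged_sids(TRIGGERED, order_events="priority"))
    print("max_queue=2:   ", logged_sids(TRIGGERED, max_queue=2, log=3))
```

With the defaults, 5 triggered events give 3 logged ones, and which 3 depends entirely on order_events; shrinking max_queue below log shows the clamp described in the README.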

God of No Mercy Lee Kuan Yew and Teo En Ming

Dear List,

This is a political joke about Singapore's former Prime Minister Mr. Lee Kuan Yew.

An American tourist was visiting a temple in Singapore when he noticed two statues of a man and a woman by the altar.

He asked the monk what was the significance of the two. The monk explained that in the Chinese system of yin and yang, positives must always be balanced by negatives, and having the two statues ensured that the universal balance was maintained.

"This statue of the woman is the Goddess of Mercy, Kuan-Yin."

"What about the other one?" asked the tourist.

In a hushed voice, the monk said, "This one is the God of No Mercy, Kuan-Yew."

Source: http://www.talkingcock.com/html/jokexec.php?op=JokeView&lexicon=jokes&jcat=Political
-- Yours sincerely, Singapore Citizen Mr. Teo En Ming (Zhang Enming)
Turnbough, Bradley E. | 27 Mar 14:13 2014

Snort Event Types

Is it possible to generate an alert (logged to a unified file) AND also fire a script to do something on the OS
of the sensor itself?

I have snort installed and operating properly.  Snort 2.9.5.5.  Snort currently outputs to unified2.

"output unified2: filename snort.u2, limit 128"

Barnyard2 (2.1.9) picks up the .u2 file and processes it.

Barnyard2 config:
output alert_fast: stdout
output database: alert, mysql, user=snort dbname=snorby password=blah host=ipaddresshere

I want to kick off a shell script file to do some things within the sensor when the alert is first generated.  Is
this possible?

I'm running daemonlogger to generate pcap files, and want to be able to archive the pcap files when certain
traffic triggers an alert.

Thanks,

Brad



Egon Kidmose | 27 Mar 10:07 2014

Re: Basic snort setup for processing pcap produces no alerts

Hi James, Rmkml, Bassant

Thanks for your inputs!

> "-k none" switch on command
Doesn't improve things.
I've also noticed the following in the console output: "Bad Chk Sum:            0 (  0.000%)"
This leads me to believe that my issue isn't related to checksums.

> DARPA 1999 for reference dataset
> http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/1999data.html
I'm getting some alerts,
2-4 a day for inside and outside respectively, which corresponds reasonably well to what the documentation suggests.

> Another check if you have enabled no ethernet (don't remember exactly what name)
> on configure option please? ( New on v2.9.6.0)
I've not been able to figure out what this config is, but as the DARPA set works I guess it might not be crucial..

It would seem that my config is fine, while my expectation that my trace should trigger alerts is wrong.
The good thing is that I got snort running, that bad thing is that it doesn't do what I need, yet :)
I'll look into adding more rules, possibly my own.

Once again; Thanks!



Mvh/BR
Egon Kidmose


On Wed, Mar 26, 2014 at 12:41 PM, basant subba <basantsubba@gmail.com> wrote:
Try running Snort on some standard dataset like the DARPA 1999 dataset. If it generates alarms for the DARPA dataset then there's nothing wrong with the configuration, else there might be some misconfiguration.


On Wed, Mar 26, 2014 at 4:05 PM, Egon Kidmose <kidmose@gmail.com> wrote:
Hi all,

I am working with snort for the first time, trying to feed in a pcap with known bad traffic and hoping to get out a list of alerts.

I use snortrules-snapshot-2960.tar.gz from http://snort.org/snort-rules/ without pulledpork as I don't need to get updates.
My pcap contains a trace from a controlled environment where I have infected and remote controlled a machine with the fairly old irc bot sdbot, so I expect some reaction from snort, however I get none.

My thought is that the absence of alerts follows from one of the following:
a) incorrect configuration
b) my trace not being "bad enough" for snort to pick it up
c) or something else...

Is there anyone out there who can help me to fix the configuration, point me to some reference trace that certainly triggers an alert or simply provide possibly useful hints/suggestions/insights?
Anything would be greatly appreciated!

# command used:
 ~/git-reps/.../sdbot05b-2014-03-25-1020 $ snort -c ../rules/snortrules-snapshot-2960/etc/snort.conf -r sdbot05b.pcap
# snort version:
 ~/git-reps/.../sdbot05b-2014-03-25-1020 $ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7
# My pcap and the rules with my modifications

Mvh/BR
Egon Kidmose




Ayoub Abid | 27 Mar 09:32 2014

Snort limitations

Hello


I want to discuss here how far we can trust snort to secure our network. Does snort have some limitations?

I have tested snort for a couple of weeks. It detects attacks when we have normal traffic. But when we have huge traffic like 2000 pak/sec, it has a big delay to scan all the traffic and detect the intrusion. For example, I can have an attack now and it will report it in 10 or 15 min.

So what are the Limits of snort to detect attacks?

Thank you
Ayoub 
Josh Bitto | 26 Mar 23:48 2014

What does Snort stand for?

We have a poll going in the office on where the name came from. Anyone know? Is it an acronym?

Joshua Bitto
Information Technologist
KCCS
