Mike Michalak | 16 Jan 15:29 2015

Barnyard2


I have installed Snort and I am in the testing phase.

What are your thoughts on using Barnyard2 with Snort? Is it worth it, or not needed?

I am running snort on a CentOS 6.5 box.

Regards,

Mike


------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Jake Hann | 15 Jan 17:17 2015

BASE timestamp wrong

Hello Everyone,

When I pull up BASE to examine events I noticed the time stamps are incorrect. The event happened at 6:00am but the timestamp in base is set for 1400 or 2:00pm. I checked the timestamp in the database itself and the event there has the correct timestamp of 6:00am. I have done some googling with no luck as to why I am having this problem. Any help would be appreciated. Thank you.

Anthony Sheetz | 14 Jan 21:15 2015

reject without being inline

We have a snort sensor on our network being fed packets using a mirror from our switch. We'd like to be able to send RST packets using reject rules without having the sensor inline with our Internet traffic. Is this possible?

It seems like it should be possible to route RST packets generated by our snort sensor out through our internet gateway without actually putting snort in the packet stream, perhaps using iptables rules on the sensor to rewrite them properly, or direct them out the correct ethernet port to the gateway, rather than the mirror port.

Has anyone done this?
Praveen D | 14 Jan 10:58 2015

byte_test and relative

Hi,

In byte_test, relative is mentioned as "Use an offset relative to last pattern match".
Please confirm if the pattern match is relative to "content:" or "pcre:" or both.

41 42 43 44 . . . .  10 . . . . . 31 32        ABCD . . . .  . . . . . . 1 2

content:"ABCD"; byte_test:1,=,0x10,offset:4,relative;
pcre:"/ABCD/"; byte_test:1,=,0x10,offset:4,relative;

Will both content/pcre work?

Best Regards,
Praveen Darshanam
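Added example, not code from the post or from Snort: a small Python emulation of the detection cursor that Snort 2.x keeps after a successful match, run over a payload constructed to match the bytes sketched above. It models both content and pcre as moving the cursor to the end of their match (the behaviour the Snort manual describes for pcre's R modifier); the class and function names are mine.

```python
import re

# Constructed payload following the sketch in the question:
# "ABCD", four filler bytes, 0x10, five filler bytes, "12".
PAYLOAD = b"ABCD" + b"\x00" * 4 + b"\x10" + b"\x00" * 5 + b"12"


class Rule:
    """Emulates the per-packet detection cursor: every successful
    content/pcre match sets it to the end of that match, and options
    flagged 'relative' count their offset from there."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.cursor = None  # None until something has matched

    def content(self, pattern: bytes) -> bool:
        pos = self.payload.find(pattern)
        if pos < 0:
            return False
        self.cursor = pos + len(pattern)
        return True

    def pcre(self, regex: str) -> bool:
        m = re.search(regex.encode(), self.payload)
        if not m:
            return False
        self.cursor = m.end()  # pcre also leaves the cursor at match end
        return True

    def byte_test(self, nbytes: int, op: str, value: int,
                  offset: int, relative: bool = False) -> bool:
        base = self.cursor if (relative and self.cursor is not None) else 0
        chunk = self.payload[base + offset:base + offset + nbytes]
        if len(chunk) < nbytes:
            return False  # would read past the payload: no match
        got = int.from_bytes(chunk, "big")
        return {"=": got == value, "<": got < value, ">": got > value}[op]


def rule_with_content(payload: bytes = PAYLOAD) -> bool:
    """content:"ABCD"; byte_test:1,=,0x10,offset:4,relative;"""
    rule = Rule(payload)
    return rule.content(b"ABCD") and rule.byte_test(1, "=", 0x10, 4, relative=True)


def rule_with_pcre(payload: bytes = PAYLOAD) -> bool:
    """pcre:"/ABCD/"; byte_test:1,=,0x10,offset:4,relative;"""
    rule = Rule(payload)
    return rule.pcre(r"ABCD") and rule.byte_test(1, "=", 0x10, 4, relative=True)


def rule_without_relative(payload: bytes = PAYLOAD) -> bool:
    """Same byte_test without 'relative': offset 4 is counted from byte 0."""
    rule = Rule(payload)
    return rule.content(b"ABCD") and rule.byte_test(1, "=", 0x10, 4)
```

Under this model both forms test byte 8 (cursor 4 + offset 4) and match, while dropping `relative` tests byte 4 instead and fails.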
Zeeshan Afzal | 12 Jan 18:41 2015

Re: Old Snort Rules

Hi,
 
Thanks. That is definitely helpful.
 
/Zee
 
-----Original Message-----
From: Jack Pepper <pepperjack <at> autoshun.org>
To: Zeeshan Afzal <zeeshan.afzal <at> kau.se>
Cc: "snort-users <at> lists.sourceforge.net list" <snort-users <at> lists.sourceforge.net>
Date: Mon, 12 Jan 2015 08:38:35 -0600
Subject: Re: [Snort-users] Old Snort Rules
 
I have two older versions: vision.conf from October of 2000 and vision18.conf from June of 2001. What a bunch of simpletons we were in those days.
 
jp
 
On Mon, Jan 12, 2015 at 5:40 AM, Zeeshan Afzal < zeeshan.afzal <at> kau.se> wrote:
Hi,
 
Would it be possible to find old Snort rule snapshots anywhere? I am interested in doing a study showing trends.
 
Best Regards,
Zeeshan

Zeeshan Afzal | 12 Jan 12:40 2015

Old Snort Rules

Hi,
 
Would it be possible to find old Snort rule snapshots anywhere? I am interested in doing a study showing trends.
 
Best Regards,
Zeeshan
Eugeniu Babin | 12 Jan 09:38 2015

What is snort sensor

Hi All,
Could you please clarify for us how exactly the licensing for Snort works?
We are going to put into production one single Snort server which will have 5 Ethernet interfaces, connected to 5 different networks. Is it enough to purchase one business license for such a setup?
As I understood a snort sensor is considered a server, and it doesn't matter on how many interfaces snort is analyzing the traffic.

Thank You.
Eugene
Mark Greenman | 11 Jan 14:21 2015

activate/dynamic rules problem

Hi. Do you know the reason for this warning after using activate/dynamic rules:

WARNING: an activation rule with no dynamic rules matched.

The set of rules that I have used in the experiment are:

activate tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"adc!"; content:"Tree"; activates:1; sid:1000001;)
dynamic tcp 192.168.5.32 80 -> 192.168.4.22 50444 (msg:"dyn!"; activated_by:1; count:3; sid:1000002;)

Thanks
Avery Rozar | 11 Jan 12:05 2015

Snort EOL question about VRT rules.

Since 2.9.5.6 will be EOL 1/21/15, is that the last day for VRT updates on that version? According to the EOL page, "Updates cease 90 days following the release date of the Current Version". I assume 2.9.7.0 is the current version. It was released 10/23/14, so will the VRT rules stop working for 2.9.5.6 90 days from the release of 2.9.7.0?

Thanks,
Avery


Anthony Sheetz | 9 Jan 22:37 2015

active response and network tap

I'm getting started with snort, and am currently using it with a network tap from an intelligent switch in passive mode. Is it possible to use an active response rule in such a setup? I probably haven't included enough information to get an intelligent answer - happy to explain more of the setup if needed.

Thanks in advance.
Anthony Sheetz
Jake Hann | 9 Jan 19:29 2015

Snort Configuration Trouble

I am setting up Snort for the second time on an Ubuntu 12.04 on VMware to practice before deploying on our live network with an actual Ubuntu server. I have encountered a strange problem I did not have the first time. I am following this guide: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/050/original/Snort_2.9.6.2_on_Ubuntu.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1420749048&Signature=A8s%2FRaAbWtBBP3ehIT%2BeQnuaMLM%3D

And am using Snort 2.9.7.0, DAQ 2.0.4 and barnyard2 2-1.13. I did this once before recently with no problems. When I get to the point in the guide where it asks you to perform make on barnyard2 I get the following:

make[3]: Entering directory `/home/jake/snort_src/barnyard2-master/src'
gcc -DHAVE_CONFIG_H -I. -I..  -Isfutil -I/usr/include/mysql -DENABLE_MYSQL  -g -O2 -fno-strict-aliasing -Wall -c decode.c
decode.c:38:18: fatal error: dnet.h: No such file or directory
compilation terminated.
make[3]: *** [decode.o] Error 1
make[3]: Leaving directory `/home/jake/snort_src/barnyard2-master/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/jake/snort_src/barnyard2-master/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/jake/snort_src/barnyard2-master'
make: *** [all] Error 2


I have done some internet research but not found anything that was able to help me resolve this problem. Any help would be appreciated. Thank you.
