James | 24 Oct 18:25 2014

Re: [Snort-openappid] AppId quickstart

Good catch…this is indeed --enable-open-appid…sorry about that.

James

On Oct 24, 2014, at 10:22, Costas Kleopa (ckleopa) <ckleopa <at> cisco.com> wrote:

> Can you confirm if you run:
> ./configure --enable-open-appid
> 
> Below you mentioned: --enable-appid,
> 
> 
> Thanks
> Costas
> 
> 
> On 10/24/14, 12:19 PM, "Joel Esler (jesler)" <jesler <at> cisco.com> wrote:
> 
>> Thanks James.
>> 
>> We've posted several blog posts with instructions, videos, etc. on the
>> Snort.org blog: http://blog.snort.org/search/label/openappid
>> 
>> Please check it out.
>> 
>> J
>> 
>>> On Oct 24, 2014, at 8:40 AM, James <jlay <at> slave-tothe-box.net> wrote:
>>> 
>>> So on Ubuntu 1[0-4]:

James | 24 Oct 17:40 2014

AppId quickstart

So on Ubuntu 1[0-4]:

Download luajit at http://luajit.org/download/LuaJIT-2.0.3.tar.gz (apt package didn’t get
recognized on snort reconfigure).
Uncompress, make, sudo make install
Download snort-openappid.tar.gz from https://www.snort.org/downloads
Uncompress and move the odp dir to somewhere (I chose /opt/share/)
Recompile snort with adding --enable-appid, make, sudo make install
Add the below to your snort.conf:

preprocessor appid : \
		app_detector_dir /opt/share

Test with sudo snort -T -c snort.conf

Should see:

AppId: adding appIds to list of referred web apps: 1963 1963 1964 1966 1969 1970 1972 1973 1975 1976 1977 1978
1979 1980 1981 1983 1984 1985 1986 1987 629 882 711 1393 1727 1728 1821 1992 1993 1806 1822 2022 2021 2129 2131
1460 1369 1392 2057 2062 1560 665 1458 929 761 2151 2157 2158 2159 2162 2019 2072 1508 1063 2261 2664 2690
Could not read configuration file /opt/share/custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.3
   Setting tracker size to 219
   TCP Port-Only Services

Enjoy…subscribe to the snort-openappid list for more information and help.

James
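Before running `snort -T`, it is worth confirming that the directory handed to `app_detector_dir` is laid out the way the steps above describe: the parent of the unpacked `odp/` tree, not `odp/` itself. The Python script below is an added example, not code from the post or from the Snort project. It assumes only that layout and that the detector content consists of Lua files somewhere beneath `odp/`; it treats a missing `custom/userappid.conf` as a warning rather than an error, because the `snort -T` output above shows that message as non-fatal.

```python
import os
import tempfile


def check_detector_dir(app_detector_dir):
    """Validate the directory that snort.conf's app_detector_dir points at.

    Returns (ok, messages). ok is False when AppID would have nothing to
    load; a missing custom/userappid.conf only yields a warning, matching
    the non-fatal "Could not read configuration file" line in the post.
    """
    messages = []
    odp = os.path.join(app_detector_dir, "odp")
    if not os.path.isdir(odp):
        messages.append("ERROR: no odp/ under %s (app_detector_dir must be the "
                        "directory that CONTAINS odp, not odp itself)" % app_detector_dir)
        return False, messages
    # Assumption: detector content is shipped as Lua files beneath odp/.
    lua_files = [os.path.join(root, name)
                 for root, _dirs, names in os.walk(odp)
                 for name in names if name.endswith(".lua")]
    if not lua_files:
        messages.append("ERROR: %s contains no .lua detector files" % odp)
        return False, messages
    messages.append("OK: %d Lua detector files under %s" % (len(lua_files), odp))
    custom_conf = os.path.join(app_detector_dir, "custom", "userappid.conf")
    if not os.path.isfile(custom_conf):
        messages.append("WARN: %s not found; harmless unless you ship custom "
                        "detectors" % custom_conf)
    return True, messages


def appid_stanza(app_detector_dir):
    """Render the snort.conf lines from the post for a given directory."""
    return "preprocessor appid : \\\n        app_detector_dir %s\n" % app_detector_dir


def demo():
    """Constructed layout in a temporary directory: one placeholder detector
    under odp/lua/, no custom/ tree. Returns the results of checking the
    right directory and of the common mistake of pointing at odp/ itself."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "odp", "lua"))
        with open(os.path.join(tmp, "odp", "lua", "placeholder.lua"), "w") as fh:
            fh.write("-- constructed placeholder, not a real detector\n")
        ok, messages = check_detector_dir(tmp)
        wrong_ok, wrong_messages = check_detector_dir(os.path.join(tmp, "odp"))
    return ok, messages, wrong_ok, wrong_messages


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
    print(appid_stanza("/opt/share"))
```

Point `check_detector_dir()` at the real directory (`/opt/share` in the post) before editing snort.conf; an ERROR here means `snort -T` will not get as far as the "adding appIds" line shown above.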

Jim Garrison | 23 Oct 22:56 2014

"no return statement in function returning non-void" warnings when building snort

I get lots of these warnings when building snort, mentioning the
following functions

    ScSetInternalLogLevel
    ScRestoreInternalLogLevel

As in

In file included from parser.h:38,
                 from tag.c:43:
snort.h: In function ‘ScSetInternalLogLevel’:
snort.h:1231: warning: no return statement in function returning non-void
snort.h: In function ‘ScRestoreInternalLogLevel’:
snort.h:1236: warning: no return statement in function returning non-void

Is this something to be worried about?

-- 
Jim Garrison (jhg <at> acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users


Jim Garrison | 23 Oct 20:49 2014

Latest snort/daq binaries for centos 6?

The download page contains binaries for centos7. Will these work on
centos 6.5 as well?  If not, are there binaries for 6.5, or will I need
to build from source?

Thanks

-- 
Jim Garrison (jhg <at> acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88


Snort Releases | 23 Oct 19:30 2014

Snort 2.9.7 is now available

Snort 2.9.7 is now available on snort.org at
http://www.snort.org/downloads in the Snort Stable Release section.

A new DAQ build is also available that updates support for a few
operating systems.

Snort 2.9.7 includes a major new feature for Application Identification,
our OpenAppID capability.

In conjunction with this release, we are shifting the license for the OpenAppId
content to GPLv2 to encourage more use and submission back to Cisco.  If
you are interested in learning and writing OpenAppId content, please join
us on the OpenAppId mailing list at https://www.snort.org/community.
Any submissions to the OpenAppId ecosystem will receive public thanks
and perhaps some nice swag!

2014-10-24 - Snort 2.9.7.0
[*] New additions
* Application Identification Preprocessor, when used in conjunction with
  OpenAppID detector content, that will identify application protocol,
  client, server, and web applications (including those using SSL) and
  include the info in Snort alert data. In addition, a new rule option
  keyword 'appid' that can be used to constrain Snort rules based on one
  or more applications that are identified for the connection. Separate
  prepackaged RPMs with App Open ID are available.  See README.appid
  for further details.

* A new protected_content rule option that is used to match against a
  content that is hashed.  It can be used to obscure the full context
  of the rule from the administrator.

Tony Robinson | 23 Oct 16:00 2014

Trying to develop a systemd snort script, running into errors removing/creating pid files

Hello There,

I'm working on an update for autosnort and I figured it was high past time for me to stop half-assing boot persistence for Snort via rc.local and make actual init scripts or similar.

So here I am, trying to make a systemd script. The goals are to bring up the network interface in promisc mode, start snort, and start barnyard2. The script does that. Rather well. Probably not the way systemd devs want one to do it... but we'll cross that bridge later.

My problem comes when I try to kill snort or barnyard2. The kill command works, but there's errors in the logs:

Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file /var/run//snort_ens33.pid: Permission denied
Oct 23 09:38:10 localhost snort[2502]: Snort exiting

Barnyard2 doesn't seem to care that it can't remove the pid file and that's fine, I suppose, because restarting Snort/Barnyard2 seems to work fine:

Oct 23 09:45:38 localhost snort[2912]: Checking PID path...
Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file "/var/run//snort_ens33.pid"

Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file "/var/run//barnyard2_ens33.pid"

Here are the options I use to start snort:
snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33

Here are the options I use to start barnyard2:
barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

I know a lot of stuff changed in CentOS 7. I noticed that one of them was that /var/run is now a symlink to /run. What would cause Snort/BY2 to have permissions to follow the pid file and write their pids, but then not have permissions to remove the pid file after execution has stopped?

I've attached the systemd script I wrote as well.
Attachment (snortbarn.service): application/octet-stream, 591 bytes
C. L. Martinez | 21 Oct 13:02 2014

Change sid number with pulledpork

Hi all,

Is it possible to change sid numbers inside several rules files? I
have downloaded rules from third-party sites and in some cases the sid
numbers are the same.

Can I change these sids to start at 5000000 and follow on with pulledpork?

Thanks.
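Whatever the tool used to fetch the rules, colliding sids across third-party files can be found and renumbered from a fixed starting value with a short script. The Python below is an added example, not pulledpork's own code and not an answer to whether pulledpork can do this itself; it assumes rule files are plain text with one rule per line and that the `sid:N;` option is what identifies a rule. The sample rule files are constructed for the example.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def collect_sids(files):
    """Map each sid to the files that declare it (commented-out rules count
    too, since a disabled rule still occupies its sid)."""
    owners = {}
    for name, text in files.items():
        for m in SID_RE.finditer(text):
            owners.setdefault(int(m.group(1)), []).append(name)
    return owners


def renumber_collisions(files, start=5000000):
    """Give colliding sids fresh numbers starting at `start`.

    files is an ordered {filename: rule text} dict; the first file that
    uses a sid keeps it, later occurrences are moved to the next free
    number at or above `start`, skipping anything already in use anywhere.
    Returns (rewritten_files, mapping) with mapping[(file, old_sid)] = new_sid.
    """
    used = set(collect_sids(files))
    seen, next_sid = set(), start
    rewritten, mapping = {}, {}
    for name, text in files.items():
        out = []
        for line in text.splitlines():
            m = SID_RE.search(line)
            if m:
                sid = int(m.group(1))
                if sid in seen:
                    while next_sid in used:
                        next_sid += 1
                    mapping[(name, sid)] = next_sid
                    used.add(next_sid)
                    line = line[:m.start(1)] + str(next_sid) + line[m.end(1):]
                    next_sid += 1
                else:
                    seen.add(sid)
            out.append(line)
        rewritten[name] = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return rewritten, mapping


# Constructed sample: two third-party rule files that both use sid 1000001,
# plus a disabled rule already sitting at 5000000 that must not be reused.
SAMPLE = {
    "vendor-a.rules": (
        'alert tcp any any -> any 80 (msg:"A one"; sid:1000001; rev:1;)\n'
        'alert tcp any any -> any 443 (msg:"A two"; sid:1000002; rev:1;)\n'),
    "vendor-b.rules": (
        'alert tcp any any -> any 25 (msg:"B one"; sid:1000001; rev:3;)\n'
        '# alert udp any any -> any 53 (msg:"B two"; sid:5000000; rev:1;)\n'),
}


def demo(files=SAMPLE):
    """Report duplicates, then renumber them; returns all three results."""
    duplicates = {s: o for s, o in collect_sids(files).items() if len(o) > 1}
    rewritten, mapping = renumber_collisions(files)
    return duplicates, rewritten, mapping


if __name__ == "__main__":
    dup, rew, mp = demo()
    print("duplicates:", dup)
    print("reassigned:", mp)
    for name, text in rew.items():
        print("==", name)
        print(text, end="")
```

Keep the returned mapping: anything keyed on the old sid (a sid-msg.map, disablesid/enablesid lists, tuning notes) has to be updated to the new numbers, and the rewritten files should replace the originals only after that is done.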


Nicolas Greneche | 20 Oct 16:55 2014

snaplen has no effect on "ip dgm len > captured len"

Hi,

I run snort on a dummy interface (this interface is part of bridge 
configured to act as a hub).

Here is my command :

/usr/local/compiled/snort/bin/snort -vd -i dummy0 -c /usr/local/etc/snort/snort.conf --snaplen XXX-D

Even with large snaplen values, I have this message in logs :

"ip dgm len > captured len"

from snort_decoder.

Does someone have a clue what's wrong?

-- 
Nicolas Grenèche

Old blog : http://blog.etcshadow.fr
New blog : http://nsm.etcshadow.fr
Tel : 01 49 40 40 35
Fax : 01 48 22 81 50

Kurzawa, Kevin | 17 Oct 20:58 2014

Port problems in a rule

The port variable doesn't seem to like me. I recently started playing with rules and found an unexpected problem. Wondering what I'm doing wrong.

# works

alert tcp any any -> any any (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:1;)

# doesn't work

#alert tcp any any -> any 80 (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:2;)

# doesn't work

#alert tcp any any -> any $HTTP_PORTS (msg: "LOCAL-RULE Test for TestMyIDS.com"; content: "testmyids.com"; classtype:misc-activity; sid:1000001; rev:3;)

Everything is the same with these rules except the destination port variable.

My conf file lists HTTP_PORTS as follows:

portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,4000,4343,4848,5117,5250,6080,6173,6988,7000,7001,7144,7145,7510,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371,12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
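When a rule stops matching as soon as the destination port is narrowed, the first thing to rule out is whether the port specification actually covers the port seen on the wire. The Python below is an added example, not code from the post or from Snort; it resolves the destination-port field of a rule header against `portvar` definitions (single ports, `a:b` ranges, flat lists, `$VAR` references and a leading `!`) so a port can be checked without loading Snort. The `SAMPLE_CONF` list is a constructed, shortened version of the HTTP_PORTS line above; nested lists are left out.

```python
import re

PORTVAR_RE = re.compile(r"^\s*portvar\s+(\w+)\s+(\S+)")
# Rule header: [#]action proto src_ip src_port dir dst_ip dst_port (
HEADER_RE = re.compile(
    r"^\s*#?\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def parse_portvars(conf_text):
    """Collect `portvar NAME value` definitions from a snort.conf fragment."""
    return {m.group(1): m.group(2)
            for m in (PORTVAR_RE.match(line) for line in conf_text.splitlines())
            if m}


def port_matches(spec, port, portvars):
    """True when `port` is covered by a Snort port specification.

    Supports: any, a single port, a:b / :b / a: ranges, a flat [a,b,c]
    list, $VAR references and a leading ! negation. Nested lists such as
    [80,[8000:8100]] are not handled here.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, portvars)
    if spec == "any":
        return True
    if spec.startswith("$"):
        name = spec[1:]
        if name not in portvars:
            raise KeyError("undefined portvar $%s" % name)
        return port_matches(portvars[name], port, portvars)
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(item, port, portvars)
                   for item in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_dst_matches(rule, dst_port, portvars):
    """Resolve a rule's destination-port field and test it against dst_port.
    A leading # is tolerated so commented-out rules can be checked too."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule[:40])
    return port_matches(m.group(7), dst_port, portvars)


# Constructed: a shortened HTTP_PORTS list (the post's real one is longer).
SAMPLE_CONF = "portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,8000:8090,8888]\n"
RULES = {
    "rev1": 'alert tcp any any -> any any (msg:"LOCAL-RULE Test"; content:"testmyids.com"; sid:1000001; rev:1;)',
    "rev2": '#alert tcp any any -> any 80 (msg:"LOCAL-RULE Test"; content:"testmyids.com"; sid:1000001; rev:2;)',
    "rev3": '#alert tcp any any -> any $HTTP_PORTS (msg:"LOCAL-RULE Test"; content:"testmyids.com"; sid:1000001; rev:3;)',
    "neg":  'alert tcp any any -> any !$HTTP_PORTS (msg:"non-HTTP"; sid:1000002; rev:1;)',
}


def coverage_table(rules=RULES, conf_text=SAMPLE_CONF, ports=(80, 443, 8080)):
    """Return {rule_name: {port: matches}} for quick inspection."""
    portvars = parse_portvars(conf_text)
    return {name: {p: rule_dst_matches(rule, p, portvars) for p in ports}
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, row in coverage_table().items():
        print(name, row)
```

If the table says the port is covered, the header is not the reason the narrower rules stay silent, and the next thing to compare is the traffic itself: which port the tested connection actually uses and whether the content appears in the direction the header selects.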

Venkataramesh Bontupalli | 16 Oct 17:21 2014

Regular Expression Matching in Snort Rules

Dear Snort-Users,

I am trying to understand how Snort performs regular expression matching, i.e. the PCRE option in Snort rules.

However, through the literature study I understood that Snort generates a Finite State Machine (FSM) during the compilation. 

Could anyone let me know what kind of FSM it generates?
Is it a Deterministic Finite Automaton (DFA) or a Nondeterministic Finite Automaton (NFA)?

Any help is highly appreciated.

Thanks and Regards,
VenkataRamesh
Kurzawa, Kevin | 16 Oct 16:10 2014

Snort App Logs (not alerts)

Where can I view the snort application startup logs?

 

I’ve been searching all over the snort manual and mailing list, but the only logging I can find references to is about alerts. The logging I want to see is in regards to the application startup and application errors itself (I have my alert logging working just fine). Snort is starting as a daemon and I don’t want to have to manually start it to view all the juicy startup messages. But /var/log/messages does not contain anything about snort.
