Snort Releases | 6 Jul 18:14 2015

Snort++ Alpha 2 Available Now

The second alpha release of Snort++ is now available on snort.org, and it
includes a lot of new features and functionality:

Snort features:

* sync with Snort 297-177
* ported dns inspector
* ported ssh and ssl inspector
* ported smtp, pop, and imap inspectors
* ported sip inspector
* ported file processing

New features:

* added publish-subscribe handling of inspection events
* added data_log plugin example for pub-sub
* added build of snort_manual.text if w3m is installed
* added file_magic.lua
* added socket DAQ to input payload only with flow tuple
* added hext DAQ for packet input in hex and plain text
* added file DAQ for plain file input (w/o packets)
* added socket codec for use with above DAQs
* added stream_user for payload only processing
* added stream_file for file inspection and processing
* added usage, bugs, and DAQ sections to user manual
* added default_snort_manual.text w/o w3m
* rewrote alert_csv with all new default format
* changed stream_tcp to reassemble payload only
* optionally omit ports or networks and ports in rule headers
* updated new_http_inspect

Siti Farhana Binti Lokman | 3 Jul 15:12 2015

Multi-Pattern Matching Engine in Snort

Hi,

Currently I'm doing a comparative study analysing the performance of the multi-pattern matching engines in Snort.

Based on my findings about the inner workings of Snort so far, it includes several pattern matching algorithms as configuration options of the signature matching engine, like AC-FULL, MWM, LOW_MEM, etc.

But if I want to make some modifications or additions (compare other pattern matching algorithms with the existing, unmodified algorithms in Snort), how can I compile the source code and test the performance?

I'm planning to measure the performance (memory usage vs. speed) of a new search method using the latest ruleset in Snort, "snortrules-snapshot-2962.tar.gz", with some pre-captured PCAP files.

Right now I'm having difficulties finding resources on the technical part, especially on how to compile and run the code.

From some papers I read, the source code files involved are fpcreate.c, mpse.c, mpse.h and the new C files of a new algorithm.

But can you suggest any technical documentation or step-by-step guide on how to accomplish this?

I'm really sorry, as I'm really new in this area and still learning. Any suggestions and advice are much appreciated.

Thank you in advance.

Best regards,

Farhana
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
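An added example (not from the post, and not Snort's own source) of the kind of measurement the study above describes: a minimal Aho-Corasick automaton, the goto/fail/output structure behind Snort's AC-family search methods, timed against a per-pattern scan on the same input, with the automaton's state count reported as a rough memory proxy. The pattern strings and buffers are constructed; AC-FULL's dense transition table is only mentioned in a comment, not modelled.

```python
import time
from collections import deque

class AhoCorasick:
    """Minimal Aho-Corasick automaton: the goto/fail/output structure behind
    Snort's AC-family search methods (ac-full and friends)."""
    def __init__(self, patterns):
        self.goto = [{}]        # goto[state][char] -> next state
        self.fail = [0]         # failure link per state
        self.out = [set()]      # patterns that end at each state
        for p in patterns:      # phase 1: build the trie
            s = 0
            for ch in p:
                if ch not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][ch] = len(self.goto) - 1
                s = self.goto[s][ch]
            self.out[s].add(p)
        queue = deque(self.goto[0].values())   # phase 2: failure links, breadth-first
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit matches of proper suffixes

    def state_count(self):
        return len(self.goto)   # rough memory proxy; ac-full materialises every transition

    def search(self, text):
        s, hits = 0, []
        for i, ch in enumerate(text):
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            hits.extend((i - len(p) + 1, p) for p in self.out[s])
        return sorted(hits)

def naive_search(patterns, text):
    """Baseline: one str.find() sweep per pattern, so cost grows with the pattern count."""
    hits = []
    for p in patterns:
        i = text.find(p)
        while i >= 0:
            hits.append((i, p))
            i = text.find(p, i + 1)
    return sorted(hits)

def benchmark(patterns, text):
    """Time build, AC search and naive search on the same input, plus AC state count."""
    t = [time.perf_counter()]
    ac = AhoCorasick(patterns); t.append(time.perf_counter())
    ac_hits = ac.search(text); t.append(time.perf_counter())
    naive_hits = naive_search(patterns, text); t.append(time.perf_counter())
    return {"build_s": t[1] - t[0], "ac_search_s": t[2] - t[1], "naive_s": t[3] - t[2],
            "states": ac.state_count(), "same_hits": ac_hits == naive_hits}
```

With a real ruleset the content strings would come from the rules and the buffer from the PCAP payloads; the harness itself stays the same.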
Marcio Guerreiro | 3 Jul 11:07 2015

Detecting Hydra tool - FTP attack

Hi all,

I am trying to figure out how to detect a number of attempts (4 – 100) of password guessing without triggering on the normal login of the user.

For example, if I use one computer to run the command

root <at> golias:~# hydra -t 1 -l mark -P passwords.txt -Vv 192.168.1.77 ftp

and the rule to detect

I would be able to capture the malicious activity, but I would also capture the user mark logging in to the system. For me it is obvious that if I check my log and see 10 alerts it is suspicious and I would investigate. If I see just one alert, I would assume that the user mark has logged in normally. The question is... does anybody know if there is any keyword that would detect consecutive attempts rather than just one or two?

Thank you

Marcio
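Snort's detection_filter rule option (track by_src or by_dst, count N, seconds S) is the keyword that fires only after repeated matches from one host, which is what the question above asks for. As an added example, not code from the post, the Python below implements the same sliding-window threshold over a constructed sample of FTP server replies: mark's single mistyped password stays silent, while four failures within a minute from one client fire.

```python
import re
from collections import defaultdict, deque

# Constructed sample, not a real capture: one FTP server reply per line,
# "<epoch seconds> <client ip> <reply code> <text>". 192.168.1.50 is the
# legitimate user mark (one typo, then success); 192.168.1.99 keeps guessing.
SAMPLE_REPLIES = """\
1435921200 192.168.1.50 530 Login incorrect.
1435921204 192.168.1.50 230 Login successful.
1435921210 192.168.1.99 530 Login incorrect.
1435921211 192.168.1.99 530 Login incorrect.
1435921212 192.168.1.99 530 Login incorrect.
1435921213 192.168.1.99 530 Login incorrect.
1435921214 192.168.1.99 530 Login incorrect.
1435921300 192.168.1.99 530 Login incorrect.
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\d{3}) ")


class FailureCounter:
    """Sliding-window counter keyed by client address: fires once `count`
    failures from the same client fall inside the trailing `seconds` window,
    the same idea as a Snort rule option of the form
    detection_filter: track by_dst, count 4, seconds 60;"""

    def __init__(self, count=4, seconds=60):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)   # client -> timestamps of recent failures

    def observe(self, ts, client):
        win = self.windows[client]
        win.append(ts)
        while win and win[0] <= ts - self.seconds:   # expire failures outside the window
            win.popleft()
        return len(win) >= self.count


def scan(log_text, count=4, seconds=60):
    """Return (timestamp, client) for every 530 reply that crosses the threshold."""
    counter = FailureCounter(count, seconds)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, code = int(m.group(1)), m.group(2), m.group(3)
        if code == "530" and counter.observe(ts, client):
            alerts.append((ts, client))
    return alerts


if __name__ == "__main__":
    for ts, client in scan(SAMPLE_REPLIES):
        print(f"{ts} repeated FTP login failures from {client}")
```

Because the window slides, the stray failure at 1435921300 is counted alone and does not fire, which is the behaviour that keeps a single mistyped password out of the alert log.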

 

 

 

 

 

Davison, Charles Robert | 2 Jul 14:54 2015

Barnyard 2 Error

Good Morning,

I have completed the following steps from "Snort 2.9.7.x on Ubuntu 12 LTS and 14 LTS" for installing Barnyard 2 on Ubuntu 14.04 (64-bit):

Barnyard 2

Step 1: sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

Step 2: Line 520 Add:

output unified2: filename snort.u2, limit 128

Step 3:

cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-2-1.13.tar.gz
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install

However, when I follow the additional steps and get to the point of testing Barnyard 2, I receive the error below:

spectrum5ghz <at> ubuntu:~$ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo \
> -g snort -u snort
[sudo] password for spectrum5ghz:
sudo: barnyard2: command not found
spectrum5ghz <at> ubuntu:~$

I wiped my virtual machine clean and started from scratch, this time taking a snapshot right before I begin the Barnyard 2 install. I noticed the following errors when "making" the file that might have caused the previous errors above:

alert_prelude.o spo_alert_syslog.o spo_alert_test.o spo_alert_unixsock.o spo_common.o spo_log_ascii.o spo_log_null.o spo_log_tcpdump.o spo_sguil.o spo_echidna.o spo_syslog_full.o spo_database.o spo_database_cache.o
ranlib libspo.a
make[3]: Leaving directory `/home/spectrum5ghz/snort_src/barnyard2-master/src/output-plugins'
Making all in input-plugins
make[3]: Entering directory `/home/spectrum5ghz/snort_src/barnyard2-master/src/input-plugins'
gcc -DHAVE_CONFIG_H -I. -I../..  -I.. -I../sfutil  -DDEBUG  -g -O0 -fno-strict-aliasing -Wall -c -o spi_unified2.o spi_unified2.c
rm -f libspi.a
ar cru libspi.a spi_unified2.o
ranlib libspi.a
make[3]: Leaving directory `/home/spectrum5ghz/snort_src/barnyard2-master/src/input-plugins'
make[3]: Entering directory `/home/spectrum5ghz/snort_src/barnyard2-master/src'
gcc -DHAVE_CONFIG_H -I. -I..  -Isfutil -DDEBUG  -g -O0 -fno-strict-aliasing -Wall -c -o barnyard2.o barnyard2.c
gcc -DHAVE_CONFIG_H -I. -I..  -Isfutil -DDEBUG  -g -O0 -fno-strict-aliasing -Wall -c -o debug.o debug.c
gcc -DHAVE_CONFIG_H -I. -I..  -Isfutil -DDEBUG  -g -O0 -fno-strict-aliasing -Wall -c -o decode.o decode.c
decode.c:38:18: fatal error: dnet.h: No such file or directory
 #include <dnet.h>
                  ^
compilation terminated.
make[3]: *** [decode.o] Error 1
make[3]: Leaving directory `/home/spectrum5ghz/snort_src/barnyard2-master/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/spectrum5ghz/snort_src/barnyard2-master/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/spectrum5ghz/snort_src/barnyard2-master'
make: *** [all] Error 2

spectrum5ghz <at> spectrum5ghz:~/snort_src/barnyard2-master$

Can you offer me a suggestion as to what I should do to correct this issue? I am in the process of making a Snort training video series and already have 70+ slides. I definitely want to include Barnyard2 as one of the videos. I have looked at several other websites on how to install Barnyard2, and even posted this issue in the IRC channel with no resolution. I appreciate your help!

Sincerely,

Spectrum5GHz

Schwaiger, Markus | 2 Jul 10:16 2015

Barnyard2 error: FATAL ERROR: /etc/snort/barnyard2.conf(14) Unknown output plugin: "log_syslog_full"

Hi,

I have a problem with the barnyard2 log_syslog_full plugin.

Whenever I try to use it, by2 quits with the error:

FATAL ERROR: /etc/snort/barnyard2.conf(14) Unknown output plugin: "log_syslog_full"

The config line looks like this:

output log_syslog_full: sensor_name xx01, server 10.xx.xx.xx, protocol udp, port 514, log_priority log_alert, operation_mode default

I have absolutely no idea how to solve it... I already googled for the problem, but it seems that I'm the only one ;-(

Thanks!

Joel Esler (jesler | 1 Jul 13:18 2015

Re: [SUSPICIOUS] Report malicious viruses site

Liu,

Snort covers many things and is a fantastic product at protecting networks, but no one product can defend against everything. In addition to a network-based IDS/IPS, we recommend host-based antivirus. In fact, we make and give one away for free at immunet.com.

We'll take a look at the site you mentioned and see what it contains.

--
Joel Esler 
Sent from my iPhone

On Jul 1, 2015, at 6:02 AM, Liu Xuan <mrliuxuan1 <at> gmail.com> wrote:

Dear Mr. or Mrs.,

I'm a user of Snort. I've been using your software for a while and thought it was great. However, when I was downloading some software from a website, my computer got a virus.

The website was:
http://secure-web.cisco.com/1LQqtOxnc6ycnHmb8gHFLsBfOK66Hv5P30UwzTVpM44Im7mq0ity5-d742tjIdlSjdcOo8YZFLBiyxTcgqgUOBNlOZYGNdjmdFA68dcHN3rcZAzn8urGpTqwpOYamfCZy147TQQsS0fcoUlh57SnlP4h9VSzeb20rLIJ1g9JGsobx9mah8PeBj2h1CtNjAroIn1w62CLYDx-pnGhEtb2kzxcWpCT5kT_2CWbrX02-o274rVMNoJvjz_Sbbq0Uuv6OWXtLA3h3DIY2-ooYrcPPpceHfehSNjYYq_bAtJD5rw0/http%3A%2F%2Flineage123.com%2Fclentdown%2F23.html

I don't know why your software didn't alert me immediately. I trusted your software, so I thought the software that I downloaded was fine. Who knew that the next day my online bank account would be hacked. My Facebook and my Line (application) were hacked too, and weird stuff had been put on my accounts. I didn't post anything at all, but my friends kept being bothered by the stuff that came from my account. I figured something was wrong and used my friend's laptop to browse that website. She used Kaspersky antivirus software, and it immediately alerted me when I went on that website.

It seems like your software's updates have been a little bit slow. I hope you can fix it as soon as possible so other people's computers won't be infected. I still like your product pretty much, but I was a little disappointed by this incident.

Thank you for your time,
Liu Xuan Salute
C.L. Martinez | 1 Jul 10:21 2015

Does the arpspoof preprocessor work on 2.9.7.3??

Hi all,

  Does it work?? I have a Snort IDS host configured with this preprocessor, but when I execute "snort -c snort.conf -T" it doesn't show anything about it.

Config:

preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.33.2 60:be:b5:30:5b:d2

  Any idea??

yudhi ardiyanto | 27 Jun 07:06 2015

(no subject)

Hello, my name is yudhi.

Can anyone in the forum describe commercial vs. open source Snort rules?

Thanks a lot
Rahul Bhonsale | 26 Jun 17:06 2015

Snort only alerting about the IP it's running on

I'm trying to set up a Snort IDS on my machine (openSUSE 13.1) to monitor the entire network. When I run Snort I am sniffing all the packets and monitoring all computers on the network, but I am only getting alerts for my machine. I want the alert file to alert me about ALL IPs. I also tried including specific IP addresses in HOME_NET and it would still only alert me about my openSUSE machine.

My snort.conf:

HOME_NET 192.168.1.0/24
EXTERNAL_NET !$HOME_NET
output alert_fast: /var/log/snort/fast_alert.txt

I am using PulledPork for my one snort.rules file.

I run Snort like so: snort -d -c /etc/snort/snort.conf -vv

Also, it might be important information that I do not have eth0 as a network device option.

How can I make Snort alert me for all machines/IPs on the network?
Ikenna Chiadikaobi | 26 Jun 08:26 2015

Rules

HI all, Please can yara rules be implemented in Snort and how can i create a multi layer detection like combining Signature and Anomaly in Snort.
In addition, how does decision tree or machine algorithm be used for IDS











"The declaration of your identity is the restoration of your dignity".
Anshuman Anil Deshmukh | 25 Jun 07:21 2015

Flowbits set rule to noalert

Hi,

With reference to the discussion thread (refer to http://seclists.org/snort/2014/q2/309), could you please explain what a flowbits set rule set to noalert is, and how we could change it?

Regards,

Anshuman