Avery Rozar | 24 Nov 16:42 2015

SMTP Preprocessor question

Hello,
I'm looking for some help understanding the SMTP preprocessor. For example, the attached pcap is from a hit on "smtp: Attempted data header buffer overflow, sid: 2; gid: 124". Digging in the PCAP, the only thing (other than this looks like junk email) I can come up with is that the "List" command to unsubscribe looks like it's longer than the 512 specified in the "max_command_line_len" parameter. Am I correct in this finding, or way off?

Here is the preprocessor.rules:
alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )

Here is the Snort config file:
# SMTP normalization and anomaly detection.  For more information, see README.SMTP
preprocessor smtp: ports { 25 465 587 691 } \
    inspection_type stateful \
    b64_decode_depth 0 \
    qp_decode_depth 0 \
    bitenc_decode_depth 0 \
    uu_decode_depth 0 \
    log_mailfrom \
    log_rcptto \
    log_filename \
    log_email_hdrs \
    normalize cmds \
    normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
    normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
    normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
    normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    max_command_line_len 512 \
    max_header_line_len 1000 \
    max_response_line_len 512 \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
    alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
    alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
    valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
    valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
    valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
    xlink2state { enabled }

Attachment (tcpdump.Z0.log.1448341337.pcap): application/octet-stream, 41 KiB
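The SMTP preprocessor applies three separate line-length limits, and the rule quoted above, SMTP_DATA_HDR_OVERFLOW (gid 124, sid 2), is the one governed by max_header_line_len: README.SMTP documents that option as the maximum length of a header line inside the DATA section, while max_command_line_len and alt_max_command_line_len apply to command lines (sids 1 and 4 of the same gid). A List-Unsubscribe header therefore travels after DATA and is measured against the 1000-byte header limit, not the 512-byte command limit. The following model is an added example, not Snort's code: it takes the limits from the configuration quoted above (a subset of the alt_max_command_line_len entries; where the config lists a command twice, such as RSET and ETRN, the later value wins, as Snort's startup output for this default configuration quoted later on this page shows with RSET:246 and ETRN:246), walks a constructed client session, and reports which event each overlong line would raise. It measures lines without their CRLF terminator and does not model the unknown-command or response-side checks; both are simplifications.

```python
"""Model of the Snort 2 SMTP preprocessor's line-length checks (added example)."""
from dataclasses import dataclass

# Limits taken from the preprocessor configuration quoted in the post.
MAX_COMMAND_LINE_LEN = 512
MAX_HEADER_LINE_LEN = 1000
# Subset of the alt_max_command_line_len entries from that configuration.
ALT_MAX_COMMAND_LINE_LEN = {
    "MAIL": 260,
    "RCPT": 300,
    "HELO": 500, "EHLO": 500, "HELP": 500,
    "EXPN": 255, "VRFY": 255, "NOOP": 255,
    "DATA": 246, "QUIT": 246, "RSET": 246, "ETRN": 246, "AUTH": 246, "STARTTLS": 246,
}

# Event ids used by the SMTP preprocessor (gid 124).
SMTP_COMMAND_OVERFLOW = 1        # command line longer than max_command_line_len
SMTP_DATA_HDR_OVERFLOW = 2       # DATA header line longer than max_header_line_len
SMTP_SPECIFIC_CMD_OVERFLOW = 4   # command line longer than its alt_max_command_line_len


@dataclass(frozen=True)
class Event:
    gid: int
    sid: int
    line_no: int
    length: int
    limit: int


def check_client_lines(lines):
    """Apply the length checks to client-to-server lines (CRLF already stripped;
    the line is measured without its terminator, an assumption of this model).

    Outside DATA every line is a command: it is checked against its alt limit
    if one is configured, otherwise against the global command limit. After
    DATA, lines up to the first empty line are message headers and are checked
    against max_header_line_len; body lines are not length-checked; a lone "."
    ends the DATA section.
    """
    events = []
    in_data = in_headers = False
    for n, line in enumerate(lines, 1):
        length = len(line)
        if in_data:
            if line == ".":
                in_data = in_headers = False
            elif in_headers:
                if line == "":
                    in_headers = False
                elif length > MAX_HEADER_LINE_LEN:
                    events.append(Event(124, SMTP_DATA_HDR_OVERFLOW, n, length, MAX_HEADER_LINE_LEN))
            continue
        cmd = line.split(None, 1)[0].upper() if line.strip() else ""
        limit = ALT_MAX_COMMAND_LINE_LEN.get(cmd)
        if limit is not None:
            if length > limit:
                events.append(Event(124, SMTP_SPECIFIC_CMD_OVERFLOW, n, length, limit))
        elif length > MAX_COMMAND_LINE_LEN:
            events.append(Event(124, SMTP_COMMAND_OVERFLOW, n, length, MAX_COMMAND_LINE_LEN))
        if cmd == "DATA":
            in_data = in_headers = True
    return events


def event_ids(lines):
    """Compact (gid, sid, line_no) view of the events, handy for triage scripts."""
    return [(e.gid, e.sid, e.line_no) for e in check_client_lines(lines)]


# Constructed sample session: a bulk mailing with an oversized List-Unsubscribe
# header, an oversized MAIL command (alt limit 260) and an oversized command
# that has no alt limit in this configuration. Body length is never checked.
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<" + "x" * 300 + "@example.test>",                    # > 260 for MAIL
    "RCPT TO:<user@example.test>",
    "X-ERCP " + "y" * 600,                                           # > 512, global limit
    "DATA",
    "From: bulk@example.test",
    "List-Unsubscribe: <http://unsubscribe.example.test/?t=" + "A" * 1100 + ">",
    "",
    "body text " + "B" * 2000,                                       # body: not checked
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for e in check_client_lines(SAMPLE_SESSION):
        print(f"[{e.gid}:{e.sid}] line {e.line_no}: {e.length} bytes > {e.limit}")
```

Run against the sample, the model flags line 2 as 124:4, line 4 as 124:1 and the List-Unsubscribe header on line 7 as 124:2; the 2000-byte body line raises nothing. To triage a real hit, extract the client side of the SMTP stream from the pcap into a list of lines and feed it to check_client_lines.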
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Alex Samad | 22 Nov 22:17 2015

newbie question

Hi

I am testing out snort. running it on centos 6.x. I have installed the
packages from https://forensics.cert.org/. Seems like the snort.org
only has centos/rhel 7 packages :(

I installed snort-openappid-2.9.7.6-1.el6.x86_64

So I have it installed and it seems to be running, as in I can run
snort -c /etc/snort/snort.conf -N -s -i eth1.207

I did register and downloaded the  snort rules, placed them in
/usr/local/lib/snort

updated my /etc/snort/snort.conf file to point there
create empty white_list.rules and black_list.rules to satisfy

preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

My snort box is not in the path of all the traffic, its a VM on a
VMWare host. I have 2 nic's 1 is management with an IP that I can ssh
to.

The other nic is setup on VLAN 4095 (VMWare special vlan ID to get all
packets, with tagging).

I have created eth1.<vlanid> for all the interested vlans I want to
watch. For example users and guest network.

currently I have screen running and I start 2 processes like this
snort -c /etc/snort/snort.conf -N -s -i eth1.145

I don't really want to log any packets, just want to check out the
alerting. I believe this will send any alerts to syslog.

I have been keeping track of /var/log/message /var/log/secure

nothing as yet.

How can I set this up so I run it as a daemon and can have 1 process watch
2 or more interfaces?

or am I going about this all wrong :)

thanks


Andre DiMino | 22 Nov 03:22 2015

PulledPork 0.7.2 errors with ETPro rules

I've recently noted PulledPork errors when it attempts to download ETPro rulesets.
I've been speaking to the developer, and have posted an issue on PulledPork's Github.  However I wanted to put this out there in case anyone else is experiencing similar issues.

Running PulledPork with ETPro enabled causes the following:
++++++++++++++++++++

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
They Match
Done!

Rules tarball download of community-rules.tar.gz....
Checking latest MD5 for opensource.gz....
They Match
Done!

Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done

Rules tarball download of emerging.rules.tar.gz....
They Match
Done!

Checking latest MD5 for etpro.rules.tar.gz....

Use of uninitialized value $md5 in scalar chomp at /home/snortscan/snort_src/pulledpork-read-only/pulledpork.pl line 522.

Use of uninitialized value $md5 in pattern match (m//) at /home/snortscan/snort_src/pulledpork-read-only/pulledpork.pl line 524.

No Match
Done

Rules tarball download of etpro.rules.tar.gz....
No Match
Done

Rules tarball download of etpro.rules.tar.gz....
No Match
Done

Rules tarball download of etpro.rules.tar.gz....
No Match
Done

Rules tarball download of etpro.rules.tar.gz....
No Match
Done

Rules tarball download of etpro.rules.tar.gz....
No Match
Done

++++++++++++++++++++

This just loops until it crashes.
If I comment out the ETPro ruleset download, everything completes successfully.

--

Andre' M. DiMino
DeepEnd Research
http://www.deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
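The log above shows the digest lookup for etpro.rules.tar.gz coming back empty (the "uninitialized value $md5" warnings at pulledpork.pl lines 522 and 524), after which every download is reported as "No Match" until the process dies. The following is an added example, not PulledPork's code: a rules fetcher that treats a missing or malformed published digest as a hard error before downloading anything, and caps content-mismatch retries so an upstream outage cannot become an unbounded loop. The fetch callables and the in-memory SERVER table are constructed stand-ins for the HTTP calls; MD5 is used only because that is what the rules servers publish, so this is an integrity check, not an authenticity check.

```python
"""Fail-closed, bounded integrity check for a downloaded rules tarball (added example)."""
import hashlib
import re

# "<hex>" or "<hex>  <filename>", as published .md5 files are usually laid out.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})(?:\s+\S+)?\s*$")


class RulesetError(Exception):
    """Raised when a ruleset cannot be fetched and verified."""


def parse_md5(text):
    """Return the lowercase hex digest from a published .md5 body.

    An empty or missing body is a hard error: a fetcher that chomps an
    undefined value and compares against it can only ever report a mismatch.
    """
    if not text or not text.strip():
        raise RulesetError("published digest is missing or empty")
    m = MD5_LINE.match(text.strip())
    if not m:
        raise RulesetError(f"published digest is malformed: {text.strip()!r}")
    return m.group(1).lower()


def fetch_ruleset(name, fetch_md5, fetch_tarball, max_attempts=3):
    """Download and verify `name`; return the tarball bytes.

    fetch_md5(name) -> str | None and fetch_tarball(name) -> bytes are
    assumptions standing in for HTTP calls. A bad digest file aborts before
    any download; a content mismatch is retried at most max_attempts times
    and then reported, instead of looping forever.
    """
    expected = parse_md5(fetch_md5(name))
    for _attempt in range(max_attempts):
        data = fetch_tarball(name)
        if hashlib.md5(data).hexdigest() == expected:
            return data
    raise RulesetError(f"{name}: digest mismatch after {max_attempts} attempts")


# Constructed stand-in for the rules server: name -> (digest body, tarball bytes).
GOOD_TARBALL = b"constructed tarball contents"
SERVER = {
    "community-rules.tar.gz": (hashlib.md5(GOOD_TARBALL).hexdigest() + "  community-rules.tar.gz\n", GOOD_TARBALL),
    "etpro.rules.tar.gz": (None, b"whatever came back instead"),     # digest endpoint returned nothing
    "stale.rules.tar.gz": ("0" * 32 + "\n", GOOD_TARBALL),            # digest does not match content
}


class CountingFetcher:
    """Records how many tarball downloads happen so the retry cap is observable."""

    def __init__(self, server):
        self.server = server
        self.downloads = 0

    def md5(self, name):
        return self.server[name][0]

    def tarball(self, name):
        self.downloads += 1
        return self.server[name][1]


def outcome(name, max_attempts=3):
    """Return ("ok", tarball_length, downloads) or ("error", message, downloads)."""
    fetcher = CountingFetcher(SERVER)
    try:
        data = fetch_ruleset(name, fetcher.md5, fetcher.tarball, max_attempts)
        return ("ok", len(data), fetcher.downloads)
    except RulesetError as exc:
        return ("error", str(exc), fetcher.downloads)


if __name__ == "__main__":
    for ruleset in SERVER:
        print(ruleset, outcome(ruleset))
```

With the constructed table, community-rules verifies on the first download, etpro aborts before any download because its digest body is empty, and stale stops after exactly three downloads with a mismatch error rather than retrying indefinitely.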
Dorian Promo | 20 Nov 21:23 2015

content alerts for re-transmit packets

My match content rule only gives an alert for the original packet, not for re-transmits.
How can I change that to fire alerts on retransmits?

Thank you

snort 2.9.7.6 GRE (Build 285)
Alex Samad | 20 Nov 10:01 2015

building rpms for centos6

Hi

I notice there are rpms for centos7 on the web site but I don't see
any or can't find any for centos6.

This is what I have tried so far
yum install -y pcre pcre-devel gcc flex byacc bison l libxml2-devel
kernel-devel  libdnet libdnet-devel  autoconf automake libpcap-devel
rpm-build
wget https://snort.org/downloads/snort/snort-2.9.7.6-1.src.rpm
wget https://snort.org/downloads/snort/daq-2.0.6-1.src.rpm
yum install rpm-build
yum install http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.2.el6.rf.x86_64.rpm
http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.2.el6.rf.x86_64.rpm

yum install https://forensics.cert.org/centos/cert/6/x86_64/luajit-2.0.2-9.el6.x86_64.rpm
https://forensics.cert.org/centos/cert/6/x86_64/luajit-devel-2.0.2-9.el6.x86_64.rpm

yum install openssl-devel.x86_64

rpmbuild -bb ~/rpmbuild/SPECS/daq.spec

rpm -ivh daq

rpmbuild -bb ~/rpmbuild/SPECS/snort.spec
### I tried to build the basic one first then try with the openid

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.Rg6ESq (%install)

+ find doc -maxdepth 1 -type f -not -name 'Makefile*' -exec
/usr/bin/install -p -m 0644 '{}'
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/share/doc/snort-2.9.7.6
';'
+ /bin/rm -f '/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/share/doc/snort-2.9.7.6/Makefile.*'
+ '[' plain = openappid ']'
+ /usr/lib/rpm/find-debuginfo.sh --strict-build-id
/root/rpmbuild/BUILD/snort-2.9.7.6
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_ssl_preproc.so.0.0.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_modbus_preproc.so.0.0.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_pop_preproc.so.0.0.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_ssh_preproc.so.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_smtp_preproc.so.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_sdf_preproc.so.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_sdf_preproc.so.0.0.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_sdf_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_sdf_preproc.so.0
extracting debug info from
/root/rpmbuild/BUILDROOT/snort-2.9.7.6-1.x86_64/usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_pop_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.6_dynamicpreprocessor/libsf_pop_preproc.so.0


Rafael Leiva-Ochoa | 19 Nov 22:48 2015

Re: Stream5 configuration with Windows, and Linux

Any idea why I am getting the 

"Initializing rule chains...

ERROR: /etc/snort/snort.conf(281) Unknown rule type: track_udp."

Error?

Thanks,

Rafael


On Thu, Nov 19, 2015 at 1:09 PM, Rafael Leiva-Ochoa <spawn <at> rloteck.net> wrote:
Perfect, it is giving me more information about the problem. Here is the output:

root <at> snort-sensor1 ~]# snort -i eth1 -c /etc/snort/snort.conf -A console

Running in IDS mode


        --== Initializing Snort ==--

Initializing Output Plugins!

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file "/etc/snort/snort.conf"

PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]

PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]

PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]

PortVar 'SSH_PORTS' defined :  [ 22 ]

PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]

PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]

PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]

PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]

Detection:

   Search-Method = AC-Full-Q

    Split Any/Any group = enabled

    Search-Method-Optimizations = enabled

    Maximum pattern length = 20

Tagged Packet Limit: 256

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done

Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-pdf.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/policy-social.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-iis.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/exploit-kit.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-tftp.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-other.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-multimedia.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-webapp.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-dns.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-other.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-other.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-other.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-office.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-java.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-other.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-snmp.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/pua-p2p.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-windows.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-cnc.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-flash.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-nntp.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/indicator-shellcode.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mail.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/netbios.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-image.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-linux.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mysql.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-apache.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-voip.so... done

  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-oracle.so... done

  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules

Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done

  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done

  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/

Log directory = /var/log/snort

WARNING: ip4 normalizations disabled because not inline.

WARNING: tcp normalizations disabled because not inline.

WARNING: icmp4 normalizations disabled because not inline.

WARNING: ip6 normalizations disabled because not inline.

WARNING: icmp6 normalizations disabled because not inline.

Frag3 global config:

    Max frags: 65536

    Fragment memory cap: 4194304 bytes

Frag3 engine config:

    Bound Address: default

    Target-based policy: LINUX

    Fragment timeout: 180 seconds

    Fragment min_ttl:   1

    Fragment Anomalies: Alert

    Overlap Limit:     10

    Min fragment Length:     100

      Max Expected Streams: 768

Stream global config:

    Track TCP sessions: ACTIVE

    Max TCP sessions: 262144

    TCP cache pruning timeout: 30 seconds

    TCP cache nominal timeout: 3600 seconds

    Memcap (for reassembly packet storage): 8388608

    Track UDP sessions: ACTIVE

    Max UDP sessions: 131072

    UDP cache pruning timeout: 30 seconds

    UDP cache nominal timeout: 180 seconds

    Track ICMP sessions: INACTIVE

    Track IP sessions: INACTIVE

    Log info if session memory consumption exceeds 1048576

    Send up to 0 active responses

    Protocol Aware Flushing: ACTIVE

        Maximum Flush Point: 16000

Stream TCP Policy config:

    Bound Addresses: 192.168.1.28

    Reassembly Policy: WINDOWS

    Timeout: 30 seconds

    Maximum number of bytes to queue per session: 1048576

    Maximum number of segs to queue per session: 2621

    Reassembly Ports:

Stream TCP Policy config:

    Bound Addresses: 192.168.1.30

    Reassembly Policy: WINDOWS

    Timeout: 30 seconds

    Maximum number of bytes to queue per session: 1048576

    Maximum number of segs to queue per session: 2621

    Reassembly Ports:

Stream TCP Policy config:

    Bound Address: default

    Reassembly Policy: LINUX

    Timeout: 30 seconds

    Maximum number of bytes to queue per session: 1048576

    Maximum number of segs to queue per session: 2621

    Reassembly Ports:

Stream UDP Policy config:

    Timeout: 180 seconds

HttpInspect Config:

    GLOBAL CONFIG

      Detect Proxy Usage:       NO

      IIS Unicode Map Filename: /etc/snort/unicode.map

      IIS Unicode Map Codepage: 1252

      Memcap used for logging URI and Hostname: 150994944

      Max Gzip Memory: 838860

      Max Gzip Sessions: 1807

      Gzip Compress Depth: 65535

      Gzip Decompress Depth: 65535

    DEFAULT SERVER CONFIG:

      Server profile: All

      Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 

      Server Flow Depth: 0

      Client Flow Depth: 0

      Max Chunk Length: 500000

      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times

      Max Header Field Length: 750

      Max Number Header Fields: 100

      Max Number of WhiteSpaces allowed with header folding: 200

      Inspect Pipeline Requests: YES

      URI Discovery Strict Mode: NO

      Allow Proxy Usage: NO

      Disable Alerting: NO

      Oversize Dir Length: 500

      Only inspect URI: NO

      Normalize HTTP Headers: NO

      Inspect HTTP Cookies: YES

      Inspect HTTP Responses: YES

      Extract Gzip from responses: YES

      Decompress response files:   

      Unlimited decompression of gzip data from responses: YES

      Normalize Javascripts in HTTP Responses: YES

      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200

      Normalize HTTP Cookies: NO

      Enable XFF and True Client IP: NO

      Log HTTP URI data: NO

      Log HTTP Hostname data: NO

      Extended ASCII code support in URI: NO

      Ascii: YES alert: NO

      Double Decoding: YES alert: NO

      %U Encoding: YES alert: YES

      Bare Byte: YES alert: NO

      UTF 8: YES alert: NO

      IIS Unicode: YES alert: NO

      Multiple Slash: YES alert: NO

      IIS Backslash: YES alert: NO

      Directory Traversal: YES alert: NO

      Web Root Traversal: YES alert: NO

      Apache WhiteSpace: YES alert: NO

      IIS Delimiter: YES alert: NO

      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 

      Whitespace Characters: 0x09 0x0b 0x0c 0x0d 

rpc_decode arguments:

    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 

    alert_fragments: INACTIVE

    alert_large_fragments: INACTIVE

    alert_incomplete: INACTIVE

    alert_multiple_requests: INACTIVE

FTPTelnet Config:

    GLOBAL CONFIG

      Inspection Type: stateful

      Check for Encrypted Traffic: YES alert: NO

      Continue to check encrypted data: YES

    TELNET CONFIG:

      Ports: 23 

      Are You There Threshold: 20

      Normalize: YES

      Detect Anomalies: YES

    FTP CONFIG:

      FTP Server: default

        Ports (PAF): 21 2100 3535 

        Check for Telnet Cmds: YES alert: YES

        Ignore Telnet Cmd Operations: YES alert: YES

        Ignore open data channels: NO

      FTP Client: default

        Check for Bounce Attacks: YES alert: YES

        Check for Telnet Cmds: YES alert: YES

        Ignore Telnet Cmd Operations: YES alert: YES

        Max Response Length: 256

SMTP Config:

    Ports: 25 465 587 691 

    Inspection Type: Stateful

    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50 

    Ignore Data: No

    Ignore TLS Data: No

    Ignore SMTP Alerts: No

    Max Command Line Length: 512

    Max Specific Command Line Length: 

       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 

       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 

       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 

       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 

       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 

       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 

       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 

       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 

       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246 

       XUSR:246 

    Max Header Line Length: 1000

    Max Response Line Length: 512

    X-Link2State Alert: Yes

    Drop on X-Link2State Alert: No

    Alert on commands: None

    Alert on unknown commands: No

    SMTP Memcap: 838860

    MIME Max Mem: 838860

    Base64 Decoding: Enabled

    Base64 Decoding Depth: Unlimited

    Quoted-Printable Decoding: Enabled

    Quoted-Printable Decoding Depth: Unlimited

    Unix-to-Unix Decoding: Enabled

    Unix-to-Unix Decoding Depth: Unlimited

    Non-Encoded MIME attachment Extraction: Enabled

    Non-Encoded MIME attachment Extraction Depth: Unlimited

    Log Attachment filename: Enabled

    Log MAIL FROM Address: Enabled

    Log RCPT TO Addresses: Enabled

    Log Email Headers: Enabled

    Email Hdrs Log Depth: 1464

SSH config: 

    Autodetection: ENABLED

    Challenge-Response Overflow Alert: ENABLED

    SSH1 CRC32 Alert: ENABLED

    Server Version String Overflow Alert: ENABLED

    Protocol Mismatch Alert: ENABLED

    Bad Message Direction Alert: DISABLED

    Bad Payload Size Alert: DISABLED

    Unrecognized Version Alert: DISABLED

    Max Encrypted Packets: 20  

    Max Server Version String Length: 100  

    MaxClientBytes: 19600 (Default) 

    Ports:

22

DCE/RPC 2 Preprocessor Configuration

  Global Configuration

    DCE/RPC Defragmentation: Enabled

    Memcap: 102400 KB

    Events: co 

    SMB Fingerprint policy: Disabled

  Server Default Configuration

    Policy: WinXP

    Detect ports (PAF)

      SMB: 139 445 

      TCP: 135 

      UDP: 135 

      RPC over HTTP server: 593 

      RPC over HTTP proxy: None

    Autodetect ports (PAF)

      SMB: None

      TCP: 1025-65535 

      UDP: 1025-65535 

      RPC over HTTP server: 1025-65535 

      RPC over HTTP proxy: None

    Invalid SMB shares: C$ D$ ADMIN$ 

    Maximum SMB command chaining: 3 commands

    SMB file inspection: Disabled

DNS config: 

    DNS Client rdata txt Overflow Alert: ACTIVE

    Obsolete DNS RR Types Alert: INACTIVE

    Experimental DNS RR Types Alert: INACTIVE

    Ports: 53

SSLPP config:

    Encrypted packets: not inspected

    Ports:

      443      465      563      636      989

      992      993      994      995     5061

     7801     7802     7900     7901     7902

     7903     7904     7905     7906     7907

     7908     7909     7910     7911     7912

     7913     7914     7915     7916     7917

     7918     7919     7920

    Server side data is trusted

    Maximum SSL Heartbeat length: 0

Sensitive Data preprocessor config: 

    Global Alert Threshold: 25

    Masked Output: DISABLED

SIP config: 

    Max number of sessions: 40000  

    Max number of dialogs in a session: 4 (Default) 

    Status: ENABLED

    Ignore media channel: DISABLED

    Max URI length: 512  

    Max Call ID length: 80  

    Max Request name length: 20 (Default) 

    Max From length: 256 (Default) 

    Max To length: 256 (Default) 

    Max Via length: 1024 (Default) 

    Max Contact length: 512  

    Max Content length: 2048  

    Ports:

5060 5061 5600

    Methods:

  invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack

IMAP Config:

    Ports: 143 

    IMAP Memcap: 838860

    MIME Max Mem: 838860

    Base64 Decoding: Enabled

    Base64 Decoding Depth: Unlimited

    Quoted-Printable Decoding: Enabled

    Quoted-Printable Decoding Depth: Unlimited

    Unix-to-Unix Decoding: Enabled

    Unix-to-Unix Decoding Depth: Unlimited

    Non-Encoded MIME attachment Extraction: Enabled

    Non-Encoded MIME attachment Extraction Depth: Unlimited

POP Config:

    Ports: 110 

    POP Memcap: 838860

    MIME Max Mem: 838860

    Base64 Decoding: Enabled

    Base64 Decoding Depth: Unlimited

    Quoted-Printable Decoding: Enabled

    Quoted-Printable Decoding Depth: Unlimited

    Unix-to-Unix Decoding: Enabled

    Unix-to-Unix Decoding Depth: Unlimited

    Non-Encoded MIME attachment Extraction: Enabled

    Non-Encoded MIME attachment Extraction Depth: Unlimited

Modbus config: 

    Ports:

502

DNP3 config: 

    Memcap: 262144

    Check Link-Layer CRCs: ENABLED

    Ports:

20000

Reputation config: 

WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.


+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

ERROR: /etc/snort/snort.conf(281) Unknown rule type: track_udp.

Fatal Error, Quitting..


Any ideas?


On Thu, Nov 19, 2015 at 1:01 PM, James Lay <jlay <at> slave-tothe-box.net> wrote:
Comment out:

$RepeatedMsgReduction on

in your rsyslog.conf if you want to see all the messages.

Or just start it without the -D and run it in the foreground.

James

On 2015-11-19 13:58, Rafael Leiva-Ochoa wrote:
> Where do I look for the rate-limited messages? That is what is
> confusing me.
>
> Thanks,
>
> Rafael
>
> On Thu, Nov 19, 2015 at 12:52 PM, James Lay <jlay <at> slave-tothe-box.net>
> wrote:
>
>> On 2015-11-19 13:47, Rafael Leiva-Ochoa wrote:
>>
>>> Thanks for the reply James. Snort was working fine, but when I
>>> added
>>> the following entries:
>>>
>>> preprocessor stream5_global: track_tcp yes
>>>
>>> preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy
>>> windows
>>>
>>> preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy
>>> windows
>>>
>>> preprocessor stream5_tcp: policy linux
>>>
>>> It gives me that "rsyslog-limiting" error. I have no idea what that
>>> has to do with the changes I made. All I want to do is to support
>>> reassembly for both Linux and Windows systems. I only have 2 Windows
>>> systems, so I thought it would be easy to define them explicitly in the
>>> configuration as you see above, but it is not working in the Snort
>>> configuration.
>>>
>>> Thanks,
>>>
>>> Rafael
>>
>> Ya that looks good...though you can most likely drop the "/32" since
>> these are just single IPs.  I'd be curious to see what the
>> rate-limited messages are.
>>
>> James
>>
>> On Thu, Nov 19, 2015 at 12:39 PM, James Lay
>> <jlay <at> slave-tothe-box.net>
>> wrote:
>>
>> On 2015-11-19 12:26, Rafael Leiva-Ochoa wrote:
>> Hi All,
>>
>> I am trying to configure the Stream5 preprocessor to do
>> reassembly
>> for both Windows and Linux using the following configuration:
>>
>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>>
>> preprocessor stream5_global: track_tcp yes
>>
>> preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy windows
>>
>> preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy windows
>>
>> preprocessor stream5_tcp: policy linux
>>
>> track_udp yes, \
>>
>> track_icmp no, \
>>
>> max_tcp 262144, \
>>
>> max_udp 131072, \
>>
>> max_active_responses 2, \
>>
>> min_response_seconds 5
>>
>> detect_anomalies, require_3whs 180, \
>>
>> overlap_limit 10, small_segments 0 bytes 150, timeout 180, \
>>
>> ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
>>
>> 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
>>
>> 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>
>> ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7907 7000 7001 7005 7071 7144 7145 7510 7802 7770 7777 7778 7779 \
>>
>> 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>>
>> 7917 7918 7919 7920 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712
>>
>> But, I only get this error when trying to run it.
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Frag3 global config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max frags: 65536
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment memory cap: 4194304 bytes
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Frag3 engine config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Address: default
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Target-based policy: LINUX
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment timeout: 180 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment min_ttl:   1
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment Anomalies: Alert
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Overlap Limit:     10
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Min fragment Length:     100
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Expected Streams: 768
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream global config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track TCP sessions: ACTIVE
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max TCP sessions: 262144
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     TCP cache pruning timeout: 30 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     TCP cache nominal timeout: 3600 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Memcap (for reassembly packet storage): 8388608
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track UDP sessions: ACTIVE
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max UDP sessions: 131072
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     UDP cache pruning timeout: 30 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     UDP cache nominal timeout: 180 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track ICMP sessions: INACTIVE
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track IP sessions: INACTIVE
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Log info if session memory consumption exceeds 1048576
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Send up to 0 active responses
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Protocol Aware Flushing: ACTIVE
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:         Maximum Flush Point: 16000
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Addresses: 192.168.1.28
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: WINDOWS
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Addresses: 192.168.1.30
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: WINDOWS
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Address: default
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: LINUX
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream UDP Policy config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 180 seconds
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]: HttpInspect Config:
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:     GLOBAL CONFIG
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       Detect Proxy Usage:       NO
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       IIS Unicode Map Filename: /etc/snort/unicode.map
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       IIS Unicode Map Codepage: 1252
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       Memcap used for logging URI and Hostname: 150994944
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Gzip Memory: 838860
>>
>> Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Gzip Sessions: 1807
>>
>> Nov 19 11:24:25 snort-sensor1 rsyslogd-2177: imuxsock begins to drop messages from pid 24078 due to rate-limiting
>> Any ideas on how to fix this?
>>
>> Thanks,
>>
>> Rafael
>>
>> What's the issue?  The syslog entry?  Normal at startup with Snort
>> if
>> you have rsyslog rate-limiting on.  Comment out:
>>
>> $RepeatedMsgReduction on
>>
>> in your rsyslog.conf if you want to see all the messages.
>>
>> James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
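The `ERROR: /etc/snort/snort.conf(281) Unknown rule type: track_udp.` message at the top of this thread is what Snort prints when a logical configuration line does not begin with a directive keyword. Snort joins physical lines that end in a backslash into one logical line, so the `track_udp yes, \` line from the posted stream5 block is only part of `preprocessor stream5_global:` when the line above it ends in a backslash; standing alone after `preprocessor stream5_tcp: policy linux`, it starts a new logical line whose first token is `track_udp`. The following script is an added example, not Snort's parser or code from the thread: it reproduces that check on the posted block (port lists shortened) and on a version with the options reattached to their directives. `KNOWN_RULE_TYPES`, `logical_lines`, `find_unknown_rule_types`, `BROKEN_CONF` and `FIXED_CONF` are names for this example only, and the keyword set is a constructed subset of what Snort accepts.

```python
"""Reproduce Snort's "Unknown rule type" check on a snort.conf fragment.

Added example for this thread, not Snort code. Snort joins physical lines
that end in a backslash into one logical line and expects each logical line
to begin with a directive keyword (what the error calls the rule type).
"""
import re

# Directive keywords Snort 2.x accepts at the start of a logical line.
# Constructed subset for this example, not the complete list Snort knows.
KNOWN_RULE_TYPES = {
    "alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic",
    "preprocessor", "config", "var", "portvar", "ipvar", "include", "output",
    "ruletype", "dynamicpreprocessor", "dynamicengine", "dynamicdetection",
    "event_filter", "threshold", "suppress", "rate_filter", "attribute_table",
}


def logical_lines(conf_text):
    """Yield (first_physical_line_no, joined_text) for every logical line.

    A trailing backslash joins the next physical line; blank and comment
    lines are skipped even inside a continuation (a simplification of the
    real parser that is good enough for this check).
    """
    buf, start = [], None
    for n, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # backslash on the very last line: emit what was collected
        yield start, " ".join(buf)


def find_unknown_rule_types(conf_text):
    """Return [(line_no, first_token)] for logical lines Snort would reject."""
    bad = []
    for n, text in logical_lines(conf_text):
        token = re.split(r"[\s:,]", text, maxsplit=1)[0]
        if token not in KNOWN_RULE_TYPES:
            bad.append((n, token))
    return bad


# The stream5 block as posted in the thread, with the port lists shortened.
BROKEN_CONF = """\
# Target-Based stateful inspection/stream reassembly.  See README.stream5
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy windows
preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy windows
preprocessor stream5_tcp: policy linux
   track_udp yes, \\
   track_icmp no, \\
   max_tcp 262144, \\
   max_udp 131072, \\
   max_active_responses 2, \\
   min_response_seconds 5
detect_anomalies, require_3whs 180, \\
   overlap_limit 10, small_segments 0 bytes 150, timeout 180, \\
    ports client 21 22 23 25 42 53, \\
    ports both 36 80 443
"""

# The same options attached to the directives they belong to: the global
# options continue the stream5_global line and the per-policy options
# continue the default (linux) stream5_tcp line.
FIXED_CONF = """\
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   track_icmp no, \\
   max_tcp 262144, \\
   max_udp 131072, \\
   max_active_responses 2, \\
   min_response_seconds 5
preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy windows
preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy windows
preprocessor stream5_tcp: policy linux, detect_anomalies, require_3whs 180, \\
   overlap_limit 10, small_segments 0 bytes 150, timeout 180, \\
    ports client 21 22 23 25 42 53, \\
    ports both 36 80 443
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, find_unknown_rule_types(conf))
```

Running it reports `track_udp` (line 6 of the fragment) and `detect_anomalies` (line 12) for the posted block and nothing for the reattached one. Snort's own line number (281 in the error) is the position in the full snort.conf, so this check is best run on the whole file rather than a fragment.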


Rafael Leiva-Ochoa | 19 Nov 21:11 2015

Stream5 configuration with Windows, and Linux

Hi All,

    I am trying to configure the Stream5 preprocessor to do reassembly for both Windows and Linux using the following configuration:

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5

preprocessor stream5_global: track_tcp yes

preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy windows

preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy windows

preprocessor stream5_tcp: policy linux

   track_udp yes, \

   track_icmp no, \

   max_tcp 262144, \

   max_udp 131072, \

   max_active_responses 2, \

   min_response_seconds 5

detect_anomalies, require_3whs 180, \

   overlap_limit 10, small_segments 0 bytes 150, timeout 180, \

    ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \

        161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \

        7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \

    ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7907 7000 7001 7005 7071 7144 7145 7510 7802 7770 7777 7778 7779 \

        7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \

        7917 7918 7919 7920 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712


But, I only get this error when trying to run it.

Nov 19 11:24:25 snort-sensor1 snort[24078]: Frag3 global config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max frags: 65536

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment memory cap: 4194304 bytes

Nov 19 11:24:25 snort-sensor1 snort[24078]: Frag3 engine config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Address: default

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Target-based policy: LINUX

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment timeout: 180 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment min_ttl:   1

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment Anomalies: Alert

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Overlap Limit:     10

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Min fragment Length:     100

Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Expected Streams: 768

Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream global config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track TCP sessions: ACTIVE

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max TCP sessions: 262144

Nov 19 11:24:25 snort-sensor1 snort[24078]:     TCP cache pruning timeout: 30 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     TCP cache nominal timeout: 3600 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Memcap (for reassembly packet storage): 8388608

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track UDP sessions: ACTIVE

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max UDP sessions: 131072

Nov 19 11:24:25 snort-sensor1 snort[24078]:     UDP cache pruning timeout: 30 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     UDP cache nominal timeout: 180 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track ICMP sessions: INACTIVE

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track IP sessions: INACTIVE

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Log info if session memory consumption exceeds 1048576

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Send up to 0 active responses

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Protocol Aware Flushing: ACTIVE

Nov 19 11:24:25 snort-sensor1 snort[24078]:         Maximum Flush Point: 16000

Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Addresses: 192.168.1.28

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: WINDOWS

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:

Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Addresses: 192.168.1.30

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: WINDOWS

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:

Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Address: default

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: LINUX

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:

Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream UDP Policy config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 180 seconds

Nov 19 11:24:25 snort-sensor1 snort[24078]: HttpInspect Config:

Nov 19 11:24:25 snort-sensor1 snort[24078]:     GLOBAL CONFIG

Nov 19 11:24:25 snort-sensor1 snort[24078]:       Detect Proxy Usage:       NO

Nov 19 11:24:25 snort-sensor1 snort[24078]:       IIS Unicode Map Filename: /etc/snort/unicode.map

Nov 19 11:24:25 snort-sensor1 snort[24078]:       IIS Unicode Map Codepage: 1252

Nov 19 11:24:25 snort-sensor1 snort[24078]:       Memcap used for logging URI and Hostname: 150994944

Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Gzip Memory: 838860

Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Gzip Sessions: 1807

Nov 19 11:24:25 snort-sensor1 rsyslogd-2177: imuxsock begins to drop messages from pid 24078 due to rate-limiting

Any ideas on how to fix this?

Thanks,

Rafael
Rafael Leiva-Ochoa | 19 Nov 20:26 2015

Stream5 configuration with Windows, and Linux
Navneet Singh | 19 Nov 16:53 2015

Snort with openappid doesn't block android apps

Hi All

I am testing Snort 2.9.7.6 with OpenAppID on an ARM platform. Snort is using nfq as the DAQ mode and I am able to block various sites according to their appid rules in various browsers. But none of the appids that also have their own Android application are blocked on the client; however, if I browse the same site using a browser on the client it is blocked fine. I tried known applications like Facebook, YouTube and WhatsApp but none of them could be blocked.

I use this command
sudo snort -Q --daq nfq --daq-var device=wlan1 --daq-var queue=1 -c /etc/snort/snort.conf -A console

followed by
sudo iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -I FORWARD -j NFQUEUE --queue-num 1
sudo iptables -I INPUT -j NFQUEUE --queue-num 1
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 1
to run snort.

Here wlan1 is in AP mode and other clients are connected to this interface.

I am also attaching the snort.conf and local.rules files and the logs from when I run Snort.

Please help me with this issue.

--
Regards
Navneet

Attachment (snort.conf): application/octet-stream, 35 KiB
Attachment (local.rules): application/octet-stream, 1215 bytes
Attachment (snort_log): application/octet-stream, 71 KiB
Chirag Pandya | 18 Nov 10:08 2015

Integration of Artificial Intelligence in Snort IDS

Hello everyone,
I am a newbie to Snort and wish to integrate artificial neural networks into Snort.
But I have no idea where to start; I have gone through the Snort documentation but could not find anything relevant to it.
So can anyone tell me where I should start, or point me to any online resources you may know of?
Your time and help are greatly appreciated.


Turnbough, Bradley E. | 17 Nov 17:06 2015

Threshold not working properly...

I currently have this rule:

event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 120

Is this syntax right?  I am still getting alerts for events that have occurred less than 120 seconds apart,
with the same source IP.

Brad
_____________________________________________________________ This e-mail transmission
contains information that is confidential and may be privileged. It is intended only for the
addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it
in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the
contents of this information is prohibited. Please reply to the message immediately by informing the
sender that the message was misdirected. After replying, please erase it from your computer system. Your
assistance in correcting this error is appreciated.
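The filter line from the message above, run against constructed alerts, as an added example that is not code from Snort or from the thread. It implements the documented behaviour of `type limit`, `threshold` and `both` with one counter per (gen_id, sig_id, tracked address), which is the granularity Snort keeps its threshold state at: a global `gen_id 0, sig_id 0` limit of 1 per 120 seconds therefore still emits one alert per *signature* per source, so two different SIDs from the same host 45 seconds apart both show up. A fresh interval opens at the first event seen after the previous interval expired. `EventFilter`, `run_filter`, `BRAD_FILTER` and the events in `SAMPLE_EVENTS` are names and data made up for this example.

```python
"""Simulate Snort event_filter decisions on constructed alerts.

Added example for this thread, not Snort code. It implements the documented
event_filter types (limit, threshold, both) with one counter per
(gen_id, sig_id, tracked address). A new interval opens at the first event
seen after the previous one expired.
"""


class EventFilter:
    """One event_filter line plus the per-key counters it keeps."""

    def __init__(self, gen_id, sig_id, kind, track, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.gen_id, self.sig_id = gen_id, sig_id
        self.kind, self.track = kind, track
        self.count, self.seconds = count, seconds
        self._state = {}  # (gid, sid, addr) -> (interval_start, events_in_interval)

    @classmethod
    def parse(cls, line):
        """Parse a single-line 'event_filter gen_id N, sig_id M, ...' directive."""
        body = line.strip()
        if not body.startswith("event_filter"):
            raise ValueError("not an event_filter line")
        kv = {}
        for part in body[len("event_filter"):].split(","):
            key, value = part.split()
            kv[key] = value
        return cls(int(kv["gen_id"]), int(kv["sig_id"]), kv["type"], kv["track"],
                   int(kv["count"]), int(kv["seconds"]))

    def applies_to(self, gid, sid):
        """gen_id 0, sig_id 0 is the global filter and covers every signature."""
        return (self.gen_id, self.sig_id) in ((0, 0), (gid, sid))

    def log(self, gid, sid, src, dst, ts):
        """Return True if the event is emitted, False if the filter drops it."""
        if not self.applies_to(gid, sid):
            return True
        # The global filter is still counted per signature, not per source alone.
        key = (gid, sid, src if self.track == "by_src" else dst)
        start, n = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # first event after expiry opens a new interval
        n += 1
        self._state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count      # first `count` events of the interval
        if self.kind == "threshold":
            return n % self.count == 0  # every `count`-th event
        return n == self.count          # "both": once per interval, at event `count`


BRAD_FILTER = "event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 120"

# Constructed events: (gen_id, sig_id, src, dst, seconds since the first alert).
SAMPLE_EVENTS = [
    (1, 1000001, "10.0.0.5", "10.0.0.9", 0),    # first hit: emitted
    (1, 1000001, "10.0.0.5", "10.0.0.9", 30),   # same sid, same src, 30 s later: dropped
    (1, 1000002, "10.0.0.5", "10.0.0.9", 45),   # different sid, same src: emitted
    (1, 1000001, "10.0.0.7", "10.0.0.9", 60),   # same sid, different src: emitted
    (1, 1000001, "10.0.0.5", "10.0.0.9", 125),  # 125 s after the first: new interval
]


def run_filter(filter_line, events):
    """Apply one event_filter line to events in order; return the emit decisions."""
    filt = EventFilter.parse(filter_line)
    return [filt.log(*ev) for ev in events]


if __name__ == "__main__":
    for ev, emitted in zip(SAMPLE_EVENTS, run_filter(BRAD_FILTER, SAMPLE_EVENTS)):
        print("ALERT   " if emitted else "DROPPED ", ev)
```

The decisions for the five constructed events are emitted, dropped, emitted, emitted, emitted: only the second event (same signature, same source, inside the 120 second interval) is held back. To rate-limit everything from one source regardless of signature, the tool for that in Snort is `rate_filter` with its `new_action`, or a per-rule `event_filter` on the specific SID that is noisy.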
