<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel">
    <title>gmane.comp.security.ids.snort.devel</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3870"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3869"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3868"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3867"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3866"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3865"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3864"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3863"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3862"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3861"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3860"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3859"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3858"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3857"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3855"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3854"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3853"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3852"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3851"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3850"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3870">
    <title>problem with snort.conf</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3870</link>
    <description>When downloading the rule set from here:

http://www.snort.org/pub-bin/oinkmaster.cgi/&lt;oinkcode here&gt;/snortrules-snapshot-CURRENT.tar.gz

The preprocessor frag3_global line is not comma separated.

It has:
#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144

When it should have:
#preprocessor frag3_global: max_frags 65536, prealloc_frags 262144

As you can imagine it will throw an error because of this missing value. 

The snort.conf in the latest snort tarball is correct.


Cheers,
Jeff


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK &amp; win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&amp;url=/
</description>
    <dc:creator>Jeff Dell</dc:creator>
    <dc:date>2008-11-17T21:24:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3869">
    <title>question on thresholding code</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3869</link>
    <description>Hello !

In the thresholding code (sfthreshold.c, in snort 2.8) there is a
static variable s_enabled which is set to 1.
What is the use of this variable?

I didn't find it being set to 0 anywhere (in any condition).

Please clarify.

Thanks

</description>
    <dc:creator>snort user</dc:creator>
    <dc:date>2008-11-07T16:00:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3868">
    <title>Re: Port Matching Logic</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3868</link>
    <description>I would argue that the correct behavior would be for snort to flag
such misconfiguration issues or logic errors on start-up and fail to
launch.

In this case though, I'd say it is less about the "rule writer"
(although I could see a hand-crafted rule with such a logic problem)
and more about a snort configuration with a logic error (as you
pointed out).

For your example, the logic error could be avoided with the following:
portvar HTTP_PORTS [80,1025:]

However, I wouldn't recommend such a configuration unless you're
hoping to seriously bog down your ability to inspect traffic..... (Try
playing with incrementally adding more and more ports to this variable
and you'll see what I mean).

I see great value in having automated "logic checks" report when/if I've
done something unintended.

Cheers, John

On Mon, Nov 3, 2008 at 11:22 AM, snort user &lt;snort.user&lt; at &gt;gmail.com&gt; wrote:

</description>
    <dc:creator>John Pritchard</dc:creator>
    <dc:date>2008-11-03T21:26:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3867">
    <title>reading pcap from pipes</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3867</link>
    <description>Hello,

Some time ago, I asked how to use a pipe as input for stdin on your
forum: http://www.snort.org/reg-bin/forums.cgi?forum_id=5&amp;topic_id=6585
Because I received no answer, today I went looking a bit why this does
not work. It seems all files to be opened are checked on S_IFREG.
Disabling that check gives no error for me, so I wonder why that check
is in there. Can someone explain this?

If there is no particular reason to check for S_IFREG in the case of
PCAP_SINGLE, I might make a patch removing it.
I have not looked at the code for other types, but if these are
implemented using a select or poll mechanism, I see no reason to keep
the S_IFREG checks at all.

Also, I noticed someone recently posted a patch on using stdin (
http://www.snort.org/reg-bin/forums.cgi?forum_id=4&amp;topic_id=6609 ).
I think this (reversed) patch is not the correct way to do this, but
being able to use "snort -r -" might be a useful option.
If not, "snort -r /proc/self/fd/0" does of course already work (with files).

</description>
    <dc:creator>Môshe Van der Sterre</dc:creator>
    <dc:date>2008-11-03T10:13:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3866">
    <title>Re: Portlists</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3866</link>
    <description>What does it mean by a pure not portobject ?


Ref: parser.c (snort 2.8)

    /* check for a pure not rule - fatal if we find one */
    if( PortObjectIsPureNot( portobject ) )
    {
      FatalError("Pure NOT ports are not allowed!\n");
      /*
      if( dst_flag )
        rtn-&gt;flags |= EXCEPT_DST_PORT;
      else
        rtn-&gt;flags |= EXCEPT_SRC_PORT;
      */
    }


With PortLists, is the function CheckDstPortNotEq used ?
It seems not.


Thanks



On Tue, Oct 28, 2008 at 4:44 PM, Steven Sturges
&lt;steve.sturges&lt; at &gt;sourcefire.com&gt; wrote:

</description>
    <dc:creator>snort user</dc:creator>
    <dc:date>2008-10-30T12:23:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3865">
    <title>Re: Portlists</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3865</link>
    <description>Yes, this should be supported...

portvar TEST_PORTS [80,[1,2,3],8000:9000]
alert tcp any $TEST_PORTS -&gt; any any (msg:"Test ports"; sid:3;)

snort user wrote:

</description>
    <dc:creator>Steven Sturges</dc:creator>
    <dc:date>2008-10-28T20:44:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3864">
    <title>Portlists</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3864</link>
    <description>Hello,

With PORTLISTS (snort 2.8) does it support list of lists of ports/ranges?

for e.g. portvar TEST_PORTS [80,[1,2,3],8000:9000]

Thanks

</description>
    <dc:creator>snort user</dc:creator>
    <dc:date>2008-10-28T17:41:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3863">
    <title>Re: Unused code?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3863</link>
    <description>It determined whether the rule had been evaluated previously
(within the same packet) -- intended to improve performance.

That is handled differently code-wise in ac-bnfa.

snort user wrote:

</description>
    <dc:creator>Steven Sturges</dc:creator>
    <dc:date>2008-10-27T20:42:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3862">
    <title>Re: Unused code?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3862</link>
    <description>Thanks for the reply.
Can you please explain what the function did when MWM was used?

On Mon, Oct 27, 2008 at 4:27 PM, Steven Sturges
&lt;steve.sturges&lt; at &gt;sourcefire.com&gt; wrote:

</description>
    <dc:creator>snort user</dc:creator>
    <dc:date>2008-10-27T20:32:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3861">
    <title>Re: Unused code?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3861</link>
    <description>That was use when Wu-Manber pattern matcher was in Snort.

When that was removed, the non-default cases were removed.
The function was kept with the notion that it might be needed
in the future for other pattern match engines.

Cheers

snort user wrote:

</description>
    <dc:creator>Steven Sturges</dc:creator>
    <dc:date>2008-10-27T20:27:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3860">
    <title>Unused code?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3860</link>
    <description>Hello and greetings !

In snort 2.8 release --

In fpdetect.c, there are calls to function, mpseSetRuleMask but the
function does not seem to be doing much.
Can anyone explain the reason for this function?

Thanks ahead for any info.



void mpseSetRuleMask ( void *pvoid, BITOP * rm )
{
  MPSE * p = (MPSE*)pvoid;

  switch( p-&gt;method )
   {
     default:
       return ;
   }


}

</description>
    <dc:creator>snort user</dc:creator>
    <dc:date>2008-10-27T20:15:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3859">
    <title>Re: Problem Snort Reading STDIN</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3859</link>
    <description>Hey John,

Thanks for notifying us about this.  This seems to have happened a few
releases ago when we implemented code to read multiple pcaps from the
command line.  The fix should be in our next release.

Thanks,
Todd


John Gerber wrote:


</description>
    <dc:creator>Todd Wease</dc:creator>
    <dc:date>2008-10-27T15:12:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3858">
    <title>Problem Snort Reading STDIN</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3858</link>
    <description>_______________________________________________
Snort-devel mailing list
Snort-devel&lt; at &gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
</description>
    <dc:creator>John Gerber</dc:creator>
    <dc:date>2008-10-26T23:17:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3857">
    <title>Re: [Snort-users] Are there any test suite for snort?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3857</link>
    <description>Thank you, Richard!

I am trying the tips.

Jason

</description>
    <dc:creator>Jason Zhao</dc:creator>
    <dc:date>2008-10-25T03:40:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3855">
    <title>Re: Are there any test suite for snort?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3855</link>
    <description>FYI.

Thanks
Jason
Jason Zhao wrote:


</description>
    <dc:creator>Jason Zhao</dc:creator>
    <dc:date>2008-10-24T06:31:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3854">
    <title>Re: React with InlineMode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3854</link>
    <description>Hi Giacomo--

We'll have a look at your changes as time permits...

Cheers.
-steve

Giacomo Tesio wrote:

</description>
    <dc:creator>Steven Sturges</dc:creator>
    <dc:date>2008-10-23T21:50:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3853">
    <title>Re: Implementing timeouts in Snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3853</link>
    <description/>
    <dc:creator>Devdutt Patnaik</dc:creator>
    <dc:date>2008-10-21T21:27:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3852">
    <title>Re: Implementing timeouts in Snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3852</link>
    <description>Hi Devdutt--

Depending on what protocols your preprocessor is using, you
can leverage the stream API and store data that is associated
with the TCP or UDP session structure.

The data is then freed (providing you specify a free
function) when the session is terminated -- via timeout or
normal TCP FIN/FIN-ACK/etc.

Cheers.
-steve

Devdutt Patnaik wrote:

</description>
    <dc:creator>Steven Sturges</dc:creator>
    <dc:date>2008-10-21T12:39:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3851">
    <title>Implementing timeouts in Snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3851</link>
    <description/>
    <dc:creator>Devdutt Patnaik</dc:creator>
    <dc:date>2008-10-21T09:18:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3850">
    <title>Re: React with InlineMode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3850</link>
    <description/>
    <dc:creator>Giacomo Tesio</dc:creator>
    <dc:date>2008-10-17T08:06:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3849">
    <title>Re: React with InlineMode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/3849</link>
    <description/>
    <dc:creator>Giacomo Tesio</dc:creator>
    <dc:date>2008-10-17T08:05:13</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel</link>
  </textinput>
</rdf:RDF>
