<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel">
    <title>gmane.comp.security.ids.snort.devel</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5202"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5201"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5200"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5199"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5198"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5197"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5196"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5195"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5194"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5193"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5192"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5191"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5190"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5189"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5188"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5187"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5186"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5185"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5184"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5183"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5202">
    <title>Re: Snort 2.9.3 Beta Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5202</link>
    <description>&lt;pre&gt;
I'll post some excerpts from the doc, then I'll explain a bit about how we designed this:

set
---
This keyword sets bits to group for a particular flow. When no group is specified,
the default group is set. This keyword always returns true.

Syntax:
    flowbits:set,bits[,group]
Usage:
    flowbits:set,bit1,doc;
    flowbits:set,bit2&amp;amp;bit3,doc;
    First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group.
    So doc group has bit1, bit2 and bit3 set.

setx
---
This keyword sets bits to group exclusively. This clears other bits in group.
Group must be present. This keyword always returns true.

Syntax:
    flowbits:setx,bits,group
Usage:  
    flowbits: setx, bit1, doc
    flowbits: setx, bit2&amp;amp;bit3, doc
    First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group.
    So doc group has bit2 and bit3 set, because bit1 is cleared by rule 2.

unset
-----
This keyword clears bits specified for a particular flow or clears all bits in the
group (Group must be present). This ke&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-18T20:00:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5201">
    <title>Re: Snort 2.9.3 Beta Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5201</link>
    <description>&lt;pre&gt;
This will be interesting to play with.  I take it this was designed to
combine multiple uses of the keyword when checking the state of several
flowbits?

I take it this also fixes the handling of ignore_data with respect to the
fast-pattern matcher?

Looking at the changed code, I think this will also fix the same issue when
logging with tcpdump output.  I hacked right around that for loop in
snort_stream5_tcp.c and was able to fully log all packets associated with a
stream when using file_data with SMTP.  I suspect this might also fix the
use case with flow:only_stream and flow:only_frag.  I'll have to test, though.


Thanks!

&lt;/pre&gt;</description>
    <dc:creator>Joshua Kinard</dc:creator>
    <dc:date>2012-05-18T18:58:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5200">
    <title>Snort 2.9.3 Beta Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5200</link>
    <description>&lt;pre&gt;Snort 2.9.3 Beta is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Development
Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
  * Updates to flowbit rule option to allow for OR and AND
    of individual bits within a single rule, and allow flowbits
    to be used in multiple groups.  See README.flowbits and
    the Snort manual for details.

  * Dynamic output plugin architecture to provide an API that
    developers can write their own output mechanisms to log alert
    and packet data from Snort.  Some output plugins have been
    removed as a result of this to be maintained by their
    respective authors.

  * Update to dcerpc2 preprocessor for improved accuracy and
    handling of different OSs for SMB processing.  See README.dcerpc2
    and the Snort manual for details.

  * Updates to reputation preprocessor for handling of wh&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-18T13:55:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5199">
    <title>Re: [Snort-users] Perfmonitor Issue</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5199</link>
    <description>&lt;pre&gt;Hi Abdel,

 

You need to change your compilation options and disable linux-smp-stats

--enable-dynamicplugin --enable-perfprofiling --enable-targetbased
--enable-ipv6 --enable-ppm --enable-gre --enable-static-daq=no
--enable-64bit-gcc=no

Regards,

Guillaume DALEUX
 

From: Abdelmonaim Mokadem [mailto:abdelmonaim.mokadem&amp;lt; at &amp;gt;abovesecurity.com]

Sent: Wednesday, May 16, 2012 2:11 PM
To: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net; snort-devel&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: [Snort-users] Perfmonitor Issue

 

Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort:

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${&lt;/pre&gt;</description>
    <dc:creator>Guillaume Daleux</dc:creator>
    <dc:date>2012-05-17T17:11:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5198">
    <title>Perfmonitor Issue</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5198</link>
    <description>&lt;pre&gt;Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort:

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${INTERFACE}" \
        -c "${SNORT_CONF}" \
        --perfmon-file "${LOG_DIR}/snort.stats" \
        -l "${LOG_DIR}" \
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.syst&lt;/pre&gt;</description>
    <dc:creator>Abdelmonaim Mokadem</dc:creator>
    <dc:date>2012-05-16T18:10:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5197">
    <title>Snort 2.9.2.3 Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5197</link>
    <description>&lt;pre&gt;Snort 2.9.2.3 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.3 includes changes for the following:

  * Update to GTP preprocessor to better handle GTPv1 data.

  * Update to DNP3 preprocessor to add stricter checking on
    packets before processing by dnp3.  Improved checking
    on reassembly buffer

  * Update to PCRE rule option processing to prevent issues
    seen w/ libpcre-8.30 and certain rules.

  * Update to dcerpc2 to not abort reassembly if target-based
    protocol is undefined.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs&amp;lt; at &amp;gt;snort.org.

Happy Snorting!
The Snort Release Team


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat land&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-15T19:56:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5196">
    <title>Re: Snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5196</link>
    <description>&lt;pre&gt;Snort i will always make this my priority from now on http://cnbcnews.net this is going to change everything 

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

&lt;/pre&gt;</description>
    <dc:creator>easyeinfo&lt; at &gt;yahoo.com</dc:creator>
    <dc:date>2012-05-15T07:07:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5195">
    <title>Re: AF_PACKET zero copy mode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5195</link>
    <description>&lt;pre&gt;We generally don't comment on future plans, however, yes, we are looking at this for several different things.

J

On May 10, 2012, at 9:28 AM, "Guillaume Daleux" &amp;lt;guillaume.daleux&amp;lt; at &amp;gt;abovesecurity.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-10T13:39:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5194">
    <title>AF_PACKET zero copy mode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5194</link>
    <description>&lt;pre&gt;Hi all,

Is it possible to know if the implementation of AF_PACKET capture mode with zero copy mode is currently under development in Snort ?

https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/


Thanks for your answer,

Guillaume DALEUX
Junior Research Engineer
tel: 450.430.8166 ext. 2279 | guillaume.daleux&amp;lt; at &amp;gt;abovesecurity.com
toll free: 1.866.430.8166 | fax: 450.430.1858
Managed Security Services | Information Risk Management
203 - 1919 boul. Lionel-Bertrand | Boisbriand | QC | Canada | J7H 1N8
www.abovesecurity.com




&lt;/pre&gt;</description>
    <dc:creator>Guillaume Daleux</dc:creator>
    <dc:date>2012-05-10T13:28:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5193">
    <title>Re: Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5193</link>
    <description>&lt;pre&gt;You may get different results with a newer Snort.

On Wed, May 9, 2012 at 1:18 PM, Jon Larson &amp;lt;jlarson&amp;lt; at &amp;gt;catbird.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-09T17:27:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5192">
    <title>Re: Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5192</link>
    <description>&lt;pre&gt;Snort is Version 2.9.0.5
DAQ is 0.5 I think.

The storm occurs when I have a rule configured like this:
alert tcp [192.168.10.10] any -&amp;gt; [192.168.20.11] any (resp:reset_both; flow:to_server,established; )

Anyway, snort isn't really *supposed* to be used like a firewall in this 
manner so we've moved on.

On 5/8/2012 9:57 PM, Russ Combs wrote:
&lt;/pre&gt;</description>
    <dc:creator>Jon Larson</dc:creator>
    <dc:date>2012-05-09T17:18:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5191">
    <title>Re: Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5191</link>
    <description>&lt;pre&gt;What version of Snort and DAQ are you using?  Snort has a check to prevent
RST to RST.

On Tue, May 1, 2012 at 7:46 PM, Jon Larson &amp;lt;jlarson&amp;lt; at &amp;gt;catbird.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-09T04:57:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5190">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5190</link>
    <description>&lt;pre&gt;
It's probably how you are pulling down bits from a Google service if
you run chrome.
Locally it's mod_spdy on Apache with Chrome clients.  It's all encrypted.

\\//,
Lorax

&lt;/pre&gt;</description>
    <dc:creator>Graham Bignell</dc:creator>
    <dc:date>2012-05-02T18:43:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5189">
    <title>Re: Question regarding snort statistics</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5189</link>
    <description>&lt;pre&gt;

If you look for DETECTION_OPTION_MATCH and DETECTION_OPTION_NO_MATCH you
will find what you need.

J
&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-04T14:38:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5188">
    <title>Re: Question regarding snort statistics</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5188</link>
    <description>&lt;pre&gt;The Snort code is available at www.snort.org.  I suggest you take a look at it and see how you can modify it to fit your purpose.

J

On May 4, 2012, at 6:45 AM, Efthymia Tsamoura wrote:



&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-04T13:49:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5187">
    <title>Question regarding snort statistics</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5187</link>
    <description>&lt;pre&gt;Hi all,

My name is Efi and I'm a PhD student. I'm writing this email, since I
want to find out how to monitor for each rule and for each input
packet which of the rule's predicates were satisfied and which not for
the specific packet that is currently being processed. For example,
given the rule

alert tcp 1.1.1.1 any -&amp;gt; 2.2.2.2 80 (content:"BOB"; gid:1000001; sid:1; rev:1;),

I want for each packet statistics of the form:

Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
and did not satisfy destIp = 2.2.2.2 and destport = 80 and content = "BOB"

What are the modifications that need to be performed to the src to get  
this info? For example, which functions, data structures hold this  
info ...

Best Regards,
Efi



&lt;/pre&gt;</description>
    <dc:creator>Efthymia Tsamoura</dc:creator>
    <dc:date>2012-05-04T10:45:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5186">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5186</link>
    <description>&lt;pre&gt;It won't be in 2.9.3. That version is already baked.  I'll keep you updated as we work on it. 

--
Joel Esler
Sent from my.. NO ONE CARES

On May 3, 2012, at 9:43 PM, Joshua Kinard &amp;lt;kumba&amp;lt; at &amp;gt;gentoo.org&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-04T01:50:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5185">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5185</link>
    <description>&lt;pre&gt;


I believe Firefox plans to enable SPDY support by default in FF 13.  Not
sure what your roadmap is, but 12 just came out, so maybe a beta
preprocessor in Snort-2.9.3 or 2.9.4?

I haven't looked at it yet myself.  Wireshark doesn't even have a dissector
for it I believe.

&lt;/pre&gt;</description>
    <dc:creator>Joshua Kinard</dc:creator>
    <dc:date>2012-05-04T01:43:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5184">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5184</link>
    <description>&lt;pre&gt;It is on the roadmap.  Are you seeing SPDY traffic now?  Can you tell us
about what the client and server are running?  Is any of the SPDY traffic
encrypted?

Thanks
Russ

On Tue, May 1, 2012 at 4:46 PM, Brian Wilhide &amp;lt;brian.wilhide&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-02T17:06:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5183">
    <title>Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5183</link>
    <description>&lt;pre&gt;I/we need to get snort to operate on two interfaces.  For simplicity, 
let's just say I want to have snort monitor traffic on eth0, but then 
send its resets out on eth1.  What's the configuration magic to allow this?

I've tried something like this in the snort.conf:
config response: device eth1 attempts 2

This, however, seems to get snort into this mode (when it detects some 
TCP connection it's configured to reset) where it "sniffs" back in the 
RST packet (on the other interface), then sends another RST packet.  
Kinda like "eating its own tail".  The snort process consumes the CPU 
and floods the network in this mode.

Also is there documentation someone could point me to regarding 
configuring snort for multiple interfaces?

Any and all information would be greatly appreciated!
Jonny L.


&lt;/pre&gt;</description>
    <dc:creator>Jon Larson</dc:creator>
    <dc:date>2012-05-01T23:46:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5182">
    <title>SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5182</link>
    <description>&lt;pre&gt;Have you guys looked into SPDY awareness within Snort?
http://en.wikipedia.org/wiki/SPDY

Brian Wilhide
brian.wilhide&amp;lt; at &amp;gt;gmail.com

&lt;/pre&gt;</description>
    <dc:creator>Brian Wilhide</dc:creator>
    <dc:date>2012-05-01T20:46:10</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel</link>
  </textinput>
</rdf:RDF>

