<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general">
    <title>gmane.comp.security.ids.snort.general</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36700"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36699"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36698"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36697"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36696"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36695"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36694"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36693"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36692"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36691"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36690"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36689"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36688"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36687"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36686"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36685"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36684"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36683"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36682"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36681"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36700">
    <title>Re: Snort Stream5 Support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36700</link>
    <description>&lt;pre&gt;Either call your test.rule from snort.conf with an include statement, or place the contents of your test.rule in the bottom of snort.conf

I recommend the first option.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 22, 2012, at 11:36 AM, Turnbough, Bradley E. wrote:



_______________________________________________
Snort-users mailing list
Snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please v&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-22T15:49:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36699">
    <title>Re: Snort Stream5 Support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36699</link>
    <description>&lt;pre&gt;Ah.... That would make sense.  So then I can't consider my rules to be additive to what's in snort.conf already.  Bummer.....

Any way around that?  I'd rather not place any configs in snort.conf.



From: Russ Combs [mailto:rcombs&amp;lt; at &amp;gt;sourcefire.com]
Sent: Tuesday, May 22, 2012 10:31 AM
To: Turnbough, Bradley E.
Cc: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Snort-users] Snort Stream5 Support

Looks like the conf you are telling snort to use is /tmp/test.rule which, per your cat output, does not include the stream5 config, etc.
On Tue, May 22, 2012 at 10:22 AM, Turnbough, Bradley E. &amp;lt;bturnbough&amp;lt; at &amp;gt;belcan.com&amp;lt;mailto:bturnbough&amp;lt; at &amp;gt;belcan.com&amp;gt;&amp;gt; wrote:
Very new to snort.

I seem to be having some issues with getting Stream5 support up and running.  Here is the rule:

[root&amp;lt; at &amp;gt;hostname]# cat /tmp/test.rule
log tcp any any -&amp;gt;  xx.xx.xx.xx/29 23
alert tcp any any -&amp;gt; xx.xx.xx.xx/29 22 (\
msg:"Potential SSH Brute Force";\
flow:to_server;\
flags:S;\
threshold:type threshold, track by_src, count 3, seconds 60;\
classtype:atte&lt;/pre&gt;</description>
    <dc:creator>Turnbough, Bradley E.</dc:creator>
    <dc:date>2012-05-22T15:36:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36698">
    <title>Re: Snort Stream5 Support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36698</link>
    <description>&lt;pre&gt;Looks like the conf you are telling snort to use is /tmp/test.rule which,
per your cat output, does not include the stream5 config, etc.

On Tue, May 22, 2012 at 10:22 AM, Turnbough, Bradley E. &amp;lt;
bturnbough&amp;lt; at &amp;gt;belcan.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-22T15:30:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36697">
    <title>subscribe</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36697</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Lawrence R. Hughes, Sr.</dc:creator>
    <dc:date>2012-05-22T14:24:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36696">
    <title>Snort Stream5 Support</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36696</link>
    <description>&lt;pre&gt;Very new to snort.

I seem to be having some issues with getting Stream5 support up and running.  Here is the rule:

[root&amp;lt; at &amp;gt;hostname]# cat /tmp/test.rule
log tcp any any -&amp;gt;  xx.xx.xx.xx/29 23
alert tcp any any -&amp;gt; xx.xx.xx.xx/29 22 (\
msg:"Potential SSH Brute Force";\
flow:to_server;\
flags:S;\
threshold:type threshold, track by_src, count 3, seconds 60;\
classtype:attempted-dos;\
sid:2001218;\
rev:4;\
resp:rst-all;\
)

Using the following options to startup:

snort -d -i eth0 -c /tmp/test.rule -l /tmp/log

Produces a nasty error:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/tmp/test.rule"
Tagged Packet Limit: 256
Log directory = /tmp/log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /tmp/test.rule(11): Stream5 must be enabled to use the 'to_server' option.
Fatal Error, Quitting..



Review of the snort.conf file, it appears I DO have Stream5 support enabl&lt;/pre&gt;</description>
    <dc:creator>Turnbough, Bradley E.</dc:creator>
    <dc:date>2012-05-22T14:22:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36695">
    <title>Re: New snort install question</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36695</link>
    <description>&lt;pre&gt;...kind of.   A few years ago we had the opportunity to completely redesign our network structure.  We adopted the following VLan scheme

10.BB.VV.XX

Where:
BB = building number (arbitrarily assigned by yours truly)
VV = VLAN ID
XX = workstations

We have separate VLans for faculty/staff and students as well as voice and NAC, etc. ... all for each building.

I had not seen that distro, it looks promising though.  I will most certainly look into it, THANKS!

As for the BPF filter, that seems like an excellent idea if we find our boxes have trouble keeping up, hopefully they won't but you never know.

Thank you for the info.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: Vivek Rajagopalan [mailto:vivek&amp;lt; at &amp;gt;unleashnetworks.com]
Sent: Tuesday, May 22, 2012 2:56 AM
To: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Snort-users] New snort install question

Apologies, meant to reply&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-22T13:22:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36694">
    <title>Logging URI too long</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36694</link>
    <description>&lt;pre&gt;Hi all,

I realized a behaviour in Snort that I want to share with all of you. Snort
is now logging URI and Hostname as Extra Data but, what if URI is too long?
I've seen alerts related with error 500 that uri is present but when alert
is 414 (URI too long) there's no extra data.

I've made a patch in BASE to show Extra Data Info and tried with u2spewfoo
as well but it seems that in this case it's not logged. That
post &amp;lt;http://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html&amp;gt; says:

"When a HTTP Request URI is greater than 2048 or when a HTTP hostname
(specified in the "Host" Request header) is greater than 256, Snort will
log the truncated the URI and/or hostname. A preprocessor alert with
GID:119 and SID:25 is generated when hostname exceeds 256 bytes."

Where is truncated? How can I get Extra Data of a "URI Too Long" alert? Is
it logged in that case?

Best regards
Regards
&lt;/pre&gt;</description>
    <dc:creator>Nelo Belda</dc:creator>
    <dc:date>2012-05-22T11:55:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36693">
    <title>Re: New snort install question</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36693</link>
    <description>&lt;pre&gt;Apologies, meant to reply to list.

On 22-05-2012 02:49, Sallee, Stephen (Jake) wrote:

Are these non-university machines on a guest VLAN ? If they are, then a 
BPF filter on Snort can help cut down the 'trusted' traffic. This means 
your i3 Dells might be sufficient for the workload.

As far as deploying this over 50+ buildings are concerned have you 
checked out the Security Onion distro ?

Hope that helps,

Vivek
&lt;/pre&gt;</description>
    <dc:creator>Vivek Rajagopalan</dc:creator>
    <dc:date>2012-05-22T07:56:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36692">
    <title>Re: vendor list surfing</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36692</link>
    <description>&lt;pre&gt;second hit on Google :-)

https://freedom-to-tinker.com/blog/felten/safemedia-parody/

&lt;/pre&gt;</description>
    <dc:creator>Jason Haar</dc:creator>
    <dc:date>2012-05-22T04:04:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36691">
    <title>Re: vendor list surfing</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36691</link>
    <description>&lt;pre&gt;Thank you Joel.  These lists are invaluable, and I would not like to see them turned into playgrounds for overzealous marketing departments.

BTW you may want to take a look &amp;lt; at &amp;gt; safemedia they are selling an appliance based on snort but I can't find any mention of snort on their site ... SNORT is still GPL code right?


If anyone from safemedia reads this, please know it's nothing personal ... we all have to play by the rules, that's all.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Joel Esler [jesler&amp;lt; at &amp;gt;sourcefire.com]
Sent: Monday, May 21, 2012 6:22 PM
To: Sallee, Stephen (Jake)
Cc: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Snort-users] vendor list surfing

Jake, thanks for letting me know.

Apparently vendors don't get it.  This is for assistance for people who use Snort.  Not a commercial.  Even Sourcefire tries hard not to advertise on these lists, an&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-22T02:46:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36690">
    <title>Re: vendor list surfing</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36690</link>
    <description>&lt;pre&gt;Jake, thanks for letting me know.

Apparently vendors don't get it.  This is for assistance for people who use Snort.  Not a commercial.  Even Sourcefire tries hard not to advertise on these lists, and I don't allow it from our internal people.

To get the point across, I've unsubscribed everyone from safemedia.com and banned them from the lists.

They need to write me directly to get back on.

Joel

On May 21, 2012, at 5:51 PM, "Sallee, Stephen (Jake)" &amp;lt;Jake.Sallee&amp;lt; at &amp;gt;umhb.edu&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-21T23:22:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36689">
    <title>vendor list surfing</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36689</link>
    <description>&lt;pre&gt;&amp;lt; at &amp;gt; whoever called me from safemedia.com

I joined this list to get advice and assistance from people who use snort, NOT a commercial.

If you have a product that you feel will assist me I am willing to listen, but please contact me via email and off this list.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T21:51:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36688">
    <title>Re: New snort install question</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36688</link>
    <description>&lt;pre&gt;Jason, thank you for your response.




The uplinks are 1Gb.  The idea would be to span a port on the switch and let the snort box passively analyze that traffic with a separate link on the snort box for management and reporting.  We are thinking that this would be the easiest way to sniff our traffic yet keep the box out of band.  That way even if it does get bogged down it won't introduce latency into the network.




Intel core i3 &amp;lt; at &amp;gt; 3.2Ghz, 4 GB DDR3 RAM &amp;lt; at &amp;gt; 10666, 300 GB SATAII HD, 2 x 1 Gb NIC.

Does that sound sufficient for real time monitoring?  We are not interested in historical reporting right now as we are planning on sending the events to a syslog server and our NAC.




We are indeed trying to protect our LAN from internal threats.  We have a well-protected internet facing edge but as a university we have a few thousand non-university owned assets that access our network every day.  Once these devices are on my network they have bypassed my armored edge and are able to poke away at my soft belly &lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T21:19:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36687">
    <title>Re: New snort install question</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36687</link>
    <description>&lt;pre&gt;What are the uplinks? I'd guess either 1G or 10G? Do "old" Dell 960s
have PCIe buses and Ethernet cards to match, and do they have high-end
CPUs that can keep up with "counting" 1-10Gbps Ethernet traffic? I think
you may be expecting too much of the hardware?


Assuming I am correct about the uplink speeds, this is probably the best
way of doing it. The only other option would be to "collapse" those
uplinks into a single area and SPAN that - but then you're in the
10-100Gbs range...? Methinks that's a harder problem to solve ;-)
First question is always: "what are you trying to achieve"? Second is
"what is your budget" ;-). If you are wanting to protect your computers
from your computers, then you are on the right track. If you are trying
to protect your computers from "the Internet", then you're doing it
wrong - you only need one NIDS at the edge of your network.

Basically, lots of organizations use NIDS to monitor (LAN to) WAN or
Internet pipes, few use it to monitor (LAN to) LANs - it's just too
expensi&lt;/pre&gt;</description>
    <dc:creator>Jason Haar</dc:creator>
    <dc:date>2012-05-21T20:34:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36686">
    <title>New snort install question</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36686</link>
    <description>&lt;pre&gt;Hello all!

I work for a small private university and we are looking into deploying snort for monitoring our internal network.

We have 50+ buildings on campus and the idea is to place a single snort box in each building and have it sniff the uplink traffic, then report back to our NAC system (Packetfence).  The goal was to be able to use some of our older desktops (Dell 960s) as kind of snort nodes with no keyboard, mouse or monitor.

We would prefer to be able to manage all of these distributed snort boxes from a single place or at least from a web GUI on each box.

#1. Am I way off base thinking about using snort this way?
#2. What kind of tools exist to manage multiple snort boxes?
#3. Am I missing something crucial that would make me look like an idiot when I go to set this up?

I have other questions but I will not spam the list with them all at once.  Please let me know your ideas and or suggestions.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
B&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T19:37:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36685">
    <title>Re: please ! unsubscribe me !!! I have done several times but it doesn't work</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36685</link>
    <description>&lt;pre&gt;Done.

On May 20, 2012, at 4:23 PM, Adriana Solé &amp;lt;adrianasole&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-21T14:35:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36684">
    <title>Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36684</link>
    <description>&lt;pre&gt;The eth1 data looks like it is much further into the packet than the eth0
data, so check your http_inspect flow depths.

On Mon, May 21, 2012 at 3:30 AM, Balasubramaniam Natarajan &amp;lt;
bala150985&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-21T14:13:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36683">
    <title>Re: barnyard2 database and java</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36683</link>
    <description>&lt;pre&gt;sry, i found a separate group for barnyard2 here: https://groups.google.com/forum/#!forum/barnyard2-users
but if somebody can help it would be nice.

kind regards
gregor binder

----- Original Message -----

&lt;/pre&gt;</description>
    <dc:creator>Gregor Binder</dc:creator>
    <dc:date>2012-05-21T13:43:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36682">
    <title>barnyard2 database and java</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36682</link>
    <description>&lt;pre&gt;hi,

i built an analyzer for barnyard2 in java. my tool can currently read from the barnyard2 database and get all values but i have problems with how to interpret data_payload from the data table.
how can i read and work with the data_payload values from the data table?
has anybody some example for that?
i need to analyze sip records only.

kind regards
gregor binder

&lt;/pre&gt;</description>
    <dc:creator>Gregor Binder</dc:creator>
    <dc:date>2012-05-21T13:38:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36681">
    <title>Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36681</link>
    <description>&lt;pre&gt;I also tried giving an additional option of "-P 0" while invoking snort
still no result.

On Mon, May 21, 2012 at 3:03 AM, Balasubramaniam Natarajan &amp;lt;
bala150985&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Balasubramaniam Natarajan</dc:creator>
    <dc:date>2012-05-21T07:30:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36680">
    <title>Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36680</link>
    <description>&lt;pre&gt;There was an error in my previous link, this is the correct one which shows
Test2 and Test3 results.

http://img207.imageshack.us/img207/4480/snortproxy.jpg

On Mon, May 21, 2012 at 12:58 AM, Balasubramaniam Natarajan &amp;lt;
bala150985&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Balasubramaniam Natarajan</dc:creator>
    <dc:date>2012-05-20T21:33:35</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general</link>
  </textinput>
</rdf:RDF>

