<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.ids.snort.devel">
    <title>gmane.comp.security.ids.snort.devel</title>
    <link>http://blog.gmane.org/gmane.comp.security.ids.snort.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5204"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5203"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5202"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5201"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5200"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5199"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5198"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5197"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5196"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5195"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5194"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5193"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5192"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5191"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5190"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5189"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5188"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5187"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5186"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5185"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5204">
    <title>Unified2 with EXTRA_DATA fields</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5204</link>
    <description>&lt;pre&gt;Hi,

I want to explain a problem that we have while adapting our Unified2 parser
to the new extra-data fields.

The problem is that when you want to parse the events in real time you don't
have a way to know if the Event will have an ExtraData later in the file.

Example:

(Event)
    sensor id: 0    event id: 31    event second: 1337848659    event microsecond: 228367
    sig id: 99999   gen id: 1   revision: 1  classification: 0
    priority: 0 ip source: 188.40.16.205    ip destination: 192.168.2.183
    src port: 80    dest port: 49892    protocol: 6 impact_flag: 0  blocked: 0

Packet
    sensor id: 0    event id: 31    event second: 1337848659
    packet second: 1337848659   packet microsecond: 228367
    linktype: 1 packet_length: 1506

...
...

(ExtraDataHdr)
    event type: 4   event length: 62

(ExtraData)
    sensor id: 0    event id: 14    event second: 1337848659
    type: 9 datatype: 1 bloblength: 38  HTTP URI: /forums/showthread.php?t=57055

(ExtraDataHdr)
    event type: 4   event length: 50

(ExtraData)
    sensor id: 0    event id: 14    event second: 1337848659
    type: 10    datatype: 1 bloblength: 26  HTTP Hostname: www.howtoforge.com

(ExtraDataHdr)
    event type: 4   event length: 62

(ExtraData)
    sensor id: 0    event id: 15    event second: 1337848659
    type: 9 datatype: 1 bloblength: 38  HTTP URI: /forums/showthread.php?t=57055

(ExtraDataHdr)
    event type: 4   event length: 50

(ExtraData)
    sensor id: 0    event id: 15    event second: 1337848659
    type: 10    datatype: 1 bloblength: 26  HTTP Hostname: www.howtoforge.com

...


So, is there a way of knowing if an Event will have an ExtraData entry
later?

Best Regards

&lt;/pre&gt;</description>
    <dc:creator>Jaime Blasco</dc:creator>
    <dc:date>2012-05-24T11:14:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5203">
    <title>Bug in SSL preproc or doc update/clarification?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5203</link>
    <description>&lt;pre&gt;I was trying to come up with sigs to hit on a C&amp;amp;C that uses a malformed
SSLv3 client hello followed by server data that does not contain an
SSL fatal alert of some kind.  For the sake of simplicity, below is a rule
I would expect to match on the fatal alert from the server in response
to a malformed client hello. Based on documentation in the snort
manual it seems this rule should fire with the default snort.conf but it
doesn't on 2.9.2.3. Removing both "trustservers, noinspect_encrypted"
from the ssl preproc allows this rule to fire. Bug? Expected Behavior?
User Error? pcap available upon request....

Regards,

Will

#Manual Entry
"Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP
to inspect port 443 and enabling the noinspect_encrypted option, only
the SSL handshake of each connection will be inspected. Once the
traffic is determined to be encrypted, no further inspection of the
data on the connection is made.

By default, SSLPP looks for a handshake followed by encrypted traffic
traveling to both sides. If one side responds with an indication that
something has failed, such as the handshake, the session is not marked
as encrypted. Verifying that faultless encrypted traffic is sent from
both endpoints ensures two things: the last client-side handshake
packet was not crafted to evade Snort, and that the traffic is
legitimately encrypted. "

#Rule
alert tcp $EXTERNAL_NET 443 -&amp;gt; $HOME_NET any (msg:"ET BLAH SSL 3.0
Fatal Alert (Expected Behavior)"; flow:from_server,established;
content:"|15 03 00 00 02 02|"; depth:6; classtype:trojan-activity;
sid:6014637; rev:1;)

#Preproc setting and results.

#doesn't alert
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers,
noinspect_encrypted
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }, noinspect_encrypted

#alerts
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

&lt;/pre&gt;</description>
    <dc:creator>Will Metcalf</dc:creator>
    <dc:date>2012-05-23T17:26:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5202">
    <title>Re: Snort 2.9.3 Beta Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5202</link>
    <description>&lt;pre&gt;
I'll post some excerpts from the doc, then I'll explain a bit about how we designed this:

set
---
This keyword sets bits in a group for a particular flow. When no group is specified,
it sets the default group. This keyword always returns true.

Syntax:
    flowbits:set,bats[,group]
Usage:  
    flowbits:set,bit1,doc;
    flowbits:set,bit2&amp;amp;bit3,doc;
    First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group. 
    So doc group has bit 1, bit2 and bit3 set  

setx
---
This keyword sets bits in a group exclusively. This clears the other bits in the group.
The group must be present. This keyword always returns true.

Syntax:
    flowbits:setx,bats,group
Usage:  
    flowbits: setx, bit1, doc
    flowbits: setx, bit2&amp;amp;bit3, doc
    First rule sets bit1 in doc group, second rule sets bit2 and bit3 in doc group.
    So doc group has bit2 and bit3 set, because bit1 is cleared by rule 2.

unset
-----
This keyword clears the bits specified for a particular flow or clears all bits in the
group (the group must be present). This keyword always returns true.

Syntax:
   flowbits:unset,bats
   flowbits:unset,all,group
   
Usage:  
   flowbits: unset, bit1  
   Clear bit1.
   
   flowbits: unset, bit1&amp;amp;bit2
   After this rule, both bit1 and bit2 are cleared.
   
   flowbits: unset, all, doc
   This clears all bits in the doc group.

&amp;lt;snip toggle&amp;gt;

isset
-----
This keyword checks a bit or several bits to see if they are set.  It returns true or
false based on the following syntax.

Syntax:  
   flowbits:isset, bits =&amp;gt; Check whether any bit is set
   flowbits:isset, bats =&amp;gt; Check whether all bits are set
   flowbits:isset, any, group =&amp;gt; Check whether any bit in the group is set.
   flowbits:isset, all, group =&amp;gt; Check whether all bits in the group are set. 
   
Usage
   flowbits:isset, bit1|bit2 =&amp;gt; If either bit1 or bit2 is set, return true
   flowbits:isset, bit1&amp;amp;bit2 =&amp;gt; If both bit1 and bit2 are set, return true, otherwise false
   flowbits:isset, any, doc =&amp;gt; If any bit in group doc is set, return true
   flowbits:isset, all, doc =&amp;gt; If all the bits in doc group are set, return true 

isnotset
--------
This keyword is the reverse of isset.  It returns true if isset is false, it returns
false if isset is true. Isnotset works on the final result, not on individual bits.

Syntax:  
   flowbits:isnotset, bits =&amp;gt; Check whether not any bit is set
   flowbits:isnotset, bats =&amp;gt; Check whether not all bits are set
   flowbits:isnotset, any, group =&amp;gt; Check whether no bit in the group is set.
   flowbits:isnotset, all, group =&amp;gt; Check whether not all bits in the group are set. 
   
Usage
   flowbits:isnotset, bit1|bit2 =&amp;gt; If either bit1 or bit2 is set, return true
   flowbits:isnotset, bit1&amp;amp;bit2 =&amp;gt; If both bit1 and bit2 are set, return true, otherwise false
   flowbits:isnotset, any, doc =&amp;gt; If any bit in group doc is set, return true
   flowbits:isnotset, all, doc =&amp;gt; If all the bits in doc group are set, return true 


So..

You can do things like:

alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET any (msg:"Word doc download"; flowbits:isset,file.doc|file.ole;)

Or if you wanted to alert on all MSOFFICE documents:

alert tcp $HOME_NET any -&amp;gt; $EXTERNAL_NET any (msg:"ppt"; content:".ppt"; flowbits:set,file.ppt,msoffice; flowbits:noalert;)
alert tcp $HOME_NET any -&amp;gt; $EXTERNAL_NET any (msg:"doc"; content:".doc"; flowbits:set,file.doc,msoffice; flowbits:noalert;)
alert tcp $HOME_NET any -&amp;gt; $EXTERNAL_NET any (msg:"xls"; content:".xls"; flowbits:set,file.xls,msoffice; flowbits:noalert;)
alert tcp $HOME_NET any -&amp;gt; $EXTERNAL_NET any (msg:"mdb"; content:".mdb"; flowbits:set,file.mdb,msoffice; flowbits:noalert;)

Then alert.

alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET any (msg:"Office document successful download!"; flowbits:isset,any,msoffice;)

Does that make sense?  There are a ton of uses for logical OR, AND, group, and "setx" (set exclusively).  We spent quite a while designing this feature, and it's sure to be awesome!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-18T20:00:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5201">
    <title>Re: Snort 2.9.3 Beta Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5201</link>
    <description>&lt;pre&gt;
This will be interesting to play with.  I take it this was designed to
combine multiple uses of the keyword when checking the state of several
flowbits?

I take it this also fixes the handling of ignore_data with respect to the
fast-pattern matcher?

Looking at the changed code, I think this will also fix the same issue when
logging with tcpdump output.  I hacked right around that for loop in
snort_stream5_tcp.c and was able to fully log all packets associated with a
stream when using file_data with SMTP.  I suspect this might also fix the
use case with flow:only_stream and flow:only_frag.  I'll have to test, though.

Thanks!

&lt;/pre&gt;</description>
    <dc:creator>Joshua Kinard</dc:creator>
    <dc:date>2012-05-18T18:58:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5200">
    <title>Snort 2.9.3 Beta Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5200</link>
    <description>&lt;pre&gt;Snort 2.9.3 Beta is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Development
Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
  * Updates to flowbit rule option to allow for OR and AND
    of individual bits within a single rule, and allow flowbits
    to be used in multiple groups.  See README.flowbits and
    the Snort manual for details.

  * Dynamic output plugin architecture to provide an API that
    developers can write their own output mechanisms to log alert
    and packet data from Snort.  Some output plugins have been
    removed as a result of this to be maintained by their
    respective authors.

  * Update to dcerpc2 preprocessor for improved accuracy and
    handling of different OSs for SMB processing.  See README.dcerpc2
    and the Snort manual for details.

  * Updates to reputation preprocessor for handling of whitelist
    and trustlists and zone information.  See README.reputation
    and the Snort manual for details.

  * Updates to the packet decoders to support pflog v4.

[*] Improvements
  * Update to return error messages through the control socket.

  * Updates to the processing of email attachments for better
    handling of non-encoded attachments, and improved memory
    management for attachment processing.

  * Improvements in HTTP Inspect for better performance with gzip
    decompression.  Also improvements for handling simple responses,
    encoded query strings, transfer encoding and chunk encoding
    processing.

  * Fix logging of multiple unified2 alerts with reassembled packets.

  * Compiler warning cleanup across multiple platforms.

  * Added 116:458 and 116:459 to cover fragmentation issues.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta&amp;lt; at &amp;gt;sourcefire.com.

Happy Snorting!
The Snort Release Team



&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-18T13:55:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5199">
    <title>Re: [Snort-users] Perfmonitor Issue</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5199</link>
    <description>&lt;pre&gt;Hi Abdel,

You need to change your compilation options and disable linux-smp-stats:

--enable-dynamicplugin --enable-perfprofiling --enable-targetbased
--enable-ipv6 --enable-ppm --enable-gre --enable-static-daq=no
--enable-64bit-gcc=no

Regards,

Guillaume DALEUX

From: Abdelmonaim Mokadem [mailto:abdelmonaim.mokadem&amp;lt; at &amp;gt;abovesecurity.com]
Sent: Wednesday, May 16, 2012 2:11 PM
To: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net; snort-devel&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: [Snort-users] Perfmonitor Issue

Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort :

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${INTERFACE}" \
        -c "${SNORT_CONF}" \
        --perfmon-file "${LOG_DIR}/snort.stats" \
        -l "${LOG_DIR}" \
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.systemtime);
  LogMessage("Combined: %.3f\n\n",sfBaseStats-&amp;gt;usecs_per_packet.totaltime);
  .
  .
}

But it doesn't...

It doesn't print the Snort Max Performance at all..

The usec_per_packet structure is filled when "GetuSecondsPerPacket" is
called but it seems like we never enter the "if" clause,
and when I try to debug with gdb, I can see that "iFlag" is always equal
to 0 for an unknown reason and since "MAX_PERF_STATS" is equal to 1, the
"if" test fails.

FYI, here are the options used to compile snort :

--enable-dynamicplugin --enable-perfprofiling --enable-linux-smp-stats
--enable-targetbased --enable-ipv6 --enable-ppm --enable-gre
--enable-static-daq=no --enable-64bit-gcc=no

If someone has an idea about the origin of the problem here...

Regards,

Abdelmonaim Mokadem.

&lt;/pre&gt;</description>
    <dc:creator>Guillaume Daleux</dc:creator>
    <dc:date>2012-05-17T17:11:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5198">
    <title>Perfmonitor Issue</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5198</link>
    <description>&lt;pre&gt;Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort :

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${INTERFACE}" \
        -c "${SNORT_CONF}" \
        --perfmon-file "${LOG_DIR}/snort.stats" \
        -l "${LOG_DIR}" \
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.systemtime);
  LogMessage("Combined: %.3f\n\n",sfBaseStats-&amp;gt;usecs_per_packet.totaltime);
  .
  .
}

But it doesn't...

It doesn't print the Snort Max Performance at all..

The usec_per_packet structure is filled when "GetuSecondsPerPacket" is
called but it seems like we never enter the "if" clause,
and when I try to debug with gdb, I can see that "iFlag" is always equal
to 0 for an unknown reason and since "MAX_PERF_STATS" is equal to 1, the
"if" test fails.

FYI, here are the options used to compile snort :

--enable-dynamicplugin --enable-perfprofiling --enable-linux-smp-stats
--enable-targetbased --enable-ipv6 --enable-ppm --enable-gre
--enable-static-daq=no --enable-64bit-gcc=no

If someone has an idea about the origin of the problem here...

Regards,

Abdelmonaim Mokadem.

&lt;/pre&gt;</description>
    <dc:creator>Abdelmonaim Mokadem</dc:creator>
    <dc:date>2012-05-16T18:10:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5197">
    <title>Snort 2.9.2.3 Now Available</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5197</link>
    <description>&lt;pre&gt;Snort 2.9.2.3 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.3 includes changes for the following:

  * Update to GTP preprocessor to better handle GTPv1 data.

  * Update to DNP3 preprocessor to add stricter checking on
    packets before processing by dnp3.  Improved checking
    on reassembly buffer

  * Update to PCRE rule option processing to prevent issues
    seen w/ libpcre-8.30 and certain rules.

  * Update to dcerpc2 to not abort reassembly if target-based
    protocol is undefined.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs&amp;lt; at &amp;gt;snort.org.

Happy Snorting!
The Snort Release Team



&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-15T19:56:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5196">
    <title>Re: Snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5196</link>
    <description>&lt;pre&gt;Snort i will always make this my priority from now on http://cnbcnews.net this is going to change everything 


&lt;/pre&gt;</description>
    <dc:creator>easyeinfo&lt; at &gt;yahoo.com</dc:creator>
    <dc:date>2012-05-15T07:07:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5195">
    <title>Re: AF_PACKET zero copy mode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5195</link>
    <description>&lt;pre&gt;We generally don't comment on future plans, however, yes, we are looking at this for several different things.

J

On May 10, 2012, at 9:28 AM, "Guillaume Daleux" &amp;lt;guillaume.daleux&amp;lt; at &amp;gt;abovesecurity.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-10T13:39:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5194">
    <title>AF_PACKET zero copy mode</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5194</link>
    <description>&lt;pre&gt;Hi all,

Is it possible to know if the implementation of AF_PACKET capture mode with zero copy mode is currently under development in Snort?

https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/


Thanks for your answer,

Guillaume DALEUX
Junior Research Engineer
tel : 450.430.8166 ext. 2279 | guillaume.daleux&amp;lt; at &amp;gt;abovesecurity.com
toll free : 1.866.430.8166 | fax: 450.430.1858
Managed Security Services | Information Risk Management
203 - 1919 boul. Lionel-Bertrand, Boisbriand, QC, Canada, J7H 1N8
www.abovesecurity.com





&lt;/pre&gt;</description>
    <dc:creator>Guillaume Daleux</dc:creator>
    <dc:date>2012-05-10T13:28:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5193">
    <title>Re: Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5193</link>
    <description>&lt;pre&gt;You may get different results with a newer Snort.

On Wed, May 9, 2012 at 1:18 PM, Jon Larson &amp;lt;jlarson&amp;lt; at &amp;gt;catbird.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-09T17:27:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5192">
    <title>Re: Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5192</link>
    <description>&lt;pre&gt;Snort is Version 2.9.0.5
DAQ is 0.5 I think.

The storm occurs when I have a rule configured like this:
alert tcp [192.168.10.10] any -&amp;gt; [192.168.20.11] any (resp:reset_both; flow:to_server,established;)

Anyway, snort isn't really *supposed* to be used like a firewall in this 
manner so we've moved on.

On 5/8/2012 9:57 PM, Russ Combs wrote:
&lt;/pre&gt;</description>
    <dc:creator>Jon Larson</dc:creator>
    <dc:date>2012-05-09T17:18:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5191">
    <title>Re: Active response on two interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5191</link>
    <description>&lt;pre&gt;What version of Snort and DAQ are you using?  Snort has a check to prevent
RST to RST.

On Tue, May 1, 2012 at 7:46 PM, Jon Larson &amp;lt;jlarson&amp;lt; at &amp;gt;catbird.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-09T04:57:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5190">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5190</link>
    <description>&lt;pre&gt;
It's probably how you are pulling down bits from a Google service if
you run chrome.
Locally it's mod_spdy on Apache with Chrome clients.  It's all encrypted.

\\//,
Lorax

&lt;/pre&gt;</description>
    <dc:creator>Graham Bignell</dc:creator>
    <dc:date>2012-05-02T18:43:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5189">
    <title>Re: Question regarding snort statistics</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5189</link>
    <description>&lt;pre&gt;

If you look for DETECTION_OPTION_MATCH and DETECTION_OPTION_NO_MATCH you
will find what you need.

J
&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-04T14:38:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5188">
    <title>Re: Question regarding snort statistics</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5188</link>
    <description>&lt;pre&gt;The Snort code is available at www.snort.org.  I suggest you take a look at it and see how you can modify it to fit your purpose.

J

On May 4, 2012, at 6:45 AM, Efthymia Tsamoura wrote:



&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-04T13:49:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5187">
    <title>Question regarding snort statistics</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5187</link>
    <description>&lt;pre&gt;Hi all,

My name is Efi and I'm a PhD student. I'm writing this email, since I
want to find out how to monitor for each rule and for each input
packet which of the rule's predicates were satisfied and which not for
the specific packet that is currently being processed. For example,
given the rule

alert tcp 1.1.1.1 any -&amp;gt; 2.2.2.2 80 (content:"BOB"; gid:1000001; sid:1; rev:1;),

I want for each packet statistics of the form:

Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
and did not satisfy destIp = 2.2.2.2 and destport = 80 and content = "BOB"

What are the modifications that need to be performed to the src to get  
this info? For example, which functions, data structures hold this  
info ...

Best Regards,
Efi



&lt;/pre&gt;</description>
    <dc:creator>Efthymia Tsamoura</dc:creator>
    <dc:date>2012-05-04T10:45:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5186">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5186</link>
    <description>&lt;pre&gt;It won't be in 2.9.3. That version is already baked.  I'll keep you updated as we work on it. 

--
Joel Esler
Sent from my.. NO ONE CARES

On May 3, 2012, at 9:43 PM, Joshua Kinard &amp;lt;kumba&amp;lt; at &amp;gt;gentoo.org&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-04T01:50:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5185">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5185</link>
    <description>&lt;pre&gt;


I believe Firefox plans to enable SPDY support by default in FF 13.  Not
sure what your roadmap is, but 12 just came out, so maybe a beta
preprocessor in Snort-2.9.3 or 2.9.4?

I haven't looked at it yet myself.  Wireshark doesn't even have a dissector
for it I believe.

&lt;/pre&gt;</description>
    <dc:creator>Joshua Kinard</dc:creator>
    <dc:date>2012-05-04T01:43:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5184">
    <title>Re: SPDY Awareness</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.devel/5184</link>
    <description>&lt;pre&gt;It is on the roadmap.  Are you seeing SPDY traffic now?  Can you tell us
about what the client and server are running?  Is any of the SPDY traffic
encrypted?

Thanks
Russ

On Tue, May 1, 2012 at 4:46 PM, Brian Wilhide &amp;lt;brian.wilhide&amp;lt; at &amp;gt;gmail.com&amp;gt;wrote:

&lt;/pre&gt;</description>
    <dc:creator>Russ Combs</dc:creator>
    <dc:date>2012-05-02T17:06:49</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel</link>
  </textinput>
</rdf:RDF>

