<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general">
    <title>gmane.comp.security.ids.snort.general</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36722"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36721"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36720"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36719"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36718"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36717"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36716"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36715"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36714"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36713"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36712"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36711"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36710"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36709"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36708"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36707"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36706"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36705"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36704"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36703"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36722">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36722</link>
    <description>&lt;pre&gt;Hi Romskie,

That's great, Thanks.

At the time of installing tcpreplay I am getting the following error.

checking for libpcap... configure: error: Unable to find matching library for header file in /usr
Does anyone face this issue ever.

Regards,
Sandip

-----Original Message-----
From: Romskie L [mailto:rslaranjo&amp;lt; at &amp;gt;gmail.com] 
Sent: 25 May 2012 11:28
To: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Cc: Sandip Bankewar
Subject: Re: [Snort-users] Testing snort

Hi Sandip,

The error says you need to install flex. If you are using ubuntu, you can apt-get install flex to install it.


Regards,

Rommel L.

On Fri, May 25, 2012 at 1:29 PM, Sandip Bankewar &amp;lt;sbankewar&amp;lt; at &amp;gt;cloudaccess.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-25T06:35:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36721">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36721</link>
    <description>&lt;pre&gt;Hi Paul,

Thanks for your help.

My intention is to test the EPS handling capacity.

This way I think we need to run same command from number of terminals right?

Sandip Bankewar


-----Original Message-----
From: Paul Halliday [mailto:paul.halliday&amp;lt; at &amp;gt;gmail.com] 
Sent: 24 May 2012 18:04
To: Nick Moore
Cc: Sandip Bankewar; snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Snort-users] Testing snort

Sounds complicated :)

Couldn't he just feed the pcap directly to snort:

snort -r &amp;lt;file.pcap&amp;gt; ?

On Thu, May 24, 2012 at 9:19 AM, Nick Moore &amp;lt;nmoore&amp;lt; at &amp;gt;sourcefire.com&amp;gt; wrote:



--
Paul Halliday
http://www.squertproject.org/



&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-25T05:54:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36720">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36720</link>
    <description>&lt;pre&gt;Hi Sandip,

The error says you need to install flex. If you are using ubuntu, you
can apt-get install flex to install it.


Regards,

Rommel L.

On Fri, May 25, 2012 at 1:29 PM, Sandip Bankewar
&amp;lt;sbankewar&amp;lt; at &amp;gt;cloudaccess.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Romskie L</dc:creator>
    <dc:date>2012-05-25T05:57:47</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36719">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36719</link>
    <description>&lt;pre&gt;Hi Nick,

Yes I have installed tcpreplay successfully on Linux. Thanks for your help.


While installing libpcap I am getting the following error:

configure: error: Your operating system's lex is insufficient to compile
libpcap.  flex is a lex replacement that has many advantages, including
being able to compile libpcap.  For more information, see
http://www.gnu.org/software/flex/flex.html.

Could you please help me out.

Regards,
Sandip Bankewar

From: Nick Moore [mailto:nmoore&amp;lt; at &amp;gt;sourcefire.com]
Sent: 24 May 2012 17:50
To: Sandip Bankewar
Cc: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Snort-users] Testing snort

Sandip,

I have only used it in Linux and Mac OSX. I have to confess that I haven't used Windows as my primary workstation for over six years and am not familiar with current tools for it. The website mentions Cygwin, which if I remember correctly creates a Linux-like environment for Windows. So you're pretty much back to square one.

If there are other users on the list who are more knowledgeable re&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-25T05:29:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36718">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36718</link>
    <description>&lt;pre&gt;Hi Joel,

Thanks for your help.
My intention for this is to test EPS handling capacity of system.

Regards,
Sandip Bankewar


-----Original Message-----
From: Joel Esler [mailto:jesler&amp;lt; at &amp;gt;sourcefire.com] 
Sent: 24 May 2012 18:03
To: Sandip Bankewar
Cc: snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Snort-users] Testing snort

Snort can read pcap files directly.

snort -c /etc/snort/conf -r &amp;lt;file.pcap&amp;gt;


Joel

On May 24, 2012, at 6:04 AM, Sandip Bankewar wrote:





&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-25T05:46:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36717">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36717</link>
    <description>&lt;pre&gt;I understand what you are saying, and in theory it can certainly
provide some insight into attacks against what it is that "you" are
"trying" to "protect".. that said.. why are you even allowing mysql
from the outside in your example, seems like a bad practice in the
first place, this is the kind of thing that generic firewalls and
logging thereof are for, no?  That type of thing notwithstanding, if
you can turn on more rules and look at traffic that may be "real"
attack traffic against things that "you" "don't" have, and still be
able to manage your alert volume, then more power to ya, I say if it
works for you then stick with it.. certainly not my methodology though
and I don't see how it's scalable in an environment with significant
traffic volume and a potentially large attack surface.

JJC

On Thu, May 24, 2012 at 10:09 AM, waldo kitty &amp;lt;wkitty42&amp;lt; at &amp;gt;windstream.net&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>JJC</dc:creator>
    <dc:date>2012-05-24T19:40:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36716">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36716</link>
    <description>&lt;pre&gt;
agreed...


that's a bad thing? if "you" attempt to see if "i" have mysql accessible from 
the outside by trying to throw an attack at it, "i" want you blocked... 
period... even if "i" never use mysql ever... the same statement applies if 
"you" throw wordpress hacks at my network and "i'm" not running any dynamic 
pages at all... or VOIP SIP scans... or SOLARIS telnet buffer overruns... etc...

"you" tried something dirty... that's all the proof needed in my book... 
watching only for traffic that might affect the stuff you do run is allowing a 
whole mash of other unnecessary traffic into your network that is attempting to 
attack stuff you don't run... why allow any bad traffic at all? would you like 
someone to test your house/apartment front door all the time every day to see if 
it is unlocked or would you do something about it? ;)



&lt;/pre&gt;</description>
    <dc:creator>waldo kitty</dc:creator>
    <dc:date>2012-05-24T16:09:20</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36715">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36715</link>
    <description>&lt;pre&gt;Snort can read pcap files directly.

snort -c /etc/snort/conf -r &amp;lt;file.pcap&amp;gt;


Joel

On May 24, 2012, at 6:04 AM, Sandip Bankewar wrote:



&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-05-24T12:33:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36714">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36714</link>
    <description>&lt;pre&gt;Sounds complicated :)

Couldn't he just feed the pcap directly to snort:

snort -r &amp;lt;file.pcap&amp;gt; ?

On Thu, May 24, 2012 at 9:19 AM, Nick Moore &amp;lt;nmoore&amp;lt; at &amp;gt;sourcefire.com&amp;gt; wrote:



&lt;/pre&gt;</description>
    <dc:creator>Paul Halliday</dc:creator>
    <dc:date>2012-05-24T12:33:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36713">
    <title>Re: Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36713</link>
    <description>&lt;pre&gt;Sandip,

I have only used it in Linux and Mac OSX. I have to confess that I haven't
used Windows as my primary workstation for over six years and am not
familiar with current tools for it. The website mentions Cygwin, which if I
remember correctly creates a Linux-like environment for Windows. So you're
pretty much back to square one.

If there are other users on the list who are more knowledgeable regarding
Windows and available tcpreplay-like utilities, please chime in.

Regarding installation instructions, installing from source is pretty much
the same as any package:

   - tar -zxvf tcpreplay-3.x.x.tar.gz
   - cd tcpreplay-3.x.x
   - ./configure &amp;amp;&amp;amp; make &amp;amp;&amp;amp; make install

If you run Debian or Ubuntu, you can use apt-get. Most RPM based distros
should have tcpreplay. (blatantly plagiarizing from the website).

To quote Marty Roesch "Learn to use Linux. Like eating your broccoli, it's
good for you." A really good start would be to download a Snort set up doc
for Ubuntu or CentOS and follow it through. David G&lt;/pre&gt;</description>
    <dc:creator>Nick Moore</dc:creator>
    <dc:date>2012-05-24T12:19:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36712">
    <title>Testing snort</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36712</link>
    <description>&lt;pre&gt;Hi All,

I want to test snort using large packets.
I started wireshark and started to capture traffic. I am planning to save .pcap file and load it into a system running snort.
My question is how can I load .pcap or wireshark file to that system?
Is there any tool?

Is there any other method to test it?


Regards,
Sandip Bankewar

&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-24T10:04:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36711">
    <title>Daemonlogger native package now in OpenWRT trunk!</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36711</link>
    <description>&lt;pre&gt;My patch for building Daemonlogger as a native OpenWRT package has been 
accepted into the mainline distribution and committed to trunk. 
Pre-built binary packages are now available for all supported 
architectures in the nightly snapshots tree.

Unfortunately these packages only work on the latest trunk firmware 
builds at the moment, and the 3.2 kernel along with the extra software 
included in these builds does not leave enough free JFFS space or usable 
RAM to run daemonlogger effectively. I'm trying to convince the 
developers to include this in the next stable release of Backfire 
(10.03.2) based on the 2.6 kernel, but no luck yet.

For the time being you can still grab my binary package from my GitHub 
repository. This one *does* install and run cleanly on the current 
stable version of Backfire (10.03.1).

   - Announcement: http://goo.gl/Wy5G8
   - Downloads: https://github.com/vineyard/WRT-SPAN

Cheers,
Robert Vineyard

&lt;/pre&gt;</description>
    <dc:creator>Robert Vineyard</dc:creator>
    <dc:date>2012-05-23T23:14:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36710">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36710</link>
    <description>&lt;pre&gt;Tune that system.. I can fairly safely assume that if you have 20,000
rules enabled, you are looking for attacks against stuff that you
don't have.

JJC

On Wed, May 23, 2012 at 8:51 AM, Jeronimo L. Cabral
&amp;lt;jelocabral&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>JJC</dc:creator>
    <dc:date>2012-05-23T19:45:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36709">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36709</link>
    <description>&lt;pre&gt;Sguil can do auto email on some events only.. it can email by
category, priority or just sid..

On Wed, May 23, 2012 at 2:57 PM, Lay, James &amp;lt;james.lay&amp;lt; at &amp;gt;wincofoods.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Jeremy Hoel</dc:creator>
    <dc:date>2012-05-23T15:03:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36708">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36708</link>
    <description>&lt;pre&gt;
Have the watching app look for specific things...perhaps only certain
classifications ("A Network Trojan was Detected") or something of the
like.

James

&lt;/pre&gt;</description>
    <dc:creator>Lay, James</dc:creator>
    <dc:date>2012-05-23T14:57:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36707">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36707</link>
    <description>&lt;pre&gt;Something else: suppose I use logsurfer/swatch/logwatch to alert in
real time the Snorts events. Actually I have near 5 events per minute.

What is the criteria to take just a few number of critical events of
Snort ??? Because I have 20.000 signatures...

On Wed, May 23, 2012 at 11:40 AM, Jeronimo L. Cabral
&amp;lt;jelocabral&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Jeronimo L. Cabral</dc:creator>
    <dc:date>2012-05-23T14:51:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36706">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36706</link>
    <description>&lt;pre&gt;
Hehe...whatever works :)

James

&lt;/pre&gt;</description>
    <dc:creator>Lay, James</dc:creator>
    <dc:date>2012-05-23T14:47:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36705">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36705</link>
    <description>&lt;pre&gt;What about Swatch ??? Is it more appropriate ???

On Wed, May 23, 2012 at 11:13 AM, Lay, James &amp;lt;james.lay&amp;lt; at &amp;gt;wincofoods.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Jeronimo L. Cabral</dc:creator>
    <dc:date>2012-05-23T14:40:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36704">
    <title>Re: Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36704</link>
    <description>&lt;pre&gt;
Log to fast alert then use wots/logsurfer/logwatch to tail/watch the
file and email out.  Assuming linux/BSD/OSX.

James

&lt;/pre&gt;</description>
    <dc:creator>Lay, James</dc:creator>
    <dc:date>2012-05-23T14:13:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36703">
    <title>Snort and real-time alerting</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36703</link>
    <description>&lt;pre&gt;Dear, I have a Snort 2.9 with Base running OK, but I need a real time
alerting mechanism via email if possible.

How can I do that ??? Any extra module to use in that way ???

Special thanks

JeLo

&lt;/pre&gt;</description>
    <dc:creator>Jeronimo L. Cabral</dc:creator>
    <dc:date>2012-05-23T14:10:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36702">
    <title>Re: New snort install question</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids.snort.general/36702</link>
    <description>&lt;pre&gt;Good plan. Power supplies always go; it is not a question of if, it is a 
question of when..
As a back of the envelope calculation. If you use PF_RING (to run 3-4 
snort processes in parallel on your 3-4 hyperthreads), roughly, you will 
be able to monitor 100-300 Mbps with ~6000 rules.
See www.snort.org/assets/186/PF_RING_Snort_Inline_Instructions.pdf
You are smart.. Internal monitoring can be challenging because of the 
rule tuning required; but it is also very important in my opinion. Today 
smart phones/ laptops traverse firewalls every day; so perimeter 
defenses are getting obsolete.. You are going to need a good event 
management system..


&lt;/pre&gt;</description>
    <dc:creator>livio Ricciulli</dc:creator>
    <dc:date>2012-05-22T01:27:29</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general</link>
  </textinput>
</rdf:RDF>

