<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.ids.snort.devel">
    <title>gmane.comp.security.ids.snort.devel</title>
    <link>http://blog.gmane.org/gmane.comp.security.ids.snort.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5204"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5203"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5200"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5198"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5197"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5194"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5187"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5183"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5182"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5176"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5171"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5167"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5164"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5156"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5153"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5151"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5150"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5147"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5144"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5142"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5204">
    <title>Unified2 with EXTRA_DATA fields</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5204</link>
    <description>&lt;pre&gt;Hi,

I want to explain a problem that we have while adapting our Unified2 parser
to the new extra-data fields.

The problem is that when you want to parse the events in real time you don't
have a way to know if the Event will have an ExtraData later in the file.

Example:

(Event)
  1663     sensor id: 0    event id: 31    event second: 1337848659    event microsecond: 228367
  1664     sig id: 99999   gen id: 1   revision: 1  classification: 0
  1665     priority: 0 ip source: 188.40.16.205    ip destination: 192.168.2.183
  1666     src port: 80    dest port: 49892    protocol: 6 impact_flag: 0  blocked: 0
  1667
  1668 Packet
  1669     sensor id: 0    event id: 31    event second: 1337848659
  1670     packet second: 1337848659   packet microsecond: 228367
  1671     linktype: 1 packet_length: 1506

...
...

  1768 (ExtraDataHdr)
  1769     event type: 4   event length: 62
  1770
  1771 (ExtraData)
  1772     sensor id: 0    event id: 14    event second: 1337848659
  1773     type: 9 datatype: 1 bloblength: 38  HTTP URI: /forums/showthread.php?t=57055
  1774
  1775 (ExtraDataHdr)
  1776     event type: 4   event length: 50
  1777
  1778 (ExtraData)
  1779     sensor id: 0    event id: 14    event second: 1337848659
  1780     type: 10    datatype: 1 bloblength: 26  HTTP Hostname: www.howtoforge.com
  1781
  1782 (ExtraDataHdr)
  1783     event type: 4   event length: 62
  1784
  1785 (ExtraData)
  1786     sensor id: 0    event id: 15    event second: 1337848659
  1787     type: 9 datatype: 1 bloblength: 38  HTTP URI: /forums/showthread.php?t=57055
  1788
  1789 (ExtraDataHdr)
  1790     event type: 4   event length: 50
  1791
  1792 (ExtraData)
  1793     sensor id: 0    event id: 15    event second: 1337848659
  1794     type: 10    datatype: 1 bloblength: 26  HTTP Hostname: www.howtoforge.com

...


So, is there a way of knowing if an Event will have an ExtraData entry
later?

Best Regards

&lt;/pre&gt;</description>
    <dc:creator>Jaime Blasco</dc:creator>
    <dc:date>2012-05-24T11:14:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5203">
    <title>Bug in SSL preproc or doc update/clarification?</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5203</link>
    <description>&lt;pre&gt;I was trying to come up with sigs to hit on a C&amp;amp;C that uses malformed
SSLv3 client hello followed by server data that does not contain an
SSL fatal alert of some kind.  For the sake of simplicity below is a rule
I would expect to match on the fatal alert from the server in response
to a malformed client hello. Based on documentation in the snort
manual it seems this rule should fire with default snort.conf but it
doesn't on 2.9.2.3. Removing both "trustservers, noinspect_encrypted"
from the ssl preproc allows this rule to fire. Bug? Expected Behavior?
User Error? pcap available upon request....

Regards,

Will

#Manual Entry
"Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP
to inspect port 443 and enabling the noinspect_encrypted option, only
the SSL handshake of each connection will be inspected. Once the
traffic is determined to be encrypted, no further inspection of the
data on the connection is made.

By default, SSLPP looks for a handshake followed by encrypted traffic
traveling to both sides. If one side responds with an indication that
something has failed, such as the handshake, the session is not marked
as encrypted. Verifying that faultless encrypted traffic is sent from
both endpoints ensures two things: the last client-side handshake
packet was not crafted to evade Snort, and that the traffic is
legitimately encrypted. "

#Rule
alert tcp $EXTERNAL_NET 443 -&amp;gt; $HOME_NET any (msg:"ET BLAH SSL 3.0
Fatal Alert (Expected Behavior)"; flow:from_server,established;
content:"|15 03 00 00 02 02|"; depth:6; classtype:trojan-activity;
sid:6014637; rev:1;)

#Preproc setting and results.

#doesn't alert
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers,
noinspect_encrypted
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }, noinspect_encrypted

#alerts
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

&lt;/pre&gt;</description>
    <dc:creator>Will Metcalf</dc:creator>
    <dc:date>2012-05-23T17:26:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5200">
    <title>Snort 2.9.3 Beta Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5200</link>
    <description>&lt;pre&gt;Snort 2.9.3 Beta is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Development
Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
  * Updates to flowbit rule option to allow for OR and AND
    of individual bits within a single rule, and allow flowbits
    to be used in multiple groups.  See README.flowbits and
    the Snort manual for details.

  * Dynamic output plugin architecture to provide an API that
    developers can write their own output mechanisms to log alert
    and packet data from Snort.  Some output plugins have been
    removed as a result of this to be maintained by their
    respective authors.

  * Update to dcerpc2 preprocessor for improved accuracy and
    handling of different OSs for SMB processing.  See README.dcerpc2
    and the Snort manual for details.

  * Updates to reputation preprocessor for handling of whitelist
    and trustlists and zone information.  See README.reputation
    and the Snort manual for details.

  * Updates to the packet decoders to support pflog v4.

[*] Improvements
  * Update to return error messages through the control socket.

  * Updates to the processing of email attachments for better
    handling of non-encoded attachments, and improved memory
    management for attachment processing.

  * Improvements in HTTP Inspect for better performance with gzip
    decompression.  Also improvements for handling simple responses,
    encoded query strings, transfer encoding and chunk encoding
    processing.

  * Fix logging of multiple unified2 alerts with reassembled packets.

  * Compiler warning cleanup across multiple platforms.

  * Added 116:458 and 116:459 to cover fragmentation issues.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta&amp;lt; at &amp;gt;sourcefire.com.

Happy Snorting!
The Snort Release Team



&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-18T13:55:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5198">
    <title>Perfmonitor Issue</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5198</link>
    <description>&lt;pre&gt;Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort:

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${INTERFACE}" \
        -c "${SNORT_CONF}" \
        --perfmon-file "${LOG_DIR}/snort.stats" \
        -l "${LOG_DIR}" \
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.systemtime);
  LogMessage("Combined: %.3f\n\n",sfBaseStats-&amp;gt;usecs_per_packet.totaltime);
  .
  .
}

But it doesn't...

It doesn't print me the Snort Max Performance at all..

The usec_per_packet structure is filled when "GetuSecondsPerPacket" is
called but it seems like we never enter in the "if" clause,
and when I try to debug with gdb, I can see that "iFlag" is always equal
to 0 for an unknown reason and since "MAX_PERF_STATS" is equal to 1, the
"if" test fails.

FYI, here are the options used to compile snort:

--enable-dynamicplugin --enable-perfprofiling --enable-linux-smp-stats
--enable-targetbased --enable-ipv6 --enable-ppm --enable-gre
--enable-static-daq=no --enable-64bit-gcc=no

If someone has an idea about the origin of the problem here...

Regards,

Abdelmonaim Mokadem.

&lt;/pre&gt;</description>
    <dc:creator>Abdelmonaim Mokadem</dc:creator>
    <dc:date>2012-05-16T18:10:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5197">
    <title>Snort 2.9.2.3 Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5197</link>
    <description>&lt;pre&gt;Snort 2.9.2.3 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.3 includes changes for the following:

  * Update to GTP preprocessor to better handle GTPv1 data.

  * Update to DNP3 preprocessor to add stricter checking on
    packets before processing by dnp3.  Improved checking
    on reassembly buffer

  * Update to PCRE rule option processing to prevent issues
    seen w/ libpcre-8.30 and certain rules.

  * Update to dcerpc2 to not abort reassembly if target-based
    protocol is undefined.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs&amp;lt; at &amp;gt;snort.org.

Happy Snorting!
The Snort Release Team



&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-15T19:56:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5194">
    <title>AF_PACKET zero copy mode</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5194</link>
    <description>&lt;pre&gt;Hi all,

Is it possible to know if the implementation of AF_PACKET capture mode with zero copy mode is currently under development in Snort ?

https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/


Thanks for your answer,

Guillaume DALEUX
Junior Research Engineer

&lt;/pre&gt;</description>
    <dc:creator>Guillaume Daleux</dc:creator>
    <dc:date>2012-05-10T13:28:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5187">
    <title>Question regarding snort statistics</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5187</link>
    <description>&lt;pre&gt;Hi all,

My name is Efi and I'm a PhD student. I'm writing this email, since I  
want to find out how to monitor for each rule and for each input  
packet which of the rule's predicates were satisfied and which not for  
the specific packet that is currently being processed. For example,  
given the rule

alert tcp 1.1.1.1 any -&amp;gt; 2.2.2.2 80 (content:"BOB"; gid:1000001;  
sid:1; rev:1;),

I want for each packet statistics of the form:

Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
and did not satisfy destIp = 2.2.2.2 and destport = 80 and content = "BOB"

What are the modifications that need to be performed to the src to get  
this info? For example, which functions, data structures hold this  
info ...

Best Regards,
Efi




&lt;/pre&gt;</description>
    <dc:creator>Efthymia Tsamoura</dc:creator>
    <dc:date>2012-05-04T10:45:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5183">
    <title>Active response on two interfaces</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5183</link>
    <description>&lt;pre&gt;I/we need to get snort to operate on two interfaces.  For simplicity, 
let's just say I want to have snort monitor traffic on eth0, but then 
send its resets out on eth1.  What's the configuration magic to allow this?

I've tried something like this in the snort.conf:
config response: device eth1 attempts 2

This, however, seems to get snort into this mode (when it detects some 
TCP connection it's configured to reset) where it "sniffs" back in the 
RST packet (on the other interface), then sends another RST packet.  
Kinda like "eating its own tail".  The snort process consumes the CPU 
and floods the network in this mode.

Also is there documentation someone could point me to regarding 
configuring snort for multiple interfaces?

Any and all information would be greatly appreciated!
Jonny L.



&lt;/pre&gt;</description>
    <dc:creator>Jon Larson</dc:creator>
    <dc:date>2012-05-01T23:46:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5182">
    <title>SPDY Awareness</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5182</link>
    <description>&lt;pre&gt;Have you guys looked into SPDY awareness within Snort?
http://en.wikipedia.org/wiki/SPDY

Brian Wilhide
brian.wilhide&amp;lt; at &amp;gt;gmail.com


&lt;/pre&gt;</description>
    <dc:creator>Brian Wilhide</dc:creator>
    <dc:date>2012-05-01T20:46:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5176">
    <title>wireshark diameter snort</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5176</link>
    <description>&lt;pre&gt;Can I use the wireshark parsing code for snort? (e.g. 
packet_diameter.c)?...need to decode diameter protocol
Since both are written in C, and both are using libpcap...it should 
work, isn't it?

any idea guys?


&lt;/pre&gt;</description>
    <dc:creator>asiaimbiss</dc:creator>
    <dc:date>2012-04-23T12:26:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5171">
    <title>Core dump with SID 17647?</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5171</link>
    <description>&lt;pre&gt;Hi everybody,

We have some problems with snort version 2920.
Sometimes the following core dump occurs:

#0 rule17647eval (p=0xffe29b5c)
at web-client_cve-2007-0071-swf-definesceneandframelabeldata-rce.c:245
cursor_normal = 0x9aad86e &amp;lt;Address 0x9aad86e out of bounds&amp;gt;
end_of_payload = 0xe5c91638 &amp;lt;Address 0xe5c91638 out of bounds&amp;gt;
type_and_length = 975
tag_length = 601998450
#1 0xf6da4844 in CheckRule (p=0xffe29b5c, r=0xf6c5ba60)
at sf_snort_detection_engine.c:189
No locals.
#2 0x080b7053 in DynamicCheck (option_data=0x23e1c472, p=0xffe29b5c)
at sp_dynamic.c:265
result = &amp;lt;optimized out&amp;gt;

I recognized that the flowbit of the rule 17647 has changed from 
http.swf to file.swf since 2904
and with this older version of snort we have never had this core dump 
before.

It may be that an error was made when the change happened?
If the problem is already known, can it be fixed by a simple version update?

Thanks in advance,
Lukas Matt

&lt;/pre&gt;</description>
    <dc:creator>Lukas Matt</dc:creator>
    <dc:date>2012-04-19T09:40:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5167">
    <title>(no subject)</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5167</link>
    <description>&lt;pre&gt;how to open log files of snort.......

 my log file position  is-  var/log/snort/ stored log files list
and log file type is application/octet-stream
 i also used wireshark then it is showing - "The file
"/var/log/snort/snort.u2.1333102054" isn't a capture file in a format
Wireshark understands."

please help me............






Indrajeet Gupta

&lt;/pre&gt;</description>
    <dc:creator>Indrajeet Gupta</dc:creator>
    <dc:date>2012-04-11T07:18:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5164">
    <title>(no subject)</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5164</link>
    <description>&lt;pre&gt;hi everyone,
does anyone know how to parse diameter protocol traffic with snort?
&lt;/pre&gt;</description>
    <dc:creator>karan singhania</dc:creator>
    <dc:date>2012-04-10T11:11:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5156">
    <title>Snort.org Blog: VRT Rule Update for 4/3/2012,Rule-Recategorization</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5156</link>
    <description>&lt;pre&gt;
http://blog.snort.org/2012/04/vrt-rule-update-for-432012-rule.html

VRT Rule Update for 4/3/2012, Rule-Recategorization

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 30 new rules and made modifications to 169 additional rules.

The following changes were made to the snort.conf in this release; these can be added to the bottom of the snort.conf where the rule declarations are made:

include $RULE_PATH/file-office.rules
include $RULE_PATH/file-other.rules
include $RULE_PATH/file-pdf.rules
include $RULE_PATH/indicator-compromise.rules
include $RULE_PATH/indicator-obfuscation.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/policy-other.rules
include $RULE_PATH/policy-social.rules
include $RULE_PATH/pua-p2p.rules
include $RULE_PATH/pua-toolbars.rules
include $RULE_PATH/server-mail.rules

 In VRT's rule release: 
Synopsis: This release introduces eleven new rule categories and contains new and modified rules in several categories. 
Details: This release introduces eleven new rule categories: 
File-Office
File-Other
File-PDF
Indicator-Compromise
Indicator-Obfuscation
Policy-Multimedia
Policy-Other
Policy-Social
PUA-P2P
PUA-Toolbars
Server-Mail
These categories have been populated with rules that were formerly in policy.rules, leaving 36 rules in that category.  These will be moved in the near future. 
This release contains new and modified rules in the backdoor, botnet-cnc, dos, exploit, file-identify, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, mysql, policy-multimedia, policy-other, policy-social, pua-p2p, pua-toolbars, server-mail, specific-threats, spyware-put, voip, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-04-03T21:35:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5153">
    <title>[PATCH]: RFC3514 Support for simplifying the task of detecting Evil.</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5153</link>
    <description>&lt;pre&gt;
Hi snort-devel,

The attached patch introduces RFC3514 support (The Security Flag in the IPv4
Header) into Snort.  Also known as the "Evil Bit", support of this flag
greatly simplifies the task of detecting network traffic with evil
intentions.  Entire rulesets can be replaced by one, single rule:

alert ip any any &amp;lt;&amp;gt; any any (msg:"Evil Network Traffic Detected!";
fragbits:E; sid:42003514; rev:1; gid:1; classtype:bad-unknown;)

More information on this oft-overlooked RFC can be found here:
http://www.ietf.org/rfc/rfc3514.txt


Cheers! :)

&lt;/pre&gt;</description>
    <dc:creator>Joshua Kinard</dc:creator>
    <dc:date>2012-04-01T09:17:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5151">
    <title>Packet Capturing</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5151</link>
    <description>&lt;pre&gt;Dear All,
Have a good day,
I have a question about how snort captures the packets using libpcap. From my understanding, in libpcap there are two functions for capturing packets, pcap_loop() and pcap_next_ex(). Which one of them is used by Snort and why? And generally, which one of these functions is more preferable (faster) for high speed links? Sorry if my question is not reliable.
By the way, I found these two functions in the tutorials of WinPcap, but I think that both libpcap and winpcap are compatible.
Regards,
Mohammed Faiz Aboalmaaly
&lt;/pre&gt;</description>
    <dc:creator>Mahammed Faiz Aboalmaali</dc:creator>
    <dc:date>2012-03-26T05:35:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5150">
    <title>Snort 2.9.2.2 Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5150</link>
    <description>&lt;pre&gt;Snort 2.9.2.2 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.2 includes changes for the following:

  * Updates to HTTP Inspect to handle normalization with large
    number of directories, eliminate false positives when chunks
    span multiple packets, and remove the upper limit on the
    gzip memcap.

  * Update stream handling for TCP session cleanup with RSTs and
    other TCP state tracking.

  * Update for active responses to fragmented IPv6 traffic and to
    the react page configuration.

  * Updates to SIP preprocessor to limit false positives.

  * Update for correct logging in unified2 when interface is passive.

  * Add stats for SMTP preprocessor at termination.

  * State tracking improvements to SMB processing in the dcerpc2
    preprocessor when missing packets on a session.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs&amp;lt; at &amp;gt;snort.org.

Happy Snorting!
The Snort Release Team


&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-03-27T21:25:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5147">
    <title>support current pflog format (&gt;= OpenBSD 4.9)</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5147</link>
    <description>&lt;pre&gt;pflog format changed over a year ago, here is a patch against 2.9.2.1 to
support the expanded pflog header size.


--- decode.h.origFri Jan 13 07:11:40 2012
+++ decode.hSun Mar 25 14:22:47 2012
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -797,13 +797,14 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; typedef struct _SLLHdr {
 
 
 /*
- * Snort supports 3 versions of the OpenBSD pflog header:
+ * Snort supports 4 versions of the OpenBSD pflog header:
  *
  * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
  * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
  * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
+ * Pflog4_Hdr:  CVS = 1.16, DLT_PFLOG     = 117, Length = 100
  *
- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
  * by their actual length.  The minimum required length excludes
  * padding.
  */
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -871,6 +872,33 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; typedef struct _Pflog3_hdr
 #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
 #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
 
+typedef struct _Pflog4_hdr
+{
+    uint8_t  length;
+    uint8_t  af;
+    uint8_t  action;
+    uint8_t  reason;
+    char     ifname[IFNAMSIZ];
+    char     ruleset[PFLOG_RULELEN];
+    uint32_t rulenr;
+    uint32_t subrulenr;
+    uint32_t uid;
+    uint32_t pid;
+    uint32_t rule_uid;
+    uint32_t rule_pid;
+    uint8_t  dir;
+    uint8_t  rewritten;
+    uint8_t  naf;
+    u_int8_t pad[1];
+    uint8_t  saddr[16];
+    uint8_t  daddr[16];
+    uint16_t sport;
+    uint16_t dport;
+} Pflog4Hdr;
+
+#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
+#define PFLOG4_HDRMIN (PFLOG4_HDRLEN)/* no trailing padding */
+
 /*
  * ssl_pkttype values.
  */
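Review bot: PFLOG4_HDRLEN is taken from sizeof(struct _Pflog4_hdr) and the
header comment promises Length = 100, but nothing in this hunk enforces that
the compiler lays the struct out in exactly 100 bytes. Because decode.c now
matches the on-wire length byte against PFLOG4_HDRMIN exactly, any inserted
padding, or a different IFNAMSIZ or PFLOG_RULELEN on the build host, would
send every version 4 packet to the default case. A compile-time check that
PFLOG4_HDRLEN equals 100 would catch that. Also, pad is declared u_int8_t
while every other field in the struct uses uint8_t; use uint8_t throughout.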
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -1760,6 +1788,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; typedef struct _Packet
     Pflog1Hdr *pf1h;            /* OpenBSD pflog interface header - version 1 */
     Pflog2Hdr *pf2h;            /* OpenBSD pflog interface header - version 2 */
     Pflog3Hdr *pf3h;            /* OpenBSD pflog interface header - version 3 */
+    Pflog4Hdr *pf4h;            /* OpenBSD pflog interface header - version 4 */
 
 #ifdef DLT_LINUX_SLL
     const SLLHdr *sllh;         /* Linux cooked sockets header */
--- decode.c.origFri Jan 13 07:11:40 2012
+++ decode.cSun Mar 25 14:22:51 2012
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -6865,20 +6865,36 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; void DecodePflog(Packet * p, const DAQ_PktHdr_t * pkth
         return;
     }
     /* lay the pf header structure over the packet data */
-    if ( *((uint8_t*)pkt) &amp;lt; PFLOG3_HDRMIN )
+    switch(*((uint8_t*)pkt))
     {
-        p-&amp;gt;pf2h = (Pflog2Hdr*)pkt;
-        pflen = p-&amp;gt;pf2h-&amp;gt;length;
-        hlen = PFLOG2_HDRLEN;
-        af = p-&amp;gt;pf2h-&amp;gt;af;
+        case PFLOG2_HDRMIN:
+            p-&amp;gt;pf2h = (Pflog2Hdr*)pkt;
+            pflen = p-&amp;gt;pf2h-&amp;gt;length;
+            hlen = PFLOG2_HDRLEN;
+            af = p-&amp;gt;pf2h-&amp;gt;af;
+            break;
+        case PFLOG3_HDRMIN:
+            p-&amp;gt;pf3h = (Pflog3Hdr*)pkt;
+            pflen = p-&amp;gt;pf3h-&amp;gt;length;
+            hlen = PFLOG3_HDRLEN;
+            af = p-&amp;gt;pf3h-&amp;gt;af;
+            break;
+        case PFLOG4_HDRMIN:
+            p-&amp;gt;pf4h = (Pflog4Hdr*)pkt;
+            pflen = p-&amp;gt;pf4h-&amp;gt;length;
+            hlen = PFLOG4_HDRLEN;
+            af = p-&amp;gt;pf4h-&amp;gt;af;
+            break;
+        default:
+            if (ScLogVerbose())
+            {
+                ErrorMessage("unrecognized pflog header length! "
+                        "(%d)\n", *((uint8_t*)pkt));
+            }
+            PREPROC_PROFILE_END(decodePerfStats);
+            return;
     }
-    else
-    {
-        p-&amp;gt;pf3h = (Pflog3Hdr*)pkt;
-        pflen = p-&amp;gt;pf3h-&amp;gt;length;
-        hlen = PFLOG3_HDRLEN;
-        af = p-&amp;gt;pf3h-&amp;gt;af;
-    }
+   
     /* now that we know a little more, do a little more validation */
     if(cap_len &amp;lt; hlen)
     {
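Review bot: the switch on the first byte now requires an exact match with
PFLOG2_HDRMIN, PFLOG3_HDRMIN or PFLOG4_HDRMIN, where the removed code
accepted any value (below PFLOG3_HDRMIN as version 2, everything else as
version 3). Rejecting unknown lengths is the safer behaviour, but the default
case only reports it when ScLogVerbose() is set, so on a normal run a sensor
reading a newer pflog format drops every packet with no indication. Consider
an unconditional one-time warning or a decoder counter in the default case.
The added whitespace-only line after the closing brace of the switch should
also be dropped.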

&lt;/pre&gt;</description>
    <dc:creator>Ryan McBride</dc:creator>
    <dc:date>2012-03-25T06:17:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5144">
    <title>Falses on 2011032/ET SCAN HTTP POST invalid method case?</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5144</link>
    <description>&lt;pre&gt;I seem to be getting falses on this where the HTTP headers
are not present, but a non-all-upcase 'post' appears in the
body.

1) I would think that a 'post' not at the beginning of the packet
  wouldn't get flagged as an HTTP method

2) I'm doing load-balancing with the PF_RING DAQ and I
   was wondering if perhaps that would chop up the flows
   so different snort processes would get chunks from the
   same TCP stream, so the snort process that received this
   packet wouldn't know it wasn't the first packet in the stream.
   However, I'm also seeing this on a non-PF_RING-enabled
   host.

Snort info:

 - version 2.9.2.1

 - configure flags: CFLAGS="-O2 -I/opt/local/include"
   LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure
   --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload
   --enable-flexresp3  --with-libpfring-includes=/opt/local/include
   --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling

 - 1 PFRING-enabled sensor:
    uname -a:
      Linux &amp;lt;server name&amp;gt;
      2.6.38-13-server #52-Ubuntu SMP Tue Nov 8 17:11:08 UTC 2011
      x86_64 x86_64 x86_64 GNU/Linux
    CL:
      /opt/local/bin/snort -i eth5 --daq-dir=/opt/local/lib/daq --daq
      pfring --daq-var clusterid=44 --daq-var bindcpu=3
      -c /etc/snort/ufirt-snort-pf-ewan.conf -l /var/log/snort3 -R 3
    Rules: 2865 ET and local rules

 - 1 non-PFRING-enabled sensor:
    uname -a:
      Linux &amp;lt;server name&amp;gt; 2.6.32-33-server #72-Ubuntu SMP
      Fri Jul 29 21:21:55 UTC 2011 x86_64 GNU/Linux
    CL:
      /opt/local/bin/snort -D -i eth1 --daq-dir=/opt/local/lib/daq --daq pcap
      --daq-var clusterid=44 --daq-var bindcpu=1
      -c /etc/snort/ufirt-snort-pf.conf -l /var/log/snort1 -R 1
    Rules: 3452 ET and local rules

Offending rule:

 alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET $HTTP_PORTS (msg:"ET SCAN
 HTTP POST invalid method case"; flow:established,to_server;
 content:"post"; http_method; nocase; content:!"POST"; http_method;
 reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
 reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown;
 sid:2011032; rev:4;)

Actual text has been replaced with "&amp;lt;text&amp;gt;".

Please let me know if you need anything else.

&lt;/pre&gt;</description>
    <dc:creator>Packet Hack</dc:creator>
    <dc:date>2012-03-22T13:32:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5142">
    <title>log_tcpdump does not log</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5142</link>
    <description>&lt;pre&gt;Hi,

I am trying to look if packetfence is generating a false positive or not
on certain packages and to get that I would like to capture the packets
that generated an alert with log_tcpdump into a file.

Snort starts fine with that line in the configuration but the file isn't
generated after alerts. Yes snort can write to the given directory.

Actually I have three machines running snort and it works on one and not
the other two.



hboetes&amp;lt; at &amp;gt;oink /etc/snort % snort --version
   ,,_     -*&amp;gt; Snort! &amp;lt;*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch &amp;amp; The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes&amp;lt; at &amp;gt;oink /etc/snort % l /var/log/snort/tcpdump.log.133*
-rw------- 1 root root 8.0M Mar 19 12:47
/var/log/snort/tcpdump.log.1332123032
hboetes&amp;lt; at &amp;gt;oink /etc/snort % stripcom snort.conf|grep tcpdump
output log_tcpdump: tcpdump.log


hboetes&amp;lt; at &amp;gt;ds2 /usr/local/pf/conf % snort --version

   ,,_     -*&amp;gt; Snort! &amp;lt;*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch &amp;amp; The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes&amp;lt; at &amp;gt;ds2 /usr/local/pf/conf % stripcom
/usr/local/pf/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/tcpdump.log
% ls /usr/local/pf/var/tcpdump.log*
zsh: no matches found: /usr/local/pf/var/tcpdump.log*

hboetes&amp;lt; at &amp;gt;ds1 ~ % snort --version

   ,,_     -*&amp;gt; Snort! &amp;lt;*-
  o"  )~   Version 2.9.2.1 IPv6 GRE (Build 107)
   ''''    By Martin Roesch &amp;amp; The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

hboetes&amp;lt; at &amp;gt;ds1 ~ % stripcom /usr/local/pf/var/conf/snort.conf|grep tcpdump
output log_tcpdump: /usr/local/pf/var/violation_pcap
hboetes&amp;lt; at &amp;gt;ds1 ~ % l /usr/local/pf/var/violation_pcap*
zsh: no matches found: /usr/local/pf/var/violation_pcap*
hboetes&amp;lt; at &amp;gt;ds1 ~ % pg snort
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
pf        1322 20.6  0.5  67900 43860 ?        Ssl  12:57   0:02
/usr/sbin/snort -u pf -c /usr/local/pf/var/conf/snort.conf -i eth1 -N -D
-l /usr/local/pf/var --pid-path /usr/local/pf/var/run

Kind regards,


Han Boetes

&lt;/pre&gt;</description>
    <dc:creator>Han Boetes</dc:creator>
    <dc:date>2012-03-19T11:59:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5136">
    <title>Deprecated support prelude on snort 2.9.3</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5136</link>
    <description>&lt;pre&gt;Hi,

I have seen in the Snort 2.9.2 manual that the prelude plugin is considered
deprecated in the next version, 2.9.3.

This seems to indicate that support for prelude will not be available anymore?
Is it true? Why?

Thanks
&lt;/pre&gt;</description>
    <dc:creator>Albert Monfà</dc:creator>
    <dc:date>2012-02-28T08:45:22</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel</link>
  </textinput>
</rdf:RDF>

