<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.ids.snort.general">
    <title>gmane.comp.security.ids.snort.general</title>
    <link>http://blog.gmane.org/gmane.comp.security.ids.snort.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36723"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36712"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36711"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36703"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36697"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36696"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36694"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36689"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36686"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36682"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36679"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36676"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36673"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36672"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36671"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36661"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36660"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36657"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36651"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36648"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36723">
    <title>Snort alarm sameip</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36723</link>
    <description>&lt;pre&gt;
Hi,

Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request?
The source is 0.0.0.0, the destination is 255.255.255.255.
The rule is the default bad-traffic rule:

alert ip any any -&amp;gt; any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)

phil&amp;lt; at &amp;gt;Rangoon:~$ snort --version

   ,,_     -*&amp;gt; Snort! &amp;lt;*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
   ''''    By Martin Roesch &amp;amp; The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4



I could add exceptions to filter this out, but I would like to know why it's being triggered.

Thanks

Phil Edwards



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

&lt;/pre&gt;</description>
    <dc:creator>Philip Edwards</dc:creator>
    <dc:date>2012-05-26T12:12:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36712">
    <title>Testing snort</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36712</link>
    <description>&lt;pre&gt;Hi All,

I want to test snort using large packets.
I started Wireshark and started to capture traffic. I am planning to save a .pcap file and load it into a system running snort.
My question is: how can I load the .pcap or Wireshark file into that system?
Is there any tool?

Is there any other method to test it?


Regards,
Sandip Bankewar

&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-24T10:04:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36711">
    <title>Daemonlogger native package now in OpenWRT trunk!</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36711</link>
    <description>&lt;pre&gt;My patch for building Daemonlogger as a native OpenWRT package has been 
accepted into the mainline distribution and committed to trunk. 
Pre-built binary packages are now available for all supported 
architectures in the nightly snapshots tree.

Unfortunately these packages only work on the latest trunk firmware 
builds at the moment, and the 3.2 kernel along with the extra software 
included in these builds does not leave enough free JFFS space or usable 
RAM to run daemonlogger effectively. I'm trying to convince the 
developers to include this in the next stable release of Backfire 
(10.03.2) based on the 2.6 kernel, but no luck yet.

For the time being you can still grab my binary package from my GitHub 
repository. This one *does* install and run cleanly on the current 
stable version of Backfire (10.03.1).

   - Announcement: http://goo.gl/Wy5G8
   - Downloads: https://github.com/vineyard/WRT-SPAN

Cheers,
Robert Vineyard

&lt;/pre&gt;</description>
    <dc:creator>Robert Vineyard</dc:creator>
    <dc:date>2012-05-23T23:14:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36703">
    <title>Snort and real-time alerting</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36703</link>
    <description>&lt;pre&gt;Dear all, I have Snort 2.9 with BASE running OK, but I need a real-time
alerting mechanism via email if possible.

How can I do that? Any extra module to use in that way?

Special thanks

JeLo

&lt;/pre&gt;</description>
    <dc:creator>Jeronimo L. Cabral</dc:creator>
    <dc:date>2012-05-23T14:10:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36697">
    <title>subscribe</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36697</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Lawrence R. Hughes, Sr.</dc:creator>
    <dc:date>2012-05-22T14:24:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36696">
    <title>Snort Stream5 Support</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36696</link>
    <description>&lt;pre&gt;Very new to snort.

I seem to be having some issues with getting Stream5 support up and running.  Here is the rule:

[root&amp;lt; at &amp;gt;hostname]# cat /tmp/test.rule
log tcp any any -&amp;gt;  xx.xx.xx.xx/29 23
alert tcp any any -&amp;gt; xx.xx.xx.xx/29 22 (\
msg:"Potential SSH Brute Force";\
flow:to_server;\
flags:S;\
threshold:type threshold, track by_src, count 3, seconds 60;\
classtype:attempted-dos;\
sid:2001218;\
rev:4;\
resp:rst-all;\
)

Using the following options to startup:

snort -d -i eth0 -c /tmp/test.rule -l /tmp/log

Produces a nasty error:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/tmp/test.rule"
Tagged Packet Limit: 256
Log directory = /tmp/log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /tmp/test.rule(11): Stream5 must be enabled to use the 'to_server' option.
Fatal Error, Quitting..



Reviewing the snort.conf file, it appears I DO have Stream5 support enabled:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
        161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
        7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \
        7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
        7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
preprocessor stream5_udp: timeout 180



Why am I getting the error?
&lt;/pre&gt;</description>
    <dc:creator>Turnbough, Bradley E.</dc:creator>
    <dc:date>2012-05-22T14:22:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36694">
    <title>Logging URI too long</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36694</link>
    <description>&lt;pre&gt;Hi all,

I noticed a behaviour in Snort that I want to share with all of you. Snort
is now logging URI and Hostname as Extra Data but, what if the URI is too long?
I've seen alerts related to error 500 where the URI is present, but when the alert
is 414 (URI too long) there's no extra data.

I've made a patch in BASE to show Extra Data info and tried with u2spewfoo
as well, but it seems that in this case it's not logged. That
post &amp;lt;http://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html&amp;gt; says:

"When a HTTP Request URI is greater than 2048 or when a HTTP hostname
(specified in the "Host" Request header) is greater than 256, Snort will
log the truncated the URI and/or hostname. A preprocessor alert with
GID:119 and SID:25 is generated when hostname exceeds 256 bytes."

Where is it truncated? How can I get the Extra Data of a "URI Too Long" alert? Is
it logged in that case?

Best regards
Un saludo
&lt;/pre&gt;</description>
    <dc:creator>Nelo Belda</dc:creator>
    <dc:date>2012-05-22T11:55:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36689">
    <title>vendor list surfing</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36689</link>
    <description>&lt;pre&gt;&amp;lt; at &amp;gt; whoever called me from safemedia.com

I joined this list to get advice and assistance from people who use snort, NOT a commercial.

If you have a product that you feel will assist me I am willing to listen, but please contact me via email and off this list.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T21:51:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36686">
    <title>New snort install question</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36686</link>
    <description>&lt;pre&gt;Hello all!

I work for a small private university and we are looking into deploying snort for monitoring our internal network.

We have 50+ buildings on campus and the idea is to place a single snort box in each building and have it sniff the uplink traffic, then report back to our NAC system (Packetfence).  The goal was to be able to use some of our older desktops (Dell 960s) as kind of snort nodes with no keyboard, mouse or monitor.

We would prefer to be able to manage all of these distributed snort boxes from a single place or at least from a web GUI on each box.

#1. Am I way off base thinking about using snort this way?
#2. What kind of tools exist to manage multiple snort boxes?
#3. Am I missing something crucial that would make me look like an idiot when I go to set this up?

I have other questions but I will not spam the list with them all at once.  Please let me know your ideas and or suggestions.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T19:37:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36682">
    <title>barnyard2 database and java</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36682</link>
    <description>&lt;pre&gt;Hi,

I am building an analyzer for barnyard2 in Java. My tool can currently read from the barnyard2 database and get all values, but I have problems with how to interpret data_payload from the data table.
How can I read and work with the data_payload values from the data table?
Does anybody have an example for that?
I need to analyze SIP records only.

Kind regards,
Gregor Binder

&lt;/pre&gt;</description>
    <dc:creator>Gregor Binder</dc:creator>
    <dc:date>2012-05-21T13:38:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36679">
    <title>please ! unsubscribe me !!! I have done several times but it doesn't work</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36679</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Adriana Solé</dc:creator>
    <dc:date>2012-05-20T20:23:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36676">
    <title>snort inline mode</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36676</link>
    <description>&lt;pre&gt;Hello Snort users,
I want to get an IPS which blocks attacks, so I studied Snort a little bit and
downloaded it from the Ubuntu repository, but when I set Snort in inline
mode, the only --daq-mode that works without a fatal error is the dump mode,
with which I tested an nmap scan and saw that Snort allowed it after pressing
ctrl+c...
So I compiled the sources of libnet, daq, and snort: the daq compile
instructions don't work; I didn't mind and used the daq from the
repository. But I have the same problem with the --daq-mode, which only
works without a fatal error in dump mode, which is not a really inline
mode according to the Snort manual.

I have seen that most actions in the Snort rules are alert, and I
want to know how Snort could work in inline mode with the alert action
instead of block.

Extract from the Snort launch:
Rule application order: 
activation-&amp;gt;dynamic-&amp;gt;pass-&amp;gt;drop-&amp;gt;sdrop-&amp;gt;reject-&amp;gt;alert-&amp;gt;log

If you want to answer me, I have 2 questions:
- How to patch the daq to make it work in another mode?
- Can I get Snort rules that have inline actions like block, or does the
inline mode work otherwise with alert?

Thanks for your answers.

&lt;/pre&gt;</description>
    <dc:creator>eddie</dc:creator>
    <dc:date>2012-05-18T22:59:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36673">
    <title>daq &lt;type&gt; for inline mode</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36673</link>
    <description>&lt;pre&gt;Hello Snort users,
I am taking Snort in hand to make it work as an IPS in inline mode: I got version 2.9.2.0 from the Ubuntu repository, like libnet and daq, and when I try to run Snort in inline mode a fatal error appears telling me that Snort can't find the daq for the nfq and ipq daq types. The ipfw type works, but when stopping Snort with ctrl+c I get this traceback:
Can't acquire (-1) - ipfw_daq_acquire: can't select divert socket (Interrupted system call)
The dump daq type works without problems but isn't made for inline mode according to the Snort manual.
I think the best packet acquisition type (--daq type) for Ubuntu is nfq, but when trying with it I get this traceback:
ERROR: Can't find nfq DAQ!
Fatal Error, Quitting..
and I can't compile the daqs from source: the ./configure works but not the make.
If someone knows how to patch this problem, thanks for answering.
&lt;/pre&gt;</description>
    <dc:creator>Eddie BRUGGEMANN</dc:creator>
    <dc:date>2012-05-20T06:05:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36672">
    <title>Alert management</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36672</link>
    <description>&lt;pre&gt;Dear all,
 I wonder if someone can advise me on some alert correlation software for
Snort alerts to give me better protection. I recently heard of ACARM-ng,
but I am not sure about using it and I don't know how it works with Snort.
Thanks
&lt;/pre&gt;</description>
    <dc:creator>hamid alaei</dc:creator>
    <dc:date>2012-05-19T12:28:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36671">
    <title>Getting alerts from Snort to a SQL Server 2008</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36671</link>
    <description>&lt;pre&gt;Has anyone found a solution of getting alerts from Snort to a Microsoft SQL
Server 2008, other than using the output database option? 

Mes-


&lt;/pre&gt;</description>
    <dc:creator>Michael Steele</dc:creator>
    <dc:date>2012-05-18T21:35:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36661">
    <title>php, base issue</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36661</link>
    <description>&lt;pre&gt;Hello,
I have configured snort-2.9.2.2 on an openSUSE 12.1 box; everything is
working great except that the portscan traffic stays at 0% after an NMAP
test, and when I select the source ports link or dest ports link I receive an
error. Does anyone know how I can resolve this issue?


 Basic Analysis and Security Engine (BASE)

    - Today's alerts: unique | listing | Source IP | Destination IP
    - Last 24 Hours alerts: unique | listing | Source IP | Destination IP
    - Last 72 Hours alerts: unique | listing | Source IP | Destination IP
    - Most recent 15 Alerts: any protocol | TCP | UDP | ICMP
    - Last Source Ports: any protocol | TCP | UDP
    - Last Destination Ports: any protocol | TCP | UDP
    - Most Frequent Source Ports: any protocol | TCP | UDP
    - Most Frequent Destination Ports: any protocol | TCP | UDP
    - Most frequent 15 Addresses: Source | Destination
    - Most recent 15 Unique Alerts
    - Most frequent 5 Unique Alerts

 *Queried on:* Fri May 18, 2012 16:34:43
*Database:* snort&amp;lt; at &amp;gt;localhost    (*Schema Version:* 107)
*Time Window:* [2012-05-18 11:05:19] - [2012-05-18 11:06:55]
 *Search* | *Graph Alert Data* | Graph Alert Detection Time

------------------------------
  *Sensors/Total:* 1 / 2
*Unique Alerts:* 1
*Categories:* 1
*Total Number of Alerts:* 48

   - Src IP addrs: 13
   - Dest. IP addrs: 1
   - Unique IP links: 13
   - Source Ports: 2
      - TCP (0)  UDP (2)
   - Dest Ports: 2
      - TCP (0)  UDP (2)

*Traffic Profile by Protocol*  TCP (0%)  UDP (100%)  ICMP (0%)

------------------------------
  Portscan Traffic (0%)


  Basic Analysis and Security Engine (BASE)
  Home | Search

  [ Back ]

/srv/www/htdocs/base/includes/base_cache.inc.php:556: ERROR:
$number_sensors_array is NOT an array!


/srv/www/htdocs/base/includes/base_cache.inc.php:564: ERROR:
$number_sensors_array is either NULL or empty!

 *Queried on:* Fri May 18, 2012 16:36:23      Meta Criteria *   any *   IP
Criteria *   any *   Layer 4 Criteria *   none * Payload Criteria *   any *


*No Alerts were found.*

 Port | Sensor | Occurrences | Unique Alerts | Src. Addr. | Dest. Addr. | First | Last
    ACTION
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!&lt;/pre&gt;</description>
    <dc:creator>Dennis Circolone</dc:creator>
    <dc:date>2012-05-18T16:37:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36660">
    <title>Snort 2.9.3 Beta Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36660</link>
    <description>&lt;pre&gt;Snort 2.9.3 Beta is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Development
Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
  * Updates to flowbit rule option to allow for OR and AND
    of individual bits within a single rule, and allow flowbits
    to be used in multiple groups.  See README.flowbits and
    the Snort manual for details.

  * Dynamic output plugin architecture to provide an API that
    developers can use to write their own output mechanisms to log alert
    and packet data from Snort.  Some output plugins have been
    removed as a result of this, to be maintained by their
    respective authors.

  * Update to dcerpc2 preprocessor for improved accuracy and
    handling of different OSs for SMB processing.  See README.dcerpc2
    and the Snort manual for details.

  * Updates to reputation preprocessor for handling of whitelist
    and trustlists and zone information.  See README.reputation
    and the Snort manual for details.

  * Updates to the packet decoders to support pflog v4.

[*] Improvements
  * Update to return error messages through the control socket.

  * Updates to the processing of email attachments for better
    handling of non-encoded attachments, and improved memory
    management for attachment processing.

  * Improvements in HTTP Inspect for better performance with gzip
    decompression.  Also improvements for handling simple responses,
    encoded query strings, transfer encoding and chunk encoding
    processing.

  * Fix logging of multiple unified2 alerts with reassembled packets.

  * Compiler warning cleanup across multiple platforms.

  * Added 116:458 and 116:459 to cover fragmentation issues.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta&amp;lt; at &amp;gt;sourcefire.com.

Happy Snorting!
The Snort Release Team


&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-18T13:56:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36657">
    <title>Snort 2.8-&gt;2.9 upgrade, DAQ and libpcap</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36657</link>
    <description>&lt;pre&gt;Hi,
I'm trying to upgrade from 2.8 to 2.9.2.3, and I'm getting this error:

checking for dlsym in -ldl... yes
./configure: line 15188: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no

    ERROR! daq_static library not found, go get it from
    http://www.snort.org/.
make: *** [snort_configure] Error 1

and from what I read here:
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html
pcap &amp;gt; 1.0.0 is required. I am still running pcap 0.9.8

Can somebody confirm that I can't continue working with the old pcap 
version?

Thanks,
Maurizio Molina

&lt;/pre&gt;</description>
    <dc:creator>Maurizio Molina</dc:creator>
    <dc:date>2012-05-18T05:46:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36651">
    <title>Snort &amp; Pulled Pork questions</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36651</link>
    <description>&lt;pre&gt;Working on updating to the latest version of snort (2.9.2.3) and using
pulledpork (0.6.1).

For those of us who are not paying subscribers of the VRT rule set,
updating to the latest issue within the first 30 days causes issues..

I updated from 2.9.2.2 to 2.9.2.3 yesterday; when pulled pork runs it
detects the snort version and attempts to download the correct rule set,
well for me there is no rule set and won't be for 30 days..

Now I can manually set the snort version to 2.9.2.2 in pulledpork.conf
as long as 2.9.2.2 rules are compatible with 2.9.2.3 (which Joel
indicated they are.  This time..).

What happens when a change is made that makes the older rules
incompatible?

Are my choices to (1) not upgrade to the latest snort version for 30
days, until "free" rules are available, or (2) purchase a rule
subscription?

Thanks,

Jason

_____________________________________________________________________________________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.&lt;/pre&gt;</description>
    <dc:creator>Weir, Jason</dc:creator>
    <dc:date>2012-05-17T13:20:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36648">
    <title>Perfmonitor Issue</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36648</link>
    <description>&lt;pre&gt;Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort:

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${INTERFACE}" \
        -c "${SNORT_CONF}" \
        --perfmon-file "${LOG_DIR}/snort.stats" \
        -l "${LOG_DIR}" \
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort: %.3f\n", sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n", sfBaseStats-&amp;gt;usecs_per_packet.systemtime);
  LogMessage("Combined: %.3f\n\n", sfBaseStats-&amp;gt;usecs_per_packet.totaltime);
  .
  .
}

But it doesn't...

It doesn't print the Snort Max Performance at all..

The usec_per_packet structure is filled when "GetuSecondsPerPacket" is
called, but it seems like we never enter the "if" clause,
and when I try to debug with gdb, I can see that "iFlag" is always equal
to 0 for an unknown reason, and since "MAX_PERF_STATS" is equal to 1, the
"if" test fails.

FYI, here are the options used to compile snort:

--enable-dynamicplugin --enable-perfprofiling --enable-linux-smp-stats
--enable-targetbased --enable-ipv6 --enable-ppm --enable-gre
--enable-static-daq=no --enable-64bit-gcc=no

If someone has an idea about the origin of the problem here...

Regards,

Abdelmonaim Mokadem.
&lt;/pre&gt;</description>
    <dc:creator>Abdelmonaim Mokadem</dc:creator>
    <dc:date>2012-05-16T18:10:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36642">
    <title>False positive</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36642</link>
    <description>&lt;pre&gt;

Hi,

I have recently installed snort on ubuntu and am just attempting to tune out the noise.
For some reason the BAD-TRAFFIC (same source and destination) rule is firing on DHCP broadcasts.

The source is 0.0.0.0 port 67 and the destination is 255.255.255.255 port 68.

Since the source and destination are different, can anyone clue me in?

Thanks

Phil Edwards
&lt;/pre&gt;</description>
    <dc:creator>Philip Edwards</dc:creator>
    <dc:date>2012-05-16T11:08:34</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general</link>
  </textinput>
</rdf:RDF>

