<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.ids.snort.devel">
    <title>gmane.comp.security.ids.snort.devel</title>
    <link>http://blog.gmane.org/gmane.comp.security.ids.snort.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5204"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5203"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5200"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5198"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5197"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5194"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5187"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5183"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5182"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5176"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5171"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5167"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5164"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5156"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5153"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5151"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5150"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5147"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5144"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5142"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5204">
    <title>Unified2 with EXTRA_DATA fields</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5204</link>
    <description>&lt;pre&gt;Hi,

I want to explain a problem that we have while adapting our Unified2 parser
to the new extra-data fields.

The problem is that when you want to parse the events in real time you don't
have a way to know if the Event will have an ExtraData later in the file.

Example:

(Event)
    sensor id: 0    event id: 31    event second: 1337848659    event microsecond: 228367
    sig id: 99999   gen id: 1   revision: 1  classification: 0
    priority: 0 ip source: 188.40.16.205    ip destination: 192.168.2.183
    src port: 80    dest port: 49892    protocol: 6 impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 31    event second: 1337848659
    packet second: 1337848659   packet microsecond: 228367
    linktype: 1 packet_length: 1506

...
...

(ExtraDataHdr)
    event type: 4   event length: 62

(ExtraData)
    sensor id: 0    event id: 14    event second: 1337848659
    type: 9 datatype: 1 bloblength: 3&lt;/pre&gt;</description>
    <dc:creator>Jaime Blasco</dc:creator>
    <dc:date>2012-05-24T11:14:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5203">
    <title>Bug in SSL preproc or doc update/clarification?</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5203</link>
    <description>&lt;pre&gt;I was trying to come up with sigs to hit on a C&amp;amp;C that uses malformed
SSLv3 client hello followed by server data that does not contain an
SSL fatal alert of some kind.  For the sake of simplicity, below is a rule
I would expect to match on the fatal alert from the server in response
to a malformed client hello. Based on documentation in the snort
manual it seems this rule should fire with default snort.conf but it
doesn't on 2.9.2.3. Removing both "trustservers, noinspect_encrypted"
from the ssl preproc allows this rule to fire. Bug? Expected Behavior?
User Error? pcap available upon request....

Regards,

Will

#Manual Entry
"Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP
to inspect port 443 and enabling the noinspect_encrypted option, only
the SSL handshake of each connection will be inspected. Once the
traffic is determined to be encrypted, no further inspection of the
data on the connection is made.

By default, SSLPP looks for a handshake followed by encrypted traffic
traveling to both&lt;/pre&gt;</description>
    <dc:creator>Will Metcalf</dc:creator>
    <dc:date>2012-05-23T17:26:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5200">
    <title>Snort 2.9.3 Beta Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5200</link>
    <description>&lt;pre&gt;Snort 2.9.3 Beta is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Development
Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
  * Updates to flowbit rule option to allow for OR and AND
    of individual bits within a single rule, and allow flowbits
    to be used in multiple groups.  See README.flowbits and
    the Snort manual for details.

  * Dynamic output plugin architecture to provide an API that
    developers can write their own output mechanisms to log alert
    and packet data from Snort.  Some output plugins have been
    removed as a result of this to be maintained by their
    respective authors.

  * Update to dcerpc2 preprocessor for improved accuracy and
    handling of different OSs for SMB processing.  See README.dcerpc2
    and the Snort manual for details.

  * Updates to reputation preprocessor for handling of wh&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-18T13:55:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5198">
    <title>Perfmonitor Issue</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5198</link>
    <description>&lt;pre&gt;Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort:

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}" \
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}" \
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}" \
        --daq-dir "${DAQ_DIR}" \
        -i "${INTERFACE}" \
        -c "${SNORT_CONF}" \
        --perfmon-file "${LOG_DIR}/snort.stats" \
        -l "${LOG_DIR}" \
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort:    %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.syst&lt;/pre&gt;</description>
    <dc:creator>Abdelmonaim Mokadem</dc:creator>
    <dc:date>2012-05-16T18:10:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5197">
    <title>Snort 2.9.2.3 Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5197</link>
    <description>&lt;pre&gt;Snort 2.9.2.3 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.3 includes changes for the following:

  * Update to GTP preprocessor to better handle GTPv1 data.

  * Update to DNP3 preprocessor to add stricter checking on
    packets before processing by dnp3.  Improved checking
    on reassembly buffer

  * Update to PCRE rule option processing to prevent issues
    seen w/ libpcre-8.30 and certain rules.

  * Update to dcerpc2 to not abort reassembly if target-based
    protocol is undefined.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs&amp;lt; at &amp;gt;snort.org.

Happy Snorting!
The Snort Release Team


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat land&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-15T19:56:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5194">
    <title>AF_PACKET zero copy mode</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5194</link>
    <description>&lt;pre&gt;Hi all,

Is it possible to know if the implementation of AF_PACKET capture mode with zero copy mode is currently under development in Snort ?

https://home.regit.org/2012/02/using-af_packet-zero-copy-mode-in-suricata/


Thanks for your answer,

Guillaume DALEUX
Junior Research Engineer
tel: 450.430.8166 ext. 2279 | guillaume.daleux&amp;lt; at &amp;gt;abovesecurity.com
toll free: 1.866.430.8166 | fax: 450.430.1858
Managed Security Services | Information Risk Management
203 - 1919 boul. Lionel-Bertrand | Boisbriand | QC | Canada | J7H 1N8
www.abovesecurity.com




&lt;/pre&gt;</description>
    <dc:creator>Guillaume Daleux</dc:creator>
    <dc:date>2012-05-10T13:28:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5187">
    <title>Question regarding snort statistics</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5187</link>
    <description>&lt;pre&gt;Hi all,

My name is Efi and I'm a PhD student. I'm writing this email, since I  
want to find out how to monitor for each rule and for each input  
packet which of the rule's predicates were satisfied and which not for  
the specific packet that is currently being processed. For example,  
given the rule

alert tcp 1.1.1.1 any -&amp;gt; 2.2.2.2 80 (content:"BOB"; gid:1000001;  
sid:1; rev:1;),

I want for each packet statistics of the form:

Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
and did not satisfy destIp = 2.2.2.2 and destport = 80 and content = "BOB"

What are the modifications that need to be performed to the src to get  
this info? For example, which functions, data structures hold this  
info ...

Best Regards,
Efi



&lt;/pre&gt;</description>
    <dc:creator>Efthymia Tsamoura</dc:creator>
    <dc:date>2012-05-04T10:45:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5183">
    <title>Active response on two interfaces</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5183</link>
    <description>&lt;pre&gt;I/we need to get snort to operate on two interfaces.  For simplicity, 
let's just say I want to have snort monitor traffic on eth0, but then 
send its resets out on eth1.  What's the configuration magic to allow this?

I've tried something like this in the snort.conf:
config response: device eth1 attempts 2

This, however, seems to get snort into this mode (when it detects some 
TCP connection it's configured to reset) where it "sniffs" back in the 
RST packet (on the other interface), then sends another RST packet.  
Kinda like "eating its own tail".  The snort process consumes the CPU 
and floods the network in this mode.

Also is there documentation someone could point me to regarding 
configuring snort for multiple interfaces?

Any and all information would be greatly appreciated!
Jonny L.


&lt;/pre&gt;</description>
    <dc:creator>Jon Larson</dc:creator>
    <dc:date>2012-05-01T23:46:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5182">
    <title>SPDY Awareness</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5182</link>
    <description>&lt;pre&gt;Have you guys looked into SPDY awareness within Snort?
http://en.wikipedia.org/wiki/SPDY

Brian Wilhide
brian.wilhide&amp;lt; at &amp;gt;gmail.com

_______________________________________________
Snort-devel mailing list
Snort-devel&amp;lt; at &amp;gt;lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

&lt;/pre&gt;</description>
    <dc:creator>Brian Wilhide</dc:creator>
    <dc:date>2012-05-01T20:46:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5176">
    <title>wireshark diameter snort</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5176</link>
    <description>&lt;pre&gt;Can I use the Wireshark parsing code for Snort (e.g. 
packet_diameter.c)? I need to decode the Diameter protocol.
Since both are written in C, and both are using libpcap, it should 
work, isn't it?

any idea guys?

&lt;/pre&gt;</description>
    <dc:creator>asiaimbiss</dc:creator>
    <dc:date>2012-04-23T12:26:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5171">
    <title>Core dump with SID 17647?</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5171</link>
    <description>&lt;pre&gt;Hi everybody,

We have some problems with snort version 2920.
Sometimes the following core dump occurs:

#0 rule17647eval (p=0xffe29b5c)
    at web-client_cve-2007-0071-swf-definesceneandframelabeldata-rce.c:245
        cursor_normal = 0x9aad86e &amp;lt;Address 0x9aad86e out of bounds&amp;gt;
        end_of_payload = 0xe5c91638 &amp;lt;Address 0xe5c91638 out of bounds&amp;gt;
        type_and_length = 975
        tag_length = 601998450
#1 0xf6da4844 in CheckRule (p=0xffe29b5c, r=0xf6c5ba60)
    at sf_snort_detection_engine.c:189
No locals.
#2 0x080b7053 in DynamicCheck (option_data=0x23e1c472, p=0xffe29b5c)
    at sp_dynamic.c:265
        result = &amp;lt;optimized out&amp;gt;

I recognized that the flowbit of the rule 17647 has changed from 
http.swf to file.swf since 2904
and with this older version of snort we have never had this core dump 
before.

It may be that an error was made when the change happened?
If the problem is already known, can it be fixed by a simple version update?

Thanks in advance,
Lukas Matt

&lt;/pre&gt;</description>
    <dc:creator>Lukas Matt</dc:creator>
    <dc:date>2012-04-19T09:40:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5167">
    <title>(no subject)</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5167</link>
    <description>&lt;pre&gt;how to open log files of snort.......

 my log file position  is-  var/log/snort/ stored log files list
and log file type is application/octet-stream
 i also used wireshark then it is showing - "The file
"/var/log/snort/snort.u2.1333102054" isn't a capture file in a format
Wireshark understands."

please help me............






Indrajeet Gupta

07735657121
&lt;/pre&gt;</description>
    <dc:creator>Indrajeet Gupta</dc:creator>
    <dc:date>2012-04-11T07:18:27</dc:date>
  </item>
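The 'Unified2 with EXTRA_DATA fields' post earlier in this feed describes the real-time parsing problem (an event's EXTRA_DATA record can show up later in the file, after records belonging to other events), and the question just above ('snort.u2.1333102054 isn't a capture file in a format Wireshark understands') comes down to the same format: a .u2 file is Snort's own binary alert/packet log, not pcap, which is why Wireshark rejects it. Snort ships u2spewfoo (dumps such a file as text, the format of the output quoted in the earlier post) and u2boat (writes the packet records out as pcap) in its tools directory; a parser such as the one below reads the file directly. The following reader is an added example written for this page, not code from either poster and not Snort's own code. It assumes the record layouts as the author recalls them from Snort 2.9's Unified2_common.h (a record header of type and body length; type 7 legacy IPv4 event, 2 packet, 110 extra data; the extra-data blob taken as the remainder of its record), and the sample bytes it parses are constructed inline to mirror the layout the post shows.

```python
import struct

# Record types and layouts as the author recalls them from Snort 2.9's
# Unified2_common.h (assumption: check against your build's headers).
U2_PACKET, U2_IDS_EVENT, U2_EXTRA_DATA = 2, 7, 110
REC_HDR = struct.Struct("!II")          # record header: type, body length
IDS_EVENT = struct.Struct("!11I2H4B")   # legacy IPv4 event, 52 bytes
PACKET_HDR = struct.Struct("!7I")       # 28 bytes, then packet data
EXTRA_HDR = struct.Struct("!8I")        # ExtraDataHdr + SerialUnified2ExtraData
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sig_id", "gen_id", "revision", "classification", "priority",
                "ip_src", "ip_dst", "sport", "dport", "protocol",
                "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
EXTRA_FIELDS = ("event_type", "event_length", "sensor_id", "event_id",
                "event_second", "type", "data_type", "blob_length")

def decode(rtype, body):
    """Decode one record body into a dict; unknown types are kept raw."""
    if rtype == U2_IDS_EVENT:
        rec = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
    elif rtype == U2_PACKET:
        rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
        rec["data"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
    elif rtype == U2_EXTRA_DATA:
        rec = dict(zip(EXTRA_FIELDS, EXTRA_HDR.unpack_from(body)))
        rec["blob"] = body[EXTRA_HDR.size:]  # assumption: blob fills the rest
    else:
        rec = {"raw": body}
    rec["rtype"] = rtype
    return rec

def parse_records(buf):
    """Return (complete records, unconsumed tail).  A half-written record at
    the end of a live file stays in the tail so the caller can append and retry."""
    records, off = [], 0
    while len(buf) - off >= REC_HDR.size:
        rtype, rlen = REC_HDR.unpack_from(buf, off)
        end = off + REC_HDR.size + rlen
        if end > len(buf):
            break
        records.append(decode(rtype, buf[off + REC_HDR.size:end]))
        off = end
    return records, buf[off:]

def key(rec):
    return (rec["sensor_id"], rec["event_id"], rec["event_second"])

class Correlator:
    """Attach PACKET/EXTRA_DATA records to their event.  Nothing in the file
    says whether an event will get EXTRA_DATA later, and it may arrive after
    other events' records, so an event stays open until `hold` later events
    have been seen (or flush() at end of input)."""
    def __init__(self, hold=2):
        self.hold, self.pending, self.orphans = hold, {}, []

    def feed(self, rec):
        done = []  # events that became final on this record
        if rec["rtype"] == U2_IDS_EVENT:
            for k in list(self.pending):
                self.pending[k]["age"] += 1
                if self.pending[k]["age"] >= self.hold:
                    done.append(self.pending.pop(k))
            self.pending[key(rec)] = {"event": rec, "packets": [], "extra": [], "age": 0}
        elif rec["rtype"] in (U2_PACKET, U2_EXTRA_DATA):
            ent = self.pending.get(key(rec))
            if ent is None:
                self.orphans.append(rec)  # owner already emitted: hold too short
            else:
                ent["packets" if rec["rtype"] == U2_PACKET else "extra"].append(rec)
        return done

    def flush(self):
        done, self.pending = list(self.pending.values()), {}
        return done

def read_stream(chunks, hold=2):
    """Feed byte chunks as they arrive; return (events, orphans, leftover)."""
    corr, tail, events = Correlator(hold), b"", []
    for chunk in chunks:
        records, tail = parse_records(tail + chunk)
        for rec in records:
            events.extend(corr.feed(rec))
    events.extend(corr.flush())
    return events, corr.orphans, tail

def build_sample():
    """Constructed sample: event 31 with its packet, event 32, then a late
    EXTRA_DATA (HTTP URI, type 9) for event 31, the layout the post shows."""
    def rec(rtype, body):
        return REC_HDR.pack(rtype, len(body)) + body
    def event(eid, sec, usec, dport):  # 188.40.16.205:80 to 192.168.2.183:dport
        return IDS_EVENT.pack(0, eid, sec, usec, 99999, 1, 1, 0, 0,
                              0xBC2810CD, 0xC0A802B7, 80, dport, 6, 0, 0, 0)
    pkt = b"\x00" * 14
    p31 = PACKET_HDR.pack(0, 31, 1337848659, 1337848659, 228367, 1, len(pkt)) + pkt
    uri = b"/index.html"
    x31 = EXTRA_HDR.pack(4, EXTRA_HDR.size + len(uri), 0, 31, 1337848659,
                         9, 1, len(uri)) + uri
    return (rec(U2_IDS_EVENT, event(31, 1337848659, 228367, 49892)) +
            rec(U2_PACKET, p31) + rec(U2_IDS_EVENT, event(32, 1337848660, 1, 49893)) +
            rec(U2_EXTRA_DATA, x31))
```

Calling read_stream([data[:70], data[70:]]) on the sample splits the file mid-record, the way a tail-following reader sees a file Snort is still writing, and still returns event 31 with its packet and its URI attached. Two things carry the design: parse_records hands back the unconsumed tail instead of guessing at a half record, and the hold window in Correlator decides how long an event waits for EXTRA_DATA. With hold=1 the sample's late extra-data record lands in orphans because event 31 was already emitted; on a loaded sensor a bound on event_second does the same job as the event count used here.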
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5164">
    <title>(no subject)</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5164</link>
    <description>&lt;pre&gt;hi everyone,
does anyone know how to parse diameter protocol traffic with snort?
&lt;/pre&gt;</description>
    <dc:creator>karan singhania</dc:creator>
    <dc:date>2012-04-10T11:11:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5156">
    <title>Snort.org Blog: VRT Rule Update for 4/3/2012,Rule-Recategorization</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5156</link>
    <description>&lt;pre&gt;
http://blog.snort.org/2012/04/vrt-rule-update-for-432012-rule.html

VRT Rule Update for 4/3/2012, Rule-Recategorization

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 30 new rules and made modifications to 169 additional rules.

The following changes made to the snort.conf in this release, these can be added to the bottom of the snort.conf where the rule declarations are made:

include $RULE_PATH/file-office.rules
include $RULE_PATH/file-other.rules
include $RULE_PATH/file-pdf.rules
include $RULE_PATH/indicator-compromise.rules
include $RULE_PATH/indicator-obfuscation.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/policy-other.rules
include $RULE_PATH/policy-social.rules
include $RULE_PATH/pua-p2p.rules
include $RULE_PATH/pua-toolbars.rules
include $RULE_PATH/server-mail.rules

 In VRT's rule release: 
Synopsis: This release introduces eleven new rule categories and contains new and modified rules in several categ&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2012-04-03T21:35:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5153">
    <title>[PATCH]: RFC3514 Support for simplifying the task of detecting Evil.</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5153</link>
    <description>&lt;pre&gt;
Hi snort-devel,

The attached patch introduces RFC3514 support (The Security Flag in the IPv4
Header) into Snort.  Also known as the "Evil Bit", support of this flag
greatly simplifies the task of detecting network traffic with evil
intentions.  Entire rulesets can be replaced by one, single rule:

alert ip any any &amp;lt;&amp;gt; any any (msg:"Evil Network Traffic Detected!";
fragbits:E; sid:42003514; rev:1; gid:1; classtype:bad-unknown;)

More information on this oft-overlooked RFC can be found here:
http://www.ietf.org/rfc/rfc3514.txt


Cheers! :)

&lt;/pre&gt;</description>
    <dc:creator>Joshua Kinard</dc:creator>
    <dc:date>2012-04-01T09:17:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5151">
    <title>Packet Capturing</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5151</link>
    <description>&lt;pre&gt;Dear All,
Have a good day,
I have a question about how Snort captures packets using libpcap. From my understanding, in libpcap there are two functions for capturing packets, pcap_loop() and pcap_next_ex(). Which one of them is used by Snort, and why? And generally, which one of these functions is more preferable (faster) for high-speed links? Sorry if my question is not reliable.  
By the way, I found these two functions in the tutorials of WinPcap, but I think that both libpcap and WinPcap are compatible. 
Regards,
Mohammed Faiz Aboalmaaly
&lt;/pre&gt;</description>
    <dc:creator>Mahammed Faiz Aboalmaali</dc:creator>
    <dc:date>2012-03-26T05:35:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5150">
    <title>Snort 2.9.2.2 Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5150</link>
    <description>&lt;pre&gt;Snort 2.9.2.2 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.2.2 includes changes for the following:

  * Updates to HTTP Inspect to handle normalization with large
    number of directories, eliminate false positives when chunks
    span multiple packets, and remove the upper limit on the
    gzip memcap.

  * Update stream handling for TCP session cleanup with RSTs and
    other TCP state tracking.

  * Update for active responses to fragmented IPv6 traffic and to
    the react page configuration.

  * Updates to SIP preprocessor to limit false positives.

  * Update for correct logging in unified2 when interface is passive.

  * Add stats for SMTP preprocessor at termination.

  * State tracking improvements to SMB processing in the dcerpc2
    preprocessor when missing packets on a session.

Please see the Release Notes and ChangeLog for more &lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-03-27T21:25:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5147">
    <title>support current pflog format (&gt;= OpenBSD 4.9)</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5147</link>
    <description>&lt;pre&gt;The pflog format changed over a year ago; here is a patch against 2.9.2.1 to
support the expanded pflog header size.


--- decode.h.origFri Jan 13 07:11:40 2012
+++ decode.hSun Mar 25 14:22:47 2012
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -797,13 +797,14 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; typedef struct _SLLHdr {
 
 
 /*
- * Snort supports 3 versions of the OpenBSD pflog header:
+ * Snort supports 4 versions of the OpenBSD pflog header:
  *
  * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
  * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
  * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
+ * Pflog4_Hdr:  CVS = 1.16, DLT_PFLOG     = 117, Length = 100
  *
- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
  * by their actual length.  The minimum required length excludes
  * padding.
  */
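Review bot: the comment now says Pflog{2,3,4} headers are told apart by their actual length, but the only file named in this diff header is decode.h, so on its own the change is incomplete: the decoder's length dispatch between the DLT 117 variants also needs a case for the 100-byte header, and a PFLOG4_HDRMIN defined the same way as PFLOG3_HDRMIN (header length minus PFLOG_PADLEN) for it to compare against; without that the new Pflog4 typedef is never selected. The comment would also be easier to check if it named the OpenBSD release (4.9 and later, per the subject) next to "CVS = 1.16", since a release number is what readers of decode.h will have at hand.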
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -871,6 +872,33 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; typedef struct _Pflog3_hdr
 #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
 #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
 
+typedef struct _Pflog4&lt;/pre&gt;</description>
    <dc:creator>Ryan McBride</dc:creator>
    <dc:date>2012-03-25T06:17:29</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5144">
    <title>Falses on 2011032/ET SCAN HTTP POST invalid method case?</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5144</link>
    <description>&lt;pre&gt;I seem to be getting falses on this where the HTTP headers
are not present, but a non-all-upcase 'post' appears in the
body.

1) I would think that a 'post' not at the beginning of the of the packet
  wouldn't get flagged as an HTTP method

2) I'm doing load-balancing with the PF_RING DAQ and I
   was wondering if perhaps that would chop up the flows
   so different snort processes would get chunks from the
   same TCP stream, so the snort process that received this
   packet wouldn't know it wasn't the first packet in the stream.
   However, I'm also seeing this on a non-PF_RING-enabled
   host.

Snort info:

 - version 2.9.2.1

 - configure flags: CFLAGS="-O2 -I/opt/local/include"
   LDFLAGS="-L/opt/local/lib -Wl,-rpath=/opt/local/lib" ./configure
   --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload
   --enable-flexresp3  --with-libpfring-includes=/opt/local/include
   --with-libpfring-libraries=/opt/local/lib --enable-perfprofiling

 - 1 PFRING-enabled sensor:
    uname -a:
      Linux &amp;lt;server &lt;/pre&gt;</description>
    <dc:creator>Packet Hack</dc:creator>
    <dc:date>2012-03-22T13:32:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5142">
    <title>log_tcpdump does not log</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5142</link>
    <description>&lt;pre&gt;Hi,

I am trying to look if packetfence is generating a false positive or not
on certain packages and to get that I would like to capture the packets
that generated an alert with log_tcpdump into a file.

Snort starts fine with that line in the configuration but the file isn't
generated after alerts. Yes snort can write to the given directory.

Actually I have three machines running snort and it works on one and not
the other two.



hboetes&amp;lt; at &amp;gt;oink /etc/snort % snort --version
   ,,_     -*&amp;gt; Snort! &amp;lt;*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch &amp;amp; The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.5

hboetes&amp;lt; at &amp;gt;oink /etc/snort % l /var/log/snort/tcpdump.log.133*
-rw------- 1 root root 8.0M Mar 19 12:47
/var/log/snort/tcpdump.log.1332123032
hboetes&amp;lt; at &amp;gt;oink /etc/snort % stripcom snort.conf|grep tcpdump
output&lt;/pre&gt;</description>
    <dc:creator>Han Boetes</dc:creator>
    <dc:date>2012-03-19T11:59:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5136">
    <title>Deprecated support prelude on snort 2.9.3</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.devel/5136</link>
    <description>&lt;pre&gt;Hi,

I have seen in the Snort 2.9.2 manual that the prelude plugin is considered 
deprecated in the next version, 2.9.3.

This seems to indicate that support for prelude will not be available anymore? 
Is it true? Why?

Thanks
&lt;/pre&gt;</description>
    <dc:creator>Albert Monfà</dc:creator>
    <dc:date>2012-02-28T08:45:22</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.devel</link>
  </textinput>
</rdf:RDF>

