<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.ids.snort.general">
    <title>gmane.comp.security.ids.snort.general</title>
    <link>http://blog.gmane.org/gmane.comp.security.ids.snort.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36726"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36723"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36712"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36711"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36703"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36697"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36696"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36694"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36689"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36686"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36682"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36679"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36676"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36673"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36672"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36671"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36661"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36660"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36657"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36651"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36726">
    <title>installation problems</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36726</link>
    <description>&lt;pre&gt;
Hi all. I have arrived at page 9 of the manual snortinstallguide for Ubuntu 10.4 LTS. I am inside the directory barnyard-2.19 (cd barnyard-2.19). When I type on the terminal the command: sudo ./configure --with -mysql, I receive the following errors:
Error unable to find mysqlclient library (libmysqlclient.*)
checked in the following places:
        /usr
        /usr/lib
        /usr/mysql
        /usr/mysql/lib
        /usr/lib/mysql
        /usr/local
        /usr/local/lib
        /usr/local/mysql
        /usr/local/mysql/lib
        /usr/local/lib/mysql
The system I am using is a VM with Ubuntu 12.04 32-bit desktop version, with all updates installed and all the required packages. I have followed the manual step by step and all was correctly made by me. Damn, what is the problem?
       ------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can re&lt;/pre&gt;</description>
    <dc:creator>Giuseppe Triolo</dc:creator>
    <dc:date>2012-05-26T21:42:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36723">
    <title>Snort alarm sameip</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36723</link>
    <description>&lt;pre&gt;
Hi,

Can anyone hazard a guess why the sameip keyword is triggering an alarm on a DHCP request?
The source is 0.0.0.0, the destination is 255.255.255.255.
The rule is the default: bad-traffic rule

alert ip any any -&amp;gt; any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)

phil&amp;lt; at &amp;gt;Rangoon:~$ snort --version

   ,,_     -*&amp;gt; Snort! &amp;lt;*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
   ''''    By Martin Roesch &amp;amp; The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4



I could add exceptions to filter this out, but I would like to know why it's being triggered.

Thanks

Phil Edwards
&lt;/pre&gt;</description>
    <dc:creator>Philip Edwards</dc:creator>
    <dc:date>2012-05-26T12:12:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36712">
    <title>Testing snort</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36712</link>
    <description>&lt;pre&gt;Hi All,

I want to test snort using large packets.
I started wireshark and started to capture traffic. I am planning to save a .pcap file and load it into a system running snort.
My question is: how can I load a .pcap or wireshark file into that system?
Is there any tool?

Is there any other method to test it?


Regards,
Sandip Bankewar

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users&amp;lt; at &amp;gt;lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-&lt;/pre&gt;</description>
    <dc:creator>Sandip Bankewar</dc:creator>
    <dc:date>2012-05-24T10:04:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36711">
    <title>Daemonlogger native package now in OpenWRT trunk!</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36711</link>
    <description>&lt;pre&gt;My patch for building Daemonlogger as a native OpenWRT package has been 
accepted into the mainline distribution and committed to trunk. 
Pre-built binary packages are now available for all supported 
architectures in the nightly snapshots tree.

Unfortunately these packages only work on the latest trunk firmware 
builds at the moment, and the 3.2 kernel along with the extra software 
included in these builds does not leave enough free JFFS space or usable 
RAM to run daemonlogger effectively. I'm trying to convince the 
developers to include this in the next stable release of Backfire 
(10.03.2) based on the 2.6 kernel, but no luck yet.

For the time being you can still grab my binary package from my GitHub 
repository. This one *does* install and run cleanly on the current 
stable version of Backfire (10.03.1).

   - Announcement: http://goo.gl/Wy5G8
   - Downloads: https://github.com/vineyard/WRT-SPAN

Cheers,
Robert Vineyard
&lt;/pre&gt;</description>
    <dc:creator>Robert Vineyard</dc:creator>
    <dc:date>2012-05-23T23:14:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36703">
    <title>Snort and real-time alerting</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36703</link>
    <description>&lt;pre&gt;Dear all, I have Snort 2.9 with BASE running OK, but I need a real-time
alerting mechanism via email if possible.

How can I do that? Is there any extra module to use in that way?

Special thanks

JeLo
&lt;/pre&gt;</description>
    <dc:creator>Jeronimo L. Cabral</dc:creator>
    <dc:date>2012-05-23T14:10:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36697">
    <title>subscribe</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36697</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Lawrence R. Hughes, Sr.</dc:creator>
    <dc:date>2012-05-22T14:24:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36696">
    <title>Snort Stream5 Support</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36696</link>
    <description>&lt;pre&gt;Very new to snort.

I seem to be having some issues with getting Stream5 support up and running.  Here is the rule:

[root&amp;lt; at &amp;gt;hostname]# cat /tmp/test.rule
log tcp any any -&amp;gt;  xx.xx.xx.xx/29 23
alert tcp any any -&amp;gt; xx.xx.xx.xx/29 22 (\
msg:"Potential SSH Brute Force";\
flow:to_server;\
flags:S;\
threshold:type threshold, track by_src, count 3, seconds 60;\
classtype:attempted-dos;\
sid:2001218;\
rev:4;\
resp:rst-all;\
)

Using the following options to startup:

snort -d -i eth0 -c /tmp/test.rule -l /tmp/log

Produces a nasty error:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/tmp/test.rule"
Tagged Packet Limit: 256
Log directory = /tmp/log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /tmp/test.rule(11): Stream5 must be enabled to use the 'to_server' option.
Fatal Error, Quitting..

Reviewing the snort.conf file, it appears I DO have Stream5 support enabl&lt;/pre&gt;</description>
    <dc:creator>Turnbough, Bradley E.</dc:creator>
    <dc:date>2012-05-22T14:22:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36694">
    <title>Logging URI too long</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36694</link>
    <description>&lt;pre&gt;Hi all,

I noticed a behaviour in Snort that I want to share with all of you. Snort
is now logging URI and Hostname as Extra Data, but what if the URI is too long?
I've seen alerts related to error 500 where the URI is present, but when the alert
is 414 (URI too long) there's no extra data.

I've made a patch in BASE to show Extra Data Info and tried with u2spewfoo
as well, but it seems that in this case it's not logged. That
post &amp;lt;http://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html&amp;gt; says:

"When a HTTP Request URI is greater than 2048 or when a HTTP hostname
(specified in the "Host" Request header) is greater than 256, Snort will
log the truncated URI and/or hostname. A preprocessor alert with
GID:119 and SID:25 is generated when hostname exceeds 256 bytes."

Where is it truncated? How can I get the Extra Data of a "URI Too Long" alert? Is
it logged in that case?

Best regards
Regards
&lt;/pre&gt;</description>
    <dc:creator>Nelo Belda</dc:creator>
    <dc:date>2012-05-22T11:55:27</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36689">
    <title>vendor list surfing</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36689</link>
    <description>&lt;pre&gt;&amp;lt; at &amp;gt; whoever called me from safemedia.com

I joined this list to get advice and assistance from people who use snort, NOT a commercial.

If you have a product that you feel will assist me I am willing to listen, but please contact me via email and off this list.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T21:51:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36686">
    <title>New snort install question</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36686</link>
    <description>&lt;pre&gt;Hello all!

I work for a small private university and we are looking into deploying snort for monitoring our internal network.

We have 50+ buildings on campus and the idea is to place a single snort box in each building and have it sniff the uplink traffic, then report back to our NAC system (Packetfence).  The goal was to be able to use some of our older desktops (Dell 960s) as kind of snort nodes with no keyboard, mouse or monitor.

We would prefer to be able to manage all of these distributed snort boxes from a single place or at least from a web GUI on each box.

#1. Am I way off base thinking about using snort this way?
#2. What kind of tools exist to manage multiple snort boxes?
#3. Am I missing something crucial that would make me look like an idiot when I go to set this up?

I have other questions but I will not spam the list with them all at once.  Please let me know your ideas and/or suggestions.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
B&lt;/pre&gt;</description>
    <dc:creator>Sallee, Stephen (Jake</dc:creator>
    <dc:date>2012-05-21T19:37:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36682">
    <title>barnyard2 database and java</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36682</link>
    <description>&lt;pre&gt;Hi,

I built an analyzer for barnyard2 in Java. My tool can currently read from the barnyard2 database and get all values, but I have problems with how to interpret data_payload from the data table.
How can I read and work with the data_payload values from the data table?
Has anybody some example for that?
I need to analyze SIP records only.

Kind regards
Gregor Binder
&lt;/pre&gt;</description>
    <dc:creator>Gregor Binder</dc:creator>
    <dc:date>2012-05-21T13:38:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36679">
    <title>please! unsubscribe me!!! I have done it several times but it doesn't work</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36679</link>
    <description>&lt;pre&gt;&lt;/pre&gt;</description>
    <dc:creator>Adriana Solé</dc:creator>
    <dc:date>2012-05-20T20:23:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36676">
    <title>snort inline mode</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36676</link>
    <description>&lt;pre&gt;Hello snort users:
I want to get an IPS that blocks attacks, so I studied snort a little bit and 
downloaded it from the Ubuntu repository, but when I set snort in inline 
mode, the only --daq-mode that works without a fatal error is the dump mode, 
with which I tested an nmap scan and saw that snort allowed it after pressing 
ctrl+c...
So I compiled the source with libnet, daq, and snort: the daq compile 
instructions don't work, I didn't mind and used the daq from the 
repository. But I have the same problem with the --daq-mode, which only 
works without a fatal error with the dump mode, which is not really an inline 
mode according to the snort manual.

I have seen that most actions in the snort rules are alert and I 
want to know how snort could work in inline mode with the alert action 
instead of block.

Extract from snort launching:
Rule application order: 
activation-&amp;gt;dynamic-&amp;gt;pass-&amp;gt;drop-&amp;gt;sdrop-&amp;gt;reject-&amp;gt;alert-&amp;gt;log

If you want to answer me I have 2 questions:
-How to patch the daq to make it work in another mode?
-Can I get snort &lt;/pre&gt;</description>
    <dc:creator>eddie</dc:creator>
    <dc:date>2012-05-18T22:59:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36673">
    <title>daq &lt;type&gt; for inline mode</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36673</link>
    <description>&lt;pre&gt;Hello Snort Users,
I took snort in hand to let it work as an IPS with the inline mode: I got the 2.9.2.0 version from the Ubuntu repository, like libnet and daq, and when I try to run snort in inline mode a fatal error appears to tell me that snort can't find the daq with the nfq, ipq daq types. The ipfw type works, but on stopping snort with ctrl+c I get this traceback:
Can't acquire (-1) - ipfw_daq_acquire: can't select divert socket (Interrupted system call)
The dump daq type works without problems but isn't made for inline mode according to the snort manual.
I think the best packet acquisition type (--daq type) for Ubuntu is nfq, but when trying with it I get this traceback:
ERROR: Can't find nfq DAQ!
Fatal Error, Quitting..
and I can't compile the daqs from source: the ./configure works but not the make.
If someone knows how to patch this problem, thanks for answering.&lt;/pre&gt;</description>
    <dc:creator>Eddie BRUGGEMANN</dc:creator>
    <dc:date>2012-05-20T06:05:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36672">
    <title>Alert management</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36672</link>
    <description>&lt;pre&gt;Dear all,
 I wonder if someone can advise me some alert correlation software for
Snort alerts to give me better protection. I recently heard of ACARM-ng,
but I am not sure about using it and I don't know how it works with Snort.
Thanks
&lt;/pre&gt;</description>
    <dc:creator>hamid alaei</dc:creator>
    <dc:date>2012-05-19T12:28:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36671">
    <title>Getting alerts from Snort to a SQL Server 2008</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36671</link>
    <description>&lt;pre&gt;Has anyone found a solution of getting alerts from Snort to a Microsoft SQL
Server 2008, other than using the output database option? 

Mes-
&lt;/pre&gt;</description>
    <dc:creator>Michael Steele</dc:creator>
    <dc:date>2012-05-18T21:35:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36661">
    <title>php, base issue</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36661</link>
    <description>&lt;pre&gt;Hello,
I have configured snort-2.9.2.2 on an openSUSE 12.1 box, everything is
working great except that the portscan traffic stays at 0% after an NMAP
test, and when I select the source ports link or dest ports link I receive an
error. Does anyone know how I can resolve this issue?


 Basic Analysis and Security Engine (BASE)

    - Today's alerts: unique / listing
    - Source IP&lt;/pre&gt;</description>
    <dc:creator>Dennis Circolone</dc:creator>
    <dc:date>2012-05-18T16:37:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36660">
    <title>Snort 2.9.3 Beta Now Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36660</link>
    <description>&lt;pre&gt;Snort 2.9.3 Beta is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Development
Release section.

2.9.0 RC &amp;amp; later packages are signed with a new PGP key
(that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions
  * Updates to flowbit rule option to allow for OR and AND
    of individual bits within a single rule, and allow flowbits
    to be used in multiple groups.  See README.flowbits and
    the Snort manual for details.

  * Dynamic output plugin architecture to provide an API that
    developers can write their own output mechanisms to log alert
    and packet data from Snort.  Some output plugins have been
    removed as a result of this to be maintained by their
    respective authors.

  * Update to dcerpc2 preprocessor for improved accuracy and
    handling of different OSs for SMB processing.  See README.dcerpc2
    and the Snort manual for details.

  * Updates to reputation preprocessor for handling of wh&lt;/pre&gt;</description>
    <dc:creator>Snort Releases</dc:creator>
    <dc:date>2012-05-18T13:56:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36657">
    <title>Snort 2.8-&gt;2.9 upgrade, DAQ and libpcap</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36657</link>
    <description>&lt;pre&gt;Hi,
I'm trying to upgrade from 2.8 to 2.9.2.3, and I'm getting this error

checking for dlsym in -ldl... yes
./configure: line 15188: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no

    ERROR! daq_static library not found, go get it from
    http://www.snort.org/.
make: *** [snort_configure] Error 1

and from what I read here:
http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html
pcap &amp;gt; 1.0.0 is required. I am still running pcap 0.9.8

Can somebody confirm that I can't continue working with the old pcap 
version?

Thanks,
Maurizio Molina
&lt;/pre&gt;</description>
    <dc:creator>Maurizio Molina</dc:creator>
    <dc:date>2012-05-18T05:46:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36651">
    <title>Snort &amp; Pulled Pork questions</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36651</link>
    <description>&lt;pre&gt;Working on updating to the latest version of snort (2.9.2.3) and using
pulledpork (0.6.1).

For those of us that are not paying subscribers of the VRT rule set,
updating to the latest issue within the first 30 days causes issues..

I updated from 2.9.2.2 to 2.9.2.3 yesterday; when pulled pork runs it
detects the snort version and attempts to download the correct rule set,
well for me there is no rule set and won't be for 30 days..

Now I can manually set the snort version to 2.9.2.2 in pulledpork.conf
as long as 2.9.2.2 rules are compatible with 2.9.2.3 (which Joel
indicated they are.  This time..).

What happens when a change is made that makes the older rules not
compatible?

Are my choices to (1) not upgrade to the latest snort version for 30
days, until "free" rules are available, or (2) purchase a rule
subscription?

Thanks,

Jason
_____________________________________________________________________________________________

Please visit www.nhrs.o&lt;/pre&gt;</description>
    <dc:creator>Weir, Jason</dc:creator>
    <dc:date>2012-05-17T13:20:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.ids.snort.general/36648">
    <title>Perfmonitor Issue</title>
    <link>http://comments.gmane.org/gmane.comp.security.ids.snort.general/36648</link>
    <description>&lt;pre&gt;Hi all,

I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:

  preprocessor perfmonitor: time 300 pktcnt 5000 events max console

Here are the options used to launch snort:

        -A none \
        --dynamic-engine-lib "${SNORT_ENG}"
        --dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}"
        --dynamic-detection-lib-dir "${SNORT_DYNRULDIR}"
        --daq-dir "${DAQ_DIR}"
        -i "${INTERFACE}"
        -c "${SNORT_CONF}"
        --perfmon-file "${LOG_DIR}/snort.stats"
        -l "${LOG_DIR}"
        -Q

Since I'm using the "max" and "console" parameters, my console should
display the results, based on the following code:

if(iFlags &amp;amp; MAX_PERF_STATS)
{
      .
      .
  LogMessage("uSeconds/Pkt\n");
  LogMessage("----------------\n");
  LogMessage("Snort:    %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.usertime);
  LogMessage("Sniffing: %.3f\n",sfBaseStats-&amp;gt;usecs_per_packet.syst&lt;/pre&gt;</description>
    <dc:creator>Abdelmonaim Mokadem</dc:creator>
    <dc:date>2012-05-16T18:10:58</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids.snort.general</link>
  </textinput>
</rdf:RDF>

