[Snort-devel] Email Alerts

Dinesh Raj dinesh.v at ...1833...
Tue Mar 4 05:53:10 EST 2003


Hi all,
   Can anyone help me in solving this issue?
 I have Snort; I want the alerts to come in emails, taking the data from the
MySQL database. Is there anyone who has some script, or who can explain to me
the steps to do it? I will be grateful to him.


Thanks in advance

Regards,

V.Dinesh Raj
Engineer Networking
Net 4 India Ltd.,
No-17,Khader Nawaz khan road,
Nungambakkam,
Chennai-600024,
Tel: +91 044 8203511 Extn.310

URL: http://www.net4india.com

_______________________________________________
This message may contain confidential and/or privileged
information. If you are not the addressee or authorized to
receive this for the addressee, you must not use, copy,
disclose or take any action based on this message or any
information herein. If you have received this message in
error, please advise the sender immediately by reply e-mail
and delete this message. Thank you for your cooperation.
_______________________________________________
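One way to do what the question asks, as an added example (not a script from the list or from the Snort project): poll the Snort database for events newer than the last one mailed and send a plain-text digest. It assumes the standard Snort database output schema (the sensor, signature, event and iphdr tables, with addresses stored as unsigned 32-bit integers and priority 1 meaning highest) and uses an in-memory sqlite3 database filled with constructed rows in place of MySQL so it runs offline; against MySQL you would swap the connection object for a MySQLdb one and keep the SQL as it is.

```python
import smtplib
import socket
import sqlite3
import struct
from email.message import EmailMessage

# Assumed: the classic Snort database output schema, reduced to the columns
# this script reads. sqlite3 stands in for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""


def ip_to_str(n):
    """Snort stores addresses as unsigned 32-bit integers (network byte order)."""
    return socket.inet_ntoa(struct.pack("!I", n))


def str_to_ip(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def load_sample_db():
    """Constructed sample rows standing in for a live Snort database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'ids1.example.net')")
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", [
        (1, "ICMP PING NMAP", 2),
        (2, "WEB-IIS cmd.exe access", 1),
        (3, "SNMP public access udp", 3),
    ])
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "2003-03-04 05:10:00"),
        (1, 2, 2, "2003-03-04 05:11:30"),
        (1, 3, 3, "2003-03-04 05:12:01"),
    ])
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)", [
        (1, 1, str_to_ip("192.0.2.10"), str_to_ip("198.51.100.5"), 1),
        (1, 2, str_to_ip("192.0.2.77"), str_to_ip("198.51.100.80"), 6),
        (1, 3, str_to_ip("192.0.2.77"), str_to_ip("198.51.100.161"), 17),
    ])
    return conn


def fetch_new_alerts(conn, sid, last_cid):
    """Alerts for sensor `sid` with cid greater than `last_cid`, oldest first.
    The query is parameterised; never build this SQL with string formatting."""
    sql = """
        SELECT e.cid, e.timestamp, s.sig_name, s.sig_priority,
               i.ip_src, i.ip_dst, i.ip_proto
          FROM event e
          JOIN signature s ON s.sig_id = e.signature
          JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
         WHERE e.sid = ? AND e.cid > ?
         ORDER BY e.cid"""
    return [
        {"cid": cid, "time": ts, "name": name, "priority": prio,
         "src": ip_to_str(src), "dst": ip_to_str(dst), "proto": proto}
        for cid, ts, name, prio, src, dst, proto in conn.execute(sql, (sid, last_cid))
    ]


def build_digest(alerts, sensor, sender, recipient, max_priority=2):
    """One plain-text mail summarising alerts at or above `max_priority`
    (Snort: 1 = high, 3 = low). Returns None when nothing is worth mailing,
    so a cron job stays quiet on an idle sensor."""
    chosen = [a for a in alerts if a["priority"] <= max_priority]
    if not chosen:
        return None
    lines = [f"{len(chosen)} new Snort alert(s) from {sensor}", ""]
    for a in chosen:
        lines.append(f"[{a['cid']}] {a['time']}  prio {a['priority']}  "
                     f"{a['src']} -> {a['dst']} (proto {a['proto']})  {a['name']}")
    msg = EmailMessage()
    msg["Subject"] = f"[snort] {len(chosen)} alert(s) on {sensor}"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(lines) + "\n")
    return msg


def send_digest(msg, smtp_host="localhost"):
    """Hand the message to the local MTA (not called in the offline demo)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    conn = load_sample_db()
    msg = build_digest(fetch_new_alerts(conn, 1, 0), "ids1.example.net",
                       "snort@example.net", "noc@example.net")
    print(msg)
```

Run it from cron; after each run store the highest cid of everything fetched (not just the alerts that made it into the mail) in a state file and pass that as `last_cid` next time, otherwise the same events are mailed again. The digest deliberately contains only header-level fields and the signature name, not packet payloads, so the mail itself carries nothing an attacker might have planted to trip a mail client.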

----- Original Message -----
From: <snort-users-request at lists.sourceforge.net>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, March 04, 2003 5:47 AM
Subject: Snort-users digest, Vol 1 #2856 - 3 msgs


> Send Snort-users mailing list submissions to
> snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> snort-users-admin at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Signature for IPSec encrypted VPN tunnel (Matt Kettler)
>    2. SMB alerts doesn't work. (Jimmy Hernandez)
>    3. snort 1.9.x still holds fd open on sighup (Michael Scheidell)
>
> --__--__--
>
> Message: 1
> Date: Mon, 03 Mar 2003 17:44:15 -0500
> To: NTD <ntd100566 at ...1823...>, snort-users at lists.sourceforge.net
> From: Matt Kettler <mkettler at ...1834...>
> Subject: Re: [Snort-users] Signature for IPSec encrypted VPN tunnel
>
> Well, one REALLY simple way to do this is look for esp/ip or ah/ip type
> packets. These are IP protocols 50 and 51 respectively. No non-ipsec
> traffic will generate these.
>
> IPSec does not use normal tcp/ip or udp/ip (note: ISAKMP does use udp, but
> that only applies if they are doing dynamic key exchange).
>
> Unfortunately snort currently doesn't understand the idea of protocols
> other than ip, tcp, udp or arp. It would be nice to be able to do
> something like:
>
> alert ip any any -> any any (transportprotocol:50; msg:"Ipsec ESP data";)
> alert ip any any -> any any (transportprotocol:51; msg:"Ipsec AH data";)
>
> In theory, if you specify the transport protocol by number, and limit
> yourself to the IP layer, it shouldn't be hard for snort to support stuff
> like this, but it currently does not (at least, not to my knowledge). It
> would however be a GREAT way to shim in some minimal processing of
> transport layer protocols other than tcp or udp by examining them at the
> IP layer and constricting it to that transport protocol.... you wouldn't
> have built-in parsing of the fields in that header, but it's better than
> nothing.
>
>
> Actually, with a bit of thinking about depth and offset, might be able to
> fake this rule... the protocol is the 10th byte of the IP layer header..
>
> alert ip any any -> any any (content:"|32|"; depth:0; offset:10; msg:"Ipsec
> ESP data";)
>
> Anyone have any feedback on this rule attempting to check for the hex byte
> 0x32 (aka 50) at an offset from 10 bytes from the start of the IP header?
> or does snort calculate the offset from the start of the data instead of
> the header, making this not work?
>
>
>
> At 01:28 PM 2/28/2003 +1100, you wrote:
>
> >Hi All,
> >
> >Does anyone know that how to create a signature for IPSec encrypted VPN
> >tunnel i.e authentication using cryptographic hashes such as SHA and MD5 ?
> >or and IDS currently have that feature?
> >
> >
> >
> >Thanks in advance
> >
> >Nguyen
> >
> >
> >
>
>
>
> --__--__--
>
> Message: 2
> Date: Mon, 3 Mar 2003 14:35:03 -0800
> From: "Jimmy Hernandez" <jimmyh at ...1835...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] SMB alerts doesn't work.
>
> I am currently using snort 1.9.0 on OpenBSD 3.2. I am having a problem
> with the smbalerts. I checked the snort configure file and it has the
> plug in for smbalerts. I also ran it specifying the switch ./configure
> --enable-smbalerts then make and make install; all looks good, but when I
> try to run snort -c snort.conf -b -M workstation   I keep getting the
> Error : "SMB support not compiled into program, exiting...   Fatal
> Error, Quitting.."
>
> I made sure that the /etc/services file has all the appropriate settings
> for netbios etc.. Everything else I've tried is running fine.
>
> I can't find any whitepapers that would help me fix that. I am using
> SAMBA 2.2.7 and snort 1.9.0 do you think I should downgrade snort to
> 1.8.0? Is anyone else having this problem?
>
> Thanks,
>
> Jimmy Hernandez
>
> Network Systems Engineer
>
> jimmyh at ...1835...
>
>
>
>
> --__--__--
>
> Message: 3
> To: snort-users at lists.sourceforge.net
> Date: Mon, 3 Mar 2003 17:54:48 -0500 (EST)
> From: Michael Scheidell <scheidell at ...1197...>
> Subject: [Snort-users] snort 1.9.x still holds fd open on sighup
>
> Snort starting with I think 1.8.7, when compiled with --enable-flexresp
> will hold an extra fd open on sighup.
>
> I had reported this before, and am sorry for not totally tracking it
> down, but it still does it on snort 1.9.1
>
> this compiled without --enable-flexresp:, hup works fine:
>
> sockstat | grep snort
> root     snort    34180    4 dgram  syslogd[76]:3
> killall -HUP snort
> sockstat | grep snort
> root     snort    34180    4 dgram  syslogd[76]:3
>
> looks fine, only one fd open.
>
> now, compile with --enable-flexresp. (using libnet 1.02a from fbsd ports)
> each hup will leave the original fd open, and open a second.
> start snort:
> sockstat | grep snort
> root     snort    41101   10 ip64   *:*                   *:*
> root     snort    41101    4 dgram  syslogd[76]:3
>
> killall -HUP snort
> sockstat | grep snort
>
> root     snort    41124   10 ip64   *:*                   *:*
> root     snort    41124   12 ip64   *:*                   *:*
> root     snort    41124    4 dgram  syslogd[76]:3
>
> subsequent hup will open up additional fd's till, well, you know.
>
> --
> Michael Scheidell, CEO
> SECNAP Network Security, LLC
> Sales: 866-SECNAPNET / (1-866-732-6276)
> Main: 561-368-9561 / www.secnap.net
> Looking for a career in Internet security?
> http://www.secnap.net/employment/
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest
>
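Matt's offset question in the quoted digest, worked through as an added example (not code from the thread or from Snort): a small parser that reads the Protocol field from a raw IPv4 header and flags ESP and AH. RFC 791 places that field at byte index 9 counting from zero (the 10th byte counting from one), so a match at offset 10 would land on the first checksum byte; and Snort's content/offset/depth options search the packet payload, which begins after the IP header (IHL times four bytes), so a content match cannot reach back into the header at all. Later Snort releases added an `ip_proto` rule option for exactly this case. The packet builder, the protocol-name table and the sample packets are constructed for the demo.

```python
import socket
import struct

# IANA protocol numbers quoted in the thread (table constructed for the demo)
PROTO_ESP = 50   # 0x32
PROTO_AH = 51    # 0x33
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", PROTO_ESP: "ESP", PROTO_AH: "AH"}


def ip_protocol(packet: bytes) -> int:
    """Protocol field of an IPv4 header.

    RFC 791 puts it in the 10th byte counting from one, which is index 9
    counting from zero; a rule written as offset:10 would read the first
    checksum byte instead."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[9]


def payload_offset(packet: bytes) -> int:
    """Where the IP payload begins: IHL (low nibble of byte 0) in 32-bit words.
    Snort's content/offset/depth count from here, not from the IP header, which
    is why a content match cannot inspect the protocol field."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("bad IHL")
    return ihl


def classify(packet: bytes):
    """(protocol name, is_ipsec) for a raw IPv4 packet."""
    proto = ip_protocol(packet)
    return PROTO_NAMES.get(proto, f"proto-{proto}"), proto in (PROTO_ESP, PROTO_AH)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet: minimal 20-byte header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                 # version 4, IHL 5 words
                      0,                    # TOS
                      20 + len(payload),    # total length
                      0, 0,                 # identification, flags/fragment offset
                      64,                   # TTL
                      proto,                # protocol: byte index 9
                      0,                    # header checksum (not computed here)
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def summarize(packets):
    """Per-protocol counts, the quick 'is there IPsec on this link' check."""
    counts = {}
    for p in packets:
        name, _ = classify(p)
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    esp = build_ipv4(PROTO_ESP, "192.0.2.1", "198.51.100.1", b"\x00" * 8)
    tcp = build_ipv4(6, "192.0.2.2", "198.51.100.2", b"\x00" * 20)
    print(classify(esp), classify(tcp), summarize([esp, tcp, esp]))
```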