[Snort-users] Content "c:"

Graham M Locke graham at ...2320...
Wed Jun 20 08:31:02 EDT 2001


I think the problem is that snort is interpreting the ':' in the content string
(incorrectly?).
So you have to escape the ':' with a '\'.
I have tested the following, and it seems to work, although the ':' in the msg
gets dropped. You can escape that ':' too, but the logged message then contains 'C:\'.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:"; content:"c\:"; nocase;)

Hope this helps

Graham


>From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
>Date: Tue Jun 19 2001 - 14:47:28 CDT 
>I'm trying to create a rule that searches for content of "c:" in packets.
>But Snort complains that a closing quote is needed. In a prior posting I had
>asked about "c:\" and someone mentioned the backslash was a problem. Even
>without the backslash this still fails. This is the latest test rule I tried:

>
>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content:
>"c:"; nocase;)
>
>Snort complains that content needs an ending quote. Apparently the colon
>after the "c" is what is messing this up. Does anyone know how to make a
>content rule with "c:" or any drive letter as the content?
>
>
>Thanks,
>Paul
>
>
>
>
>Message: 5
>Date: Tue, 19 Jun 2001 12:18:17 -0700 (PDT)
>From: Andrew Daviel <andrew at ...523...>
>Reply-To: Andrew Daviel <advax at ...524...>
>To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
>cc: "'Snort-users at lists.sourceforge.net'" <Snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] getcontact utility
>In-Reply-To: <4BC7BAFE07ADD31197C500508B6F4C2808E311A1 at ...2219...>
>Message-ID: <Pine.LNX.4.33.0106191152210.2117-100000 at ...523...>
>MIME-Version: 1.0
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>Sender: snort-users-admin at lists.sourceforge.net
>Precedence: bulk
>List-Help: <mailto:snort-users-request at lists.sourceforge.net?subject=help>
>List-Post: <mailto:snort-users at lists.sourceforge.net>
>List-Subscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>,
>	<mailto:snort-users-request at lists.sourceforge.net?subject=subscribe>
>List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
>List-Unsubscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>,
>	<mailto:snort-users-request at lists.sourceforge.net?subject=unsubscribe>
>List-Archive: <http://lists.sourceforge.net/archives//snort-users/>
>
>On Mon, 18 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
>
>> Hello,
>>
>> I am looking for a utility to use with Snort (running on Linux) similar to
>> the "Getcontact" utility seen on snort.org. It would be nice to be able to
>> automatically lookup contacts for the different ISPs and send out emails
>> when certain attacks occur. Does anyone have a script they could share that
>> could do this?
>
>My reporter script (the subject of some criticism for one false alert :-7)
>has a contact lookup module.
>Like most of my stuff, it's ugly Perl (what do you expect from an
>ex-FORTRAN programmer). http://andrew.triumf.ca/pub/security/reporter/
>
>The contact lookup algorithm keeps evolving. Currently, it works like
>this:
>
>Try to resolve the ip with DNS
>Failing that, try to get an Apache error message. Failing that, a sendmail
>banner (many APNIC sites don't resolve)
>Work along the name looking for an MX record.
>Look up the org. in a private database.
>Look up the org at whois.abuse.net
>Try mailing to "abuse" anyhow, and watch for a bounce.
>If it doesn't resolve,
>dig through whois records starting at whois.arin.net.
>Mail to "abuse" if it exists in the whois record.
>If the technical contact address seems to match  the netblock, as it does
>for major ISPs & orgs, try mailing "abuse at ...2334...".
>Otherwise, mail any email address found in the record, except if
>it's IANA, meaning it's a private netblock and I didn't notice.
>Try not to mail people like "nic at ...2335..." if I can help it.
>
>dshield.org is doing something similar with aggregate records. They cache
>whois contacts and store them in a database. There's an SQL dump on the
>web. Abuse.net is really for spam complaints but I've started
>using their database for resolved names except where I know a more
>appropriate one, e.g. "security-nonverbose at ...2336..." or whatever.
>
>As has been pointed out to me, an automated reporter is vulnerable to
>scans with spoofed source addresses as an attack on the credibility
>of the reporter. (Maybe I need a "credible limit" of total scans/hour)
>
>-- 
>Andrew Daviel, TRIUMF, Canada
>Tel. +1 (604) 222-7376
>security at ...524...
>
>
>
>
>
>Message: 6
>From: "Bill Marquette" <wlmarque at ...8...>
>To: Kiira Triea <kiira-t at ...2241...>
>cc: snort-users at lists.sourceforge.net
>Message-ID: <86256A70.006FBA82.00 at ...10...>
>Date: Tue, 19 Jun 2001 15:19:51 -0500
>Subject: Re: [Snort-users] Starting snort against multiple interfaces?
>Mime-Version: 1.0
>Content-type: text/plain; charset=us-ascii
>Content-Disposition: inline
>
>
>
>Kiira,
>     http://snort.sourceforge.net/snort-daily.tar.gz contains a daily snapshot
>of the CVS tree.  Be warned though, I believe it's a tarball of the actual CVS
>tree, not the export (or checked out) tree.  This should at least get you around
>your firewall issues :)  Alternately, I make a snapshot at midnight CDT, that is
>a checked out version, it's available (if you want to trust me :)) at:
>http://www.danger.ms/~billm/snort-current.tgz
>
>--Bill
>
>
>Kiira Triea <kiira-t at ...2337....org>
>06/19/2001 01:52 PM
>
>To:      fygrave at ...121... (Fyodor)
>cc:      snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Starting snort against multiple interfaces?

>
>
>
>
>
>
>
>Hi,
>
>
>> On Tue, Jun 19, 2001 at 12:30:45PM -0400, Kiira Triea wrote:
>> >
>> > Ok, it's my day for goofy questions I guess. I have recompiled
>> > snort using Sebastian Krahmer's patched libpcap, I am using a
>> > 2.2.16 kernel and all went well with the build. If I understand
>> > the docs I've found on this I should be able to start snort like:
>> > './snort -D -i any -c snort.conf' and have it read from all nics?
>> >
>> > Instead I get
>> >
>> > Initializing Network Interface any
>> > ioctl(SIOCGIFMTU): No such device
>> > ERROR: Can not get MTU of an interface any!
>> >
>> > ????
>>
>> Looks like old snort (1.7x something) is used here. :) We have done a
>> few fixes here:
>> 1. It's recommended to use recent version from www.tcpdump.org, they have
>> fixed a few things in Sebastian's code and incorporated the patch.
>> 2. More recent snort, we have fixed support of interface 'any' in it :)
>
>
>Yes Ok, I am using ver 1.7 from snort.org. Poop. When is ver. 8
>expected ready for prime time? Getting cvs working is not going
>through my firewall it looks.
>
>thanks,
>
>Kiira
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>http://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
>
>Message: 7
>Date: Tue, 19 Jun 2001 13:23:39 -0700 (PDT)
>From: Erek Adams <erek at ...577...>
>To: Kiira Triea <kiira-t at ...2241...>
>cc: Fyodor <fygrave at ...121...>, <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] Starting snort against multiple interfaces?
>In-Reply-To: <200106191852.f5JIqIm07625 at ...2242...>
>Message-ID: <Pine.GSO.4.32.0106191321410.127-100000 at ...578...>
>MIME-Version: 1.0
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>On Tue, 19 Jun 2001, Kiira Triea wrote:
>
>> Yes Ok, I am using ver 1.7 from snort.org. Poop. When is ver. 8
>> expected ready for prime time? Getting cvs working is not going
>> through my firewall it looks.
>
>Actually, save yourself some effort:
>
>http://snort.sourceforge.net/snort-daily.tar.gz
>
>Thank Fyodor for that!  :)
>
>-----
>Erek Adams
>Nifty-Type-Guy
>TheAdamsFamily.Net
>
>
>
>
>Message: 8
>Date: Tue, 19 Jun 2001 13:28:12 -0700 (PDT)
>From: Erek Adams <erek at ...577...>
>To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
>cc: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] Content "c:"
>In-Reply-To: <4BC7BAFE07ADD31197C500508B6F4C2808E311CB at ...2219...>
>Message-ID: <Pine.GSO.4.32.0106191326560.127-200000 at ...578...>
>MIME-Version: 1.0
>Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-758783491-992982492=:127"

>
>  This message is in MIME format.  The first part should be readable text,
>  while the remaining parts are likely unreadable without MIME-aware tools.
>  Send mail to mime at ...29... for more info.
>
>
>On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
>
>>
>> I'm trying to create a rule that searches for content of "c:" in packets.
>> But Snort complains that a closing quote is needed. In a prior posting I had
>> asked about "c:\" and someone mentioned the backslash was a problem. Even
>> without the backslash this still fails. This is the latest test rule I tried:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content:
>> "c:"; nocase;)
>>
>> Snort complains that content needs an ending quote. Apparently the colon
>> after the "c" is what is messing this up. Does anyone know how to make a
>> content rule with "c:" or any drive letter as the content?
>
>Paul,
>
>	Have a look at the attached message.
>
>-----
>Erek Adams
>Nifty-Type-Guy
>TheAdamsFamily.Net
>
>
>
>
>Message: 9
>Date: Tue, 19 Jun 2001 21:43:06 +0100
>From: Lee Smallbone <lee at ...2318...>
>Reply-To: Lee Smallbone <lee at ...2318...>
>Message-ID: <16904.010619 at ...2318...>
>To: Snort-users at lists.sourceforge.net
>Subject: Re[2]: [Snort-users] performance snort question
>References: <3B2F3B0D.864A667D at ...1415...>
>Mime-Version: 1.0
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>RW> If you use logging into MySQL, you must have a better configuration.
>RW> But, yes, I think this works fine when just Snort logs into txt file.
>
> Not a major concern in my instance as all logging is made to a central
> MySQL server. If you intend to log locally to an SQL server, consider
> doubling the below specification, especially if you intend to also run
> something like ACID on the same box.
>
>/Lee
>
>>>
>>> Lee Smallbone <lee at ...2318...> writes:
>>>
>>> > Tuesday, June 19, 2001, 8:44:42 AM, you wrote:
>>> >
>>> >EHS> I haven't seen an answer to Roeland's questions so far.  I am
>>> >EHS> currently considering building a snort box which should be able to
>>> >EHS> withstand a saturated 100mbps in worst-case, and have been unable to
>>> >EHS> find even the slightest hint on what hardware requirement would be
>>> >EHS> needed to do that.
>>> >
>>> >  The author seems fairly sure that a 486 should be able to keep up
>>> >  with a 100mbit/s link. I'd go one step further and use the following
>>> >  configuration so I know it would be there if it was needed:
>>> >
>>> >                o) old pentium of some sort (P90/100)
>>> >                o) 32-64mb ram
>>> >                o) Large disk to cope with logs (pref SCSI or ATA100)
>>> >                o) Decent, trusted 100mbit/s NIC
>>>
>>> Thank you very much for your answer!  I really needed this information
>>> to support my push for building a snort based IDS box :)
>>>
>>> /Esben
>>>
>
>RW> --
>RW> Netland Internet Services
>RW> bedrijfsmatige internetoplossingen
>
>RW> http://www.netland.nl   Kruislaan 419              1098 VA Amsterdam
>RW> info: 020-5628282       servicedesk: 020-5628280   fax: 020-5628281
>
>
>
>
>Best regards,
> Lee                            mailto:lee at ...2318...
>
>
>
>
>
>Message: 10
>Message-ID: <4BC7BAFE07ADD31197C500508B6F4C2808E311D0 at ...2219...>
>From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
>To: 'Erek Adams' <erek at ...577...>, "Sheahan, Paul (PCLN-NW)"
>	 <Paul.Sheahan at ...2218...>
>Cc: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] Content "c:"
>Date: Tue, 19 Jun 2001 17:25:05 -0400
>MIME-Version: 1.0
>Content-Type: text/plain;
>	charset="iso-8859-1"
>
>I'm not using a "\" (backslash). I am strictly searching for a letter
>followed by a colon.
>
>I will give Jim's advice a try. Thanks!
>
>
>-----Original Message-----
>From: Erek Adams [mailto:erek at ...577...]
>Sent: Tuesday, June 19, 2001 4:28 PM
>To: Sheahan, Paul (PCLN-NW)
>Cc: Snort List (E-mail)
>Subject: Re: [Snort-users] Content "c:"
>
>
>On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
>
>>
>> I'm trying to create a rule that searches for content of "c:" in packets.
>> But Snort complains that a closing quote is needed. In a prior posting I had
>> asked about "c:\" and someone mentioned the backslash was a problem. Even
>> without the backslash this still fails. This is the latest test rule I tried:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content:
>> "c:"; nocase;)
>>
>> Snort complains that content needs an ending quote. Apparently the colon
>> after the "c" is what is messing this up. Does anyone know how to make a
>> content rule with "c:" or any drive letter as the content?
>
>Paul,
>
>	Have a look at the attached message.
>
>-----
>Erek Adams
>Nifty-Type-Guy
>TheAdamsFamily.Net
>
>
>
>Message: 11
>Message-ID: <3B2FC554.FD91536D at ...312...>
>Date: Tue, 19 Jun 2001 17:34:12 -0400
>From: Brian Caswell <bmc at ...312...>
>Organization: The MITRE Corporation
>MIME-Version: 1.0
>To: Bill Marquette <wlmarque at ...8...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Starting snort against multiple interfaces?
>References: <86256A70.006FBA82.00 at ...10...>
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>Bill Marquette wrote:
>>      http://snort.sourceforge.net/snort-daily.tar.gz contains a daily snapshot
>> of the CVS tree.  Be warned though, I believe it's a tarball of the actual CVS
>> tree, not the export (or checked out) tree.  This should at least get you around
>> your firewall issues :)  Alternately, I make a snapshot at midnight CDT, that is
>> a checked out version, it's available (if you want to trust me :)) at:
>> http://www.danger.ms/~billm/snort-current.tgz
>
>Did you actually LOOK before stating this?
>
>snort-daily.tar.gz is a snapshot of the latest version of snort
>generated daily.  If you want the latest (and sometimes greatest)
>bleeding edge snort, get snort-daily.tar.gz from
>snort.sourceforge.net.  "Current" is not for general consumption, but
>it is usually what is being actively looked by the developers.
>
>-- 
>Brian Caswell
>The MITRE Corporation
>
>
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>http://lists.sourceforge.net/lists/listinfo/snort-users
>
>
>
>End of Snort-users Digest
>
>
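Added illustration of the parsing problem Paul reports and Graham's `\:` workaround at the top of this thread (example code written for this archive page, not Snort's own parser). `naive_parse` is an assumed, deliberately simplified model of an option tokenizer that splits on ':' before it looks at quotes, which is enough to reproduce both symptoms in the thread: `content:"c:"` is rejected for a missing closing quote, and the text after the colon in `msg:"Outgoing c:"` is dropped. `quoted_parse` is the quote- and escape-aware scan that accepts the rule as Paul wrote it, and `content_matches` applies the parsed `content`/`nocase` to a constructed HTTP payload so the rule's effect can be checked offline. The rule strings are copied from the thread; everything else is constructed.

```python
"""Model of the Snort rule-option parsing problem from the thread.
Added example, not Snort's code; rule strings copied from the thread,
the simplified tokenizer and the sample payload are constructed."""
import re

# Paul's rule as posted and Graham's escaped variant.
RULE_BROKEN = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"Outgoing c:"; content:"c:"; nocase;)')
RULE_ESCAPED = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                '(msg:"Outgoing C:"; content:"c\\:"; nocase;)')

# A ':' not preceded by a backslash; '\:' is the escape Graham recommends.
UNESCAPED_COLON = re.compile(r'(?<!\\):')


def option_body(rule):
    """Return the text between the outermost parentheses of a rule."""
    return rule[rule.index('(') + 1:rule.rindex(')')]


def _skip_ws(body, i):
    while i < len(body) and body[i] in ' \t':
        i += 1
    return i


def naive_parse(body):
    """Assumed model (not Snort's real code) of a tokenizer that splits each
    option on unescaped ':' BEFORE looking at quotes.  content:"c:" becomes
    ['content', '"c', '"'], so the value '"c' has no closing quote, and
    msg:"Outgoing c:" silently keeps only 'Outgoing c' (the dropped ':')."""
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        parts = UNESCAPED_COLON.split(opt)
        key = parts[0].strip()
        if len(parts) == 1:            # flag option such as nocase
            opts[key] = True
            continue
        value = parts[1].strip()
        if key == 'content':
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                raise ValueError(f'{key}: content needs an ending quote')
            value = value[1:-1].replace('\\:', ':')   # unescape \:
        else:
            value = value.strip('"')   # msg keeps whatever the token held
        opts[key] = value
    return opts


def naive_error(rule):
    """Return the naive tokenizer's complaint for a rule, or None if accepted."""
    try:
        naive_parse(option_body(rule))
    except ValueError as err:
        return str(err)
    return None


def quoted_parse(body):
    """Quote-aware scanner: a value opened with '"' runs to the next unescaped
    '"', so ':' and ';' inside it are ordinary characters, and a backslash
    escapes the character after it.  No escaping of ':' is needed."""
    opts, i, n = {}, 0, len(body)
    while True:
        i = _skip_ws(body, i)
        if i >= n:
            return opts
        j = i
        while j < n and body[j] not in ':;':
            j += 1
        key = body[i:j].strip()
        if j >= n or body[j] == ';':   # flag option such as nocase
            opts[key], i = True, j + 1
            continue
        i = _skip_ws(body, j + 1)
        if i < n and body[i] == '"':
            buf, i = [], i + 1
            while i < n and body[i] != '"':
                if body[i] == '\\' and i + 1 < n:
                    i += 1             # take the escaped character literally
                buf.append(body[i])
                i += 1
            if i >= n:
                raise ValueError(f'{key}: content needs an ending quote')
            value, i = ''.join(buf), i + 1   # skip the closing quote
        else:                          # unquoted value runs to ';'
            j = body.find(';', i)
            j = n if j < 0 else j
            value, i = body[i:j].strip(), j
        i = _skip_ws(body, i)
        if i < n and body[i] == ';':
            i += 1
        opts[key] = value


def content_matches(opts, payload):
    """Apply the parsed content (honouring nocase) to a raw payload, as the
    detection engine would once the rule has been accepted."""
    pattern = opts['content'].encode()
    if opts.get('nocase'):
        return pattern.lower() in payload.lower()
    return pattern in payload
```

Running `naive_error(RULE_BROKEN)` reproduces the "content needs an ending quote" complaint while `naive_error(RULE_ESCAPED)` returns None, which is exactly the difference Graham's test showed; `quoted_parse` accepts both spellings and yields the same `content` value `'c:'`, and `content_matches` on a constructed payload such as `b'GET /fetch?path=C:\\boot.ini HTTP/1.0\r\n'` returns True because `nocase` folds the `C:` in the packet. The takeaway for rule authors is that the escape is a property of the parser, not of the pattern, so a rule that needs `\:` on one parser should be re-tested after an upgrade rather than carried forward blindly.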



