[Snort-users] Re: Snort-users digest, Vol 1 #491 - 9 msgs

Julio Mendez mendezcarta at ...125...
Wed Mar 21 16:04:08 EST 2001



>From: snort-users-request at lists.sourceforge.net
>Reply-To: snort-users at lists.sourceforge.net
>To: snort-users at lists.sourceforge.net
>Subject: Snort-users digest, Vol 1 #491 - 9 msgs
>Date: Wed, 21 Mar 2001 12:07:10 -0800
>
>Send Snort-users mailing list submissions to
>	snort-users at lists.sourceforge.net
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://lists.sourceforge.net/lists/listinfo/snort-users
>or, via email, send a message with subject or body 'help' to
>	snort-users-request at lists.sourceforge.net
>
>You can reach the person managing the list at
>	snort-users-admin at lists.sourceforge.net
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Snort-users digest..."
>
>
>Today's Topics:
>
>    1. Re: Intrusion S/W detection tools? (John_Delisle at ...1523...)
>    2. Re: Intrusion S/W detection tools? (shawn . moyer)
>    3. Re: Fun with IPF and Snort (thomas r stromberg)
>    4. Re: Intrusion S/W detection tools? (Andrew R. Baker)
>    5. Re: Load Balancing Snort Boxes (Andrew R. Baker)
>    6. Re: Intrusion S/W detection tools? (Franck Veysset)
>    7. Re: thoughts on load balancing snort boxen for high
>        traffic links (Andrew R. Baker)
>    8. We're Doing Commercial Support for Snort! (Stuart Staniford)
>
>--__--__--
>
>Message: 1
>Subject: Re: [Snort-users] Intrusion S/W detection tools?
>To: SWilcoxon at ...1386...
>Cc: snort-users at lists.sourceforge.net,
>	snort-users-admin at lists.sourceforge.net
>From: John_Delisle at ...1523...
>Date: Wed, 21 Mar 2001 10:43:03 -0600
>
>
>Take a look at Tripwire, it's free for Linux.
>
>It will watch all files on your box and tell you if they change. (ie
>someone added/removed/changed something).  It's a great product.
>
>John Delisle
>Corporate Technology
>Ceridian Canada Ltd
>204-975-5909
>
>
>
>SWilcoxon at ...1386... wrote (2001/03/21 09:33 AM, to snort-users at lists.sourceforge.net,
>subject "[Snort-users] Intrusion S/W detection tools?"):
>
>A little off the subject, but I feel it's related to IDS in general so this
>could be a helpful group.
>
>Are there any Open or Closed source tools for detecting that intruders have
>installed compromised tools, backdoors, etc on a Linux system? I know that
>many Virus Scanners can do this for files that are considered in that
>category by the developers, but do they really cover the other tools a
>Hacker may install on a System?
>
>No, I'm not trying to sanitize a system. I was just thinking that would be
>a
>good tool for people who may not have taken the proper safeguards for
>detecting binaries changing or files being added.
>
>S.W.
>swilcoxon at ...1386...
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>http://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
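What John is pointing at is a baseline-and-compare integrity check. The block below is an added example for this thread, not Tripwire's code: it records a SHA-256 digest plus permission bits, owner and size for every regular file under a root, writes that manifest out (keep it off the monitored host, a rootkit that owns the box can rewrite a local copy just as easily as it rewrites ps), and later diffs a fresh manifest against it. The tree, file names and the tampering in demo() are constructed for illustration.

```python
"""Minimal file-integrity baseline, the idea behind Tripwire.

Added example for this thread, not Tripwire's code. Record a digest plus
mode/owner/size for every regular file under a root, keep that manifest
off the monitored host (a rootkit that owns the box can rewrite a local
one), and later diff a fresh manifest against it to list files that were
added, removed or altered.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Manifest = Dict[str, dict]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Digest, permission bits, owner and size of every regular file under root."""
    manifest: Manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices have no content to hash
            manifest[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Paths added, removed or changed (any recorded attribute differs)."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def save_manifest(manifest: Manifest, path: str) -> None:
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> Manifest:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny tree, then tamper with it the way
    a rootkit install does (trojaned ps of identical size, set-uid ls, a
    dropped sniffer, netstat removed) and report what the diff catches."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "tree")
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", b"original ls\n"), ("ps", b"original ps\n"),
                           ("netstat", b"original netstat\n")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        saved = os.path.join(work, "baseline.json")  # off-host in real life
        save_manifest(build_manifest(root), saved)

        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps\n")                      # same size, new bytes
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)  # only the mode moved
        with open(os.path.join(root, "bin", ".sniff"), "wb") as f:
            f.write(b"sniffer\n")
        os.remove(os.path.join(root, "bin", "netstat"))
        return compare(load_manifest(saved), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The size-preserving trojan in the demo is why the digest matters: a check on size and mtime alone would miss it, and mtime can be reset with touch anyway. The mode-only change on ls shows why the manifest records permission bits as well as content.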
>--__--__--
>
>Message: 2
>Date: Wed, 21 Mar 2001 11:06:22 -0600
>From: "shawn . moyer" <shawn at ...1184...>
>To: SWilcoxon at ...1386...
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Intrusion S/W detection tools?
>
>SWilcoxon at ...1386... wrote:
>
> > What I was thinking is something that can be used after the fact for detection
> > for the poor souls that may not be running tripwire or similar products.
>
>Sorta like the poor souls who forgot to update their Bind, Sendmail,
>Apache, etc.? They got 0wned. Sorry.
>
> > I agree that some detection can be done using RPM to see if a normal file
> > was installed. But other tools create their own executables. Those users
> > wouldn't know where to look to see if they were compromised.
>
>Those users shouldn't be putting Unix servers on the Internet, and their
>vendors shouldn't be shipping OS's that are insecure by default. Anyway,
>Chris Green posted a link for rkdet, which may do the trick.
>
>But for the most part (I know I sound unsympathetic -- I am), if you
>drive without a seatbelt, and you go through the windshield, I feel bad
>for you, but the best measures for a case like that are always
>preventive and not after-the-fact. I can tell you how fast you were
>going, how hard you hit the glass, and even fix the windshield, but if
>you had your seatbelt on in the first place, you'd be a lot better off.
>
>--shawn
>
>--
>
>s h a w n   m o y e r
>shawn at ...1184...
>
>
>The universe did not invent justice; man did.
>Unfortunately, man must reside in the universe.
>
>                                         -- Zelazny
>
>
>--__--__--
>
>Message: 3
>Date: Tue, 20 Mar 2001 08:24:30 -0500
>From: thomas r stromberg <tstromberg at ...330...>
>To: Phil Wood <cpw at ...440...>
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Fun with IPF and Snort
>
>
>On 19-Mar-2001, Phil Wood popped this into my mailspool:
> >    I take it you have taken this into account:
> >
> >    % attack -s 66.26.231.27 -d 66.26.231.27 -forever
>
>    I run as an inetd service, so I react no differently than, say,
>    telnetd with a large banner. Now, since there is no detail in your
>    demo attack, I'll just break down the possibilities.
>
>    Because I act like any other inetd service, that attack would just
>    as well work on ftpd. The only difference I have is, well, I send a
>    very large banner.
>
>    inetd protects me, because I have it set to a maximum of 5
>    connections from a host per minute (-C), and 16 connections per
>    minute to a service (-R). These limits are real low because, if I'm
>    getting that many, obviously the attacker is dropping the connection
>    real quick, rather than suffering any wrath ;) FreeBSD's inetd has
>    great rate limiting controls, check out the manpage.
>
>    If someone manages to spoof a complete 3 way TCP transaction, and
>    gets me to flood some other poor guy, well. The internet has other
>    problems to worry about if it's that easy to spoof the entire
>    transaction against FreeBSD 4.2.
>
>    If someone manages to just spoof a SYN, well... I'm no guru, but I
>    believe inetd will only exec() the program if a full transaction is
>    received. Otherwise, at most I load 16 of these things a minute,
>    assuming multiple spoofed sources. They sit at niceness 20 on a dual
>    processor machine, and since no real connect is at the other end,
>    they won't do much traffic wise other than try to complete the
>    transaction.
>
>    However! You are right in your assumption of what I did not take
>    into account. Since I log all SYN packets to that host, well, I could
>    look like I'm attacking myself if someone spoofs me, and fill up
>    mysql forever. But.. I'd rather log myself to death than not log at
>    all I guess.
>
>    Of course, I still may be missing something.
>
>--
>: Thomas Stromberg                      work> tstromberg at ...330...  :
>: Research Triangle Commerce (ICC.net)  home> thomas at ...1617... :
>
>'Every word is like an unnecessary stain on silence and nothingness'
>     -- Beckett
>
>
>
>--__--__--
>
>Message: 4
>Date: Wed, 21 Mar 2001 09:40:49 -0800
>From: "Andrew R. Baker" <andrewb at ...1150...>
>To: SWilcoxon at ...1386...
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Intrusion S/W detection tools?
>
>
>There are lots of simple commands you can use depending on how good the
>hacker was.  Using find to locate directories that should not exist and
>files that have been changed recently.  Comparing output of ps against
>/proc (only in Linux), etc.  These are very rudimentary and will not find
>some rootkits, but they still work well in the general case.  As far as
>pre-built tools, I have not used any.  I just keep writing more scripts ;)
>
>-A
>
>SWilcoxon at ...1386... wrote:
> >
> > Allow me to clarify a little more.
> >
> > What I was thinking is something that can be used after the fact for detection
> > for the poor souls that may not be running tripwire or similar products.
> >
> > I'm just thinking of all the Linux users that didn't think they needed to do
> > something like that and aren't sure if they were compromised or not.
> >
> > I agree that some detection can be done using RPM to see if a normal file
> > was installed. But other tools create their own executables. Those users
> > wouldn't know where to look to see if they were compromised.
> >
> > S.W.
>
>
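The three checks Andrew describes (recently changed files, things that should not be there, ps versus /proc), worked into one script. This is an added example, not Andrew's scripts or any tool from the thread. It keys the "recently changed" pass on inode ctime rather than mtime, because an attacker can reset mtime with touch but cannot set ctime without changing the system clock; it adds a set-uid/set-gid sweep, the usual place a backdoor shell is left; and it diffs the PIDs the kernel exposes under /proc against what the ps binary reports. The prune list is an assumption to be tuned per host, and the ps invocation assumes a ps that accepts `-e -o pid=`. The caveat Andrew hints at applies to the last check in particular: it catches a trojaned userland ps, but a kernel-module rootkit that filters /proc itself (the kind rkscan below looks for) hides from both sides of the comparison.

```python
"""Quick after-the-fact checks for a Linux box that was never baselined.

Added example for this thread, not a tool from it. Three cheap passes:
files whose inode changed recently (ctime, which touch cannot reset the
way it resets mtime), set-uid/set-gid binaries, and PIDs that exist as
/proc/<pid> but are missing from ps output. The last catches a trojaned
userland ps; a kernel-module rootkit that filters /proc (knark, adore)
hides from both sides, so treat all three as a first pass only.
"""
import os
import stat
import subprocess
import tempfile
import time
from typing import Iterable, Iterator, List, Optional, Set, Tuple

# Directories that churn legitimately. Assumed list; tune per host.
PRUNE = {"/proc", "/sys", "/dev", "/tmp", "/var/log", "/var/spool", "/var/cache"}


def _walk(root: str, prune: Set[str] = PRUNE) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, lstat) for regular files under root, skipping pruned dirs."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in prune]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our problem here
            if stat.S_ISREG(st.st_mode):
                yield path, st


def recently_changed(root: str, days: float, now: Optional[float] = None) -> List[str]:
    """Files whose inode changed within `days` (the find -ctime -N idea)."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(p for p, st in _walk(root) if st.st_ctime >= cutoff)


def is_setid(mode: int) -> bool:
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def setid_files(root: str) -> List[str]:
    """Set-uid/set-gid regular files (the find -perm /6000 idea)."""
    return sorted(p for p, st in _walk(root) if is_setid(st.st_mode))


def proc_pids() -> Set[int]:
    """PIDs visible as numeric directories in /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs reported by the ps binary on the box (which may itself be trojaned)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(in_proc: Iterable[int], in_ps: Iterable[int]) -> List[int]:
    """Processes the kernel exposes but ps does not report."""
    return sorted(set(in_proc) - set(in_ps))


def demo() -> dict:
    """Constructed check on a scratch tree: a fresh file counts as recently
    changed today, and does not if we evaluate the same tree 'ten days later'."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "backdoor"), "wb") as f:
            f.write(b"x")
        return {
            "today": [os.path.basename(p) for p in recently_changed(root, 1)],
            "later": recently_changed(root, 1, now=time.time() + 10 * 86400),
        }


if __name__ == "__main__":
    for path in recently_changed("/", 7):
        print("changed in last 7 days:", path)
    for path in setid_files("/"):
        print("set-id:", path)
    for pid in hidden_pids(proc_pids(), ps_pids()):
        print("in /proc but not in ps:", pid)
```

Expect a little noise from the PID diff: ps itself and any process that starts or exits between the two snapshots shows up once. A PID that shows up on every repeat of the check is the one to look at, ideally with a ps binary brought in on read-only media rather than the one on the box.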
>--__--__--
>
>Message: 5
>Date: Wed, 21 Mar 2001 09:47:26 -0800
>From: "Andrew R. Baker" <andrewb at ...1150...>
>To: Jason Robertson <jason at ...734...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Load Balancing Snort Boxes
>
>
>It is not very difficult to log the alerts using the database plugin and
>then create a daemon that performs a second pass analysis of the data.  The
>nice thing about using the database plugin is that you can store all of
>the packet data with the alert.
>
>-A
>
>Jason Robertson wrote:
> >
> > Okay, a previous message reminded me of a thread I had going a long time
> > ago, and someone implemented it to a slight degree, but not to the same
> > degree as I made requests about.
> >
> > What I asked for was a multi-stage server.
> > The first part of the server would actually connect to the NIC on the
> > monitoring station and do cursory analysis such as in
> >
> > alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS";flags:PA;
> > content:"killme";)
> >
> > The first server would look for TCP dest port 27665, and packets with the
> > flags PA.  If a packet matches it sends it to the second server, through
> > either a tcp socket, unix socket, or pipe.
> >
> > The second server would then parse the data and look for the content
> > "killme", and if there is a match it would log or make an alert.
> >
> > This could then have the implementation of a new flag, such as the dynamic
> > alerts, except you define the beginning and ending packets to match.  So
> > you can match the first syn packet and the last fin or rst packet, and all
> > data that matches the source, dest port and IP is analysed.
> >
> > Jason
> >
> > ---
> > Jason Robertson
> > Network Analyst
> > jason at ...734...
> > http://www.astroadvice.com
>
>
>--__--__--
>
>Message: 6
>Date: Wed, 21 Mar 2001 18:55:46 +0100
>From: Franck Veysset <franck.veysset at ...1629...>
>Organization: Intranode
>To: snort-users at lists.sourceforge.net
>CC: "shawn . moyer" <shawn at ...1184...>, SWilcoxon at ...1386...
>Subject: Re: [Snort-users] Intrusion S/W detection tools?
>
>I don't want to play the devil's advocate, but that's why my car has
>good seatbelts and airbags... :-)
>
>If you don't (that's bad) use tripwire, or similar crypto tools,
>check this one...
>
>http://www.hsc.fr/ressources/outils/rkscan/index.html.en
>
>rkscan might be for you.
>rkscan is a kernel-based module rootkit scanner for Linux, it detects
>Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
>
>
>-Franck
>
>--
>
>Franck Veysset  E-mail: franck.veysset at ...1629...
>http://www.INTRANODE.com  -  Tel: +33 (0)2 23 45 55 04
>             -- Security Lab Engineer --
>
>       O   ascii ribbon campaign against html
>       |\    email and Microsoft attachments.
>
>
>--__--__--
>
>Message: 7
>Date: Wed, 21 Mar 2001 09:55:32 -0800
>From: "Andrew R. Baker" <andrewb at ...1150...>
>To: "Austad, Jay" <austad at ...432...>
>CC: "'snort-users at lists.sourceforge.net'"
>  <snort-users at lists.sourceforge.net>
>Subject: Re: [Snort-users] thoughts on load balancing snort boxen for high
>  traffic links
>
>
>A number of people have mentioned using the TopLayer boxes.  If you are
>on a budget, you can simulate some of the functionality.  Install a hub to
>do the sniffing from (as long as you have < 100Mbps to sniff).  Connect
>the span port to the hub and hang as many snort boxes as you need off of
>the hub.  Set the bpf options on the snort command line to split the
>traffic across all of the sensors.
>
>-A
>
>"Austad, Jay" wrote:
> >
> > I originally sent this message to another list of people, but I think maybe
> > it's a good thing to post it here also:
> >
> > Ok, so I was thinking more on load balancing snort boxes for high traffic
> > links, and here's one idea I had, let me know if this sounds like it may
> > work:
> >
> > Say I have one box that sits and runs the following command:
> > tcpdump -i eth1 -<some_options> | ./splitter -b 10M -h
> > 10.1.1.1:9999,10.1.1.2:9999,10.1.1.3:9999 &
> >
> > Where the program "splitter" takes the tcpdump output as stdin, fills a
> > buffer of size specified by the -b option, and then flushes the buffer
> > (UDP?) to the first host listed in the -h option, the next fill/flush will
> > go to the second host, and so on.
> >
> > Each snort box has its snort.conf set up to log to the same central
> > database, has a named pipe (mkfifo /dev/snortpipe), and runs something like:
> >
> > nc -l -p 9999 -u > /dev/snortpipe &
> > snort -<some_options> -r /dev/snortpipe &
> >
> > I couldn't get snort to take stdin, hence the creation of the named pipe.
> > The splitter program will most likely have to have multiple threads running
> > so that when one is flushing the buffer, the next one can be filling another
> > one so there is no interruption in collection of data.  As my 3 snort boxes
> > start running out of resources because of growing traffic, I can just add
> > another.  Obviously, you're probably going to hose some of the fragment
> > reassembly, but it shouldn't be too bad if your buffer size specified in the
> > splitter program is large enough.
> >
> > Unless snort gets more efficient or takes advantage of multiple procs, or
> > until we have 4 GHz processors, I don't see how I'm going to sniff links
> > that sustain any more than 20 Mbit/sec worth of traffic.  Thoughts??
> >
> > ----------
> > Jay Austad
> > Network Administrator
> > CBS Marketwatch
> > 612.817.1271
> > austad at ...432... <mailto:austad at ...432...>
> > http://cbs.marketwatch.com
> > http://www.bigcharts.com
>
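Andrew's hub-plus-BPF split (this message) and Jay's buffer-round-robin splitter, and Andrew's earlier note on logging everything to one database, all partition a single feed across sensors; what neither message pins down is the partition key, and that is what decides whether reassembly survives. Round-robin by buffer sends the two directions of one TCP session, and the fragments of one datagram, to whichever sensor is next in line. Keying on a symmetric function of the IP address pair keeps every conversation on one sensor, and the same key can be written as a BPF filter per sensor so Andrew's setup needs no splitter process at all. The block below is an added example, not code from the thread or from Snort: it emits one pcap filter per sensor, mirrors the same arithmetic in Python over constructed IPv4 headers, and contrasts it with round-robin on a three-way handshake. Assumptions: IPv4 only, a power-of-two sensor count (so BPF's `&` does the modulo), and a key taken from the last address octets (`ip[15]`, `ip[19]`), which is coarse but sufficient to keep both directions and all fragments together.

```python
"""Flow-affine splitting of one span-port feed across several Snort sensors.

Added example for this thread; it is neither Jay's splitter nor Snort code.
Sensor k takes IPv4 packets whose (src last octet + dst last octet) & (n-1)
equals k. Addition commutes, so A->B and B->A hash alike, and fragments of
one datagram carry the same addresses, so they stay together too.
"""
import socket
import struct
from typing import List


def bpf_filters(n_sensors: int) -> List[str]:
    """One pcap filter per sensor. Sensor 0 also takes non-IP frames (ARP
    and friends) so nothing is silently dropped on the floor."""
    if n_sensors < 1 or n_sensors & (n_sensors - 1):
        raise ValueError("sensor count must be a power of two")
    mask = n_sensors - 1
    filters = []
    for k in range(n_sensors):
        f = f"ip and (ip[15] + ip[19]) & {mask} = {k}"
        filters.append(f"({f}) or not ip" if k == 0 else f)
    return filters


def sensor_for(packet: bytes, n_sensors: int) -> int:
    """Python twin of bpf_filters(): same arithmetic on the same header bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return 0  # non-IPv4 goes where the "or not ip" clause sends it
    return (packet[15] + packet[19]) & (n_sensors - 1)


def flow_split(packets: List[bytes], n_sensors: int) -> List[int]:
    """Sensor index chosen for each packet under the flow-affine key."""
    return [sensor_for(p, n_sensors) for p in packets]


def round_robin_split(packets: List[bytes], n_sensors: int) -> List[int]:
    """Jay's scheme, reduced to one packet per buffer for illustration."""
    return [i % n_sensors for i in range(len(packets))]


def ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """A 20-byte IPv4 header with a valid checksum (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


# Constructed sample: a three-way handshake plus one packet of another flow.
HANDSHAKE = [
    ipv4_header("10.1.1.5", "192.0.2.80"),   # SYN
    ipv4_header("192.0.2.80", "10.1.1.5"),   # SYN/ACK
    ipv4_header("10.1.1.5", "192.0.2.80"),   # ACK
]
OTHER = ipv4_header("10.1.1.6", "192.0.2.80")

if __name__ == "__main__":
    for i, f in enumerate(bpf_filters(4)):
        print(f"sensor {i}: snort <options> '{f}'")
    print("flow hash  :", flow_split(HANDSHAKE + [OTHER], 4))
    print("round robin:", round_robin_split(HANDSHAKE + [OTHER], 4))
```

With four sensors the handshake lands on sensor 1 three times under the flow key and on sensors 0, 1, 2 under round-robin, which is exactly the reassembly loss Jay expects. Two practical notes for either design: a hub and per-sensor BPF still deliver every frame to every NIC, so the split saves Snort CPU, not interface bandwidth, and it caps you at the hub's 100 Mbps; and if the splitter route is taken, tcpdump must be run with `-w -` so the pipe carries pcap records rather than decoded text.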
>
>--__--__--
>
>Message: 8
>Date: Wed, 21 Mar 2001 11:10:07 -0800
>From: Stuart Staniford <stuart at ...155...>
>Organization: Silicon Defense
>To: Snort Users <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] We're Doing Commercial Support for Snort!
>
>
>Hi guys:
>
>Just to let everyone know that Silicon Defense is now going to be providing
>commercial support contracts for Snort.
>
>http://www.silicondefense.com/ for more info,
>
>or call  1-866-41-SNORT (1-866-417-6678) for sales
>
>Basically, we've hired some extra folks, had them installing and
>uninstalling and attacking and generally playing hard with snort, and now
>they pretty much know what they're doing.  Behind them stands the rest of
>us (Joey, Jim, Roel, me, etc) who've been working on Snort in different
>ways for the last eighteen months (contributing various plugins and new
>code and work on the rulesets).  Between all of us, we pretty much know
>Snort inside out - both how the code works, and what the issues are with
>using it on our own networks and client networks.
>
>And so for those of you who work in environments where it's helpful to have
>a commercial outfit supporting a product, we're here for you.  If you buy a
>support contract we'll provide rapid response help with your Snort related
>problems.  We really want to build a reputation for taking care of
>customers, and so we'll give your problem our best shot (if you're ever
>unhappy with our service, call me personally at the number below).  We've
>upgraded our phone system to handle your calls, or we can take tickets off
>email reports too.  We're working on web form submission for those
>customers that prefer that.
>
>For the rest of the community - we really hope this helps everyone.  The
>deal is this: if we can make money from supporting Snort, then it will give
>us more resources that we can plough back into the basic engineering of the
>tool (at the moment we do it as a kind of side effect of our government
>research business).  That will give us all a better product, which in turn
>will increase the size of the Snort market, and in turn let us do still
>more.
>
>If you have thoughts or questions on this, let us know what you think.  We
>want to stay open to the community and do this in a way that folks feel
>good about.  Marty's very pleased with the idea.  He said, "I can't think
>of a better organization to handle technical support for Snort and its
>related products," and "More than any other single commercial organization
>they have been involved with Snort since its infancy and have been active
>participants in user support, in developing new and interesting intrusion
>detection techniques, and providing key insight into Snort design and
>implementation.  I am truly excited at the prospect of Silicon Defense
>providing formalized support solutions for the Snort and its related
>products."
>
>We're excited!  Tell your friends!
>
>Stuart.
>
>--
>Stuart Staniford  ---  President  ---  Silicon Defense
>   ** Silicon Defense: Technical Support for Snort **
>mailto:stuart at ...155... http://www.silicondefense.com/
>(707) 445-4355                     (707) 445-4222 (FAX)
>
>
>
>--__--__--
>
>
>End of Snort-users Digest
