[Snort-users] unsubscribe

Ryan McClure (Systems Admin) - United Shipping rmcclure at ...2011...
Fri May 11 09:46:06 EDT 2001


-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 3:10 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #632 - 2 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. DNS Query Logging? (Richard, Jeff)
   2. subsidy (Ryan McClure (Systems Admin) - United Shipping)

--__--__--

Message: 1
From: "Richard, Jeff" <Jeff-Richard at ...562...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 16:47:34 -0400
Subject: [Snort-users] DNS Query Logging?

I hope someone can give a hand on this.  I need to get a count of how many
DNS queries my DNS servers are receiving.  What should a rule for DNS
queries look like?  I'm not familiar with DNS traffic, but realize that UDP
53 is the protocol/port, just not sure of any signature(s).

-Jeff
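What separates a query from a response on UDP/53 is the QR bit (the top bit of the flags word at offset 2 of the DNS header); it is 0 for a query, and QDCOUNT follows it. The parser below is an added example, not code from the thread or from Snort: it builds constructed sample queries, checks the QR bit, walks the question name and counts queries per name, while skipping responses and malformed packets. A Snort rule with the same intent (my own assumption, not something posted in the thread) would anchor on those same header bytes, e.g. `alert udp any any -> $HOME_NET 53 (msg:"DNS query"; content:"|01 00 00 01|"; offset:2; depth:4;)`, which only matches standard recursive queries carrying exactly one question.

```python
import struct
from collections import Counter


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal standard query (QR=0, RD=1, one question),
    the shape a stub resolver sends. Not captured traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def to_response(query: bytes) -> bytes:
    """Set the QR bit of a query so the same bytes read as a (truncated) response."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | 0x8000) + query[4:]


def parse_dns(payload: bytes):
    """Return (is_query, qname, qtype), or None when the message is malformed."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    is_query = (flags & 0x8000) == 0          # QR bit clear: this is a query
    if qdcount == 0:
        return (is_query, "", 0)
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                        # name runs past the end of the packet
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            return None                        # compression pointer in a question: treat as malformed
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None                            # QTYPE/QCLASS missing
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return (is_query, ".".join(labels), qtype)


def count_queries(payloads):
    """Count queries (QR=0) per name; responses and malformed packets are not counted."""
    counts = Counter()
    for payload in payloads:
        parsed = parse_dns(payload)
        if parsed is not None and parsed[0]:
            counts[parsed[1]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: three queries, one response, one junk datagram.
    sample = [build_query("www.example.com"),
              build_query("www.example.com", qtype=28),
              build_query("mail.example.com", qtype=15),
              to_response(build_query("www.example.com")),
              b"\x00\x01"]
    for name, n in count_queries(sample).items():
        print(f"{n:5d} {name}")
```

Feed it the UDP payloads from a capture of port 53 traffic and the counter gives the per-name query volume Jeff is after; counting on the QR bit rather than on the flags value avoids undercounting queries that do not set RD.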


--__--__--

Message: 2
From: "Ryan McClure (Systems Admin) - United Shipping"
	 <rmcclure at ...2011...>
To: snort-users at lists.sourceforge.net
Date: Thu, 10 May 2001 15:09:39 -0600
Subject: [Snort-users] subsidy



-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 2:43 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #631 - 4 msgs



Today's Topics:

   1. redundant rules (Watson, Ed)
   2. Re: redundant rules (Martin Roesch)
   3. My apologies (Kevin.Brown at ...1022...)
   4. ******unsubscribe****** (Ryan McClure (Systems Admin) - United Shipping)

-- __--__-- 

Message: 1
From: "Watson, Ed" <ewatson at ...2004...>
To: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 13:27:14 -0700
Subject: [Snort-users] redundant rules

The default rules don't seem to pick up port scans, even obvious ones. I
thought if I used the vision.rules, that would be more effective, and it
hasn't. Could redundant rules cause it to not log these events?
 
1166 rules read...
1166 Option Chains linked into 257 Chain Headers
0 Dynamic rules
 
System
      Dell 1550
        dual PIII 833
        1gb ram
        100baseTX FDX
    Resource usage
        Mem .6%
        CPU  .1%
OS
    RH7

Ed Watson





-- __--__-- 

Message: 2
Date: Thu, 10 May 2001 16:31:05 -0400
From: Martin Roesch <roesch at ...1935...>
To: "Watson, Ed" <ewatson at ...2004...>
CC: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] redundant rules

What are your HOME_NET and EXTERNAL_NET variables set to?  Are you
portscanning yourself from the same network that you're monitoring?

   -Marty


--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
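Marty's question matters because a rule header such as `$EXTERNAL_NET any -> $HOME_NET any` can never fire for a scan launched from inside HOME_NET when EXTERNAL_NET is defined as `!$HOME_NET`: the source address fails the negated match. The resolver below is an added example, not Snort code and not from the thread; it reproduces just that variable and negation logic with Python's ipaddress module. The variable names and values are constructed for the demonstration, and ports are ignored.

```python
import ipaddress


def resolve(spec: str, variables: dict, depth: int = 0):
    """Resolve an address spec ('any', '10.0.0.0/8', '$HOME_NET', '!$HOME_NET',
    '[10.0.0.0/8,$HOME_NET]') to (negated, networks); networks is None for 'any'."""
    if depth > 8:
        raise ValueError("variable definitions nest too deeply")
    spec = spec.strip()
    negated = False
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:].strip()
    if spec == "any":
        return negated, None
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables, depth + 1)
        return negated ^ inner_negated, nets
    if spec.startswith("[") and spec.endswith("]"):
        nets = []
        for part in spec[1:-1].split(","):
            part_negated, part_nets = resolve(part, variables, depth + 1)
            if part_negated or part_nets is None:
                raise ValueError("negation and 'any' inside a list are not supported here")
            nets.extend(part_nets)
        return negated, nets
    return negated, [ipaddress.ip_network(spec, strict=False)]


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """True when ip satisfies spec, honouring negation and 'any'."""
    negated, nets = resolve(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def rule_matches(header: str, src_ip: str, dst_ip: str, variables: dict) -> bool:
    """header looks like '$EXTERNAL_NET any -> $HOME_NET any'; ports are ignored here."""
    src, _sport, direction, dst, _dport = header.split()
    forward = addr_matches(src, src_ip, variables) and addr_matches(dst, dst_ip, variables)
    if direction == "->":
        return forward
    if direction == "<>":
        return forward or (addr_matches(src, dst_ip, variables)
                           and addr_matches(dst, src_ip, variables))
    raise ValueError(f"unknown direction operator {direction!r}")


if __name__ == "__main__":
    # Constructed snort.conf-style variables (assumed values, not from the thread).
    variables = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
    header = "$EXTERNAL_NET any -> $HOME_NET any"
    print("scan from inside :", rule_matches(header, "192.168.1.50", "192.168.1.10", variables))
    print("scan from outside:", rule_matches(header, "203.0.113.7", "192.168.1.10", variables))
```

Running the script shows the inside scan evaluating to False and the outside one to True; setting EXTERNAL_NET to `any` makes both match, which is the usual workaround when the scanner sits on the monitored segment.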


-- __--__-- 

Message: 3
Date: Thu, 10 May 2001 13:35:42 -0700 (MST)
From: Kevin.Brown at ...1022...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] My apologies

I don't know what happened but the mail I send from outlook gets turned into
html garbage when I send to this list.  I verified my options in both outlook
and with sourceforge, so somewhere between the two (maybe the damn exchange
server) is converting my plain text messages into htmlized junk.



-- __--__-- 

Message: 4
From: "Ryan McClure (Systems Admin) - United Shipping"
	 <rmcclure at ...2011...>
To: snort-users at lists.sourceforge.net
Date: Thu, 10 May 2001 14:43:37 -0600
Subject: [Snort-users] ******unsubscribe******



-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 2:17 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #630 - 8 msgs



Today's Topics:

   1. Re: Snort + Acid w/ MySQL question(s) (roman at ...438...)
   2. unsubscribe (Ryan McClure (Systems Admin) - United Shipping)
   3. Re: loggin issue (roman at ...438...)
   4. Rules vs performance (Robinson, Ken)
   5. RE: Rules vs performance (Kevin Brown)
   6. Re: Rule Managment Tool (shawn . moyer)
   7. RE: Rule Managment Tool (Jeff Dell)
   8. RE: New Conundrum (Kevin Brown)

--  __--__--  

Message: 1
To: alexus <ml at ...1718...>
Cc: snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 15:18:07 US/Eastern

One observation:

- ACID 0.9.5 does not use ADODB.  This DB abstraction was
introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
acid_conf.php will be ignored.

Two recommendations:

- are you sure that you have CREATE permissions on the DB
user set in acid_conf.php?  If all else fails, try using the 
"create_acid_tbls_mysql.sql" to manually create the ACID 
tables.

- upgrade to a more recent version of ACID => 0.9.6b9.  There
are significant feature improvements as well as bug fixes.  If you
prefer an older version, upgrade to at least 0.9.6b1 for it has
a number of important bug fixes.

cheers,
Roman

> I'm using the following:
> 
> FreeBSD 4.3 - RELEASE (STABLE)
> ACID-0.9.5 - RELEASE (STABLE)
> ADODB v1.0.1 - RELEASE (STABLE)
> PHP - 4.0.5 - RELEASE (STABLE)
> APACHE - 1.3.19 - RELEASE (STABLE)
> SNORT - 1.7 - RELEASE (STABLE)
> 
> to compile snort i used following line:
> ../configure --with-mysql=/usr/local/mysql;make;make install
> 
> i did change acid_conf.php i put path to adodb
> 
> in adodb
> 
> i put local path in adodb.inc.php
> 
> when i go to http://localhost/acid it redirects me to acid_main.php and when
> it gets there i get this:
> 
> The underlying database alexus at ...274... appears to be invalid.
> 
> The database version is valid, but the ACID DB structure (table: acid_ag) is
> not present. Use the Setup page to configure and optimize the DB
> 
> when i click on "Setup page"
> 
> in status window i get "DONE" for "Search Indexes" and i have "Create ACID
> AG" for "ACID tables" i'm assuming i need to click on "Create ACID AG", when
> I do that nothing happens, it won't disappear or it won't change status to
> "DONE".. what am i missing?
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/




--  __--__--  

Message: 2
From: "Ryan McClure (Systems Admin) - United Shipping"
	 <rmcclure at ...2011...>
To: snort-users at lists.sourceforge.net
Date: Thu, 10 May 2001 13:33:14 -0600
Subject: [Snort-users] unsubscribe



-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 1:06 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #629 - 4 msgs



Today's Topics:

   1. Re: High CPU (Jon Bentley)
   2. Re: alert message containing info from the packet? (Andreas Hasenack)
   3. loggin issue (Koaps)
   4. Re: snort pgsql keepalive (roman at ...438...)

--   __--__--   

Message: 1
From: "Jon Bentley" <jon at ...1741...>
To: "Steve" <stlukacs at ...2010...>, <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] High CPU
Date: Thu, 10 May 2001 13:22:31 -0400

Hi, Steve.  What type of system are you running on, and how many packets
are you generating?

----- Original Message -----
From: "Steve" <stlukacs at ...2010...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 12:40 PM
Subject: [Snort-users] High CPU


> I am currently testing snort 1.7 and find the CPU to be very high (87%). I
> am running 1.6.3 in production and the CPU is about 9%... I've disabled all
> pre-processors, turned on binary logging and have seen no change... anyone
> experienced this?
>
> Thank-you
>
> Steve Lukacs
> Qunara
>
>
>



--   __--__--   

Message: 2
Date: Thu, 10 May 2001 14:58:26 -0300
From: Andreas Hasenack <andreas at ...814...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] alert message containing info from the packet?

On Thu, May 10, 2001 at 12:08:09PM -0300, Andreas Hasenack wrote:
> Would it be feasible for snort's alert messages to contain
> some information from the packet that caused the alert?

Answering to myself, this would probably be better handled with
the analysis tool...



--   __--__--   

Message: 3
From: "Koaps" <koaps at ...1804...>
To: "Snort" <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 11:27:56 -0700
Subject: [Snort-users] loggin issue

I don't get it....

I have Snort 1.7 on OpenBSD

it's telling me it's seeing Packets, it's sending alerts, but I see no data
in mysql....


===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 5048       (99.664%)         ALERTS: 7
    UDP: 0          (0.000%)          LOGGED: 7
   ICMP: 12         (0.237%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
=======================================

connect info

Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = ids
database: password is set
database: database name = snortdb
database:          host = 192.168.69.5
database:   sensor name = 192.168.69.12
database:     sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


I am using ACID to look at the SnortDB
I can see it's registered in the database as a sensor...

I just see no data from it



L8rZ,

  )\_/(
 < o,0 >
    ~
   \ /

KoAps






--   __--__--   

Message: 4
To: Alexandre Dulaunoy <adulau-snort at ...1558...>
Cc: snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] snort pgsql keepalive
Date: Thu, 10 May 2001 15:02:21 US/Eastern

I did some checking on Snort behavior when the DB server dies:

Snort 1.7: alerts dropped
Snort 1.8: alert dropped, Snort issues FatalError(), quits

In either case, the behavior is incorrect.  The fact that 1.8 quits
instead of merely dropping (ala 1.7) is immaterial since neither version
will cache dropped alerts.  Thus, without caching there is no
reason to even keep the sensor up, since no logging is occurring
(unless you have other logging mechanisms other than 
the DB-plugin).

I believe that the correct action is to attempt a re-connect
to the DB when Snort detects a disconnect (i.e. when either
the Select() or Insert() fails with the appropriate error code, call 
Connect() again, if this fails only then FatalError() ).

Roman

> Hello,
> 
> When the sensor got a connection to the postmaster (postgres) and if the
> postmaster goes down, the sensor will stop. 
> 
> Is there anyway to keep the sensor up and when the connection are coming
> back of the postmaster ? like a keepalive and reconnect...
> 
> Thanks
> 
> alx
> 
> -- 
> ---
> Alexandre J.D. Dulaunoy  | "Engineering is the implementation of science;
> AD993-RIPE               | Politics is the implementation of faith".
> http://www.foo.be/       |                      Another usenet quote...
> 
> 
> 
> 
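Roman's proposed fix (retry Connect() when a Select() or Insert() fails, and only FatalError() when that also fails) together with his point that neither 1.7 nor 1.8 caches the alerts it drops can be sketched as an output sink. The code below is an added example, not Snort's database plugin and not from the thread: FakeDB is a constructed stand-in whose `up` flag simulates the server going away, the sink keeps a bounded cache of alerts while reconnecting with exponential backoff, and it counts every alert it had to drop so the operator can see the loss instead of silently missing it.

```python
import time
from collections import deque


class DBDown(Exception):
    """Raised by the stand-in connection when the server is unreachable."""


class FakeDB:
    """Constructed stand-in for a database connection (not a real driver).
    Setting .up = False simulates the server dying mid-run."""

    def __init__(self):
        self.up = True
        self.rows = []
        self.connect_calls = 0

    def connect(self):
        self.connect_calls += 1
        if not self.up:
            raise DBDown("connection refused")

    def insert(self, row):
        if not self.up:
            raise DBDown("server closed the connection")
        self.rows.append(row)


class ReconnectingSink:
    """Output sink that caches alerts while the DB is away and reconnects with backoff.
    Alerts are only lost when the cache overflows, and that loss is counted."""

    def __init__(self, db, max_cached=1000, reconnect_attempts=3, backoff=0.5, sleep=time.sleep):
        self.db = db
        self.pending = deque()
        self.max_cached = max_cached
        self.reconnect_attempts = reconnect_attempts
        self.backoff = backoff
        self.sleep = sleep          # injectable so tests do not really wait
        self.connected = False
        self.dropped = 0

    def _reconnect(self) -> bool:
        for attempt in range(self.reconnect_attempts):
            try:
                self.db.connect()
                self.connected = True
                return True
            except DBDown:
                self.sleep(self.backoff * (2 ** attempt))   # exponential backoff between tries
        self.connected = False
        return False

    def log(self, alert) -> bool:
        """Queue one alert and try to drain the queue; False means it is still cached."""
        if len(self.pending) >= self.max_cached:
            self.pending.popleft()       # cache full: the oldest alert is lost, and we say so
            self.dropped += 1
        self.pending.append(alert)
        return self.flush()

    def flush(self) -> bool:
        """Write cached alerts in order; dequeue each one only after its insert succeeds."""
        if not self.connected and not self._reconnect():
            return False
        failures = 0
        while self.pending:
            try:
                self.db.insert(self.pending[0])
                self.pending.popleft()
                failures = 0
            except DBDown:
                self.connected = False
                failures += 1
                if failures > self.reconnect_attempts or not self._reconnect():
                    return False
        return True


if __name__ == "__main__":
    db = FakeDB()
    sink = ReconnectingSink(db, max_cached=2, sleep=lambda s: None)
    sink.log("alert-1"); sink.log("alert-2")
    db.up = False                                   # server dies
    for a in ("alert-3", "alert-4", "alert-5"):
        sink.log(a)                                 # cached, oldest one dropped on overflow
    db.up = True                                    # server is back
    sink.log("alert-6")                             # cache drains in order
    print("stored:", db.rows, "dropped:", sink.dropped, "still cached:", list(sink.pending))
```

The decision to give up (Roman's FatalError) is left to the caller, who sees a False return and a growing `dropped` counter; a real plugin would also log the reconnect attempts so an outage of the database is visible as its own event.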








--   __--__--   



End of Snort-users Digest


--  __--__--  

Message: 3
To: Koaps <koaps at ...1804...>
Cc: snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] loggin issue
Date: Thu, 10 May 2001 15:35:26 US/Eastern

Is it logging anywhere else (e.g. to a file)? What does your
command line look like?  Does it have a "-A", if so remove it.

Roman








--  __--__--  

Message: 4
From: "Robinson, Ken" <ken.robinson at ...1563...>
To: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 15:41:30 -0400
Subject: [Snort-users] Rules vs performance

Hello,

Are there any rule-of-thumb, or such on how the number of Snort rules
affects the performance?   

In doing some lab tests, we found that as the amount of traffic went up, we
detected fewer and fewer test attacks.     CPU usage was high, but not
peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
NICs and 256Meg RAM.  

I don't know if the misses were due to an issue with the hardware (NIC
missing packets?), or if there were too many rules to sort through for the
Snort software, or too much logging? 

We've looked through the snort rules from Whitehats and found many cases
where we could reduce the rules by either dropping them (i.e. don't care),
reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
instead of detecting which OS),  or making groups of them as activate rules
(i.e. the DeepThroat backdoor rules).    We could also use the Activate
rules to log the next 50 packets and then run a full set of rules on those
logged packets.  

So, any advice for us?   Should we use Activate rules as much as possible?
Should we generalize rules?   Or is all of this not going to make much of a
difference? 

Thanks. 

----
Ken Robinson





--  __--__--  

Message: 5
Date: Thu, 10 May 2001 12:53:00 -0700
From: Kevin Brown <Kevin.M.Brown at ...1022...>
Subject: RE: [Snort-users] Rules vs performance
To: "'Robinson, Ken'" <ken.robinson at ...1563...>,
 "Snort List (E-mail)" <snort-users at lists.sourceforge.net>


I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s link
the snort was clocking 40% of the cpu with absolutely no rules or plugins.
I don't remember the specifics, but I was removing rules from the list till
snort dropped to 80% or less and of the ruleset of 400 rules I had to drop
all but 50 I believe to get it down.  I'm currently using a Sparc 500 and it
is clocking 50% of the CPU (same link) with the full ruleset in place
(snort1.8b5 build 20).  I downloaded top and compiled it and just watch the
processes and notice that with just the database and spp plugins snort is
slowly eating up my 1GB of memory.  I don't know if that is a memory leak
or just a lot of memory caching going on within snort.




--  __--__--  

Message: 6
Date: Thu, 10 May 2001 14:54:31 -0500
From: "shawn . moyer" <shawn at ...1184...>
To: Cedric Guillotin <guillo_c at ...1938...>
Cc: Jeff Dell <jdell at ...912...>,
	snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rule Managment Tool


By the way, I pulled this down, still twiddling with it, but the first
thing I noticed is it needs MSCOMCTL.OCX -- I dl'd this from:

http://www.microxl.com/wintersasj/download/mscomctl.zip



--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"May the forces of evil become 
confused on the way to your house."

                    --George Carlin


--  __--__--  

Message: 7
From: Jeff Dell <jdell at ...912...>
To: "'shawn . moyer'" <shawn at ...1184...>, Cedric Guillotin
	 <guillo_c at ...1938...>
Cc: Jeff Dell <jdell at ...912...>, snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Rule Managment Tool
Date: Thu, 10 May 2001 16:03:21 -0400

yea.. it needs ms visual basic runtimes installed. they should be included
in win2k.

Jeff



--  __--__--  

Message: 8
Date: Thu, 10 May 2001 13:15:30 -0700
From: Kevin Brown <Kevin.M.Brown at ...1022...>
Subject: RE: [Snort-users] New Conundrum
To: snort-users at lists.sourceforge.net


OK, did some more digging and I'm still under the impression that
something's not right.  I finally figured out that for each sensor it
creates a new cid entry in the event table that is unique only against the
sid (e.g. if you have 4 sensors logging you could have four rows with a cid
of 1000 with a unique sid attached to each).  So with that in hand I did a
select statement to find the cids for just the sun box and came up with:

 sid |  cid   | signature |       timestamp        
-----+--------+-----------+------------------------
   3 |     30 | 424       | 2001-05-09 05:07:40-07
   3 |     31 | 424       | 2001-05-09 05:07:40-07
   3 |     32 | 668       | 2001-05-14 02:10:41-07	<----
   3 |     33 | 424       | 2001-05-09 05:07:41-07
   3 |     34 | 5538      | 2001-05-09 05:07:41-07
   3 |     35 | 1250      | 2001-05-14 02:10:42-07	<----
   3 |     36 | 424       | 2001-05-09 05:07:42-07
   3 |     37 | 424       | 2001-05-09 05:07:42-07
   3 |     38 | 424       | 2001-05-09 05:07:42-07
   3 |     39 | 424       | 2001-05-09 05:07:42-07
   3 |     40 | 424       | 2001-05-09 05:07:42-07
   3 |     41 | 5541      | 2001-01-28 22:19:42-07	<----
   3 |     42 | 1053      | 2001-05-14 02:10:43-07	<----

Notice that the timestamp field jumps around in date even though the cids of
the events are sequential.  I don't know where this problem is introduced,
but it doesn't seem to have happened to the Linux (RH6.2 kernel 2.2.19) box
that was in the wild.


-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown at ...1022...]
Sent: Wednesday, May 09, 2001 16:03
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] New Conundrum

Got a new little thing I found.  I just finished putting that Netra T1 into
place to begin testing.  I have it logging to the same database as the PII
450 that was out there.  I went looking through the database to verify that
it is indeed logging and found that the timestamps for the events being
logged by the Sun box are 5 days behind today (5/4/2001).  I discovered this
by just doing a "select timestamp from event where cid = <count of rows>;".

The box has the following on it. 
Solaris 8 
psql 7.0.3 (for the shared libs to send data to a remote sql box) 
snort 1.8b4 (build 14) 

running date returns the following: Wed May  9 15:58:05 MST 2001 
which is only off by a minute or less from current local time. 

The Linux box that had been there (PII 450) last logged a packet at 10:44AM,
Wed May 9, which is the time that I shut it down to put the Sun in its place.
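
As an added example (not from this thread, Snort, or the ACID schema), one way to find the rows Kevin marked with arrows without eyeballing the psql output: the check below walks each sensor's events in cid order and reports every timestamp that moves backwards relative to the previous cid for the same sid. The sample rows are the ones quoted above, re-typed here as constructed test data rather than read from a live database.

```python
"""Integrity check for Snort database logging: flag event rows whose
timestamp runs backwards relative to the preceding cid for the same sid.
Input is the psql text output quoted in the message (constructed copy)."""
from datetime import datetime, timedelta

# Rows as (sid, cid, signature, timestamp), copied from the psql output above.
EVENT_ROWS = """\
   3 |     30 | 424       | 2001-05-09 05:07:40-07
   3 |     31 | 424       | 2001-05-09 05:07:40-07
   3 |     32 | 668       | 2001-05-14 02:10:41-07
   3 |     33 | 424       | 2001-05-09 05:07:41-07
   3 |     34 | 5538      | 2001-05-09 05:07:41-07
   3 |     35 | 1250      | 2001-05-14 02:10:42-07
   3 |     36 | 424       | 2001-05-09 05:07:42-07
   3 |     37 | 424       | 2001-05-09 05:07:42-07
   3 |     38 | 424       | 2001-05-09 05:07:42-07
   3 |     39 | 424       | 2001-05-09 05:07:42-07
   3 |     40 | 424       | 2001-05-09 05:07:42-07
   3 |     41 | 5541      | 2001-01-28 22:19:42-07
   3 |     42 | 1053      | 2001-05-14 02:10:43-07
"""


def parse_rows(text):
    """Parse psql-style '|'-separated rows into (sid, cid, sig, datetime)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, cid, sig, ts = (f.strip() for f in line.split("|"))
        # PostgreSQL prints the zone as '-07'; strptime's %z wants '-0700'.
        stamp = datetime.strptime(ts + "00", "%Y-%m-%d %H:%M:%S%z")
        rows.append((int(sid), int(cid), int(sig), stamp))
    return rows


def find_time_regressions(rows, tolerance=timedelta(0)):
    """Per sensor (sid), walk events in cid order and report each row whose
    timestamp is earlier than the previous row's by more than `tolerance`.
    Returns a list of (sid, cid, gap) with gap = how far back time jumped."""
    by_sid = {}
    for sid, cid, _sig, ts in rows:
        by_sid.setdefault(sid, []).append((cid, ts))
    regressions = []
    for sid, events in sorted(by_sid.items()):
        events.sort()  # cid is the per-sensor insertion counter
        prev_ts = None
        for cid, ts in events:
            if prev_ts is not None and prev_ts - ts > tolerance:
                regressions.append((sid, cid, prev_ts - ts))
            prev_ts = ts
    return regressions
```

Run against the quoted rows it returns cids 33, 36 and 41 for sid 3; a clean sensor returns an empty list, so the same function can be scheduled against each sensor's rows as a logging health check.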




--  __--__--  

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

