[Snort-users] Re: Snort-users digest, Vol 1 #659 - 15 msgs

securgrl lsmith147 at ...2053...
Fri May 18 16:41:46 EDT 2001


Have a great day, Mr. Lucom
----- Original Message -----
From: <snort-users-request at lists.sourceforge.net>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, May 18, 2001 3:05 PM
Subject: Snort-users digest, Vol 1 #659 - 15 msgs


> Send Snort-users mailing list submissions to
> snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> snort-users-admin at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. wont create any graphics in Graph Alert data (alexus)
>    2. Error in snort start (Duplicate processor keyword) (Denis Augusto A. de Souza)
>    3. Re: Alert messages and rule identification (Subba Rao)
>    4. Name resolution (Subba Rao)
>    5. Re: Name resolution (Kendall Lister)
>    6. Guardian ENHANCED (fm at ...2050...)
>    7. Help with Adapter (mike huang)
>    8. RE: Help with Adapter (van Oosterom, Peter)
>    9. RE: Help with Adapter (Thomas Whipp)
>   10. Re: Help with Adapter (Chris Green)
>   11. Version 1.8-beta5 (Build 24) (Scott A. McIntyre)
>   12. Re: Name resolution (John Sage)
>   13. DNS TO 137 (Togan Muftuoglu)
>   14. Re: Error in snort start (Duplicate processor keyword) (Neil Dickey)
>   15. Re: Name resolution (Dan Cuthbert)
>
> --__--__--
>
> Message: 1
> From: "alexus" <ml at ...1718...>
> To: <roman at ...438...>
> Cc: <snort-users at lists.sourceforge.net>
> Date: Thu, 17 May 2001 16:07:21 -0400
> Subject: [Snort-users] wont create any graphics in Graph Alert data
>
> I compiled php --with-gd (http://box.nexgen.com/info.php)
> I installed phplot, I specify it in acid_conf.ph
>
> and when I go to
>
> http://box.nexgen.com/acid/acid_graph_main.php
>
> no matter which options I select I don't see any graphics
>
> any ideas?
>
>
>
>
>
> --__--__--
>
> Message: 2
> From: "Denis Augusto A. de Souza" <denis.souza at ...2049...>
> To: <snort-users at lists.sourceforge.net>
> Date: Thu, 17 May 2001 19:56:49 -0300
> Subject: [Snort-users] Error in snort start (Duplicate processor keyword)
>
> Dear friends,
>
>
> I installed snort 1.7 and I'm using the snort.conf sample
> from the snort site. I'm starting the snort program with:
>
>     snort -Afull -c /etc/snort.conf
>
>
> And snort sends me:
>
>
>     --== Initializing Snort ==--
>
> Initializing Network Interface eth0
> Decoding Ethernet on Interface eth0
> Initializing Preprocessors!
> ERROR (null) (0) => Duplicate preprocessor keyword!
>
> I didn't find this duplicate in my snort.conf file!!!!
> Is there a solution for me????
>
>
> Thanks in advance,
>
>
>         Denis
>
>
> --__--__--
>
> Message: 3
> Date: Thu, 17 May 2001 18:54:11 +0000
> From: Subba Rao <subba9 at ...530...>
> To: Chris Green <cmg at ...671...>
> Cc: Snort Users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Alert messages and rule identification
> Reply-To: Subba Rao <subba9 at ...530...>
>
> On  0, Chris Green <cmg at ...671...> wrote:
> > >
> > > The original datagram says it is a DNS query. I get notified via ICMP
> > > that the destination is unreachable. This looks normal to me. How do I
> > > find out which rule has triggered this alert. I am not going to remove
> > > that alert but will modify my DNS resolution.
> > >
> > > Is there a way to make snort dump the rule ID along with the alert dump?
> > >
> > > Any info appreciated.
> > >
> > > TIA.
> >
> > grep -n 'ICMP Destination Unreachable' *.rules
> >
> > There is no rule id field in snort rules ( something that would often
> > come in handy )
> >
>
> Thank you very much for this tip. In my rules list, I do have several 'ICMP
> Destination Unreachable' filters. I had to use the icode and itype to pinpoint
> the rule.
>
> --
>
> Subba Rao
> subba9 at ...530...
> http://members.home.net/subba9/
>
> GPG public key ID 27FC9217
>
>
> --__--__--
>
> Message: 4
> Date: Thu, 17 May 2001 19:12:56 +0000
> From: Subba Rao <subba9 at ...530...>
> To: Snort Users <snort-users at lists.sourceforge.net>
> Reply-To: Subba Rao <subba9 at ...530...>
> Subject: [Snort-users] Name resolution
>
> Hi,
>
> This is going to be a very basic question. I do see (on a daily basis) attempts
> to connect to the sunrpc services (port 111). When I try to resolve the IP
> address, I always get,
>
> *** myhost.mydom.com can't find sys.no.edu: Non-existent host/domain
>
> How are these hackers conducting the hacks? They should get some response back
> from my machine. If their host/domain does not exist, then where are the
> replies from my system going?
>
> Thanks for any info.
> --
>
> Subba Rao
> subba9 at ...530...
> http://members.home.net/subba9/
>
> GPG public key ID 27FC9217
>
>
> --__--__--
>
> Message: 5
> Date: Fri, 18 May 2001 09:40:21 +1000 (EST)
> From: Kendall Lister <krl at ...1908...>
> To: Snort Users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Name resolution
>
> On Thu, 17 May 2001, Subba Rao wrote:
>
> > This is going to be a very basic question. I do see (on daily basis)
> > attempts to connect to the sunrpc services (port 111). When I try to
> > resolve the IP address, I always get,
> >
> > *** myhost.mydom.com can't find sys.no.edu: Non-existent host/domain
> >
> > How are these hackers conducting the hacks? They should get some
> > response back from my machine. If their host/domain does not exist,
> > then where are the replies from my system going?
>
> There is no need for a particular IP address to have a corresponding DNS
> host name; all TCP/IP traffic actually occurs between hosts identified
> by IP addresses. So, for example, you could "telnet aa.bb.cc.dd" to try to
> connect to the systems that are probing you - you don't need to use a host
> name to get through.
>
> Kendall
> krl at ...1907...
>
>
>
> --__--__--
>
> Message: 6
> Date: Thu, 17 May 2001 20:40:17 -0400 (EDT)
> From: <fm at ...2050...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Guardian ENHANCED
>
>
> Hi folks,
>
> I've been using the fine Guardian script by Anthony Stevens for a while
> now. The only shortcoming that I found was the unmanageable number of hosts
> that get put into denial in such a short period. To keep this number
> manageable, I have added these features to the Guardian script:
>
> -Timer logic added to hosts in denial. Hosts will be removed
> from denial when the timer expires. Set timeLimit in config file.
>
> -Graceful shutdown (kill <pid>) will cause the script to remove
> the hosts from denial on shutdown. This can be turned off.
> Set cleanRules in config file.
>
> -Sending the script a USR1 signal will cause it to flush all
> IPs from the denial list. This is useful when you want to
> flush the rules while the script is running.
>
> I have attempted to contact Anthony Stevens via email regarding these
> changes and have had no response. Thus, I offer it here. Full credit
> belongs to him. My changes are merely trivial hacks.
>
> Script can be found here:
> http://home.golden.net/~elim/guardian-1.1.0.tar.gz
>
> Please direct all comments to fm at ...2050...
>
>
>
>
>
> --__--__--
>
> Message: 7
> Reply-To: <mikeh at ...2052...>
> From: "mike huang" <mikeh at ...2052...>
> To: <snort-users at lists.sourceforge.net>
> Date: Fri, 18 May 2001 13:19:44 +1000
> Subject: [Snort-users] Help with Adapter
>
>
> Hi all:
>
> I am having a problem when I try to start snort. The error it complains
> about is
>
>
>         --== Initializing Snort ==--
>
> Initializing Network Interface \Device\Packet_{7997B190-05F8-405F-951B-D60BFE935285}
> ERROR: OpenPcap() device
> \Device\Packet_{7997B190-05F8-405F-951B-D60BFE935285} open:
>         Error opening adapter
>
> thanks for your help
>
> mike
>
>
>
>
>
> --__--__--
>
> Message: 8
> From: "van Oosterom, Peter" <Peter.vanOosterom at ...1380...>
> To: "'mikeh at ...2052...'" <mikeh at ...2052...>,
snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Help with Adapter
> Date: Fri, 18 May 2001 09:06:12 +0200
>
> Try using Tcpdump to see whether it is an actual problem with the Library
> and not Snort, as it uses the same Library as Snort
>
> - Peter
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --__--__--
>
> Message: 9
> From: Thomas Whipp <tkw at ...1885...>
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Help with Adapter
> Date: Fri, 18 May 2001 09:15:46 +0100
>
> although that might not be a fair test as pcap is statically
> linked with snort (or at least it didn't show with an ldd on
> my binary)!
>
> To do a fair test you will probably need to compile TcpDump
> using the same library as you used to build snort.
>
> Tom
>
>
>
> --__--__--
>
> Message: 10
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Help with Adapter
> From: Chris Green <cmg at ...671...>
> Date: 18 May 2001 08:09:12 -0500
>
> Thomas Whipp <tkw at ...1885...> writes:
>
> > although that might not be a fair test as pcap is statically
> > linked with snort (or at least it didn't show with a ldd on
> > my binary)!
> >
> > To to a fair test you will probably need to compile TcpDump
> > using the same library as you used to build snort.
> >
>
> Just a note that it looked like the original poster was using snort
> under Windows where it's always linked against libpcap.dll AFAIK (
> thought it was interesting that the error message looked like registry
> keys ).
> --
> Chris Green <cmg at ...671...>
> A good pun is its own reword.
>
>
> --__--__--
>
> Message: 11
> Date: Fri, 18 May 2001 15:50:08 +0200
> From: "Scott A. McIntyre" <scott at ...1050...>
> To: Snort Mailing List <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Version 1.8-beta5 (Build 24)
>
>
> Hi,
>
> Is there any reason why the linux "-i any" argument to listen on any
> interface would break the VLAN parsing code?
>
> Using version 1.8-beta5 (Build 24) I can bind to one particular
> interface and it works fine, but if I bind to "any" then almost all
> traffic is recognized only as type "other" and snort doesn't snort.
>
> Thanks for any ideas.
>
> Scott
>
>
>
> --__--__--
>
> Message: 12
> Date: Fri, 18 May 2001 06:56:28 -0700
> From: John Sage <jsage at ...2022...>
> Organization: FinchHaven
> To: Subba Rao <subba9 at ...530...>
> CC: Snort Users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Name resolution
>
> Subba:
>
> Subba Rao wrote:
>
> > Hi,
> >
> > This is going to be a very basic question. I do see (on a daily basis) attempts
> > to connect to the sunrpc services (port 111). When I try to resolve the IP
> > address, I always get,
> >
> > *** myhost.mydom.com can't find sys.no.edu: Non-existent host/domain
> >
> > How are these hackers conducting the hacks? They should get some response back
> > from my machine. If their host/domain does not exist, then where are the
> > replies from my system going?
>
> If you really want to determine as much as you can about who/where/what these
> IPs are, you need to use whois services at one of these:
>
> ARIN: http://whois.arin.net/whois/index.html
>
> Europe: http://www.ripe.net/cgi-bin/whois
>
> Asia/Pacific generally: http://www.apnic.net/
>
> Japan NIC:  http://whois.nic.ad.jp/cgi-bin/whois_gw
>
> Korea NIC: http://www.nic.or.kr/www/english/
>
> Taiwan NIC: http://www.twnic.net/English/Index.htm
>
> Internic: http://www.internic.net/whois.html
>
> The appropriate whois service will get you to the netblock holder, and in
> many cases get you down to the specific administrative level of the domain.
>
> I've found that all URIs with more than the domain.tld (ie: server.domain.tld)
> will never resolve from an IP address under my local nslookup.
>
> HTH..
>
> - John
>
> --
> John Sage
> FinchHaven, Vashon Island, WA, USA
> http://www.finchhaven.com/
> mailto:jsage at ...2022...
> "The web is so, like, five minutes ago..."
>
>
>
> --__--__--
>
> Message: 13
> Date: Fri, 18 May 2001 17:25:03 +0300
> From: Togan Muftuoglu <toganm at ...603...>
> To: snort <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] DNS TO 137
>
>
> Hi
> As you can see clearly below there is traffic from port 53 to 137
> (netbios). Now those two IPs are the nameservers for my ISP, with which I have
> an ADSL connection that I use Roaring Penguin for.
>
> I have in my resolve.conf
>
> nameserver 127.0.0.1
> search my.domain
>
> and there is no forwarding in the named.conf. I do want to believe that
> this is indeed bad traffic, but five-second intervals from two
> named servers to my pc on port 137 is questionable to me.
>
> TIA
>
> --
> Togan Muftuoglu
>
> =-=-=-=-=-=-=-=-=-=
> May 18 16:10:03 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic   Priority: 2]: 212.156.4.4:53 -> 212.156.196.133:137
> May 18 16:10:08 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic   Priority: 2]: 212.156.4.20:53 -> 212.156.196.133:137
>
>
>
>
>
>
>
>
> --__--__--
>
> Message: 14
> Date: Fri, 18 May 2001 09:21:52 -0500 (CDT)
> From: Neil Dickey <neil at ...1633...>
> Reply-To: Neil Dickey <neil at ...1633...>
> Subject: Re: [Snort-users] Error in snort start (Duplicate processor keyword)
> To: snort-users at lists.sourceforge.net
>
>
> "Denis Augusto A. de Souza" <denis.souza at ...2049...> wrote asking:
>
> > I installed snort 1.7 and I'm using the snort.conf sample
> > from the snort site. I'm starting the snort program with:
> >    snort -Afull -c /etc/snort.conf
> > And snort sends me:
> >    --== Initializing Snort ==--
> > Initializing Network Interface eth0
> > Decoding Ethernet on Interface eth0
> > Initializing Preprocessors!
> > ERROR (null) (0) => Duplicate preprocessor keyword!
> >
> > I didn't find this duplicate in my snort.conf file!!!!
> > Is there a solution for me????
>
> In order for us to help you, you'll have to post the relevant parts
> of your snort.conf file for us to look at.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
>
>
> --__--__--
>
> Message: 15
> Date: Fri, 18 May 2001 15:29:40 +0100
> From: Dan Cuthbert <dcuthbert at ...1623...>
> To: John Sage <jsage at ...2022...>
> Cc: Subba Rao <subba9 at ...530...>,
>    Snort Users <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Name resolution
>
> Hi
>
> I've found that whois.geektools.com searches all of those for you!
>
>
> Dan
>
>
>
> Dan Cuthbert
> Network Security Consultant
> IdSec
> Key fingerprint = 9BFB 60F1 1B46 F9F0 4E2C  84A6 8D04 E771 54A6 1116
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest
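Message 3 of the digest describes pinpointing the rule behind an alert: grep the rules for the alert's msg text, then use itype/icode when several rules share it. The script below is an added example, not code from the list or from Snort; the rules in SAMPLE_RULES are constructed in Snort 1.x syntax and are not a real ruleset.

```python
"""Pinpoint which Snort rule produced an alert by matching the alert's msg
text and, where several rules share it, the ICMP itype/icode in the dump."""
import re

# Constructed sample rules in Snort 1.x syntax (not a real ruleset).
SAMPLE_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype: 0;)
alert udp any any -> $HOME_NET 111 (msg:"RPC portmap request"; content:"|00 01 86 A0|";)
"""

MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
OPT_RE = re.compile(r'\b(itype|icode)\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """One dict per rule line: file line number (as grep -n reports it),
    msg text, and the ICMP itype/icode options if present."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines still count toward line numbers
        msg = MSG_RE.search(line)
        opts = {name: int(val) for name, val in OPT_RE.findall(line)}
        rules.append({"line": lineno, "msg": msg.group(1) if msg else None,
                      "itype": opts.get("itype"), "icode": opts.get("icode"),
                      "rule": stripped})
    return rules


def find_rules(text, alert_msg, itype=None, icode=None):
    """Candidates whose msg contains alert_msg (the grep step), narrowed by the
    ICMP type/code seen in the alert when several rules share the same text.
    A rule that sets no itype/icode matches any type/code and is kept."""
    hits = [r for r in parse_rules(text) if r["msg"] and alert_msg in r["msg"]]
    if itype is not None:
        hits = [r for r in hits if r["itype"] in (None, itype)]
    if icode is not None:
        hits = [r for r in hits if r["icode"] in (None, icode)]
    return hits


if __name__ == "__main__":
    # ICMP type 3 / code 3: three rules share the msg text, only one matches.
    for r in find_rules(SAMPLE_RULES, "ICMP Destination Unreachable", itype=3, icode=3):
        print(f"line {r['line']}: {r['msg']}")
```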
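Message 6 lists three additions to the Guardian script: entries that expire after timeLimit, removal of all entries on graceful shutdown when cleanRules is set, and a USR1 flush. The class below is an added model of that deny-list logic, not the Guardian script itself; block/unblock are callbacks (assumed here, so the code runs without touching a firewall) and the addresses are constructed.

```python
"""Model of the Guardian enhancements from Message 6: a deny list whose
entries lapse after time_limit seconds, a graceful shutdown that removes
entries only when clean_rules is set, and a USR1 flush at any time."""
import signal
import time


class DenyList:
    def __init__(self, time_limit, clean_rules, block, unblock):
        self.time_limit = time_limit      # seconds a host stays denied (timeLimit)
        self.clean_rules = clean_rules    # remove entries on shutdown? (cleanRules)
        self.block, self.unblock = block, unblock   # firewall hooks, supplied by caller
        self.expiry = {}                  # host -> time its entry lapses
        self.stop = False

    def deny(self, host, now=None):
        """Add a host, or extend an existing entry; the hook fires only on first add."""
        now = time.time() if now is None else now
        if host not in self.expiry:
            self.block(host)
        self.expiry[host] = now + self.time_limit

    def expire(self, now=None):
        """Remove every host whose timer has run out; returns the removed hosts."""
        now = time.time() if now is None else now
        lapsed = sorted(h for h, t in self.expiry.items() if t <= now)
        for h in lapsed:
            self.unblock(h)
            del self.expiry[h]
        return lapsed

    def flush(self):
        """Drop all entries at once (the USR1 behaviour)."""
        hosts = sorted(self.expiry)
        for h in hosts:
            self.unblock(h)
        self.expiry.clear()
        return hosts

    def shutdown(self):
        """Graceful stop: flush if clean_rules is set, otherwise leave the rules in place."""
        self.stop = True
        return self.flush() if self.clean_rules else []

    def install_signals(self):
        signal.signal(signal.SIGUSR1, lambda *_: self.flush())
        signal.signal(signal.SIGTERM, lambda *_: self.shutdown())


if __name__ == "__main__":
    dl = DenyList(time_limit=3600, clean_rules=True,
                  block=lambda h: print("deny", h), unblock=lambda h: print("allow", h))
    dl.install_signals()
    dl.deny("203.0.113.7")            # constructed sample address
    while not dl.stop:                # daemon loop: sweep timers until SIGTERM
        dl.expire()
        time.sleep(1)
```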
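Message 13 asks whether "source port 53 to <1024" alerts from the ISP's two nameservers to port 137 are bad traffic. The script below is an added example, not from the list or from Snort: it parses the syslog-format alert lines quoted in that message (plus one constructed line from a non-resolver address), checks whether each source is one of the resolvers the poster named, and reports the interval between alerts.

```python
"""Parse Snort syslog alert lines like those in Message 13 and sort the
'source port 53 to <1024' hits by whether they come from a known resolver."""
import re
from datetime import datetime

# The two alert lines quoted in the digest, plus one constructed line from an
# address (TEST-NET-3) that is not one of the ISP's resolvers.
SAMPLE_LOG = """\
May 18 16:10:03 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic   Priority: 2]: 212.156.4.4:53 -> 212.156.196.133:137
May 18 16:10:08 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic   Priority: 2]: 212.156.4.20:53 -> 212.156.196.133:137
May 18 16:10:13 gardiyan snort: MISC source port 53 to <1024 [Classification: Potentially Bad Traffic   Priority: 2]: 203.0.113.9:53 -> 212.156.196.133:137
"""

# The two addresses the poster identifies as the ISP's nameservers.
ISP_RESOLVERS = {"212.156.4.4", "212.156.4.20"}

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort: (?P<msg>.+?) "
    r"\[Classification: (?P<cls>.+?)\s+Priority: (?P<prio>\d+)\]: "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_alerts(text, year=2001):
    """Turn syslog alert lines into dicts; syslog omits the year, so it is supplied."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a Snort alert line
        a = m.groupdict()
        a["time"] = datetime.strptime(f"{year} {a['ts']}", "%Y %b %d %H:%M:%S")
        a["sport"], a["dport"], a["prio"] = int(a["sport"]), int(a["dport"]), int(a["prio"])
        alerts.append(a)
    return alerts


def triage(alerts, resolvers):
    """Label each alert by source: port-53 packets from a configured resolver to
    port 137 are 'from-known-resolver', anything else 'from-unknown-source'.
    Also records the gap in seconds since the previous alert (the cadence the
    poster noticed), so a steady timer-like interval is visible at a glance."""
    out, prev = [], None
    for a in alerts:
        gap = (a["time"] - prev).total_seconds() if prev else None
        prev = a["time"]
        if a["sport"] == 53 and a["src"] in resolvers and a["dport"] == 137:
            label = "from-known-resolver"
        else:
            label = "from-unknown-source"
        out.append({"src": a["src"], "dport": a["dport"], "gap": gap, "label": label})
    return out


if __name__ == "__main__":
    for row in triage(parse_alerts(SAMPLE_LOG), ISP_RESOLVERS):
        print(row)
```

The labels only say whether the sender is a resolver the host is configured to trust; with resolv.conf pointing at 127.0.0.1 and no forwarding in named.conf, the host never queried those servers, so the interval and the unsolicited port-137 destination are what a practitioner would look at next.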




