[Snort-users] Step by Step GUIDE Part I released

S. sleepy at ...7582...
Fri Dec 13 16:02:02 EST 2002


Hi, I wrote Part I of what I would like to be a series of tutorials, both
administrative and coding, on SNORT.
It can be found at
http://www.maximumunix.org/modules.php?name=News&file=article&sid=6

I would appreciate your feedback.
Thanks

----- Original Message -----
From: <snort-users-request at lists.sourceforge.net>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, December 13, 2002 3:39 PM
Subject: Snort-users digest, Vol 1 #2582 - 14 msgs


> Send Snort-users mailing list submissions to
> snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> snort-users-admin at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. RE: New Trend: Intrusion Prevention (twig les)
>    2. Re: stopping snort (Bennett Todd)
>    3. Re: New Trend: Intrusion Prevention (Alberto Gonzalez)
>    4. Re: stopping snort (Alberto Gonzalez)
>    5. No Traffic stats showing in my acid main php browser (Salloum, Camile)
>    6. Re: New Trend: Intrusion Prevention (Erick Mechler)
>    7. RE: New Trend: Intrusion Prevention (Chris Eidem)
>    8. RE: No Traffic stats showing in my acid main php browser (Axness, Bob)
>    9. Huge Amount of Port 1433 Scans From Asian IP's (Ibarra, Michael)
>   10. YASG :-) - yet another setup guide for snort (switched, Debian,
>        MySQL, etc) (Anton A. Chuvakin)
>   11. Re: New Trend: Intrusion Prevention (Martin Roesch)
>   12. snorting SSL/TLS traffic? (Todd Holloway)
>
> --__--__--
>
> Message: 1
> Date: Fri, 13 Dec 2002 12:26:57 -0800 (PST)
> From: twig les <twigles at ...131...>
> Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> To: "Ibarra, Michael" <m.ibarra at ...7065...>,
>   "'Sheahan, Paul \(PCLN-NW\)'" <Paul.Sheahan at ...2218...>,
>   "Snort List \(E-mail\)" <snort-users at lists.sourceforge.net>
>
> I've seen a few of these for a couple years now, but
> generally I run into the host-based ones.  Eeye makes
> one for that retarded MS web server here:
> http://www.eeye.com/html/Products/SecureIIS/index.html
>
> I believe it intercepts kernel calls and blocks/passes
> them, kinda playing middleman.  Not sure though.
> Looks neat, but I don't see any silver bullet here
> either; not unless you want to slap this type of thing
> on your 500-5000 XP workstations too.
>
> --- "Ibarra, Michael" <m.ibarra at ...7065...> wrote:
> > -----Original Message-----
> > From: Sheahan, Paul (PCLN-NW)
> > [mailto:Paul.Sheahan at ...2218...]
> > Sent: Friday, December 13, 2002 12:31 PM
> > To: Snort List (E-mail)
> > Subject: [Snort-users] New Trend: Intrusion
> > Prevention
> >
> >
> >
> > I attended Infosecurity 2002 yesterday and there was
> > much talk about
> > intrusion detection going away, and intrusion
> > prevention replacing it. Does
> > anyone know if there are any plans to include
> > intrusion prevention
> > functionality into Snort in the future?
> >
> > Thanks,
> >
> > Paul Sheahan
> >
> > Can you elaborate on this? Do they mean that a
> > sensor will pro
> > actively block IP's/attacks?
> >
> > -mike
> >
> >
> >
>
>
> =====
> -----------------------------------------------------------
> If you give a man a fish, he can eat for a day
> If you bludgeon him to death, you can eat the fish yourself
> -----------------------------------------------------------
>
>
>
> --__--__--
>
> Message: 2
> Date: Fri, 13 Dec 2002 15:46:44 -0500
> From: Bennett Todd <bet at ...6163...>
> To: Don <Don at ...5881...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] stopping snort
>
>
>
> 2002-12-13-13:54:14 Don:
> > Has anyone found a way to stop snort, automatically, [...]
>
> That's very much a platform-specific question. On platforms on which
> I'd try and support snort, when it's installed the way I'd install
> it, I can always stop it with "/etc/init.d/snort stop".
>
> > what i want to do is have snort stop, if it gets more than 'x'
> > alerts in a single hour, or some time frame, then of course email
> > me that it has stopped.
>
> On the platforms where I'd support snort, I'd just use swatch with a
> rule to stop snort. No new engineering required. However, I wouldn't
> actually set this up; instead, I'd fix the underlying problem of
> looping errors.
>
> > i do go to syslog with alerts. any suggestions. I have a
> > particular sensor that periodically starts alerting on something,
> > that just causes a round robin effect, and fills up the logs with
> > the same error over and over and over, it gets really boring
> > actually.
>
> Sounds like the snort alert is re-triggering the alarm. You've got
> several choices.
>
> - don't ship the snort alerts off-system
> - don't ship them through an interface that snort is watching
> - fix the signature so it doesn't re-signal on its own alarm data
> - encapsulate the alarm data in something like SSL or SSH so snort
>   can't see the scary bits any more
> - write a BPF filter to blind snort to the traffic stream that's
>   carrying the alarms off-system
> - disable the alarm that's looping
>
> and maybe there are more alternatives.
>
> -Bennett
>
>
>
> --__--__--
>
> Message: 3
> Date: Fri, 13 Dec 2002 15:58:30 -0800
> From: Alberto Gonzalez <albertg at ...7149...>
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New Trend: Intrusion Prevention
>
> Why would you want to use an IPS to stop a SYN|FIN sweep? Portscans are
> the same ol' thing nowadays. Not like in the past few years where new
> techniques would keep getting released. Your IPS software (appliance)
> should be tuned to defend against attacks, not mere probes at your
> network. Heck, there are methods to trick nmap out there. I think if
> intrusion prevention is going to get anywhere, it needs to just
> concentrate on attacks; you don't want to overwhelm it. Or is it just me
> that hasn't seen anything interesting in a portscan in the last, oh say,
> year?
>
> These are my opinions, I would love to hear others but let's keep it
> off-list..
>
> Cheers!
>
>     - Alberto
>
> Bob Dehnhardt wrote:
>
> >Everything I've seen about IPS is that it's intended as another facet of
> >security, not as a replacement for IDS. IPS is useful for preventing attacks
> >that can be identified with a high (99%+) degree of accuracy, like SYN/FIN
> >sweeps. Attacks that may have a significant number of false positives are
> >outside IPS's realm, since having that traffic dropped would likely affect
> >normal network operations. IDS with a real live decision-making person will
> >be used in those cases, just as today.
> >
> >There is no single solution, probably never will be.
> >
> > - Bob
> >
> >Bob Dehnhardt
> >IT Operations Manager - Reno
> >TriNet
> >(775) 327-6407
> >
> > -----Original Message-----
> >From: Steve Halligan [mailto:giermo at ...187...]
> >Sent: Friday, December 13, 2002 10:16 AM
> >To: 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
> >Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> >
> >
> >
> >>I attended Infosecurity 2002 yesterday and there was much talk about
> >>intrusion detection going away, and intrusion prevention
> >>replacing it. Does
> >>anyone know if there are any plans to include intrusion prevention
> >>functionality into Snort in the future?
> >>
> >>
> >
> >The future is now.
> >
> >http://www.snort.org/dl/contrib/patches/inline/
> >
> >Also see Hogwash at:
> >http://www.snort.org/dl/contrib/patches/hogwash/
> >
> >Now one could (and I would) debate the premise that you stated, but that is
> >a whole 'nother can of worms.
> >
> >-steve
> >
> >
> >
> >
> >
>
> --
> The secret to success is to start from scratch and keep on scratching.
>
>
>
>
> --__--__--
>
> Message: 4
> Date: Fri, 13 Dec 2002 16:06:36 -0800
> From: Alberto Gonzalez <albertg at ...7149...>
> CC: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] stopping snort
>
> daemontools?
>
> Bennett Todd wrote:
>
> >2002-12-13-13:54:14 Don:
> >
> >
> >>Has anyone found a way to stop snort, automatically, [...]
> >>
> >>
> >
> >That's very much a platform-specific question. On platforms on which
> >I'd try and support snort, when it's installed the way I'd install
> >it, I can always stop it with "/etc/init.d/snort stop".
> >
> >
> >
> >>what i want to do is have snort stop, if it gets more than 'x'
> >>alerts in a single hour, or some time frame, then of course email
> >>me that it has stopped.
> >>
> >>
> >
> >On the platforms where I'd support snort, I'd just use swatch with a
> >rule to stop snort. No new engineering required. However, I wouldn't
> >actually set this up; instead, I'd fix the underlying problem of
> >looping errors.
> >
> >
> >
> >>i do go to syslog with alerts. any suggestions. I have a
> >>particular sensor that periodically starts alerting on something,
> >>that just causes a round robin effect, and fills up the logs with
> >>the same error over and over and over, it gets really boring
> >>actually.
> >>
> >>
> >
> >Sounds like the snort alert is re-triggering the alarm. You've got
> >several choices.
> >
> >- don't ship the snort alerts off-system
> >- don't ship them through an interface that snort is watching
> >- fix the signature so it doesn't re-signal on its own alarm data
> >- encapsulate the alarm data in something like SSL or SSH so snort
> >  can't see the scary bits any more
> >- write a BPF filter to blind snort to the traffic stream that's
> >  carrying the alarms off-system
> >- disable the alarm that's looping
> >
> >and maybe there are more alternatives.
> >
> >-Bennett
> >
> >
>
> --
> The secret to success is to start from scratch and keep on scratching.
>
>
>
>
> --__--__--
>
> Message: 5
> From: "Salloum, Camile" <SalloumC at ...7716...>
> To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
> Date: Fri, 13 Dec 2002 16:07:21 -0500
> Subject: [Snort-users] No Traffic stats showing in my acid main php browser
>
> Hi.  I am at the point now where I have run the CIS Cerberus Scanner on my
> local host.  The machine is not connected to a good switch, just a simple
> Linksys switch.  I have run the CIS Scanner and still get no traffic stats.
> Why?  What am I missing here?  Why doesn't the web browser automatically
> refresh itself?  I am forced to refresh it manually.  Where can I check to
> troubleshoot?  Thank You.
>
> Camile L Salloum
>
>
>
>
>
> --__--__--
>
> Message: 6
> Date: Fri, 13 Dec 2002 13:14:07 -0800
> From: Erick Mechler <emechler at ...7719...>
> To: twig les <twigles at ...131...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New Trend: Intrusion Prevention
>
> :: I believe it intercepts kernel calls and blocks/passes
> :: them, kinda playing middleman.  Not sure though.
> :: Looks neat, but I don't see any silver bullet here
> :: either; not unless you want to slap this type of thing
> :: on your 500-5000 XP workstations too.
>
> Okena makes one that my team is currently evaluating.  Twig, you're right,
> it sits between the application and the OS level and looks at all system
> calls that the applications are making.  Benefits of sitting this low: you
> can have extremely fine-grained control over what an application is allowed
> to use/modify/read/etc.; you can analyze encrypted data since the
> application has already decrypted it.  Drawbacks: it takes a *lot* of setup
> time to figure out exactly what certain applications need.
>
>   http://www.okena.com/areas/products/products_stormwatch.html
>
> Niels Provos also wrote something similar for UNIX, called systrace.
>
>   http://www.citi.umich.edu/u/provos/systrace/
>
> I'm not sure this is what Paul Sheahan was referring to when he was talking
> about Intrusion Prevention, though, seeing as this is a host-based
> solution.  There are network-based Intrusion Prevention solutions, but in
> my opinion they're really not practical due to the fact that you need an
> extremely high degree of accuracy (as Bob already mentioned).
>
> Cheers - Erick
>
>
> --__--__--
>
> Message: 7
> Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> Date: Fri, 13 Dec 2002 15:27:47 -0600
> From: "Chris Eidem" <ceidem at ...5503...>
> To: "twig les" <twigles at ...131...>,
> "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
>
> > -----Original Message-----
> > From: twig les [mailto:twigles at ...131...]
> > Sent: Friday, December 13, 2002 2:27 PM
> > To: Ibarra, Michael; 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
> > Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> >
> >
> > I've seen a few of these for a couple years now, but
> > generally I run into the host-based ones.  Eeye makes
> > one for that retarded MS web server here:
> > http://www.eeye.com/html/Products/SecureIIS/index.html
> >
> > I believe it intercepts kernel calls and blocks/passes
> > them, kinda playing middleman.  Not sure though.
> > Looks neat, but I don't see any silver bullet here
> > either; not unless you want to slap this type of thing
> > on your 500-5000 XP workstations too.
>
> my retarded servers have enough trouble with their IIS miscommunicating
> with the kernel as it is.  i really don't want to add another layer that
> could muck things up even more...
>
> my basic thought is this (IPS - that is) is too dangerous right now for
> this to be used in a production network.  the DOS potential against a
> system is way too high and you would have to have 10000 rules to make sure
> that you have the right signature before you start blocking connections
> accurately.
>
> locking the doors and checking the windows is difficult enough without
> having to go out onto the sidewalk and chase any 'shady' looking person
> from your yard.
>
>  - chris
>
>
> --__--__--
>
> Message: 8
> From: "Axness, Bob" <BAxness at ...7743...>
> To: "'Salloum, Camile'" <SalloumC at ...7716...>,
>     "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] No Traffic stats showing in my acid main php browser
> Date: Fri, 13 Dec 2002 15:37:46 -0600
>
> I am a newbie to Snort but I think your problem is...
> The interface that is doing the listening needs to be on a hub or a switch
> capable of doing port mirroring/monitoring.
> If you are on a normal switch listening you won't see/hear anything.  Swap
> it out with a hub and I bet you'll see some stats.
>
> Bob
>
>
>
> -----Original Message-----
> From: Salloum, Camile [mailto:SalloumC at ...7716...]
> Sent: Friday, December 13, 2002 3:07 PM
> To: 'snort-users at lists.sourceforge.net'
> Subject: [Snort-users] No Traffic stats showing in my acid main php
> browser
>
>
> Hi.  I am at the point now where I have run the CIS Cerberus Scanner on my
> local host.  The machine is not connected to a good switch, just a simple
> Linksys switch.  I have run the CIS Scanner and still get no traffic stats.
> Why?  What am I missing here?  Why doesn't the web browser automatically
> refresh itself?  I am forced to refresh it manually.  Where can I check to
> troubleshoot?  Thank You.
>
> Camile L Salloum
>
>
>
>
>
>
>
>
> --__--__--
>
> Message: 9
> From: "Ibarra, Michael" <m.ibarra at ...7065...>
> To: snort-users at lists.sourceforge.net
> Date: Fri, 13 Dec 2002 16:50:17 -0500
> Subject: [Snort-users] Huge Amount of Port 1433 Scans From Asian IP's
>
> Am I the only one who has seen an extremely large rise
> in scans to port 1433/ms-sql? While not a problem for me,
> we do not run this crap, just curious to find out why it hasn't
> stopped, the src addr's are mostly the same.
>
> -mike
>
>
> --__--__--
>
> Message: 10
> Date: Fri, 13 Dec 2002 17:17:42 -0500 (EST)
> From: "Anton A. Chuvakin" <anton at ...5376...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] YASG :-) - yet another setup guide for snort (switched, Debian,
>  MySQL, etc)
>
> All,
>
> Covers Debian GNU/Linux based setup for single sensor and distributed
> environments, MySQL, ACID, etc.
>
> "Complete Snort-based IDS Architecture, Part One "
> http://online.securityfocus.com/infocus/1640
>
> "Complete Snort-based IDS Architecture, Part Two"
> http://online.securityfocus.com/infocus/1643
>
> Comments are welcome!
>
> Best,
> --
>   Anton A. Chuvakin, Ph.D., GCIA
>      http://www.chuvakin.org
>    http://www.info-secure.org
>
>
>
> --__--__--
>
> Message: 11
> Date: Fri, 13 Dec 2002 17:21:25 -0500
> Subject: Re: [Snort-users] New Trend: Intrusion Prevention
> Cc: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
> To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
> From: Martin Roesch <roesch at ...1935...>
>
> Hi Paul,
>
> I went into this on the Focus-IDS mailing list a month or so ago.
> Basically, I believe IPS to be more of a threat to (or the future of)
> firewalls.  Network intrusion prevention devices sit in-line and
> provide permit/deny access control for packet streams based on whether
> or not they're attacks.  Presumably it would be relatively easy as a
> subset of functionality to add stateful packet filtering that's just as
> good or better than any existing firewalling mechanisms.  Netscreen and
> Checkpoint have figured this out which is why you see them making
> aggressive moves in the IPS space.  Intrusion detection devices have a
> VERY different role in the network security hierarchy, they provide
> *awareness* of what's happening on your network, verification of policy
> compliance and detection of potential threats and anomalies.
>
> Let me lay out two scenarios that illustrate why intrusion prevention
> != intrusion detection and why it's unlikely that IPS will ever replace
> IDS (and how everyone who's trying to tell you it will is trying to
> sell you something):
>
> 1) IPS devices only guard the peering points (at best) of the network.
> In the case of an attack between hosts on the same broadcast network
> (inside the peering point) you have absolutely no coverage from the
> IPS.  In that case you'll need to have an IDS to tell you what's going
> on.  For example, someone in engineering decides to give himself a
> raise by hacking into the accounting department and making it so, your
> IPS has no visibility into this traffic so it's quite worthless.  Your
> IDS can see this traffic, however, and collect the relevant information
> for detection/enforcement of policy and evidence for law enforcement.
>
> 2) No IPS is going to be perfect, so attacks are going to slip through
> them.  It can be attacks that they don't know about (new buffer
> overflows, etc) or even traffic that's legitimate but hostile in your
> environment, like non-anonymous logins to your anonymous FTP server.
> If an attack gets by an IDS, how will you know?  You better have a
> pretty good IDS to tell you, that's how.
>
> There are several other things I could highlight, but I think this
> illustrates the point pretty well and it's Friday and late and I feel
> like going home. :)
>
>       -Marty
>
>
> On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW)
> wrote:
>
> >
> > I attended Infosecurity 2002 yesterday and there was much talk about
> > intrusion detection going away, and intrusion prevention replacing it.
> > Does
> > anyone know if there are any plans to include intrusion prevention
> > functionality into Snort in the future?
> >
> > Thanks,
> >
> > Paul Sheahan
> > Manager of Information Security
> > Priceline.com
> > paul.sheahan at ...2218...
> >
> >
> >
> >
> >
> >
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
>
>
> --__--__--
>
> Message: 12
> Date: Fri, 13 Dec 2002 17:37:54 -0600
> From: Todd Holloway <todd at ...4574...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snorting SSL/TLS traffic?
>
>
> I've been playing with "ssldump" today and I've gotten it
> so that I can see (when giving it the proper private key) I can decrypt
> some traffic (how much I'm still not sure...but more than w/o the key).
>
> Is there a way I can get snort "see" the network the same way?
>
> Is somebody working on this...most of the traffic to our site is "https".
>
> thanks
> todd
>
> --
> [It] contains "vegetable stabilizer" which sounds ominous.  How unstable are vegetables?
> Jeff Zahn
>
>
>
> --__--__--
>
>
>
> End of Snort-users Digest
>
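Don's question about stopping snort after "more than 'x' alerts in a single hour", and Bennett Todd's diagnosis that a signature is re-triggering on the sensor's own alarm export, describe a detection-and-mitigation loop that is easy to script. The Python below is an added example, not code from any poster in the digest: it spots a looping signature over constructed Snort syslog lines and builds the BPF exclusion Bennett lists as one option. The syslog line format, the year, the sensor and loghost addresses (10.0.0.5, 10.0.0.9) and the sids are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic Snort 2.x syslog alert line (assumed format). The sample lines are
# constructed: sensor 10.0.0.5 ships alerts to loghost 10.0.0.9 over syslog,
# and a local rule (sid 1000001) keeps firing on that very export.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

SAMPLE_SYSLOG = """\
Dec 13 13:54:14 sensor1 snort[4242]: [1:1000001:1] LOCAL syslog alert echo [Classification: Misc activity] [Priority: 3]: {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 13:54:15 sensor1 snort[4242]: [1:1000001:1] LOCAL syslog alert echo [Classification: Misc activity] [Priority: 3]: {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 14:10:02 sensor1 snort[4242]: [1:1000002:1] LOCAL probe seen [Priority: 2]: {ICMP} 192.168.1.7 -> 10.0.0.9
Dec 13 14:20:31 sensor1 snort[4242]: [1:1000001:1] LOCAL syslog alert echo [Classification: Misc activity] [Priority: 3]: {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 14:40:07 sensor1 snort[4242]: [1:1000001:1] LOCAL syslog alert echo [Classification: Misc activity] [Priority: 3]: {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 15:30:00 sensor1 snort[4242]: [1:1000001:1] LOCAL syslog alert echo [Classification: Misc activity] [Priority: 3]: {UDP} 10.0.0.5:514 -> 10.0.0.9:514
""".splitlines()


def parse_alert(line, year=2002):
    """Parse one syslog alert line; syslog carries no year, so one is assumed."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"],
            "src": m["src"], "dst": m["dst"]}


def find_looping_sids(lines, max_per_window, window_seconds=3600):
    """Map sid -> time it first exceeded max_per_window alerts inside any
    sliding window of window_seconds (Don's "more than x alerts in an hour")."""
    recent = defaultdict(deque)   # sid -> timestamps still inside the window
    flagged = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:             # blank or non-alert syslog line
            continue
        q = recent[a["sid"]]
        q.append(a["ts"])
        while (a["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > max_per_window and a["sid"] not in flagged:
            flagged[a["sid"]] = a["ts"]
    return flagged


def bpf_exclude_syslog(sensor_ip, loghost_ip, port=514):
    """BPF expression that hides the sensor's own syslog export from snort
    (Bennett's "blind snort to the traffic stream carrying the alarms");
    snort 2.x accepts it trailing on the command line or from a file via -F."""
    return f"not (host {sensor_ip} and host {loghost_ip} and udp port {port})"


if __name__ == "__main__":
    for sid, when in find_looping_sids(SAMPLE_SYSLOG, max_per_window=3).items():
        print(f"sid {sid} is looping: >3 alerts/hour as of {when:%H:%M:%S}")
    print("BPF to add:", bpf_exclude_syslog("10.0.0.5", "10.0.0.9"))
```

Rather than stopping snort outright, a swatch rule could call the same check and, once a sid is flagged, mail the operator and disable that one rule.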
