[Snort-users] Re: Snort-users digest, Vol 1 #1553 - 15 msgs

Wynn Fenwick wfenwick at ...2714...
Tue Feb 5 16:29:02 EST 2002


I would speculate the only way to do this is to fully populate the table with the alerts in it before any alerts are submitted. This way they are all in sync together. However, this will have to be repeated when new signatures come out with new sids. The problem is that the sid table's index does not use the sid of the signature directly.

For your existing setup, you'll likely have to do some UPDATEs on the sid table so they are all in sync manually. Ouch.

I suspect that binding them in ACID itself would cause other problems, but I'm sure Roman can speculate much more in-depth than I.

W

snort-users-request at lists.sourceforge.net wrote:

> Send Snort-users mailing list submissions to
>         snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-users-admin at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>   ------------------------------------------------------------------------
> Today's Topics:
>
>    1. Suspicious email message intercepted ('IT Virus Filter')
>    2. Re: what does flags: A+ mean in the snort rules? (James Hoagland)
>    3. RE: what does flags: A+ mean in the snort rules? (Wirth, Jeff)
>    4. Re: what does flags: A+ mean in the snort rules? (James Hoagland)
>    5. Re: (new?) worm or bot signature - echo request (Stephane Nasdrovisky)
>    6. Yahoo Messenger? (tyler at ...4440...)
>    7. centralized mysql collation (David E. Wach)
>    8. (no subject) (Edward Cole)
>    9. RE: what does flags: A+ mean in the snort rules? (Grimes, Shawn (NIA/IRP))
>   10. Re: what does flags: A+ mean in the snort rules? (Charles)
>   11. Signaled Stop/Start? (Chip Kelly)
>   12. Re: [Snort-devel] 1.8.4-beta1 feedback? (Jeff Nathan)
>   13. 2 Issues (David Chait)
>   14. RE: mySQL Data Question (Graham, Randy (RAW) )
>   15. RE: [Snort-devel] 1.8.4-beta1 feedback? (Smith, Donald )
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] Suspicious email message intercepted
> Date: Tue, 5 Feb 2002 13:46:45 -0500 (EST)
> From: "'IT Virus Filter'" <virus at ...4873...>
> To: <snort-users at lists.sourceforge.net>
>
> Hello-
>
> You are receiving this message because an email message with a
> suspicious attachment was intercepted by the POP server.  It
> is possible that the message was actually valid, and simply
> shared some common features with email viruses such as the
> 'lovebug' virus.
>
>         Replies to virus at ...4873... are not read; this
> is an automated process to facilitate forwarding the executable
> attachment. You must follow these instructions exactly in order
> for the software to forward the email.
>
> If you can confirm that this is indeed a valid email message,
> and not a virus, then simply respond to this message, pasting the
> following information into the Subject: field (copied exactly, all
> on one line, starting with "Message re-delivery"):
> example: Message re-delivery request -459023xadf-27af834-_12350_0
>
> Message re-delivery request -003501c1ae73-d03d87d0-b467e4c3-swsdb-_28895_0
>
> Some identifying information about the message:
>         Sender:         "Szilagyi Gergely" <szilagyi at ...3673...>
>         Subject:        Re: [Snort-users] Snort and MsSQL
>         Attachment:     "Re_ [Snort-users] Having Snort log to a remote SQL server....eml"
>         Attachment:     "spo_database.c"
>         Attachment:     "Re_ [Snort-users] How to place Snort machine on the network _.eml"
>         Attachment:     "Fw_ [Snort-users] what changes are required to move from MySQL toMSSQL_.eml"
>         Attachment:     "Re_ [Snort-users] what changes are required to move from MySQL toMSSQL_.eml"
>
> We realize that this process is somewhat cumbersome, but, given the
> amount of damage that can be caused by email viruses, this is less
> disruptive in the long run.
>
> Please send email to <helpdesk at ...2755...> if you have any questions
> or concerns.
>
> Thank you-
> Genuity IT
>
>   ------------------------------------------------------------------------
>
> Subject: Re: [Snort-users] what does flags: A+ mean in the snort rules?
> Date: Tue, 5 Feb 2002 11:09:06 -0800
> From: James Hoagland <hoagland at ...47...>
> To: Charles <quanxing at ...4668...>
> CC: snort-users at lists.sourceforge.net
> References: <Pine.SOL.4.10.10202051220100.14362-100000 at ...4870...>
>
> At 12:27 PM -0600 2/5/02, Charles wrote:
> >I know A is for ack bit, but what does the + mean here?
>
> 'A+' means the ack bit must be set, and other TCP flag bits may also
> be set.  'A' by itself means that ack is the only bit set.
>
> -- Jim
> --
> |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
> |*            --- Silicon Defense: IDS Solutions ---             *|
> |*  hoagland at ...47..., http://www.silicondefense.com/  *|
> |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
>
>   ------------------------------------------------------------------------
>
> Subject: RE: [Snort-users] what does flags: A+ mean in the snort rules?
> Date: Tue, 5 Feb 2002 14:17:37 -0500
> From: "Wirth, Jeff" <WirthJe at ...4876...>
> To: "'Charles'" <quanxing at ...4668...>
> CC: snort-users at lists.sourceforge.net
>
> + All flag, match on all specified flags plus any others...
>
> - Jeff
>
> -----Original Message-----
> From: Charles [mailto:quanxing at ...4668...]
> Sent: Tuesday, February 05, 2002 1:28 PM
> Cc: snort-users at lists.sourceforge.net
> Subject: [Snort-users] what does flags: A+ mean in the snort rules?
>
> I know A is for ack bit, but what does the + mean here?
>
> Thank you very much!
>
> Charles
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>   ------------------------------------------------------------------------
>
> Subject: Re: [Snort-users] (new?) worm or bot signature - echo request
> Date: Tue, 05 Feb 2002 20:39:32 +0100
> From: "Stephane Nasdrovisky" <stephane.nasdrovisky at ...4735...>
> Organization: uniwayers
> To: Scott Nursten <scottn at ...4526...>
> CC: snort-users at lists.sourceforge.net
> References: <B88494BE.10C%scottn at ...4526...>
>
> Scott Nursten wrote:
>
> > What version of Snort is this? If it's 1.8.3,
>
> It was a snort 1.8.1 on solaris 8/sparc
>
> > there were some problems with the stream4 (I think) preprocessor which was
> > allowing for some pretty
> > unbelievable packet mangling by the time it hit the log :)
>
> > Your packet looks like a ICMP mangled with DHCP/BOOTP...!?
>
> > I could be wrong, but I don't see why DHCP info would be in an ICMP packet...!
>
> I don't either. There is no dhcp server on the network snort is listening on,
> our dhcp server is not serving any 192.168.0.* address, the mac address is not one
> of ours.
> I bet the icmp packet really did contain this data; it is probably not a snort
> bug.
> Another alternative is a flaw in the ip stack of the sender. I've sometimes seen
> packets (especially reset) containing data they should not contain (i.e. a browser
> sending back part of the server's answer). Although I sometimes suspect some snort
> undocumented features, I've seen the same kind of behaviour in snoop outputs.
>
> I had never looked at dhcp packets; at least I learned what dhcp packets look like
> now. I was thinking of some malicious code reporting back their activity.
>
> > Anyone else got any ideas?
> >
> > > I received a strange icmp packet. The payload contains
> > > SERVER Offered         | Offering: 192.168.0.31  To: 0030651278CF  By:19
> > >
> > > 213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] Yahoo Messenger?
> Date: Tue, 5 Feb 2002 14:41:21 -0500
> From: tyler at ...4440...
> To: snort-users at lists.sourceforge.net
>
> Anyone had any success with a sig for yahoo messenger traffic [including the
> proxy-over-http configurations?]  or, better still, a surefire way to block
> it?
>
> tf.
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager at postmaster at ...4441...
> **********************************************************************
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] centralized mysql collation
> Date: Tue, 5 Feb 2002 11:51:37 -0800
> From: "David E. Wach" <david at ...4877...>
> To: <snort-users at lists.sourceforge.net>
>
> Hello all,
>
> I'm currently running snort at 3 remote sites with logging going to the local mysql daemon on each sensor.  I'm using the binary logging in mysql and transfer the logs periodically to my central log server.  I then run the binary logs through mysqlbinlog to "replay" the sql and insert the events into my main database.  This way I don't have to leave a connection up to each of the sites 24/7.
>
> The problem I'm running into is the way the mysql schema is set up.  Since the entries in the "signature" table are inserted on-the-fly on the remote databases, they don't match the "signature" table on my master database.  What might be "WEB-IIS _mem_bin access" on one IDS server ends up being "Traceroute UDP" on the other.  Any ideas on how to get all the signatures to correlate to each other?  I've got the same problem with the references too.
>
> Anybody else run into this and come up with a solution?
>
> Thanks for any insight,
> -david
>
> --
> ===============================================
> David E. Wach
> Senior Managed Security Architect
> david at ...4877...
> InfoGroup Northwest 541.485.0957 x168
> ===============================================
>
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] (no subject)
> Date: Tue, 05 Feb 2002 19:50:17
> From: "Edward Cole" <elcole at ...125...>
> To: snort-users at lists.sourceforge.net
>
> Folks,
>
> Is there a way to add mysql database support after snort has already been
> compiled?  How do I configure the snort.conf file?
>
> Ed Cole
>
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] RE: what does flags: A+ mean in the snort rules?
> Date: Tue, 5 Feb 2002 14:51:46 -0500
> From: "Grimes, Shawn (NIA/IRP)" <GrimesSh at ...3368...>
> To: "'snort-users at lists.sourceforge.net'"
>      <snort-users at lists.sourceforge.net>
>
> It means any packet with the Ack bit set and any other flag.
>
> -- __--__--
>
> Message: 4
> Date: Tue, 5 Feb 2002 12:27:34 -0600 (CST)
> From: Charles <quanxing at ...4668...>
> cc: snort-users at lists.sourceforge.net
> Subject: [Snort-users] what does flags: A+ mean in the snort rules?
>
> I know A is for ack bit, but what does the + mean here?
>
> Thank you very much!
>
> Charles
>
> -- __--__--
>
>   ------------------------------------------------------------------------
>
> Subject: Re: [Snort-users] what does flags: A+ mean in the snort rules?
> Date: Tue, 5 Feb 2002 13:53:53 -0600 (CST)
> From: Charles <quanxing at ...4668...>
> To: James Hoagland <hoagland at ...47...>
> CC: snort-users at lists.sourceforge.net
>
> Thank you very much!
>
> Charles
>
> On Tue, 5 Feb 2002, James Hoagland wrote:
>
> > At 12:27 PM -0600 2/5/02, Charles wrote:
> > >I know A is for ack bit, but what does the + mean here?
> >
> > 'A+' means the ack bit must be set, and other TCP flag bits may also
> > be set.  'A' by itself means that ack is the only bit set.
> >
> > -- Jim
> > --
> > |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
> > |*            --- Silicon Defense: IDS Solutions ---             *|
> > |*  hoagland at ...47..., http://www.silicondefense.com/  *|
> > |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
> >
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] Signaled Stop/Start?
> Date: Tue, 5 Feb 2002 15:11:41 -0500
> From: Chip Kelly <Chip.Kelly at ...4824...>
> To: snort-users at lists.sourceforge.net
>
> Is there a way to quickly, and gracefully, stop SNORT and re-start it to pick up configuration file changes? I'm using
>
> ps -ael | grep snort | kill ` awk ' { print $4 } ' `
> snort .... parameters ....
>
> in a script, but is there a signal that I can pass to snort that causes a restart? Similar to the signal that causes stats to be dumped without actually stopping and starting the process.
>
> Thanks. -chip
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] Re: [Snort-devel] 1.8.4-beta1 feedback?
> Date: Tue, 05 Feb 2002 13:42:19 -0800
> From: Jeff Nathan <jeff at ...950...>
> To: "Smith, Donald" <Donald.Smith at ...4852...>
> CC: "'Jeff Nathan'" <jeff at ...950...>, Martin Roesch <roesch at ...1935...>,
>      snort-users <snort-users at lists.sourceforge.net>,
>      snort-dev <snort-devel at lists.sourceforge.net>
> References: <2D00AD0E4D36D411BD300008C786E424069BF0C8 at ...4853...>
>
> "Smith, Donald" wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Jeff, what happened to the synscan kill code I sent you.
> > Did you reject it for some reason?
> >
> > Donald.Smith at ...4852... GCIA
> > QIS/WWN Security
> > 303-226-9939 Office
> > 720-320-1537 cell
>
> Donald,
>
> I still have the code, thanks for spending the time working on it.  As
> of now it hasn't been integrated into snort due to the use of static
> data used within the proof of concept code as well as our desire to
> simplify and optimize the code.
>
> We're looking at what can be added to the sp_respond code to try and
> shutdown backdoors, etc but I suspect there will be some debate before
> that is completed.
>
> -Jeff
>
> --
> http://jeff.wwti.com            (pgp key available)
> "Common sense is the collection of prejudices acquired by age eighteen."
> - Albert Einstein
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] 2 Issues
> Date: Tue, 5 Feb 2002 13:59:11 -0800
> From: "David Chait" <davidc at ...4306...>
> To: <snort-users at lists.sourceforge.net>
>
> Greetings,
>         I am relatively new to snort and need to do the following, any assistance
> would be greatly appreciated:
>
> #1 My current snort sensor constantly stops scanning within 24 hours, it is
> not overloaded, so I was wondering what could be causing this behavior
>
> #2 I need to add a second snort sensor to report to the same mysql database,
> how?
>
> Thanks,
> David Chait
>
>   ------------------------------------------------------------------------
>
> Subject: RE: [Snort-users] mySQL Data Question
> Date: Tue, 5 Feb 2002 17:10:22 -0500
> From: "Graham, Randy (RAW) " <RAW at ...4721...>
> To: snort-users at lists.sourceforge.net
>
> If you get any answers to this question, please share it.  I'm just getting
> snort going with mysql at my site, but we will face this issue soon.
>
> Randy Graham
> --
> The Internet?  Bah!  Is that thing still around?  -- Homer Simpson
> http://www.securitynewbie.com/ - for people like me
>
> > -----Original Message-----
> > From: Mike Walter [mailto:mike at ...3781...]
> > Sent: Monday, February 04, 2002 12:22 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] mySQL Data Question
> >
> >
> > Okay, so I have looked in the archive lists and the FAQ.
> > What is the best way to archive data from the mySQL database
> > of SNORT.  I have over 2 million records and it's running
> > slow.  I'd like to move the data into the archive_database by
> > date range.
> >
> > Mike Walter, MCP
> > PCD Network Solutions, Inc.
> > 3z.net a PCD Company
> > <http://www.3z.net>
> > "When Success is the Only Solution t h i n K 3z.net"
> >
> >
> >
> >
>
>   ------------------------------------------------------------------------
>
> Subject: [Snort-users] RE: [Snort-devel] 1.8.4-beta1 feedback?
> Date: Tue, 5 Feb 2002 16:11:26 -0700
> From: "Smith, Donald " <Donald.Smith at ...4852...>
> To: "'Jeff Nathan'" <jeff at ...950...>,
>      "Smith, Donald "
>      <Donald.Smith at ...4852...>
> CC: Martin Roesch <roesch at ...1935...>,
>      snort-users
>      <snort-users at lists.sourceforge.net>,
>      snort-dev
>      <snort-devel at lists.sourceforge.net>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeff, I believe the static data you're referring to is hardcoded data
> because that is what it takes to kill synscan1.5 or 1.6.
> A packet from www.microsoft.de on port 80 to port 31337 on the
> scanning machine.
> I realize this is a little specialized but it would affect a large
> number of scanners.
> Since a large part of the scanning being
> done on the net is still using synscan1.5/1.6 code
> I had hoped to get this patch accepted soon.
>
> I did send you two versions. Just to be sure you have the correct
> version I am including
> the latest version. It is for 1.8.3 not 1.8.4. and precaches the
> tcpsyn packet.
>
> Donald.Smith at ...4852... GCIA
> QIS/WWN Security
> 303-226-9939 Office
> 720-320-1537 cell
>
> > -----Original Message-----
> > From: Jeff Nathan [mailto:jeff at ...950...]
> > Sent: Tuesday, February 05, 2002 2:42 PM
> > To: Smith, Donald
> > Cc: 'Jeff Nathan'; Martin Roesch; snort-users; snort-dev
> > Subject: Re: [Snort-devel] 1.8.4-beta1 feedback?
> >
> >
> > "Smith, Donald" wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Jeff, what happened to the synscan kill code I sent you.
> > > Did you reject it for some reason?
> > >
> > > Donald.Smith at ...4852... GCIA
> > > QIS/WWN Security
> > > 303-226-9939 Office
> > > 720-320-1537 cell
> >
> > Donald,
> >
> > I still have the code, thanks for spending the time working on it.
> > As of now it hasn't been integrated into snort due to the use of
> > static data used within the proof of concept code as well as our
> > desire to simplify and optimize the code.
> >
> > We're looking at what can be added to the sp_respond code to try
> > and shutdown backdoors, etc but I suspect there will be some debate
> > before that is completed.
> >
> > -Jeff
> >
> >
> > --
> > http://jeff.wwti.com            (pgp key available)
> > "Common sense is the collection of prejudices acquired by age
> > eighteen."
> > - Albert Einstein
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
>
>
>   ------------------------------------------------------------------------
> [Attachment: SNORT_1.8.tar (application/x-tar), base64-encoded]
>
>   ------------------------------------------------------------------------
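The 'A' versus 'A+' semantics Jim Hoagland explains in the digest above, as an added example that is not part of the digest or of Snort's own code: a small matcher for the Snort `flags:` rule option. It assumes Snort's flag letters F S R P A U 1 2 and, beyond the two forms the thread discusses, also covers the '*' (any of) and '!' (none of) modifiers Snort provides.

```python
"""Matcher for the Snort rule option ``flags:`` discussed in the thread.

Added example, not Snort's own code.  Assumes Snort's flag letters
F S R P A U 1 2 (FIN SYN RST PSH ACK URG, two reserved bits); covers the
forms the thread discusses ('A' exact, 'A+' ACK plus any others) and
Snort's '*' (any of) and '!' (none of) modifiers as well.
"""

# TCP flag bit values as laid out in the TCP header's flags byte.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "1": 0x40,  # reserved bit 1 (later ECE)
    "2": 0x80,  # reserved bit 2 (later CWR)
}


def parse_flags_option(spec):
    """Split a ``flags:`` value such as 'A+' into (modifier, bitmask).
    The modifier is '' (exact), '+' (all of, others allowed),
    '*' (any of) or '!' (none of).  Unknown letters raise ValueError.
    """
    spec = spec.strip()
    modifier = ""
    if spec.startswith("!"):
        modifier, spec = "!", spec[1:]
    elif spec[-1:] in ("+", "*"):
        modifier, spec = spec[-1], spec[:-1]
    mask = 0
    for letter in spec:
        if letter not in TCP_FLAGS:
            raise ValueError("unknown TCP flag letter %r" % letter)
        mask |= TCP_FLAGS[letter]
    return modifier, mask


def flags_match(spec, packet_flags):
    """True if a packet's TCP flags byte satisfies the ``flags:`` spec."""
    modifier, mask = parse_flags_option(spec)
    if modifier == "":
        return packet_flags == mask           # exactly these flags, no others
    if modifier == "+":
        return packet_flags & mask == mask    # all of these, others allowed
    if modifier == "*":
        return packet_flags & mask != 0       # at least one of these
    return packet_flags & mask == 0           # '!': none of these set


# Constructed sample flag bytes, not taken from the thread.
SAMPLES = {
    "ack_only": 0x10,   # A
    "syn_ack": 0x12,    # SA
    "psh_ack": 0x18,    # PA
    "syn_only": 0x02,   # S
}


def evaluate(spec):
    """Map each constructed sample to whether ``spec`` would match it."""
    return {name: flags_match(spec, bits) for name, bits in SAMPLES.items()}
```

With these samples, `flags: A` fires only on the bare ACK while `flags: A+` also fires on SYN/ACK and PSH/ACK, which is the distinction the question was about.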
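One way to deal with the signature table mismatch David Wach describes (and Wynn's sid table reply addresses), as an added example that is not part of the thread, Snort or ACID: instead of replaying the remote binary log as-is, copy the remote events while remapping each sensor's auto-assigned sig_id to the central row with the same sig_name and sig_sid. It assumes a cut-down form of the Snort schema's signature and event tables and uses sqlite3 in place of MySQL so it runs offline.

```python
"""Merge a remote Snort sensor's events into a central database, remapping
signature ids by signature identity instead of replaying the raw INSERTs.
Added example, not part of the thread, Snort or ACID.  It assumes a cut-down
form of the two Snort schema tables involved: signature(sig_id, sig_name,
sig_sid), sig_id auto-assigned per database, and event(sid, cid, signature,
timestamp), where event.signature references signature.sig_id.
"""
import sqlite3
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY AUTOINCREMENT,
                        sig_name TEXT NOT NULL, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
"""
SIG_QUERY = "SELECT sig_id, sig_name, sig_sid FROM signature"


def open_db(signatures):
    """In-memory DB; sig_ids follow the order the sensor first saw each rule."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature (sig_name, sig_sid) VALUES (?, ?)",
                   signatures)
    return db


def merge_events(remote, central):
    """Copy remote events into central, mapping remote sig_ids to the central
    sig_id of the same (sig_name, sig_sid); creates unknown rows. Returns map."""
    central_ids = {}
    for sig_id, name, sid in central.execute(SIG_QUERY):
        central_ids[(name, sid)] = sig_id
    remap = {}
    for sig_id, name, sid in remote.execute(SIG_QUERY).fetchall():
        key = (name, sid)
        if key not in central_ids:   # first sighting anywhere: create the row
            cur = central.execute(
                "INSERT INTO signature (sig_name, sig_sid) VALUES (?, ?)", key)
            central_ids[key] = cur.lastrowid
        remap[sig_id] = central_ids[key]
    events = remote.execute("SELECT sid, cid, signature, timestamp FROM event")
    central.executemany(
        "INSERT INTO event (sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
        [(sid, cid, remap[sig], ts) for sid, cid, sig, ts in events])
    central.commit()
    return remap


def demo():
    """Constructed data: the two rule names quoted in the thread were seen in
    opposite order by the two sensors, so their sig_ids are swapped.  Sids and
    the third rule name are placeholders."""
    central = open_db([("WEB-IIS _mem_bin access", 1001), ("Traceroute UDP", 1002)])
    remote = open_db([("Traceroute UDP", 1002),
                      ("WEB-IIS _mem_bin access", 1001),
                      ("EXAMPLE placeholder rule", 1003)])
    # Sensor 2 logged a WEB-IIS hit (remote sig_id 2) and an unknown rule (sig_id 3).
    remote.execute("INSERT INTO event VALUES (2, 1, 2, '2002-02-05 11:51:37')")
    remote.execute("INSERT INTO event VALUES (2, 2, 3, '2002-02-05 11:52:00')")
    remap = merge_events(remote, central)
    names = central.execute(
        "SELECT e.cid, s.sig_name FROM event e "
        "JOIN signature s ON s.sig_id = e.signature ORDER BY e.cid").fetchall()
    return remap, names
```

Replaying the binary log directly would have filed the WEB-IIS event under "Traceroute UDP" on the central server; the remap keeps the name attached to the right row and adds rows only for rules the central database has never seen.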