[Snort-users] RE: Snort-users digest, Vol 1 #1490 - 13 msgs

Stephen Shepherd StephenShepherd at ...3353...
Wed Jan 16 08:34:11 EST 2002


I think you can do this with Unix ODBC, but I don't know of anyone doing
it.  Seems most of the nix users are logging to MySQL or PostGRES..

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
snort-users-request at lists.sourceforge.net
Sent: Tuesday, January 15, 2002 21:40
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #1490 - 13 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Having Snort log to a remote SQL server... (ALEX RAMS)
   2. RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet (Dan
Hollis)
   3. WHy no alerts using eth0_ADDRESS? (Dr. Richard W. Tibbs)
   4. RE: WHy no alerts using eth0_ADDRESS? (Hutchinson, Andrew)
   5. RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet (Matt
Kettler)
   6. Flex but no response .... (skill2die4)
   7. ICMP Fragment Reassembly time exceeded (Sheahan, Paul (PCLN-NW))
   8. Re: Flex but no response .... (Joe McAlerney)
   9. Puzzled with snort rules... (Edwin Gaton Pua, Engineer BIE,SCV)
  10. RE: Red Hat or Mandrake? (Abe L. Getchell)
  11. RE: Snort and Synflood alerts (Abe L. Getchell)
  12. Newbie Question.. (Edwin Pua)
  13. segfault caused by double free in spo_database.c (Kervin Pierre)

--__--__--

Message: 1
From: "ALEX RAMS" <alex_rams at ...125...>
To: snort-users at lists.sourceforge.net
Date: Tue, 15 Jan 2002 14:13:17 -0600
Subject: [Snort-users] Having Snort log to a remote SQL server...

I have three computers using Snort in Network Intrusion Detection Mode 
running Linux.  Yet, I'd like to have the Linux boxes running Snort log
to a 
Windows 2000 Sever Box running a SQL server.  The goal is to log to this

central console and than run ACID through IIS.  Can this be done and if
so 
please link me in the right direction.  To anyone who helps - Thank you,
in 
advance.

ALEX RAMS


_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com



--__--__--

Message: 2
Date: Tue, 15 Jan 2002 12:26:13 -0800 (PST)
From: Dan Hollis <goemon at ...20...>
To: "Austad, Jay" <austad at ...432...>
cc: "'Matt Kettler'" <mkettler at ...4108...>,
   =?iso-8859-1?Q?=27Lars_J=F8rgensen_IT=27?= <Lars.Jorgensen at ...979...4490...>,
   "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>,
   "'bugtraq at ...35...'" <bugtraq at ...35...>
Subject: RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet

On Tue, 15 Jan 2002, Austad, Jay wrote:
> Here's a description of the probe from the help provided in the
> configuration interface for the 3dns units:
> DNS_DOT (DNS Dot)
> [...]
> DNS_REV (Reverse IP address lookup)
> [...]

The mysterious malformed packets described in incidents are neither of 
these.

The f5 seems to be sending malformed DNS packets, and the DNS servers
are 
responding (correctly) with a format error.

Is this a bug or intentional on behalf of f5?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




--__--__--

Message: 3
Date: Tue, 15 Jan 2002 15:37:58 -0500
From: "Dr. Richard W. Tibbs" <ccamp at ...4532...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] WHy no alerts using eth0_ADDRESS?

I am puzzled mildly by some remarks in the snort.conf  file:
....
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any

By the comments above, I am led to believe that snort will always
initialize the $eth0_ADDRESS variable to the home net.
Snort has always worked "out of the shrink wrap" with no mods to 
snort.conf and finds eth0, my only active NIC;
snort -v reports packet as usual.

However ......

In an exploration with snort, I tried
var HOME_NET $eth0_ADDRESS
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

and I, when I ping another machine I get no alerts,
although the snort summary output counts as many packets as ping sends &

receives. (i.e., the snort output is like:
Breakdown by protocol:               Action Stats:
...                                   Akerts: 0
  ICMP: 12
...

But when I use
var HOME_NET 192.168.1.0/32
output alert_unixsock
alert icmp $HOME_NET any  -> any any (msg: "OUT" ;)
alert icmp any any  -> $HOME_NET any (msg: "IN" ;)

I get the appropriate equal amounts of INs and OUTs alerted to the
socket.

How come no alerts in the first case?
Do I actually have to set the eth0_ADDRESS variable myself?




--__--__--

Message: 4
Subject: RE: [Snort-users] WHy no alerts using eth0_ADDRESS?
Date: Tue, 15 Jan 2002 15:08:26 -0600
From: "Hutchinson, Andrew" <Andrew.Hutchinson at ...3639...>
To: <snort-users at lists.sourceforge.net>
Cc: "Dr. Richard W. Tibbs" <ccamp at ...4532...>

I believe that the issue is this:

when you use

var HOME_NET $eth0_ADDRESS

then your $HOME_NET is set to the _single_ ip address of eth0.  For =
instance, if eth0 is 192.168.1.1/32, then snort will _only_ alert when =
the ICMP packet is coming from or headed to eth0 on the sensor itself.
=
So, if your ping was from the sensor, I would expect alerts, whereas if
=
the ping is simply passing through the sensor, the $HOME_NET is not =
matched and thus no alert generated.

However, when you have=20

var HOME_NET 192.168.1.0/24

or the like, the entire subnet is matched by $HOME_NET, and the =
signature is matched and an alert generated.

Hope this helps,

Andrew


Andrew Hutchinson CNE MCSE
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson at ...3295...


-----Original Message-----
From: Dr. Richard W. Tibbs [mailto:ccamp at ...4532...]
Sent: Tuesday, January 15, 2002 2:38 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] WHy no alerts using eth0_ADDRESS?


I am puzzled mildly by some remarks in the snort.conf  file:
....
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any

By the comments above, I am led to believe that snort will always
initialize the $eth0_ADDRESS variable to the home net.
Snort has always worked "out of the shrink wrap" with no mods to=20
snort.conf and finds eth0, my only active NIC;
snort -v reports packet as usual.

However ......

In an exploration with snort, I tried
var HOME_NET $eth0_ADDRESS
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

and I, when I ping another machine I get no alerts,
although the snort summary output counts as many packets as ping sends &
=

receives. (i.e., the snort output is like:
Breakdown by protocol:               Action Stats:
...                                   Akerts: 0
  ICMP: 12
...

But when I use
var HOME_NET 192.168.1.0/32
output alert_unixsock
alert icmp $HOME_NET any  -> any any (msg: "OUT" ;)
alert icmp any any  -> $HOME_NET any (msg: "IN" ;)

I get the appropriate equal amounts of INs and OUTs alerted to the =
socket.

How come no alerts in the first case?
Do I actually have to set the eth0_ADDRESS variable myself?



_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users


--__--__--

Message: 5
Date: Tue, 15 Jan 2002 16:40:40 -0500
To: Dan Hollis <goemon at ...20...>, "Austad, Jay"
<austad at ...432...>
From: Matt Kettler <mkettler at ...4108...>
Subject: RE: SV: [Snort-users] BAD TRAFFIC data in TCP SYN packet
Cc: "'Lars =?iso-8859-1?Q?J=F8rgensen?= IT'" <Lars.Jorgensen at ...4592.....>,
   "'snort-users at lists.sourceforge.net'"
  <snort-users at lists.sourceforge.net>,
   "'bugtraq at ...35...'" <bugtraq at ...35...>

Yes, what you say is true, but if you scroll down, not only are they 
invalid DNS packets, they are also TCP syn packets to port 53 which
contain 
data.

------------------------------------
digging deeper, it appears they are also using TCP:

20:30:15.070616 172.20.78.202.3000 > dns-server.53: S
1839760761:1839760825(64) win 2048
aaaa 0300 0000 0800 4500 0068 7985 0000
f406 9cb9 ac14 4eca c0a8 1004 0bb8 0035
6da8 8579 0000 0000 5002 0800 f842 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
-------------------------------


At 12:26 PM 1/15/2002 -0800, Dan Hollis wrote:
>On Tue, 15 Jan 2002, Austad, Jay wrote:
> > Here's a description of the probe from the help provided in the
> > configuration interface for the 3dns units:
> > DNS_DOT (DNS Dot)
> > [...]
> > DNS_REV (Reverse IP address lookup)
> > [...]
>
>The mysterious malformed packets described in incidents are neither of
>these.
>
>The f5 seems to be sending malformed DNS packets, and the DNS servers
are
>responding (correctly) with a format error.
>
>Is this a bug or intentional on behalf of f5?
>
>-Dan
>--
>[-] Omae no subete no kichi wa ore no mono da. [-]



--__--__--

Message: 6
From: "skill2die4" <skill2die4 at ...131...>
To: <snort-users at lists.sourceforge.net>
Date: Tue, 15 Jan 2002 17:28:50 -0500
Subject: [Snort-users] Flex but no response ....

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort and related utilities version numbers :

libnet-1.0.2a-1snort.i386.rpm
libnet.tar.gz (1.0.2a)
libpcap (0.6)
snort -1.8.3 (built 88) [configured option=flexResp]
snort-plain+flexresp.1.8.3-5-i386.rpm
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

scenario :
-----------
10.0.0.3 --- pings to ---> 10.0.0.3

rule file ::
--------------
flexRESP.rules
alert icmp 10.0.0.3 any ---> any any (msg:"Not allowed";resp:icmp_host;)

snort activation
-------------------
snort -A full -c flexRESP.rules


Observation 
-------------
a. snort intialization reads -->

    1 snort rules read .... 
    1 option chain linked into 1 chain header
    0 dynamic rules

b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2;
   snort only WRITES to the ALERT file

 I tried using the REACT with "TCP && BLOCK , MSG" options and telnet
 from 10.0.0.3,the connect was refused ... however i didnt got any
 VISIBLE BLOCK MESSAGE from the other side.


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com



--__--__--

Message: 7
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
To: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
Date: Tue, 15 Jan 2002 17:52:59 -0500
Subject: [Snort-users] ICMP Fragment Reassembly time exceeded


Hello,

In my Snort logs I am seeing "ICMP Fragment Reassembly time exceeded" on
a
daily basis being sent as a response from our web servers to random
clients
on the Internet. I am running Snort Version 1.8.1-RELEASE (Build 78)
under
Red Hat Linux 7.0.

Can anyone tell me or point me in the right direction on how a client is
able to force a web server to respond with this ICMP message? I assume
it is
a means of a client gathering information from a server but want to get
more
information.


Thanks!
Paul



--__--__--

Message: 8
Date: Tue, 15 Jan 2002 15:22:04 -0800
From: Joe McAlerney <joey at ...47...>
To: skill2die4 <skill2die4 at ...131...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Flex but no response ....

You might want to try sniffing the line with tcpdump or snort -v to see
if the spoofed ICMP message is actually being sent.  Most people using
flex resp on a speedy network (I.E, one that does not have the latency
inherent on the Internet) will find that while the spoofed packet is
being created, the actual one makes it back to the sender.  There's more
on this in the archives.

HTH,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...47...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

skill2die4 wrote:
> 
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> snort and related utilities version numbers :
> 
> libnet-1.0.2a-1snort.i386.rpm
> libnet.tar.gz (1.0.2a)
> libpcap (0.6)
> snort -1.8.3 (built 88) [configured option=flexResp]
> snort-plain+flexresp.1.8.3-5-i386.rpm
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> 
> scenario :
> -----------
> 10.0.0.3 --- pings to ---> 10.0.0.3
> 
> rule file ::
> --------------
> flexRESP.rules
> alert icmp 10.0.0.3 any ---> any any (msg:"Not
allowed";resp:icmp_host;)
> 
> snort activation
> -------------------
> snort -A full -c flexRESP.rules
> 
> Observation
> -------------
> a. snort intialization reads -->
> 
>     1 snort rules read ....
>     1 option chain linked into 1 chain header
>     0 dynamic rules
> 
> b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2;
>    snort only WRITES to the ALERT file
> 
>  I tried using the REACT with "TCP && BLOCK , MSG" options and telnet
>  from 10.0.0.3,the connect was refused ... however i didnt got any
>  VISIBLE BLOCK MESSAGE from the other side.
> 
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 9
From: "Edwin Gaton Pua, Engineer BIE,SCV" <EDWIN at ...4577...>
To: hoagland at ...47...
Cc: snort-users at lists.sourceforge.net
Date: Wed, 16 Jan 2002 09:55:18 +0800
Subject: [Snort-users] Puzzled with snort rules...




> Hi,
> 
>      I've installed the snort-1.8.3-5.i386.rpm into my RH7.2 box as my
ID
> sensor and it works so far when i ran commands in sniffer and packet
> logger mode (with -dv and -l) switches. It shows the real time packets
and
> logged them into /var/log/snort directory.
> 
>       But i want to run snort in NIDS mode and i am just puzzled on
how to
> configure my snort.conf  to communicate with the default snort rules
> located in /etc/snort/ddos.rules, /etc/snort/exploit.rules, etc... do
you
> have sample config of snort.conf that communicates properly with snort
> rules?
>  
>       Grateful to your response.
> 
> Regards,
> Edwin
> 
> 
> 
> 
Subscribe to 6 mths of SCV MaxTV & get a Free Dining voucher worth $128!
Minimum subscription of $30 required. Call 873 3333 to subscribe now. Ts
&
Cs apply.

************************************************************************
*** 
This e-mail is confidential and may also be privileged. If you are not
the 
intended recipient, please delete it and notify us at
itsyteam at ...4577...
immediately. You should 
not copy or use it for any purpose, nor disclose its contents to any
other 
person. Thank you. 
************************************************************************
*** 




--__--__--

Message: 10
Reply-To: <abegetchell at ...530...>
From: "Abe L. Getchell" <abegetchell at ...530...>
To: "'Erek Adams'" <erek at ...577...>
Cc: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Red Hat or Mandrake?
Date: Tue, 15 Jan 2002 22:39:10 -0500
Organization: -

> Hello Abe!  Glad to see you're still alive and kickin'!

Hey Erek!  Yeah, still alive and kickin', just been lurking for the last
month or so.  Time is scarce these days between work, working out, and
spending time with my girlfriend.  Can't say I mind though, at least
about the latter! 8D

> *cough*  *cough*  I'm sorry, I couldn't hear that, I've got a 
> security hole in my RPMs.  ;-)

D'oh! =D

> <snip> "Use the _best_ OS for the job." <snip>

This is _the best_ advice someone could take when trying to decide on
what OS to run Snort.  Use what you know _you_ (or your client) can
manage, secure, and squeeze all the performance out of... unless of
course it's Solaris x86.  I'm kidding!  I'm kidding! ;-)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...



--__--__--

Message: 11
Reply-To: <abegetchell at ...530...>
From: "Abe L. Getchell" <abegetchell at ...530...>
To: "'Scott Teeters Jr'" <steeters at ...4297...>
Cc: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Snort and Synflood alerts
Date: Tue, 15 Jan 2002 22:59:02 -0500
Organization: -

Hi Scott!

Well, since a SYN is a SYN is a SYN, there's really no way of saying
that one SYN packet is part of a SYN flood attack and one isn't.  There
_are_ special characteristics you'll see _occasionally_ with poorly
written SYN flood DoS and DDoS software such as a static IP
identification number, a static source port, a static TCP sequence
number, or even data on the SYN (which is discussed in a different
capacity in another thread on the list right now); I've seen all of
these in the wild.  Snort has all the rules you need to detect the
control channels for the zombie processes which generate the DoS
packets, but Snort really can't tell you if you're experiencing a SYN
flood.

It seems that the portscan preprocessor could be pretty easily modified
to allow it to detect X number of SYN packets, instead of packets to X
number of ports, in a specified amount of time.  Kind of sort of a SYN
flood packet rate detector type thingy.  I might just have to add this
too the list of projects I'll never get time to complete... <sigh>

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Scott Teeters Jr
> Sent: Tuesday, January 15, 2002 11:56 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort and Synflood alerts
> 
> 
> I am working on implementing Snort as our defacto IDS. One of 
> the items my 
> manager wants to see is our synflood activity. Synfloods have 
> been a pain 
> in our side in the past and we want to be able to break out 
> the synflood 
> activity as a separate item in our reporting. I need to know 
> if anyone has 
> seen a Snort signature that specifically targets synfloods? 
> Thanks, Scott Teeters, Jr.
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



--__--__--

Message: 12
From: "Edwin Pua" <edwin1118 at ...125...>
To: bmc at ...950..., snort-users at lists.sourceforge.net
Date: Wed, 16 Jan 2002 04:11:28 +0000
Subject: [Snort-users] Newbie Question..

Hi,

  How will i enable my snort rules to communicate with snort.conf file
and 
run in NIDS mode?

  I edited my snort.conf file to call my snort rules under 
/etc/snort/ddos.rules, /etc/snort/porn.rules, etc.
   The default before in the snort.conf file is without the/etc/snort
path. 
Is this right to enable my snort rules?


# under /etc/snort/snort.conf

include /etc/snort/bad-traffic.rules
include /etc/snort/ddos.rules
include /etc/snort/porn.rules

   Thanx in advace.

rgds,
Edwin




_________________________________________________________________
Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp.



--__--__--

Message: 13
Date: Tue, 15 Jan 2002 23:44:22 -0500
From: Kervin Pierre <kpierre at ...4579...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] segfault caused by double free in spo_database.c


Hi,

I'm not a snort programmer but, it seems you have a double free in 
spo_datase.c ( snort 1.8.3 )

In the listing below, if sig_id is 0, select0 is going to be free'ed 
twice, line 748 and line 751 .

This has crashed snort a few times on my box.


-Kervin


#1  0x0805fd32 in Database (p=0xbfffef70, msg=0x85735c8 "MISC Large UDP 
Packet", arg=0x81b8868, event=0x8573394) at spo_database.c:751
751              free(select0);
(gdb) l
746              if(sig_id == 0)
747              {
748                free(select0);
749                ErrorMessage("database: Problem inserting a new 
signature '%s'\n", msg);
750              }
751              free(select0);
752
753              /* add the external rule references  */
754              if(otn_tmp)
755              {

-- 
http://linuxquestions.org/ - Ask linux questions, give linux help.




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




More information about the Snort-users mailing list