[Snort-users] Snort and SysLogging, warning

Imran William Smith iwsmith at ...487...
Thu Jun 20 17:54:04 EDT 2002


If you're going to send signature files in, or alerts out, of a snort
box, the best way is to do this either compressed or encrypted or
both, so the activity doesn't trigger snort.

Try ftp'ing a snort signature file into a snort box from outside, or emailing
a snort signature file out of a snort box, etc.  You'll get dozens of
alerts.

I'm not sure of the details of how to do compressed or encrypted syslog,
sorry.


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
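The feedback loop Don describes in the quoted message, modelled as an added example (not code from either poster or from Snort itself): a content rule matches the original packet, the alert text that sensor A ships over syslog matches the same rule again on host B's sensor, and a BPF-style exclusion of the sensor-to-collector syslog flow stops that second match. The rule body, addresses and payload are constructed stand-ins.

```python
from collections import namedtuple

SYSLOG_PORT = 514
# One captured packet: protocol, 5-tuple fields and payload bytes.
Packet = namedtuple("Packet", "proto src sport dst dport payload")

# Constructed rule modelled on the alert in the post (sid 1295, rev 4). Matching one
# case-insensitive content string is a simplification of the real Snort rule.
RULES = [{"sid": 1295, "rev": 4, "msg": "NETBIOS nimda RICHED20.DLL",
          "content": b"riched20.dll", "classtype": "Potentially Bad Traffic", "priority": 2}]

def matches(pkt, rule):
    """Content match in the spirit of Snort's 'content:...; nocase;'."""
    return rule["content"] in pkt.payload.lower()

def alert_text(rule, pkt, pid=2392):
    """Render the alert the way it appears inside the syslog message in the post."""
    return (f"snort[{pid}]: [1:{rule['sid']}:{rule['rev']}] {rule['msg']} "
            f"[Classification: {rule['classtype']}] [Priority: {rule['priority']}] "
            f"{{{pkt.proto.upper()}}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")

def syslog_packet(sensor, collector, text):
    """The alert as it crosses the wire from the sensor to the syslog host (UDP/514)."""
    return Packet("udp", sensor, 40000, collector, SYSLOG_PORT, text.encode())

def sensor_syslog_flow(sensor, collector):
    """Predicate equivalent to the BPF 'host SENSOR and host COLLECTOR and udp port 514'."""
    return lambda p: p.proto == "udp" and p.dport == SYSLOG_PORT and {p.src, p.dst} == {sensor, collector}

def run_sensor(pkts, rules, skip=None):
    """Alerts a sensor raises on pkts; packets for which skip() is true are never inspected."""
    out = []
    for pkt in pkts:
        if skip is not None and skip(pkt):
            continue
        out += [alert_text(r, pkt) for r in rules if matches(pkt, r)]
    return out

def demo():
    sensor_a, host_b = "192.0.2.10", "192.0.2.20"          # constructed addresses
    attack = Packet("tcp", "198.51.100.7", 2209, "192.0.2.15", 139, b"\\\\share\\RICHED20.DLL")  # constructed
    first = run_sensor([attack], RULES)                     # sensor A sees the attack
    relayed = [syslog_packet(sensor_a, host_b, a) for a in first]
    looped = run_sensor(relayed, RULES)                     # sensor on host B sees the syslog
    quiet = run_sensor(relayed, RULES, skip=sensor_syslog_flow(sensor_a, host_b))
    return first, looped, quiet
```

`looped` holds the self-inflicted alert from the post; `quiet` is empty because the syslog flow was excluded before inspection.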





----- Original Message ----- 
From: "Don" <Don at ...5881...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, June 21, 2002 7:59 AM
Subject: [Snort-users] Snort and SysLogging, warning


| Here's something for all of us to note.
| 
| Let me give you a scenario: multiple snort sensors, scattered throughout, on
| varying networks, all, of course, receiving a variety of alerts. Suddenly I
| notice one sensor getting tons of alerts; the tcpdump on this sensor indicates
| that this system has been compromised somehow. Hmm, hopefully not, but I kept
| investigating, to find that all the alerts appear to be prompted by the syslog:
| sensor A reports to syslog at ...780...(B), and the sensor @host(B) alerts since
| it sees traffic with the exact content it is designed to alert on. So, when
| sensor A alerts on, say, a web-iis script access or an sa login failed, it
| sends the syslog message to syslog on host B; host B reads the syslog message
| and logs it accordingly, and at the same time the snort sensor on host B reads
| the same message as an attack of the same type, and therefore prompts an alert.
| What makes this hard is that I run snort in tcpdump mode and with -s for remote
| syslog, so when I try to output the dump file to an alert structure, it just
| hangs and seems to never finish, while one file under the host(B) address in
| the alert dir structure continues to climb in size; for one tcpdump, the size
| continued to climb until I ran out of drive space, then everything stopped. So
| I tried another file, and it did basically the same thing. How I finally found
| this was to start the snort sensor on the host in question, let it run for
| about 5 minutes, then perform the extraction, resulting in the finding of
| something like this:
| 
| .W.....V....I.n.
| s.e.r.t. .i.n.t.
| o. .S.y.s.l.o.g.
| d. .(.M.S.G.D.A.
| T.E.,. .M.S.G.T.
| I.M.E.,. .M.S.G.
| P.R.I.O.R.I.T.Y.
| ,. .M.S.G.H.O.S.
| T.N.A.M.E.,. .M.
| S.G.T.E.X.T.). .
| V.a.l.u.e.s. .(.
| '.2.0.0.2.-.0.6.
| -.2.0.'.,. .'.1.
| 6.:.3.1.:.2.2.'.
| ,. .'.A.u.t.h...
| A.l.e.r.t.'.,. .
| '.6.4...1.6.3...
| 7.0...2.1.'.,. .
| '. . . .s.n.o.r.
| t.[.2.3.9.2.].:.
|  .[.1.:.1.2.9.5.
| :.4.]. .N.E.T.B.
| I.O.S. .n.i.m.d.
| a. .R.I.C.H.E.D.
| 2.0...D.L.L. .[.
| C.l.a.s.s.i.f.i.
| c.a.t.i.o.n.:. .
| P.o.t.e.n.t.i.a.
| l.l.y. .B.a.d. .
| T.r.a.f.f.i.c.].
|  .[.P.r.i.o.r.i.
| t.y.:. .2.].:. .
| {.T.C.P.}. .6.4.
| 
| This is from the tcp2209-139.ids file under my IP directory. As you can see,
| snort seems to be alerting on its own alerts, since of course it does see
| the exact traffic it is designed to alert upon.
| Anyway, I'm just passing this bit along, since it had me really stumped for
| a bit; I was disconnecting things from the network till I realized this.
| Although I am still a bit confused about a few things, I think this is what
| has happened. Any objections?
| 
| Don
| 
| 
| 