[Snort-users] snort and demarc frontend and Promiscuous mode

Lavin, John JLavin at ...6786...
Wed Sep 4 12:04:43 EDT 2002


Do I need two network cards in order to run snort in promiscuous mode?

I am running this on a Linux box with one NIC card right now. So currently,
if I do an nmap scan from another Linux box right at the box with snort
loaded on it...

 nmap -O (ip address of the box)

it will trigger the alerts.
However, if I scan another PC plugged into the same hub, it does not report
finding anything.
So I think I need to adjust the mode or install another NIC card and then set up
promiscuous mode.

Can anyone please let me know how to do this or point me to the correct
documentation?
I know how to put in the NIC and set it up; I just want to find out what the
interfaces are labeled from snort's point of view and what options I
need to add to snort when I start it up.

Thanks in advance,

John Lavin
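As an added example (not part of John's post and not code from the snort project): on a shared hub a single NIC is enough, because snort, via libpcap, puts the interface it listens on into promiscuous mode by itself unless it is started with -p; what matters is that the interface named with -i is the one plugged into the hub (on a switch a port only sees its own traffic, so a mirror/SPAN port is needed instead). The helper below decodes the Linux interface flag word exposed in /sys/class/net/<iface>/flags (IFF_PROMISC is 0x100 in <linux/if.h>) so you can confirm the mode while the sensor runs. The interface name eth0 and the config and log paths in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a Linux NIC is in
# promiscuous mode and print the snort command line that binds it to one NIC.

IFF_PROMISC=0x100   # bit set in the flag word when the NIC is promiscuous

# promisc_from_flags HEXWORD -> prints "yes" or "no"
# The flag word is the same value libpcap/ifconfig see (e.g. 0x1103 = UP,
# BROADCAST, PROMISC, MULTICAST; 0x1003 = the same without PROMISC).
promisc_from_flags() {
    flags=$(( $1 ))
    if [ $(( flags & $IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# iface_flags IFACE -> prints the hex flag word read from sysfs,
# or nothing when the interface does not exist
iface_flags() {
    cat "/sys/class/net/$1/flags" 2>/dev/null
}

# is_promisc IFACE -> exit 0 when IFACE is in promiscuous mode,
# 1 when it is not, 2 when the interface cannot be read
is_promisc() {
    f=$(iface_flags "$1")
    [ -n "$f" ] || return 2
    [ "$(promisc_from_flags "$f")" = yes ]
}

# snort_cmd IFACE CONF -> command line that ties snort to one interface.
# -i selects the NIC; snort enables promiscuous mode itself unless -p is
# given, so no second card is needed for that.
snort_cmd() {
    echo "snort -i $1 -c $2 -l /var/log/snort"
}

# Usage (paths are assumptions):
#   is_promisc eth0 && echo "eth0 is promiscuous"
#   $(snort_cmd eth0 /etc/snort/snort.conf)
```

Run `is_promisc eth0` in a second terminal after starting snort: if it reports "no", snort is listening on a different interface than the one you expect or was started with -p.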

-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Tuesday, September 03, 2002 10:33 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #2240 - 16 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Hard choice: Preprocessor or Tagging (Chris Green)
   2. Re: -b binary logging question (Chris Green)
   3. Snort Minimum permissions (Richard Hall)
   4. Re: Snort and creating new classtypes (Roman Danyliw)
   5. papers about installing snort (charella constansia)
   6. Re: NETBIOS NT NULL session (Ian Macdonald)
   7. Re: PORN Virgin (Ian Macdonald)
   8. Re: -b binary logging question (John Sage)
   9. Re: Another error message. Thx. (Keith Young)
  10. MS-SQL and ACID (Dhruv Chandra)
  11. MS-SQL and ACID (Dhruv Chandra)
  12. MS-SQL and ACID (Dhruv Chandra)
  13. MS-SQL and ACID (Dhruv Chandra)
  14. MS-SQL and ACID (Dhruv Chandra)
  15. MS-SQL and ACID (Dhruv Chandra)
  16. MS-SQL and ACID (Dhruv Chandra)

--__--__--

Message: 1
Date: Tue, 03 Sep 2002 08:22:43 -0400
From: Chris Green <cmg at ...1935...>
Subject: Re: [Snort-users] Hard choice: Preprocessor or Tagging
To: Michael Boman <michael.boman at ...4162...>
Cc: Snort Users List <snort-users at lists.sourceforge.net>
Reply-to: snort-users at lists.sourceforge.net

Michael Boman <michael.boman at ...4162...> writes:


>> Make it a option in the output line and I'll include it.
>
> Ok. Here is a diff against SNORT_1_8 CVS. I called the option 'ignore_bpf'
> and it's a boolean. I updated README.database documentation to reflect the
> change as well.

Would you change this to Snort 1.9 please. :)
-- 
Chris Green <cmg at ...1935...>
"Yeah, but you're taking the universe out of context."


--__--__--

Message: 2
Date: Tue, 03 Sep 2002 08:25:54 -0400
From: Chris Green <cmg at ...1935...>
Subject: Re: [Snort-users] -b binary logging question
To: John Sage <jsage at ...2022...>
Cc: snort-users at lists.sourceforge.net
Reply-to: snort-users at lists.sourceforge.net

John Sage <jsage at ...2022...> writes:

> Having a discussion off-list about the -b binary logging switch, and
> suddenly I'm wondering...
>
> Does the -b binary logging switch *always* record all packets on the
> interface?

No.  One thing that is confusing about snort is that it supports many
different modes.

>
> Or is the set of packets logged by -b changed when one starts to
> specify a snort.conf and thus check the packets against rules, whether
> alerts or passes?

Yes.  There is a difference between with a snort.conf and without.

>
>
> "If you're on a high speed network or you want to log the packets into
> a more compact form for later analysis you should consider logging in
> "binary mode". Binary mode logs the packets in "tcpdump format" to a
> single binary file in the logging directory:

I really should rewrite that portion.  That only makes sense these
days if you've got a slow machine but fast disk IO.  Binary mode for a
log format + fast mode instead of an ascii logging makes lots of
sense though.

>
> ./snort -l ./log -b
>
> Note the command line changes here. We don't need to specify a home
> network any longer because binary mode logs everything into a single
> file, which eliminates the need to tell it how to format the output
> directory structure."
>
> This implies that -b gets everything.
>

It does in that command line.

> OK: does it *always* get everything?
>

Nope.
-- 
Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.


--__--__--

Message: 3
Date: Tue, 03 Sep 2002 13:40:02 +0100
From: Richard Hall <r.j.hall at ...3454...>
Organization: Information Security Group
CC: Snort Users List <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort Minimum permissions

Does anyone know what the absolute minimum permissions are on the MySQL
database tables for the snort sensor account?  The guide states CREATE,
INSERT, SELECT, DELETE and UPDATE on snort_db.*; are all these needed?
Does the sensor ever need CREATE, DELETE, SELECT or UPDATE if it is just
inserting information into the existing database tables?  My SQL (that
is My as in Me, not the program) is very limited, and I want people in
other less trusted locations to still be able to log sensor data back to
a central location for analysis, but without being able to modify or read the
existing data in the database.  Is this possible?

Cheers

Rich

=== === === === === === === === ===
Richard Hall
Systems Administrator
Information Security Group
Royal Holloway, University of London
Tel: +44 (0)1784 44 3111
Fax: +44 (0)1784 430766
=== === === === === === === === ===
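Added example, not from Richard's post and not the Snort project's own code: a shell helper that emits per-table GRANT statements so that a sensor account is separated from the console (ACID) account, following the least-privilege split the question asks for. The table names are those of Snort's standard MySQL schema; which of them the sensor must also SELECT from (it looks up existing sensor and signature ids before inserting) is my assumption about the database output plugin and should be confirmed by running the sensor against the restricted account and watching its log for "command denied" errors. The account names and host pattern are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate least-privilege MySQL
# grants for a remote snort sensor and a separate analysis console account.

SNORT_DB=snort_db

# Tables the sensor reads to find existing ids and writes when a new
# sensor/signature/reference shows up (ASSUMPTION: SELECT is needed here).
SENSOR_LOOKUP_TABLES="sensor signature sig_class sig_reference reference reference_system schema"
# Tables the sensor only ever appends to: one row per alert and header.
SENSOR_INSERT_TABLES="event iphdr tcphdr udphdr icmphdr data opt"

# sensor_grants USER HOST -> one GRANT per table; no UPDATE, DELETE or
# CREATE, so a compromised sensor cannot alter or erase existing alerts.
sensor_grants() {
    user=$1; host=$2
    for t in $SENSOR_LOOKUP_TABLES; do
        echo "GRANT SELECT, INSERT ON $SNORT_DB.$t TO '$user'@'$host';"
    done
    for t in $SENSOR_INSERT_TABLES; do
        echo "GRANT INSERT ON $SNORT_DB.$t TO '$user'@'$host';"
    done
}

# console_grants USER HOST -> the console reads everything and may purge
# or archive alerts, but gets no INSERT on the raw alert tables. ACID also
# keeps tables of its own; extend this for those as your install needs.
console_grants() {
    echo "GRANT SELECT, UPDATE, DELETE ON $SNORT_DB.* TO '$1'@'$2';"
}

# count_statements USER HOST -> number of GRANT lines emitted for the sensor
count_statements() {
    sensor_grants "$1" "$2" | wc -l | tr -d ' '
}

# Usage (placeholders): pipe the output into the mysql client as an
# administrative user, then confirm with SHOW GRANTS FOR 'sensor'@'10.0.5.%';
#   { sensor_grants sensor '10.0.5.%'; console_grants acid localhost; } | mysql -u root -p
```

Because the sensor account is scoped by host pattern as well as by table, a stolen sensor password is only usable from the sensor subnet and only to append rows, which is the "log back but not read or modify" property the question asks about.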





--__--__--

Message: 4
Date: Tue, 3 Sep 2002 09:06:09 -0400 (EDT)
From: "Roman Danyliw" <roman at ...438...>
To: Matthew Wagenknecht <Matthew.Wagenknecht at ...6755...>
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and creating new classtypes

This is the expected (if not necessarily the desired) behavior.  Meta
information about a signature (e.g., classification, priority) is stored in
the database the first time that an event matching this signature is
encountered.  Without an update to the revision number of the signature to
denote that something has changed, the meta information will not be updated
despite a manual update to the configuration file.

ACID should probably provide primitives to manipulate signature
classifications.

Roman

On Thu, 29 Aug 2002 10:11:03 -0600, Matthew Wagenknecht
<Matthew.Wagenknecht at ...6755...> wrote :

> In the snort rules, a number of virus rules have misc-activity. I want to
> move all virus signatures to a new classtype called virus. I created a new
> line in classifications.config like the following:
> 
> config classification: virus,Virus Detection,1
> 
> However when in ACID, it shows up under unclassified. Is there something
> else I need to do or is this an ACID issue?
> 
> 
> 
> ..:: Matt ::..  
> 
> 
> 


--__--__--

Message: 5
Date: Tue, 3 Sep 2002 06:50:38 -0700 (PDT)
From: charella constansia <sharella at ...131...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] papers about installing snort

Hi, 

Do you guys know of any good paper about installing Snort on
multiple sensors that log to one console?
The platform must be Red Hat 7.3.

thanks



--__--__--

Message: 6
From: "Ian Macdonald" <secsnort at ...5528...>
To: "Tony Wong" <tony.wong at ...5535...>,
<snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] NETBIOS NT NULL session
Date: Tue, 3 Sep 2002 09:50:51 -0400

NT Null sessions are something that is used by MS operating systems to get
information about another server. It is a way to connect to a machine and
not authenticate (Null) then gather information from the machine. You can
use a null session to collect information about who is logged onto a
machine, what domain they are part of and some other stuff. I think you can
also make registry updates using Null sessions. You can restrict what
information can be viewed by null sessions by setting restrictanonymous in
the registry (doing a search on the web will bring up the exact location).
If you completely disable null sessions things will break but by making this
registry change you can limit the impact of the null sessions.

Ian
----- Original Message -----
From: "Tony Wong" <tony.wong at ...5535...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, August 28, 2002 3:29 PM
Subject: [Snort-users] NETBIOS NT NULL session


> Why am I getting these alerts to my NT Fileserver?
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's fastest growing
> real-time communications platform! Don't just IM. Build it in!
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



--__--__--

Message: 7
From: "Ian Macdonald" <secsnort at ...5528...>
To: "Phil Wood" <cpw at ...440...>, "Tony Wong" <tony.wong at ...5535...>
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] PORN Virgin
Date: Tue, 3 Sep 2002 09:55:16 -0400

This rule is disabled by default in the current snortrules-stable.tar.gz on
snort.org. Maybe you should update your rule set? I would look very closely
at the porn rules and see if they make sense; there are a few rules in
there that match on a single word that will generate a lot of false
positives (these are disabled in the rule set on snort.org).

Ian
----- Original Message -----
From: "Phil Wood" <cpw at ...440...>
To: "Tony Wong" <tony.wong at ...5535...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, August 28, 2002 6:53 PM
Subject: Re: [Snort-users] PORN Virgin


> On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:
> > Everytime I bring up ACID from my workstation browser. I see "PORN
> > Virgin" from my workstation to the IDS box which is also running ACID.
> >
> > Why is that?
>
> Either someone is interested in "virgin wool", "a young virgin cow", or
> you are sending your rule set over the net and capturing it with your
> carefully configured snort IDS.  Have you bothered to look at the data
> surrounding the key word "virgin" (using ACID).  Also, check your
> collection of rules for the keyword "virgin".  Oh, heck I can do that!
>
> $ cd where-ever-your-rules-are
> $ grep -i virgin *
> porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:
> "PORN virgin"; content: "virgin "; nocase; flow: to_client,established;
> classtype: kickass-porn; sid:1796; rev:2;)
>
> >
> >
> >
>
> --
> Phil Wood, cpw at ...440...
>
>



--__--__--

Message: 8
Date: Tue, 3 Sep 2002 07:29:03 -0700
From: John Sage <jsage at ...2022...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] -b binary logging question

Erek, Chris:

Thanks, guys..

- John


On Tue, Sep 03, 2002 at 08:25:54AM -0400, Chris Green wrote:
> John Sage <jsage at ...2022...> writes:
> 
> > Having a discussion off-list about the -b binary logging switch, and
> > suddenly I'm wondering...
> >
> > Does the -b binary logging switch *always* record all packets on the
> > interface?
> 
> No.  One thing that is confusing about snort is that it supports many
> different modes.
> 
> >
> > Or is the set of packets logged by -b changed when one starts to
> > specify a snort.conf and thus check the packets against rules, whether
> > alerts or passes?
> 
> Yes.  There is a difference between with a snort.conf and without.
> 
> >
> >
> > "If you're on a high speed network or you want to log the packets into
> > a more compact form for later analysis you should consider logging in
> > "binary mode". Binary mode logs the packets in "tcpdump format" to a
> > single binary file in the logging directory:
> 
> I really should rewrite that portion.  That only makes sense these
> days if you've got a slow machine but fast disk IO.  Binary mode for a
> log format + fast mode instead of an ascii logging makes lots of
> sense though.
> 
> >
> > ./snort -l ./log -b
> >
> > Note the command line changes here. We don't need to specify a home
> > network any longer because binary mode logs everything into a single
> > file, which eliminates the need to tell it how to format the output
> > directory structure."
> >
> > This implies that -b gets everything.
> >
> 
> It does in that command line.
> 
> > OK: does it *always* get everything?
> >
> 
> Nope.
> -- 
> Chris Green <cmg at ...1935...>
> Don't use a big word where a diminutive one will suffice.


--__--__--

Message: 9
Date: Tue, 03 Sep 2002 10:27:58 -0400
From: Keith Young <kyoung at ...6513...>
Reply-To: kyoung at ...6513...
Organization: V-ONE
To: gaojianwen at ...6771...
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Another error message. Thx.

jordi wrote:
> HI, all
> 
> Gleen,Do u mean i remove the following lines? 
> #!/bin/sh
> #

Keep the file like it is.

Three things:
1) Is the file executable (i.e. "chmod +x snort")?
2) Did you FTP it from a Windows machine and need to convert the CR/LF
(i.e. "dos2unix snort snort")?
3) Do you have any whitespace after "/bin/sh"?

-- 
--Keith Young
-kyoung at ...6513...
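The three checks above turned into a script you can run against the snort wrapper (or any sh script) before digging further; this is an added example, not code from Keith's reply or from the Snort project. It reports a missing execute bit, CR/LF line endings left over from a Windows transfer (the kernel then looks for an interpreter literally named "/bin/sh\r", which is why the script "does not exist"), and trailing blanks after the interpreter path. The file names in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose why a "#!/bin/sh"
# wrapper script refuses to run, following the three checks in the reply.

# check_script FILE -> prints one line per problem found; exit 0 when clean,
# 1 when a problem was found, 2 when the file is missing
check_script() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi

    # 1) execute bit
    if [ ! -x "$f" ]; then
        echo "not executable (chmod +x $f)"
        rc=1
    fi

    # 2) CR/LF line endings: a CR on the #! line becomes part of the
    #    interpreter name the kernel tries to exec
    if head -n 1 "$f" | grep -q "$(printf '\r')"; then
        echo "CRLF line endings (run dos2unix)"
        rc=1
    fi

    # 3) interpreter line: must start with #! and carry no trailing blanks
    #    (CR stripped first so this check is independent of check 2)
    first=$(head -n 1 "$f" | tr -d '\r')
    tab=$(printf '\t')
    case "$first" in
        '#!'*' '|'#!'*"$tab")
            echo "whitespace after interpreter path in: $first"
            rc=1 ;;
        '#!'*)
            ;;
        *)
            echo "first line is not a #! interpreter line"
            rc=1 ;;
    esac
    return $rc
}

# Usage (path is an assumption):
#   check_script /usr/local/bin/snort || echo "fix the problems listed above"
```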




--__--__--

Message: 10
From: "Dhruv Chandra" <dhruvc at ...125...>
To: snort-users at lists.sourceforge.net
Date: Tue, 03 Sep 2002 10:31:03 -0400
Subject: [Snort-users] MS-SQL and ACID

Hi Everyone.

I am new to Snort and NIDS in general. I am trying
to incorporate Snort NIDS within our corporate network.

Here is what I am planning to use.

OS -> Windows 2000
Database -> MS-SQL 2000


--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



