[Snort-users] snort tsnmp trap

naganandas naganandas at ...6743...
Fri Feb 13 03:37:02 EST 2004


Hi,
I installed snort-2.0.1 on one machine.
Also installed OpenNMS on another machine.
In Snort I enabled the snmptrap plugin and included the Snort MIB file in the NMS.
But Snort is not sending any alerts like portscan, stealth scan etc.
Please help regarding this.

snort-users at lists.sourceforge.net wrote:
Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Updating Rules? (Vines Scott D 2d Lt AFFTC/IT)
   2. Re: Updating Rules? (Andy Richter)
   3. RE: Updating Rules? (John Creegan)
   4. Re: Updating Rules? (Andreas Östling)
   5. Re: Updating Rules? (Dusty Hall)
   6. Re: snort-2.2.1-RC1 compile error (Ken Bergquist)
   7. RE: Email (Michael Steele)
   8. RE: Updating Rules? (Paul Schmehl)
   9. RE: ACID (DeBerry, Casey)
  10. Re: Updating Rules? (Paul Schmehl)
  11. RE: ACID (Michael Steele)
  12. Re: SNORT (Linux) / MySQL (Win32) (JP Vossen)

--__--__--

Message: 1
From: Vines Scott D 2d Lt AFFTC/IT <Scott.Vines at ...11171...>
To: Dusty Hall <halljer at ...8709...>, snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Updating Rules?
Date: Thu, 12 Feb 2004 13:04:11 -0800

While we're on the subject of updating rules:  I have customized my own rule
files by disabling certain alerts within the files (but not turning off the
entire rule set)...is there a graceful way to update rules without having to
turn these off again?

-----Original Message-----
From: Dusty Hall [mailto:halljer at ...8709...] 
Sent: Thursday, February 12, 2004 12:17 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Updating Rules?


I'm curious about the process of updating Snort 2.1.0 (NOT 2.1.1 RC1)
rules.  Snort.org lists the following for rule packages:

CURRENT - development is done here. Be careful if you use CURRENT
2_1 - the "stable" branch, where we do bug fixes for the currently
"shipping" snort. probably ok for production, might not be release
quality yet
2_0 - the "deprecated" branch, most definitely release quality, but not
really worked on, except for rule updates

Which should I use for 2.1.0?   Is 2.1.1 RC1 the "currently "shipping"
snort"?  Should I update? 

Thank goodness I don't use oinkmaster to autoupdate...

Thanks,


-Dusty



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 2
Cc: Dusty Hall <halljer at ...8709...>, snort-users at lists.sourceforge.net
From: Andy Richter <jarichte at ...546...>
Subject: Re: [Snort-users] Updating Rules?
Date: Thu, 12 Feb 2004 16:32:08 -0500
To: Vines Scott D 2d Lt AFFTC/IT <Scott.Vines at ...11171...>

oinkmaster

http://oinkmaster.sourceforge.net/

--andy richter

On Feb 12, 2004, at 4:04 PM, Vines Scott D 2d Lt AFFTC/IT wrote:

> While we're on the subject of updating rules:  I have customized my 
> own rule
> files by disabling certain alerts within the files (but not turning 
> off the
> entire rule set)...is there a graceful way to update rules without 
> having to
> turn these off again?
>
> -----Original Message-----
> From: Dusty Hall [mailto:halljer at ...8709...]
> Sent: Thursday, February 12, 2004 12:17 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Updating Rules?
>
>
> I'm curious about the process of updating Snort 2.1.0 (NOT 2.1.1 RC1)
> rules.  Snort.org lists the following for rule packages:
>
> CURRENT - development is done here. Be careful if you use CURRENT
> 2_1 - the "stable" branch, where we do bug fixes for the currently
> "shipping" snort. probably ok for production, might not be release
> quality yet
> 2_0 - the "deprecated" branch, most definitely release quality, but not
> really worked on, except for rule updates
>
> Which should I use for 2.1.0?   Is 2.1.1 RC1 the "currently "shipping"
> snort"?  Should I update?
>
> Thank goodness I don't use oinkmaster to autoupdate...
>
> Thanks,
>
>
> -Dusty
>
>
>



--__--__--

Message: 3
Date: Thu, 12 Feb 2004 15:31:40 -0600
From: "John Creegan" <jcreegan at ...9729...>
To: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Updating Rules?

When you say 'your own rule files', do you mean that you created your
own rules files, and that you are updating with oinkmaster?

If you are updating with oinkmaster, you can specify files to skip (not
update) by adding "skipfile" lines to your oinkmaster.conf file.

>>> Vines Scott D 2d Lt AFFTC/IT <Scott.Vines at ...11171...> 02/12/04
03:04PM >>>
While we're on the subject of updating rules:  I have customized my own
rule
files by disabling certain alerts within the files (but not turning off
the
entire rule set)...is there a graceful way to update rules without
having to
turn these off again?

-----Original Message-----
From: Dusty Hall [mailto:halljer at ...8709...] 
Sent: Thursday, February 12, 2004 12:17 PM
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] Updating Rules?


I'm curious about the process of updating Snort 2.1.0 (NOT 2.1.1 RC1)
rules.  Snort.org lists the following for rule packages:

CURRENT - development is done here. Be careful if you use CURRENT
2_1 - the "stable" branch, where we do bug fixes for the currently
"shipping" snort. probably ok for production, might not be release
quality yet
2_0 - the "deprecated" branch, most definitely release quality, but
not
really worked on, except for rule updates

Which should I use for 2.1.0?   Is 2.1.1 RC1 the "currently "shipping"
snort"?  Should I update? 

Thank goodness I don't use oinkmaster to autoupdate...

Thanks,


-Dusty






--__--__--

Message: 4
Date: Thu, 12 Feb 2004 22:39:33 +0100 (CET)
From: Andreas Östling <andreaso at ...236...>
To: Dusty Hall <halljer at ...8709...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Updating Rules?


On Thu, 12 Feb 2004, Dusty Hall wrote:

> Which should I use for 2.1.0?   Is 2.1.1 RC1 the "currently "shipping"
> snort"?  Should I update? 

Because of the alert mixup bug in Snort 2.1.0, I think it should be 
avoided. Snort 2.1.1 RC1 works fine from what I can tell, so I think you 
should use 2.1.1 RC1 and the 2_1 rules (or 2.0.6 and the 2_0 rules until 
2.1.1 is released). Another reason to avoid 2.1.0 is that it doesn't have 
the flowbits feature which the 2_1 rules currently require (which I guess 
they really shouldn't, but that's a known issue that has already been 
mentioned on the lists, and it doesn't really matter as 2.1.1 RC1 is the 
way to go anyway).


> Thank goodness I don't use oinkmaster to autoupdate...

Can you please explain what you mean by this?
Autoupdate is of course always a risk, especially if you for some 
mysterious reason do it without using snort -T on the new rules before 
loading them. I haven't had any problems with Oinkmaster or the update 
process.

Btw, for those who actually use Oinkmaster and Snort 2.1.1 and want to use 
the 2_1 rules, a simple workaround to disable all the 'flowbits' rules
(temporary, until you use a Snort that can handle them) can be (assuming 
Oinkmaster >= 0.9):

modifysid * "(.*\bflowbits:.*)" | "#$1"

Or simply "disablesid 2192,2350,2348,2349,2352", or use some modifysid 
statement or sed command or whatever to remove only the 'flowbits' parts 
if that is what you want.

/Andreas


--__--__--

Message: 5
Date: Thu, 12 Feb 2004 15:59:53 -0600
From: "Dusty Hall" <halljer at ...8709...>
To: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Updating Rules?

I guess I'll update as soon as possible...  I think this needs to be
changed though:

http://www.snort.org/dl/rules/  reads:

->  If you are using 2.1.*, please use snortrules-snapshot-2_1 rules. <-

Because snortrules-snapshot-2_1 rules.tar.gz BREAKS 2.1.0.  If I was using
autoupdate with Oinkmaster and used that info I would have had problems
due to the flowbits addition.  Luckily I manually update my rules using
Oinkmaster and inspect the results :).


-Dusty



>>> Andreas Östling <andreaso at ...236...> 2/12/2004 3:39:33 PM >>>

On Thu, 12 Feb 2004, Dusty Hall wrote:

> Which should I use for 2.1.0?   Is 2.1.1 RC1 the "currently "shipping"
> snort"?  Should I update?

Because of the alert mixup bug in Snort 2.1.0, I think it should be
avoided. Snort 2.1.1 RC1 works fine from what I can tell, so I think you
should use 2.1.1 RC1 and the 2_1 rules (or 2.0.6 and the 2_0 rules until
2.1.1 is released). Another reason to avoid 2.1.0 is that it doesn't have
the flowbits feature which the 2_1 rules currently require (which I guess
they really shouldn't, but that's a known issue that has already been
mentioned on the lists, and it doesn't really matter as 2.1.1 RC1 is the
way to go anyway).


> Thank goodness I don't use oinkmaster to autoupdate...

Can you please explain what you mean by this?
Autoupdate is of course always a risk, especially if you for some
mysterious reason do it without using snort -T on the new rules before
loading them. I haven't had any problems with Oinkmaster or the update
process.

Btw, for those who actually use Oinkmaster and Snort 2.1.1 and want to use
the 2_1 rules, a simple workaround to disable all the 'flowbits' rules
(temporary, until you use a Snort that can handle them) can be (assuming
Oinkmaster >= 0.9):

modifysid * "(.*\bflowbits:.*)" | "#$1"

Or simply "disablesid 2192,2350,2348,2349,2352", or use some modifysid
statement or sed command or whatever to remove only the 'flowbits' parts
if that is what you want.

/Andreas



--__--__--

Message: 6
Date: Thu, 12 Feb 2004 16:53:47 -0500
Subject: Re: [Snort-users] snort-2.2.1-RC1 compile error
From: Ken Bergquist <kbergquist at ...11196...>
To: snort-users at lists.sourceforge.net

Will do. Thanks for the heads-up. This is being compiled on an Apple 
B&W G3 - OS X 10.1.5 (Darwin), by hand.

./configure --with-mysql=/usr/local/mysql
make
<break>

No fink, I think. I'd rather use my thinker, lest it rot and stink. 
Though I may have it installed  on this box. Why do you ask? Could it 
have an impact on this? Some library substitution perhaps?

>> I hope someone can shed some light on this. While making on OS X 10.1
>> (Darwin) the following error occurs first in the output:
>
> Could you check out HEAD (or get snort-current from snort.org) and try
> that? The libintsnort stuff was removed, as it was causing problems
> for a couple people. I've only seen this problem, in the case of
> Solaris, where people were compiling/linking snort using third party
> tools, and not the system tools. Out of curiosity, is this the same
> situation for you... are you using anything out of fink?
>
> In either case, check out HEAD and the problem should be fixed. Let me
> know if it isn't.

-- 
Ken Bergquist
Director Internet Systems
Walt Klein & Associates
http://www.wka.com



--__--__--

Message: 7
From: "Michael Steele" <michaels at ...9077...>
To: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Email
Date: Thu, 12 Feb 2004 13:56:19 -0800

Check out Swatch for UNIX

Check out EventWatchNT for Windows

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Syed Ali
> Sent: Thursday, February 12, 2004 12:48 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Email
> 
> Hi,
> 
> Can someone tell me how to set up email alerts in Snort. Snort box will be
> behind the firewall. I want to get an alert if someone has a successful
> attack on our web server so I get email notification. I am using Acid.
> 
> Thanks,
> Syed
> 
> 





--__--__--

Message: 8
Date: Thu, 12 Feb 2004 15:59:37 -0600
From: Paul Schmehl <pauls at ...6838...>
To: "Vines Scott D 2d Lt AFFTC/IT" <Scott.Vines at ...11171...>,
	snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Updating Rules?

--On Thursday, February 12, 2004 01:04:11 PM -0800 "Vines Scott D 2d Lt 
AFFTC/IT" <Scott.Vines at ...11171...> wrote:

> While we're on the subject of updating rules:  I have customized my own
> rule files by disabling certain alerts within the files (but not turning
> off the entire rule set)...is there a graceful way to update rules
> without having to turn these off again?

Yes.  Oinkmaster.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


--__--__--

Message: 9
From: "DeBerry, Casey" <Casey.DeBerry at ...9117...>
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] ACID
Date: Thu, 12 Feb 2004 15:41:44 -0700

What OS are you running things on?
Are you showing any events in your database?
Are you logging any events locally?


-----Original Message-----
From: Oliver [mailto:quemit at ...131...]
Sent: Monday, February 09, 2004 4:58 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ACID


Installed ACID on Linux9. It looks as if my Snort is functioning
properly.
My ACID web view is not displaying any events happening. I've
performed a couple of scans inside my network, still nothing is
showing up on ACID. I've checked my snort.conf, it looks correct to
me. Oh, by the way I'm new at this.
Any suggestion?
Thx




--__--__--

Message: 10
Date: Thu, 12 Feb 2004 17:36:28 -0600
From: Paul Schmehl <pauls at ...6838...>
To: Dusty Hall <halljer at ...8709...>,
	snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Updating Rules?

--On Thursday, February 12, 2004 03:59:53 PM -0600 Dusty Hall 
<halljer at ...8709...> wrote:

> I guess I'll update as soon as possible...  I think this needs to be
> changed though:
>
> http://www.snort.org/dl/rules/  reads:
>
> ->  If you are using 2.1.*, please use snortrules-snapshot-2_1 rules. <-
>
> Because snortrules-snapshot-2_1 rules.tar.gz BREAKS 2.1.0.  If I was
> using autoupdate with Oinkmaster and used that info I would have had
> problems due to the flowbits addition.  Luckily I manually update my
> rules using Oinkmaster and inspect the results :).

I updated mine with oinkmaster.  All I had to do was grep the rules files 
for "flowbits" and add the rules returned to the "disablesid" list in 
oinkmaster.conf.  End of problem.  When the flowbits "problem" gets fixed, 
I'll re-enable them.  Piece of cake.

Oinkmaster rules.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
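Andreas's modifysid workaround (message 4) and Paul's "grep for flowbits, add the SIDs to disablesid" approach (this message) are the same operation done two ways. The script below is an added example written for this digest, not code from Oinkmaster or Snort: it finds the active rules that use flowbits in a rules file, renders the disablesid line, and applies the effect of the modifysid regex. The rules and SIDs (9000001-9000004) are constructed for illustration; the real flowbits SIDs come from your own rules files. As Andreas says, run snort -T on the result before loading it.

```python
"""Spot rules that use flowbits and build the Oinkmaster lines to disable them.

Added example for this thread, not code from Oinkmaster or Snort. The rules
below are constructed for illustration and the SIDs (9000001-9000004) are
made up; real flowbits SIDs come from your own rules files.
"""
import re
from typing import List

# Constructed sample rules file: two active flowbits rules, one plain rule,
# and one flowbits rule that is already commented out.
SAMPLE_RULES = """\
# constructed sample, not a real snapshot file
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login seen"; flow:to_server,established; content:"PASS"; flowbits:set,ftp.login; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE after login"; flow:to_server,established; flowbits:isset,ftp.login; content:"SITE"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe"; flow:to_server,established; content:"/probe"; sid:9000003; rev:1;)
#alert udp any any -> $HOME_NET 53 (msg:"DNS tagged"; flowbits:isset,dns.seen; sid:9000004; rev:1;)
"""

FLOWBITS_RE = re.compile(r"\bflowbits\s*:")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def is_active_rule(line: str) -> bool:
    """True for a rule line Snort would actually load (non-empty, not '#')."""
    s = line.strip()
    return bool(s) and not s.startswith("#")


def flowbits_sids(rules_text: str) -> List[int]:
    """SIDs of active rules whose option list contains a flowbits keyword.

    Programmatic form of 'grep the rules files for flowbits'; the SIDs go
    into an Oinkmaster disablesid line.
    """
    sids = []
    for line in rules_text.splitlines():
        if is_active_rule(line) and FLOWBITS_RE.search(line):
            m = SID_RE.search(line)
            if m:
                sids.append(int(m.group(1)))
    return sids


def disablesid_line(sids) -> str:
    """Render a disablesid statement for oinkmaster.conf (sorted, de-duplicated)."""
    return "disablesid " + ",".join(str(s) for s in sorted(set(sids)))


def comment_out_flowbits_rules(rules_text: str) -> str:
    """Apply the effect of  modifysid * "(.*\\bflowbits:.*)" | "#$1"  to a
    whole file: every active flowbits rule gets a leading '#'. Rules that
    are already commented out are left alone, so running it twice is safe."""
    out = []
    for line in rules_text.splitlines():
        if is_active_rule(line) and FLOWBITS_RE.search(line):
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    sids = flowbits_sids(SAMPLE_RULES)
    print(disablesid_line(sids))          # disablesid 9000001,9000002
    print(comment_out_flowbits_rules(SAMPLE_RULES))
```

The disablesid route keeps the rules file untouched and is easy to revert later (delete the line from oinkmaster.conf once you run a Snort with flowbits); the comment-out route edits the rules themselves, which is what the modifysid regex does on every update.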


--__--__--

Message: 11
From: "Michael Steele" <michaels at ...9077...>
To: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] ACID
Date: Thu, 12 Feb 2004 17:58:54 -0800

Create a file called test.rules and insert the 3 rules below in that file
and save it to your /rules folder. Now in your snort.conf add a new include
line at the bottom for "test.rules". Now restart Snort and generate some
browser traffic and you should see all kinds of alerts in ACID being
generated.

Be sure to hash (#) out the new include line after the test is successful or
you will fill your database up. Be sure to restart Snort after you hash the
line out. 

Test Rules: 

alert tcp any any -> any any (msg:"Alert: Got a TCP Packet";) 
alert udp any any -> any any (msg:"Alert: Got a UDP Packet";) 
alert icmp any any -> any any (msg:"Alert: Got a ICMP Packet";) 


Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: Oliver [mailto:quemit at ...131...]
> Sent: Monday, February 09, 2004 4:58 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] ACID
> 
> 
> Installed ACID on Linux9. It looks as if my Snort is functioning
> properly.
> My ACID web view is not displaying any events happening. I've
> performed a couple of scans inside my network, still nothing is
> showing up on ACID. I've checked my snort.conf, it looks correct to
> me. Oh, by the way I'm new at this.
> Any suggestion?
> Thx


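The test above works because the three rules have any/any -> any/any headers and so fire on every TCP, UDP and ICMP packet, which is also why the include has to be hashed out again afterwards. The script below is an added example for this digest, not code from Snort or the WINSNORT guides: it adds or hashes out the test.rules include in a snort.conf copy without leaving duplicates, and flags which of the test rules are catch-all. The snort.conf fragment is constructed; the three rules are the test rules from the message above.

```python
"""Toggle the test.rules include in snort.conf and flag catch-all test rules.

Added example for this thread, not part of Snort or the WINSNORT guides. The
snort.conf fragment is constructed; the three rules are the test rules from
the message above.
"""
import re
from typing import List

# Constructed snort.conf fragment standing in for the real file.
SAMPLE_CONF = """\
var HOME_NET any
var RULE_PATH ../rules
include $RULE_PATH/local.rules
"""

# The three test rules from the message above, unchanged.
TEST_RULES = """\
alert tcp any any -> any any (msg:"Alert: Got a TCP Packet";)
alert udp any any -> any any (msg:"Alert: Got a UDP Packet";)
alert icmp any any -> any any (msg:"Alert: Got a ICMP Packet";)
"""

TEST_INCLUDE = "include $RULE_PATH/test.rules"
# Matches the include line whether or not it is hashed out.
INCLUDE_RE = re.compile(r"^\s*#?\s*include\s+\S*test\.rules\s*$")
# Snort rule header: action proto src_addr src_port dir dst_addr dst_port (
HEADER_RE = re.compile(
    r"^\s*(alert|log|pass)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\("
)


def set_test_rules(conf: str, enabled: bool) -> str:
    """Return conf with exactly one test.rules include at the bottom, active
    when enabled and hashed out (#) otherwise. Idempotent, so it can be run
    before the test and again after it without leaving duplicate includes."""
    kept = [line for line in conf.splitlines() if not INCLUDE_RE.match(line)]
    kept.append(TEST_INCLUDE if enabled else "#" + TEST_INCLUDE)
    return "\n".join(kept) + "\n"


def is_test_include_active(conf: str) -> bool:
    """True if an un-hashed test.rules include is present."""
    return any(
        INCLUDE_RE.match(line) and not line.lstrip().startswith("#")
        for line in conf.splitlines()
    )


def catch_all_protocols(rules_text: str) -> List[str]:
    """Protocols of rules whose header is any/any -> any/any. Such a rule
    fires on every packet of that protocol, which is why the include must be
    hashed out again once ACID shows alerts."""
    found = []
    for line in rules_text.splitlines():
        m = HEADER_RE.match(line)
        if m and all(m.group(i) == "any" for i in (3, 4, 6, 7)):
            found.append(m.group(2))
    return found


if __name__ == "__main__":
    on = set_test_rules(SAMPLE_CONF, True)
    print(on)
    print("catch-all test rules for:", catch_all_protocols(TEST_RULES))
    print(set_test_rules(on, False))   # include line now hashed out
```

Write the returned text back to snort.conf and restart Snort after each toggle; the catch_all_protocols check is a cheap guard to run over any rules file before it goes into production, since a catch-all rule left enabled will fill the database just as the message warns.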


--__--__--

Message: 12
Date: Fri, 13 Feb 2004 02:01:04 -0500 (EST)
From: JP Vossen <vossenjp at ...8683...>
To: "M. Salman Farisi" <msalmanf at ...11176...>
cc: Snort Users List <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] SNORT (Linux) / MySQL (Win32)

On Wed, 11 Feb 2004, M. Salman Farisi wrote:

> I've tried the rpms of snort but there were problems :
>
> when i tried to restart snortd /etc/init.d/snortd restart [FAILED]
> when i test snort : snort -T -c /etc/snort/snort.conf it said :
>
> ERROR : /etc/snort/snort.conf(285) =>invalid file name for IIS Unicode Map
> file, Fatal Error, Quitting..

That's a known issue.  What RPMs are you using and where did you get them
from?

Try the more recent RPMs at: http://www.starken.com/snort

OR, grab the Snort.org tarball, extract unicode.map and copy it to your
/etc/snort directory.


> Do the rpms packages create database automatically?

No, you must do that yourself when you install ACID.  ACID is NOT included in
any of the RPMs.


> what should i do then?
> I have checked mysql database for user snort but no database created after
> the installation

Read any of the Snort/ACID config guides mentioned in the list archives [1]
for details.  I'd love to have an ACID RPM but don't have the time to build
one...

HTH,
JP

[1] http://www.snort.org/lists.html
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest