[Snort-users] RE: Snort-users digest, Vol 1 #4222 - 9 msgs

Danista R. Lata dlata001 at ...11795...
Wed May 12 13:15:42 EDT 2004


Where can I find info on slowing down packet traffic
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
snort-users-request at lists.sourceforge.net
Sent: Tuesday, May 11, 2004 3:08 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #4222 - 9 msgs

Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Log file owned by root problem (SRH-Lists)
   2. Re: Snort and reserved words (Matt Kettler)
   3. different logging options. (Timothy W Morrison)
   4. Re: snort >= 2.1.2 on OpenBSD -current and memory limits (Jon Hart)
   5. Re: Is there such a thing as a morning after IDS? (M. Morgan)
   6. Re: How do I convert a snort source IP Number to IP address in Microsoft SQL Server (b311b-snort at ...6044...)
   7. Re: different logging options. (Jason Monroe "JC")
   8. RE: about some error (Harper, Patrick)
   9. RE: Snort sensor and mysql setup (Harper, Patrick)

--__--__--

Message: 1
From: SRH-Lists <giermo at ...8381...>
To: "'bitless at ...1364...'" <bitless at ...1364...>, 
	snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Log file owned by root problem
Date: Mon, 10 May 2004 12:28:36 -0500


> Hi,
> 
> Snort seems to start fine but the problem is when the log 
> files are written the uid/gid is root/root I need them to be 
> snort/snort. My startup line is as follows,
> 
> snort -c /etc/snort/snort_eth0/snort.conf -i eth0 -u snort -g 
> snort
> 
> Shouldn't this output a log file with uid/gid snort/snort.
> All dirs and files are uid/gid snort/snort and anything else 
> I could think of.
> 
> If anyone has any suggestion I would greatly appreciate them.
> 
> TIA
> 
> Dan

snort opens the log file for writing prior to dropping privs to the
UID/GID specified on the command line.  There is a long explanation as to
why this is, but I am not the one to explain it.

There is, however, a workaround: add -m 022 to tell snort to use a
umask of 022 for the logfile.

-steve 
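
An added example, not from the post above and not Snort's own code. The point
of the reply is that the log file is created while snort is still root, so
the only thing the administrator controls is the mode it is created with (the
-m umask). With -m 022 the root-owned file is 0644, which the snort user can
read, but so can every other local account, which matters for full packet
logs. With -m 027 the file is 0640 and readable only by its group; on Linux a
file created by root gets root's group unless the log directory has the
setgid bit set and is group-owned by snort. The script below shows the mode a
daemon's create call receives under a given umask, then audits a log
directory for files a given uid/gid could not read. The directory, file
names and the uid/gid 60000 used in demo() are constructed for the example.

```python
"""Log-file mode and readability check for a daemon that opens its log
before dropping privileges (added example; not Snort code)."""
import os
import stat
import tempfile


def effective_mode(requested, umask):
    """Permission bits a create(2)/open(2) with `requested` gets under `umask`."""
    return requested & ~umask & 0o777


def can_read(st, uid, gid):
    """True if a process running as uid/gid may read the file described by `st`."""
    mode = st.st_mode
    if uid == 0:
        return True                       # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_log_dir(path, uid, gid):
    """Sorted list of regular files under `path` that uid/gid cannot read."""
    unreadable = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and not can_read(st, uid, gid):
                unreadable.append(full)
    return sorted(unreadable)


def create_under_umask(path, umask):
    """Create an empty file the way a daemon does (0666 minus umask) and
    return the permission bits the file actually received."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create two 'log files' under umask 022 and 077, then audit them as a
    uid/gid that did not create them (constructed values: 60000/60000).
    Returns the base names of the files that user could not read."""
    logdir = tempfile.mkdtemp(prefix="snortlog-")
    create_under_umask(os.path.join(logdir, "alert-022"), 0o022)   # 0644
    create_under_umask(os.path.join(logdir, "alert-077"), 0o077)   # 0600
    other_uid, other_gid = 60000, 60000
    return [os.path.basename(p) for p in audit_log_dir(logdir, other_uid, other_gid)]


if __name__ == "__main__":
    print("umask 022 ->", oct(effective_mode(0o666, 0o022)))
    print("umask 027 ->", oct(effective_mode(0o666, 0o027)))
    print("unreadable by the unprivileged user:", demo())
```

Run it once after changing -m or the log directory's group: an empty list from
audit_log_dir() for snort's uid/gid means the files written as root are still
usable after the privilege drop.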


--__--__--

Message: 2
Date: Mon, 10 May 2004 14:38:09 -0400
To: "PATENAUDE, PATRICK" <patrick.patenaude at ...11784...>,
   snort-users at lists.sourceforge.net
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] Snort and reserved words

At 11:34 AM 5/10/2004, PATENAUDE, PATRICK wrote:
>Can anybody tell me what are snorts reserved words?

In what context?

The list of "reserved" words varies depending on where you are in the
middle of a rule. Clearly in the middle of a quoted text string, most
words which are reserved elsewhere won't matter.

Probably your best source of info is going to be the manual:

http://www.snort.org/docs/snort_manual/





--__--__--

Message: 3
To: snort-users at lists.sourceforge.net
From: Timothy W Morrison <morriswt at ...2135...>
Date: Mon, 10 May 2004 13:39:17 -0500
Subject: [Snort-users] different logging options.

I was wondering what people are using as far as logging options go. I
would like to have alerts generated and emailed in real-time and have the
full packet detail logged to a mysql database. Is this asking too much and
is there a better way to do this? I am using barnyard right now and
logging to a mysql database. I appreciate your input on these questions.

Tim Morrison


--__--__--

Message: 4
Date: Mon, 10 May 2004 14:40:57 -0400
From: Jon Hart <warchild at ...8039...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort >= 2.1.2 on OpenBSD -current and memory limits

On Fri, Apr 30, 2004 at 09:36:28AM -0400, Jon Hart wrote:
> If anyone has run into this problem, or has suggestions regarding how
> this can be fixed, I'm all ears.

Thanks to some clues from qru and srh from #snort and a few others
elsewhere, I've fixed my problem.

See the email at misc at ...590...:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=108420932715604&w=2


-jon


--__--__--

Message: 5
Date: Mon, 10 May 2004 14:42:43 -0400 (GMT-04:00)
From: "M. Morgan" <mikemorgan at ...468...>
Reply-To: "M. Morgan" <mikemorgan at ...468...>
To: "Jacob,Raymond A Jr" <raymond.jacob at ...7622...>, 
	snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Is there such a thing as a morning after IDS?

you can probably modify the code for SnortSlinger.

http://www.venom600.org/code/SnortSlinger/



-----Original Message-----
From: "Jacob, Raymond A Jr" <raymond.jacob at ...7622...>
Sent: May 8, 2004 2:54 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Is there such a thing as a morning after IDS?

I am looking for a tool that will report the number of attacks the
associated source ip addresses and destination network addresses that
occurred on the previous day.

 Number of attacks | Signature  | Source IP   | Source port | Destination IP | Destination Port
-------------------+------------+-------------+-------------+----------------+-----------------
      128          | P2P        | 172.16.82.3 | 443         | 127.0.0.1      | 443
    ...
-------------------+------------+-------------+-------------+----------------+-----------------
     1400          | Grand Total


 Number of attacks | Signature  | Source IP   | Source port | Destination IP | Destination Port
-------------------+------------+-------------+-------------+----------------+-----------------
      128          | Web Traver | 192.99.32.7 | 445         | 128.23.45.8    | 80
    ...
-------------------+------------+-------------+-------------+----------------+-----------------
    15000          | Grand Total


-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--__--__--

Message: 6
Date: Mon, 10 May 2004 14:57:05 -0400
From: b311b-snort at ...6044...
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] How do I convert a snort source IP Number to IP address in Microsoft SQL Server

> > The ACID web page has a FAQ which describes how this should theoretically
> > work:
> > http://acidlab.sourceforge.net/acid_faq.html#faq_e1
> > Let IP  = the 32-bit unsigned integer representation of the IP address
> >     ip1 = octet 1 of 4 (high-order)
> >     ip2 = octet 2 of 4
> >     ip3 = octet 3 of 4
> >     ip4 = octet 4 of 4 (low-order)
> >
> >     >>  = bitwise shift right operator; takes an operand of the number of
> >           bits to shift
> >     AND = bitwise AND operator
> >
> > Then,
> >    ip1 = IP >> 24
> >    ip2 = (IP AND 00000000 11111111 00000000 00000000) >> 16
> >    ip3 = (IP AND 00000000 00000000 11111111 00000000) >> 8
> >    ip4 = (IP AND 00000000 00000000 00000000 11111111)
> >
> >    IP = ip1 . ip2 . ip3 . ip4
> > ***problem*** There is no >> operator in Microsoft SQL.

I don't know MS-SQL and I'm sure there's an easier way, but basically:

    3232236087/2^24 = 192 and 3232236087 mod (192*2^24) = 11010615
    11010615/2^16 = 168 and 11010615 mod (168*2^16) = 567
    567/2^8 = 2 and 567 mod (2*2^8) = 55
    
    3232236087 = 192.168.2.55

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage,
ski and mud)
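
An added example, not part of the post above, of ACID or of Snort. It carries
the division-and-modulo method through in code, taking each remainder modulo
2^24, 2^16 and 2^8 rather than modulo (octet * 2^n), so an octet of 0 does
not produce a zero divisor. It also accepts the negative values you get when
the column was created as SQL Server's signed 32-bit int (assumption made
here: that is the only reason a stored address would be negative), and it can
emit the same arithmetic as a T-SQL expression using integer division and %,
which SQL Server does have. The column name `ip_src` is a placeholder.

```python
"""Snort integer <-> dotted-quad conversion without a >> operator
(added example; not ACID or Snort code)."""


def int_to_ip(n):
    """Dotted-quad string for a 32-bit address stored as an integer.

    Accepts 0 .. 2**32-1, or -2**31 .. -1 from a signed 32-bit column.
    """
    if n < 0:
        n += 1 << 32                      # undo two's-complement wraparound
    if not 0 <= n < (1 << 32):
        raise ValueError(f"not a 32-bit address: {n}")
    ip1 = n // (1 << 24)                  # high-order octet
    ip2 = (n % (1 << 24)) // (1 << 16)    # remainder modulo 2^24, not modulo ip1*2^24
    ip3 = (n % (1 << 16)) // (1 << 8)
    ip4 = n % (1 << 8)                    # low-order octet
    return f"{ip1}.{ip2}.{ip3}.{ip4}"


def ip_to_int(dotted):
    """Inverse, for building WHERE clauses against the integer column."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    n = 0
    for o in octets:
        v = int(o)
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        n = (n << 8) | v
    return n


def tsql_expression(column="ip_src"):
    """T-SQL that renders an integer column as a dotted quad using only
    integer division and %.  Assumes the column holds the unsigned value
    (a bigint, or an int that has had 4294967296 added when negative)."""
    c = column
    return (
        f"CAST({c} / 16777216 AS varchar(3)) + '.' + "
        f"CAST(({c} % 16777216) / 65536 AS varchar(3)) + '.' + "
        f"CAST(({c} % 65536) / 256 AS varchar(3)) + '.' + "
        f"CAST({c} % 256 AS varchar(3))"
    )


if __name__ == "__main__":
    print(int_to_ip(3232236087))          # 192.168.2.55, the value in the post
    print(int_to_ip(3232235575))          # 192.168.0.55: a zero octet
    print(ip_to_int("192.168.2.55"))
    print(tsql_expression("ip_src"))
```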




--__--__--

Message: 7
Subject: Re: [Snort-users] different logging options.
From: "Jason Monroe \"JC\"" <monroe at ...5738...>
To: Timothy W Morrison <morriswt at ...2135...>,
        snort-users at lists.sourceforge.net
Date: Mon, 10 May 2004 12:14:46 -0700

We don't have that requirement, but I would suggest making use of
another output module and then using swatch, logwatch, or any other app
to watch growing files for entries of interest.

See:
http://www.linuxsecurity.com/feature_stories/feature_story-144-2.html

Ps: use the archives Luke

On Mon, 2004-05-10 at 11:39, Timothy W Morrison wrote:
> I was wondering what people are using as far as logging options go. I
> would like to have alerts generated and emailed in real-time and have
> the full packet detail logged to a mysql database. Is this asking too
> much and is there a better way to do this? I am using barnyard right
> now and logging to a mysql database. I appreciate your input on these
> questions.
> 
> Tim Morrison
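
An added example, not from any post in this digest and not Snort, barnyard or
swatch code. It serves two threads at once: the "morning after" summary asked
for in Message 5 (alerts from the previous day counted per signature, source
and destination, with a grand total) and the real-time notification asked for
in Message 3 and answered in Message 7 (a filter fed by whatever tails the
alert file, deciding which lines deserve mail). Both read Snort's alert_fast
line format (snort -A fast, or output alert_fast in snort.conf), which has no
year in its timestamp, so the year is passed in. The sample lines, the
signature IDs and the mail_alert() stand-in are constructed for the example.

```python
"""Daily alert summary and real-time notify filter over Snort alert_fast
lines (added example; not Snort code)."""
import re
from collections import Counter
from datetime import date, datetime

# One alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample; not output of any real sensor.
SAMPLE = """\
05/09-23:59:58.000001  [**] [1:2000:1] P2P BitTorrent traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
05/10-01:10:00.000002  [**] [1:2000:1] P2P BitTorrent traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
05/10-02:20:00.000003  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.99.32.7:445 -> 128.23.45.8:80
05/10-02:21:00.000004  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.99.32.7:445 -> 128.23.45.8:80
05/10-03:00:00.000005  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.9 -> 128.23.45.8
this line is not an alert and must be ignored
05/11-00:00:01.000006  [**] [1:2000:1] P2P BitTorrent traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 172.16.82.3:443 -> 127.0.0.1:443
"""


def parse_alert(line, year):
    """Dict for one alert_fast line, or None for anything else."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {
        "ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
        "proto": m["proto"], "src": m["src"], "sport": m["sport"] or "-",
        "dst": m["dst"], "dport": m["dport"] or "-",
    }


def daily_report(lines, day, year):
    """Count alerts that fired on `day` (a datetime.date), grouped by
    signature and endpoints.  Returns (rows, grand_total); each row is
    (count, signature, src, sport, dst, dport), most frequent first."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line, year)
        if a and a["ts"].date() == day:
            counts[(a["msg"], a["src"], a["sport"], a["dst"], a["dport"])] += 1
    rows = [(n,) + key for key, n in counts.items()]
    rows.sort(key=lambda r: (-r[0], r[1:]))
    return rows, sum(counts.values())


def format_report(rows, total):
    """Render the table in the layout asked for in the thread."""
    head = "Number of attacks | Signature | Source IP | Source port | Destination IP | Destination Port"
    out = [head, "-" * len(head)]
    for n, sig, src, sport, dst, dport in rows:
        out.append(f"{n:>17} | {sig} | {src} | {sport} | {dst} | {dport}")
    out.append("-" * len(head))
    out.append(f"{total:>17} | Grand Total")
    return "\n".join(out)


def wants_notify(alert, max_priority=1, always_sids=frozenset()):
    """Real-time policy: mail on priority <= max_priority or on listed SIDs."""
    return alert["priority"] <= max_priority or alert["sid"] in always_sids


def mail_alert(alert):
    """Stand-in for the mailer; hook sendmail or an SMTP call in here."""
    print("NOTIFY:", alert["ts"], alert["msg"], alert["src"], "->", alert["dst"])


def notify_from_stream(lines, year, **policy):
    """Run lines from 'tail -F alert' (or a log watcher) through the policy;
    returns the SIDs that triggered a notification, in order."""
    fired = []
    for line in lines:
        a = parse_alert(line, year)
        if a and wants_notify(a, **policy):
            mail_alert(a)
            fired.append(a["sid"])
    return fired


if __name__ == "__main__":
    rows, total = daily_report(SAMPLE.splitlines(), date(2004, 5, 10), 2004)
    print(format_report(rows, total))
    print(notify_from_stream(SAMPLE.splitlines(), 2004, always_sids={469}))
```

The summary keys on the message text rather than the SID so that rule
revisions do not split one signature across rows; key on (gid, sid) instead
if two rules share a message. For the real-time path, feeding the filter from
the alert file rather than from the database is what keeps the delay down to
the tail interval, while the full packet detail still goes through barnyard
to mysql as before.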


--__--__--

Message: 8
From: "Harper, Patrick" <patrick.harper at ...11593...>
To: "ajay sahasrabudhe" <ajay_sahasrabudhe2001 at ...131...>,
	<snort-users at lists.sourceforge.net>
Date: Mon, 10 May 2004 11:03:29 -0500
Subject: RE: [Snort-users] about some error

did you copy the unicode.map file to /etc/snort?

From: ajay sahasrabudhe [mailto:ajay_sahasrabudhe2001 at ...131...]
Sent: Wednesday, May 05, 2004 8:22 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] about some error


Hi,
i have configured snort to work on a windows 2000 machine. It's working ok
in packet logging mode. I have also configured the snort.conf
file. However, while running snort in IDS mode I am getting an alert as
ERROR: snort.conf(285) => Invalid file name for IIS Unicode Map file.
Fatal Error, Quitting..

What is the problem? Can anyone help me out.

regards,
ajay sahasrabudhe

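An added example, not from the posts above and not Snort code. The error
quoted in the question means the file named on that line of snort.conf could
not be opened, and the reply's question (was unicode.map copied next to the
config?) is the usual cause. The script below collects every file a snort.conf
points at (include lines and the http_inspect iis_unicode_map argument),
substitutes var definitions such as $RULE_PATH, and reports the ones that are
missing with their conf line number, so this is caught before snort is
started in IDS mode. Assumption made for the example: a relative file name is
tried against the directory holding snort.conf and then against the current
working directory. That is this checker's rule, not a statement about how
Snort itself resolves paths. The snort.conf fragment in demo() is constructed.

```python
"""Pre-flight check for files referenced by a snort.conf
(added example; not Snort code)."""
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
UNICODE_MAP_RE = re.compile(r"^\s*preprocessor\s+http_inspect\s*:.*?\biis_unicode_map\s+(\S+)")


def expand_vars(value, variables):
    """Replace $NAME and ${NAME} with the value of an earlier 'var NAME ...';
    unknown names are left untouched."""
    def sub(m):
        name = m.group(1) or m.group(2)
        return variables.get(name, m.group(0))
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, value)


def referenced_files(conf_text):
    """Yield (line_no, kind, path) for every file the config refers to."""
    variables = {}
    for no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        if (m := VAR_RE.match(line)):
            variables[m.group(1)] = expand_vars(m.group(2), variables)
        elif (m := INCLUDE_RE.match(line)):
            yield no, "include", expand_vars(m.group(1), variables)
        elif (m := UNICODE_MAP_RE.match(line)):
            yield no, "iis_unicode_map", expand_vars(m.group(1), variables)


def resolve(path, conf_dir):
    """Absolute paths are used as-is; relative ones are tried next to the
    conf, then in the current directory (this checker's rule).  Returns the
    first candidate that exists, else None."""
    candidates = [path] if os.path.isabs(path) else [os.path.join(conf_dir, path), path]
    for c in candidates:
        if os.path.isfile(c):
            return c
    return None


def missing_files(conf_path):
    """[(line_no, kind, path)] for every reference that does not resolve."""
    with open(conf_path) as fh:
        text = fh.read()
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    return [(no, kind, p) for no, kind, p in referenced_files(text)
            if resolve(p, conf_dir) is None]


def demo():
    """Write a constructed snort.conf whose unicode.map was never copied next
    to it (plus one mistyped include) and return what the checker reports."""
    d = tempfile.mkdtemp(prefix="snortconf-")
    os.mkdir(os.path.join(d, "rules"))
    open(os.path.join(d, "rules", "web-iis.rules"), "w").close()
    open(os.path.join(d, "classification.config"), "w").close()
    conf = "\n".join([
        "var RULE_PATH ./rules",
        "include classification.config",
        "preprocessor http_inspect: global iis_unicode_map unicode.map 1252",
        "include $RULE_PATH/web-iis.rules",
        "include $RULE_PATH/does-not-exist.rules   # typo to be caught",
        "",
    ])
    conf_path = os.path.join(d, "snort.conf")
    with open(conf_path, "w") as fh:
        fh.write(conf)
    return missing_files(conf_path)


if __name__ == "__main__":
    for no, kind, path in demo():
        print(f"snort.conf({no}) => {kind} file not found: {path}")
```

Point it at the real snort.conf (missing_files("/etc/snort/snort.conf") or the
Windows equivalent) and fix every line it lists; the unicode.map entry is the
one behind the error in this thread.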

--__--__--

Message: 9
From: "Harper, Patrick" <patrick.harper at ...11593...>
To: "Lance Boon" <lbtf73_99 at ...131...>,
	<snort-users at lists.sourceforge.net>
Date: Mon, 10 May 2004 11:03:35 -0500
Subject: RE: [Snort-users] Snort sensor and mysql setup

That should do it for you.  After you give the remote snort user
permissions on the mysql box (make sure you have the port open for
mysql) then it should work fine.  I will be adding this to the next
revision of that document.


-----Original Message-----
From: Lance Boon [mailto:lbtf73_99 at ...131...]
Sent: Thursday, May 06, 2004 9:45 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort sensor and mysql setup

I'm having a problem getting snort Version 2.1.2 (Build 25) set to log to
a remote mysql server. I've followed Patrick Harper's guide in setting up
the apache, mysql server; now I want the sensor set up on a separate
machine to log back to the mysql/apache server. I know where the problem
lies, just unsure on how to correct it.

ERROR: database: mysql_error: Access denied for user:
'snort at ...11780...' (Using password: YES) Fatal Error, Quitting..

I understand that snort can't login to the remote mysql server. If I try
to enter the following

[root at ...11781... snortcenter]# mysql -h10.0.16.16 -usnort -p snort
Enter password:
ERROR 1045: Access denied for user: 'snort at ...11780...'
(Using password: YES)

If I would login to the mysql server directly and

SET PASSWORD FOR snort at ...11780... = PASSWORD('new_password');

Then grant the permissions that are needed:

grant CREATE, INSERT, SELECT, DELETE, UPDATE on
snort.* to snort at ...11780...;

grant CREATE, INSERT, SELECT, DELETE, UPDATE on
snort.* to snort;

Would that take care of my problem?

If anybody has a better suggestion for setting this up any assistance
would be greatly appreciated, I'm using snort Version 2.1.2 on Fedora
core 1. Eventually I would like to have 6 sensors logging to this
database.
But right now just need to get the one working.

Thanks
Lance















--__--__--



End of Snort-users Digest





