[Snort-users] re: Which rules to get inline

James Affeld jamesaffeld at ...131...
Sun Mar 6 21:20:48 EST 2005


I'd be very wary of using rules that don't use the
'established' keyword.  The problem with IPS is that
it puts the firewall rules in the hands of the
attacker.  
The classic example: an attacker could spoof the
return address of your upstream router with a UDP
attack or a SYN scan, and if your IPS blocks it, your
router drops off the net.  (This presumes the IPS is
in front of the router.)

So you definitely want to be sure that you have a real
connection to the offending host before cutting it
off.
It's hard to spoof the source of TCP connections.

I'd run Snort for a while to see what the reliable
rules are for your net, then think about blocking
automatically based on them.  
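The spoofing risk James describes above, as an added example that is not part of the original post: a toy model of an inline rule that blocks on a single packet (anything the sender can forge) beside one that only blocks inside an established TCP connection. The `FlowTracker`, the `BAD_CONTENT` marker and all addresses are constructed for the demonstration (RFC 5737 documentation ranges), not Snort code.

```python
"""Added example, not from the thread: why an inline rule that blocks on a
single packet hands the firewall to the attacker, and what requiring an
'established' TCP connection buys you. Addresses and traffic are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flags present: subset of {"SYN", "ACK"}
    payload: bytes = b""


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})

# Stands in for a rule's 'content:' option (constructed marker).
BAD_CONTENT = b"BAD_TRAFFIC"


class FlowTracker:
    """Minimal TCP connection tracking. A flow is 'established' only after the
    SYN, SYN/ACK, ACK exchange has been seen in both directions, which an
    off-path sender forging someone else's source address cannot complete."""

    def __init__(self):
        # (client, server) -> "syn_sent" | "syn_received" | "established"
        self.state = {}

    def observe(self, p):
        """Update state with packet p; return whether p belongs to an established flow."""
        if p.proto != "tcp":
            return False  # UDP has no handshake, so nothing is ever 'established'
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == SYN:
            self.state[fwd] = "syn_sent"
        elif p.flags == SYN_ACK and self.state.get(rev) == "syn_sent":
            self.state[rev] = "syn_received"
        elif "ACK" in p.flags and self.state.get(fwd) == "syn_received":
            self.state[fwd] = "established"
        return "established" in (self.state.get(fwd), self.state.get(rev))


def stateless_ips(packets):
    """Rule without 'established': block the source of any packet whose payload matches."""
    blocked = set()
    for p in packets:
        if BAD_CONTENT in p.payload:
            blocked.add(p.src)
    return blocked


def established_only_ips(packets):
    """Rule with an 'established' requirement: block only inside a completed TCP connection."""
    blocked, tracker = set(), FlowTracker()
    for p in packets:
        established = tracker.observe(p)
        if BAD_CONTENT in p.payload and established:
            blocked.add(p.src)
    return blocked


ROUTER, VICTIM, ATTACKER = "192.0.2.1", "198.51.100.10", "203.0.113.7"


def demo_traffic():
    """Constructed traffic: two forged packets claiming to come from the
    upstream router, then a genuine connection from the attacker's own address."""
    return [
        # A single UDP datagram with a forged source: the router's address.
        Packet(ROUTER, VICTIM, "udp", payload=BAD_CONTENT),
        # A forged SYN from the 'router'; the handshake never completes.
        Packet(ROUTER, VICTIM, "tcp", SYN, BAD_CONTENT),
        # The attacker's real connection: full handshake, then the matching payload.
        Packet(ATTACKER, VICTIM, "tcp", SYN),
        Packet(VICTIM, ATTACKER, "tcp", SYN_ACK),
        Packet(ATTACKER, VICTIM, "tcp", ACK),
        Packet(ATTACKER, VICTIM, "tcp", ACK, BAD_CONTENT),
    ]


if __name__ == "__main__":
    traffic = demo_traffic()
    print("stateless rule blocks:  ", sorted(stateless_ips(traffic)))         # router is cut off
    print("established rule blocks:", sorted(established_only_ips(traffic)))  # only the attacker
```

The stateless rule blocks the upstream router's address on the strength of one forged datagram; the established-only rule blocks just the host that actually completed a handshake. The toy tracker checks flags only; real stream tracking also validates sequence numbers, which is what stops a forged SYN/ACK from faking the third step. In Snort this is the `flow:established` option together with the stream preprocessor, and James's advice to run in alert mode first before dropping on a rule still applies to rules that do carry it.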
 
> Message: 1
> Date: Sun, 6 Mar 2005 22:25:42 +0100 (MET)
> From: mosquitooth at ...158...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Which rules to get inline
> 
> Hi,
> 
> Snort is able to get 'inline' and therefore act
> as an IPS. But, as there are still some false
> positives, it seems to me that not every rule is
> useful in an IPS environment - but which are? I
> think that especially the BAD_TRAFFIC and BACKDOOR
> rules won't fail often - so these would be of first
> choice when deploying an 'IPS'. Do you agree? Which
> rules do you think would serve this purpose?
> 
> Thanks for any answers on this poll,
> 
> Peter
> 
> 
> 
> --__--__--
> 
> Message: 2
> From: "Neil" <nro at ...384...>
> To: <snort-users at lists.sourceforge.net>
> Date: Sun, 6 Mar 2005 18:09:42 -0500
> Subject: [Snort-users] take a .pcap file and convert
> to .csv file
> 
> 
> snort users list:
> 
>  
> 
> I am new to snort.
> 
> I am running snort on a windows XP box (sorry my
> *nix boxes are currently
> offline).
> 
> How do I simultaneously read a tcpdump file and
> output this same file to csv
> (for Excel use)?
> 
>  
> 
> I can read the tcpdump file
> 
> F:\snort\bin>snort -r  file.pcap 
> 
>  
> 
> and I have added the following to snort.conf
> 
> output alert_CSV: F:\Snort\log\alert.csv
> timestamp,msg,proto,src,srcport,dst,dstport
> 
> 
> However, how do I combine both actions at once?
> 
>  
> 
> When I run F:\snort\bin>snort -r  file.pcap  a csv
> file never materializes.
> 
>  
> 
> I've read through several email archives, and did
> not quite see this issue,
> and tried a few things from answers to other
> questions with no luck.
> 
> Thanks
> 
> -neil
> 
> 
> --__--__--
> 
> Message: 3
> Date: Sun, 06 Mar 2005 19:29:05 -0500
> From: Jason <security at ...5028...>
> To: Neil <nro at ...384...>
> CC:  snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] take a .pcap file and
> convert to .csv file
> 
> if you are doing this offline and you want every
> packet to create a line 
> then you need a rule like the following as your only rule
> 
> alert ip any any -> any any (msg:"Insane logs";
> sid:3000000; rev:1;)
> 
> There are likely better tools for creating a csv
> file with header 
> information but it will work.
> 
> 
> 
> --__--__--
> 
> Message: 4
> Date: Sun, 6 Mar 2005 21:49:28 -0500
> From: Jason Benway <benwaynet at ...11827...>
> Reply-To: Jason Benway <benwaynet at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] error starting snort
> 
> I started trying to update the snort rules using
> oinkmaster
> Before I started updating the rules everything was
> working.
> I have all my rules in /etc/snort/rules
> I did try adding the bleeding snort rules, but I've
> commented them out
> and I'm still getting the error.
> 
> But now I get
> ERROR: ./snort.conf(289) => Unable to open the IIS
> Unicode Map file
> './unicode.map'.
> Fatal Error, Quitting..
> 
> thanks, jb
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest
> 
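On Neil's pcap-to-CSV question and Jason's catch-all rule in the digest above: in Snort 2.x the configuration file, and with it any output plugin such as `alert_CSV`, is only loaded when the command line includes `-c snort.conf`; `snort -r file.pcap` on its own just reads the capture, so nothing ever writes the CSV. Where the goal is simply one CSV line per packet, the following added example (not from the thread and not Snort code) does that directly in Python, emitting the same columns Neil configured (`timestamp,msg,proto,src,srcport,dst,dstport`) and reusing the `Insane logs` label from Jason's rule as the `msg` for every row. The sample capture is constructed in memory; the timestamp is rendered as UTC ISO 8601 rather than in Snort's own format, and only little-endian Ethernet pcaps are handled.

```python
"""Added example, not from the thread or the Snort project: a small
pcap-to-CSV converter producing the columns configured for alert_CSV.
The sample capture below is constructed, not a real trace."""
import csv
import io
import socket
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
FIELDS = ["timestamp", "msg", "proto", "src", "srcport", "dst", "dstport"]
MSG = "Insane logs"          # label from Jason's catch-all rule, applied to every packet


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP/UDP. Returns the address columns, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    name = {6: "TCP", 17: "UDP"}.get(proto)
    if name is None or len(l4) < 4:
        # Other IP protocols (ICMP, GRE, ...) carry no ports; keep the protocol number.
        return {"proto": str(proto), "src": src, "srcport": "", "dst": dst, "dstport": ""}
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": name, "src": src, "srcport": sport, "dst": dst, "dstport": dport}


def parse_pcap(data):
    """Walk the pcap global header and records, returning one row per IPv4 packet."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap variant (expected little-endian, usec timestamps)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    rows, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        cols = decode_frame(frame)
        if cols is None:
            continue
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc) + timedelta(microseconds=ts_usec)
        rows.append({"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), "msg": MSG, **cols})
    return rows


def to_csv(rows):
    """Render rows under the header line Neil configured for alert_CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def pcap_to_csv(pcap_path, csv_path):
    """File-to-file wrapper for real captures."""
    with open(pcap_path, "rb") as f:
        data = f.read()
    with open(csv_path, "w", newline="") as out:
        out.write(to_csv(parse_pcap(data)))


# --- constructed sample capture (not a real trace) ---------------------------
def _ipv4_frame(proto, src, dst, l4):
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def _record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def sample_pcap():
    """Two packets at 2005-03-07 02:20:48 UTC: a TCP SYN to port 80 and a UDP DNS query."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 53000, 53, 8, 0)
    return (header
            + _record(1110162048, 0, _ipv4_frame(6, "192.0.2.10", "198.51.100.5", tcp_syn))
            + _record(1110162048, 500000, _ipv4_frame(17, "192.0.2.10", "198.51.100.53", udp)))


if __name__ == "__main__":
    print(to_csv(parse_pcap(sample_pcap())), end="")
```

Run it as-is to see the two constructed rows, or call `pcap_to_csv("file.pcap", "alert.csv")` on a real capture. Because every frame becomes a row, the output grows as fast as the capture, which is the same trade-off Jason notes for his catch-all rule.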
