[Snort-users] Snort-users Digest, Vol 66, Issue 25

Matthew Meersman mmeersman at ...15442...
Wed Nov 30 15:42:28 EST 2011


On 11/30/11, snort-users-request at lists.sourceforge.net
<snort-users-request at lists.sourceforge.net> wrote:
> Send Snort-users mailing list submissions to
> 	snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> 	snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
> 	snort-users-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. CanSecWest 2012 Mar 7-9;	2nd call for papers, closes next
>       week, Monday. Dec 5 2011 (Dragos Ruiu)
>    2. Re: Some alerts not logging packet data (James Lay)
>    3. How to best do DB *and* syslog logging? (Miguel Alvarez)
>    4. Re: How to best do DB *and* syslog logging? (Joel Esler)
>    5. Re: How to best do DB *and* syslog logging? (Eoin Miller)
>    6. Re: How to best do DB *and* syslog logging? (beenph)
>    7. Re: How to best do DB *and* syslog logging? (Martin Holste)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 29 Nov 2011 17:59:54 -0800
> From: Dragos Ruiu <dr at ...381...>
> Subject: [Snort-users] CanSecWest 2012 Mar 7-9;	2nd call for papers,
> 	closes next week, Monday. Dec 5 2011
> To: snort-users at lists.sourceforge.net
> Message-ID: <201111291759.54537.dr at ...381...>
> Content-Type: text/plain;  charset="iso-8859-1"
>
> So after a dozen years or so organizing conferences, you
> get the urge to pull levers and try experimenting with
> things. So this year I sent out the CanSecWest CFP
> only over Twitter, and G+ publicly. Just curious as to the
> adoption and information dispersion rate, and some
> estimate of the attention these newer channels are getting.
>
> So after this experiment I hear about people having
> submissions and missing the CFP. So for my control set,
> here is the normal announce message to different e-mail
> lists. We'll do a Second CanSecWest CFP, but a brief one.
> Send us your proposal by the end of Monday next week,
> December 5, 2011.
>
> The questions and information needed are the same as
> usual (see website); also, for my curiosity, could you
> include:
>
> 12. Where did you hear about the CFP from?
>
> cheers,
> --dr
>
> --
> World Emerging Security Technology
> Vancouver, March 7-9  http://cansecwest.com
> pgpkey http://cansecwest.com/ kyxpgp
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 30 Nov 2011 07:08:37 -0700
> From: James Lay <jlay at ...13475...>
> Subject: Re: [Snort-users] Some alerts not logging packet data
> To: Snort <snort-users at lists.sourceforge.net>
> Message-ID: <CAFB85A8.EA48%jlay at ...13475...>
> Content-Type: text/plain; charset="us-ascii"
>
> Haven't received much on this, so I thought I'd try and add some more info.
> Here's the hit:
> 11/27-10:52:18.548118  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers
> [**] [Classification: Sensitive Data was Transmitted Across the Network]
> [Priority: 2] {TCP} INT_IP:51126 -> EX_IP:25
>
>
> u2spewfoo output:
> (Event)
>         sensor id: 0    event id: 1312  event second: 1322416338 event microsecond: 548118
>         sig id: 2       gen id: 138     revision: 1      classification: 35
>         priority: 2     ip source: IN_IP     ip destination: EXT_IP
>         src port: 51126 dest port: 25   protocol: 6     impact_flag: 0 blocked: 0
>
> There's no information in the tcpdump.log file.
>
> Not sure if this matters or not, but here are the SMTP-relevant entries:
> preprocessor smtp: ports { 25 465 587 691 } \
>     inspection_type stateful \
>     b64_decode_depth 0 \
>     qp_decode_depth 0 \
>     bitenc_decode_depth 0 \
>     uu_decode_depth 0 \
>     log_mailfrom \
>     log_rcptto \
>     log_filename \
>     log_email_hdrs \
>     normalize cmds \
>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     max_command_line_len 512 \
>     max_header_line_len 1000 \
>     max_response_line_len 512 \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     xlink2state { enabled }
>
> Does anyone have any hints or ideas?  Thank you.
>
> James
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 30 Nov 2011 09:45:00 -0700
> From: Miguel Alvarez <miguellvrz9 at ...11827...>
> Subject: [Snort-users] How to best do DB *and* syslog logging?
> To: Snort Users <snort-users at lists.sourceforge.net>
> Message-ID:
> 	<CAMCxHFTm8wv_bJCFJ-s8KW+ETw2s2nJ+zWfuSWc7XfFxmrrbFg at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Right now, I'm logging my snort alerts back to a syslog server but I'd
> like to start playing with Snorby.  Please correct me if I'm wrong but
> I think the ideal way to do this would be to log via unified2 and use
> barnyard to send the alert data to snorby's DB but I can't lose my
> syslog functionality.  I really wish barnyard was able to do this on
> non-Windows boxes!  But what would be the best way to achieve this
> short of running two separate snort instances?
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 30 Nov 2011 11:53:19 -0500
> From: Joel Esler <jesler at ...1935...>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: Miguel Alvarez <miguellvrz9 at ...11827...>
> Cc: Snort Users <snort-users at lists.sourceforge.net>
> Message-ID: <C1B2AFFC-E894-455B-B636-705922F50873 at ...1935...>
> Content-Type: text/plain; charset=us-ascii
>
> Snorby reads the unified2 file directly.  No need for barnyard2.
>
> J
>
> On Nov 30, 2011, at 11:45 AM, Miguel Alvarez wrote:
>
>> Right now, I'm logging my snort alerts back to a syslog server but I'd
>> like to start playing with Snorby.  Please correct me if I'm wrong but
>> I think the ideal way to do this would be to log via unified2 and use
>> barnyard to send the alert data to snorby's DB but I can't lose my
>> syslog functionality.  I really wish barnyard was able to do this on
>> non-Windows boxes!  But what would be the best way to achieve this
>> short of running two separate snort instances?
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 30 Nov 2011 16:55:16 +0000
> From: Eoin Miller <eoin.miller at ...14586...>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: snort-users at lists.sourceforge.net
> Message-ID: <4ED65FF4.4050105 at ...14586...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Barnyard2 does multiple outputs simultaneously.
>
> http://www.securixlive.com/barnyard2/
>
> -- Eoin
>
> On 11/30/2011 4:45 PM, Miguel Alvarez wrote:
>> Right now, I'm logging my snort alerts back to a syslog server but I'd
>> like to start playing with Snorby.  Please correct me if I'm wrong but
>> I think the ideal way to do this would be to log via unified2 and use
>> barnyard to send the alert data to snorby's DB but I can't lose my
>> syslog functionality.  I really wish barnyard was able to do this on
>> non-Windows boxes!  But what would be the best way to achieve this
>> short of running two separate snort instances?
>>
>
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 30 Nov 2011 14:03:17 -0500
> From: beenph <beenph at ...11827...>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: Miguel Alvarez <miguellvrz9 at ...11827...>
> Cc: barnyard2-users at ...14071...,	Snort Users
> 	<snort-users at lists.sourceforge.net>
> Message-ID:
> 	<CAFU9AX91KN3zDfoa8dQTzsu5z+B9mvODzm4YrD5mRzaB+DEqAQ at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 at ...11827...>
> wrote:
>> Right now, I'm logging my snort alerts back to a syslog server but I'd
>> like to start playing with Snorby.  Please correct me if I'm wrong but
>> I think the ideal way to do this would be to log via unified2 and use
>> barnyard to send the alert data to snorby's DB but I can't lose my
>> syslog functionality.  I really wish barnyard was able to do this on
>> non-Windows boxes!  But what would be the best way to achieve this
>> short of running two separate snort instances?
>>
> If you need local syslog and to forward it, barnyard2 currently supports
> this on Windows and non-Windows systems.
>
> If you need remote syslog logging,
> you can access the feature in its current branch via
>
> https://github.com/binf/barnyard2/tree/RemoteSyslogFix
>
> Also, if you look in the provided barnyard2.conf you can see an output plugin
> conf example.
>
> Note that it uses a slightly different logging message format from the
> default snort format, but you have the possibility to configure field
> delimiters and separators from the config file.
>
> Configuration example for remote syslog
> # alert_syslog
> # ----------------------------------------------------------------------------
> #
> # Purpose:
> # This output module provides the ability to output alert information to local syslog
> #
> # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> #
> # Examples:
> # output alert_syslog
> # output alert_syslog: LOG_AUTH LOG_INFO
> #
> # syslog_full
> #-------------------------------
> # Available as both a log and alert output plugin. Used to output data via TCP/UDP
> # Arguments:
> # sensor_name $sensor_name - unique sensor name
> # server $server - server the device will report to
> # protocol $protocol - protocol device will report over (tcp/udp)
> # port $port - destination port device will report to (default: 514)
> # detail $detail_threshold - specify full/complete log reporting or only summaries.
> # delimiters - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
> # separators - define field separator included in each message ex: " " , will use space as field separator. (default: [:space:])
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
> # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
> # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>
> If you have barnyard2 related questions, you're also welcome to send them
> over to the by2 ML's.
>
> -elz
>
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 30 Nov 2011 13:32:41 -0600
> From: Martin Holste <mcholste at ...11827...>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: beenph <beenph at ...11827...>
> Cc: barnyard2-users at ...14071...,	Snort Users
> 	<snort-users at lists.sourceforge.net>
> Message-ID:
> 	<CANpnLHj=mPnts5iGNPQ1MScVFoouw4KFR8S-=9jC=VWYB6RE9w at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> It's tough to beat Snorby for just Snort data, but if you'd also like
> your console to contain URL data and router/server logs, and since
> you're already doing syslog, you may want to check out my ELSA
> project: http://code.google.com/p/enterprise-log-search-and-archive/ .
>
> ------------------------------
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 66, Issue 25
> *******************************************
>

-- 
Sent from my mobile device


***********************************************************
Matthew Meersman
Senior Systems Engineer
National Democratic Institute for International Affairs
455 Mass. Ave., NW, Eighth Floor
Washington, DC 20001-2621
Direct: (202) 728-5621
Main:   (202) 728-5500
Cell:   (202) 302-1594
Fax:    (202) 728-5523
Email:  mmeersman at ...15442...
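James Lay's message in the digest above reports a unified2 Event for which u2spewfoo shows no packet data. As an added example that is not part of the digest or of Snort's own tools, this Python script reads a unified2 spool and lists events that have no Packet record sharing their (sensor_id, event_id, event_second) key; it uses the legacy IPv4 event layout (record type 7) and the packet layout (type 2) from Snort's Unified2_common.h, and the sample bytes are constructed.

```python
import struct
from io import BytesIO

# Record types and layouts from Snort's Unified2_common.h (network byte order).
UNIFIED2_PACKET = 2       # Serial_Unified2Packet: 28-byte header, then packet bytes
UNIFIED2_IDS_EVENT = 7    # Unified2IDSEvent_legacy: 52-byte IPv4 event
EVENT_FMT = ">11I2H4B"
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")
PACKET_HDR_FMT = ">7I"  # sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, pkt_len

def read_records(stream):
    """Yield (type, body) per record; stop quietly at a truncated tail."""
    while True:
        hdr = stream.read(8)
        if len(hdr) < 8:
            return
        rtype, length = struct.unpack(">II", hdr)
        body = stream.read(length)
        if len(body) < length:
            return
        yield rtype, body

def events_without_packets(stream):
    """Return Event records with no Packet record sharing their (sensor_id,
    event_id, event_second) key, which is how u2spewfoo pairs the two."""
    events, packet_keys = {}, set()
    for rtype, body in read_records(stream):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= struct.calcsize(EVENT_FMT):
            ev = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)))
            events[(ev["sensor_id"], ev["event_id"], ev["event_second"])] = ev
        elif rtype == UNIFIED2_PACKET and len(body) >= struct.calcsize(PACKET_HDR_FMT):
            packet_keys.add(struct.unpack_from(">3I", body))
    return [ev for key, ev in events.items() if key not in packet_keys]

def record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body  # Unified2RecordHeader + body

def sample_stream():
    """Constructed unified2 data: event 1312 (gid 138, sid 2, as in the thread)
    with no packet record, and event 1313 with a 4-byte packet record."""
    src, dst = 0x0A000001, 0xC0A80002   # constructed 10.0.0.1 -> 192.168.0.2
    ev1312 = struct.pack(EVENT_FMT, 0, 1312, 1322416338, 548118, 2, 138, 1, 35,
                         2, src, dst, 51126, 25, 6, 0, 0, 0)
    ev1313 = struct.pack(EVENT_FMT, 0, 1313, 1322416400, 0, 1000001, 1, 1, 35,
                         2, src, dst, 40000, 25, 6, 0, 0, 0)
    pkt = struct.pack(PACKET_HDR_FMT, 0, 1313, 1322416400, 1322416400, 0, 1, 4)
    return BytesIO(record(UNIFIED2_IDS_EVENT, ev1312) +
                   record(UNIFIED2_IDS_EVENT, ev1313) +
                   record(UNIFIED2_PACKET, pkt + b"\x45\x00\x00\x28"))
```

Run `events_without_packets(open("snort.log.1322416338", "rb"))` against a real spool to get the same orphan list for your own sensor; each returned dict carries the gid:sid:rev and ports needed to match the alert line.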