[Snort-users] Snort-sigs Digest, Vol 76, Issue 14

PR oly562 at ...11827...
Tue Sep 11 15:06:36 EDT 2012


In quotes?

Also, what I'm trying to do is log and capture any sid/event from audit
software aimed at this Snort server. I wish to capture it all, on BASE.

BASE works, but now that I enabled $RULES and removed the entry in
local.rules, when I fire up snort/barnyard2 with the same cmds (here
they are again) it's not logging attack/audit attempts to BASE
anymore.... I doubt I need to enter all the stuff I want in
local.rules; that would be hard for me. I should be able to enable the
preproc so rules, regular 2.9.3.1 rules in /etc/snort/rules, and so on and so
forth... Do I need to specify everything I want in snort.conf?
Specifically? Isn't this a vanilla snort.conf minus specifying the home
net? Or host system?

I need to read the manual for Snort now....


More to follow... sighs...



On Tue, 2012-09-11 at 13:29 -0400, Joel Esler wrote:
> Your HOME_NET should read "ipvar HOME_NET 192.168.1.0/24"
> 
> If that's what you are trying to do.
> 
> On Sep 11, 2012, at 1:24 PM, PR <oly562 at ...11827...> wrote:
> 
> > When I ran a script, a simple bash one with 2 lines just like I type them into
> > the cmdline, it said ipvar 192.168.1.0/24 can't be something... I have
> > since just run the cmds one at a time, and I don't see that anymore, but
> > it said failed or errored... something like that. Sorry I missed it...
> > Maybe it's in the logs? I can't read the logs as they are in unified
> > format, I guess... lol....
> > 
> > ls /var/log/snort/
> > alert                 snort.log.1347321601  snort.log.1347374349
> > snort.log.1347320873  snort.log.1347325626  snort.log.1347382370
> > snort.log.1347321584  snort.log.1347346937  snort.log.1347382486
> > snort.log.1347321592  snort.log.1347347097  snort.log.1347383400
> > 
> > This is what I mean, I can't less them:
> > 
> > less /var/log/snort/snort.log.1347320873 
> > "/var/log/snort/snort.log.1347320873" may be a binary file.  See it
> > anyway?
> > 
> > Your thoughts?
> > 
> > Thanks, Pete
> > 
> > 
> > On Tue, 2012-09-11 at 17:04 +0000,
> > snort-sigs-request at lists.sourceforge.net wrote:
> >> Send Snort-sigs mailing list submissions to
> >> 	snort-sigs at lists.sourceforge.net
> >> 
> >> To subscribe or unsubscribe via the World Wide Web, visit
> >> 	https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >> or, via email, send a message with subject or body 'help' to
> >> 	snort-sigs-request at lists.sourceforge.net
> >> 
> >> You can reach the person managing the list at
> >> 	snort-sigs-owner at lists.sourceforge.net
> >> 
> >> When replying, please edit your Subject line so it is more specific
> >> than "Re: Contents of Snort-sigs digest..."
> >> 
> >> 
> >> Today's Topics:
> >> 
> >>   1. Re: Couple sigs (lists at ...14939...)
> >>   2. Re: Couple sigs (Alex Kirk)
> >>   3. Re: Couple sigs (lists at ...14939...)
> >>   4. Re: Up and Running (Joel Esler)
> >> 
> >> 
> >> ----------------------------------------------------------------------
> >> 
> >> Message: 1
> >> Date: Mon, 10 Sep 2012 10:40:16 -0500
> >> From: "lists at ...14939..." <lists at ...14939...>
> >> Subject: Re: [Snort-sigs] Couple sigs
> >> To: Alex Kirk <akirk at ...1935...>
> >> Cc: Snort-sigs <snort-sigs at lists.sourceforge.net>
> >> Message-ID: <504E09E0.3080403 at ...14939...>
> >> Content-Type: text/plain; charset="us-ascii"
> >> 
> >> On 09/10/12 10:30, Alex Kirk wrote:
> >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION
> >>> hidden iframe - potential include of malicious content"; flow:to_client,
> >>> established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase;
> >>> distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80;
> >>> content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
> >>> classtype:bad-unknown;)
> >> 
> >> I've seen \x22 and \x27 being used occasionally to quote the in-line style
> >> declaration.
> >> 
> >> Cheers,
> >> Nathan
> >> 
> >> 
> >> 
> >> 
> >> ------------------------------
> >> 
> >> Message: 2
> >> Date: Mon, 10 Sep 2012 12:00:04 -0400
> >> From: Alex Kirk <akirk at ...1935...>
> >> Subject: Re: [Snort-sigs] Couple sigs
> >> To: "lists at ...14939..." <lists at ...14939...>
> >> Cc: Snort-sigs <snort-sigs at lists.sourceforge.net>
> >> Message-ID:
> >> 	<CABed_ZcRBwOY4tP2-WcSHrQS8RO-5hvqwUbBQfewyxjvaVP+Rg at ...11828...>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >> 
> >> On Mon, Sep 10, 2012 at 11:40 AM, lists at ...14939... <lists at ...14939...> wrote:
> >> 
> >>> On 09/10/12 10:30, Alex Kirk wrote:
> >>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION
> >>>> hidden iframe - potential include of malicious content"; flow:to_client,
> >>>> established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase;
> >>>> distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80;
> >>>> content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
> >>>> classtype:bad-unknown;)
> >>> 
> >>> I've seen \x22 and \x27 being used occasionally to quote the in-line style
> >>> declaration.
> >>> 
> >>> Cheers,
> >>> Nathan
> >>> 
> >>> 
> >> Which, of course, goes back to the whole issue of "HTML is such a
> >> relatively free-form mockup language that there's a zillion ways to evade
> >> any sort of detection."
> >> 
> >> If this concept isn't totally blown out of the water by lots of legitimate
> >> web sites using hidden iframes, then it seems to me that the best way to
> >> proceed is to figure out what's the least performance-intensive way of
> >> accounting for all of the potential permutations. This may end up being
> >> several rules, or potentially even a single rule with a PCRE; I'm honestly
> >> agnostic as to how the end result is achieved, so long as it works when
> >> we're done. Long-term, it might even make sense to have additional Snort
> >> functionality to normalize cases like this (i.e. standardize how quotes
> >> appear in a normalized buffer) to make things more sane, but that's
> >> something we'd need to debate fairly extensively within the community
> >> before implementing, I'm sure.
> >> 
> >> In the meantime, thanks for the input, you make a very good point.
> >> 
> >> -- 
> >> Alex Kirk
> >> AEGIS Program Lead
> >> Sourcefire Vulnerability Research Team
> >> +1-410-423-1937
> >> alex.kirk at ...1935...
> >> 
> >> ------------------------------
> >> 
> >> Message: 3
> >> Date: Mon, 10 Sep 2012 11:09:41 -0500
> >> From: "lists at ...14939..." <lists at ...14939...>
> >> Subject: Re: [Snort-sigs] Couple sigs
> >> To: Alex Kirk <akirk at ...1935...>
> >> Cc: Snort-sigs <snort-sigs at lists.sourceforge.net>
> >> Message-ID: <504E10C5.70708 at ...14939...>
> >> Content-Type: text/plain; charset="us-ascii"
> >> 
> >> On 09/10/12 11:00, Alex Kirk wrote:
> >>> single rule with a PCRE
> >> 
> >> I'm kind of partial to:
> >> 
> >> file_data; content:"<iframe "; nocase; content:"visibility|3a|hidden";
> >> within:100; nocase; pcre:"/\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]/i";
> >> 
> >> Not really sure though how to make that one performance friendly since the PCRE
> >> engine may be invoked often.
> >> 
> >> Either way, good conversation James and Alex, I believe this theme to be very
> >> useful.
> >> 
> >> 
> >> 
> >> ------------------------------
> >> 
> >> Message: 4
> >> Date: Tue, 11 Sep 2012 13:04:35 -0400
> >> From: Joel Esler <jesler at ...1935...>
> >> Subject: Re: [Snort-sigs] Up and Running
> >> To: PR <oly562 at ...11827...>
> >> Cc: snort-sigs <snort-sigs at lists.sourceforge.net>
> >> Message-ID: <28EBC923-168A-4444-A8F7-34501E42481E at ...1935...>
> >> Content-Type: text/plain; charset="us-ascii"
> >> 
> >> On Sep 11, 2012, at 1:02 PM, PR <oly562 at ...11827...> wrote:
> >> 
> >>> 4. The only thing I see complaining so far was the ipvar option for
> >>> 192.168.1.0/24, and the No White/Black_list.rules that are there.
> >>> Maybe perms or chown needed on rules dir?
> >> 
> >> What complained about the ipvar option for HOME_NET?
> >> 
> >> But, white and black list rules are not in our standard ruleset at this time.
> >> 
> >> --
> >> Joel Esler
> >> Senior Research Engineer, VRT
> >> OpenSource Community Manager
> >> Sourcefire
> >> 
> >> ------------------------------
> >> 
> >> 
> >> ------------------------------
> >> 
> >> _______________________________________________
> >> Snort-sigs mailing list
> >> Snort-sigs at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >> http://www.snort.org
> >> 
> >> 
> >> Please visit http://blog.snort.org for the latest news about Snort!
> >> 
> >> End of Snort-sigs Digest, Vol 76, Issue 14
> >> ******************************************
> > 
> 
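The hidden-iframe rule and Nathan's PCRE variant from the quoted Snort-sigs messages above, run over a handful of constructed HTML bodies. This is an added example, not code from the thread or from Snort: it emulates the draft rule's relative content matching in Python (a simplification; Snort's engine also retries earlier contents when a later one fails), applies Nathan's PCRE verbatim behind his two content matches, and adds a third, looser pattern of my own to show what tolerating optional quotes and whitespace buys. The sample bodies, the _find_ci helper and the TOLERANT pattern are mine and are not from the page.

```python
import re

# Constructed HTML bodies (not from the thread): the quoting permutations Nathan
# raises (\x22 and \x27 around the style declaration), plus one benign embed.
SAMPLES = {
    "unquoted": "<html><body><iframe src=http://x/ width=1 height=1 style=visibility:hidden></iframe></body></html>",
    "quoted_style_only": "<iframe src=x width=1 height=1 style=\"visibility:hidden\"></iframe>",
    "all_double_quoted": "<iframe src=\"http://x/\" width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>",
    "all_single_quoted": "<iframe src='http://x/' width='1' height='1' style='visibility:hidden'></iframe>",
    "css_whitespace": "<iframe src=x width=1 height=1 style=\"visibility : hidden\"></iframe>",
    "benign_player": "<iframe src=\"https://video.example.invalid/embed\" width=\"560\" height=\"315\"></iframe>",
}


def _find_ci(hay, needle, start, within):
    """Simplified Snort content match: case-insensitive search for needle inside
    hay[start:start+within]; returns the offset just past the match, or -1.
    Unlike Snort it takes the first hit and never retries earlier contents."""
    window = hay[start:start + within].lower()
    idx = window.find(needle.lower())
    return -1 if idx < 0 else start + idx + len(needle)


def content_chain_matches(body):
    """Alex's draft rule: four content matches, all expecting unquoted attributes."""
    end = _find_ci(body, "<iframe ", 0, len(body))           # content:"<iframe "; nocase;
    if end < 0:
        return False
    end = _find_ci(body, "width=1", end, 50)                 # distance:0; within:50;
    if end < 0:
        return False
    end = _find_ci(body, "height=1", max(end - 40, 0), 80)   # distance:-40; within:80;
    if end < 0:
        return False
    # content:"style=visibility|3a|hidden"; |3a| is ':' in Snort's hex notation
    return _find_ci(body, "style=visibility:hidden", max(end - 40, 0), 80) >= 0


# Nathan's PCRE as posted; \x3c \x3e \x3d are < > = written as hex to avoid escaping.
NATHAN_PCRE = re.compile(r"\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]", re.I)


def pcre_variant_matches(body):
    """Nathan's variant: two content matches, then the PCRE over the whole body."""
    end = _find_ci(body, "<iframe ", 0, len(body))
    if end < 0:
        return False
    if _find_ci(body, "visibility:hidden", end, 100) < 0:   # within:100; nocase;
        return False
    return NATHAN_PCRE.search(body) is not None


# My own looser pattern (not from the thread): optional quotes and whitespace around
# the 0/1-pixel dimension and around the CSS declaration, in either attribute order.
TOLERANT = re.compile(
    r"<iframe\b"
    r"(?=[^>]*\b(?:width|height)\s*=\s*[\"']?\s*[01]\s*(?:[\"']|\s|>))"
    r"(?=[^>]*\bvisibility\s*:\s*hidden)"
    r"[^>]*>",
    re.I,
)


def tolerant_matches(body):
    return TOLERANT.search(body) is not None


def evaluate(samples=SAMPLES):
    """Return {sample_name: {approach: matched}} for every sample body."""
    return {
        name: {
            "content_chain": content_chain_matches(html),
            "pcre_variant": pcre_variant_matches(html),
            "tolerant": tolerant_matches(html),
        }
        for name, html in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print("%-18s %s" % (name, "  ".join("%s=%s" % kv for kv in hits.items())))
```

On these constructed bodies the content chain fires only on the fully unquoted form; Nathan's PCRE also survives a quoted style attribute, but not quoted width/height, because `=[0-1]` requires the digit immediately after the `=`; only the looser pattern catches the quoted and whitespace-padded forms. Alex's false-positive concern applies to all three equally, since none of them looks at where the iframe points.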

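The snort.log.* files PR lists above are unified2, the binary record format Snort writes for barnyard2 to consume, so less is the wrong tool; Snort ships u2spewfoo (under tools/ in the source tree) for dumping them. As an added example, not code from the thread, from Snort or from barnyard2, here is a minimal reader in Python that decodes the record header and the legacy IPv4 IDS event (type 7) and packet (type 2) records following the structs in Snort's unified2_common.h; other record types (IPv6, VLAN, extra-data) are reported by type and length only. The two-record sample stream in build_sample() is constructed, not a real capture, and the hypothetical file name u2read.py is just for the usage line.

```python
import ipaddress
import struct
import sys

# Record layouts per Snort's unified2_common.h; every field is big-endian.
RECORD_HDR = struct.Struct("!II")             # type, length of the payload that follows
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy, 52 bytes
PACKET_HDR = struct.Struct("!7I")             # Unified2Packet header, 28 bytes, then raw packet
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7


def parse_unified2(blob):
    """Decode a unified2 byte stream into a list of dicts, one per record."""
    records = []
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        payload = blob[off:off + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated record at offset %d" % (off - RECORD_HDR.size))
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT_LEGACY.size:
            (sensor_id, event_id, sec, usec, sid, gid, rev, classification,
             priority, src, dst, sport, dport, proto, impact_flag, impact,
             blocked) = IDS_EVENT_LEGACY.unpack(payload)
            records.append({
                "type": "event", "length": rlen, "sensor_id": sensor_id,
                "event_id": event_id, "timestamp": sec + usec / 1e6,
                "gid": gid, "sid": sid, "rev": rev,
                "classification_id": classification, "priority": priority,
                "src": str(ipaddress.IPv4Address(src)),
                "dst": str(ipaddress.IPv4Address(dst)),
                "sport": sport, "dport": dport, "proto": proto, "blocked": blocked,
            })
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            (sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype,
             pkt_len) = PACKET_HDR.unpack_from(payload)
            records.append({
                "type": "packet", "length": rlen, "sensor_id": sensor_id,
                "event_id": event_id, "linktype": linktype, "packet_length": pkt_len,
                "packet": payload[PACKET_HDR.size:PACKET_HDR.size + pkt_len],
            })
        else:
            # IPv6 / VLAN / MPLS / extra-data records: not decoded here
            records.append({"type": "other", "length": rlen, "record_type": rtype})
    return records


def format_event(ev):
    """One-line summary keyed the way Snort's text alerts are: [gid:sid:rev]."""
    return "[%d:%d:%d] %s:%d -> %s:%d proto=%d" % (
        ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport"],
        ev["dst"], ev["dport"], ev["proto"])


def build_sample():
    """Constructed stream: one legacy IDS event followed by its packet record."""
    event = IDS_EVENT_LEGACY.pack(
        1, 42, 1347320873, 123456,          # sensor, event id, seconds, microseconds
        1000001, 1, 3,                       # sid, gid, rev
        2, 1,                                # classification, priority
        int(ipaddress.IPv4Address("192.168.1.50")), int(ipaddress.IPv4Address("10.0.0.5")),
        51234, 80, 6, 0, 0, 0)               # sport, dport, proto=tcp, impact flags, blocked
    fake_pkt = b"\x45\x00\x00\x28" + b"\x00" * 36   # placeholder bytes, not a valid frame
    packet = PACKET_HDR.pack(1, 42, 1347320873, 1347320873, 123456, 1, len(fake_pkt)) + fake_pkt
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for rec in parse_unified2(data):
        if rec["type"] == "event":
            print(format_event(rec))
        else:
            print("%s record, %d bytes" % (rec["type"], rec["length"]))
```

Usage against a real file is `python3 u2read.py /var/log/snort/snort.log.1347320873`; with no argument it decodes the constructed sample. The sid/gid pair it prints is what barnyard2 resolves against sid-msg.map and gen-msg.map before the event lands in BASE, so an event that shows up here but not in BASE points at the barnyard2 side rather than at Snort's rules.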