[Snort-users] Snort 2.9.4.5 rules using pp

James Lay digitalx00 at ...11827...
Wed Apr 24 08:37:35 EDT 2013


Ok let's test this out…go to in a browser (harmless):

registry.pw

This will fire:

Apr 24 06:34:57 gateway snort[7518]: [1:2016777:7] ET CURRENT_EVENTS HTTP Request to a *.pw domain [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.2:50494 -> 174.122.92.75:80

I'd also add:

output alert_fast: snortalert.fast

to see if you see anything in that text log file as well.

James

On Apr 24, 2013, at 5:38 AM, Ashraf Ali <ashrafali.ibs at ...11827...> wrote:

> 
> i have just 
> 
> include $RULE_PATH/snort.rules
> 
> 
> 
> 
> On Wed, Apr 24, 2013 at 4:49 PM, James Lay <digitalx00 at ...11827...> wrote:
> I'm assuming you only have something like this:
> 
> include $RULE_PATH/snort.rules
> include $RULE_PATH/local.rules
> 
> in your snort.conf file…and not a bunch of these?  And that rules file you have should work fine.
> 
> James
> 
> 
> On Apr 24, 2013, at 12:07 AM, Ashraf Ali <ashrafali.ibs at ...11827...> wrote:
> 
>> 
>> Can some body  pls check ...
>> 
>> Below are some the rules from snort.rules file , which PP has created.
>> 
>> # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:22;)
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:16;)
>> # alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT Putty Server key exchange buffer overflow attempt"; flow:to_client,established,no_stream; content:"SSH-"; depth:4; isdataat:1000,relative; pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s"; reference:bugtraq,6407; reference:cve,2002-1359; reference:url,www.rapid7.com/advisories/R7-0009.html; classtype:attempted-user; sid:10010; rev:6;)
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell NetMail APPEND command buffer overflow attempt"; flow:established,to_server; content:"AP"; nocase; isdataat:256,relative; pcre:"/\sAP[A-Za-z]{4}\s[^\n]{256}/smi"; metadata:policy security-ips drop, service imap; reference:bugtraq,21723; reference:cve,2006-6425; classtype:misc-attack; sid:10011; rev:11;)
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CCRP FolderTreeView ActiveX clsid access"; flow:to_client,established; file_data; content:"19B7F2D6-1610-11D3-BF30-1AF820524153"; fast_pattern:only; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19B7F2D6-1610-11D3-BF30-1AF820524153\s*}?\s*\1/si"; metadata:policy security-ips drop, service http; reference:bugtraq,22092; reference:url,ccrp.mvps.org/index.html?controls/ccrpftv6.htm; classtype:attempted-user; sid:10013; rev:11;)
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX clsid access"; flow:to_client,established; file_data; content:"EC4CF635-D196-11CE-9027-02608C4BF3B5"; fast_pattern:only; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\4.*\3\.(UpdateRecord)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(UpdateRecord)\(/siO"; metadata:policy security-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10015; rev:13;)
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Oracle ORADC ActiveX function call access"; flow:to_client,established; file_data; content:"ORADC.ORADCCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\3\s*\.\s*(UpdateRecord)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\7\s*\.\s*(UpdateRecord)\s*\()/smi"; metadata:policy security-ips drop, service http; reference:bugtraq,22026; classtype:attempted-user; sid:10017; rev:9;)
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10018; rev:9;)
>> \d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; reference:bugtraq,22196; reference:bugtraq,33469; reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10086; rev:10;)
>> 
>> 
>> and in the snort.conf file i have HOME_NET AND EXTERNAL_NET variables configured as below.
>>  
>> ipvar HOME_NET any
>> 
>> ipvar EXTERNAL_NET any
>> 
>> i have manually downloaded the latest snapshot of rules from snort.org and copied some of the rules files in to a single file called new.rules, then configured the snort.conf to use this rule file only, restarted the snort services ,Its working fine. i can see the alerts , log file is also filling up.
>> 
>> But could not figure out what the problem with snort.rules file which PP has created.
>> 
>> Regards,
>> Ashraf
>> 
>> 
>> 
>> 
>> 
>> On Tue, Apr 23, 2013 at 4:44 PM, James Lay <jlay at ...13475...> wrote:
>> Let's see one of the rules, and what sdo your HOME_NET and EXTERNAL_NET look like?
>> 
>> James
>> 
>> On Apr 22, 2013, at 10:40 PM, Ashraf Ali <ashrafali.ibs at ...11827...> wrote:
>> 
>>> yes, if i use the command (snort -c /usr/local/snort/snort.conf -i eth0 -A)  and can see lots of traffic on the console but nothing is getting dump in the log file, it is still 0 Bytes.
>>> 
>>> i did a R&D , by creating a file called local.rules in the same rules folder and added a signature (alert tcp any any -> any any(msg:"Tcp traffic found" sid:1000001);
>>> in the snort.conf file i put a # before include statement of snort.rules line and added local.rules 
>>> later restarted both snort and barnyard2 Deamons , Guess what i can see log file filling up, and in GUI i can see the alerts.
>>> 
>>> There seems to be some problem with the snort.rules file which PP has created.
>>> 
>>> Regards,
>>> Ashraf
>>> Security System Engineer.
>>> 
>>> 
>>>  
>>> 
>>> 
>>> On Mon, Apr 22, 2013 at 9:37 PM, Y M <snort at ...15979...> wrote:
>>> If you run snort with -A console or -A cmg, do you see any alerts on the console?
>>> 
>>> Also run tcpdump against the interface you are listening from, simply
>>> 
>>> tcpdump -i ethX -v
>>> 
>>> Do you see any traffic? Replace ethX with your interface.
>>> From: Ashraf Ali
>>> Sent: 4/22/2013 3:37 PM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: [Snort-users] Snort 2.9.4.5 rules using pp
>>> 
>>> Hi All,
>>> 
>>> recently i have deployed snort in ubuntu 12.04 using Autosnort , during the installation PP asked for Oinkcode ,as i am a registered user so i have provided the same.
>>> After completion of the installation, i have seen that snort and barnyard2 services are running in Deamon mode, and in /var/log/snort folder a file with name snort.u2.1366**** is also created but empty(0 bytes).
>>> 
>>> -rw-r--r--  1 snort snort    2056 Apr 22 17:54 barnyard2.waldo
>>> -rw-------  1 snort snort         0 Apr 22 17:54 snort.u2.136662*****
>>> 
>>> there is a single rules file called snort.rules in /usr/local/snort/rules folder which has all the downloaded snort rules, and same is included in the snort.conf file.  
>>> Even i have run the snort in test mode using -T , it does not shows up any problem, its working fine but not generating any logs.
>>> 
>>> I have formated the server , and re-installed every thing manually this time. still the same problem. file is getting created but no logs.
>>> 
>>> pls Advice.
>>> 
>>> Ashraf
>>> Security System Egnineer
>>> 
>>>  
>>> 
>>> ------------------------------------------------------------------------------
>>> Try New Relic Now & We'll Send You this Cool Shirt
>>> New Relic is the only SaaS-based application performance monitoring service 
>>> that delivers powerful full stack analytics. Optimize and monitor your
>>> browser, app, & servers with just a few lines of code. Try New Relic
>>> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> ------------------------------------------------------------------------------
>> Try New Relic Now & We'll Send You this Cool Shirt
>> New Relic is the only SaaS-based application performance monitoring service
>> that delivers powerful full stack analytics. Optimize and monitor your
>> browser, app, & servers with just a few lines of code. Try New Relic
>> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> Try New Relic Now & We'll Send You this Cool Shirt
>> New Relic is the only SaaS-based application performance monitoring service 
>> that delivers powerful full stack analytics. Optimize and monitor your
>> browser, app, & servers with just a few lines of code. Try New Relic
>> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service 
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130424/6bda9b6e/attachment.html>


More information about the Snort-users mailing list