[Snort-users] snort 2.9.4.6 not logging

Maged Shenouda maged67 at ...125...
Fri Jul 19 08:45:46 EDT 2013


 
Hi
 
I changed the snort.conf as follows
 
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
 
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/RPP_white.rules, \
   blacklist $BLACK_LIST_PATH/RPP_black.rules 

In /etc/snort/rules I renamed the files to RPP_black.rules & RPP_white.rules, but there was another file named blacklist.rules which is listed at the bottom of the snort.conf file:
 
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
I restarted snort but still get the same error:
Processing blacklist file /etc/snort/rules/RPP_black.rules
Jul 19 08:13:34 mm-proxy snort[12340]:       (22) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
Jul 19 08:13:34 mm-proxy snort[12340]:       (23) => Invalid IP Address: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
All those rules are located in /etc/snort/rules
 
Here is part of the RPP_black.rules, not sure if this is the correct format:
-----------------
# BLACKLIST RULES
#-----------------
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:2;)
 
 
 
 
> Date: Thu, 18 Jul 2013 20:47:02 -0400
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> 
> On 7/18/2013 14:28, Maged Shenouda wrote:
> > Here is the snort.conf file configuration
> >
> > ipvar HOME_NET 192.168.0.0/24
> > ipvar EXTERNAL_NET any
> > ipvar SMTP_SERVERS $HOME_NET
> >
> > and so on,,,, don't think the format is wrong?
> 
> you are correct... but wait! what are the names of your blacklist and whitelist 
> files as defined for the reputation processor? there is known confusion between 
> (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and 
> that is exacerbated when both sets reside in the same directory...
> 
> the ones for the reputation processor are in simple IP and/or IP/CIDR format 
> whereas the others are in the standard text rules format... looking closer at 
> the error message, it specifically states "invalid IP address" which leads me to 
> believe that the file name(s) for your reputation processor are incorrect...
> 
> so, check your snort.conf at the reputation processor and see what those file 
> names are that are specified there... then make sure that those names are /not/ 
> included in the list of rules files at the bottom of snort.conf...
> 
> [HINT: more specifically, one set of file names has an underscore '_' in it and 
> the other does not... watch for this and do not get confused by it...
> 
> RECOMMENDATION: name the files specific to the reputation processor to something 
> significantly different than the normal textual blacklist rules file... maybe 
> RPP_black.rules and RPP_white.rules where RPP stands for Reputation 
> Preprocessor... anything that is different from the others and will alleviate 
> the confusion]
> 
> 
> >  > Date: Thu, 18 Jul 2013 13:55:36 -0400
> >  > From: wkitty42 at ...14940...
> >  > To: snort-users at lists.sourceforge.net
> >  > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  >
> >  > On 7/18/2013 13:38, Maged Shenouda wrote:
> >  > > Snort logging still not working even after removing the -A -b parameters
> >  > >
> >  > > Any other clue?
> >  >
> >  > looking at the reply below... what is your HOME_NET set to?? have you fixed it
> >  > to accurately cover your actual protected network(s)??
> >  >
> >  > >
> > --------------------------------------------------------------------------------
> >  > > From: jesler at ...1935...
> >  > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > Date: Thu, 18 Jul 2013 11:55:25 -0400
> >  > > To: maged67 at ...125...
> >  > >
> >  > > No, it looks like you have something messed up in your HOME_NET
> >  > >
> >  > >
> >  > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...125...
> >  > > <mailto:maged67 at ...125...>> wrote:
> >  > >
> >  > > Also when snort started, it checked the black list rules and here is part of
> >  > > system log
> >  > >
> >  > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file
> > /etc/snort/rules/white_list.rules
> >  > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0,
> > invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
> >  > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file
> > /etc/snort/rules/black_list.rules
> >  > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert
> > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
> > domaindatajunction.org <http://datajunction.org/> - Gauss "; flow:to_server;
> > byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only;
> > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
> > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
> > reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
> > <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
> > classtype:trojan-activity; sid:23802; rev:2;)
> >  > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert
> > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
> > domainguest-access.net <http://guest-access.net/> - Gauss "; flow:to_server;
> > byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only;
> > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
> > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
> > reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
> > <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
> > classtype:trojan-activity; sid:23799; rev:2;)
> >  > >
> >  > > is there something wrong with the black list rules ??
> >  > >
> >  > >
> > --------------------------------------------------------------------------------
> >  > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
> >  > > From: jesler at ...1935... <mailto:jesler at ...1935...>
> >  > > Date: Wed, 17 Jul 2013 12:02:40 -0400
> >  > > CC: lists.sourceforge.net <http://lists.sourceforge.net>
> >  > > snort-users at lists.sourceforge.net <mailto:snort-users at ...3054...forge.net>
> >  > > To: maged67 at ...125... <mailto:maged67 at ...125...>
> >  > >
> >  > > Remove your “-A full -b” from your command line. Those are overriding your
> >  > > unified2 output line in your snort.conf.
> >  > >
> >  > >
> >  > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...125...
> >  > > <mailto:maged67 at ...125...>> wrote:
> >  > >
> >  > > I properly configured the snort.conf and installed all the source files
> >  > > for snort, barnyard2, daq...
> >  > > The problem is when I run the snort from the console, I can see that it
> >  > > is working fine but when I run the snort to read the snort.conf it
> >  > > doesn't save the log file at all
> >  > >
> >  > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
> >  > > /etc/snort/snort.conf -l /var/log/snort
> >  > >
> >  > > and of course since there are no log files, barnyard2 reads an empty file
> >  > > and does not transfer it to mysql
> >  > >
> >  > > I am using SUSE Linux Enterprise 11 SP1 64bit. Really need your help with
> >  > > this one
> >  > >
> >  > > Thanks
> 
> 
> 
> -- 
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
> 
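The file-format distinction wkitty42 draws above (reputation preprocessor lists hold plain IPs and IP/CIDR blocks, rules files hold rule text), as an added check that is not part of this thread or of Snort itself: a small validator that reads a candidate whitelist/blacklist file and reports every non-comment line that is not an IP or IP/CIDR entry, so a text rules file wired into the reputation preprocessor by mistake is caught before Snort reports "Invalid IP Address". The sample file contents are constructed for the demonstration.

```python
import ipaddress

# Constructed sample of a correctly formatted reputation list: one IP or
# IP/CIDR per line, comment lines starting with '#'.
GOOD_LIST = """\
# reputation preprocessor blacklist: IP or IP/CIDR entries only
203.0.113.7
198.51.100.0/24
2001:db8::/32
"""

# Constructed sample of a Snort text rules file pointed at by the
# reputation preprocessor by mistake (the situation in this thread).
BAD_LIST = """\
# BLACKLIST RULES
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request"; sid:23802; rev:2;)
203.0.113.7
not-an-ip
"""


def check_reputation_list(text):
    """Return [(line_number, offending_line), ...] for every line that is
    neither blank, nor a '#' comment, nor a valid IP / IP/CIDR entry."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False tolerates host bits set inside a block
            # (e.g. 10.0.0.1/8); both IPv4 and IPv6 are accepted.
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((lineno, raw))
    return problems


if __name__ == "__main__":
    # Mirrors the "(N) => Invalid IP Address: ..." shape of Snort's message,
    # where N is the line within the list file.
    for name, text in (("good", GOOD_LIST), ("bad", BAD_LIST)):
        for lineno, raw in check_reputation_list(text):
            print(f"{name}: ({lineno}) => Invalid IP Address: {raw}")
```

Running it against the real RPP_black.rules from the post would flag every "alert udp ..." line, which is exactly what Snort complained about.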