[Snort-users] snort 2.9.4.6 not logging

waldo kitty wkitty42 at ...14940...
Fri Jul 19 13:10:17 EDT 2013


On 7/19/2013 08:45, Maged Shenouda wrote:
> I changed the snort.conf as follow
>
> var WHITE_LIST_PATH /etc/snort/rules
> var BLACK_LIST_PATH /etc/snort/rules

this is fine...

> preprocessor reputation: \
> memcap 500, \
> priority whitelist, \
> nested_ip inner, \
> whitelist $WHITE_LIST_PATH/RPP_white.rules, \
> blacklist $BLACK_LIST_PATH/RPP_black.rules

ok... this is fine now... what was it before?

> in the /etc/snort/rules I rename the files to RPP_black.rules & RPP_white.rules
> but there was another file name blacklist.rules which is listed at the bottom of
> the snort.conf file

ok... what does the following command return?

   ls -la /etc/snort/rules/*list*.rules

> # site specific rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/app-detect.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/blacklist.rules

what are the contents of this blacklist.rules file? i suspect it may be the one 
that should have renamed as RPP_black.rules...


can you see the confusion between black_list.rules and blacklist.rules now? 
which one is which? ;)

there should also be a whitelist.rules OR white_list.rules file for the 
reputation processor... its name should be in the same format as the proper 
black list one for the reputation processor...  in other words...

   white_list.rules
   black_list.rules

OR

   whitelist.rules
   blacklist.rules

one of those is proper for the reputation processor... what is the name of your 
white list file? we will see that in the "ls -la" output from above ;)

> I restarted the snort but still get the same error
>
> Processing blacklist file /etc/snort/rules/RPP_black.rules
> Jul 19 08:13:34 mm-proxy snort[12340]:       (22) =>  Invalid IP Address: alert udp $HOME_NET any ->  any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
> Jul 19 08:13:34 mm-proxy snort[12340]:       (23) =>  Invalid IP Address: alert udp $HOME_NET any ->  any 53 (msg:"BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:2;)

yes, this shows the format of that file is not the IP or IP/CIDR format 
expected... that file is a standard textual GID:1 rules file... we renamed the 
wrong black_?list.rules file...

> All those rules are located in /etc/snort/rules
>
> Here is part of the RPP_black.rules, not sure if this is the correct format
[trim]

yeah, definitely the standard textual rules format... not what the reputation 
processor wants... what was the original name of this file?


>  > Date: Thu, 18 Jul 2013 20:47:02 -0400
>  > From: wkitty42 at ...14940...
>  > To: snort-users at lists.sourceforge.net
>  > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  >
>  > On 7/18/2013 14:28, Maged Shenouda wrote:
>  > > Here is the snort.conf file configuration
>  > >
>  > > ipvar HOME_NET 192.168.0.0/24
>  > > ipvar EXTERNAL_NET any
>  > > ipvar SMTP_SERVERS $HOME_NET
>  > >
>  > > and so on,,,, don't think the format is worng?
>  >
>  > you are correct... but wait! what are the names of your blacklist and whitelist
>  > files as defined for the reputation processor? there is known confusion between
>  > (EG:) GID:1 blacklist.rules and reputation processor black_list.rules files and
>  > that is exacerbated when both sets reside in the same directory...
>  >
>  > the ones for the reputation processor are in simple IP and/or IP/CIDR format
>  > whereas the others are in the standard text rules format... looking closer at
>  > the error message, it specifically states "invalid IP address" which leads me to
>  > believe that the file name(s) for your reputation processor are incorrect...
>  >
>  > so, check your snort.conf at the reputation processor and see what those file
>  > names are that are specified there... then make sure that those names are /not/
>  > included in the list of rules files at the bottom of snort.conf...
>  >
>  > [HINT: more specifically, one set of file names has an underscore '_' in it and
>  > the other does not... watch for this and do not get confused by it...
>  >
>  > RECOMMENDATION: name the files specific to the reputation processor to something
>  > significantly different than the normal textual blacklist rules file... maybe
>  > RPP_black.rules and RPP_white.rules where RPP stands for Reputation
>  > Preprocessor... anything that is different from the others and will alleviate
>  > the confusion]
>  >
>  >
>  > > > Date: Thu, 18 Jul 2013 13:55:36 -0400
>  > > > From: wkitty42 at ...14940...
>  > > > To: snort-users at lists.sourceforge.net
>  > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > >
>  > > > On 7/18/2013 13:38, Maged Shenouda wrote:
>  > > > > Snort logging still not working evev after rmoving the -A -b parameters
>  > > > >
>  > > > > Any other clue?
>  > > >
>  > > > looking at the reply below... what is your HOME_NET set to?? have you
> fixed it
>  > > > to accurately cover your actual protected network(s)??
>  > > >
>  > > > >
>  > >
> --------------------------------------------------------------------------------
>  > > > > From: jesler at ...1935...
>  > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > > > Date: Thu, 18 Jul 2013 11:55:25 -0400
>  > > > > To: maged67 at ...125...
>  > > > >
>  > > > > No, it looks like you have something messed up in your HOME_NET
>  > > > >
>  > > > >
>  > > > > On Jul 18, 2013, at 11:48 AM, Maged Shenouda <maged67 at ...125...
>  > > > > <mailto:maged67 at ...125...>> wrote:
>  > > > >
>  > > > > Also when snort started, it checked the black list rules and here is
> part of
>  > > > > system log
>  > > > >
>  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing whitelist file
>  > > /etc/snort/rules/white_list.rules
>  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Reputation entries loaded: 0,
>  > > invalid: 0, re-defined: 0 (from file /etc/snort/rules/white_list.rules)
>  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: Processing blacklist file
>  > > /etc/snort/rules/black_list.rules
>  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (22) => Invalid IP Address: alert
>  > > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
>  > > domaindatajunction.org <http://datajunction.org/> - Gauss "; flow:to_server;
>  > > byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|";
> fast_pattern:only;
>  > > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
>  > > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
>  > >
> reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
>  > >
> <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
>  > > classtype:trojan-activity; sid:23802; rev:2;)
>  > > > > Jul 18 11:17:29 mm-proxy snort[10868]: (23) => Invalid IP Address: alert
>  > > udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware
>  > > domainguest-access.net <http://guest-access.net/> - Gauss "; flow:to_server;
>  > > byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|";
> fast_pattern:only;
>  > > metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
>  > > service dns; reference:url,gauss.crysys.hu/ <http://gauss.crysys.hu/>;
>  > >
> reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan
>  > >
> <http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan>;
>  > > classtype:trojan-activity; sid:23799; rev:2;)
>  > > > >
>  > > > > is there something wrong with the black list rules ??
>  > > > >
>  > > > >
>  > >
> --------------------------------------------------------------------------------
>  > > > > Subject: Re: [Snort-users] snort 2.9.4.6 not logging
>  > > > > From: jesler at ...1935... <mailto:jesler at ...1935...>
>  > > > > Date: Wed, 17 Jul 2013 12:02:40 -0400
>  > > > > CC: lists.sourceforge.net <http://lists.sourceforge.net>
>  > > > > snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>
>  > > > > To: maged67 at ...125... <mailto:maged67 at ...125...>
>  > > > >
>  > > > > Remove your “-A full -b” from your command line. Those are overriding your
>  > > > > unified2 output line in your snort.conf.
>  > > > >
>  > > > >
>  > > > > On Jul 17, 2013, at 11:19 AM, Maged Shenouda <maged67 at ...125...
>  > > > > <mailto:maged67 at ...125...>> wrote:
>  > > > >
>  > > > > I properly configured the snort.conf and installed all the source files
>  > > > > for snort, barnyard2, daq...
>  > > > > The problem is when I run the snort from the console, I can see that it
>  > > > > is working fine but when I run the snort to read the snort.conf it
>  > > > > doesn't save the log file at all
>  > > > >
>  > > > > /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c
>  > > > > /etc/snort/snort.conf -l /var/log/snort
>  > > > >
>  > > > > and off course since there is no log files, barnyard2 read an empty file
>  > > > > and does not transfer it so mysql
>  > > > >
>  > > > > I am using SUSE Linux Enterprise 11 SP1 64bit. Realy need your help with
>  > > > > this one
>  > > > >
>  > > > > Thanks
>  >
>  >
>  >
>  > --
>  > NOTE: No off-list assistance is given without prior approval.
>  > Please keep mailing list traffic on the list unless
>  > private contact is specifically requested and granted.
>  >
>  > ------------------------------------------------------------------------------
>  > See everything from the browser to the database with AppDynamics
>  > Get end-to-end visibility with application monitoring from AppDynamics
>  > Isolate bottlenecks and diagnose root cause in seconds.
>  > Start your free trial of AppDynamics Pro today!
>  > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>  > _______________________________________________
>  > Snort-users mailing list
>  > Snort-users at lists.sourceforge.net
>  > Go to this URL to change user options or unsubscribe:
>  > https://lists.sourceforge.net/lists/listinfo/snort-users
>  > Snort-users list archive:
>  > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>  >
>  > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list