[Snort-users] Snort-users Digest, Vol 99, Issue 12

mehdi maleki mehdimlk2003 at ...131...
Wed Aug 6 03:58:32 EDT 2014



I’ve read faq but there is any solution for my problem. I’ve
used registered user rule set. my command line  and part of output  and
config-file are  as below:
./snort -A fast  -r /home/mahdi/darpa/outside.tcpdump -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --pcap-show -k none

===============================================================================
Packet I/O Totals:
   Received:      1337777
   Analyzed:      1337777 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      1340992 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:      1266758 ( 94.464%)
       Frag:          241 (  0.018%)
       ICMP:         1341 (  0.100%)
        UDP:        17029 (  1.270%)
        TCP:      1248147 ( 93.076%)
       ==============================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:      1276213 ( 95.398%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:        61564 (  4.602%)
  Blacklist:            0 (  0.000%)

part of config-file:

# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# List of DNS servers on your network 
ipvar DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
ipvar SMTP_SERVERS $HOME_NET

# List of web servers on your network
ipvar HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
ipvar SQL_SERVERS $HOME_NET

# List of telnet servers on your network
ipvar TELNET_SERVERS $HOME_NET

# List of ssh servers on your network
ipvar SSH_SERVERS $HOME_NET

# List of ftp servers on your network
ipvar FTP_SERVERS $HOME_NET

# List of sip servers on your network
ipvar SIP_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712] 

# List of ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# List of ports you might see oracle attacks on
portvar ORACLE_PORTS 1024:

# List of ports you want to look for SSH connections on:
portvar SSH_PORTS 22

# List of ports you run ftp servers on
portvar FTP_PORTS [21,2100,3535]

# List of ports you run SIP servers on
portvar SIP_PORTS [5060,5061,5600]

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]

# List of GTP ports for GTP preprocessor
portvar GTP_PORTS [2123,2152,3386]

# other variables, these should not be modified
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################

# Stop generic decode events:
config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
config disable_ipopt_alerts

# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
# config enable_decode_oversized_alerts

# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops

# Configure IP / TCP checksum mode
config checksum_mode: all

# Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64

# Configure ports to ignore 
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53

# Configure active response for non inline operation. For more information, see REAMDE.active
# config response: eth0 attempts 2

# Configure DAQ related options for inline operation. For more information, see README.daq
#
# config daq: <type>
# config daq_dir: <dir>
# config daq_mode: <mode>
# config daq_var: <var>
#
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value passed to DAQ
# <dir> ::= path as to where to look for DAQ module so's

# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
#
# config set_gid:
# config set_uid:

# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
#
# config snaplen:
#

# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
#
# config bpf_file:
#

# Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
#
# config logdir:


###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length




On Tuesday, August 5, 2014 10:46 PM, "snort-users-request at ...5870....net" <snort-users-request at lists.sourceforge.net> wrote:
 


Send Snort-users mailing list submissions to
    snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
    snort-users-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

   1. FW: Yumato (usuarionuevo nuevo nuevo)
   2. Re: darpa dataset problem(zero alert) (waldo kitty)
   3. Re: FW: Yumato (waldo kitty)
   4. Re: Event mismatch (Anshuman Anil Deshmukh)


----------------------------------------------------------------------

Message: 1
Date: Tue, 5 Aug 2014 16:57:37 +0200
From: usuarionuevo nuevo nuevo <estoesnuevo at ...16928...>
Subject: [Snort-users] FW: Yumato
To: "snort-users at lists.sourceforge.net"
    <snort-users at lists.sourceforge.net>
Message-ID: <BLU182-W7375FC4936A50C89E2FF40D7E30 at ...12678...>
Content-Type: text/plain; charset="iso-8859-1"

Hi, I'm new on this list, 
Anyone knows something about this snort signature:  ET TROJAN Dropper-497 (Yumato) Initial Checkin 
What does this alert means?
       Thx 
                             usuarionuevo

                                                     
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Tue, 05 Aug 2014 14:08:48 -0400
From: waldo kitty <wkitty42 at ...14940...>
Subject: Re: [Snort-users] darpa dataset problem(zero alert)
To: snort-users at lists.sourceforge.net
Message-ID: <53E11DB0.6060306 at ...14940...>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 8/5/2014 6:36 AM, mehdi maleki wrote:
> hi
> I've installed snort 2.9.6.2 on fedora 20 (vmware)and used as input file darpa
> dataset1999. I have not changed the default rule. Surprisingly it does not
> generate any alert.

have you checked the FAQ??

https://github.com/vrtadmin/snort-faq/blob/master/README.md

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.



------------------------------

Message: 3
Date: Tue, 05 Aug 2014 14:10:31 -0400
From: waldo kitty <wkitty42 at ...14940...>
Subject: Re: [Snort-users] FW: Yumato
To: snort-users at lists.sourceforge.net
Message-ID: <53E11E17.5050802 at ...14940...>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 8/5/2014 10:57 AM, usuarionuevo nuevo nuevo wrote:
> Hi, I'm new on this list,
>
> Anyone knows something about this snort signature:  ET TROJAN Dropper-497
> (Yumato) Initial Checkin
>
> What does this alert means?

i responded on your other topic of this... please continue over there...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.



------------------------------

Message: 4
Date: Tue, 5 Aug 2014 18:10:58 +0000
From: Anshuman Anil Deshmukh <anshuman at ...16510...>
Subject: Re: [Snort-users] Event mismatch
To: 'JJC' <cummingsj at ...11827...>, "snort-users at lists.sourceforge.net"
    <snort-users at lists.sourceforge.net>
Message-ID:
    <B6C975E672AF804EA892285F67BB885BA78AD227 at ...16511...>
Content-Type: text/plain; charset="utf-8"

ok.  I know my config for barnyard  & snort is referring the same file which is produced by pulledpork. But where do I tell Snorby to use the same sid-msg.map file? It is already configured to generate version 1 of sid-msg.map.





Regards,

Anshuman



From: JJC [mailto:cummingsj at ...11827...]
Sent: Tuesday, August 5, 2014 8:22 PM
To: Anshuman Anil Deshmukh
Cc: Joel Esler (jesler); snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Event mismatch



Snorby needs to be using the sid-msg.map that pulledpork produces, you also need to be sure that you have your pulledpork configured to generate a version 1 (one) sid-msg.map as I do not think that Snorby is compatible with the new version that was designed for use with Barnyard.



JJC



On Tue, Aug 5, 2014 at 7:27 AM, Anshuman Anil Deshmukh <anshuman at ...16567....<mailto:anshuman at ...16510...>> wrote:

Can anybody reply on this?





Regards,

Anshuman



From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...<mailto:anshuman at ...843.....16510...>]
Sent: Monday, August 4, 2014 10:59 PM
To: 'Joel Esler (jesler)'; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>


Subject: Re: [Snort-users] Event mismatch



Sorry for the encrypted mail which was recently sent by mistake. My apologies.



What I was saying was - which configuration file does Snorby refer in which the sid-msg.map file is specified?





Regards,

Anshuman



From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Monday, August 4, 2014 8:42 PM
To: Anshuman Anil Deshmukh
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Event mismatch



Looks like Snorby is not reading from the correct sid-msg.map file.





   On Aug 4, 2014, at 9:34 AM, Anshuman Anil Deshmukh <anshuman at ...16900...10...<mailto:anshuman at ...16510...>> wrote:



   Anybody on this? Is there any fix for this?





   Regards,

   Anshuman



   From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...]
   Sent: Wednesday, July 30, 2014 5:23 PM
   To: snort-users mailinglist
   Subject: [Snort-users] Event mismatch



   Hi,



   I am observing that an event shown in the snort terminal window appears in the Snorby console with a different description. Kindly see below output in the terminal window and refer attachment for same event how it appears in Snorby. This event appears in Snorby as ?ssh: Gobbles exploit?. SIG & GID is same for both.



   Has anybody encountered this issue?



   Snort terminal window



   [**] [128:1:1] (spp_ssh) Challenge-Response Overflow exploit [**]

   [Classification: Attempted Administrator Privilege Gain] [Priority: 1]

   07/29-11:38:33.588575 <IP address removed>:53198 -> <IP address removed>:22

   TCP TTL:64 TOS:0x8 ID:27261 IpLen:20 DgmLen:4180 DF

   ***A**** Seq: 0x6DCCC579  Ack: 0xFD13066A  Win: 0xEA80  TcpLen: 20

   [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640][Xref<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0640%5d%5bXref> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639]



   I have recently upgraded from Snort version 2.9.5 to 2.9.6.1 (it was compiled from source). After upgrade I have replaced the older version of files classification.config, gen.msg.map, reference.config & unicode.map.  Am I missing something which is causing this issue?



   I use pulledpork version 0.7.0 to update my rules. I update text based rules & so_rules with pulledpork. I use barnyard 2.1.9 (Build 263) - XFF patch (version 2). I am using mysql  ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1.



   Let me know in case any other information regarding my setup is needed.



   Thanks.





   Regards,

   Anshuman




   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>




   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>

   <Appearing in Snorbyt_mismatch.jpg>------------------------------------------------------------------------------
   Infragistics Professional
   Build stunning WinForms apps today!
   Reboot your WinForms applications with our WinForms controls.
   Build a bridge from your legacy apps to the future.
  http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk_______________________________________________
   Snort-users mailing list
  Snort-users at lists.sourceforge.net<mailto:Snort-users at ...3471...ge.net>
   Go to this URL to change user options or unsubscribe:
  https://lists.sourceforge.net/lists/listinfo/snort-users
   Snort-users list archive:
  http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

   Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!






   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com>




   "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com>


   ------------------------------------------------------------------------------
   Infragistics Professional
   Build stunning WinForms apps today!
   Reboot your WinForms applications with our WinForms controls.
   Build a bridge from your legacy apps to the future.
  http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
   _______________________________________________
   Snort-users mailing list
  Snort-users at lists.sourceforge.net<mailto:Snort-users at ...3471...ge.net>
   Go to this URL to change user options or unsubscribe:
  https://lists.sourceforge.net/lists/listinfo/snort-users
   Snort-users list archive:
  http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

   Please visit http://blog.snort.org to stay current on all the latest Snort news!




"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." 
www.cybage.com
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest, Vol 99, Issue 12
*******************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140806/2a608401/attachment.html>


More information about the Snort-users mailing list