[Snort-users] Snort-users Digest, Vol 3, Issue 30

flipsdd at sina.com flipsdd at sina.com
Wed Aug 23 03:41:35 EDT 2017


Hello, I have some rules. The keywords are not clear. They are:

1. byte_extract

2. flowbits

3. within:cipsize;




flipsdd at sina.com

From: snort-users-request
Date: 2017-08-23 00:00
To: snort-users
Subject: Snort-users Digest, Vol 3, Issue 30

Send Snort-users mailing list submissions to
snort-users at lists.snort.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.snort.org/mailman/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request at lists.snort.org

You can reach the person managing the list at
snort-users-owner at lists.snort.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.


Today's Topics:

   1. NIPS Rules (Manojit Ghosh)
   2. Re: NIPS Rules (wkitty42 at windstream.net)
   3. Re: NIPS Rules (Manojit Ghosh)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Aug 2017 23:55:40 +0530
From: Manojit Ghosh <a46105 at gmail.com>
To: snort-users at lists.snort.org
Subject: [Snort-users] NIPS Rules
Message-ID:
<CAD2+Gzu8bfwC4Hm+YwRFBOo-H+H7fdCXyDKbe7jX9FJ=hvWE+w at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I have installed Snort 2.9.9.0 on Windows 7 Professional 32-bit and am running
it using the command snort -i 3 -c C:\Snort\etc\snort.conf -A fast. In the
alert.ids file, I see a lot of "Reset outside window" alerts, such as this:
08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**]
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:443 -> XXXX:XXXX:XXXX:XXXX:XXXX:57462
I have reason to believe that these alerts are the result of malicious
activities. I want to protect my network from these attacks. Please provide
me with precise instructions to prevent these attacks, i.e. the rule(s), the
file to place the rule(s) in, and the location of the file.

-- 
Manojit Ghosh
CEO, A Joshing Moth
ajoshingmoth.blogspot.in

*Disclaimer:*
This e-mail contains privileged and confidential information intended
solely for the use of the addressee(s). If you are not the intended
recipient, please notify the sender by e-mail and delete the original
message. Further, you are not to copy, disclose, or distribute this e-mail
or its contents to any other person and any such actions are unlawful. This
e-mail may contain viruses. The sender has taken every reasonable
precaution to minimize this risk, but is not liable for any damage you may
sustain as a result of any virus in this e-mail. You should carry out your
own virus checks before opening the e-mail or attachment. The sender
reserves the right to monitor and review the content of all messages sent
to or from this e-mail address. Messages sent to or from this e-mail
address may be stored on the e-mail system.
*End of Disclaimer*

------------------------------

Message: 2
Date: Mon, 21 Aug 2017 15:18:32 -0400
From: wkitty42 at windstream.net
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] NIPS Rules
Message-ID: <f207dc88-fb29-46f9-bccf-50741dad8499 at windstream.net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 08/21/2017 02:25 PM, Manojit Ghosh via Snort-users wrote:
> I have installed Snort 2.9.9.0 on windows 7 professional 32 bit and running it 
> using the command snort -i 3 -c C:\Snort\etc\snort.conf -A fast. In the 
> alert.ids file, I see a lot of reset outside window alerts, such as this, 
> 08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] 
> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 
> XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:443 -> XXXX:XXXX:XXXX:XXXX:XXXX:57462. I 
> have reason to believe that these alerts are the result of malicious activities. 
> I want to protect my network from these attacks. Please provide me the precise 
> instructions to prevent these attacks, i.e. the rule(s), the file to place the 
> rule(s) in, & the location of the file.


If the rule is alerting, then you are already detecting them... if you want to 
block them, add the remote IP to your firewall's blocking list...

But these may not really be attacks... you need to capture the traffic and study 
it to see if it really is an attack... it may be that you need to simply adjust 
your stream5 preprocessor settings in your snort.conf file... search for 
"small_segments" and increase the count if you like... see README.stream5 for 
more information...

FWIW: one thing that I've noted over the years of using Snort is that folks new 
to Snort are now suddenly introduced to what's really going on on their network 
and how it really works... many are quite surprised by traffic they had no idea 
about... I remember one person freaking out when they discovered how chatty 
NETBIOS/NETBEUI is and how often devices using that protocol fight over which 
one is going to be the master browser for the network ;)


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
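Before any remote address goes onto a firewall block list, it is worth seeing who the 129:15 alerts actually involve (generator 129 is the stream5 TCP preprocessor, so these are not signature hits). In the poster's sample line the reset comes from the :443 side, i.e. from the HTTPS server the local host was talking to, which is the first thing a triage pass should make visible. The script below is an added example, not part of the reply above or of Snort: it parses the fast alert format that -A fast writes to alert.ids, using constructed sample lines with documentation addresses and local-range sids, counts "Reset outside window" per source address, reports how many of the resets came from a service port below 1024, and generates (but does not run) the Windows Firewall netsh commands for the "add the remote IP to your firewall" step.

```python
"""Triage of Snort fast-format alerts (alert.ids) before blocking anything.
Added example with constructed sample lines; not Snort code."""
import re
from collections import Counter

# One fast-format line: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification, priority, {proto}, then src -> dst (with :port for TCP/UDP).
FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(ep: str, proto: str):
    """'addr:port' -> (addr, port). Only TCP/UDP carry a port; it is the text
    after the LAST colon, which keeps IPv6 addresses intact."""
    if proto.upper() in ("TCP", "UDP"):
        addr, _, port = ep.rpartition(":")
        return addr, int(port)
    return ep, None


def parse_fast(lines):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = FAST_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        src, sport = split_endpoint(d["src"], d["proto"])
        dst, dport = split_endpoint(d["dst"], d["proto"])
        out.append({"ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]),
                    "msg": d["msg"], "proto": d["proto"].upper(),
                    "src": src, "sport": sport, "dst": dst, "dport": dport})
    return out


def summarize_resets(alerts, gid=129, sid=15):
    """Count gid:sid per source address and how many came from a port < 1024,
    i.e. from the server side of the connection."""
    by_src = Counter()
    from_service_port = 0
    for a in alerts:
        if (a["gid"], a["sid"]) != (gid, sid):
            continue
        by_src[a["src"]] += 1
        if a["sport"] is not None and a["sport"] < 1024:
            from_service_port += 1
    return {"total": sum(by_src.values()), "by_src": dict(by_src),
            "from_service_port": from_service_port}


def netsh_block_commands(addrs, name_prefix="snort-triage"):
    """Windows Firewall inbound block rules for the chosen addresses.
    Returned as strings for review; nothing is executed here."""
    return [f'netsh advfirewall firewall add rule name="{name_prefix}-{a}" '
            f"dir=in action=block remoteip={a}" for a in sorted(addrs)]


# Constructed sample alert.ids content (documentation addresses, local-range sids).
SAMPLE_ALERT_IDS = """\
08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8:1::10:443 -> 2001:db8:2::5:57462
08/21-23:16:38.101000  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8:1::10:443 -> 2001:db8:2::5:57463
08/21-23:16:40.250000  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:443 -> 192.0.2.20:50211
08/21-23:17:02.000000  [**] [1:1000001:1] LOCAL demo http rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:80 -> 192.0.2.20:50300
08/21-23:17:05.000000  [**] [1:1000002:1] LOCAL demo icmp rule [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.20
""".splitlines()


def demo():
    return summarize_resets(parse_fast(SAMPLE_ALERT_IDS))


if __name__ == "__main__":
    s = demo()
    print(s)
    for c in netsh_block_commands(s["by_src"]):
        print(c)
```

Run it against the real alert.ids by replacing SAMPLE_ALERT_IDS with the file's lines. If most resets come from port 443 of hosts the local machine connected to on purpose, the capture wkitty42 suggests is the next step rather than a block rule; a block rule for a busy HTTPS server just breaks browsing.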


------------------------------

Message: 3
Date: Tue, 22 Aug 2017 11:42:53 +0530
From: Manojit Ghosh <a46105 at gmail.com>
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] NIPS Rules
Message-ID:
<CAD2+Gzv-RoTF4hBp00V1cMh1UKDCcksqo3FTJF9-hcrMi-G9jw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I was hoping to block them using Snort. I am on a wireless network.




-- 
Manojit Ghosh
CEO, A Joshing Moth
ajoshingmoth.blogspot.in


------------------------------

Subject: Digest Footer

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-users


------------------------------

End of Snort-users Digest, Vol 3, Issue 30
******************************************