[Snort-users] REMOVE

Daniel Holt dholt at icsi.com
Mon Sep 25 08:41:17 EDT 2017



Daniel Holt |Office: 410 280 3000 x108 | Fax:410-280-3001
1612 McGuckian Street | Annapolis, MD 21401
www.icsi.com | www.annapolisgeeks.com


Email support at icsi.com for any technical assistance


-----Original Message-----
From: Snort-users [mailto:snort-users-bounces at lists.snort.org] On Behalf Of snort-users-request at lists.snort.org
Sent: Saturday, September 23, 2017 12:00 PM
To: snort-users at lists.snort.org
Subject: Snort-users Digest, Vol 4, Issue 22

Send Snort-users mailing list submissions to
	snort-users at lists.snort.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.snort.org/mailman/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.snort.org

You can reach the person managing the list at
	snort-users-owner at lists.snort.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.


Today's Topics:

   1. Re: Misc UPNP Attack on my two network devices (a modem and a
      router) (wkitty42 at windstream.net)
   2. Re: Question (wkitty42 at windstream.net)
   3. Re: Question (Jim Campbell)
   4. Re: Question (William Pearson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Sep 2017 12:44:16 -0400
From: wkitty42 at windstream.net
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] Misc UPNP Attack on my two network devices
	(a modem and a router)
Message-ID: <7000dc65-048d-06c3-a199-84640622dfa7 at windstream.net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 09/21/2017 03:26 PM, Dorian ROSSE wrote:
> I have a Misc UPNP Attack on my two network devices, a modem and a 
> router. Also, how do I stop these attacks from IP 
> 239.255.255.250:1900?

generally that's not an attack... that's generally the destination IP... it is a broadcast IP specifically for service discovery... see here for an explanation...


https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol


if you think you're part of that 2014 DDoS, you should look to your device 
manufacturers for a fix...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


------------------------------

Message: 2
Date: Fri, 22 Sep 2017 12:47:53 -0400
From: wkitty42 at windstream.net
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] Question
Message-ID: <90ddfd6f-caf8-4756-f492-9f34c7f57e42 at windstream.net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 09/22/2017 11:46 AM, William Pearson wrote:
> I'm using BASE, and the results snort is giving me are beyond vague. I presume 
> this is an issue with the rules and preprocessing. I couldn't care less about 
> what preprocessor is being used. I'm singularly interested in the actual rule. 
> Why won't it show me the message field in the actual rules?
> 
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO CONTENT-LENGTH 
> OR TRANSFER-ENCODING IN HTTP RESPONSE


in this example, the all CAPS /is/ the msg portion of the rule... however, 
preprocessors are slightly different in that the rules are written into the code 
of snort... kind of like the shared object rules... generally speaking, their 
msg contents cannot be changed like the text based rules that are used...


are you, perhaps, looking for the actual GID:SID of the rule? to us, that's more 
important than the msg text...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*


------------------------------

Message: 3
Date: Fri, 22 Sep 2017 17:25:06 -0400
From: Jim Campbell <jim at w4bqp.net>
To: William Pearson <william at cnsp.net>, snort-users at lists.snort.org
Subject: Re: [Snort-users] Question
Message-ID: <16a09599-1e18-6c3e-7ba2-ba10159477e7 at w4bqp.net>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Will,

If you hover your cursor over the [snort 
<http://www.snort.org/search/sid/120-3>] at the beginning of the Alert, 
you will see the GID-SID at the bottom of the page.

Jim

On 9/22/2017 11:46 AM, William Pearson wrote:
> I'm using BASE, and the results snort is giving me are beyond vague. I 
> presume this is an issue with the rules and preprocessing. I couldn't 
> care less about what preprocessor is being used. I'm singularly 
> interested in the actual rule. Why won't it show me the message field 
> in the actual rules?
>
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO 
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>
> Will


------------------------------

Message: 4
Date: Fri, 22 Sep 2017 16:26:44 -0600
From: William Pearson <william at cnsp.net>
Cc: snort-users at lists.snort.org
Subject: Re: [Snort-users] Question
Message-ID:
	<CAJEJux0ubtcmDVQqscsukuMgHHuGQSFhemeN+HyMtu8t+LURiQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Jim,

Yeah, I know, but it's much easier to manage if it lists things by the msg
in the rule.

So, for example this rule,

alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any (msg:"ET CNC
Ransomware Tracker Reported CnC Server TCP group 86"; flags:S;
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,$

I want it to say "ET CNC Ransomware Tracker Reported CnC Server TCP group
86" in BASE.

Will


On Fri, Sep 22, 2017 at 3:25 PM, Jim Campbell <jim at w4bqp.net> wrote:

> Will,
>
> If you hover your cursor over the [snort
> <http://www.snort.org/search/sid/120-3>] at the beginning of the Alert,
> you will see the GID-SID at the bottom of the page.
>
> Jim
>
> On 9/22/2017 11:46 AM, William Pearson wrote:
>
> I'm using BASE, and the results snort is giving me are beyond vague. I
> presume this is an issue with the rules and preprocessing. I couldn't care
> less about what preprocessor is being used. I'm singularly interested in
> the actual rule. Why won't it show me the message field in the actual rules?
>
> [snort <http://www.snort.org/search/sid/120-3>] http_inspect: NO
> CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>
> Will
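An added example (not code from the thread, from Snort or from BASE) showing where a console gets the msg text for the two alert kinds discussed above: a text rule carries msg/sid/gid inline (gid defaults to 1), while a preprocessor alert such as 120-3 is identified only by gid:sid and its msg comes from a gen-msg.map style table that Snort ships with. The ET rule quoted above is truncated on the page, so the sid, rev and classtype below are constructed placeholders, and the map line is constructed too.

```python
import re

# Constructed sample: the ET rule quoted in the thread is cut off on the page,
# so sid/rev/classtype here are placeholders, not the real rule's values.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> [31.214.157.227,31.41.44.130] any '
    '(msg:"ET CNC Ransomware Tracker Reported CnC Server TCP group 86"; '
    'flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; '
    'classtype:trojan-activity; sid:9000001; rev:1;)',
]

# Constructed gen-msg.map style lines ("gid || sid || msg") for preprocessor
# alerts, whose msg text is fixed in Snort's code rather than in a .rules file.
SAMPLE_GEN_MSG = """\
# gid || sid || msg
120 || 3 || (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
"""

# key:value; pairs inside the rule body; quoted values may contain ';'
_OPT = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(rule):
    """Return {'gid','sid','msg'} from a text rule; gid defaults to 1."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = {}
    for key, val in _OPT.findall(body):
        if key in ('msg', 'sid', 'gid'):
            opts[key] = val.strip('"')
    return {'gid': int(opts.get('gid', 1)),
            'sid': int(opts['sid']),
            'msg': opts['msg']}


def build_sig_map(rules, gen_msg_text):
    """Merge text rules and gen-msg.map lines into a (gid, sid) -> msg table."""
    sigmap = {}
    for rule in rules:
        parsed = parse_rule(rule)
        sigmap[(parsed['gid'], parsed['sid'])] = parsed['msg']
    for line in gen_msg_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        gid, sid, msg = (f.strip() for f in line.split('||', 2))
        sigmap[(int(gid), int(sid))] = msg
    return sigmap


def lookup(sigmap, ref):
    """Resolve a BASE-style 'gid-sid' (or 'gid:sid') reference to its msg."""
    gid, sid = re.split(r'[-:]', ref.strip())
    return sigmap.get((int(gid), int(sid)), 'unknown signature ' + ref)
```

If a console shows only the gid:sid for a text rule, the msg is missing from the map it reads, not from the rule: rebuild the map from the loaded rule files and the alert text follows.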

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-users

