From: Francois Le Bec (flebec@unis.org)
Date: Tue Apr 02 2002 - 15:04:31 CST
-----Original Message-----
From: snort-users-request@lists.sourceforge.net [mailto:snort-users-request@lists.sourceforge.net]
Sent: Tuesday, April 02, 2002 3:48 PM
To: snort-users@lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #1751 - 8 msgs
Send Snort-users mailing list submissions to
snort-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request@lists.sourceforge.net
You can reach the person managing the list at
snort-users-admin@lists.sourceforge.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."
Today's Topics:
1. Snort Solaris 8 with quad card (Chris Frazier - PA)
2. RE: how to upgrade to schema 105? (Kreimendahl, Chad J)
3. Re: OT: Deciphering log entry(iptables) (Matt Kettler)
4. Re: configure --with-mysql= ? (___cliff rayman___)
5. Re: Snort Working Mechanism (Scott Nursten)
6. Re: Snort Solaris 8 with quad card (Erek Adams)
7. Re: configure --with-mysql= ? (Jason Yates)
8. Re: OT: Deciphering log entry(iptables) (Chris Green)
--__--__--
Message: 1
From: Chris Frazier - PA <Chris_Frazier@GMACM.COM>
To: snort-users@lists.sourceforge.net
Date: Tue, 2 Apr 2002 13:35:00 -0500
Subject: [Snort-users] Snort Solaris 8 with quad card
Greetings,
I have Snort running on an Ultra 5 with Solaris 8. I bring up interfaces
qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
have Snort listen on those interfaces using separate commands:
snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
nothing. If I kill the snort running on qfe3, and just do a tcpdump -i
qfe3, and run the scans again, I see the traffic.
So am I doing something completely wrong, or am I trying to do something
that is not possible?
Any help is greatly appreciated.
Thanks
Chris
--__--__--
Message: 2
From: "Kreimendahl, Chad J" <Chad.Kreimendahl@umb.com>
To: "'Michael Scheidell'" <scheidell@secnap.net>, snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] how to upgrade to schema 105?
Date: Tue, 2 Apr 2002 12:49:48 -0600
No changes were made from 104 to 105 in MySQL... All that's necessary is to
change vseq from 104 to 105 in the 'schema' table.
-----Original Message-----
From: Michael Scheidell [mailto:scheidell@secnap.net]
Sent: Saturday, March 30, 2002 10:01 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] how to upgrade to schema 105?
Ok, must have been asleep at the switch.
How do I upgrade an existing mysql schema (104) to 105?
I would prefer to keep the existing data.
-- 
Michael Scheidell
SECNAP Network Security, LLC
--__--__--
Message: 3
Date: Tue, 02 Apr 2002 13:54:33 -0500
To: "Scott Taylor" <scottt@soccer.com>, snort-users@lists.sourceforge.net
From: Matt Kettler <mkettler@evi-inc.com>
Subject: Re: [Snort-users] OT: Deciphering log entry(iptables)
You said there was no outbound syn packet... but in this case I suspect there would be an *inbound* syn...
This would appear that someone tried to connect to a webserver on your machine, and your machine responded with a reset since it was not running one.
This is extraordinarily common due to the number of web-server infecting worms floating around.
Typical expected sequence to generate this:
someone:someport -> you:80 syn
you:80 -> someone:someport rst - "get lost buddy."
or possibly:
someone_running_portscanners:someport -> you:80 (no flags, fake fin/ack, or a xmas tree)
you:80 -> someone:someport rst - "get lost buddy."
Of course what kinds of traffic would generate a RST instead of an ICMP error message will vary with how you have iptables configured.
At 09:24 AM 4/2/2002 -0800, you wrote:
>This isn't related to snort (yet) I haven't installed it on this network. I was going through my log files on this firewall and have a ton (literally) of this entry. The only thing that changes is the destination ip's last two octets. eth0 is the external interface. There is no initiating SYN packet out bound. (that I know of, need to run tcpdump on it for a bit)
>Has anyone seen this or know what it may be related to?
>
>Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0 SRC=aa.bb.cc.ddd(me) DST=aa.bb.ee.ff(them) LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2418 WINDOW=0 RES=0x00 ACK RST URGP=0
>
>Cheers,
> Scott
>
>Oh yea, I think this is good for a drink or possibly two.
--__--__--
Message: 4
Date: Tue, 02 Apr 2002 11:09:02 -0800
From: ___cliff rayman___ <cliff@genwax.com>
Organization: general wax, inc.
To: John Sage <jsage@finchhaven.com>
CC: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] configure --with-mysql= ?
John Sage wrote:
> In /usr/local/snort-1.8.4/ I say:
>
> ./configure --with-mysql=/usr/include/mysql/
>
> or I say:
>
> ./configure --with-mysql=/usr/include/mysql
>
> and I get "checking for mysql... no"
On my system, I entered: --with-mysql=/usr/libexec/
That is the location of my mysql daemon, not the header file. I think if you do a: ./configure --help | less
you will see some switches that ask for header file locations and they have a different format. I know I confused this when I built php for acid, which had the same switch, but with a different usage. Go figure, or rather go configure. ;-)
-- 
___cliff rayman___ cliff@genwax.com http://www.genwax.com/
--__--__--
Message: 5
Date: Tue, 02 Apr 2002 19:09:57 +0100
Subject: Re: [Snort-users] Snort Working Mechanism
From: Scott Nursten <scottn@s2s.ltd.uk>
To: Sonika Malhotra <sonikam@magnum.barc.ernet.in>, Snort <snort-users@lists.sourceforge.net>
Answers inline:
> 1. I believe Stealth mode scan is a type of slow scan say 1 port/hr. how
> does snort manage to find out such types of scans.
Snort will detect these attacks if YOU configure it to. This would be done by defining the right *NET statements and configuring rules that catch TCP SYN or UDP packets to any ports OTHER than legit. publicly accessible ports on your network. Log it into a database, use ACID and a little event correlation and tadah - stealth portscan capture...!
Remember, a computer is just a high speed idiot :)
> 2. the logging facility of snort ie
> snort -dev -l /var/log/snort --doesn't see any rule file, so
> will this log 'ALL' the packets on the network completely?
From what I see in the help, yes. Let's go through it shall we?
-d Dump the Application Layer
-e Display the second layer header info
-v Be verbose
-l <ld> Log to directory <ld>
Now, I'm on a train, so I can't really test it, but I'm pretty sure that
A) it will be verbose and display all the packets (including application and second layer info) to STDOUT
B) it will also log it all into the <ld> directory.
> 3. I have found that in NIDS mode ie
> snort -deD -l /var/log/snort -c /etc/snort.conf
> logs only part of complete data. ie maybe the current
> packet. What if i want to log "everything" if attack is found.
> i have gone thru the log-documents. plz clear these points.
Ehheh, well, for a start, take a look at the stream4 preprocessor. Having said that, I'm pretty sure it doesn't log the whole stream. I haven't looked into this in more depth, but a quick 'grep stream4' in the snort-1.8.4 dir revealed
* added new config keyword to stream4, "log_flushed_streams", which causes all buffered packets in the stream reassembler for that session to be logged in the event of an event on that stream (must be used in conjunction with spo_log_tcpdump)
So, I guess that'll sort it...! If it doesn't, then use tcpdump in conjunction with it and throw man-hours at it...! :)
HTH,
Scott
--__--__--
Message: 6
Date: Tue, 2 Apr 2002 11:28:54 -0800 (PST)
From: Erek Adams <erek@theadamsfamily.net>
To: Chris Frazier - PA <Chris_Frazier@GMACM.COM>
cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Snort Solaris 8 with quad card
On Tue, 2 Apr 2002, Chris Frazier - PA wrote:
> I have Snort running on an Ultra 5 with Solaris 8. I bring up interfaces
> qfe2 and qfe3 without IP addresses being assigned on different VLANs, and
> have Snort listen on those interfaces using separate commands:
>
> snort -D -c conf.file -l /var/log/snort/qfe2 -i qfe2
> snort -D -c conf.file -l /var/log/snort/qfe3 -i qfe3
>
> When I trigger scans on those VLANs, qfe2 logs the results, but qfe3 does
> nothing. If I kill the snort running on qfe3, and just do a tcpdump -i
> qfe3, and run the scans again, I see the traffic.
Ok, let's check this a bit more. If you use a 'snort -vade -i qfe2' and run scans, do you see the traffic? Where does this traffic come from? A third machine? If you just run the qfe3 instance (as above), does it log? Running a 'snort -vade -i qfe3' while scanning, does that show any data?
> So am I doing something completely wrong, or am I trying to do something
> that is not possible.
It all depends. :) 'Not Possible' just means someone else hasn't done it yet. ;-)
> Any help is greatly appreciated.
Cheers!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
--__--__--
Message: 7
Subject: Re: [Snort-users] configure --with-mysql= ?
From: Jason Yates <jyates@dataservice.org>
To: ___cliff rayman___ <cliff@genwax.com>
Cc: John Sage <jsage@finchhaven.com>, snort-users@lists.sourceforge.net
Date: 02 Apr 2002 14:34:36 -0500
Try,
./configure --with-mysql
-Jason Yates
--__--__--
Message: 8
To: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] OT: Deciphering log entry(iptables)
From: Chris Green <cmg@sourcefire.com>
Reply-To: snort-users@lists.sourceforge.net
Date: Tue, 02 Apr 2002 14:47:11 -0500
>>Has anyone seen this or know what it may be related to?
>>
>>Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0 SRC=aa.bb.cc.ddd(me) DST=aa.bb.ee.ff(them) LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2418 WINDOW=0 RES=0x00 ACK RST URGP=0
>>
It's very possible that someone is synflooding someone else using your IP as the spoofed src.
-- 
Chris Green <cmg@sourcefire.com>
Fame may be fleeting but obscurity is forever.
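The two readings of Scott's log entry in this digest (Matt Kettler's in message 3: a scanner or worm hitting port 80 on a host running no web server; Chris Green's in message 8: Scott's address used as the spoofed source of a SYN flood aimed at someone else) can be told apart by how the outbound ACK+RST entries spread across destinations. The parser and counter below are an added example, not code from any of the posters; the log lines are constructed in the format Scott quoted, with documentation-range placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample netfilter LOG lines, modelled on the entry quoted in the thread.
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Mar 31 04:19:35 xxxxfw1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2418 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:36 xxxxfw1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2419 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:19:36 xxxxfw1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=2420 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar 31 04:20:01 xxxxfw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields plus a 'flags' set.
    Bare tokens such as ACK and RST carry no '=', so they are collected separately."""
    if "kernel:" not in line:
        return None
    body = line.partition("kernel:")[2]
    rec = dict(KV_RE.findall(body))
    rec["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec


def is_unsolicited_reset(rec, local_port="80"):
    """True for an outbound ACK+RST sourced from local_port with no SYN: the shape of
    the entry in the thread, i.e. this host refusing a connection it never asked for."""
    return (rec is not None and bool(rec.get("OUT")) and rec.get("PROTO") == "TCP"
            and rec.get("SPT") == local_port
            and {"ACK", "RST"} <= rec["flags"] and "SYN" not in rec["flags"])


def resets_per_destination(log_text, local_port="80"):
    """Count matching resets per DST. Repeated hits from a few peers fit Matt Kettler's
    reading (scanners or worms probing port 80); a burst spread over many distinct DSTs
    fits Chris Green's (our address used as the spoofed source of a SYN flood elsewhere)."""
    per_dst = Counter()
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if is_unsolicited_reset(rec, local_port):
            per_dst[rec["DST"]] += 1
    return per_dst


if __name__ == "__main__":
    for dst, n in resets_per_destination(SAMPLE_LOG).most_common():
        print(f"{dst}: {n} unsolicited reset(s) from port 80")
```

Feed it the real kernel log instead of SAMPLE_LOG; a large number of distinct DST values in a short window, rather than a few repeat offenders, is the signature Chris Green describes.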
--__--__--
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users
End of Snort-users Digest