Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: LAN (Jason Costomiris)
   2. Re: (no subject) (Byron York)
   3. Re: (no subject) (james)
   4. Re: Wrappers (james)
   5. Acid -> remote system (Lance Spitzner)
   6. RE: Wrappers (Wells, Kenneth L)
   7. cc:Mail Link to SMTP Undeliverable Message: Unknown user: Bud CTR Gordon (Administrator)

--__--__--

Message: 1
Date: Tue, 6 Nov 2001 15:16:47 -0500
From: Jason Costomiris
To: snortlst snortlst
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] LAN

On Tue, Nov 06, 2001 at 10:01:29AM -0500, snortlst snortlst wrote:
: I run snort as ids. I have a sensor on LAN that sniffs traffic coming inside
: our lan from firewall's lan interface. Is that enough to figure out if there
: are some trojans running on some workstations on the lan, or some other
: problems with lan wstations?

That's enough to see traffic going to/from the Internet, not necessarily all
of your network.

: If this configuration is not enough then what.....I should mirror all 700
: ports on the lan switch to the snort sensor port?

If you've got that many live ports, I'd say you're probably best off using
multiple sensors with barnyard talking to a postgresql/mysql db.

-- 
Jason Costomiris <><           | Technologist, geek, human.
jcostom {at} jasons {dot} org  | http://www.jasons.org/
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
--__--__--

Message: 2
Date: Tue, 06 Nov 2001 14:47:52 -0600
From: Byron York
To: "Wells, Kenneth L", "snort-users () lists sourceforge net"
Subject: Re: [Snort-users] (no subject)

rpm -qa | grep libpcap

And I don't think you are missing anything with those steps.

"Wells, Kenneth L" wrote:

> Thanks to whoever sent this to me.......Can anyone tell me if I'm
> missing anything?
>
> How can I tell if I have libpcap already installed?
>
> Kenny

--__--__--

Message: 3
From: "james"
To: "Wells, Kenneth L"
Cc:
Subject: Re: [Snort-users] (no subject)
Date: Tue, 6 Nov 2001 13:36:23 -0700

if you have updated updatedb:

locate libpcap

or

whereis libpcap

James Edwards
jamesh () cybermesa com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office:
505-988-9200 or Toll Free: 888-988-2700

--__--__--

Message: 4
From: "james"
To:
Subject: Re: [Snort-users] Wrappers
Date: Tue, 6 Nov 2001 13:37:38 -0700

It really depends on what Unix distro you use. Some do or don't allow you to
control ssh and http via the wrappers. In theory, any service that has a one
to one mapping with an executable can be remapped to tcpd or the service
daemon replaced with tcpd and then tcpd passed the connection (after check
and logging) to the correct daemon.

james

--__--__--

Message: 5
Date: Tue, 6 Nov 2001 14:37:37 -0600 (CST)
From: Lance Spitzner
To: "Snort-Users (E-mail)"
Subject: [Snort-users] Acid -> remote system

Question, I'm attempting to build and use Snort+Acid, however acid is on a
different remote system. When I attempt to build snort, do I have to still
compile it with the mysql option? Does this mean that when I do the build,
on the build system mysql has to be installed so the build can find all the
headers, even though Acid is on a different system? I've got a feeling the
answer to this is yes, just want to make sure.

And if so, will the following from www.sunfreeware.com work on Solaris8 Sparc?

mysql-3.22.26a-sol8-sparc-local.gz

Thanks!

-- 
Lance Spitzner
http://project.honeynet.org

--__--__--

Message: 6
From: "Wells, Kenneth L"
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Wrappers
Date: Tue, 6 Nov 2001 15:40:01 -0500

I have the following error when I try to run snort

Initializing rule chains...
ERROR: Unable to open rules file: /snort.conf or //snort.conf
Fatal Error.
Quitting...

My rules are in a folder called rules in the snort-1.8.2 directory. What
should my include statement say?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 7
Date: Tue, 06 Nov 2001 15:37:10 -0500
From: "Administrator"
To:
Subject: [Snort-users] cc:Mail Link to SMTP Undeliverable Message: Unknown user: Bud CTR Gordon

[cc:Mail Note Part: the bounced message, Snort-users digest Vol 1 #1222 (6 msgs), follows.]

Today's Topics:

   1. Re: Wrappers (Chris Green)
   2. Re: Ignoring ports (Chris Green)
   3. RE: snort on Linux works, on OpenBSD doesn't (Chris Eidem)
   4. RE: Barnyard and ACID question (Steve Halligan)
   5. RE: snort on Linux works, on OpenBSD doesn't (Ashley Thomas)
   6. (no subject) (Wells, Kenneth L)

--__--__--

Message: 1
To: "snortlst snortlst"
Cc:
Subject: Re: [Snort-users] Wrappers
From: Chris Green
Reply-To: snort-users () lists sourceforge net
Date: Tue, 06 Nov 2001 13:39:39 -0600

"snortlst snortlst" writes:

> On which layer snort inspects incoming traffic? If it inspects it before
> tcp/ip (like checkpoint firewall) then can I use tcp wrappers and deny all
> traffic in tcp wrappers in order to secure linux machine?
It sniffs in promiscuous mode so it can see traffic with no interaction
with the native tcp/ip stack ( other than where it overlaps with BPF ).

Yes. Using TCP wrappers will not affect snort.

> thx.

-- 
Chris Green
A good pun is its own reword.

--__--__--

Message: 2
To: "Joshua Thomas"
Cc:
Subject: Re: [Snort-users] Ignoring ports
From: Chris Green
Reply-To: snort-users () lists sourceforge net
Date: Tue, 06 Nov 2001 13:44:43 -0600

"Joshua Thomas" writes:

> How do I ignore arbitrary ports without rewriting all the rules?
> For example, Kazaa runs on port 1214; how can I make all my rules not
> trigger on port 1214 traffic?

pcap filter of 'not tcp and port 1214' or

pass tcp any any <-> any 1214

along with using snort -o

Beware that this will open one for attacks due to clever attackers using
1214 as a source port for the attack. Someday, snort might be able to tell
what kinda traffic it is and possibly ignore it based on that.

-- 
Chris Green
"I'm beginning to think that my router may be confused."

--__--__--

Message: 3
Subject: RE: [Snort-users] snort on Linux works, on OpenBSD doesn't
Date: Tue, 6 Nov 2001 13:46:51 -0600
From: "Chris Eidem"
To: "Ashley Thomas",
Cc:

Not necessary, here is my setup:

[root@cubanelle /home/ceidem/src]# for i in /etc/hostname.*; do echo $i; cat $i; done
/etc/hostname.fxp0
up
/etc/hostname.xl0
inet 10.70.0.108 255.255.255.0 NONE
/etc/hostname.xl1
up

> -----Original Message-----
> From: Ashley Thomas [mailto:athomas () unity ncsu edu]
> Sent: Tuesday, November 06, 2001 1:08 PM
> To: donegan () donegan org
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort on Linux works, on OpenBSD doesn't
>
>
> One point to be noted:
> in OpenBSD ifconfig rl0 up doesn't seem to work.
>
> So modify /etc/hostname.rl0
>
> inet 0.0.0.0 255.255.255.0 NONE
>
> That should do the trick :-)
>
> let me know if that works
>
> cheers
> ashley
>
>
> On Tue, 6 Nov 2001 donegan () donegan org wrote:
>
> > I have just installed, from the same sources, snort on Linux and
> > OpenBSD. Both compile AOK, both appear to execute OK, the Linux snort
> > catches all the nimda stuff that continues to provide test data :-) and
> > the OpenBSD snort catches nothing. Both are connected to the same hub
> > (not switch), both interfaces show PROMISC mode and UP.
> >
> > A key difference here is that the OpenBSD snort is running on an
> > interface that has no IP address - i.e. ifconfig rl0 up.
> >
> > Any pointers on waking the OpenBSD version up would be appreciated.
> >
> > Thanks!

--__--__--

Message: 4
From: Steve Halligan
To: Steve Halligan, "'Andrew R. Baker'"
Cc: "'snort-users () lists sourceforge net'"
Subject: RE: [Snort-users] Barnyard and ACID question
Date: Tue, 6 Nov 2001 13:53:00 -0600

One more piece of weirdness:
Barnyard popped up a few "Unknown Network Header (0x0)" and inserted an
alert with only a sig, no ip info, tcp info, etc.
> -----Original Message-----
> From: Steve Halligan [mailto:agent33 () geeksquad com]
> Sent: Tuesday, November 06, 2001 12:29 PM
> To: 'Andrew R. Baker'; 'Wozz'
> Cc: 'snort-users () lists sourceforge net'
> Subject: RE: [Snort-users] Barnyard and ACID question
>
>
> PS: The timestamps appear to be set to UTC. Both the snort/barnyard box
> and the database box are set to the correct time and timezone, but
> timestamps logged in the database are +6 hours (which would be utc from
> where I am). Not a bug, but is there anyway to change this behaviour?
>
> > -----Original Message-----
> > From: Steve Halligan
> > Sent: Tuesday, November 06, 2001 12:23 PM
> > To: 'Andrew R. Baker'; Wozz
> > Cc: snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Barnyard and ACID question
> >
> >
> > I am having this problem also. OpenBSD 2.9-release here.
> > Barnyard from CVS today. snort-unified-logfile is attached.
> > I also noticed that sometimes (although not in this logfile,
> > I believe) the ordering of the source ip address backwards
> > also a.b.c.d becomes d.c.b.a. The dest ip is unaffected.
> > -steve
> >
> > > -----Original Message-----
> > > From: Andrew R. Baker [mailto:andrewb () snort org]
> > > Sent: Monday, November 05, 2001 11:44 PM
> > > To: Wozz
> > > Cc: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Barnyard and ACID question
> > >
> > >
> > > Wozz wrote:
> > > >
> > > > I'm noticing some problems with barnyard and the mysql output
> > > > plugin. After some correlation, here's the real headers for the
> > > > event (from the barnyard log output plugin)
> > > >
> > > > [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> > > > [Classification: Attempted User Privilege Gain] [Priority: 8]
> > > > Event ID: 692     Event Reference: 0
> > > > 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> > > > TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> > > > ***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  TcpLen: 32
> > > >
> > > > For some reason, when using the mysql output plugin in barnyard,
> > > > the source port is being munged from the correct 55776 to 57561,
> > > > and the destination port from 80 to 20480. I've confirmed that
> > > > this is the data that is being inserted into mysql (as opposed to
> > > > it being an ACID display problem).
> > > >
> > > > This is consistent across all alerts being inserted into mysql
> > > > (as far as I can tell)
> > > >
> > > > Is this a known bug?
> > > >
> > >
> > > Which version (and build) of snort are you using? Do you have a small
> > > unified alert file you could send me for testing? AFAIK, this should
> > > not occur. I will look into it tomorrow.
> > >
> > > -A

--__--__--

Message: 5
Date: Tue, 6 Nov 2001 14:55:52 -0500 (EST)
From: Ashley Thomas
To: Chris Eidem
cc:
Subject: RE: [Snort-users] snort on Linux works, on OpenBSD doesn't

Could you explain what you are doing.

thanks
ashley

On Tue, 6 Nov 2001, Chris Eidem wrote:

> Not necessary, here is my setup:
>
> [root@cubanelle /home/ceidem/src]# for i in /etc/hostname.*; do echo $i;
> cat $i; done
> /etc/hostname.fxp0
> up
> /etc/hostname.xl0
> inet 10.70.0.108 255.255.255.0 NONE
> /etc/hostname.xl1
> up

--__--__--

Message: 6
From: "Wells, Kenneth L"
To: snort-users () lists sourceforge net
Date: Tue, 6 Nov 2001 15:05:02 -0500
Subject: [Snort-users] (no subject)

Thanks to whoever sent this to me.......Can anyone tell me if I'm missing anything?

How can I tell if I have libpcap already installed?

Kenny


1. Search the web and install libpcap
   - unpack it
   Then run:
   - ./configure
   - make
   - make install
2. download snort (www.snort.org)
   - unpack it (gzip -d <snort file.tar.gzip>, then tar -xvf <snortfile.tar>)
   Then run
   - ./configure
   - make
   - make install
3. Make sure when you run snort it sets your nic to promiscuous mode. If it
   doesn't then do the following manually before starting snort:
   ifconfig <yournic> promisc

4. In the installation directory find the snort.conf file and edit the
   following values:
   - set $home_net to your lan
   - set external_net to !$home_net
   - set the logging to /var/snort/log
   - include your dns server addresses in the list of ignored hosts
   - in the bottom of the file (where you see a lot of 'include rules')
     provide a path to the rules. You'll have to download the rules from
     snort.org

5. Create a 'snort' directory in the /var/log. Here IDS logs things.
6. Download snort_stat.pl from snort.org. This perl script will parse alert
   and portscan files and present it to you in nice html format.

7. Connect snort machine to internet or to internal lan (depends what you
   wanna sniff exactly)
8. On the switch or hub mirror firewall (or whatever you want to sniff) port
   to port where snort machine is connected.
9. start snort like : snort -c /snort.conf
   (it will automatically use full logging feature and will use default log
   directory /var/log/snort)
10. after a while run:
   cat /var/log/snort | /snort_stat.pl -f -h > /alert.html
   (this one will create an alert.html file in the / , you can open it later
   with browser)

That's what I remember from the top of my head. This is a very basic setup,
you can do much more complicated things, especially regarding representation
of alert files.

hope this helps.
P.S. don't disregard reading FAQ on snort.org, though I think it misses quite
a lot of things for newbies and can't be very useful for the beginner.
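The "Ignoring ports" reply in the embedded digest above (Message 2: `pass tcp any any <-> any 1214` together with `snort -o`, and the caveat that an attacker can pick 1214 as the source port) is worth seeing in motion. The following is an added example, not Snort's code and not anything posted in the thread: a toy model of Snort 1.x rule evaluation that keeps only what the answer depends on (action, protocol, ports, `->` versus `<->`, and the `-o` switch from alert->pass->log order to pass->alert->log order). The `Packet`, `Rule`, `evaluate` names and both sample packets are constructed; the narrower pair of pass rules (`NARROW_PASS`) is this editor's suggestion, not Chris Green's.

```python
"""Toy model of Snort 1.x rule ordering for the 'ignore port 1214' question.

Added example, not Snort's own code. It models just enough of rule matching
to show why a bidirectional 'pass tcp any any <-> any 1214' rule under
'snort -o' also silences an alert on an attack that merely uses 1214 as its
*source* port, and how a narrower pair of pass rules closes most of that hole.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:          # constructed 5-tuple, addresses as plain strings
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:            # one Snort-style header line: action proto src sport dir dst dport
    action: str        # "pass", "alert" or "log"
    proto: str
    src: str
    sport: str         # "any", a single port, or a range such as "1024:"
    direction: str     # "->" or "<->"
    dst: str
    dport: str
    msg: str = ""


def port_matches(spec: str, port: int) -> bool:
    """Snort-style port spec: 'any', one port, or 'lo:hi' / 'lo:' / ':hi'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def one_way(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if one_way(rule, pkt):
        return True
    if rule.direction == "<->":
        # Bidirectional rule: try again with the packet's endpoints swapped.
        return one_way(rule, Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    return False


def evaluate(rules: List[Rule], pkt: Packet, pass_first: bool) -> Optional[str]:
    """Return the alert message fired for pkt, or None.

    Default Snort 1.x order is alert -> pass -> log; 'snort -o' switches it to
    pass -> alert -> log, which is what lets a pass rule suppress an alert.
    """
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return rule.msg if action == "alert" else None
    return None


# Signature name taken from the Barnyard thread; everything else is constructed.
WEB_RULE = Rule("alert", "tcp", "any", "any", "->", "any", "80", msg="WEB-IIS cmd.exe access")
WIDE_PASS = [Rule("pass", "tcp", "any", "any", "<->", "any", "1214")]
# Narrower alternative (editor's suggestion): pass client->1214 traffic and
# 1214->ephemeral replies only, never traffic from 1214 to a well-known port.
NARROW_PASS = [Rule("pass", "tcp", "any", "any", "->", "any", "1214"),
               Rule("pass", "tcp", "any", "1214", "->", "any", "1024:")]

KAZAA = Packet("tcp", "10.0.0.5", 33000, "192.0.2.9", 1214)          # constructed
ATTACK_FROM_1214 = Packet("tcp", "192.0.2.9", 1214, "10.0.0.5", 80)  # constructed


def main() -> None:
    for name, passes in (("wide", WIDE_PASS), ("narrow", NARROW_PASS)):
        rules = passes + [WEB_RULE]
        print(name, "pass rules with -o: kazaa ->", evaluate(rules, KAZAA, True),
              "| attack from sport 1214 ->", evaluate(rules, ATTACK_FROM_1214, True))


if __name__ == "__main__":
    main()
```

With the wide rule and `-o`, the constructed request from source port 1214 to port 80 matches the pass rule on its swapped endpoints and the web alert never fires; with the narrower pair it does. Without `-o` the pass rule is evaluated after the alert rule and does nothing, which is why the reply pairs it with `-o`. One caveat on the pcap alternative quoted in the reply: in pcap-filter syntax `not` binds tighter than `and`, so `not tcp and port 1214` means `(not tcp) and (port 1214)`; `not (tcp and port 1214)` is the expression that excludes TCP 1214 and keeps everything else.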

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest

Attachment RFC822.TXT (headers of the bounced message):

Received: from relay5.faa.gov [172.27.170.37] by faa.gov (ccMail Link to SMTP R8.31.00.5); Tue, 06 Nov 2001 15:35:34 -0500
Received: from usw-sf-list1.sourceforge.net (usw-sf-fw2.sourceforge.net [216.136.171.252]) by relay5.faa.gov (Switch-2.0.6/Switch-2.0.6) with ESMTP id fA6KZXO00194; Tue, 6 Nov 2001 15:35:33 -0500 (EST)
Received: from localhost ([127.0.0.1] helo=usw-sf-list1.sourceforge.net) by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian)) id 161Cdi-00058W-00; Tue, 06 Nov 2001 12:16:06 -0800
From: snort-users-request () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1222 - 6 msgs
Reply-to: snort-users () lists sourceforge net
X-Mailer: Mailman v2.0.5
To: snort-users () lists sourceforge net
Sender: snort-users-admin () lists sourceforge net
Errors-To: snort-users-admin () lists sourceforge net
X-Mailman-Version: 2.0.5
Precedence: bulk
List-Id: Snort users talk about... Snort!
Date: Tue, 06 Nov 2001 12:16:06 -0800

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
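The port values reported in the Barnyard/ACID thread of the embedded digest (Message 4) carry a clue that the thread itself does not spell out: 55776 is 0xD9E0 and 57561 is 0xE0D9; 80 is 0x0050 and 20480 is 0x5000. Both stored ports are exactly the 16-bit byte swaps of the real ones, and "a.b.c.d becomes d.c.b.a" is the same swap on a 32-bit address, which is the signature of a host/network byte-order mix-up somewhere between the unified log and the database insert. The script below is an added example, not Barnyard's or Snort's code: it packs a constructed event record in network order and decodes it both correctly and with the wrong byte order, so a reader can recognise the pattern in their own data. The record layout (`RECORD_FMT`), the helper names and the 192.0.2.130 / 198.51.100.64 addresses are constructed for the demonstration and are not Snort's unified format; note also that the thread says only the source address was reversed, which a single wrong unpack like the one modelled here would not explain by itself.

```python
"""Byte-order check for the Barnyard -> MySQL port-munging report.

Added example; not Barnyard's or Snort's code. It shows that the corrupted
ports quoted in the thread (55776 -> 57561, 80 -> 20480) are plain 16-bit
byte swaps, and what the same mistake does to a 32-bit address. The record
layout is constructed for the demonstration, not Snort's unified format.
"""
import socket
import struct


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (a host/network byte-order mix-up
    applied to a port number)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def looks_byte_swapped(observed: int, expected: int) -> bool:
    """True when the value that reached the database is exactly the byte swap
    of the value Snort logged."""
    return observed == byteswap16(expected)


# Constructed record layout: src ip, dst ip (32-bit), src port, dst port
# (16-bit), written in network byte order as they appear on the wire.
RECORD_FMT = "IIHH"


def encode_event(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Pack one constructed event record in network byte order."""
    src, = struct.unpack("!I", socket.inet_aton(src_ip))
    dst, = struct.unpack("!I", socket.inet_aton(dst_ip))
    return struct.pack("!" + RECORD_FMT, src, dst, sport, dport)


def decode_event(record: bytes, byte_order: str):
    """Decode a record with '!' (network order, correct) or '<' (little-endian
    host order, the mistake that reproduces the thread's numbers).
    Returns (src_ip, dst_ip, sport, dport)."""
    src, dst, sport, dport = struct.unpack(byte_order + RECORD_FMT, record)
    return (socket.inet_ntoa(struct.pack("!I", src)),
            socket.inet_ntoa(struct.pack("!I", dst)), sport, dport)


def main() -> None:
    # Constructed addresses stand in for the thread's a.b.c.130 and x.y.z.64.
    record = encode_event("192.0.2.130", "198.51.100.64", 55776, 80)
    print("decoded correctly  :", decode_event(record, "!"))
    print("decoded byte-swapped:", decode_event(record, "<"))
    for name, observed, expected in (("sport", 57561, 55776), ("dport", 20480, 80)):
        print(f"{name}: {observed} is byteswap of {expected}?",
              looks_byte_swapped(observed, expected))


if __name__ == "__main__":
    main()
```

Run stand-alone it prints the record both ways; the little-endian decode yields ports 57561 and 20480 and the address 130.2.0.192, i.e. d.c.b.a. The same `looks_byte_swapped` check, applied to a few rows from the database against the matching lines of Snort's own alert output, is a quick way to confirm or rule out this class of bug before digging into the output plugin.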