Snort mailing list archives
snort and demarc frontend and Promiscuous mode
From: "Lavin, John" <JLavin () rudolphtech com>
Date: Wed, 4 Sep 2002 15:01:52 -0400
Do I need two network cards in order to run snort in Promiscuous mode? I am running this on a linux box with one nic card right now. So currently if I do a nmap scan from another linux box right at the box with snort loaded on it.... nmap -O (ip address of the box) It will trigger the alerts. However, if I scan another pc plugged into the same hub it does not report finding anything. So I think I need to adjust the mode or install another nic card then setup the Promiscuous mode. Can anyone please let me know how to do this or point me to the correct documentation. I know how to put in the nic and set it up, I just want to find out what the interfaces are labeled from snort's point of view and know what options I need to add to snort when I start it up.

Thanks in advance,
John Lavin

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, September 03, 2002 10:33 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2240 - 16 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Hard choice: Preprocessor or Tagging (Chris Green)
2. Re: -b binary logging question (Chris Green)
3. Snort Minimum permissions (Richard Hall)
4. Re: Snort and creating new classtypes (Roman Danyliw)
5. papers about installing snort (charella constansia)
6. Re: NETBIOS NT NULL session (Ian Macdonald)
7. Re: PORN Virgin (Ian Macdonald)
8. Re: -b binary logging question (John Sage)
9. Re: Another error message. Thx. (Keith Young)
10. MS-SQL and ACID (Dhruv Chandra)
11. MS-SQL and ACID (Dhruv Chandra)
12. MS-SQL and ACID (Dhruv Chandra)
13. MS-SQL and ACID (Dhruv Chandra)
14. MS-SQL and ACID (Dhruv Chandra)
15. MS-SQL and ACID (Dhruv Chandra)
16. MS-SQL and ACID (Dhruv Chandra)

--__--__--

Message: 1
Date: Tue, 03 Sep 2002 08:22:43 -0400
From: Chris Green <cmg () sourcefire com>
Subject: Re: [Snort-users] Hard choice: Preprocessor or Tagging
To: Michael Boman <michael.boman () securecirt com>
Cc: Snort Users List <snort-users () lists sourceforge net>
Reply-to: snort-users () lists sourceforge net

Michael Boman <michael.boman () securecirt com> writes:

Make it an option in the output line and I'll include it.

Ok. Here is a diff against SNORT_1_8 CVS. I called the option 'ignore_bpf' and it's a boolean. I updated README.database documentation to reflect the change as well.

Would you change this to Snort 1.9 please. :)

-- Chris Green <cmg () sourcefire com> "Yeah, but you're taking the universe out of context."

--__--__--

Message: 2
Date: Tue, 03 Sep 2002 08:25:54 -0400
From: Chris Green <cmg () sourcefire com>
Subject: Re: [Snort-users] -b binary logging question
To: John Sage <jsage () finchhaven com>
Cc: snort-users () lists sourceforge net
Reply-to: snort-users () lists sourceforge net

John Sage <jsage () finchhaven com> writes:
Having a discussion off-list about the -b binary logging switch, and suddenly I'm wondering... Does the -b binary logging switch *always* record all packets on the interface?

No. One thing that is confusing about snort is that it supports many different modes.

Or is the set of packets logged by -b changed when one starts to specify a snort.conf and thus check the packets against rules, whether alerts or passes?

Yes. There is a difference between with a snort.conf and without.

"If you're on a high speed network or you want to log the packets into a more compact form for later analysis you should consider logging in "binary mode". Binary mode logs the packets in "tcpdump format" to a single binary file in the logging directory:

I really should rewrite that portion. That only makes sense these days if you've got a slow machine but fast disk IO. Binary mode for a log format + fast mode instead of an ascii logging makes lots of sense though.

./snort -l ./log -b

Note the command line changes here. We don't need to specify a home network any longer because binary mode logs everything into a single file, which eliminates the need to tell it how to format the output directory structure." This implies that -b gets everything.

It does in that command line.

OK: does it *always* get everything?

Nope.

-- Chris Green <cmg () sourcefire com> Don't use a big word where a diminutive one will suffice.

--__--__--

Message: 3
Date: Tue, 03 Sep 2002 13:40:02 +0100
From: Richard Hall <r.j.hall () rhul ac uk>
Organization: Information Security Group
CC: Snort Users List <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort Minimum permissions

Does anyone know what the absolute minimum permissions are on the MySQL database tables for the snort sensor account? The guide states CREATE, INSERT, SELECT, DELETE and UPDATE on snort_db.*; are all these needed? Does the sensor ever need CREATE, DELETE, SELECT or UPDATE if it is just inserting information into the existing database tables? My SQL (that is My as in Me, not the program) is very limited and I want people in other less trusted locations to be able to still log sensor data back to a central location for analysis but without being able to modify or read the existing data in the database. Is this possible?

Cheers
Rich

Richard Hall
Systems Administrator
Information Security Group
Royal Holloway, University of London
Tel: +44 (0)1784 44 3111
Fax: +44 (0)1784 430766

--__--__--

Message: 4
Date: Tue, 3 Sep 2002 09:06:09 -0400 (EDT)
From: "Roman Danyliw" <roman () danyliw com>
To: Matthew Wagenknecht <Matthew.Wagenknecht () quantum com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and creating new classtypes

This is the expected (if not necessarily the desired) behavior. Meta information about a signature (e.g., classification, priority) is stored in the database the first time that an event matching this signature is encountered. Without an update to the revision number of the signature to denote that something has changed, the meta information will not be updated despite a manual update to the configuration file. ACID should probably provide primitives to manipulate signature classifications.
Roman

On Thu, 29 Aug 2002 10:11:03 -0600, Matthew Wagenknecht <Matthew.Wagenknecht () quantum com> wrote:

In the snort rules, a number of virus rules have misc-activity. I want to move all virus signatures to a new classtype called virus. I created a new line in classifications.config like the following:

config classification: virus,Virus Detection,1

However when in ACID, it shows up under unclassified. Is there something else I need to do or is this an ACID issue?

..:: Matt ::..
--__--__--

Message: 5
Date: Tue, 3 Sep 2002 06:50:38 -0700 (PDT)
From: charella constansia <sharella () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] papers about installing snort

Hi, do you guys know any good paper about installing Snort on multiple sensors that logs to one console? The platform must be redhat7.3. thanks

--__--__--

Message: 6
From: "Ian Macdonald" <secsnort () dirk demon co uk>
To: "Tony Wong" <tony.wong () stanford edu>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] NETBIOS NT NULL session
Date: Tue, 3 Sep 2002 09:50:51 -0400

NT Null sessions are something that is used by MS operating systems to get information about another server. It is a way to connect to a machine and not authenticate (Null) then gather information from the machine. You can use a null session to collect information about who is logged onto a machine, what domain they are part of and some other stuff. I think you can also make registry updates using Null sessions. You can restrict what information can be viewed by null sessions by setting restrictanonymous in the registry (doing a search on the web will bring up the exact location). If you completely disable null sessions things will break, but by making this registry change you can limit the impact of the null sessions.

Ian

----- Original Message -----
From: "Tony Wong" <tony.wong () stanford edu>
To: <snort-users () lists sourceforge net>
Sent: Wednesday, August 28, 2002 3:29 PM
Subject: [Snort-users] NETBIOS NT NULL session

Why am I getting these alerts to my NT Fileserver?

-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing real-time communications platform! Don't just IM. Build it in! http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 7
From: "Ian Macdonald" <secsnort () dirk demon co uk>
To: "Phil Wood" <cpw () lanl gov>, "Tony Wong" <tony.wong () stanford edu>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] PORN Virgin
Date: Tue, 3 Sep 2002 09:55:16 -0400

This rule is disabled by default in the current snortrules-stable.tar.gz on snort.org. Maybe you should update your rule set? I would look very closely at the porn rules and see if they make sense; there are a few rules in there that match on a single word that will generate a lot of false positives (these are disabled in the rule set on snort.org).

Ian

----- Original Message -----
From: "Phil Wood" <cpw () lanl gov>
To: "Tony Wong" <tony.wong () stanford edu>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, August 28, 2002 6:53 PM
Subject: Re: [Snort-users] PORN Virgin

On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:

Every time I bring up ACID from my workstation browser I see "PORN Virgin" from my workstation to the IDS box which is also running ACID. Why is that?

Either someone is interested in "virgin wool", "a young virgin cow", or you are sending your rule set over the net and capturing it with your carefully configured snort IDS. Have you bothered to look at the data surrounding the key word "virgin" (using ACID)? Also, check your collection of rules for the keyword "virgin". Oh, heck, I can do that!

$ cd where-ever-your-rules-are
$ grep -i virgin *
porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "PORN virgin"; content: "virgin "; nocase; flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)
-- Phil Wood, cpw () lanl gov
--__--__--

Message: 8
Date: Tue, 3 Sep 2002 07:29:03 -0700
From: John Sage <jsage () finchhaven com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] -b binary logging question

Erek, Chris: Thanks, guys..

- John
--__--__--

Message: 9
Date: Tue, 03 Sep 2002 10:27:58 -0400
From: Keith Young <kyoung () v-one com>
Reply-To: kyoung () v-one com
Organization: V-ONE
To: gaojianwen () gzidc com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Another error message. Thx.

jordi wrote:

Hi all, Gleen, do you mean I remove the following lines?
#!/bin/sh
#

Keep the file like it is. Three things:
1) Is the file executable (ie "chmod +x snort")?
2) Did you FTP it from a Windows machine and need to convert the CR/LF (ie. "dos2unix snort snort")?
3) Do you have any whitespace after "/bin/sh"?

-- Keith Young -kyoung () v-one com

--__--__--

Message: 10
From: "Dhruv Chandra" <dhruvc () hotmail com>
To: snort-users () lists sourceforge net
Date: Tue, 03 Sep 2002 10:31:03 -0400
Subject: [Snort-users] MS-SQL and ACID

Hi Everyone.

I am new to Snort and NIDS in general. I am trying to incorporate Snort NIDS within our corporate network.

Here is what I am planning to use.

OS -> Windows 2000
Database -> MS-SQL 2000
--__--__--

End of Snort-users Digest
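Phil Wood's grep above found the "virgin" rule by hand, and Ian Macdonald's reply notes that rules matching on a single word generate many false positives. The following Python script is an added example, not code from the list or from the Snort project: it parses a small constructed rules file that includes the porn.rules line quoted above (sid 1796) alongside two made-up rules with placeholder sids, and flags any rule whose only content match is a single plain word with no narrowing options, reporting whether the rule is enabled or commented out.

```python
import re

# Constructed sample rules: the porn.rules line quoted in the digest (sid 1796,
# commented out, i.e. disabled) plus two made-up rules with placeholder sids.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "PORN virgin"; content: "virgin "; nocase; flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE single word"; content:"hardcore"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE cgi probe"; flow:to_server,established; content:"GET "; depth:4; content:"/cgi-bin/"; nocase; classtype:web-application-activity; sid:1000002; rev:1;)
"""

# A rule line: optional leading '#' (disabled), header, then options in parentheses.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?"
    r"(?P<action>alert|log|pass)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*"
    r"\((?P<opts>.*)\)\s*$"
)
# One option: name, optional ':value' (quoted values may contain ';'), then ';'.
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# Options that narrow where a content match may occur; their presence lowers FP risk.
NARROWING = {"offset", "depth", "distance", "within", "pcre", "uricontent"}
SINGLE_WORD = re.compile(r"^[A-Za-z]{1,12}$")


def parse_options(opts: str) -> list[tuple[str, str]]:
    """Split the text between a rule's parentheses into (option, value) pairs."""
    pairs = []
    for m in OPT_RE.finditer(opts):
        name, val = m.group(1), (m.group(2) or "").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # drop the surrounding quotes only, keep inner spaces
        pairs.append((name, val))
    return pairs


def audit_rules(text: str) -> list[dict]:
    """One finding per rule line; 'weak' marks a lone single-word content match."""
    findings = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and ordinary comments are not rules
        opts = parse_options(m.group("opts"))
        names = {n for n, _ in opts}
        contents = [v for n, v in opts if n == "content"]
        weak = (len(contents) == 1
                and SINGLE_WORD.match(contents[0].strip()) is not None
                and not (names & NARROWING))
        findings.append({
            "sid": next((v for n, v in opts if n == "sid"), None),
            "msg": next((v for n, v in opts if n == "msg"), ""),
            "enabled": m.group("disabled") is None,
            "contents": contents,
            "weak": weak,
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        verdict = "single-word content match, expect false positives" if f["weak"] else "ok"
        print(f"sid {f['sid']} [{state}] {f['msg']!r}: {verdict}")
```

Run it against a real rules directory by feeding each file's text to audit_rules and reviewing the enabled rules it marks weak; the disabled sid 1796 is reported too, so a rule set that re-enables it shows up immediately.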
Current thread:
- snort and demarc frontend and Promiscuous mode Lavin, John (Sep 04)
- Re: snort and demarc frontend and Promiscuous mode Erek Adams (Sep 04)
