From: Javier R. <jr...@on...> - 2010-02-09 14:50:59

I had successfully implemented snort as ips on x86, using gentoo-gnap and a soekris hardware, and it works quite well. All the info you need is in snort.org documentation. What are the problems you are facing?

On Tue, Feb 09, 2010 at 09:11:29AM +0300, Emmanuel Mugarura wrote:
> Hello
>
> Greetings
>
> I am inquiring about whether there is some one who has successfully
> implemented Snort on *x86*-64. I would also appreciate any kind of guides on
> how to do this
>
> Regards
>
> Emmanuel Mugarura
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Emmanuel M. <cmu...@gm...> - 2010-02-09 06:11:37

Hello

Greetings

I am inquiring about whether there is some one who has successfully implemented Snort on *x86*-64. I would also appreciate any kind of guides on how to do this.

Regards

Emmanuel Mugarura
From: Will M. <wil...@gm...> - 2010-02-05 21:05:17

Hmmm, I could be mistaken, but I'm unaware of any divert socket/netfilter queue type of functionality on Solaris. Does such a beast exist? If so we never did any work on the snort-inline to support it.

Regards,
Will

On Fri, Feb 5, 2010 at 6:56 AM, Emmanuel Mugarura <cmu...@gm...> wrote:
> Hello
>
> Greetings
>
> I am working on a project to implement Snort inline on solaris 10. Any one
> with tips, tutorials and any material that can help me achieve this, i would
> love being pointed in the right direction
>
> The implementation could as well be on any flavor of Unix
>
> Regards
>
> Emmanuel Mugarura
From: Emmanuel M. <cmu...@gm...> - 2010-02-05 20:59:14

Hello

Greetings

I am working on a project to implement Snort inline on solaris 10. Anyone with tips, tutorials and any material that can help me achieve this, I would love being pointed in the right direction.

The implementation could as well be on any flavor of Unix.

Regards

Emmanuel Mugarura
From: charles m. <mug...@gm...> - 2010-01-20 14:47:18

Hi;

I changed snort-inline version to 2.6; now it is running and snort-inline options are enabled, but when I launch snort-inline with the "snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline" command I'm getting the following errors in the output.

1. WARNING /etc/snort_inline/snort_inline.conf(361) => flush_behavior set in config file, using old static flushpoints (0)
2. ERROR: /etc/snort_inline/rules/exploit.rules(38): Cannot check flow connection for non-TCP traffic

Can you please help? Check the full output below.

charles@ips:~$ sudo snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Var 'usbmon1_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon2_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon3_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon4_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon5_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon6_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon7_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon8_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[ 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 23 chars, value = /etc/snort_inline/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 3600 seconds
    Session memory cap: 134217728 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE and DROPPING
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Scan mode? (scan_stream_only): Both packet and stream
        Sliding Windowsize (window_size): 3000
        Memcap reached method (truncate): Truncate
        Truncate percentage (truncate_percentage): 33
        Store/Load state from/to disk: No
        Max out-of-order packets in a stream (max_ooo_pkts): 5
        Max out-of-order bytes in a stream (max_ooo_bytes): 5000
        Max sequence holes in a stream (max_seq_holes): 2
        Normalize wscale max (norm_wscale_max): 2
        Perform window scale normaliztion: Yes
        Disable out-of-order packet drop: No
        Disable out-of-order packet drop: No
        Disable sequence hole packet drop: No
        Max sequence holes in a stream (max_seq_holes): 2
        Disable wscale normalization alerts (disable_norm_wscale_alerts): No
        Disable out-of-order alerts (disable_ooo_alerts): No
        Drop bad RST packets? (drop_bad_rst): No
WARNING /etc/snort_inline/snort_inline.conf(361) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor New
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900

ERROR: /etc/snort_inline/rules/exploit.rules(38): Cannot check flow connection for non-TCP traffic
Fatal Error, Quitting..
charles@ips:~$
From: Emilio M. S. <em...@te...> - 2010-01-17 13:27:03

I installed an old version as I do not know how to install a new one and I wanted to follow www.openmaniak.com instructions. I have the sensation that I always go one step behind.

When I tried to load libmysqlclient12-dev my Ubuntu 9.10 does not find the package and instead invites me to load libmysqlclient15off. I loaded this package but when configuring snort_inline-2.4.5a I got the error and the tutorial says that is because of libmysqlclient12 missing.

I would like to install a new version like snort 2.8.5.2 as snort inline but I do not know which steps to follow or how to compile it to work in the line of www.openmaniak.com as I loaded all the packages as they say in the tutorial.

I tried to load a new bundle from securixlive. The NMWnow but in the middle they say that I DO NOT HAVE mysql-server 5.0 because I installed the last version that is mysql-server 5.1.

So my sensation is that I am one step behind because I do not know all this in linux. I am coming from the windows world where things are not cheap but a little bit easier to install.

Is there a full guide on how to install snort 2.8.5.2 in Ubuntu 9.10 without any errors or old packages?

Regards and Thanks

Emilio
From: John D. <joh...@gm...> - 2010-01-17 11:02:34

Hi,

Did you install anything like libmysqlclient-dev? Usually *dev packages contain header files needed for compilation. And "sudo apt-get install libmysqlclient-dev" worked for me just now.

'make' should not work for you until you have ./configure without errors.

By the way, I hope there is a reason you are installing an old version. Usually newer ones have fewer errors. Some things even work only from svn (like using nfqueue with multiple queues).

Best regards
John Default

Emilio Mari Solera wrote:
> ERROR: unable to find mysql headers (mysql.h)
> checked in the following places
> /usr/include
> /usr/include/mysql
> /usr/local/include
> /usr/local/include/mysql
> **********************************************
>
> emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$ make
> make: *** No targets specified and no makefile found. Stop.
> emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$
>
> NEW TO LINUX, WHAT CAN I DO?
> I HAVE GCC AND G++ INSTALLED AS WELL AS BUILD-ESSENTIALS
From: Emilio M. S. <em...@te...> - 2010-01-17 08:56:18

ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************

emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$ make
make: *** No targets specified and no makefile found. Stop.
emilio@ubuntu:~/Downloads/snort_inline-2.4.5a$

NEW TO LINUX, WHAT CAN I DO?
I HAVE GCC AND G++ INSTALLED AS WELL AS BUILD-ESSENTIALS
From: Joel E. <es...@gm...> - 2010-01-15 13:59:08

Looks like you are using an old version of Snort with a new version of rules. Please update your Snort version.

J

On Fri, Jan 15, 2010 at 3:44 AM, charles mugisha <mug...@gm...> wrote:
> Hi;
>
> This is my first time to run snort-inline, it looks like I successfully
> installed snort-inline but when I start it I'm getting the following message.
> It is saying that no process found.
>
> What am I missing?
>
> charles@ips:~$ sudo /etc/init.d/snort_inlined restart
> snort_inline: no process found
> Removing iptables rules:
> Starting ip_queue module:
> Starting iptables rules:
> Starting snort_inline:
> Reading from iptables
> Initializing Inline mode
>
> Also when I run this command "snort_inline -Q -v -c
> /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline" I'm getting
> the following output with two errors. What is wrong with my snort-inline?
> Can anyone help?
>
> charles@ips:~$ sudo snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Setting the Packet Processor to decode packets from iptables
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     Session count max: 8192 sessions
>     Session cleanup count: 5
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
>     Enforce TCP State: INACTIVE
>     Midstream Drop Alerts: INACTIVE
>     Server Data Inspection Limit: -1
>     Inline-mode options:
>         Inline-mode enabled? (stream4inline): No
>         Sliding Windowsize (window_size): 7000 (max full conn: 1198)
>         Memcap reached method (truncate): Prune
>         Truncate percentage (truncate_percentage): 33
>         DROP out-of-window packets (drop_out_of_window): No
>         DROP data on unestablised session state (drop_data_on_unest): No
>         DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
>         DROP packet not within session limits (drop_not_in_limits): No
>         DROP ttl evasion (drop_ttl_evasion): No
>         Store/Load state from/to disk: No
> WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in config file, using old static flushpoints (0)
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: INACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor Old
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: Small (<255 bytes)
>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests: 0
>       Inspection Type: STATELESS
>       Detect Proxy Usage: NO
>       IIS Unicode Map Filename: /etc/snort_inline/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: YES
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> Portscan Detection Config:
>     Detect Protocols: TCP UDP ICMP IP
>     Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
>     Sensitivity Level: Low
>     Memcap (in bytes): 10000000
>     Number of Nodes: 36900
>
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = snortuser
> database: password is set
> database: database name = snort
> database: host = localhost
> Interface is NULL. Name may not be unique for the host
> Node unique name is: unknown:(null)
>
> database: sensor name = unknown:(null)
> database: sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown keyword ' metadata' in rule!
> Fatal Error, Quitting..

--
Joel Esler
From: Ihab el B. <iha...@ho...> - 2010-01-15 08:54:23

Hi, have you configured your snort_inline.conf file correctly? Try to check the mysql database itself (containing rows ...). Also try to except the exploit.rules from the config file and give it a try then, and don't forget to send the packet stream to the queue, e.g. (iptables -A FORWARD -p all -j QUEUE).

Best regards
Ihab El Bakri

Date: Fri, 15 Jan 2010 10:44:36 +0200
From: mug...@gm...
To: sno...@li...
Subject: [Snort-inline-users] Help

Hi;

This is my first time to run snort-inline, it looks like I successfully installed snort-inline but when I start it I'm getting the following message. It is saying that no process found.

What am I missing?

charles@ips:~$ sudo /etc/init.d/snort_inlined restart
snort_inline: no process found
Removing iptables rules:
Starting ip_queue module:
Starting iptables rules:
Starting snort_inline:
Reading from iptables
Initializing Inline mode

Also when I run this command "snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline" I'm getting the following output with two errors. What is wrong with my snort-inline? Can anyone help?

charles@ips:~$ sudo snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): No
        Sliding Windowsize (window_size): 7000 (max full conn: 1198)
        Memcap reached method (truncate): Prune
        Truncate percentage (truncate_percentage): 33
        DROP out-of-window packets (drop_out_of_window): No
        DROP data on unestablised session state (drop_data_on_unest): No
        DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
        DROP packet not within session limits (drop_not_in_limits): No
        DROP ttl evasion (drop_ttl_evasion): No
        Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900

database: compiled support for ( mysql )
database: configured to use mysql
database: user = snortuser
database: password is set
database: database name = snort
database: host = localhost
Interface is NULL. Name may not be unique for the host
Node unique name is: unknown:(null)

database: sensor name = unknown:(null)
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown keyword ' metadata' in rule!
Fatal Error, Quitting..
From: charles m. <mug...@gm...> - 2010-01-15 08:44:46

Hi;

This is my first time to run snort-inline, it looks like I successfully installed snort-inline but when I start it I'm getting the following message. It is saying that no process found.

What am I missing?

charles@ips:~$ sudo /etc/init.d/snort_inlined restart
snort_inline: no process found
Removing iptables rules:
Starting ip_queue module:
Starting iptables rules:
Starting snort_inline:
Reading from iptables
Initializing Inline mode

Also when I run this command "snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline" I'm getting the following output with two errors. What is wrong with my snort-inline? Can anyone help?

charles@ips:~$ sudo snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): No
        Sliding Windowsize (window_size): 7000 (max full conn: 1198)
        Memcap reached method (truncate): Prune
        Truncate percentage (truncate_percentage): 33
        DROP out-of-window packets (drop_out_of_window): No
        DROP data on unestablised session state (drop_data_on_unest): No
        DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
        DROP packet not within session limits (drop_not_in_limits): No
        DROP ttl evasion (drop_ttl_evasion): No
        Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900

database: compiled support for ( mysql )
database: configured to use mysql
database: user = snortuser
database: password is set
database: database name = snort
database: host = localhost
Interface is NULL. Name may not be unique for the host
Node unique name is: unknown:(null)

database: sensor name = unknown:(null)
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown keyword ' metadata' in rule!
Fatal Error, Quitting..
From: Ihab el B. <iha...@ho...> - 2010-01-13 15:38:23

Hello, BASE, Placid, or Sguil are just web interfaces for the logs. You can try webmin; I think it has a snort addon to add rules to snort and iptables.

Best regards
Ihab ElBakri
From: Dave R. <dav...@gm...> - 2010-01-05 17:11:05

On Tue, Jan 5, 2010 at 2:55 AM, Morgan Cox <mor...@gm...> wrote:
> Thanks Will for getting back to me.
>
> (Sorry if this has gone to a new thread, my mailing list options were set
> to not deliver mail previously)
>
> I have 1 further question to ask about rule whitelisting..
>
> Can I stop a rule for one (or more) IP(s), if I comment out the rule that
> will prevent the rule entirely.

At this point you need 2 rules, I think - one that accepts for the whitelisted address (1st), 1 that takes the other action (for the rest).

> Also should I be able to use snort inline with latest normal snort in AMD64
> ?

SF snort should work as a 64 bit app, although its inline mode might not because ip_queueing is a wrapper for nfqueueing these days. I've run snort-inline 2.8.4.1 as a 64 bit app using NFQUEUEs; no problem.

> I got it to compile but it segfaulted.. Is it advisable to stick with
> 2.4.8.1 snort_inline svn for now ?
>
> Thank you for all your help Will.
>
> Cheers

--
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right."
David Palmer (pa...@ty...)
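Two points in this thread are easy to check before a sensor is restarted: Joel's diagnosis that the "Unknown keyword ' metadata'" and "Cannot check flow connection for non-TCP traffic" startup errors come from loading a current rule set on an engine that predates those options, and Dave's point that whitelisting a host needs a pass rule placed ahead of the drop rule rather than a commented-out rule. The script below is an added example written for this page, not snort-inline's own parser: it reads Snort 2.x one-line rules, reports the same two parse-time complaints Snort prints (with the file line number), and runs a first-match verdict over the rules in list order to show why the whitelist entry must come first. The keyword sets and the sample rules are constructed for the example; a real engine's keyword table is larger and version-specific, and real Snort also applies a configurable action order and matches payload options, which this evaluator ignores.

```python
import re
import ipaddress

# Constructed subset of option keywords. A 2.4-era snort_inline build has no
# 'metadata' keyword, which is why a current rule set fails to load on it.
OLD_KEYWORDS = {"msg", "flow", "content", "nocase", "reference", "classtype",
                "sid", "rev", "flags", "dsize", "pcre", "itype", "icode"}
NEW_KEYWORDS = OLD_KEYWORDS | {"metadata", "flowbits", "http_uri"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(line):
    """Split a one-line Snort 2.x rule into header fields plus a list of
    (keyword, value) option pairs; option values are not decoded further."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule: %r" % line)
    rule = m.groupdict()
    opts = []
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip()))
    rule["opts"] = opts
    return rule


def lint_rule(line, known_keywords, lineno):
    """Return the parse-time complaints Snort would raise for one rule: an
    option keyword this engine does not know, or a flow: check on a rule
    whose protocol is not TCP (flow state only exists for TCP sessions)."""
    rule = parse_rule(line)
    keys = [k for k, _ in rule["opts"]]
    problems = [
        "(%d) => Unknown keyword '%s' in rule!" % (lineno, k)
        for k in keys if k not in known_keywords]
    if "flow" in keys and rule["proto"] != "tcp":
        problems.append("(%d): Cannot check flow connection for non-TCP traffic" % lineno)
    return problems


def lint_file(text, known_keywords):
    """Lint every rule in a rules file, skipping blanks and comments. Unlike
    Snort, which exits at the first fatal error, this reports all of them."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#"):
            problems.extend(lint_rule(s, known_keywords, n))
    return problems


def _addr_match(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def decide(rules, proto, src, dst, dport):
    """First-match verdict over parsed rules in list order, on header fields
    only. Because evaluation stops at the first hit, a 'pass' for the
    whitelisted host has to precede the 'drop' that would otherwise catch it.
    (Constructed semantics: real Snort applies an action order first and
    also evaluates payload options such as flow: and content:.)"""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)
                and _port_match(r["dport"], dport)):
            return r["action"]
    return "pass"  # nothing matched: traffic is let through


# Constructed rules for the example; not taken from any stock rule set.
SAMPLE_RULES = """\
# line 1 is a comment, so rule line numbers start at 2
pass tcp 192.0.2.10 any -> any 80 (msg:"whitelisted scanner host"; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"WEB-MISC cgi-bin probe"; flow:to_server,established; content:"/cgi-bin/"; metadata:service http; sid:1000002; rev:1;)
drop udp any any -> any 53 (msg:"flow option on a UDP rule"; flow:to_server; sid:1000003; rev:1;)
"""


def parsed_sample_rules():
    return [parse_rule(l) for l in SAMPLE_RULES.splitlines() if l and not l.startswith("#")]


if __name__ == "__main__":
    for problem in lint_file(SAMPLE_RULES, OLD_KEYWORDS):
        print("old engine:", problem)
    rules = parsed_sample_rules()
    print(decide(rules, "tcp", "192.0.2.10", "198.51.100.5", 80))  # pass
    print(decide(rules, "tcp", "203.0.113.7", "198.51.100.5", 80))  # drop
```

Run against OLD_KEYWORDS the linter reports the metadata keyword on line 3 and the flow-on-UDP rule on line 4; against NEW_KEYWORDS only the UDP rule remains, which is the one defect a newer engine would still reject. Reversing the rule list makes the whitelisted host hit the drop rule, which is the ordering mistake Dave is warning about.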
From: Morgan C. <mor...@gm...> - 2010-01-05 09:56:04
|
Thanks Will for getting back to me. (Sorry if this has gone to a new thread, my mailing list options were set to not deliver mail previously) I have 1 further question to ask about rule whitelisting.. Can I stop a rule for one (or more) IP(s), if I comment out the rule that will prevent the rule entirely. Also should I be able to use snort inline with latest normal snort in AMD64 ? I got it to compile but it segfaulted.. Is it advisable to stick with 2.4.8.1 snort_inline svn for now ? Thank you for all your help Will. Cheers |
From: Will M. <wil...@gm...> - 2009-12-31 20:49:06
|
Full Announcement here: http://www.openinfosecfoundation.org/ It's been about three years in the making, but the day has finally come! We have the first release of the Suricata Engine! The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field. The Suricata Engine and the HTP Library are available to use under the GPLv2. The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools. This is considered a Beta Release as we are seeking feedback from the community. This release has many of the major new features we wanted to add to the industry, but certainly not all. We intend to get this base engine out and stable, and then continue to add new features. We expect several new releases in the month of January culminating in a production quality release shortly thereafter. The engine and the HTP Library are available here: http://www.openinfosecfoundation.org/index.php/download-suricata Please join the oisf-users mailing list to discuss and share feedback. The developers will be there ready to help you test. http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users As this is a first release we don't really have a "what's New" section because everything is new. But we do have a number of new ideas and new concepts to Intrusion Detection to note. Some of those are listed below: Multi-Threading Amazing that multi-threading is new to IDS, but it is, and we've got it! Automatic Protocol Detection The engine not only has keywords for IP, TCP, UDP and ICMP, but also has HTTP, TLS, FTP and SMB! 
A user can now write a rule to detect a match within an HTTP stream for example regardless of the port the stream occurs on. This is going to revolutionize malware detection and control. Detections for more layer 7 protocols are on the way. Gzip Decompression The HTP Parser will decode Gzip compressed streams, allowing much more detailed matching within the engine. Independent HTP Library The HTP Parser will be of great use to many other applications such as proxies, filters, etc. The parser is available as a library also under GPLv2 for easy integration into other tools. Standard Input Methods You can use NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support coming shortly. Unified2 Output You can use your standard output tools and methods with the new engine, 100% compatible! Flow Variables It's possible to capture information out of a stream and save that in a variable which can then be matched again later. Fast IP Matching The engine will automatically take rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats) and put them into a special fast matching preprocessor. HTTP Log Module All HTTP requests can be automatically output into an Apache-style log format file. Very useful for monitoring and logging activity completely independent of rulesets and matching. Should you need to do so you could use the engine only as an HTTP logging sniffer. Coming Very Soon: (Within a few weeks) Global Flow Variables The ability to store more information from a stream or match (actual data, not just setting a bit), and storing that information for a period of time. This will make comparing values across many streams and time possible. Graphics Card Acceleration Using CUDA and OpenCL we will be able to make use of the massive processing power of even old graphics cards to accelerate your IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance. 
IP Reputation Hard to summarize in a sentence, but Reputation will allow sensors and organizations to share intelligence and eliminate many false positives. Windows Binaries As soon as we have a reasonably stable body of code. The list could go on and on. Please take a few minutes to download the engine and try it out and let us know what you think. We're not comfortable calling it production ready at the moment until we get your feedback, and we have a few features to complete. We really need your feedback and input. We intend to put out a series of small releases in the two to three weeks to come, and then a production ready major release shortly thereafter. Phase two of our development plan will then begin where we go after some major new features such as IP Reputation shortly. http://www.openinfosecfoundation.org |
From: Michael S. <sch...@se...> - 2009-12-30 14:26:24
|
On 12/30/09 7:50 AM, Morgan Cox wrote: > Hi. > > At present I am commenting out rules I do not use. > > This works fine until I update the rules, then obviously the rules > that were commented out will no longer be. > > Use oinkmaster. You use oinkmaster to both update rules AND keep your customizations (including disabling rules). It's much better to disable the rule (saves RAM, CPU, buffer space) than ignore it once it's been triggered. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 | SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 |
From: Morgan C. <mor...@gm...> - 2009-12-30 12:50:56
|
Hi. At present I am commenting out rules I do not use. This works fine until I update the rules, then obviously the rules that were commented out will no longer be. I thought that you could prevent rules being used by adding lines such as - suppress gen_id 1, sig_id 1852 to /etc/snort/threshold.conf I now realise that just prevents the log/alert, it doesn't prevent the rule from running - I know this to be true as I am running in inline mode (with drop) and lots of things do not work until I comment out the lines of the rules... My question is, is there any config file I can tell snort to ignore a sid id, so that when I replace the updated rules I am still whitelisting certain rules ? Also I still notice that inline mode doesn't work with 64bit in the standard snort version (2.8.5.1) - when will 64bit standard snort (inline) work with 64 bit ? Running snort-inline svn 2.8.4.1 - Debian Lenny - AMD64 Cheers |
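The distinction in this exchange (a `suppress` line in threshold.conf only silences the alert, so a drop rule keeps dropping, while disabling the rule as oinkmaster's disablesid does stops it running and survives rule updates) as an added Python example, not from the thread or from oinkmaster. The rule text and SID 1852 are taken from the thread; the second rule and the file contents are constructed sample input.

```python
"""Added example (not from the thread): disable Snort rules by SID the way
oinkmaster's disablesid does, and list SIDs that are only suppressed in
threshold.conf but still loaded (in inline mode those keep dropping)."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")

def rule_sid(line):
    """SID of a rule line (commented out or not); None for non-rule lines."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None

def disable_sids(rules_text, disabled):
    """Comment out every rule whose SID is in `disabled` (idempotent).
    Re-run after each rule update so the customisation survives it."""
    out = []
    for line in rules_text.splitlines():
        if rule_sid(line) in disabled and not line.lstrip().startswith("#"):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def active_sids(rules_text):
    """SIDs of rules Snort will actually load (not commented out)."""
    return {rule_sid(l) for l in rules_text.splitlines()
            if rule_sid(l) is not None and not l.lstrip().startswith("#")}

def suppressed_sids(threshold_conf):
    """sig_ids from 'suppress gen_id 1, sig_id N' lines (gen_id 1 = text rules)."""
    sids = set()
    for line in threshold_conf.splitlines():
        m = SUPPRESS_RE.match(line)
        if m and int(m.group(1)) == 1:
            sids.add(int(m.group(2)))
    return sids

def suppressed_but_active(rules_text, threshold_conf):
    """Suppressed yet still running: the alert is silenced but the rule
    still fires, so a drop rule keeps dropping with nothing logged."""
    return suppressed_sids(threshold_conf) & active_sids(rules_text)

# Constructed sample input: the rule quoted in the thread plus a second rule.
SAMPLE_RULES = (
    'drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC access"; '
    'flow:to_server,established; uricontent:"/"; nocase; sid:1852; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed"; sid:9000001; rev:1;)\n'
)
SAMPLE_THRESHOLD = "suppress gen_id 1, sig_id 1852\n"
```

Run `suppressed_but_active` after every rule update; any SID it reports is being silently dropped rather than disabled.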
From: Will M. <wil...@gm...> - 2009-12-22 11:12:37
|
There isn't a pre-built drop rule set. This is an exercise left to the user. Run the non-drop rules for a while to weed out false positives, etc., and then change the alert type from alert to drop where it makes sense for your environment. Regards, Will 2009/12/21 <gw...@gm...>: > I surf the internet, but I can't find it |
From: <gw...@gm...> - 2009-12-22 05:35:19
|
I surf the internet, but I can't find it |
From: star6868 <sta...@gm...> - 2009-10-08 09:18:35
|
I have installed snort-inline in CentOS from http://snort-inline.sourceforge.net/download.html, Version: snort_inline-2.6.1.5.tar.gz It works very well, it can Alert or Drop packets well! In iptables rules, I monitor only port 80: iptables -I INPUT -p tcp --dport 80 -j QUEUE iptables -I OUTPUT -p tcp --sport 80 -j QUEUE In rules, I use only one rule for test: #Drop all access to webserver if more than 10 access/second drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC access"; flow:to_server, established; uricontent:"/"; nocase; reference:nessus,10302; classtype:web-application-activity; threshold: type both , track by_dst, count 10 , seconds 10 ; sid:1852; rev:1;) (I refer to this rule at: http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.thresholding?rev=1.5 ) But now, I have a problem: When it drops a packet, snort-inline BLOCKs that IP and snort-inline seems NOT to release that IP ----> It means snort-inline BLOCKs that IP forever (until restart of snort-inline) So, I want snort-inline to drop/block one IP for a time range (ex, some minutes). How to do this? Thank you in advance! |
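To see what the `threshold: type both, track by_dst, count 10, seconds 10` option in the rule above does to a burst of matches, here is an added Python model of Snort's rule threshold keyword (limit, threshold and both) run over constructed traffic; it is not code from the thread or from Snort, and it models fixed windows opened by the first match per tracked host, which is an assumption about Snort's internals.

```python
"""Added example (not from the thread): a model of Snort's rule threshold
keyword (type limit|threshold|both, track by_src|by_dst, count, seconds)
applied to a constructed stream of rule matches."""


class Threshold:
    """Assumed model: fixed windows of `seconds`, opened by the first match per host."""

    def __init__(self, kind, track, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(kind)
        self.kind, self.track = kind, track
        self.count, self.seconds = count, seconds
        self.state = {}  # tracked host -> (window_start, matches_in_window)

    def event(self, ts, src, dst):
        """Return True when this match is acted on (alert, or drop for a
        drop rule); False when thresholding swallows it."""
        host = src if self.track == "by_src" else dst
        start, n = self.state.get(host, (ts, 0))
        if ts - start >= self.seconds:        # window expired: open a new one
            start, n = ts, 0
        n += 1
        self.state[host] = (start, n)
        if self.kind == "limit":              # first `count` matches per window
            return n <= self.count
        if self.kind == "threshold":          # every `count`th match
            return n % self.count == 0
        return n == self.count                # both: once per window, at match #count


def run_scenario(kind):
    """Constructed traffic: three clients hit one web server 8 times each
    within 6 s (24 matches), then a second burst of 12 starting at t=15 s.
    Returns how many matches would be acted on with count 10, seconds 10."""
    th = Threshold(kind, "by_dst", 10, 10)
    server = "10.0.0.80"                      # constructed address
    actions, t = 0, 0.0
    for _ in range(8):                        # 24 matches inside the first window
        for client in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
            actions += th.event(t, client, server)
            t += 0.25
    t = 15.0                                  # second window, 12 matches
    for _ in range(12):
        actions += th.event(t, "192.0.2.9", server)
        t += 0.5
    return actions
```

With `type both` the rule acts once per window once the count is reached, which is why the rest of each burst passes without a further alert; whether an already-dropped client stays blocked is a separate question of how the drop is enforced, not of the threshold.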
From: Victor J. <li...@in...> - 2009-08-17 11:00:12
|
Hi everyone, Most of you have probably heard of the new Open Source IDS/IPS project Will and I are working on at the Open Infosec Foundation (see http://www.openinfosecfoundation.org/ and http://www.inliniac.net/blog/tag/oisf). We're still looking for help. We're especially interested in C coders. So if you're a C coder and interested in getting involved, please contact me off list. We're well funded and the work is paid. We're both interested in part time and full time coders, so if you have some spare time, let me know! Cheers, Victor -- --------------------------------------------- Victor Julien http://www.inliniac.net/ PGP: http://www.inliniac.net/victorjulien.asc --------------------------------------------- |
From: Dave R. <dav...@gm...> - 2009-08-05 15:40:50
|
You can get the latest (2.8.3) snort_inline source tree from svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk and testing (2.8.4.1) svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/testing At this point, I'd venture that the 2.8.4.1 tree is as ready as it's likely to get. Cheers, Dave On Tue, Aug 4, 2009 at 4:15 AM, Ondrej Pesta <ond...@id...> wrote: > Maybe I just find out, that newest snort with snortsam can do the work... > > Ondrej Pesta wrote: > > Hi. > > I am interested in snort_inline IPS solution. I am using FreeBSD and I > > install snort_inline from ports. There is version 2.4.5 available. I > > cannot find updated rules file for this version. > > What can I do to have newer version or updated rules file? > > Thanx > -- "Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right." David Palmer (pa...@ty...) |
From: Ondrej P. <ond...@id...> - 2009-08-04 10:15:55
|
Maybe I just find out, that newest snort with snortsam can do the work... Ondrej Pesta wrote: > Hi. > I am interested in snort_inline IPS solution. I am using FreeBSD and I > install snort_inline from ports. There is version 2.4.5 available. I > cannot find updated rules file for this version. > What can I do to have newer version or updated rules file? > Thanx |
From: Ondrej P. <ond...@id...> - 2009-08-04 07:34:27
|
Hi. I am interested in snort_inline IPS solution. I am using FreeBSD and I install snort_inline from ports. There is version 2.4.5 available. I cannot find updated rules file for this version. What can I do to have newer version or updated rules file? Thanx -- ------------------------------------ Regards Ondrej Pesta |