From: Will M. <wil...@gm...> - 2006-05-26 18:23:43

On 5/26/06, aria asadi <ari...@ya...> wrote:
> No, it seems that traffic doesn't pass through the Linux box from the br1
> interface (I tested it with both commands). In fact I think my second bridge
> interface (br1) doesn't work. Do you think my logic has a problem, or did I
> miss some configuration?

It doesn't matter what interface traffic is coming from as long as it all goes
to the QUEUE target. I think something is messed up with your bridge
configuration.
From: aria a. <ari...@ya...> - 2006-05-26 17:19:25

Hi,
No, it seems that traffic doesn't pass through the Linux box from the br1
interface (I tested it with both commands). In fact I think my second bridge
interface (br1) doesn't work. Do you think my logic has a problem, or did I
miss some configuration?
Do you mean that if I start snort with snort_inline -Q, snort must work fine
for both bridge interfaces (br0 and br1 simultaneously)?
Please note that traffic passes through the Linux box correctly from the br0
interface; it doesn't pass from br1 only.
Now what do you think? What's your recommendation for solving the problem
and using this setup?
Thanks

Will Metcalf <wil...@gm...> wrote:
> Does traffic pass when you don't send it through snort_inline? i.e.
> iptables -A FORWARD -j ACCEPT?
>
> Also FYI -i br0 br1 isn't really valid, I would get rid of it....
>
> Regards,
>
> Will
>
> On 5/26/06, aria asadi wrote:
> > [...]
From: Will M. <wil...@gm...> - 2006-05-26 16:48:19

Does traffic pass when you don't send it through snort_inline? i.e.
iptables -A FORWARD -j ACCEPT?

Also FYI -i br0 br1 isn't really valid, I would get rid of it....

Regards,

Will

On 5/26/06, aria asadi <ari...@ya...> wrote:
> Hello Sir,
> I have a bridging Snort (inline mode) that has 4 Ethernet cards,
> [...]
From: aria a. <ari...@ya...> - 2006-05-26 16:17:06

Hello Sir,
I have a bridging Snort (inline mode) that has 4 Ethernet cards. I configured
my snort box with:

    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig eth0 0.0.0.0 up
    ifconfig eth1 0.0.0.0 up
    ifconfig br0 0.0.0.0 up
    iptables -A FORWARD -j QUEUE

and also insmod ip_queue, and started snort_inline with

    snort_inline -Qvi br0 -c etc/snort_inline.conf

I connected eth0 to my MS server (172.16.1.X/29, default GW 172.16.1.1) and
also connected eth1 to my Cisco layer 3 switch, to the FastEthernet port
configured for VLAN 10:

    # interface vlan 10
    ip address 172.16.1.1/29

and it worked fine.

Then I tried to define another bridge interface in my Linux box with:

    brctl addbr br1
    brctl addif br1 eth2
    brctl addif br1 eth3
    ifconfig eth2 0.0.0.0 up
    ifconfig eth3 0.0.0.0 up
    ifconfig br1 0.0.0.0 up

and connected eth2 to another MS server (192.168.1.X/24, default GW
192.168.1.1), and then connected eth3 to my layer 3 Cisco switch, to the
FastEthernet port bound to VLAN 20:

    # interface Vlan 20
    ip address 192.168.1.1/24

and this time started snort_inline with:

    -Qv -i br0 br1 -c etc/snort_inline.conf

but my second server can't see my switch SVI, 192.168.1.1. I also tried to
assign IPs to my bridge interfaces and used routing lines, but that time it
didn't work either.

What do you think about this case? If you think that you can show me a way to
have a bridging snort IPS with 4 Ethernet ports that belong to 2 different
VLANs with 2 different subnets, please let me know. Or if you think my logic
is wrong, please let me know the right way.
Thanks in advance
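As an added example (not code from the post or from the snort_inline project), here is the two-bridge layout above as a script, together with the bisection step Will asks for in his reply: run the FORWARD chain with -j ACCEPT first and confirm both bridges pass traffic, then switch to -j QUEUE. Interface and bridge names are from the post; the configuration path, the DRY_RUN switch and modprobe in place of insmod are assumptions. Two points the script bakes in: brctl addif needs the bridge name as well as the port, and one snort_inline -Q process serves every bridge because it reads from the ip_queue target rather than from an interface list, so -i br0 br1 is not needed.

```shell
#!/bin/sh
# Two-bridge snort_inline layout with an ACCEPT-then-QUEUE bisection step.
# Added example; not from the snort-inline-users thread or the project.
# Assumes Linux 2.4/2.6 with bridge-utils, iptables and the ip_queue module.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge BRIDGE PORT1 PORT2: one L2 bridge with two member ports.
# The bridge name is mandatory: "brctl addif br0 eth0", not "brctl addif eth0".
setup_bridge() {
    br=$1; p1=$2; p2=$3
    run brctl addbr "$br"
    run brctl addif "$br" "$p1"
    run brctl addif "$br" "$p2"
    run ifconfig "$p1" 0.0.0.0 up
    run ifconfig "$p2" 0.0.0.0 up
    run ifconfig "$br" 0.0.0.0 up
}

# forward_mode accept|queue: what the FORWARD chain does with bridged packets.
# "accept" is the bisection step: if br1 still passes nothing with -j ACCEPT,
# the fault is in the bridge or the switch port, and snort_inline is not
# involved yet. Flushing FORWARD assumes the chain exists only for this box.
forward_mode() {
    run iptables -F FORWARD
    case $1 in
        accept) run iptables -A FORWARD -j ACCEPT ;;
        queue)  run modprobe ip_queue
                run iptables -A FORWARD -j QUEUE ;;
        *) echo "forward_mode: expected accept|queue, got '$1'" >&2; return 1 ;;
    esac
}

# start_snort_inline CONF: a single process reads the queue for every bridge,
# so no -i list is passed. -D daemonises; drop it while debugging.
start_snort_inline() {
    run snort_inline -Q -c "$1" -D
}

# Plan for the two-VLAN layout from the post (config path is hypothetical).
setup_bridge br0 eth0 eth1
setup_bridge br1 eth2 eth3
forward_mode accept      # step 1: confirm hosts behind br0 and br1 both reach their gateway
forward_mode queue       # step 2: only then hand frames to snort_inline
start_snort_inline /etc/snort_inline/snort_inline.conf
```

Run it as it stands to see the plan, or with DRY_RUN=0 as root to apply it. Between step 1 and step 2 is where to ping 192.168.1.1 from the second server; if that fails under forward_mode accept, fix the bridge before touching snort_inline.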
From: Brian J. <te...@ja...> - 2006-05-26 13:57:37

Ok, I'll see what happens if I migrate to 2.4.4. This will take some time, as
snort_inline is on a firewall stripped of compilers and other useful gadgets,
and the build box has had to change to a different distro....

Also I should be picking up the keys to my new house today (no sign of them
yet at 15:00hrs!). I think I'm in for a chaotic time!

regards,
Brian

-----Original Message-----
From: Will Metcalf
Sent: 26 May 2006 13:30
Subject: Re: [Snort-inline-users] Reloading rules

> I think the normal snort had some problems with signal handling. Is there a
> reason why you have not gone to 2.4.4? Setting enforce_state will only make
> the problem worse, as it will kill all established tcp connections when the
> process restarts.
>
> Regards,
>
> Will
From: Will M. <wil...@gm...> - 2006-05-26 12:30:45

I think the normal snort had some problems with signal handling. Is there a
reason why you have not gone to 2.4.4? Setting enforce_state will only make the
problem worse, as it will kill all established tcp connections when the process
restarts.

Regards,

Will

On 5/26/06, Brian Jameson <te...@ja...> wrote:
> > do you have enforce_state enabled under the stream4 section of your
> > snort_inline.conf?
>
> Will,
> No, I had a very simplistic stream4 of just 'preprocessor stream4:
> disable_evasion_alerts'. So I added enforce_state; this made no difference
> to a reload. So I added stream4inline; again, a lock-up on sending a SIGHUP.
>
> The line now reads: 'preprocessor stream4: disable_evasion_alerts,
> stream4inline, enforce_state'.
>
> Any thoughts? By the way it is version 2.3.3.
> regards,
> Brian.
From: Brian J. <te...@ja...> - 2006-05-26 11:58:09

> do you have enforce_state enabled under the stream4 section of your
> snort_inline.conf?

Will,
No, I had a very simplistic stream4 of just 'preprocessor stream4:
disable_evasion_alerts'. So I added enforce_state; this made no difference to a
reload. So I added stream4inline; again, a lock-up on sending a SIGHUP.

The line now reads: 'preprocessor stream4: disable_evasion_alerts,
stream4inline, enforce_state'.

Any thoughts? By the way it is version 2.3.3.
regards,
Brian.
From: <tut...@pa...> - 2006-05-25 22:25:09

On Thu, May 25, 2006 at 04:56:50PM +0100, Brian Jameson wrote:
> I am trying to update my snort_inline setup more frequently. Is snort_inline
> meant to continue working if it is sent a SIGHUP? From my experience it
> seems to stop passing packets after a reload. What other techniques do
> people use, other than putting a temporary rule into iptables to bypass
> inline, reloading and then removing the temporary rule? Other suggestions
> gratefully received.
>
> regards,
> Brian

I like to add an entry to crontab to reload snort for a few minutes in the
future.
From: Will M. <wil...@gm...> - 2006-05-25 19:32:33

do you have enforce_state enabled under the stream4 section of your
snort_inline.conf?

On 5/25/06, Brian Jameson <te...@ja...> wrote:
> I am trying to update my snort_inline setup more frequently. Is snort_inline
> meant to continue working if it is sent a SIGHUP? From my experience it
> seems to stop passing packets after a reload. What other techniques do
> people use, other than putting a temporary rule into iptables to bypass
> inline, reloading and then removing the temporary rule? Other suggestions
> gratefully received.
>
> regards,
> Brian
From: Brian J. <te...@ja...> - 2006-05-25 17:54:51

I am trying to update my snort_inline setup more frequently. Is snort_inline
meant to continue working if it is sent a SIGHUP? From my experience it seems
to stop passing packets after a reload. What other techniques do people use,
other than putting a temporary rule into iptables to bypass inline, reloading
and then removing the temporary rule? Other suggestions gratefully received.

regards,
Brian
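The bypass, reload, un-bypass procedure Brian describes, written out as an added example; it is not code from the thread or from snort_inline. It assumes Linux ip_queue (2.4/2.6) with its /proc/net/ip_queue status file, snort_inline started with -D and a pid file, and a FORWARD chain whose only job is -j QUEUE; the pid file path, the settle time and the DRY_RUN switch are assumptions. The status file's "Peer PID" field names the userspace process attached to the queue; 0 means nobody is reading, which is exactly the state in which packets sent to -j QUEUE are dropped, so the script keeps the bypass in place until that field shows snort_inline's pid again rather than trusting a fixed sleep.

```shell
#!/bin/sh
# Reload snort_inline rules behind a temporary iptables bypass.
# Added example; not from the snort-inline-users thread or the project.
# DRY_RUN=1 (default) prints privileged commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}
PIDFILE=${PIDFILE:-/var/run/snort_inline_eth0.pid}   # hypothetical path
IPQ_PROC=${IPQ_PROC:-/proc/net/ip_queue}             # ip_queue status file
SETTLE_SECS=${SETTLE_SECS:-10}                       # how long to wait for the reader

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Insert the ACCEPT at position 1 so it wins over the QUEUE rule below it;
# -D with the identical match removes exactly that rule afterwards.
bypass_on()  { run iptables -I FORWARD 1 -j ACCEPT; }
bypass_off() { run iptables -D FORWARD -j ACCEPT; }

# ipq_field NAME [FILE]: one counter from the ip_queue status file, e.g.
# "Peer PID", "Queue length", "Queue dropped". Prints 0 if unreadable.
ipq_field() {
    f=${2:-$IPQ_PROC}
    [ -r "$f" ] || { echo 0; return; }
    awk -F':' -v k="$1" '$1 ~ "^"k" *$" { gsub(/^ +/, "", $2); print $2; exit }' "$f"
}

# queue_has_reader PID [FILE]: true when the queue's peer is that pid.
queue_has_reader() { [ "$(ipq_field 'Peer PID' "$2")" = "$1" ]; }

# reload_snort_inline: bypass -> SIGHUP -> wait until snort_inline is back on the
# queue -> remove bypass. If it never reattaches, the bypass is left ON and 1 is
# returned: an uninspected link is recoverable, a blackholed one is an outage.
reload_snort_inline() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "no pid file: $PIDFILE" >&2; return 1; }
    bypass_on
    run kill -HUP "$pid"
    n=0
    while [ "$n" -lt "$SETTLE_SECS" ]; do
        if queue_has_reader "$pid" || [ "$DRY_RUN" = "1" ]; then
            bypass_off
            return 0
        fi
        sleep 1; n=$((n + 1))
    done
    echo "snort_inline $pid did not reattach to ip_queue; bypass left ON" >&2
    return 1
}

reload_snort_inline || echo "reload aborted, see above" >&2
```

The same function is what tut's cron entry would call; the difference from a bare kill -HUP is that the failure mode Brian saw (process up, nothing passing) ends with the bypass still in place and a non-zero exit you can alert on, instead of a dead link.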
From: Alfredo O. <ao...@tu...> - 2006-05-20 00:23:32

Thanks Michael (and Joel) for your answers. Will figure out some way to solve
it, perhaps with priorities... thanks.

----- Original Message -----
From: Michael Scheidell
To: Alfredo Osorio; sno...@li...
Sent: Thursday, May 18, 2006 9:06 PM
Subject: RE: [Snort-inline-users] Negation on multiple ports

> Port ranges are not supported in the base 'snort' yet, so, not supported in
> snort-inline.
>
> Depending on what and why, you may need to put it into multiple rules.
From: Joel E. <es...@gm...> - 2006-05-19 01:17:23

You can do ranges, but not listings. You can do '80:110', 80 through 110. But
you can't do 80,25,110. You could write three pass rules, however, to ignore
those particular ports.

Joel

On 5/18/06, Michael Scheidell <sch...@se...> wrote:
>
> Port ranges are not supported in the base 'snort' yet, so, not supported in
> snort-inline.
>
> Depending on what and why, you may need to put it into multiple rules.
>
-- 
--Joel
From: Michael S. <sch...@se...> - 2006-05-19 01:06:49

Port ranges are not supported in the base 'snort' yet, so, not supported in
snort-inline.

Depending on what and why, you may need to put it into multiple rules.
From: Alfredo O. <ao...@tu...> - 2006-05-18 22:17:59

My apologies if this is a really basic question, but from what I have read
online there just may not be a way to do this... Here is the question:

Is there any way to negate more than one port in a rule (without using a
range)? Example:

    alert tcp any !80 !25 !110 -> any ..................

or

    alert tcp any ![80,25,110] -> any ..................

I have tried multiple iterations (including the format used by the clamav
preprocessor) without success.

Any ideas? Many thanks... Alfredo
From: <tut...@pa...> - 2006-05-15 07:36:07

Hi,

I've just returned to snort inline after a year or so having it disabled. And
now I recall why I disabled it. When I set the enforce_state keyword on the
stream4 processor, my sessions hang after a few minutes of inactivity. Is there
a better resolution for this than either disabling the state enforcement, or
setting a higher timeout for the stream4 processor?

Thanks
tut.
From: Will M. <wil...@gm...> - 2006-05-09 23:21:31

Are you running a snort_inline box or passive snort? If you are running a
snort_inline box you can use sticky-drop with a track by_src rule for port 25
stuff... Probably a better way to do it, and I'm in no way a master of snort
rule language, just a thought.

Regards,

Will

On 5/9/06, Stephen Beck <be...@ma...> wrote:
> Hello, I'm Stephen Beck, a snort newbie!!!
> [...]
From: Will M. <wil...@gm...> - 2006-05-09 23:16:32

On 5/9/06, ikami <ik...@ya...> wrote:
>
> Hi Will,
> Thanks for the help. Now snort_inline is installed but it is not configured
> correctly yet. I'm still trying to configure it.
> My doubts now are:
> 1) I installed ACID and saw it shows the packet payload. How can I write a
> rule that captures the payload and prints it on ACID?

I'm not sure what you mean... if you are logging and seeing packet payloads
on alerts it will dump the payload for all alerts... You should really use
BASE though..

> 2) I want to simulate attacks against the apache service. For this, first it
> is necessary to know what the payload of a normal request looks like. Does
> somebody know how I can do that? Can it be a rule on SNORT_INLINE?

Use Ethereal or tcpdump or some other sniffer. You could do this with snort
rules but why would you want to?

> 3) I downloaded the rule package from www.snort.org but the rule file that
> most interested me was blank (web-attacks.rules). Do you know where I can
> get rules that look for attacks against the apache service?

shouldn't be blank?!?

> 4) Where can I get tools to do these attacks? (Attacks against the apache
> service)

try metasploit or milw0rm.com

> Thanks a lot for the help!
>
> Íkami
>
> Will Metcalf <wil...@gm...> wrote:
> > [...]
From: Stephen B. <be...@ma...> - 2006-05-09 18:28:28

Hello, I'm Stephen Beck, a snort newbie!!!

I'm using snort-2.4.4 running on Red Hat Enterprise Linux AS4. I'm in a
college network with about 1200 users in the dorms.

I'd like to detect and block any spam bots running inside my network.

I could define a spambot as any host contacting more than a few other hosts
on port 25 in a given length of time.

I've been reading about and playing with sfPortscan but I suspect this is not
where I should start. Can anyone make a suggestion or lead me to a source
where I can learn more?
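Stephen's working definition of a spam bot (one host contacting more than a few other hosts on port 25 in a given length of time), run over connection records as an added example; it is not code from the list or from Snort. The record format is an assumption: one line per connection, "epoch src dst dport", as you would get from a flow exporter or by parsing iptables LOG lines, and the sample records are constructed. Distinct destinations are what get counted, so a legitimate client retrying its one MX is not flagged; the window is a fixed bucket, so a fan-out that straddles a boundary is split in two and the window should be set generously.

```shell
#!/bin/sh
# Spam-bot heuristic: sources that talk to more than LIMIT distinct hosts on
# tcp/25 inside one WINDOW-second bucket. Added example; not from the thread.
# Input records (assumed format): "epoch src dst dport", one per line.

# spambot_candidates LIMIT WINDOW_SECS < records
# prints "src window_start distinct_dst" for every (src, window) over LIMIT.
spambot_candidates() {
    awk -v limit="$1" -v win="$2" '
        NF >= 4 && $4 == 25 {
            w = int($1 / win) * win         # fixed bucket start
            key = $2 SUBSEP w               # (src, bucket)
            if (!((key, $3) in seen)) {     # count each destination once per bucket
                seen[key, $3] = 1
                ndst[key]++
            }
        }
        END {
            for (k in ndst) if (ndst[k] > limit) {
                split(k, p, SUBSEP)
                printf "%s %d %d\n", p[1], p[2], ndst[k]
            }
        }' | sort
}

# Constructed sample: 10.0.7.23 fans out to six MX hosts inside one minute
# (bot-like); 10.0.7.9 sends six messages to a single relay (normal client);
# 10.0.7.50 touches port 25 once; one DNS record must be ignored.
sample_records() {
    cat <<'EOF'
1147190400 10.0.7.23 64.12.138.1 25
1147190402 10.0.7.23 209.85.1.2 25
1147190405 10.0.7.23 65.54.3.3 25
1147190407 10.0.7.23 216.239.4.4 25
1147190409 10.0.7.23 66.94.5.5 25
1147190411 10.0.7.23 204.127.6.6 25
1147190400 10.0.7.9 172.16.1.10 25
1147190401 10.0.7.9 172.16.1.10 25
1147190402 10.0.7.9 172.16.1.10 25
1147190403 10.0.7.9 172.16.1.10 25
1147190404 10.0.7.9 172.16.1.10 25
1147190405 10.0.7.9 172.16.1.10 25
1147190410 10.0.7.50 172.16.1.10 25
1147190412 10.0.7.23 10.0.0.53 53
EOF
}

# More than 4 distinct port-25 peers within a 60 s bucket: flags 10.0.7.23 only.
sample_records | spambot_candidates 4 60
```

On a real feed, exclude the campus mail servers from src before counting and tune LIMIT against a day of normal traffic; the output list is what a sticky-drop or blocklist rule on the inline box would consume.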
From: ikami <ik...@ya...> - 2006-05-09 17:07:45

Hi Will,
Thanks for the help. Now snort_inline is installed but it is not configured
correctly yet. I'm still trying to configure it.
My doubts now are:
1) I installed ACID and saw it shows the packet payload. How can I write a
rule that captures the payload and prints it on ACID?
2) I want to simulate attacks against the apache service. For this, first it
is necessary to know what the payload of a normal request looks like. Does
somebody know how I can do that? Can it be a rule on SNORT_INLINE?
3) I downloaded the rule package from www.snort.org but the rule file that
most interested me was blank (web-attacks.rules). Do you know where I can get
rules that look for attacks against the apache service?
4) Where can I get tools to do these attacks? (Attacks against the apache
service)

Thanks a lot for the help!

Íkami

Will Metcalf <wil...@gm...> wrote:
> you shouldn't have to patch anything, just look at the README.INLINE.
> This functionality is already built into the snort_inline source code.
> The patch you are talking about is for the bns project from the
> violating.us guys. You don't need to apply this patch; you only need
> to download snort-inline-2.4.4-final and see the README.INLINE and the
> snort_inline.conf to see how to use bait-and-switch.
>
> download the source from
>
> http://snort-inline.sourceforge.net/download.html
>
> Regards,
>
> Will
>
> On 5/7/06, ikami wrote:
> >
> > One question: does the Bait and Switch HoneyPot only work with snort
> > 1.9.1? When I tried to install it (on step 3) it asks for the file
> > bns.diff. I write the path of the bns.diff and an ERROR occurs.
> > Copy of the ERROR:
> >
> >   1) Set Up Routing Tables. (**RUN ONCE PER MACHINE**)
> >   2) Configuration
> >   3) Patch Snort (ONLY AFTER OPTION 2)
> >   4) Exit
> >   Your Choice: 3
> >
> >   Path to bns.diff (ie: /root/bns/snort/bns.diff)
> >   /usr/local/ids/bns/snort/bns.diff
> >   patching file src/Makefile.in
> >   Hunk #1 FAILED at 170.
> >   1 out of 1 hunk FAILED -- saving rejects to file src/Makefile.in.rej
> >   patching file src/output-plugins/Makefile.am
> >   Hunk #1 FAILED at 9.
> >   1 out of 1 hunk FAILED -- saving rejects to file src/output-plugins/Makefile.am.rej
> >   patching file src/output-plugins/Makefile.in
> >   Hunk #1 FAILED at 90.
> >   Hunk #2 FAILED at 106.
> >   2 out of 2 hunks FAILED -- saving rejects to file src/output-plugins/Makefile.in.rej
> >   patching file src/output-plugins/spo_alert_bns.c
> >   patching file src/output-plugins/spo_alert_bns.h
> >   patching file src/plugbase.c
> >   Hunk #1 succeeded at 110 with fuzz 2 (offset 7 lines).
> >   Hunk #2 FAILED at 153.
> >   1 out of 2 hunks FAILED -- saving rejects to file src/plugbase.c.rej
> >   done patching...
> >   exit or menu [e/m]:
> >
> > I am asking about the version of snort because there is a directory
> > called 'snort', where the bns.diff is located. In that directory, snort,
> > there is another directory called 'non-production' and inside of it are
> > the following files:
> >   bns-snort-1.9.0.diff
> >   bns-snort.1.9.1.diff
> >   spo_alert_bns.c
> >   spo_alert_bns.h
> >
> > I have snort-2.4.4.
> >
> > Again, sorry for the errors in my English.
> >
> > Thanks
> >
> > Will Metcalf wrote:
> > > download the tarball, look at the doc/README.INLINE in the source
> > > file. It discusses how to use bait-and-switch to accomplish this.
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On 5/6/06, ikami wrote:
> > > >
> > > > Hi guys,
> > > > Sorry for my English, but I'm not good at it. I just know how to
> > > > read in English, and that very badly.
> > > > I have 2 weeks to finish a project and I don't know how to do one
> > > > thing. I have a network with 3 machines: 1) Router with snort and
> > > > iptables, 2) Web server, 3) honeypot.
> > > > My problem is: I want to redirect all the malicious traffic to the
> > > > honeypot instead of the web server. Searching for a solution on
> > > > GOOGLE I found the snort_inline project. My doubt now is: can
> > > > Snort_inline do this redirect? If yes, can anyone explain to me how?
> > > >
> > > > Thanks
From: Nick R. <ni...@ro...> - 2006-05-09 02:22:55
> Tks, will give it a shot. Might update ports for nick also.

snort_inline-2.4.4 does work with FreeBSD 4.X, 5.X, haven't confirmed with 6.X yet, but I would guess that it should be OK as well. Yes, you still need ipfw[2] divert compiled into the kernel for things to run properly.

I was waiting for us to come up with a non RC to update the ports, but feel free to update the ports to snort_inline-2.4.4 if you wish. If not, you can still build and install:

# configure --enable-inline --enable-ipfw
# make
# make install

If I don't see an update it will be one of the first things I do when I get back...I'm out till the end of this month (May).

>
>> -----Original Message-----
>> From: Will Metcalf [mailto:wil...@gm...]
>> Sent: Sunday, May 07, 2006 2:29 PM
>> To: Michael Scheidell
>> Cc: sno...@li...;
>> ni...@ro...; que...@cl...
>> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>>
>>
>> yeah
>>
>> On 5/7/06, Michael Scheidell <sch...@se...> wrote:
>> > > -----Original Message-----
>> > > From: Will Metcalf [mailto:wil...@gm...]
>> > > Sent: Sunday, May 07, 2006 12:01 PM
>> > > To: Michael Scheidell
>> > > Cc: sno...@li...;
>> > > ni...@ro...; que...@cl...
>> > > Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>> > >
>> > >
>> > > We are at snort_inline-2.4.4.... I have not looked at
>> snort-2.6.0 to
>> > > see if the freebsd fixes are in there but they were not as of
>> > > snort-2.4.4.
>> >
>> > What about FREEBSD fixes, does snort_inline-2.4.4 have the FREEBSD
>> > fixes in it?
>> >
>>
>
> Nick Rogness <ni...@ro...>
From: Will M. <wil...@gm...> - 2006-05-08 18:41:38
what did you pass to configure?

On 5/8/06, Craig Mueller <cmu...@al...> wrote:
> Just tried to install 2.4.4 inline on FreeBSD 5.4. The configure fails
> looking for libipq, which is not valid for ipfw, only ipchains.
> Craig Mueller CISSP
> Senior Consultant
> Alebra Technologies
> www.alebra.com
> 612-436-8204
>
>
>
> sno...@li... wrote:
> Send Snort-inline-users mailing list submissions to
> sno...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> or, via email, send a message with subject or body 'help' to
> sno...@li...
>
> You can reach the person managing the list at
> sno...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-inline-users digest..."
>
>
> Today's Topics:
>
> 1. RE: Snort-inline / ipfw and freebsd (Michael Scheidell)
>
> --__--__--
>
> Message: 1
> Subject: RE: [Snort-inline-users] Snort-inline / ipfw and freebsd
> Date: Sun, 7 May 2006 15:12:48 -0400
> From: "Michael Scheidell" <sch...@se...>
> To: "Will Metcalf" <wil...@gm...>
> Cc: <sno...@li...>,
> <ni...@ro...>,
> <que...@cl...>
>
> Tks, will give it a shot. Might update ports for nick also.
>
>
>
> -----Original Message-----
> From: Will Metcalf [mailto:wil...@gm...]
> Sent: Sunday, May 07, 2006 2:29 PM
> To: Michael Scheidell
> Cc: sno...@li...;
> ni...@ro...; que...@cl...
> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>
>
> yeah
>
> On 5/7/06, Michael Scheidell <sch...@se...> wrote:
>
>
> -----Original Message-----
> From: Will Metcalf [mailto:wil...@gm...]
> Sent: Sunday, May 07, 2006 12:01 PM
> To: Michael Scheidell
> Cc: sno...@li...;
> ni...@ro...; que...@cl...
> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>
>
> We are at snort_inline-2.4.4.... I have not looked at
> snort-2.6.0 to
> see if the freebsd fixes are in there but they were not as of
> snort-2.4.4.
>
> What about FREEBSD fixes, does snort_inline-2.4.4 have the FREEBSD
> fixes in it?
>
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>
> End of Snort-inline-users Digest
>
>
> --
> Craig Mueller CISSP
> Senior Consultant
> Alebra Technologies
> www.alebra.com
> 612-436-8204
From: Craig M. <cmu...@al...> - 2006-05-08 14:08:47
Just tried to install 2.4.4 inline on FreeBSD 5.4. The configure fails looking for libipq, which is not valid for ipfw, only ipchains.

Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com
612-436-8204

sno...@li... wrote:
> Send Snort-inline-users mailing list submissions to
> sno...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> or, via email, send a message with subject or body 'help' to
> sno...@li...
>
> You can reach the person managing the list at
> sno...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-inline-users digest..."
>
>
> Today's Topics:
>
> 1. RE: Snort-inline / ipfw and freebsd (Michael Scheidell)
>
> --__--__--
>
> Message: 1
> Subject: RE: [Snort-inline-users] Snort-inline / ipfw and freebsd
> Date: Sun, 7 May 2006 15:12:48 -0400
> From: "Michael Scheidell" <sch...@se...>
> To: "Will Metcalf" <wil...@gm...>
> Cc: <sno...@li...>,
> <ni...@ro...>,
> <que...@cl...>
>
> Tks, will give it a shot. Might update ports for nick also.
>
>
>
>> -----Original Message-----
>> From: Will Metcalf [mailto:wil...@gm...]
>> Sent: Sunday, May 07, 2006 2:29 PM
>> To: Michael Scheidell
>> Cc: sno...@li...;
>> ni...@ro...; que...@cl...
>> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>>
>>
>> yeah
>>
>> On 5/7/06, Michael Scheidell <sch...@se...> wrote:
>>
>>>> -----Original Message-----
>>>> From: Will Metcalf [mailto:wil...@gm...]
>>>> Sent: Sunday, May 07, 2006 12:01 PM
>>>> To: Michael Scheidell
>>>> Cc: sno...@li...;
>>>> ni...@ro...; que...@cl...
>>>> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>>>>
>>>>
>>>> We are at snort_inline-2.4.4.... I have not looked at
>>>>
>> snort-2.6.0 to
>>
>>>> see if the freebsd fixes are in there but they were not as of
>>>> snort-2.4.4.
>>>>
>>> What about FREEBSD fixes, does snort_inline-2.4.4 have the FREEBSD
>>> fixes in it?
>>>
>>>
>>
>>
>>
>
>
>
> --__--__--
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>
> End of Snort-inline-users Digest
>
>

--
Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com
612-436-8204
From: Michael S. <sch...@se...> - 2006-05-07 19:12:55
Tks, will give it a shot. Might update ports for nick also.

> -----Original Message-----
> From: Will Metcalf [mailto:wil...@gm...]
> Sent: Sunday, May 07, 2006 2:29 PM
> To: Michael Scheidell
> Cc: sno...@li...;
> ni...@ro...; que...@cl...
> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>
>
> yeah
>
> On 5/7/06, Michael Scheidell <sch...@se...> wrote:
> > > -----Original Message-----
> > > From: Will Metcalf [mailto:wil...@gm...]
> > > Sent: Sunday, May 07, 2006 12:01 PM
> > > To: Michael Scheidell
> > > Cc: sno...@li...;
> > > ni...@ro...; que...@cl...
> > > Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
> > >
> > >
> > > We are at snort_inline-2.4.4.... I have not looked at
> snort-2.6.0 to
> > > see if the freebsd fixes are in there but they were not as of
> > > snort-2.4.4.
> >
> > What about FREEBSD fixes, does snort_inline-2.4.4 have the FREEBSD
> > fixes in it?
> >
>
>
From: Will M. <wil...@gm...> - 2006-05-07 18:28:54
yeah

On 5/7/06, Michael Scheidell <sch...@se...> wrote:
> > -----Original Message-----
> > From: Will Metcalf [mailto:wil...@gm...]
> > Sent: Sunday, May 07, 2006 12:01 PM
> > To: Michael Scheidell
> > Cc: sno...@li...;
> > ni...@ro...; que...@cl...
> > Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
> >
> >
> > We are at snort_inline-2.4.4.... I have not looked at
> > snort-2.6.0 to see if the freebsd fixes are in there but they
> > were not as of snort-2.4.4.
>
> What about FREEBSD fixes, does snort_inline-2.4.4 have the FREEBSD fixes
> in it?
>
From: Michael S. <sch...@se...> - 2006-05-07 18:11:57
> -----Original Message-----
> From: Will Metcalf [mailto:wil...@gm...]
> Sent: Sunday, May 07, 2006 12:01 PM
> To: Michael Scheidell
> Cc: sno...@li...;
> ni...@ro...; que...@cl...
> Subject: Re: [Snort-inline-users] Snort-inline / ipfw and freebsd
>
>
> We are at snort_inline-2.4.4.... I have not looked at
> snort-2.6.0 to see if the freebsd fixes are in there but they
> were not as of snort-2.4.4.

What about FREEBSD fixes, does snort_inline-2.4.4 have the FREEBSD fixes in it?