From: Ken G. <ken...@ro...> - 2006-01-24 19:50:58

My apologies, I found Sticky-Drop in the README.INLINE file, unfortunately according to the document this will not do what I'm requesting. This says it is for dropping a host for a certain amount of time.

An example scenario of what I would like to see happen in my rule is an intruder's actions match a rule and the rule counts the times this rule has been matched for the intruder's IP address, if it matches X times in Y minutes then another action will be applied. If Y time expires and X times have not been matched in Y time then the rule does nothing.

On Jan 24, 2006, at 2:25 PM, Ken Garland wrote:
> Would you happen to have an example or link of examples for such a rule?
>
> thanks!
>
> On Jan 24, 2006, at 1:45 PM, Will Metcalf wrote:
>
>> yeah you can use sticky drop and the rule language to accomplish this.
>>
>> Regards,
>>
>> Will
>>
>> On 1/24/06, Ken Garland <ken...@ro...> wrote:
>>> Is there a snort rule that will only flag after a certain number of
>>> packets in a given period of time?
>>>
>>> if 55 packets are seen from ip x.x.x.x on this port within 5 minutes
>>> then drop all from ip x.x.x.x
>>>
>>> or something to that effect?
>>>
>>> -------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
>>> for problems? Stop! Download the new AJAX search engine that makes
>>> searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
>>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
>>> _______________________________________________
>>> Snort-inline-users mailing list
>>> Sno...@li...
>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
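The counting behaviour Ken asks for above (X matches from one source IP inside Y minutes, then a different action; nothing if the window expires first), as an added Python model that is not snort_inline or Snort rule code. The 55-in-5-minutes figures come from the thread; the block duration, the source IPs and the packet timings are constructed for the demonstration.

```python
from collections import defaultdict, deque

# Parameters taken from the thread's wording: "55 packets from ip x.x.x.x on
# this port within 5 minutes, then drop all from ip x.x.x.x". The block
# duration is an assumption (the thread does not say how long to drop).
COUNT = 55
WINDOW_SECONDS = 5 * 60
BLOCK_SECONDS = 10 * 60


class SourceThreshold:
    """Per-source sliding-window counter with a follow-up drop action.

    Each base-rule match from a source IP is timestamped; matches older than
    WINDOW_SECONDS are forgotten. When COUNT matches fall inside one window the
    source is dropped for BLOCK_SECONDS. A source that spreads its matches out
    so that no window ever holds COUNT of them triggers nothing, which is the
    "if Y expires and X were not matched, the rule does nothing" case.
    """

    def __init__(self, count=COUNT, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.count = count
        self.window = window
        self.block = block
        self.hits = defaultdict(deque)   # src_ip -> timestamps of recent matches
        self.blocked_until = {}          # src_ip -> time the drop expires

    def verdict(self, src_ip, ts, matched):
        """Return 'drop' or 'pass' for one packet.

        ts is a non-decreasing timestamp in seconds; matched says whether the
        base rule fired on this packet.
        """
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return "drop"            # still inside the block period
            del self.blocked_until[src_ip]
        if not matched:
            return "pass"
        q = self.hits[src_ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()                  # expire matches outside the window
        if len(q) >= self.count:
            q.clear()
            self.blocked_until[src_ip] = ts + self.block
            return "drop"                # threshold crossed: apply the new action
        return "pass"


def simulate():
    """Constructed traffic: one bursty source and one slow source.

    Returns {src_ip: [verdict per packet, in order]}.
    """
    thr = SourceThreshold()
    # Constructed: 10.0.0.5 matches 55 times in 55 s, then two unmatched packets.
    bursty = [(t, True) for t in range(55)] + [(60, False), (700, False)]
    # Constructed: 10.0.0.9 matches 55 times but 10 s apart, so no 300 s window
    # ever contains more than 30 matches and it is never dropped.
    slow = [(t, True) for t in range(0, 550, 10)]
    return {
        "10.0.0.5": [thr.verdict("10.0.0.5", t, m) for t, m in bursty],
        "10.0.0.9": [thr.verdict("10.0.0.9", t, m) for t, m in slow],
    }


if __name__ == "__main__":
    for src, verdicts in simulate().items():
        first = verdicts.index("drop") if "drop" in verdicts else None
        print(src, "first drop at packet index", first)
```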
From: Ken G. <ken...@ro...> - 2006-01-24 19:26:08

Would you happen to have an example or link of examples for such a rule?

thanks!

On Jan 24, 2006, at 1:45 PM, Will Metcalf wrote:
> yeah you can use sticky drop and the rule language to accomplish this.
>
> Regards,
>
> Will
>
> On 1/24/06, Ken Garland <ken...@ro...> wrote:
>> Is there a snort rule that will only flag after a certain number of
>> packets in a given period of time?
>>
>> if 55 packets are seen from ip x.x.x.x on this port within 5 minutes
>> then drop all from ip x.x.x.x
>>
>> or something to that effect?
From: Will M. <wil...@gm...> - 2006-01-24 18:45:44

yeah you can use sticky drop and the rule language to accomplish this.

Regards,

Will

On 1/24/06, Ken Garland <ken...@ro...> wrote:
> Is there a snort rule that will only flag after a certain number of
> packets in a given period of time?
>
> if 55 packets are seen from ip x.x.x.x on this port within 5 minutes
> then drop all from ip x.x.x.x
>
> or something to that effect?
From: Ken G. <ken...@ro...> - 2006-01-24 18:02:02

Is there a snort rule that will only flag after a certain number of packets in a given period of time?

if 55 packets are seen from ip x.x.x.x on this port within 5 minutes then drop all from ip x.x.x.x

or something to that effect?
From: <ni...@el...> - 2006-01-24 06:21:27

Well,

After your comment, I have tried with snort 2.4.3 without snort_inline patch & still I got the same result.... I am attaching my snort_inline.conf file...... So it is not something related to reassembly but I think flushing things after an alert or something like that......

I have changed lines in experimental.rules files with

alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
alert tcp any any -> any any (msg:"Nishit Test"; content:"root";)

and disabled stream4inline option... & still at the time of connection close I got only one alert......

telnet 192.168.1.30
passwd : nishit
Invalid Passwd
passwd: root
Invalid Passwd
passwd: root
Invalid Passwd
Connection to host lost.

In above case as connection to host lost I got only 1 alert

01/24-11:43:51.433025 [**] [1:0:0] Nishit Test0 [**] [Priority: 0] {TCP} 192.168.1.76:1551 -> 192.168.1.30:23

After that I have tried following

telnet 192.168.1.30
passwd : root
Invalid Passwd
passwd: root
Invalid Passwd
passwd: root
Invalid Passwd
Connection to host lost.

and I got following alert

01/24-11:45:00.866990 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} 192.168.1.76:1556 -> 192.168.1.30:23

Now more interesting thing is....

telnet 192.168.1.30
passwd : root
Invalid Passwd
passwd: nishit
Invalid Passwd
passwd: root
Invalid Passwd
Connection to host lost.

and I got following alert

01/24-11:43:51.433025 [**] [1:0:0] Nishit Test0 [**] [Priority: 0] {TCP} 192.168.1.76:1551 -> 192.168.1.30:23

So I think some problem is with flushing........

Regards,
Nishit Shah.

> If you are saying that reassembly doesn't work.....
>
> 01/23-18:41:46.031945 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} y.y.y.y:44040 -> z.z.z.z:23
> 01/23-18:54:47.611362 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
> 01/23-18:54:48.962838 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
> 01/23-18:54:52.022800 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
> 01/23-18:54:58.142742 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
> 01/23-18:55:10.365608 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
>
> Drops on "t" in root tried it in two different environments both
> dropped successfully.
>
> Regards,
>
> Will
> On 1/23/06, Will Metcalf <wil...@gm...> wrote:
>> huh?
>>
>> On 1/23/06, ni...@el... <ni...@el...> wrote:
>> > Hi,
>> >
>> > for testing I have following rules in my experimental.rules file
>> >
>> > alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
>> > drop tcp any any -> any any (msg:"Nishit Test"; content:"root";)
>> >
>> > and I had done telnet on 1 machine through snort_inline(2.4.3) & gave
>> > username as "nishit" (user nishit doesn't exist on telnet server !!!!!)
>> > and after that I tried with username "root" & traffic hadn't blocked.....
>> >
>> > In 2nd try I had done telnet on same machine & gave username as "root" &
>> > my traffic blocked... ????????
>> >
>> > Why ?????
>> >
>> > Regards,
>> > Nishit Shah.
From: Will M. <wil...@gm...> - 2006-01-24 00:59:59

If you are saying that reassembly doesn't work.....

01/23-18:41:46.031945 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} y.y.y.y:44040 -> z.z.z.z:23
01/23-18:54:47.611362 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:54:48.962838 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:54:52.022800 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:54:58.142742 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:55:10.365608 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602

Drops on "t" in root tried it in two different environments both dropped successfully.

Regards,

Will

On 1/23/06, Will Metcalf <wil...@gm...> wrote:
> huh?
>
> On 1/23/06, ni...@el... <ni...@el...> wrote:
> > Hi,
> >
> > for testing I have following rules in my experimental.rules file
> >
> > alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
> > drop tcp any any -> any any (msg:"Nishit Test"; content:"root";)
> >
> > and I had done telnet on 1 machine through snort_inline(2.4.3) & gave
> > username as "nishit" (user nishit doesn't exists on telnet server !!!!!)
> > and after that I tried with username "root" & traffic hadn't blocked.....
> >
> > In 2nd try I had done telnet on same machine & gave username as "root" &
> > my traffic blocked... ????????
> >
> > Why ?????
> >
> > Regards,
> > Nishit Shah.
From: Michael W C. <co...@ca...> - 2006-01-23 23:12:36

<sigh> What I forgot to write was that I'm currently running snort_inline _AND_ snort, exactly like this -

snort_inline -c /etc/snort/snort.conf -Q
snort -c /etc/snort/snort.conf

If I drop the -Q from the snort command line (or the snort_inline command line), database writes work fine. What I have no confidence in and no way to test is if anything is actually being done with the packets in the queue.

Database connectivity is working fine - as long as I don't try to use the QUEUE facility in either snort or snort_inline.

Mike-

On Mon, 23 Jan 2006 16:02:31 -0700, you wrote:

>Sorry coming in late here Mike but did you set up the database info in the
>config file?
>
>-----Original Message-----
>From: sno...@li...
>[mailto:sno...@li...] On Behalf Of Michael
>W Cocke
>Sent: Monday, January 23, 2006 2:52 PM
>To: sno...@li...;
>sno...@li...
>Subject: [Snort-inline-users] output module bug in 2.4.3-RC3
>
>I was absolutely certain that it was something that I did wrong, so I
>went back to the beginning, reinstalled all the requires, compiled
>snort from scratch, turned on every log file I could find, and built a
>rule to log every occurrence of GET on port 80.
>
>I've tried both snort and snort-inline compiled with --enable-inline
>and --with-mysql. Running with this command line snort -Q -c
>/etc/snort/snort.conf -v (replace snort with snort_inline as you
>wish). I get lots of screen activity from the -v, but snort doesn't
>write anything to a mysql database. Neither does snort_inline
>2.4.3-RC3, compiled with the same options.
>
>If anyone has a suggestion or would like me to try something, email
>me.
>
>
>Mike-

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
From: Robert M. <bma...@pb...> - 2006-01-23 23:04:50

Sorry coming in late here Mike but did you set up the database info in the config file?

-----Original Message-----
From: sno...@li... [mailto:sno...@li...] On Behalf Of Michael W Cocke
Sent: Monday, January 23, 2006 2:52 PM
To: sno...@li...; sno...@li...
Subject: [Snort-inline-users] output module bug in 2.4.3-RC3

I was absolutely certain that it was something that I did wrong, so I went back to the beginning, reinstalled all the requires, compiled snort from scratch, turned on every log file I could find, and built a rule to log every occurrence of GET on port 80.

I've tried both snort and snort-inline compiled with --enable-inline and --with-mysql. Running with this command line snort -Q -c /etc/snort/snort.conf -v (replace snort with snort_inline as you wish). I get lots of screen activity from the -v, but snort doesn't write anything to a mysql database. Neither does snort_inline 2.4.3-RC3, compiled with the same options.

If anyone has a suggestion or would like me to try something, email me.

Mike-
From: Michael W C. <co...@ca...> - 2006-01-23 21:51:50

I was absolutely certain that it was something that I did wrong, so I went back to the beginning, reinstalled all the requires, compiled snort from scratch, turned on every log file I could find, and built a rule to log every occurrence of GET on port 80.

I've tried both snort and snort-inline compiled with --enable-inline and --with-mysql. Running with this command line snort -Q -c /etc/snort/snort.conf -v (replace snort with snort_inline as you wish). I get lots of screen activity from the -v, but snort doesn't write anything to a mysql database. Neither does snort_inline 2.4.3-RC3, compiled with the same options.

If anyone has a suggestion or would like me to try something, email me.

Mike-
From: Michael W C. <co...@ca...> - 2006-01-23 17:48:11

Sorry, please disregard.

Mike-

On Mon, 23 Jan 2006 11:29:49 -0500, you wrote:

>I think I've FINALLY figured out what I was doing wrong (thinking I
>was smart enough to do this, for starters), but I need to verify
>something. Can someone tell me how to make a rule log to either a
>text file (preferable) or syslog, and what does a log entry for a
>packet being dropped look like (exactly please).
>
>Thanks!
>
>(If you're curious, it looks like my firewall was hanging onto rules
>that I _THOUGHT_ I had deleted from the config. I manually flushed
>all chains and restarted everything, and it looks like it's working
>now. maybe.)
>
>Mike-
From: Michael W C. <co...@ca...> - 2006-01-23 16:29:45

I think I've FINALLY figured out what I was doing wrong (thinking I was smart enough to do this, for starters), but I need to verify something. Can someone tell me how to make a rule log to either a text file (preferable) or syslog, and what does a log entry for a packet being dropped look like (exactly please).

Thanks!

(If you're curious, it looks like my firewall was hanging onto rules that I _THOUGHT_ I had deleted from the config. I manually flushed all chains and restarted everything, and it looks like it's working now. maybe.)

Mike-
From: Will M. <wil...@gm...> - 2006-01-23 15:27:06

huh?

On 1/23/06, ni...@el... <ni...@el...> wrote:
> Hi,
>
> for testing I have following rules in my experimental.rules file
>
> alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
> drop tcp any any -> any any (msg:"Nishit Test"; content:"root";)
>
> and I had done telnet on 1 machine through snort_inline(2.4.3) & gave
> username as "nishit" (user nishit doesn't exists on telnet server !!!!!)
> and after that I tried with username "root" & traffic hadn't blocked.....
>
> In 2nd try I had done telnet on same machine & gave username as "root" &
> my traffic blocked... ????????
>
> Why ?????
>
> Regards,
> Nishit Shah.
From: <ni...@el...> - 2006-01-23 15:22:08

Hi,

for testing I have following rules in my experimental.rules file

alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
drop tcp any any -> any any (msg:"Nishit Test"; content:"root";)

and I had done telnet on 1 machine through snort_inline(2.4.3) & gave username as "nishit" (user nishit doesn't exist on telnet server !!!!!) and after that I tried with username "root" & traffic hadn't blocked.....

In 2nd try I had done telnet on same machine & gave username as "root" & my traffic blocked... ????????

Why ?????

Regards,
Nishit Shah.
From: Will M. <wil...@gm...> - 2006-01-23 13:48:41

Not only that, what options are you passing to stream4_reassemble:

Regards,

Will

On 1/23/06, Gulfie <gu...@gr...> wrote:
> On Thu, Jan 19, 2006 at 06:18:30PM +0530, ni...@el... wrote:
> > Hi, list
> > following is my machine configuration
> >
> > Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC...
> > Memory:- 1GB
> >
> > The thing is after patching snort 2.3.3 with snort_inline patch... I have
> > 2 different configuration for Stream4
> >
> > 1.) preprocessor stream4: disable_evasion_alerts
> >
> > In this case my CPU is less than 10 % for a set of traffic
> >
> > 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap
> > 134217728, timeout 3600, midstream_drop_alerts
> >
> > In this case my CPU hits 50% at specific intervals don't know interval is
> > random or some specific..... :) with same set of traffic....
>
> Where are you getting the traffic from?
>
> > Is it due to the inline modifications in stream4 ????
> >
> > Regards,
> > Nishit Shah.
>
> -gulfie
From: Michael W C. <co...@ca...> - 2006-01-23 13:24:32

I don't understand it, but unless I run both snort and snort_inline (same command line - $SNORT_BIN -D -Q -l /var/log/snort -c /etc/snort/snort.conf $SNORT_BIN is snort and snort_inline, everything else is identical) I don't get logs and alerts written to the mysql server. I can't tell if either of them is actually dropping anything. I can run them both if I must (although it strikes me as a waste of resources), but I really need to be able to verify that one of them is dropping what I want them to drop.

Snort version is 2.4.3, snort inline is 2.4.3-RC3, Distro is SuSE 9.3, firewall is Shorewall 3.0.4. According to the firewall log, that end of it seems to be set properly.

Can someone smack me with a clue by four?

Mike-
From: Gulfie <gu...@gr...> - 2006-01-23 13:17:52

On Thu, Jan 19, 2006 at 06:18:30PM +0530, ni...@el... wrote:
> Hi, list
> following is my machine configuration
>
> Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC...
> Memory:- 1GB
>
> The thing is after patching snort 2.3.3 with snort_inline patch... I have
> 2 different configuration for Stream4
>
> 1.) preprocessor stream4: disable_evasion_alerts
>
> In this case my CPU is less than 10 % for a set of traffic
>
> 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap
> 134217728, timeout 3600, midstream_drop_alerts
>
> In this case my CPU hits 50% at specific intervals don't know interval is
> random or some specific..... :) with same set of traffic....

Where are you getting the traffic from?

> Is it due to the inline modifications in stream4 ????
>
> Regards,
> Nishit Shah.

-gulfie
From: Will M. <wil...@gm...> - 2006-01-23 13:05:03

It is fairly trivial to splice an attack across multiple packets. Download Nikto and take a look at the IDS evasion techniques or. There is good paper in the sans reading room and a perl script to splice tcp sessions at.

http://www.sans.org/resources/idfaq/sess_splicing.php

Regards,

Will

On 1/23/06, ni...@el... <ni...@el...> wrote:
> Hi,
>
> does Snort ruleset contain signatures that splice across the sessions ?
> I am using default ruleset of Snort 2.3.3
>
> Regards,
> Nishit Shah.
>
> > Of course it is due to your stream4 configuration you are creating an
> > uber packet for every packet that you receive that is part of the
> > corresponding stream. If you want to protect your systems against
> > session splicing attacks in InlineMode() this is the price you pay.
> > If you don't care about session splicing turn it off.
> >
> > Regards,
> >
> > Will
> >
> > On 1/19/06, ni...@el... <ni...@el...> wrote:
> >> Hi, list
> >> following is my machine configuration
> >>
> >> Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb
> >> NIC...
> >> Memory:- 1GB
> >>
> >> The thing is after patching snort 2.3.3 with snort_inline patch... I
> >> have
> >> 2 different configuration for Stream4
> >>
> >> 1.) preprocessor stream4: disable_evasion_alerts
> >>
> >> In this case my CPU is less than 10 % for a set of traffic
> >>
> >> 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap
> >> 134217728, timeout 3600, midstream_drop_alerts
> >>
> >> In this case my CPU hits 50% at specific intervals don't know interval
> >> is
> >> random or some specific..... :) with same set of traffic....
> >>
> >> Is it due to the inline modifications in stream4 ????
> >>
> >> Regards,
> >> Nishit Shah.
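Why the per-packet stream rebuild Will describes is needed, and what it costs, as an added Python model that is not snort_inline code: content split across TCP segments is invisible to per-packet matching and only appears once the stream is reassembled, and re-scanning the rebuilt stream on every packet grows quadratically with segment count. The segments, the ISN and the one-byte-per-keystroke telnet payloads are constructed; the pattern is the `content:"root"` from the thread's test rule.

```python
# Pattern from the thread's test rule: content:"root". The segments below are
# constructed to resemble a telnet login typed one character per segment,
# which matches the thread's observation that the drop lands on the "t".
PATTERN = b"root"
ISN = 1000   # constructed initial sequence number of the client side
TELNET_ROOT_SEGMENTS = [
    (1000, b"r"),
    (1001, b"o"),
    (1002, b"o"),
    (1003, b"t"),
    (1004, b"\r\n"),
]


def match_per_packet(payloads):
    """Inspect each segment payload on its own, with no stream reassembly.
    A pattern split across segments can never match this way."""
    return any(PATTERN in p for p in payloads)


class StreamReassembler:
    """Minimal one-direction TCP reassembly buffer keyed by sequence number.

    Segments may arrive in any order; contiguous() returns the bytes that are
    reachable from the ISN without a gap. Overlaps, retransmissions and the
    memcap/timeout limits of a real preprocessor are out of scope here.
    """

    def __init__(self, isn):
        self.isn = isn
        self.segments = {}   # seq -> payload

    def add(self, seq, payload):
        self.segments[seq] = payload

    def contiguous(self):
        out = bytearray()
        nxt = self.isn
        while nxt in self.segments:
            out += self.segments[nxt]
            nxt += len(self.segments[nxt])
        return bytes(out)


def first_matching_segment(isn, segments):
    """Feed segments in arrival order and re-scan the contiguous stream after
    each one (the per-packet rebuild the thread calls an "uber packet").
    Returns the index of the segment on which PATTERN first becomes visible,
    or None if it never does."""
    r = StreamReassembler(isn)
    for i, (seq, payload) in enumerate(segments):
        r.add(seq, payload)
        if PATTERN in r.contiguous():
            return i
    return None


def inspection_cost(isn, segments):
    """Bytes handed to the matcher over the whole session: per-packet versus
    rebuilt-stream-per-packet. The second number grows quadratically with the
    segment count, which is the CPU cost discussed in the thread."""
    per_packet = sum(len(p) for _, p in segments)
    r = StreamReassembler(isn)
    rebuilt = 0
    for seq, payload in segments:
        r.add(seq, payload)
        rebuilt += len(r.contiguous())
    return per_packet, rebuilt


if __name__ == "__main__":
    payloads = [p for _, p in TELNET_ROOT_SEGMENTS]
    print("per-packet match:", match_per_packet(payloads))
    print("first matching segment:", first_matching_segment(ISN, TELNET_ROOT_SEGMENTS))
    print("bytes inspected (per-packet, rebuilt):", inspection_cost(ISN, TELNET_ROOT_SEGMENTS))
```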
From: Will M. <wil...@gm...> - 2006-01-23 13:01:37

No you're not, snort_inline still drops these attacks you just don't see them alert. All midstream_drop_alerts does for you is turn logging on and off.

Regards,

Will

On 1/22/06, ni...@el... <ni...@el...> wrote:
> But in that case I am also missing attacks in existing connections....
> The thing I am thinking is I can avoid snot/stick type of attacks through
> iptables.....'caz I don't want to miss attacks in existing connections..
>
> Regards,
> Nishit Shah.
>
> > you probably just want to get rid of enforce_state, if you enable
> > midstream_drop_alerts you could be vulnerable to snot/stick attacks.
> >
> > Regards,
> >
> > Will
> >
> > On 1/21/06, ni...@el... <ni...@el...> wrote:
> >> Hi,
> >>
> >> Is there any way to disable Traffic-Drop for existing connections when
> >> snort_inline restarts ????
> >> I think one way is to use stream4inline without
> >> enforce_state option & enabling midstream_drop_alerts
> >> option.... is it advisable ??
> >>
> >> Regards,
> >> Nishit Shah.
From: <ni...@el...> - 2006-01-23 10:55:50

Hi,

does Snort ruleset contain signatures that splice across the sessions ?
I am using default ruleset of Snort 2.3.3

Regards,
Nishit Shah.

> Of course it is due to your stream4 configuration you are creating an
> uber packet for every packet that you receive that is part of the
> corresponding stream. If you want to protect your systems against
> session splicing attacks in InlineMode() this is the price you pay.
> If you don't care about session splicing turn it off.
>
> Regards,
>
> Will
>
> On 1/19/06, ni...@el... <ni...@el...> wrote:
>> Hi, list
>> following is my machine configuration
>>
>> Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb
>> NIC...
>> Memory:- 1GB
>>
>> The thing is after patching snort 2.3.3 with snort_inline patch... I
>> have
>> 2 different configuration for Stream4
>>
>> 1.) preprocessor stream4: disable_evasion_alerts
>>
>> In this case my CPU is less than 10 % for a set of traffic
>>
>> 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap
>> 134217728, timeout 3600, midstream_drop_alerts
>>
>> In this case my CPU hits 50% at specific intervals don't know interval
>> is
>> random or some specific..... :) with same set of traffic....
>>
>> Is it due to the inline modifications in stream4 ????
>>
>> Regards,
>> Nishit Shah.
From: <ni...@el...> - 2006-01-23 05:54:31

But in that case I am also missing attacks in existing connections.... The thing I am thinking is I can avoid snot/stick type of attacks through iptables.....'caz I don't want to miss attacks in existing connections..

Regards,
Nishit Shah.

> you probably just want to get rid of enforce_state, if you enable
> midstream_drop_alerts you could be vulnerable to snot/stick attacks.
>
> Regards,
>
> Will
>
> On 1/21/06, ni...@el... <ni...@el...> wrote:
>> Hi,
>>
>> Is there any way to disable Traffic-Drop for existing connections when
>> snort_inline restarts ????
>> I think one way is to use stream4inline without
>> enforce_state option & enabling midstream_drop_alerts
>> option.... is it advisable ??
>>
>> Regards,
>> Nishit Shah.
From: Will M. <wil...@gm...> - 2006-01-21 15:48:48
|
you probably just want to get rid of enforce_state, if you enable
midstream_drop_alerts you could be vulnerable to snot/stick attacks.

Regards,

Will

On 1/21/06, ni...@el... <ni...@el...> wrote:
> Hi,
>
> Is there any way to disable Traffic-Drop for existing connections when
> snort_inline restarts ????
> I think one way is to use stream4inline without the
> enforce_state option & enabling the midstream_drop_alerts
> option.... is it advisable ??
>
> Regards,
> Nishit Shah.
|
From: <ni...@el...> - 2006-01-21 10:48:44
|
Hi,

Is there any way to disable Traffic-Drop for existing connections when
snort_inline restarts ????
I think one way is to use stream4inline without the
enforce_state option & enabling the midstream_drop_alerts
option.... is it advisable ??

Regards,
Nishit Shah.
|
From: Will M. <wil...@gm...> - 2006-01-19 19:35:22
|
eeeee are you seeing this when you try to add QUEUE target rules?

Regards,

Will

On 1/19/06, Michael W Cocke <co...@ca...> wrote:
> I'm still hacking snort_inline 2.4.3-RC3 and shorewall 3.0.4. Can
> someone tell me what
> "Interface is NULL. Name may not be unique for the host"
> means? Preferably in small words.
>
> By the way, I did manage to prove to my own satisfaction that I'd been
> rooted - wish I'd had snort set up when it happened, I wouldn't be
> rebuilding everything from scratch now! Oh well, at least I caught
> it. Thanks guys!
>
> Mike-
> --
> If you're not confused, you're not trying hard enough.
> --
> Please note - Due to the intense volume of spam, we have installed
> site-wide spam filters at catherders.com. If email from you bounces,
> try non-HTML, non-encoded, non-attachments,
|
From: Michael W C. <co...@ca...> - 2006-01-19 16:55:50
|
I'm still hacking snort_inline 2.4.3-RC3 and shorewall 3.0.4. Can
someone tell me what
"Interface is NULL. Name may not be unique for the host"
means? Preferably in small words.

By the way, I did manage to prove to my own satisfaction that I'd been
rooted - wish I'd had snort set up when it happened, I wouldn't be
rebuilding everything from scratch now! Oh well, at least I caught
it. Thanks guys!

Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed
site-wide spam filters at catherders.com. If email from you bounces,
try non-HTML, non-encoded, non-attachments,
|
From: Will M. <wil...@gm...> - 2006-01-19 13:25:22
|
Of course it is due to your stream4 configuration: you are creating an
uber packet for every packet that you receive that is part of the
corresponding stream. If you want to protect your systems against
session splicing attacks in InlineMode() this is the price you pay.
If you don't care about session splicing turn it off.

Regards,

Will

On 1/19/06, ni...@el... <ni...@el...> wrote:
> Hi, list
> following is my machine configuration
>
> Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC...
> Memory:- 1GB
>
> The thing is after patching snort 2.3.3 with snort_inline patch... I have
> 2 different configurations for Stream4
>
> 1.) preprocessor stream4: disable_evasion_alerts
>
> In this case my CPU is less than 10 % for a set of traffic
>
> 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap
> 134217728, timeout 3600, midstream_drop_alerts
>
> In this case my CPU hits 50% at specific intervals, don't know if the interval is
> random or something specific..... :) with the same set of traffic....
>
> Is it due to the inline modifications in stream4 ????
>
> Regards,
> Nishit Shah.
|
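The exchange above (Will's reply here, and Nishit's follow-up question earlier on the page about signatures that "splice across sessions") turns on two points: a content match run packet-by-packet misses a pattern that an attacker spreads over several small TCP segments, and an inline sensor that must return a verdict per packet has to rebuild and re-inspect the stream seen so far on every arrival, which is where the CPU goes. The Python below is an added example written for this page; it is not Snort code and not from the thread. The HTTP request, the content pattern, the 4-byte segment size and the simplified reassembly (sequence ordering, overlap trimming, stop at a hole; no TCP state tracking) are all constructed assumptions.

```python
# Added example (not from the thread or from Snort): a minimal model of
# session splicing and of per-packet stream reassembly in inline mode.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


# Constructed request and an illustrative content pattern (not a real Snort rule).
REQUEST = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"
PATTERN = b"/etc/passwd"


def splice(data: bytes, chunk: int = 4, base_seq: int = 0) -> List[Segment]:
    """Carve one request into small TCP segments, as a session-splicing
    evasion tool does, so that no single segment carries the whole pattern."""
    return [Segment(base_seq + i, data[i:i + chunk])
            for i in range(0, len(data), chunk)]


def match_per_packet(segments: List[Segment], pattern: bytes = PATTERN) -> bool:
    """Packet-at-a-time inspection: each segment is searched on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments: List[Segment], base_seq: int = 0) -> bytes:
    """Rebuild the client-to-server byte stream from possibly out-of-order
    and overlapping segments. Retransmitted bytes are dropped and the
    rebuild stops at the first hole, since bytes past it cannot be placed."""
    stream = bytearray()
    expected = base_seq
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                        # pure retransmission, nothing new
        if seg.seq > expected:
            break                           # hole in the stream
        stream += seg.payload[expected - seg.seq:]   # trim overlapping prefix
        expected = end
    return bytes(stream)


def match_reassembled(segments: List[Segment], pattern: bytes = PATTERN) -> bool:
    """Stream inspection: search the reassembled payload, not the segments."""
    return pattern in reassemble(segments)


def bytes_inspected_inline(segments: List[Segment]) -> int:
    """Model of the inline cost Will describes: a verdict is needed for every
    packet, so the stream seen so far is rebuilt and handed to the matcher on
    each arrival. Returns the total bytes inspected (quadratic in segments)."""
    total = 0
    for k in range(1, len(segments) + 1):
        total += len(reassemble(segments[:k]))
    return total


if __name__ == "__main__":
    segs = splice(REQUEST)
    print("per-packet match :", match_per_packet(segs))        # False
    print("reassembled match:", match_reassembled(segs))       # True
    print("out-of-order     :", match_reassembled(segs[::-1])) # True
    print("bytes inspected inline:", bytes_inspected_inline(segs),
          "for a", len(REQUEST), "byte request")
```

Run as a script it shows the per-packet matcher missing the pattern, the reassembling matcher catching it even when the segments arrive reversed, and the inspected byte count growing far past the size of the request, which is the trade-off Will points at: drop the reassembly and the CPU goes down, but so does the coverage against spliced sessions.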