From: Snort U. <pea...@ya...> - 2008-09-22 19:09:28

To Any Snort_inline Guru: I am an EXTREMELY BAFFLED snort user. I am using snort 2.8 in inline mode and updating with oinkmaster 2.0.

If I update via oinkmaster WITHOUT specifying {modifysid * "^alert" | "drop"} within the oinkmaster.conf file, the rules get updated and everything works. If I insert some simple drop rules for testing after the oinkmaster update, my "test" drop rules correctly drop and log dropped packets. If I test the updated alerts by restarting in non-inline mode, they work as well.

STRANGELY, if I update via oinkmaster and DO specify {modifysid * "^alert" | "drop"} within the .conf file, oinkmaster "seems" to work (i.e., updates appear to have been made correctly, "alert" rules are all converted to "drop" rules, snort inline starts without errors, snort output lists rules as being correctly read, etc.), however, when I insert some simple drop rules for testing, my "test" drop rules do not work, nor do any of the converted drop rules that had worked prior as alerts. At least the "test" drop rules SHOULD work (but do not), since they work when I update without converting alerts to drops. This would seem impossible, but it IS occurring.

I always restart snort after rules modifications to flush rules from memory and am only using downloaded snort rules (i.e. other than some extremely simple "test" drop rules that DO work when I haven't converted "alert" rules to "drop"). I understand that if I had "alert" rules similar to my test "drop" rules, then my test "drop" rules might not get triggered and logged (i.e., as a consequence of already being dropped by other rules that were prior only "alerts"). However, in that scenario, even though the test "drops" wouldn't show as triggered in the logs, the packets would still get dropped, due to other "drop" rules. This isn't what is happening, since none of my packets are getting dropped once I convert "alerts" to "drops". Again, extremely baffling!

There must be a way to run snort-inline with automatic alert/drop conversions on updates, but I have not been able to do it. Any feedback would be GREATLY APPRECIATED!

Peabody
From: Will M. <wil...@gm...> - 2008-09-04 19:34:28

you don't need to compile iptables, just

    yum -y install iptables iptables-devel

On 9/4/08, Paul Ernesto Gutierrez Cardenas <pgu...@ae...> wrote:
> Hello everybody.
> I have a problem. I've tried many times to install snort_inline in CentOS 5
> but I can't. First of all, I can't compile iptables with make install-devel.
> I've installed all the compilers but nothing (make, gcc, gcc-c++). I don't
> know what I can do.
> What are the steps to install snort_inline?
> I hope any help.
> Thanks.
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Paul E. G. C. <pgu...@ae...> - 2008-09-04 13:57:45

Hello everybody.

I have a problem. I've tried many times to install snort_inline in CentOS 5 but I can't. First of all, I can't compile iptables with make install-devel. I've installed all the compilers but nothing (make, gcc, gcc-c++). I don't know what I can do.

What are the steps to install snort_inline?

I hope any help.

Thanks.
From: vishal_nitr <vis...@re...> - 2008-08-29 06:06:56

Hi ALL,

I am using snort_inline-2.6.1.5 on my fedora 6 PC. I wanted to use snort_inline as an IPS for my system so I was testing snort_inline's capability to detect web attacks. For this I wrote a simple TCP client program which will send HTTP GET requests to my system (I will be running this program on another machine in LAN) and in that GET request I added a URI pattern from web-cgi.rules file which looks like "GET http://10.0.0.1/hsx.cgi HTTP/1.0 \r\nnn". When I executed the program snort_inline neither dropped this packet nor logged it. I tested the same thing with some other web attack patterns but with the same results. Is this an intended behaviour of snort_inline or am I doing something wrong?

Below is my snort_inline.conf for reference.

    var HOME_NET [10.0.0.1/32]
    var HONEYNET any
    var EXTERNAL_NET !$HOME_NET
    var SMTP_SERVERS any
    var TELNET_SERVERS any
    var HTTP_SERVERS 10.0.0.1
    var SQL_SERVERS any
    var DNS_SERVERS any
    var HTTP_PORTS 80
    # Ports you want to look for SHELLCODE on.
    var SHELLCODE_PORTS !80
    # Ports you do oracle attacks on
    var ORACLE_PORTS 1521
    #ports you want to look for SSH on
    var SSH_PORTS 22
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    var RULE_PATH /home/vishal/snort/ips_rules

    preprocessor stickydrop: max_entries 50, log
    preprocessor stickydrop-timeouts: sfportscan 60
    preprocessor stickydrop-ignorehosts: 10.0.0.1/32
    preprocessor flow: stats_interval 0 hash 2
    preprocessor stream4: disable_evasion_alerts, stream4inline, \
    # enforce_state drop, \
    # midstream_drop_alerts, \
    # state_file /var/log/ips/state_file.log, \
        state_file /var/log/state_file.log, detect_scans, memcap 100000000, timeout 3600, \
        truncate, window_size 3000, detect_state_problems, \
        self_preservation_threshold 100, self_preservation_period 30, \
        state_protection enable, suspend_threshold 200, suspend_period 60, \
        enable_udp_sessions, max_udp_sessions 9000
    preprocessor stream4_reassemble: both, ports "default", favor_new
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode: 21 23 25 119
    preprocessor ftp_telnet: global encrypted_traffic yes inspection_type stateful check_encrypted
    preprocessor ftp_telnet_protocol: telnet ports { 23 } normalize ayt_attack_thresh 10 detect_anomalies
    preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100 alt_max_param_len 200 { CWD } cmd_validity MODE < char ASBCZ > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } telnet_cmds yes data_chan
    preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256 bounce yes telnet_cmds yes
    preprocessor smtp: ports { 25 } inspection_type stateful normalize cmds normalize_cmds { EXPN VRFY RCPT } alt_max_command_line_len 260 { MAIL } alt_max_command_line_len 300 { RCPT } alt_max_command_line_len 500 { HELP HELO ETRN } alt_max_command_line_len 255 { EXPN VRFY }
    preprocessor sfportscan: proto { all } memcap { 10000000 } scan_type { all } sense_level { medium } logfile { sfport_scan.log }
    preprocessor dcerpc: autodetect max_frag_size 3000 memcap 100000
    preprocessor dns: ports { 53 } enable_rdata_overflow

    output alert_fast: snort_inline-fast

    include $RULE_PATH/classification.config
    include $RULE_PATH/reference.config

    ### The Drop Rules
    # Enabled
    # include $RULE_PATH/test.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/dns.rules
    include $RULE_PATH/tftp.rules
    include $RULE_PATH/web-cgi.rules
    include $RULE_PATH/web-coldfusion.rules
    include $RULE_PATH/web-iis.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop3.rules
    include $RULE_PATH/pop2.rules
    include $RULE_PATH/web-attacks.rules
    include $RULE_PATH/virus.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    include $RULE_PATH/backdoor.rules
    include $RULE_PATH/shellcode.rules
    include $RULE_PATH/policy.rules
    include $RULE_PATH/porn.rules
    include $RULE_PATH/info.rules
    include $RULE_PATH/icmp-info.rules
    include $RULE_PATH/chat.rules
    include $RULE_PATH/multimedia.rules
    include $RULE_PATH/p2p.rules
    include $RULE_PATH/spyware-put.rules
    include $RULE_PATH/voip.rules

    ### Bleeding Rules
    # include $RULE_PATH/bleeding-all.rules
    include $RULE_PATH/bleeding.rules
    include $RULE_PATH/bleeding-attack_response.rules
    include $RULE_PATH/bleeding-botcc.rules
    include $RULE_PATH/bleeding-dos.rules
    include $RULE_PATH/bleeding-dshield.rules
    include $RULE_PATH/bleeding-exploit.rules
    include $RULE_PATH/bleeding-game.rules
    include $RULE_PATH/bleeding-inappropriate.rules
    include $RULE_PATH/bleeding-malware.rules
    include $RULE_PATH/bleeding-p2p.rules
    include $RULE_PATH/bleeding-policy.rules
    include $RULE_PATH/bleeding-scan.rules
    include $RULE_PATH/bleeding-virus.rules
    include $RULE_PATH/bleeding-voip.rules
    include $RULE_PATH/bleeding-web.rules
    include $RULE_PATH/bleeding-custom.rules
    include $RULE_PATH/bleeding-rbn.rules
    include $RULE_PATH/bleeding-web_sql_injection.rules

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Victor J. <li...@in...> - 2008-08-18 08:17:00

NevilleDNZ/Snort wrote:
> The question:
> * How do I get snort-inline listening to a specific NFQUEUE --queue-num?
> * I googled a bit, maybe there is a document that can give me a hint?

In the current SVN code (based on Snort 2.8.2.1) you can use the -Q option: -Q77

Older Snort_inline versions used the 'H' option for this.

Hope this helps,
Victor

> Thanks
> NevilleDNZ
From: NevilleDNZ/Snort <Nev...@sg...> - 2008-08-18 05:43:03

Greetings,

I am currently coming to terms with snort-inline with NFQUEUE. Ran Fedora9's configure and make "snort" with --enable-inline and --enable-nfnetlink (etc); seems to work fine (save for a problem with doc/Makefile.in being missing).

The added firewall rule (for testing):

    iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
    iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
    iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77

With "modprobe ip_queue; modprobe nfnetlink_queue" and "snort-inline -dv -Q" works perfect.

    # iptable-save | grep queue
    [10:1967] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
    [14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
    [48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99

Then I browse http://localhost and get:

    # iptable-save | grep queue
    [21:3994] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
    [14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
    [48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99

It appears the --queue-num 77 is being used.

The question:
* How do I get snort-inline listening to a specific NFQUEUE --queue-num?
* I googled a bit, maybe there is a document that can give me a hint?

Thanks
NevilleDNZ
From: Will M. <wil...@gm...> - 2008-08-12 14:18:49

They are TCP flags...

Regards,

Will

On 12 Aug 2008 13:45:20 -0000, vishal_nitr <vis...@re...> wrote:
> Hi All,
> Can anybody help me understand how to analyze the stickyd.log file.
>
> Actually I want to understand what these '*' mean in the log file and
> what those letters like 'S', 'A', 'R' etc. are
> in the log
> " Dropped 08/08-06:59:31.916533 TCP 192.30.11.127:21928->10.0.0.1:139 *****R** "
>
> Thank You.
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.
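As an added example (not from the list or from Snort itself): a small Python parser for stickyd.log lines of the shape quoted above. Snort prints the flag field in the fixed order "12UAPRSF" (two reserved bits, then URG, ACK, PSH, RST, SYN, FIN, with '*' for a clear bit), so "*****R**" decodes to a bare RST. The sample lines other than the one quoted above are constructed for the demo.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Snort's eight-character TCP flag field, position by position: the two
# reserved bits, then URG, ACK, PSH, RST, SYN, FIN.  '*' means the bit is clear,
# so "*****R**" is a bare RST and "***A**S*" is a SYN/ACK.
FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

# Layout of the stickyd.log line quoted on the list.  The flag field is optional
# so that non-TCP entries without one still parse; the space before it may be missing.
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+"
    r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s*(?P<flags>[12UAPRSF*]{8})?\s*$"
)


@dataclass
class DropRecord:
    action: str
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: List[str]


def decode_flags(field: str) -> List[str]:
    """Map an 8-char Snort flag field to flag names, rejecting anything malformed."""
    if len(field) != 8:
        raise ValueError(f"flag field must be 8 characters, got {field!r}")
    names = []
    for pos, ch in enumerate(field):
        if ch == "*":
            continue
        if ch != FLAG_ORDER[pos]:
            raise ValueError(f"unexpected {ch!r} at position {pos} in {field!r}")
        names.append(FLAG_NAMES[ch])
    return names


def parse_line(line: str) -> Optional[DropRecord]:
    """Parse one stickyd.log line; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    flags = decode_flags(m["flags"]) if m["flags"] else []
    return DropRecord(m["action"], m["ts"], m["proto"], m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), flags)


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count parsed drops by source host and by flag combination (e.g. 'RST', 'ACK+PSH')."""
    by_src: Counter = Counter()
    by_flags: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[rec.src] += 1
        by_flags["+".join(rec.flags) or "none"] += 1
    return {"by_src": by_src, "by_flags": by_flags}


# The first line is the one quoted on the list; the rest are constructed for the demo.
SAMPLE_LINES = [
    "Dropped 08/08-06:59:31.916533 TCP 192.30.11.127:21928->10.0.0.1:139 *****R**",
    "Dropped 08/08-06:59:32.104410 TCP 192.30.11.127:21929->10.0.0.1:445 ******S*",
    "Dropped 08/08-06:59:32.388012 TCP 192.30.11.127:21930->10.0.0.1:80 ***AP***",
    "Dropped 08/08-07:00:03.000911 UDP 192.30.11.127:51234->10.0.0.1:53",
    "this line is not a drop record",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(summarize(SAMPLE_LINES))
```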
From: vishal_nitr <vis...@re...> - 2008-08-12 13:45:04

Hi All,

Can anybody help me understand how to analyze the stickyd.log file.

Actually I want to understand what these '*' mean in the log file and what those letters like 'S', 'A', 'R' etc. are in the log:

    Dropped 08/08-06:59:31.916533 TCP 192.30.11.127:21928->10.0.0.1:139 *****R**

Thank You.

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Dave R. <dav...@gm...> - 2008-08-07 23:43:59

On Thu, Aug 7, 2008 at 4:30 PM, Victor Julien <li...@in...> wrote:
> It indeed appears that the reassembled payload is not treated
> differently. So the reassembled buffer is 'replaced' but that doesn't
> make much sense as it won't leave the box. Also keep in mind that in
> normal operation stream4 will reassemble ack'd data, so we can't beat
> that to the destination. In our sliding window stream4inline mode you
> could maybe try to achieve that, it would still require significant
> changes I think. You would want to try to modify the original packets
> payload based on the reassembled payload. But I don't think stream4
> provides an easy way to do that.

Yah, if you're seeing your match data in the reassembled packet, the horse has already left the barn, and is long gone. For grins and giggles, though, given the frailties of most TCP stacks, one could try crafting a packet with exactly the replacement data (and correct sequence and ack numbers for the match/replacement) and send that along. Probably work on some machines.

> Hope this helps,
> Victor
>
> Will Metcalf wrote:
> > Victor would be better able to answer that question... he did most of
> > the heavy lifting inside of stream4inline. Last time I looked at the
> > code though I don't remember being a way to differentiate between a
> > regular packet and a reassembled packet after it left stream4 but I
> > could be wrong.
> >
> > Regards,
> >
> > Will
> >
> > On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> >> Will,
> >>
> >> Thanks for the reply.
> >>
> >> The code doesn't seem to differentiate based on whether the analyzed packet is
> >> a pseudo packet or not.
> >>
> >> detection-plugins/sp_pattern_match.c
> >>
> >> CheckANDPatternMatch(...)
> >> <snip>
> >>     if (InlineMode() && found && idx->replace_buf)
> >>     {
> >>         //fix the packet buffer to have the new string
> >>         detect_depth = (char *)doe_ptr - idx->pattern_size - dp;
> >>
> >>         ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
> >>         if (ret == 0)
> >>             return 0;
> >>     }
> >> <snip>
> >>
> >> Even inside PayloadReplace the differentiation was not present.
> >>
> >> Is that not handled now?
> >>
> >> Thanks
> >>
> >> On Thu, Aug 7, 2008 at 5:03 PM, Will Metcalf <wil...@gm...> wrote:
> >>> Yeah It can only work on a packet-by-packet basis.
> >>>
> >>> Regards,
> >>>
> >>> Will
> >>>
> >>> On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> >>>> Greetings.
> >>>>
> >>>> I have a question/concern regarding the "replace:" rule option -
> >>>>
> >>>> Example rule from the manual --
> >>>>
> >>>> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
> >>>>
> >>>> Although not specified in the manual it seems the functionality is
> >>>> meant to be used on a packet by packet basis and not on a stream (TCP
> >>>> stream).
> >>>> For example:
> >>>> For the above rule consider that the "GET" is spread across 3 segments
> >>>> each one byte long and all of them arrive in order.
> >>>> The first 2 bytes ('G' and 'E') will be forwarded to the destination
> >>>> before the rule is triggered; and at that point replacing "GET"
> >>>> with "BET" is not possible without the IPS retransmitting the previous
> >>>> 2 bytes and hope that the destination OS favors newer data.
> >>>>
> >>>> Thoughts?

--
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right."
David Palmer (pa...@ty...)
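To make the thread's argument concrete, here is an added Python model (not Snort code, and not from any poster) of a packet-by-packet replace: each segment is inspected and forwarded before the next arrives, so "GET" split over three one-byte segments is never seen whole by the per-packet match, and by the time a reassembled stream would contain it two of its bytes have already left the box. The Segment type, in-order arrival and the sample requests are assumptions of the model; the same-length check mirrors Snort's rule that replace: must be the same length as content:.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    """One TCP segment as it arrives at the inline box (constructed model, not Snort's Packet)."""
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


@dataclass
class ReplaceOutcome:
    forwarded: bytes                 # the byte stream the receiver ends up with
    match_segment: Optional[int]     # index of the segment that completed the match, or None
    bytes_already_forwarded: int     # bytes of the match that had left the box before it completed
    replaced: bool                   # True only if the whole pattern sat inside one segment


def check_rule(content: bytes, replacement: bytes) -> None:
    # Mirrors the Snort manual: replace: must be the same length as content:,
    # because the segment length and sequence numbers cannot change in flight.
    if len(content) != len(replacement):
        raise ValueError("replace string must be the same length as the content string")


def inline_replace(segments: List[Segment], content: bytes, replacement: bytes) -> ReplaceOutcome:
    """Model of a packet-by-packet replace.

    Each segment is inspected and forwarded before the next one arrives (in-order
    arrival, as in the thread's example).  The reassembled stream is tracked only to
    show when the pattern becomes visible and how much of it has already gone out.
    """
    check_rule(content, replacement)
    forwarded = b""
    stream = b""                 # what a reassembler has seen so far
    match_segment: Optional[int] = None
    gone = 0
    replaced = False
    for i, seg in enumerate(sorted(segments, key=lambda s: s.seq)):
        before = len(stream)
        stream += seg.payload
        payload = seg.payload
        if match_segment is None:
            start = stream.find(content)
            if start != -1:
                match_segment = i
                # Bytes of the match that lie in earlier, already forwarded segments.
                gone = max(0, before - start)
                if gone == 0:
                    # The whole pattern is inside this segment: the per-packet
                    # content match fires and the payload can be rewritten in place.
                    off = start - before
                    payload = payload[:off] + replacement + payload[off + len(content):]
                    replaced = True
        forwarded += payload
    return ReplaceOutcome(forwarded, match_segment, gone, replaced)


RULE_CONTENT = b"GET"
RULE_REPLACE = b"BET"

# Constructed traffic: the same request delivered whole, and split one byte per segment.
WHOLE_REQUEST = [Segment(0, b"GET /index.html HTTP/1.0\r\n\r\n")]
SPLIT_REQUEST = [
    Segment(0, b"G"),
    Segment(1, b"E"),
    Segment(2, b"T"),
    Segment(3, b" /index.html HTTP/1.0\r\n\r\n"),
]


def demo() -> dict:
    return {
        "whole": inline_replace(WHOLE_REQUEST, RULE_CONTENT, RULE_REPLACE),
        "split": inline_replace(SPLIT_REQUEST, RULE_CONTENT, RULE_REPLACE),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: replaced={out.replaced} match_segment={out.match_segment} "
              f"already_forwarded={out.bytes_already_forwarded} -> {out.forwarded[:3]!r}")
```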
From: Victor J. <li...@in...> - 2008-08-07 22:31:07

It indeed appears that the reassembled payload is not treated differently. So the reassembled buffer is 'replaced' but that doesn't make much sense as it won't leave the box. Also keep in mind that in normal operation stream4 will reassemble ack'd data, so we can't beat that to the destination. In our sliding window stream4inline mode you could maybe try to achieve that, it would still require significant changes I think. You would want to try to modify the original packets payload based on the reassembled payload. But I don't think stream4 provides an easy way to do that.

Hope this helps,
Victor

Will Metcalf wrote:
> Victor would be better able to answer that question... he did most of
> the heavy lifting inside of stream4inline. Last time I looked at the
> code though I don't remember being a way to differentiate between a
> regular packet and a reassembled packet after it left stream4 but I
> could be wrong.
>
> Regards,
>
> Will
>
> On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
>> Will,
>>
>> Thanks for the reply.
>>
>> The code doesn't seem to differentiate based on whether the analyzed packet is
>> a pseudo packet or not.
>>
>> detection-plugins/sp_pattern_match.c
>>
>> CheckANDPatternMatch(...)
>> <snip>
>>     if (InlineMode() && found && idx->replace_buf)
>>     {
>>         //fix the packet buffer to have the new string
>>         detect_depth = (char *)doe_ptr - idx->pattern_size - dp;
>>
>>         ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
>>         if (ret == 0)
>>             return 0;
>>     }
>> <snip>
>>
>> Even inside PayloadReplace the differentiation was not present.
>>
>> Is that not handled now?
>>
>> Thanks
>>
>> On Thu, Aug 7, 2008 at 5:03 PM, Will Metcalf <wil...@gm...> wrote:
>>> Yeah It can only work on a packet-by-packet basis.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
>>>> Greetings.
>>>>
>>>> I have a question/concern regarding the "replace:" rule option -
>>>>
>>>> Example rule from the manual --
>>>>
>>>> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
>>>>
>>>> Although not specified in the manual it seems the functionality is
>>>> meant to be used on a packet by packet basis and not on a stream (TCP
>>>> stream).
>>>> For example:
>>>> For the above rule consider that the "GET" is spread across 3 segments
>>>> each one byte long and all of them arrive in order.
>>>> The first 2 bytes ('G' and 'E') will be forwarded to the destination
>>>> before the rule is triggered; and at that point replacing "GET"
>>>> with "BET" is not possible without the IPS retransmitting the previous
>>>> 2 bytes and hope that the destination OS favors newer data.
>>>>
>>>> Thoughts?
From: Will M. <wil...@gm...> - 2008-08-07 22:08:46

Victor would be better able to answer that question... he did most of the heavy lifting inside of stream4inline. Last time I looked at the code though I don't remember being a way to differentiate between a regular packet and a reassembled packet after it left stream4 but I could be wrong.

Regards,

Will

On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> Will,
>
> Thanks for the reply.
>
> The code doesn't seem to differentiate based on whether the analyzed packet is
> a pseudo packet or not.
>
> detection-plugins/sp_pattern_match.c
>
> CheckANDPatternMatch(...)
> <snip>
>     if (InlineMode() && found && idx->replace_buf)
>     {
>         //fix the packet buffer to have the new string
>         detect_depth = (char *)doe_ptr - idx->pattern_size - dp;
>
>         ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
>         if (ret == 0)
>             return 0;
>     }
> <snip>
>
> Even inside PayloadReplace the differentiation was not present.
>
> Is that not handled now?
>
> Thanks
>
> On Thu, Aug 7, 2008 at 5:03 PM, Will Metcalf <wil...@gm...> wrote:
> > Yeah It can only work on a packet-by-packet basis.
> >
> > Regards,
> >
> > Will
> >
> > On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> >> Greetings.
> >>
> >> I have a question/concern regarding the "replace:" rule option -
> >>
> >> Example rule from the manual --
> >>
> >> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
> >>
> >> Although not specified in the manual it seems the functionality is
> >> meant to be used on a packet by packet basis and not on a stream (TCP
> >> stream).
> >> For example:
> >> For the above rule consider that the "GET" is spread across 3 segments
> >> each one byte long and all of them arrive in order.
> >> The first 2 bytes ('G' and 'E') will be forwarded to the destination
> >> before the rule is triggered; and at that point replacing "GET"
> >> with "BET" is not possible without the IPS retransmitting the previous
> >> 2 bytes and hope that the destination OS favors newer data.
> >>
> >> Thoughts?
From: Adayadil T. <ada...@gm...> - 2008-08-07 21:25:28

Will,

Thanks for the reply.

The code doesn't seem to differentiate based on whether the analyzed packet is a pseudo packet or not.

detection-plugins/sp_pattern_match.c

    CheckANDPatternMatch(...)
    <snip>
        if (InlineMode() && found && idx->replace_buf)
        {
            //fix the packet buffer to have the new string
            detect_depth = (char *)doe_ptr - idx->pattern_size - dp;

            ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
            if (ret == 0)
                return 0;
        }
    <snip>

Even inside PayloadReplace the differentiation was not present.

Is that not handled now?

Thanks

On Thu, Aug 7, 2008 at 5:03 PM, Will Metcalf <wil...@gm...> wrote:
> Yeah It can only work on a packet-by-packet basis.
>
> Regards,
>
> Will
>
> On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
>> Greetings.
>>
>> I have a question/concern regarding the "replace:" rule option -
>>
>> Example rule from the manual --
>>
>> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
>>
>> Although not specified in the manual it seems the functionality is
>> meant to be used on a packet by packet basis and not on a stream (TCP
>> stream).
>> For example:
>> For the above rule consider that the "GET" is spread across 3 segments
>> each one byte long and all of them arrive in order.
>> The first 2 bytes ('G' and 'E') will be forwarded to the destination
>> before the rule is triggered; and at that point replacing "GET"
>> with "BET" is not possible without the IPS retransmitting the previous
>> 2 bytes and hope that the destination OS favors newer data.
>>
>> Thoughts?
From: Will M. <wil...@gm...> - 2008-08-07 21:03:25

Yeah It can only work on a packet-by-packet basis.

Regards,

Will

On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> I have a question/concern regarding the "replace:" rule option -
>
> Example rule from the manual --
>
> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
>
> Although not specified in the manual it seems the functionality is
> meant to be used on a packet by packet basis and not on a stream (TCP
> stream).
> For example:
> For the above rule consider that the "GET" is spread across 3 segments
> each one byte long and all of them arrive in order.
> The first 2 bytes ('G' and 'E') will be forwarded to the destination
> before the rule is triggered; and at that point replacing "GET"
> with "BET" is not possible without the IPS retransmitting the previous
> 2 bytes and hope that the destination OS favors newer data.
>
> Thoughts?
From: Adayadil T. <ada...@gm...> - 2008-08-07 20:14:43

Greetings.

I have a question/concern regarding the "replace:" rule option -

Example rule from the manual --

    alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

Although not specified in the manual it seems the functionality is meant to be used on a packet by packet basis and not on a stream (TCP stream).

For example: For the above rule consider that the "GET" is spread across 3 segments each one byte long and all of them arrive in order. The first 2 bytes ('G' and 'E') will be forwarded to the destination before the rule is triggered; and at that point replacing "GET" with "BET" is not possible without the IPS retransmitting the previous 2 bytes and hope that the destination OS favors newer data.

Thoughts?
From: vishal_nitr <vis...@re...> - 2008-08-06 13:39:18

Hi All,

I am using snort-inline-2.6.1.5 and it is not detecting any of the web attacks mentioned in the rules file. It is very important to me that snort detects web attacks. Any help welcomed. Please help.

vishal
From: william m. <wil...@gm...> - 2008-08-05 15:37:50

That isn't enough information, please send us the output of a back trace using gdb.

Regards,

Will

    ulimit -c unlimited
    #start snort as you normally would
    /usr/local/bin/snort_inline -normal startup options
    #run core file through gdb
    gdb /usr/local/bin/snort_inline core.pid
    bt full
    #send back the output

On Tue, 2008-08-05 at 14:16 +0000, vishal_nitr wrote:
> Hi All,
> I am getting a segmentation fault when stickydrop option is enabled
> snort_inline.conf after every 338 packet drops.
> I am using snort-inline-2.6.1.5 and this is my stickydrop
> configuration
>
>     preprocessor stickydrop: max_entries 1000, log
>     preprocessor stickydrop-timeouts: sfportscan 60
>     preprocessor stickydrop-ignorehosts: 10.0.0.1/32
>
> Please help.
>
> TIA.
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.
From: vishal_nitr <vis...@re...> - 2008-08-05 14:15:56

Hi All,

I am getting a segmentation fault when the stickydrop option is enabled in snort_inline.conf, after every 338 packet drops. I am using snort-inline-2.6.1.5 and this is my stickydrop configuration:

    preprocessor stickydrop: max_entries 1000, log
    preprocessor stickydrop-timeouts: sfportscan 60
    preprocessor stickydrop-ignorehosts: 10.0.0.1/32

Please help.

TIA.

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: xyon <xy...@in...> - 2008-08-04 17:50:47

Dropping an SMTP connection in midstream really isn't a good idea. I would suggest configuring your MTA to reject the message with some sort of notification (i.e., "SPAM dropped"). Spamassassin is another solution.

On Monday 04 August 2008 13:24:44 ismain wrote:
> Hello
>
> can you please tell me what I do wrong.
> I hereby would like to block email messages because of the content in Subject.
>
> drop tcp $EXTERNAL_NET any -> SMTP_SERVERS 25 (msg:"WORD GO ";flow:to_server,established;content:"Subject|3A|";nocase;pcre:"/GO/i";sind1001004;rev:1;)
>
> thanks

--
xyon
From: ismain <ism...@ya...> - 2008-08-04 17:24:54

Hello,

can you please tell me what I do wrong. I hereby would like to block email messages because of the content in Subject.

    drop tcp $EXTERNAL_NET any -> SMTP_SERVERS 25 (msg:"WORD GO ";flow:to_server,established;content:"Subject|3A|";nocase;pcre:"/GO/i";sind1001004;rev:1;)

thanks
From: Dave R. <dav...@gm...> - 2008-08-01 15:52:42

---------- Forwarded message ----------
From: Dave Remien <dav...@gm...>
Date: Fri, Aug 1, 2008 at 9:51 AM
Subject: Re: [Snort-inline-users] Emergency mode & Suspend mode
To: vishal_nitr <vis...@re...>

On Fri, Aug 1, 2008 at 4:26 AM, vishal_nitr <vis...@re...> wrote:
> Hi All,
> I am using snort-inline-2.6.1.5. Whenever I am sending some attacks
> (e.g web, netbios, oracle etc) to my snort machine it is not detecting them
> at all and giving some message as "shifting to Emergency mode" and after
> some time "shifting to suspend mode" .

Snort has protection against single packet TCP attacks (i.e., stick, snot, etc.). Later versions of snort (including the one you're running) are designed to ignore these attacks, since if it didn't, the attacks could bring snort to its knees (with alerts).

> Can somebody explain to me what are these modes and why snort is getting
> into these modes ?

The modes are self-protective modes to keep from depleting all TCP stream resources. Your attack is invoking this mode.

> I will appreciate any kind of help.
>
> TIA...
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.

--
"Of course, someone who knows more about this will correct me if I'm wrong, and someone who knows less will correct me if I'm right." David Palmer (pa...@ty...)
From: vishal_nitr <vis...@re...> - 2008-08-01 10:25:43

Hi All,

I am using snort-inline-2.6.1.5. Whenever I am sending some attacks (e.g. web, netbios, oracle etc.) to my snort machine it is not detecting them at all and giving some message as "shifting to Emergency mode" and after some time "shifting to suspend mode". Can somebody explain to me what these modes are and why snort is getting into these modes? I will appreciate any kind of help.

TIA...

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: Will M. <wil...@gm...> - 2008-07-30 16:16:13

So you're telling me that you are getting alerts but not drops for web rules?

Regards,
Will

On 30 Jul 2008 15:14:49 -0000, vishal_nitr <vis...@re...> wrote:
> Hi All,
> I am using Snort_inline-2.6.1.5 and ftester1.0 to test snort IPS.
> Snort is not able block only web related packets.
> Actually ftester will use snort rule files to generate packets means it
> generates packets according to the rules mentioned in rule files.
> When I use any other rule files like bad-traffic.rules or misc.rules
> or exploit.rules to generate packets Snort is detecting and dropping them
> but when I am using web-iis.rules or bleeding-web.rules it is checking those
> packets but not dropping it.
>
> TIA.
>
> Thanks and Regards,
> Vishal Kotalwar,
> Software Engineer,
> Aricent,
> Chennai-35.
> 09884074047.
From: vishal_nitr <vis...@re...> - 2008-07-30 15:14:21

Hi All,

I am using Snort_inline-2.6.1.5 and ftester1.0 to test snort IPS. Snort is not able to block only web-related packets. Actually ftester will use snort rule files to generate packets, meaning it generates packets according to the rules mentioned in the rule files. When I use any other rule files like bad-traffic.rules or misc.rules or exploit.rules to generate packets, Snort is detecting and dropping them, but when I am using web-iis.rules or bleeding-web.rules it is checking those packets but not dropping them.

TIA.

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.
From: ismain <ism...@ya...> - 2008-07-25 16:39:30

Hello, could you please help me. Here is my situation. I have 2 network cards installed on my computer: one is connected to the internet and the other is intended for a local area network. So I have installed snort-inline on my computer under Open Suse 10.3 and connected a laptop in the local network. On the laptop I had installed an Apache server (FTP, SMTP, HTTP). Now, I want to write my FTP, SMTP, POP3, HTTP rules for testing, for example for a user who wants to log in.

Thanks
From: vishal_nitr <vis...@re...> - 2008-07-23 14:10:47

Hi All,

Can we send snort inline logs as SNMP traps? I am using snort_inline-2.6.1.5. If yes, how?

Thanks and Regards,
Vishal Kotalwar,
Software Engineer,
Aricent,
Chennai-35.
09884074047.