From: Rob M. <ro...@ho...> - 2004-04-26 03:04:52
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay list,

I've finally updated snort_inline against snort-2.1.2. As soon as 2.1.3 comes out officially, I'll make an effort to release the next version of snort_inline a bit faster.

Here are the changes:

**********
* 2.1.2 *
**********
2004-04-25 Rob McMillen <ro...@ho...>
* Updated snort_inline to snort version 2.1.2.
* Updated snort_inline.conf
* Used snortconfig to create drop-rules, reject-rules, and replace_or_drop rules.

Here is where you can get it:
http://snort-inline.sourceforge.net/download.html

Enjoy,
Rob

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAjIcc+cDJj70ouN0RAinqAKCFd4lT7daEv317jdpxdh95Ba1DQwCgs5qv
CsTThSqZx/8fd5i9NIHrFJs=
=2S+A
-----END PGP SIGNATURE-----
From: Rob M. <ro...@ho...> - 2004-04-25 23:28:55
> Dear all.
> I am having a problem to see the mac address of ip addresses in the logs I
> just get an error Datalink 0 type 2nd layer display is not supported.
> Has anyone seen this?

When snort_inline gets the packet from iptables, it does not have a link layer. We get the packet at layer 3 (i.e. ip). Therefore, snort_inline starts decoding at the ip layer.

Rob
From: Ben J. <be...@ma...> - 2004-04-25 19:43:15
Dear all.

I am having a problem to see the mac address of ip addresses in the logs I just get an error Datalink 0 type 2nd layer display is not supported.

Has anyone seen this?
From: Rob M. <ro...@ho...> - 2004-04-22 12:34:08
> Hi,
>
> I installed libnet 1.1.2.1 and tried to ./configure snort-inline but it
> fails:
>
> checking "for libnet.h version 1.0.x"...
>
> **********************************************
> ERROR: unable to find libnet 1.0.x (libnet.h)
> checked in the following places
> **********************************************
>
> Do I need the older libnet ???

Yes
From: Nicolas S. <Nic...@bi...> - 2004-04-22 12:04:58
Hi,

I installed libnet 1.1.2.1 and tried to ./configure snort-inline but it fails:

checking "for libnet.h version 1.0.x"...

**********************************************
ERROR: unable to find libnet 1.0.x (libnet.h)
checked in the following places
**********************************************

Do I need the older libnet ???

NIC
From: Nick R. <ni...@ro...> - 2004-04-19 07:57:14
On Sat, 17 Apr 2004, Alex Dupre wrote:

> Richard Bejtlich wrote:
>
> > Would you or anyone
> > else have a suggested set of ipfw rules to work with
> > Snort-inline?
>
> There isn't a suggested set, it depends on your needs. The simplest
> solution is a rule that diverts all ip traffic :-)

Because of the nature of divert in ipfw, it would be dangerous to suggest a global ruleset that works for everyone. However, in the simplest form, you could always send inbound traffic to snort_inline first before any further packet processing is done and inspect outbound traffic last so as to not break NAT rules in between. For example:

At the beginning of your ruleset put:

  ipfw add 100 divert 8000 ip from any to any in via de0

At the end of your ruleset put:

  ipfw add 65000 divert 8000 ip from any to any out via de0

You could also run multiple copies of snort_inline listening on different divert sockets with different rulesets. The reason to do this is to distribute the load across multiple snort processes. This would be a good idea if you have a large diverse snort ruleset. For example, run 1 copy of snort_inline to inspect tcp port 80 traffic, 1 copy of snort_inline for port 21, etc. Then use ipfw divert rules to send the appropriate traffic to the different snort processes. This would also make good sense if you have multiple processors and lots of memory.

As Alex mentioned, discussion has started to work on a better version of the *BSD support with PF. This is somewhat reliant on how quickly we can get PF to support something similar to IPQUEUEs in Linux or divert sockets in FreeBSD. Currently, PF only has support through its packet logging interface which would not be sufficient, IMO.

--
Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: Alex D. <al...@Fr...> - 2004-04-16 22:54:08
Richard Bejtlich wrote:
> Would you or anyone
> else have a suggested set of ipfw rules to work with
> Snort-inline?

There isn't a suggested set, it depends on your needs. The simplest solution is a rule that diverts all ip traffic :-)

> Also -- if not FreeBSD, has anyone tried OpenBSD and
> pf with Snort-inline?

We are working on it.

--
Alex Dupre
From: Richard B. <ric...@ya...> - 2004-04-16 22:47:20
--- Alex Dupre <al...@Fr...> wrote:
> The bridge doesn't support the divert socket and
> will not support it.

Thank you for the quick response. It seems it would be possible to run Snort-inline on a FreeBSD-based NAT or normal routing gateway, then. Would you or anyone else have a suggested set of ipfw rules to work with Snort-inline?

Also -- if not FreeBSD, has anyone tried OpenBSD and pf with Snort-inline?

Sincerely,

Richard
http://www.taosecurity.com
From: Alex D. <al...@Fr...> - 2004-04-16 22:21:35
Richard Bejtlich wrote:
> I saw the earlier threads about using snort_inline on
> FreeBSD. It certainly compiles ok, but I'm wondering
> about divert support in the FreeBSD bridge
> implementation.

The bridge doesn't support the divert socket and will not support it. We are working on a different approach to use snort in inline mode on a bridge, but there isn't an ETA (surely not soon).

--
Alex Dupre
From: Richard B. <ric...@ya...> - 2004-04-16 21:21:18
Hello,

I saw the earlier threads about using snort_inline on FreeBSD. It certainly compiles ok, but I'm wondering about divert support in the FreeBSD bridge implementation. As recently as 18 Feb 04, /usr/src/sys/net/bridge.c in CURRENT had this entry:[0]

  args.divert_rule = 0; /* we do not support divert yet */

A week later, that line is gone and now we have this:[1]

  * XXX at some point, add support for divert/forward actions.

Has anyone gotten snort_inline working in bridge mode? Or is anyone using it on a routing gateway? How did you do either?

Thank you,

Richard
http://www.taosecurity.com

[0] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bridge.c?rev=1.75&content-type=text/x-cvsweb-markup
[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/bridge.c?rev=1.76&content-type=text/x-cvsweb-markup
From: William M. <Wil...@kc...> - 2004-04-16 05:27:55
Rob,

A while ago I asked you how to statically compile snort_inline with mysql support, due to your busy schedule you told me to send you an e-mail if I ever figured out how to make it work. I finally got this to work by changing the linking order of the libraries and re-running the last line of make. The key is that you must have the libz libraries, and these must go after the linking of -lmysqlclient.

The default linking order is

  -lipq -lz -lpcre -lpcap -lm -lnsl -lmysqlclient -lnet

This needs to be changed to something like

  -lipq -lpcre -lpcap -lm -lnsl -lmysqlclient -lz -lnet -static

and then re-running the last line from make from in the src directory. The following produces src/snort_inline:

  /usr/pp/bin/gcc -fstack-protector -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -L/usr/local/lib -lpcre -L/usr/lib -o snort_inline codes.o debug.o decode.o log.o mstring.o parser.o plugbase.o snort.o snprintf.o strlcatu.o strlcpyu.o tag.o ubi_BinTree.o ubi_SplayTree.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o inline.o packet_time.o event_wrapper.o output-plugins/libspo.a detection-plugins/libspd.a preprocessors/libspp.a preprocessors/flow/portscan/libportscan.a preprocessors/flow/libflow.a parser/libparser.a preprocessors/HttpInspect/libhttp_inspect.a sfutil/libsfutil.a -lipq -lpcre -lpcap -lm -lnsl -lmysqlclient -lz -lnet -static

  snort_inline: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.30, statically linked, not stripped

The statically compiled executable can log to mysql and drop packets like a champ......

Regards,

Will
From: Rob M. <ro...@ho...> - 2004-04-04 17:21:35
> Alright, so heres the deal, I did get uricontent matching to work under
> snort_inline-2.1.1, I had to enable stream 4 reassembly for both the
> client and server connections. The http_inspect preprocessor does not do any
> stream reassembly and will not match on any rules if stream 4 is not
> enabled. Here are the changes I had to make in my snort_inline.conf file
>
> preprocessor stream4_reassemble: both
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> Regards,

Excellent! Thanks for working this! Will make this part of the default snort_inline.conf for snort_inline-2.1.2

Rob
From: Brian J. <bja...@ci...> - 2004-04-02 15:52:51
Rob McMillen wrote:-
>
> I would recommend we do our troubleshooting by removing as much
> complexity as possible; therefore, can we verify that snort (NOT
> snort_inline) with the http_inspect preproc will decode and alert on
> uricontent first?
>
> Thanks in advance,
>
> Rob
>
> P.S. my apologies for not doing it myself, but I am trying to meet a
> deadline with another project.

Rob,

I can confirm that snort 2.1.1 and 2.1.2 both alert on uricontent with the http_inspect preprocessor. just had in an alert on sid 1852 -

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)

Preprocessor configuration for the sensor that received the alert above as follows:-

#
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor perfmonitor: pktcnt 1 file /var/log/snort/red.stats time 60
#

regards,
Brian
From: Brian J. <bja...@ci...> - 2004-04-02 14:18:21
Thanks Pieter for the subset of your config file, very useful. For the preprocessors it is identical to the one I use with 2.0.4 except for bo: which I don't use.

The other thing that struck me is that the 'http_decode' and 'conversation' preprocessors are not included in the configuration file that comes with the 2.1 rules. I had assumed that these had been replaced. I wonder if this is the cause of the confusion?

I will have to get a move on and get the rest of the system built and my snort_inline updated. Now I know what to play with / adjust to make it work.

regards,
Brian

Pieter wrote:-
>Ok, here is the test packet sent through
>
>pieter@pc-dt:/tmp$ telnet 192.168.3.20 80
>Trying 192.168.3.20...
>Connected to 192.168.3.20.
>Escape character is '^]'.
>GET %2fnos%20%68ite HTTP/1.0
>
>This session will then be closed because of the REJECT rule action.
>the relevant snort.conf bits are:
>
>....
>preprocessor telnet_decode:
>preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
>iis_flip_slash full_whitespace
>preprocessor conversation: allowed_ip_protocols all, timeout 60,
>max_conversations 32000
>preprocessor rpc_decode: 111 32771
>preprocessor bo: -nobrute
>output log_unified: filename snort.log, limit 128
>...
>reject tcp any any -> any any (msg:"test"; sid:2000000; rev:0;
>classtype:not-suspicious; uricontent: "noshite";)
>...
>
>Pieter
>
>On Fri, 2004-04-02 at 11:59, Brian Jameson wrote:
>> Pieter wrote:-
>>
>> > Yes, the uricontent works and it decodes and drops packets that match
>> > in inline mode.
>> >
>> > Pieter
>> >
>> > On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
>> >> Has anybody been able to confirm or deny that uricontent matching is
>> >> broken in 2.1.1? I would like to know so that if its the
>> >> configuration that I'm running with, I can start to look there. If
>> >> not, I don't mind trying to fumble my way through some c code to try
>> >> to get it to work, if some one could point me in the right
>> >> direction. I tried looking at the diff and the sp_pattern_match.c
>> >> file, is this the correct place to start?
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >
>>
>> Interesting, could the fact that some people say it works and some say it
>> does not be down to configuration. Pieter any chance you could post(failing
>> that send me) part of your config file. This may explain why William Metcalf
>> and others are failing to match. It would certainly speed up my updating of
>> snort_inline.
>>
>> regards,
>> Brian
From: Rob M. <ro...@ho...> - 2004-04-02 14:17:56
> I think that they made this change in the snort 2.1.x series of snort. I
> tried to enable the http_inspect preprocessor just to see if it would
> successfully decode and drop packets, and it appears to be broken. Can
> somebody running snort_inline-2.1.1 try this? you should be able to test
> do something like the following replacing "somewebsite" with a test server
> or your web server. You should always get a "page cannot be displayed"
> rather than a "page could not be found", i.e. these requests should never
> make it to the webserver. The rule numbers in order are 1072 1078 1073,
> all of them come out of the web-misc.rules
>

I would recommend we do our troubleshooting by removing as much complexity as possible; therefore, can we verify that snort (NOT snort_inline) with the http_inspect preproc will decode and alert on uricontent first?

Thanks in advance,

Rob

P.S. my apologies for not doing it myself, but I am trying to meet a deadline with another project.
From: William M. <Wil...@kc...> - 2004-04-02 13:50:42
I think that they made this change in the snort 2.1.x series of snort. I tried to enable the http_inspect preprocessor just to see if it would successfully decode and drop packets, and it appears to be broken. Can somebody running snort_inline-2.1.1 try this? you should be able to test do something like the following replacing "somewebsite" with a test server or your web server. You should always get a "page cannot be displayed" rather than a "page could not be found", i.e. these requests should never make it to the webserver. The rule numbers in order are 1072 1078 1073, all of them come out of the web-misc.rules

http://somewebsite.com/blah.nsf/../
http://somewebsite.com/counter.exe
http://somewebsite.com/scripts/samples/search/webhits.exe
From: Pieter C. <pie...@co...> - 2004-04-02 13:34:47
The version that I tested on was snort-inline_2.0.2 and snort-2.0.2

Pieter

On Fri, 2004-04-02 at 14:15, William Metcalf wrote:
> Which version of snort_inline are you using? I get an error message
> when I try to add the http_decode preprocessor into a config for
> snort_inline-2.1.1, It was my understanding that the http_decode
> preprocessor was replaced by the http_inspect preprocessor.
>
> Regards,
>
> Will
>
> Pieter Claassen <pie...@co...>
> Sent by: sno...@li...
> 04/02/2004 06:48 AM
> To: bja...@ci...
> cc: snort-inline <sno...@li...>
> Subject: RE: [Snort-inline-users] uricontent matching v2
>
> Ok, here is the test packet sent through
>
> pieter@pc-dt:/tmp$ telnet 192.168.3.20 80
> Trying 192.168.3.20...
> Connected to 192.168.3.20.
> Escape character is '^]'.
> GET %2fnos%20%68ite HTTP/1.0
>
> This session will then be closed because of the REJECT rule action.
> the relevant snort.conf bits are:
>
> ....
> preprocessor telnet_decode:
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> iis_flip_slash full_whitespace
> preprocessor conversation: allowed_ip_protocols all, timeout 60,
> max_conversations 32000
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> output log_unified: filename snort.log, limit 128
> ...
> reject tcp any any -> any any (msg:"test"; sid:2000000; rev:0;
> classtype:not-suspicious; uricontent: "noshite";)
> ...
>
> Pieter
>
> On Fri, 2004-04-02 at 11:59, Brian Jameson wrote:
> > Pieter wrote:-
> >
> > > Yes, the uricontent works and it decodes and drops packets that match
> > > in inline mode.
> > >
> > > Pieter
> > >
> > > On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
> > >> Has anybody been able to confirm or deny that uricontent matching is
> > >> broken in 2.1.1? I would like to know so that if its the
> > >> configuration that I'm running with, I can start to look there. If
> > >> not, I don't mind trying to fumble my way through some c code to try
> > >> to get it to work, if some one could point me in the right
> > >> direction. I tried looking at the diff and the sp_pattern_match.c
> > >> file, is this the correct place to start?
> > >>
> > >> Regards,
> > >>
> > >> Will
> > >
> >
> > Interesting, could the fact that some people say it works and some say it
> > does not be down to configuration. Pieter any chance you could post(failing
> > that send me) part of your config file. This may explain why William Metcalf
> > and others are failing to match. It would certainly speed up my updating of
> > snort_inline.
> >
> > regards,
> > Brian
>
> --
> Pieter Claassen <pie...@co...>

--
Pieter Claassen <pie...@co...>
From: Pieter C. <pie...@co...> - 2004-04-02 12:48:41
Ok, here is the test packet sent through

pieter@pc-dt:/tmp$ telnet 192.168.3.20 80
Trying 192.168.3.20...
Connected to 192.168.3.20.
Escape character is '^]'.
GET %2fnos%20%68ite HTTP/1.0

This session will then be closed because of the REJECT rule action. the relevant snort.conf bits are:

....
preprocessor telnet_decode:
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
output log_unified: filename snort.log, limit 128
...
reject tcp any any -> any any (msg:"test"; sid:2000000; rev:0; classtype:not-suspicious; uricontent: "noshite";)
...

Pieter

On Fri, 2004-04-02 at 11:59, Brian Jameson wrote:
> Pieter wrote:-
>
> > Yes, the uricontent works and it decodes and drops packets that match
> > in inline mode.
> >
> > Pieter
> >
> > On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
> >> Has anybody been able to confirm or deny that uricontent matching is
> >> broken in 2.1.1? I would like to know so that if its the
> >> configuration that I'm running with, I can start to look there. If
> >> not, I don't mind trying to fumble my way through some c code to try
> >> to get it to work, if some one could point me in the right
> >> direction. I tried looking at the diff and the sp_pattern_match.c
> >> file, is this the correct place to start?
> >>
> >> Regards,
> >>
> >> Will
> >
>
> Interesting, could the fact that some people say it works and some say it
> does not be down to configuration. Pieter any chance you could post(failing
> that send me) part of your config file. This may explain why William Metcalf
> and others are failing to match. It would certainly speed up my updating of
> snort_inline.
>
> regards,
> Brian

--
Pieter Claassen <pie...@co...>
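Added example, not code from the list or from Snort's http_decode / http_inspect preprocessors. The thread turns on whether a rule's uricontent matches after the preprocessor has normalised the request URI; this C program shows the difference between matching the raw bytes (what content: sees) and matching a decoded URI (what uricontent: sees) on request lines constructed for the example, including the encoded request Pieter sent, the counter.exe request William listed, a double-encoded variant and a backslash variant. The function names, the request lines and the pattern are assumptions of this example; the real preprocessors do more than this (unicode maps, directory normalisation, whitespace handling).

```c
/* Added example (not from the list or from Snort): normalise a request URI
 * the way an HTTP preprocessor does before uricontent: matching, and compare
 * with a plain content: style match on the raw bytes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One percent-decoding pass; malformed escapes ("%", "%4", "%zz") are
 * copied through unchanged. Returns the number of escapes decoded. */
static size_t percent_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0, decoded = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi << 4 | lo);
            i += 2;
            decoded++;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return decoded;
}

/* Normalise like the preprocessor options in the thread: decode percent
 * escapes twice (double_encode) and turn backslashes into slashes
 * (iis_flip_slash). Returns the total number of escapes decoded. */
size_t normalize_uri(const char *uri, char *out, size_t outsz)
{
    char tmp[512];
    size_t n = percent_decode(uri, tmp, sizeof tmp);
    n += percent_decode(tmp, out, outsz);
    for (size_t i = 0; out[i] != '\0'; i++)
        if (out[i] == '\\')
            out[i] = '/';
    return n;
}

/* Pull the URI out of a request line "METHOD SP URI SP VERSION". */
int request_uri(const char *reqline, char *out, size_t outsz)
{
    const char *start = strchr(reqline, ' ');
    if (start == NULL)
        return -1;
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len + 1 > outsz)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* 1 if pattern occurs in the request URI. normalize=0 behaves like a
 * content: match on raw bytes, normalize=1 like uricontent: on the
 * normalised buffer. */
int uri_matches(const char *reqline, const char *pattern, int normalize)
{
    char uri[512], norm[512];
    if (request_uri(reqline, uri, sizeof uri) != 0)
        return 0;
    if (!normalize)
        return strstr(uri, pattern) != NULL;
    normalize_uri(uri, norm, sizeof norm);
    return strstr(norm, pattern) != NULL;
}

int main(void)
{
    /* Constructed request lines for the counter.exe request from the thread. */
    const char *reqs[] = {
        "GET /counter.exe HTTP/1.0",
        "GET /%63ounter.exe HTTP/1.0",
        "GET /%2563ounter.exe HTTP/1.0",
        "GET \\counter.exe HTTP/1.0",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-32s content:%d uricontent:%d\n", reqs[i],
               uri_matches(reqs[i], "/counter.exe", 0),
               uri_matches(reqs[i], "/counter.exe", 1));
    return 0;
}
```

Only the first request line matches on raw bytes; all four match once the URI is normalised, which is the behaviour a uricontent rule relies on and a content rule on the same pattern does not get.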
From: Brian J. <bja...@ci...> - 2004-04-02 10:59:25
Pieter wrote:-
> Yes, the uricontent works and it decodes and drops packets that match
> in inline mode.
>
> Pieter
>
> On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
>> Has anybody been able to confirm or deny that uricontent matching is
>> broken in 2.1.1? I would like to know so that if its the
>> configuration that I'm running with, I can start to look there. If
>> not, I don't mind trying to fumble my way through some c code to try
>> to get it to work, if some one could point me in the right
>> direction. I tried looking at the diff and the sp_pattern_match.c
>> file, is this the correct place to start?
>>
>> Regards,
>>
>> Will
>

Interesting, could the fact that some people say it works and some say it does not be down to configuration. Pieter any chance you could post(failing that send me) part of your config file. This may explain why William Metcalf and others are failing to match. It would certainly speed up my updating of snort_inline.

regards,
Brian
From: pieter c. <pie...@co...> - 2004-04-02 08:08:01
Yes, the uricontent works and it decodes and drops packets that match in inline mode.

Pieter

On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
> Has anybody been able to confirm or deny that uricontent matching is
> broken in 2.1.1? I would like to know so that if its the configuration
> that I'm running with, I can start to look there. If not, I don't mind
> trying to fumble my way through some c code to try to get it to work,
> if some one could point me in the right direction. I tried looking at
> the diff and the sp_pattern_match.c file, is this the correct place to
> start?
>
> Regards,
>
> Will
From: pieter c. <pi...@co...> - 2004-04-02 07:29:51
I tested that uricontent does in fact work in inline mode. Packets do get decoded successfully and dropped if matched with a signature.

Pieter

On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
> Has anybody been able to confirm or deny that uricontent matching is
> broken in 2.1.1? I would like to know so that if its the configuration
> that I'm running with, I can start to look there. If not, I don't mind
> trying to fumble my way through some c code to try to get it to work,
> if some one could point me in the right direction. I tried looking at
> the diff and the sp_pattern_match.c file, is this the correct place to
> start?
>
> Regards,
>
> Will
From: William M. <Wil...@kc...> - 2004-04-02 01:44:15
Has anybody been able to confirm or deny that uricontent matching is broken in 2.1.1? I would like to know so that if its the configuration that I'm running with, I can start to look there. If not, I don't mind trying to fumble my way through some c code to try to get it to work, if some one could point me in the right direction. I tried looking at the diff and the sp_pattern_match.c file, is this the correct place to start?

Regards,

Will
From: Frank E. <hi...@fr...> - 2004-04-01 09:12:21
Hello,

> I use fedora with snortinline2.1(binary) and barnyard 0.2rc1
> but i cant see ipheader or payload

The unified output plugin of Snort always writes the complete packet including all headers to the output file. The packet data is decoded by Barnyard again. When the inline patch is applied to Snort the ethernet header of the original packets is missing in the output file, but Barnyard still tries to decode the ethernet header.

Have a look into the file output-plugins/op_decode.c of the Barnyard code. I have no ready-to-use patch available, but I think when you replace the function DecodeEthPkt() by the following code, Barnyard should work with Snort-Inline.

void DecodeEthPkt(Packet *p, SnortPktHeader *pkthdr, u_int8_t *pkt)
{
    u_int32_t len;
    u_int32_t cap_len;

    bzero((char *) p, sizeof(Packet));

    p->pkth = pkthdr;
    len = pkthdr->pktlen;
    cap_len = pkthdr->caplen;

    /* Snort-Inline logs no ethernet header, so decode from the IP header on */
    DecodeIP(pkt, cap_len, p);
}

best regards
Frank Eberle
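Added example, not code from the list, from snort_inline or from Barnyard. Two messages in this archive make the same point: Rob's reply about the missing MAC address (packets from iptables arrive at layer 3, so snort_inline decodes from the IP header) and Frank's Barnyard fix above (DecodeEthPkt must not skip an ethernet header that was never logged). The self-contained C program below decodes a constructed IPv4 packet that starts at the IP header, checks the header checksum, and shows that trying to skip a 14-byte ethernet header that is not there makes the decode fail. Structure and function names (ip_info, decode_ip, the sample packet) are assumptions of this example, not Snort's or Barnyard's.

```c
/* Added example (not from snort_inline or Barnyard): a packet handed over by
 * ip_queue (Linux) or a divert socket (FreeBSD) begins at the IP header.
 * There is no ethernet header, hence no MAC address to log, and a decoder
 * that assumes one reads the IP header as if it were link-layer bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ip_info {
    uint8_t        version;
    uint8_t        ihl_bytes;    /* IP header length in bytes */
    uint8_t        proto;        /* IP protocol number */
    uint16_t       total_len;    /* IP total length */
    uint32_t       src, dst;     /* host byte order */
    const uint8_t *payload;      /* first byte after the IP header */
    size_t         payload_len;
};

/* RFC 1071 one's-complement checksum over the header; 0 means valid. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode an IPv4 packet that starts at the IP header. Returns 0 on success,
 * -1 if the buffer holds no sane IPv4 header (wrong version, short header,
 * bad checksum, or a total length that runs past the captured bytes). */
int decode_ip(const uint8_t *pkt, size_t caplen, struct ip_info *out)
{
    if (caplen < 20)
        return -1;
    uint8_t version = pkt[0] >> 4;
    size_t  ihl     = (pkt[0] & 0x0f) * 4u;
    if (version != 4 || ihl < 20 || ihl > caplen)
        return -1;
    uint16_t total_len = (uint16_t)(pkt[2] << 8 | pkt[3]);
    if (total_len < ihl || total_len > caplen)
        return -1;
    if (ip_checksum(pkt, ihl) != 0)
        return -1;                    /* corrupted, or not an IP header at all */
    memset(out, 0, sizeof *out);
    out->version     = version;
    out->ihl_bytes   = (uint8_t)ihl;
    out->proto       = pkt[9];
    out->total_len   = total_len;
    out->src = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 |
               (uint32_t)pkt[14] << 8  | pkt[15];
    out->dst = (uint32_t)pkt[16] << 24 | (uint32_t)pkt[17] << 16 |
               (uint32_t)pkt[18] << 8  | pkt[19];
    out->payload     = pkt + ihl;
    out->payload_len = total_len - ihl;
    return 0;
}

/* Constructed sample: one IPv4 header plus an 8-byte ICMP echo request,
 * exactly as ip_queue would hand it over, with no link layer in front. */
const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c,   /* v4, IHL 5, TOS 0, total length 28        */
    0x00, 0x00, 0x40, 0x00,   /* id 0, DF set, fragment offset 0          */
    0x40, 0x01, 0xb3, 0x7b,   /* TTL 64, proto 1 (ICMP), header checksum  */
    0xc0, 0xa8, 0x03, 0x14,   /* src 192.168.3.20 (address used in thread)*/
    0xc0, 0xa8, 0x03, 0x01,   /* dst 192.168.3.1                          */
    0x08, 0x00, 0xf7, 0xff, 0x00, 0x00, 0x00, 0x00   /* ICMP echo request */
};

int decode_sample(struct ip_info *out)
{
    return decode_ip(sample_pkt, sizeof sample_pkt, out);
}

/* Barnyard's mistake on inline logs: assume an ethernet header and skip 14 bytes. */
int decode_sample_as_ethernet(struct ip_info *out)
{
    return decode_ip(sample_pkt + 14, sizeof sample_pkt - 14, out);
}

/* A single flipped TTL byte must be rejected by the header checksum. */
int decode_sample_corrupted(struct ip_info *out)
{
    uint8_t copy[sizeof sample_pkt];
    memcpy(copy, sample_pkt, sizeof copy);
    copy[8] ^= 0x01;
    return decode_ip(copy, sizeof copy, out);
}

int main(void)
{
    struct ip_info info;
    if (decode_sample(&info) != 0) {
        puts("decode failed");
        return 1;
    }
    printf("proto %u, %u.%u.%u.%u -> %u.%u.%u.%u, %zu payload bytes\n",
           info.proto,
           (unsigned)(info.src >> 24), (unsigned)(info.src >> 16 & 0xff),
           (unsigned)(info.src >> 8 & 0xff), (unsigned)(info.src & 0xff),
           (unsigned)(info.dst >> 24), (unsigned)(info.dst >> 16 & 0xff),
           (unsigned)(info.dst >> 8 & 0xff), (unsigned)(info.dst & 0xff),
           info.payload_len);
    printf("as ethernet: %d, corrupted: %d (-1 means rejected)\n",
           decode_sample_as_ethernet(&info), decode_sample_corrupted(&info));
    return 0;
}
```

The checksum test is what turns "wrong starting offset" into a clean failure rather than garbage fields: with the 14-byte skip the version nibble is wrong anyway, but on other offsets the version can happen to be 4 and only the checksum gives it away.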
From: Jochen V. <jv...@it...> - 2004-04-01 08:49:51
Hi,

I use fedora with snortinline2.1(binary) and barnyard 0.2rc1 but I can't see the IP header or payload.

I start snort

  snort -c snort.conf -i br0 -Q -de -A none

with config

  output log_unified: filename snort.log, limit 128

--------------------------------------------------------------

I start barnyard

  barnyard -c barnyard.conf -d $LOG -g gen-msg.map -s sid-msg.map -f snort.log -w waldo.log

with config

  config localtime
  config hostname: 18
  config interface:
  config filter:
  output log_dump

-----------------------------------------------------------------

The system generates logs and writes them to acid but the IP header and payload fail. If I show dumplog I can see

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:363:4] ICMP IRDP router advertisement [**]
[Classification: Misc activity] [Priority: 3]
[Xref => http://www.securityfocus.com/bid/578] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0875] [Xref => http://www.whitehats.com/info/IDS173]
Event ID: 4014 Event Reference: 4014
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] [1:382:4] ICMP PING Windows [**]
[Classification: Misc activity] [Priority: 3]
[Xref => http://www.whitehats.com/info/IDS169]
Event ID: 20274 Event Reference: 20274
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-----------------------------------------------------------------------

If I uncomment the unified log in snort.conf I can see all in the snort standard log.

Thx for help
jo
From: Rob M. <ro...@ho...> - 2004-03-31 12:58:31
> Rob,
> Could you give me some guidance on when the uricontent will be working
> again. I was planning on upgrading from 2.0.5 Build 98 to match my other
> snort sensors which are 2.1.1 and the uricontent features heavily in the
> subset of rules I use. Is it planned as an interim release for 2.1.1 or
> are you waiting for 2.1.2?

Actually, as I sent that email, I realized that I was not writing what I meant. What I should have said is that the replace functionality only works with the content keyword. I was having a bad day ;)

I'll have to see if it is the uricontent or the lack of stream reassembly is affecting the match. Anyone else having the same problem?

Rob