From: Rob M. <rv...@ca...> - 2003-12-02 05:41:39
Josh,

I would simply add a call to InlineDrop() right before the call to CallAlertFuncs(). InlineDrop() does not take any arguments. I've highlighted the insertion below with 3 asterisks (***). This will drop the packet and continue to alert or log as required. The Inline functions do not do any alerting or logging. They simply tell iptables to drop the packet. Therefore, we still require the use of snort Alert and Log functions.

Rob

On Mon, 1 Dec 2003, Josh Berry wrote:
> Sorry I am not much of a developer, So for this piece of code:
>
>     if((runMode == MODE_IDS) &&
>        pv.decoder_flags.decode_alerts)
>     {
>         SetEvent(&event, GENERATOR_SNORT_DECODE,
>                  DECODE_BAD_80211_ETHLLC, 1, DECODE_CLASS,
>                  5, 0);
>         /***/ InlineDrop();
>         CallAlertFuncs(p, DECODE_BAD_80211_ETHLLC_STR,
>                        NULL, &event);
>         CallLogFuncs(p, DECODE_BAD_80211_ETHLLC_STR, NULL,
>                      &event);
>     }
>
>     return;
> }
>
> Would I just replace the CallAlertFuncs with InlineDrop();? Do I need to
> pass anything to InlineDrop?
From: Hess, B. <ben...@te...> - 2003-12-02 04:15:09
Hello,

I have been attempting to get snort-inline running on a RedHat 9.0 in a passive state. The issue that I am running into is setting up the bridging. It says everything is running fine, I can get IPTables running on it and everything, however I cannot get traffic through the bridge. I can get icmp traffic through, but all tcp and udp is being filtered. I attempted to shut down all IPTables and tested just the bridging and I am still getting all tcp and udp filtered. If I move the host out from behind the bridge everything works fine. Any hints or clues as to what I am missing would be much appreciated.

Below are the commands I am using to create the bridge:

    insmod bridge
    brctl addbr mybridge0
    brctl addif mybridge0 eth0
    brctl addif mybridge0 eth1
    ifconfig mybridge0 up

I appreciate any and all help on this matter,

Ben Hess
From: Rob M. <rv...@ca...> - 2003-11-28 23:55:17
> I'm sorry, I knew that the preprocessors didn't block packets, I just
> didn't realize that the config variables were considered preprocessors
> (such as)
>
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_ttcp_alerts
> etc.
>
> What would it take to make these drop packets? Would it be a lot of work?

It depends on your knowledge of snort. This is basically what you have to do to make a preproc drop.

1. Find the source file you want to modify.
2. Include inline.h.
3. Find the location where the preproc identifies what you want to drop.
4. Add one of the following function calls depending on what you want to do:
   a. InlineDrop(); <-- this drops the packet and logs
   b. InlineReject(Packet *); <-- this drops the packet, sends a reset, and logs.
5. Recompile source:
   a. make clean
   b. make
   c. make install
6. If everything works as planned, send the patch to rv...@ca... or to this mail list so it can be considered for inclusion into snort_inline.
7. (optional) Consider making the preproc you modified accept an argument so it does what you just modified above as well as act as it was originally intended to work. For example:
   a. (regular operation): preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
   b. (let's drop): preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, drop
   c. (let's reject): preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 reject

This would make it much easier to integrate into the snort source. Also, I surround all modifications to the original snort source with

    #ifdef GIDS
    modifications
    #endif

Again, this will make it easier in the future to integrate with the snort source tree.

As soon as I finish working on a project for the Honeynet project, I will update snort_inline to snort version 2.0.5, and I will include drop capability for portscan, portscan2, and arpspoof preprocs. Please let me know if there are any preprocs which you guys think would be good additions. Please consider possible false alarm rates because this would mean drops or rejects of packets every time such an event occurs.

Rob
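Steps 4 and 7 of Rob's list, worked through as an added example that is not part of snort_inline or of any patch posted to the list: a hypothetical portscan2-style argument parser that accepts his optional trailing `drop`/`reject` keyword, and a detection hook that selects the inline action under `#ifdef GIDS` so the same file still builds as plain snort. All type and function names below are assumptions; `InlineDrop()`, `InlineReject(Packet *)`, `inline.h` and `GIDS` are the names from his message.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not snort_inline's own code: a hypothetical preprocessor
 * that honours Rob's optional trailing "drop" / "reject" keyword.  Type and
 * function names are assumptions; InlineDrop(), InlineReject() and inline.h
 * are the snort_inline names he gives. */
typedef enum { PS_ALERT_ONLY = 0, PS_DROP = 1, PS_REJECT = 2 } ps_mode_t;

typedef struct {
    int scanners_max, targets_max, target_limit, port_limit, timeout;
    ps_mode_t mode;
} ps_config_t;

#ifdef GIDS
#include "inline.h"            /* InlineDrop(), InlineReject(Packet *) */
#else
typedef struct _Packet Packet; /* opaque stand-in so this builds outside snort_inline */
#endif

/* Parse "scanners_max 256, targets_max 1024, ..., timeout 60[, drop|reject]".
 * Commas are optional, so Rob's "timeout 60 reject" form works too.  Returns
 * 0, or -1 on an unknown keyword or a bad value, so a mistyped line refuses
 * to load rather than silently running in alert-only mode. */
int ps_parse_args(const char *args, ps_config_t *cfg)
{
    char buf[256], *tok, *end;
    long v;
    int *slot;

    if (!args || strlen(args) >= sizeof buf) return -1;
    strcpy(buf, args);
    cfg->scanners_max = 256; cfg->targets_max = 1024; cfg->target_limit = 5;
    cfg->port_limit = 20; cfg->timeout = 60;          /* defaults from Rob's line */
    cfg->mode = PS_ALERT_ONLY;                          /* "regular operation" */

    for (tok = strtok(buf, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
        slot = NULL;
        if (strcmp(tok, "drop") == 0)   { cfg->mode = PS_DROP;   continue; }
        if (strcmp(tok, "reject") == 0) { cfg->mode = PS_REJECT; continue; }
        if      (strcmp(tok, "scanners_max") == 0) slot = &cfg->scanners_max;
        else if (strcmp(tok, "targets_max")  == 0) slot = &cfg->targets_max;
        else if (strcmp(tok, "target_limit") == 0) slot = &cfg->target_limit;
        else if (strcmp(tok, "port_limit")   == 0) slot = &cfg->port_limit;
        else if (strcmp(tok, "timeout")      == 0) slot = &cfg->timeout;
        else return -1;                                 /* unknown keyword */
        if (!(tok = strtok(NULL, " ,\t"))) return -1;   /* keyword without value */
        v = strtol(tok, &end, 10);
        if (*end != '\0' || v < 0) return -1;           /* not a non-negative int */
        *slot = (int)v;
    }
    return 0;
}

/* Called where the preprocessor has decided a packet belongs to a scan.  The
 * existing alert/log calls stay where they are; per step 4 the inline call is
 * added beside them, wrapped in #ifdef GIDS.  Returns the action selected so
 * the decision is testable without a snort_inline build. */
int ps_scan_detected(const ps_config_t *cfg, Packet *p)
{
    (void)p;
    switch (cfg->mode) {
    case PS_DROP:
#ifdef GIDS
        InlineDrop();          /* drops the packet; snort still alerts/logs */
#endif
        return PS_DROP;
    case PS_REJECT:
#ifdef GIDS
        InlineReject(p);       /* drops, sends a reset, logs */
#endif
        return PS_REJECT;
    default:
        return PS_ALERT_ONLY;  /* original behaviour: alert/log only */
    }
}

/* Convenience: parse one config line and report the action it would select. */
int ps_action_for(const char *args)
{
    ps_config_t cfg;
    if (ps_parse_args(args, &cfg) != 0) return -1;
    return ps_scan_detected(&cfg, NULL);
}

/* Convenience: the parsed integer for one keyword, or -1 on a bad line/key. */
int ps_value_for(const char *args, const char *key)
{
    ps_config_t cfg;
    if (ps_parse_args(args, &cfg) != 0) return -1;
    if (strcmp(key, "scanners_max") == 0) return cfg.scanners_max;
    if (strcmp(key, "targets_max")  == 0) return cfg.targets_max;
    if (strcmp(key, "target_limit") == 0) return cfg.target_limit;
    if (strcmp(key, "port_limit")   == 0) return cfg.port_limit;
    if (strcmp(key, "timeout")      == 0) return cfg.timeout;
    return -1;
}
```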
From: Josh B. <jos...@ne...> - 2003-11-28 20:10:58
I'm sorry, I knew that the preprocessors didn't block packets, I just didn't realize that the config variables were considered preprocessors (such as)

config disable_tcpopt_experimental_alerts
config disable_tcpopt_ttcp_alerts
etc.

What would it take to make these drop packets? Would it be a lot of work?

> On Thu, 27 Nov 2003, Stephan Scholz wrote:
>
>> I don't believe that any preprocessor actually blocks at the moment.
>> Correct me if I'm wrong, Rob. :-)
>
> That is correct. None of the preprocessors actually drop packets.
> However, it would be really easy to make them do such things.
>
> Rob

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
From: Rob M. <rv...@ca...> - 2003-11-27 15:46:06
On Thu, 27 Nov 2003, Stephan Scholz wrote:
> I don't believe that any preprocessor actually blocks at the moment.
> Correct me if I'm wrong, Rob. :-)

That is correct. None of the preprocessors actually drop packets. However, it would be really easy to make them do such things.

Rob
From: Stephan S. <ss...@as...> - 2003-11-27 08:25:35
I don't believe that any preprocessor actually blocks at the moment. Correct me if I'm wrong, Rob. :-)

Stephan

> Does Snort-Inline block on the anomalous activities it finds with the
> decoding options, experimental tcp options, ip options, and ttcp alerts?
>
> Will it actually block these packets or just alert on them like it does
> with most of the preprocessors? If it doesn't would it be difficult to
> add?

--
Stephan Scholz <ss...@as...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
From: Josh B. <jos...@li...> - 2003-11-27 01:59:59
Does Snort-Inline block on the anomalous activities it finds with the decoding options, experimental tcp options, ip options, and ttcp alerts?

Will it actually block these packets or just alert on them like it does with most of the preprocessors? If it doesn't, would it be difficult to add?
From: Matt L. <ml...@em...> - 2003-11-25 16:58:27
Also, check to make sure that something else hasn't already bound to ipq. When I encountered "error message 16" errors, it was the netfilter telling me that I was already bound. These occurred when I was running snort-inline during testing, forgot I had already backgrounded a job, and tried to run snort-inline while another was already running.

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Sun, 23 Nov 2003, Rob McMillen wrote:

> On Mon, 24 Nov 2003, Thomas Pollet wrote:
>
> > Hi,
> >
> > I'm trying to set up snort inline. But after initialization it errors
> > with code 16. Seems to be an ipq problem
> > (the sample program from libipq manual gave same error).
> > I guess I missed something during setup, but can't find out exactly what.
> > I'd highly appreciate any help.
>
> Make sure the ip_queue module is loaded. You can check this by doing an
> lsmod. If it is not present, do an insmod ip_queue.
>
> Rob
From: Thomas P. <tho...@UG...> - 2003-11-24 16:52:04
> Hi,
>
> I'm trying to set up snort inline. But after initialization it errors
> with code 16. Seems to be an ipq problem
> (the sample program from libipq manual gave same error).
> I guess I missed something during setup, but can't find out exactly what.
> I'd highly appreciate any help.
>
> thanks in advance,
>
> Thomas Pollet
>
> This problem is quite similar to the one discussed in
> http://sourceforge.net/mailarchive/forum.php?thread_id=3303416&forum_id=32933
> although nobody posted a solution.
>
> for the record,
>
> I am using slackware 9, kernel 2.4.22, iptables-1.2.9 and my lsmod
> looks like
>
> Module                  Size  Used by    Not tainted
> iptable_filter          1644   1  (autoclean)
> ip_conntrack_irc        2992   0  (unused)
> ip_conntrack_ftp        3888   0  (unused)
> ip_conntrack           18016   2  [ip_conntrack_irc ip_conntrack_ftp]
> ipt_LOG                 3384   0  (unused)
> ip_tables              11768   2  [iptable_filter ipt_LOG]
> pcmcia_core            38112   0
> ip_queue                5420   0  (unused)
> ide-scsi                8048   0
> 3c59x                  26736   1
> nls_cp850               3580   1  (autoclean)
> nls_iso8859-15          3356   2  (autoclean)
> ntfs                   51040   2  (autoclean)
From: <Wil...@kc...> - 2003-11-24 14:00:44
If you are using RH9 or Trustix you must run the latest 1.2.7 patch-o-matic for iptables as the ipq module is broken in the default rh9 and trustix installations. After you have done this you must recompile your kernel. You can get the latest pom from www.netfilter.org

Regards,
Will

Thomas Pollet <tho...@UG...>
Sent by: sno...@li...
11/24/2003 04:12 PM

To: sno...@li...
cc:
Subject: [Snort-inline-users] snort inline hangs

Hi,

I'm trying to set up snort inline. But after initialization it errors with code 16. Seems to be an ipq problem (the sample program from libipq manual gave same error). I guess I missed something during setup, but can't find out exactly what. I'd highly appreciate any help.

thanks in advance,

Thomas Pollet
From: Rob M. <rv...@ca...> - 2003-11-23 22:31:00
On Mon, 24 Nov 2003, Thomas Pollet wrote:
> Hi,
>
> I'm trying to set up snort inline. But after initialization it errors
> with code 16. Seems to be an ipq problem
> (the sample program from libipq manual gave same error).
> I guess I missed something during setup, but can't find out exactly what.
> I'd highly appreciate any help.

Make sure the ip_queue module is loaded. You can check this by doing an lsmod. If it is not present, do an insmod ip_queue.

Rob
From: Thomas P. <tho...@UG...> - 2003-11-23 22:11:08
Hi,

I'm trying to set up snort inline. But after initialization it errors with code 16. Seems to be an ipq problem (the sample program from libipq manual gave same error). I guess I missed something during setup, but can't find out exactly what. I'd highly appreciate any help.

thanks in advance,

Thomas Pollet
From: Perrymon, J. L. <Per...@be...> - 2003-11-18 16:13:21
> Hello,
>
> I'm doing some research on In-line IDS. What is available out there for
> Free-BSD?
> I understand the snort.conf would be different as well as the ruleset and
> the ability to shun packets.
>
> How do you feel about the level of false-positives and the probability to
> drop business traffic? I would like to test in a lab and see how it
> reacts.
>
> Thanks!
>
> Joshua Perrymon
> Sr. Network Security Consultant
> BE&K Information Security Dept.
> 2000 International Park Drive
> Birmingham, Al 35243
> Voice ( 205 ) 972-6745
From: Jed H. <je...@gr...> - 2003-11-12 17:22:12
I've modified portscan2 to drop packets before; in fact the main reason I wrote portscan2 was with the hope of getting an accurate enough portscan detector that you could drop packets in a scan without breaking your network.

It's pretty simple to do, you just have to add InlineDrop() to the portscan2 code where it has determined that a packet is a part of a portscan. Look for the function that logs to the text file, and put InlineDrop() in the same place where the log function is called. Ideally you'd add some ifdefs, and some sort of config switch so it would be possible to turn scan dropping on/off in the config file.

In my experiments on my small network, and at a couple conference networks, dropping portscans works well; if you just drop the packets it can really slow the portscanner down. You probably do not want to send rejects...

Jed

On Tuesday, November 11, 2003, at 07:11 PM, Rob McMillen wrote:

>> Try this, Rob correct me if I'm wrong.
>>
>> LDFLAGS="-static" ./configure --enable-inline
>
> Almost ;) If you edit the Makefile and then run ./configure, the
> configure script will create a new Makefile and your changes will be
> lost.
> You need to first run ./configure (you don't need the --enable-inline)
> then edit the src/Makefile. Either changing the snort_LDFLAGS or
> LDFLAGS
> should work.
>
> Rob
From: Matt L. <ml...@em...> - 2003-11-12 17:15:07
Rob:

Actually, the more I think of it the better an idea it seems to have portscan have another line in the configuration file:

    preprocessor portscan: $HONEYNET X X /log/file
    preprocessor portscan-ignorehosts: $DNSSERVER $AFSSERVER
    preprocessor portscan-drop-threshold: X X

If drop-threshold is set to "off off" then portscan stays in alert mode. If drop-threshold is set to any valid integers, then it takes the new threshold (probably higher by default than alert, to be safe) and drops all detected portscan traffic after that threshold.

Does this seem to make sense, and do you think it would result in too much degradation of performance? Or is the logic off?

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

---------- Forwarded message ----------
Date: Tue, 11 Nov 2003 15:26:37 -0800 (PST)
From: Matt Linton <ml...@em...>
To: Rob McMillen <rv...@ca...>
Cc: sno...@li...
Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode

Rob:

I can't say I'm a good enough programmer to do the coding, but I'd be happy to help in any way that I can. It's definitely of interest to me: In the testing that I've done, even with a relatively restrictive threshold of 10 ports in 2 seconds, the only false positives I've had are msn.com (cross site links) and ebay (LOTS of requests to various :80 addresses for remote hosted images). It would be a wonderful feature for using the snort-inline gateway to restrict outbound ability of trojans/virii/bounce scans as well as portscans from outside the network to protected hosts.

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Tue, 11 Nov 2003, Rob McMillen wrote:

> Matt,
>         snort-inline does not drop packets based on the portscan
> preprocessor. However, it would be pretty easy to modify it so it does.
>         Is this something that would be of interest to the list? Anyone
> have any pros and cons? It might be nice to drop portscans, but how many
> false positives does the portscan preprocessor generate?
>
> Rob
>
> P.S. If I get enough responses, I'll modify/add to the portscan
> preprocessor so it is capable of dropping packets when it detects a port
> scan.
>
> On Mon, 10 Nov 2003, Matt Linton wrote:
>
> > Greetings everyone;
> >
> > Is anyone willing to share a clear understanding of how the portscan
> > preprocessor works under snort-inline? I've done some testing and my
> > gateway doesn't seem to be blocking any portscan traffic.
> >
> > I have two snort gateways in bridge mode, set up as follows:
> >
> > Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
> >
> > When doing a portscan from the Laptop to a machine on the internet, I
> > should see traffic logged in the portscan log on gateway1 and very little
> > on gateway2, if 1 is blocking correctly. However, they both register all
> > portscan traffic.
> >
> > The rule being used (on both) is:
> >
> > preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
> > preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
> >
> > Has portscan preprocessor not been patched to support drop mode yet?
> >
> > +---------------------------------------------------
> > | Regards;
> > | Matt Linton
> > | UNIX Systems Administrator
> > | ASANI Solutions, LLC.
> > +---------------------------------------------------
> >
> > On Fri, 7 Nov 2003, Rob McMillen wrote:
> >
> > > The reason it fails is because the function calls between Libnet 1.1 and
> > > 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> > > used it for snort-inline to avoid requiring two different versions of
> > > Libnet.
> > >
> > > Rob
> > >
> > > On Fri, 7 Nov 2003, Stephan Scholz wrote:
> > >
> > > > Hi Josh,
> > > >
> > > > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > > > back to Libnet 1.0.2.
> > > >
> > > > Stephan
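Matt's two-threshold proposal above, worked through as an added example that is not snort_inline's portscan preprocessor nor code from anyone on the list: the `portscan` line's `X X` (ports, seconds) is the alert threshold, `portscan-drop-threshold` is either `off off` or a higher pair after which scan packets are dropped, and `portscan-ignorehosts` suppresses known noisy sources like the msn.com and ebay cases he mentions. Type names, table sizes and the 10.0.0.1 scanner address are assumptions; timestamps are integer milliseconds so the window test is exact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example of Matt's proposal, not snort_inline's portscan code.
 * Alert threshold: N distinct dst ports from one source within S seconds.
 * Drop threshold: a second, higher (N, S); "off off" keeps alert-only mode.
 * Names, sizes and the scanner address 10.0.0.1 are assumptions. */
typedef enum { PS_NONE = 0, PS_ALERT = 1, PS_DROP = 2 } ps_action_t;

typedef struct { int ports; long window_ms; } ps_thresh_t;  /* ports == 0: off */

#define PS_MAX_SRC  8
#define PS_MAX_HITS 64
#define PS_MAX_IGN  4

typedef struct {
    uint32_t src; int n;
    uint16_t port[PS_MAX_HITS]; long t[PS_MAX_HITS];    /* (dst port, time) hits */
} ps_src_t;

typedef struct {
    ps_thresh_t alert, drop;
    uint32_t ignore[PS_MAX_IGN]; int nign;               /* portscan-ignorehosts */
    ps_src_t src[PS_MAX_SRC]; int nsrc;
} ps_tracker_t;

/* Parse "X X" (ports, seconds) or "off off"; returns 0, or -1 on a bad pair. */
int ps_parse_threshold(const char *args, ps_thresh_t *th)
{
    int ports, secs;
    if (strcmp(args, "off off") == 0) { th->ports = 0; th->window_ms = 0; return 0; }
    if (sscanf(args, "%d %d", &ports, &secs) != 2 || ports <= 0 || secs <= 0) return -1;
    th->ports = ports; th->window_ms = (long)secs * 1000L;
    return 0;
}

/* Distinct destination ports this source touched within the last window_ms. */
static int distinct_ports_within(const ps_src_t *s, long window_ms, long now)
{
    int i, j, count = 0;
    for (i = 0; i < s->n; i++) {
        if (now - s->t[i] > window_ms) continue;          /* outside the window */
        for (j = 0; j < i; j++)                            /* already counted? */
            if (now - s->t[j] <= window_ms && s->port[j] == s->port[i]) break;
        if (j == i) count++;
    }
    return count;
}

static ps_src_t *find_src(ps_tracker_t *tr, uint32_t src)
{
    int i;
    for (i = 0; i < tr->nsrc; i++)
        if (tr->src[i].src == src) return &tr->src[i];
    if (tr->nsrc == PS_MAX_SRC) return NULL;              /* table full */
    tr->src[tr->nsrc].src = src; tr->src[tr->nsrc].n = 0;
    return &tr->src[tr->nsrc++];
}

/* Record one packet (src -> dst port at now_ms) and decide on it.  In a
 * snort_inline build, PS_DROP is the point where InlineDrop() would go. */
ps_action_t ps_observe(ps_tracker_t *tr, uint32_t src, uint16_t port, long now_ms)
{
    int i;
    ps_src_t *s;
    for (i = 0; i < tr->nign; i++)
        if (tr->ignore[i] == src) return PS_NONE;          /* ignorehosts entry */
    if ((s = find_src(tr, src)) == NULL) return PS_NONE;
    if (s->n == PS_MAX_HITS) {                              /* evict the oldest hit */
        memmove(s->port, s->port + 1, sizeof s->port - sizeof s->port[0]);
        memmove(s->t, s->t + 1, sizeof s->t - sizeof s->t[0]);
        s->n--;
    }
    s->port[s->n] = port; s->t[s->n] = now_ms; s->n++;
    if (tr->drop.ports > 0 &&
        distinct_ports_within(s, tr->drop.window_ms, now_ms) >= tr->drop.ports)
        return PS_DROP;
    if (tr->alert.ports > 0 &&
        distinct_ports_within(s, tr->alert.window_ms, now_ms) >= tr->alert.ports)
        return PS_ALERT;
    return PS_NONE;
}

/* Constructed scan: 10.0.0.1 probes ports 1..nports, one every gap_ms.
 * Returns how many packets received the action `which` (-1 on a bad
 * threshold); ignore_scanner puts the scanner on the ignorehosts list. */
int ps_count_action(const char *alert_args, const char *drop_args, int nports,
                    long gap_ms, ps_action_t which, int ignore_scanner)
{
    ps_tracker_t tr;
    int i, count = 0;
    memset(&tr, 0, sizeof tr);
    if (ps_parse_threshold(alert_args, &tr.alert) != 0 ||
        ps_parse_threshold(drop_args, &tr.drop) != 0) return -1;
    if (ignore_scanner) tr.ignore[tr.nign++] = 0x0A000001u;
    for (i = 0; i < nports; i++)
        if (ps_observe(&tr, 0x0A000001u, (uint16_t)(1 + i), gap_ms * i) == which)
            count++;
    return count;
}
```

With `10 2` for alert and `20 2` for drop, a 25-port scan at one port every 100 ms alerts on packets 10 through 19 and drops packets 20 through 25; the same scan spread to one port per 500 ms never reaches ten ports inside any two-second window and stays silent.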
From: Lance S. <la...@ho...> - 2003-11-12 12:57:31
On Tue, 11 Nov 2003 Wil...@kc... wrote:
> Try this, Rob correct me if I'm wrong.
>
> LDFLAGS="-static" ./configure --enable-inline

I find this to be an easier, but less elegant method. Compile snort_inline like you would normally.

    ./configure
    make

When you type make, the very last line of output is the one that links all the object code into your executable. Copy this line, add the comment '-static' to it, then paste and re-execute. This should give you your static binary. Crude, but should be effective.

lance
From: Rob M. <rv...@ca...> - 2003-11-12 01:57:46
> Try this, Rob correct me if I'm wrong.
>
> LDFLAGS="-static" ./configure --enable-inline

Almost ;) If you edit the Makefile and then run ./configure, the configure script will create a new Makefile and your changes will be lost. You need to first run ./configure (you don't need the --enable-inline) then edit the src/Makefile. Either changing the snort_LDFLAGS or LDFLAGS should work.

Rob
From: Rob M. <rv...@ca...> - 2003-11-12 01:51:44
> I would be most interested in getting the arpspoof preprocessor to block.
> I don't believe it does right now.

You are correct. It does not drop at this time. I'll need to check out the preproc...

> I would also like to know how to compile snort statically so I don't have
> to repatch/compile on each sensor that I setup. I just want to be able to
> copy/paste the binary like the binary package for snort-inline on
> sourceforge.

This kind of depends if you are trying to compile it statically with mysql support. I haven't been able to compile it statically with mysql :(

These are the steps I use to create the static snort_inline binary:

1. ./configure
2. vi src/Makefile
   a. change snort_inline_LDFLAGS = to snort_inline_LDFLAGS = -static
3. make

If you have already compiled this source, do a make clean before you start to make sure you get rid of any old object files. This should put a statically linked binary in the src directory. Just to verify that you have what you want, run file on snort_inline. It should tell you that you have a static binary.

Rob

P.S. Let me know if you get it to compile statically with mysql support.
From: Matt L. <ml...@em...> - 2003-11-11 23:30:35
Rob:

I can't say I'm a good enough programmer to do the coding, but I'd be happy to help in any way that I can. It's definitely of interest to me: In the testing that I've done, even with a relatively restrictive threshold of 10 ports in 2 seconds, the only false positives I've had are msn.com (cross site links) and ebay (LOTS of requests to various :80 addresses for remote hosted images). It would be a wonderful feature for using the snort-inline gateway to restrict outbound ability of trojans/virii/bounce scans as well as portscans from outside the network to protected hosts.

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Tue, 11 Nov 2003, Rob McMillen wrote:

> Matt,
>         snort-inline does not drop packets based on the portscan
> preprocessor. However, it would be pretty easy to modify it so it does.
>         Is this something that would be of interest to the list? Anyone
> have any pros and cons? It might be nice to drop portscans, but how many
> false positives does the portscan preprocessor generate?
>
> Rob
>
> P.S. If I get enough responses, I'll modify/add to the portscan
> preprocessor so it is capable of dropping packets when it detects a port
> scan.
>
> On Mon, 10 Nov 2003, Matt Linton wrote:
>
> > Greetings everyone;
> >
> > Is anyone willing to share a clear understanding of how the portscan
> > preprocessor works under snort-inline? I've done some testing and my
> > gateway doesn't seem to be blocking any portscan traffic.
> >
> > I have two snort gateways in bridge mode, set up as follows:
> >
> > Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
> >
> > When doing a portscan from the Laptop to a machine on the internet, I
> > should see traffic logged in the portscan log on gateway1 and very little
> > on gateway2, if 1 is blocking correctly. However, they both register all
> > portscan traffic.
> >
> > The rule being used (on both) is:
> >
> > preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
> > preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
> >
> > Has portscan preprocessor not been patched to support drop mode yet?
> >
> > +---------------------------------------------------
> > | Regards;
> > | Matt Linton
> > | UNIX Systems Administrator
> > | ASANI Solutions, LLC.
> > +---------------------------------------------------
> >
> > On Fri, 7 Nov 2003, Rob McMillen wrote:
> >
> > > The reason it fails is because the function calls between Libnet 1.1 and
> > > 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> > > used it for snort-inline to avoid requiring two different versions of
> > > Libnet.
> > >
> > > Rob
> > >
> > > On Fri, 7 Nov 2003, Stephan Scholz wrote:
> > >
> > > > Hi Josh,
> > > >
> > > > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > > > back to Libnet 1.0.2.
> > > >
> > > > Stephan
From: <Wil...@kc...> - 2003-11-11 20:45:31
Josh,

Try this; Rob, correct me if I'm wrong.

LDFLAGS="-static" ./configure --enable-inline

Regards,
Will


"Josh Berry" <jos...@ne...>
11/11/2003 10:58 AM

To: Wil...@kc...
cc: sno...@li...
Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode

I would be most interested in getting the arpspoof preprocessor to block. I
don't believe it does right now. I would also like to know how to compile
snort statically so I don't have to repatch/compile on each sensor that I
setup. I just want to be able to copy/paste the binary like the binary
package for snort-inline on sourceforge.

> this would be a nice thing to have.........
> [...]

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
From: Josh B. <jos...@ne...> - 2003-11-11 16:57:16
I would be most interested in getting the arpspoof preprocessor to block. I
don't believe it does right now. I would also like to know how to compile
snort statically so I don't have to repatch/compile on each sensor that I
setup. I just want to be able to copy/paste the binary like the binary
package for snort-inline on sourceforge.

> this would be a nice thing to have.........
>
> Rob McMillen <rv...@ca...>
> Sent by: sno...@li...
> 11/11/2003 12:37 AM
>
> To: sno...@li...
> cc:
> Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode
>
> Matt,
>     snort-inline does not drop packets based on the portscan
> preprocessor. However, it would be pretty easy to modify it so it does.
> Is this something that would be of interest to the list? Anyone
> have any pros and cons? It might be nice to drop portscans, but how many
> false positives does the portscan preprocessor generate?
>
> Rob
>
> P.S. If I get enough responses, I'll modify/add to the portscan
> preprocessor so it is capable of dropping packets when it detects a port
> scan.
>
> On Mon, 10 Nov 2003, Matt Linton wrote:
>
>> [...]

Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
jos...@li...
From: <Wil...@kc...> - 2003-11-11 16:32:00
this would be a nice thing to have.........


Rob McMillen <rv...@ca...>
Sent by: sno...@li...
11/11/2003 12:37 AM

To: sno...@li...
cc:
Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode

Matt,
    snort-inline does not drop packets based on the portscan
preprocessor. However, it would be pretty easy to modify it so it does.
Is this something that would be of interest to the list? Anyone
have any pros and cons? It might be nice to drop portscans, but how many
false positives does the portscan preprocessor generate?

Rob

P.S. If I get enough responses, I'll modify/add to the portscan
preprocessor so it is capable of dropping packets when it detects a port
scan.

On Mon, 10 Nov 2003, Matt Linton wrote:

> [...]

_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Rob M. <rv...@ca...> - 2003-11-11 06:23:42
Matt,
    snort-inline does not drop packets based on the portscan
preprocessor. However, it would be pretty easy to modify it so it does.
Is this something that would be of interest to the list? Anyone
have any pros and cons? It might be nice to drop portscans, but how many
false positives does the portscan preprocessor generate?

Rob

P.S. If I get enough responses, I'll modify/add to the portscan
preprocessor so it is capable of dropping packets when it detects a port
scan.

On Mon, 10 Nov 2003, Matt Linton wrote:

> Greetings everyone;
>
> Is anyone willing to share a clear understanding of how the portscan
> preprocessor works under snort-inline? I've done some testing and my
> gateway doesn't seem to be blocking any portscan traffic.
>
> I have two snort gateways in bridge mode, set up as follows:
>
> Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
>
> When doing a portscan from the Laptop to a machine on the internet, I
> should see traffic logged in the portscan log on gateway1 and very little
> on gateway2, if 1 is blocking correctly. However, they both register all
> portscan traffic.
>
> The rule being used (on both) is:
>
> preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
> preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
>
> Has the portscan preprocessor not been patched to support drop mode yet?
>
> +---------------------------------------------------
> | Regards;
> | Matt Linton
> | UNIX Systems Administrator
> | ASANI Solutions, LLC.
> +---------------------------------------------------
>
> On Fri, 7 Nov 2003, Rob McMillen wrote:
>
> > [...]
From: Matt L. <ml...@em...> - 2003-11-11 01:04:11
Greetings everyone;

Is anyone willing to share a clear understanding of how the portscan
preprocessor works under snort-inline? I've done some testing and my
gateway doesn't seem to be blocking any portscan traffic.

I have two snort gateways in bridge mode, set up as follows:

Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet

When doing a portscan from the Laptop to a machine on the internet, I
should see traffic logged in the portscan log on gateway1 and very little
on gateway2, if 1 is blocking correctly. However, they both register all
portscan traffic.

The rule being used (on both) is:

preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
preprocessor portscan-ignorehosts: x.x.x.x (sanitized)

Has the portscan preprocessor not been patched to support drop mode yet?

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Fri, 7 Nov 2003, Rob McMillen wrote:

> The reason it fails is because the function calls between Libnet 1.1 and
> 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> used it for snort-inline to avoid requiring two different versions of
> Libnet.
>
> Rob
>
> On Fri, 7 Nov 2003, Stephan Scholz wrote:
>
> > Hi Josh,
> >
> > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > back to Libnet 1.0.2.
> >
> > Stephan
From: <Wil...@kc...> - 2003-11-10 15:35:33
Use libnet 1.0.2a and remove the following lines at the bottom of the
/include/libnet.h file; it should compile fine on RH9 once you have done
this.

#if (!LIBNET_LIL_ENDIAN && !LIBNET_BIG_ENDIAN)
#error "byte order has not been specified, you'll need to #define either LIBNET_LIL_ENDIAN or LIBNET_BIG_ENDIAN. See the documentation regarding the libnet-config script."
#endif

Regards,
Will
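As an added illustration of what the check above guards (not code from this post or from libnet): libnet 1.0.x, like BSD's netinet/ip.h, declares the IPv4 version and header-length nibbles as bit-fields whose order is selected by LIBNET_LIL_ENDIAN or LIBNET_BIG_ENDIAN, so a build with the wrong define emits headers whose first byte has its nibbles swapped. The struct and function names below are invented for the example, and it assumes GCC/Clang bit-field packing.

```c
/* Added example, not from the mailing-list post or from libnet itself.
 * libnet 1.0.x lays out the IPv4 version/IHL nibbles as two 4-bit
 * bit-fields; which one comes first is chosen by LIBNET_LIL_ENDIAN or
 * LIBNET_BIG_ENDIAN (normally supplied by libnet-config at build time).
 * The #error in libnet.h is the early, readable failure for a build that
 * has neither; deleting it trades that for a header whose layout is left
 * to luck.  Struct and function names here are made up for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout libnet uses under LIBNET_LIL_ENDIAN: header length in the low nibble. */
struct ip_vhl_lil { uint8_t ip_hl:4; uint8_t ip_v:4; };
/* Layout libnet uses under LIBNET_BIG_ENDIAN: version in the high nibble. */
struct ip_vhl_big { uint8_t ip_v:4; uint8_t ip_hl:4; };

/* Runtime probe of host byte order: 1 if little-endian, 0 if big-endian. */
int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* First byte of an IPv4 header (version 4, IHL 5 words) as each layout
 * encodes it on this host.  GCC and Clang allocate bit-fields from the least
 * significant bit on little-endian targets and from the most significant bit
 * on big-endian ones, which is exactly what the two layouts rely on. */
uint8_t vhl_byte_lil(void)
{
    struct ip_vhl_lil h = { .ip_hl = 5, .ip_v = 4 };
    uint8_t b;
    memcpy(&b, &h, 1);
    return b;
}

uint8_t vhl_byte_big(void)
{
    struct ip_vhl_big h = { .ip_hl = 5, .ip_v = 4 };
    uint8_t b;
    memcpy(&b, &h, 1);
    return b;
}

/* The layout that matches the host: what the right -DLIBNET_*_ENDIAN define
 * selects.  Yields 0x45 on any host. */
uint8_t vhl_byte_for_host(void)
{
    return host_is_little_endian() ? vhl_byte_lil() : vhl_byte_big();
}

/* The other layout: what a mismatched or guessed define produces (0x54). */
uint8_t vhl_byte_mismatched(void)
{
    return host_is_little_endian() ? vhl_byte_big() : vhl_byte_lil();
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("matching layout   : 0x%02x (version 4, IHL 5)\n", vhl_byte_for_host());
    printf("mismatched layout : 0x%02x (nibbles swapped)\n", vhl_byte_mismatched());
    return 0;
}
```

Supplying the define that matches the target (the libnet-config script the #error message refers to exists for that) keeps the check and the correct layout; removing the check only removes the warning.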