Snort mailing list archives
Re: Content "c:"
From: "Graham M Locke" <graham () waldonet net mt>
Date: Wed, 20 Jun 2001 14:31:02 +0200
I think the problem is that snort is interpreting the ':' in the content string (incorrectly?). So you have to escape the ':' with a '\'. I have tested the following, and it seems to work, although the ':' in the msg gets dropped. You can escape that ':' too, but the logged message then contains 'C:\'.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:"; content:"c\:"; nocase;)

Hope this helps

Graham
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue Jun 19 2001 - 14:47:28 CDT

I'm trying to create a rule that searches for content of "c:" in packets. But Snort complains that a closing quote is needed. In a prior posting I had asked about "c:\" and someone mentioned the backslash was a problem. Even without the backslash this still fails. This is the latest test rule I tried:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content: "c:"; nocase;)

Snort complains that content needs an ending quote. Apparently the colon after the "c" is what is messing this up. Does anyone know how to make a content rule with "c:" or any drive letter as the content?

Thanks,
Paul

Message: 5
Date: Tue, 19 Jun 2001 12:18:17 -0700 (PDT)
From: Andrew Daviel <andrew () andrew triumf ca>
Reply-To: Andrew Daviel <advax () triumf ca>
To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
cc: "'Snort-users () lists sourceforge net'" <Snort-users () lists sourceforge net>
Subject: Re: [Snort-users] getcontact utility
In-Reply-To: <4BC7BAFE07ADD31197C500508B6F4C2808E311A1 () ct-exch-02 corp priceline com>
Message-ID: <Pine.LNX.4.33.0106191152210.2117-100000 () andrew triumf ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: snort-users-admin () lists sourceforge net
Precedence: bulk
List-Help: <mailto:snort-users-request () lists sourceforge net?subject=help>
List-Post: <mailto:snort-users () lists sourceforge net>
List-Subscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request () lists sourceforge net?subject=subscribe>
List-Id: Snort users talk about... Snort! <snort-users.lists.sourceforge.net>
List-Unsubscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request () lists sourceforge net?subject=unsubscribe>
List-Archive: <http://lists.sourceforge.net/archives//snort-users/>

On Mon, 18 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> Hello, I am looking for a utility to use with Snort (running on Linux) similar to the "Getcontact" utility seen on snort.org. It would be nice to be able to automatically lookup contacts for the different ISPs and send out emails when certain attacks occur. Does anyone have a script they could share that could do this?

My reporter script (the subject of some criticism for one false alert :-7) has a contact lookup module. Like most of my stuff, it's ugly Perl (what do you expect from an ex-FORTRAN programmer).

http://andrew.triumf.ca/pub/security/reporter/

The contact lookup algorithm keeps evolving. Currently, it works like this:

- Try to resolve the ip with DNS.
- Failing that, try to get an Apache error message. Failing that, a sendmail banner (many APNIC sites don't resolve).
- Work along the name looking for an MX record.
- Look up the org. in a private database.
- Look up the org at whois.abuse.net.
- Try mailing to "abuse" anyhow, and watch for a bounce.
- If it doesn't resolve, dig through whois records starting at whois.arin.net.
- Mail to "abuse" if it exists in the whois record.
- If the technical contact address seems to match the netblock, as it does for major ISPs & orgs, try mailing "abuse@org".
- Otherwise, mail any email address found in the record, except if it's IANA, meaning it's a private netblock and I didn't notice.
- Try not to mail people like "nic () apnic net" if I can help it.

dshield.org is doing something similar with aggregate records. They cache whois contacts and store them in a database. There's an SQL dump on the web.

Abuse.net is really for spam complaints but I've started using their database for resolved names except where I know a more appropriate one, e.g. "security-nonverbose () uu net" or whatever.

As has been pointed out to me, an automated reporter is vulnerable to scans with spoofed source addresses as an attack on the credibility of the reporter. (Maybe I need a "credible limit" of total scans/hour.)

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

Message: 6
From: "Bill Marquette" <wlmarque () hewitt com>
To: Kiira Triea <kiira-t () mail bsasinc org>
cc: snort-users () lists sourceforge net
Message-ID: <86256A70.006FBA82.00 () lintng1 hewitt com>
Date: Tue, 19 Jun 2001 15:19:51 -0500
Subject: Re: [Snort-users] Starting snort against multiple interfaces?
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Kiira,

http://snort.sourceforge.net/snort-daily.tar.gz contains a daily snapshot of the CVS tree. Be warned though, I believe it's a tarball of the actual CVS tree, not the export (or checked out) tree. This should at least get you around your firewall issues :) Alternately, I make a snapshot at midnight CDT, that is a checked out version, it's available (if you want to trust me :)) at:

http://www.danger.ms/~billm/snort-current.tgz

--Bill

Kiira Triea <kiira-t@mail.bsasinc.org> wrote on 06/19/2001 01:52 PM:
To: fygrave () tigerteam net (Fyodor)
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Starting snort against multiple interfaces?

> Hi,
>
> On Tue, Jun 19, 2001 at 12:30:45PM -0400, Kiira Triea wrote:
>
> > Ok, it's my day for goofy questions I guess. I have recompiled snort using Sebastian Krahmer's patched libpcap, I am using a 2.2.16 kernel and all went well with the build. If I understand the docs I've found on this I should be able to start snort like:
> >
> > './snort -D -i any -c snort.conf'
> >
> > and have it read from all nics? Instead I get
> >
> > Initializing Network Interface any
> > ioctl(SIOCGIFMTU): No such device
> > ERROR: Can not get MTU of an interface any!
> >
> > ????
>
> Looks like old snort (1.7x something) is used here. :) We have done a few fixes here:
>
> 1. It's recommended to use recent version from www.tcpdump.org, they have fixed a few things in Sebastian's code and incorporated the patch.
> 2. More recent snort, we have fixed support of interface 'any' in it :)

Yes Ok, I am using ver 1.7 from snort.org. Poop. When is ver. 8 expected ready for prime time? Getting cvs working is not going through my firewall it looks.

thanks,
Kiira

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Message: 7
Date: Tue, 19 Jun 2001 13:23:39 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Kiira Triea <kiira-t () mail bsasinc org>
cc: Fyodor <fygrave () tigerteam net>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Starting snort against multiple interfaces?
In-Reply-To: <200106191852.f5JIqIm07625 () mailhub bsasinc org>
Message-ID: <Pine.GSO.4.32.0106191321410.127-100000 () lurch theadamsfamily net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 19 Jun 2001, Kiira Triea wrote:

> Yes Ok, I am using ver 1.7 from snort.org. Poop. When is ver. 8 expected ready for prime time? Getting cvs working is not going through my firewall it looks.

Actually, save yourself some effort:

http://snort.sourceforge.net/snort-daily.tar.gz

Thank Fyodor for that! :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

Message: 8
Date: Tue, 19 Jun 2001 13:28:12 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
cc: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Content "c:"
In-Reply-To: <4BC7BAFE07ADD31197C500508B6F4C2808E311CB () ct-exch-02 corp priceline com>
Message-ID: <Pine.GSO.4.32.0106191326560.127-200000 () lurch theadamsfamily net>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-758783491-992982492=:127"

On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> I'm trying to create a rule that searches for content of "c:" in packets. But Snort complains that a closing quote is needed. In a prior posting I had asked about "c:\" and someone mentioned the backslash was a problem. Even without the backslash this still fails. This is the latest test rule I tried:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content: "c:"; nocase;)
>
> Snort complains that content needs an ending quote. Apparently the colon after the "c" is what is messing this up. Does anyone know how to make a content rule with "c:" or any drive letter as the content?

Paul,

Have a look at the attached message.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

Message: 9
Date: Tue, 19 Jun 2001 21:43:06 +0100
From: Lee Smallbone <lee () smallbone com>
Reply-To: Lee Smallbone <lee () smallbone com>
Message-ID: <16904.010619 () smallbone com>
To: Snort-users () lists sourceforge net
Subject: Re[2]: [Snort-users] performance snort question
References: <3B2F3B0D.864A667D () office netland nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
RW> If you use logging into MySQL, you must have a better configuration.
RW> But, yes, I think this works fine when just Snort logs into txt file.

Not a major concern in my instance as all logging is made to a central MySQL server. If you intend to log locally to an SQL server, consider doubling the below specification, especially if you intend to also run something like ACID on the same box.

/Lee

> Lee Smallbone <lee () smallbone com> writes:
>
> > Tuesday, June 19, 2001, 8:44:42 AM, you wrote:
> >
> > EHS> I haven't seen an answer to Roeland's questions so far. I am
> > EHS> currently considering building a snort box which should be able to
> > EHS> withstand a saturated 100mbps in worst-case, and have been unable to
> > EHS> find even the slightest hint on what hardware requirement would be
> > EHS> needed to do that.
> >
> > The author seems fairly sure that a 486 should be able to keep up with a 100mbit/s link. I'd go one step further and use the following configuration so I know it would be there if it was needed:
> >
> > o) old pentium of some sort (P90/100)
> > o) 32-64mb ram
> > o) Large disk to cope with logs (pref SCSI or ATA100)
> > o) Decent, trusted 100mbit/s NIC
>
> Thank you very much for your answer! I really needed this information to support my push for building a snort based IDS box :)
>
> /Esben

RW> --
RW> Netland Internet Services
RW> business internet solutions
RW> http://www.netland.nl Kruislaan 419 1098 VA Amsterdam
RW> info: 020-5628282 servicedesk: 020-5628280 fax: 020-5628281

Best regards,
Lee
mailto:lee () smallbone com

Message: 10
Message-ID: <4BC7BAFE07ADD31197C500508B6F4C2808E311D0 () ct-exch-02 corp priceline com>
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: 'Erek Adams' <erek () theadamsfamily net>, "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Cc: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Content "c:"
Date: Tue, 19 Jun 2001 17:25:05 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

I'm not using a "\" (backslash). I am strictly searching for a letter followed by a colon. I will give Jim's advice a try.

Thanks!

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, June 19, 2001 4:28 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] Content "c:"

On Tue, 19 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> I'm trying to create a rule that searches for content of "c:" in packets. But Snort complains that a closing quote is needed. In a prior posting I had asked about "c:\" and someone mentioned the backslash was a problem. Even without the backslash this still fails. This is the latest test rule I tried:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content: "c:"; nocase;)
>
> Snort complains that content needs an ending quote. Apparently the colon after the "c" is what is messing this up. Does anyone know how to make a content rule with "c:" or any drive letter as the content?

Paul,

Have a look at the attached message.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

Message: 11
Message-ID: <3B2FC554.FD91536D () mitre org>
Date: Tue, 19 Jun 2001 17:34:12 -0400
From: Brian Caswell <bmc () mitre org>
Organization: The MITRE Corporation
MIME-Version: 1.0
To: Bill Marquette <wlmarque () hewitt com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Starting snort against multiple interfaces?
References: <86256A70.006FBA82.00 () lintng1 hewitt com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Bill Marquette wrote:

> http://snort.sourceforge.net/snort-daily.tar.gz contains a daily snapshot of the CVS tree. Be warned though, I believe it's a tarball of the actual CVS tree, not the export (or checked out) tree. This should at least get you around your firewall issues :) Alternately, I make a snapshot at midnight CDT, that is a checked out version, it's available (if you want to trust me :)) at:
>
> http://www.danger.ms/~billm/snort-current.tgz

Did you actually LOOK before stating this?

snort-daily.tar.gz is a snapshot of the latest version of snort generated daily. If you want the latest (and sometimes greatest) bleeding edge snort, get snort-daily.tar.gz from snort.sourceforge.net. "Current" is not for general consumption, but it is usually what is being actively looked at by the developers.

--
Brian Caswell
The MITRE Corporation

End of Snort-users Digest
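As an added example (not code from the thread and not Snort's own parser), the following Python shows the two ways out of Paul's "c:" problem that the thread points at, and a small decoder that reproduces the failure mode. A content value with a bare ':' is rejected, while Graham's backslash-escaped form and the |hex| form both decode to the bytes b'c:'. The set of characters treated as special is an assumption: ';', '\' and '"' are the ones the Snort manual lists for content, and ':' is included only because this thread reports Snort 1.7 rejecting it; later Snort releases accept a bare colon inside content. The rule lines in the __main__ block are Paul's and Graham's, copied from the thread.

```python
"""Snort content-option escaping and decoding.

Added example, not code from the thread or from Snort itself. A rule's option
section is split on ';' and a content value is a double-quoted string, so some
characters cannot appear bare inside content:"...". The Snort manual lists ';',
'\\' and '"' as needing a backslash; ':' is added here only because this thread
reports Snort 1.7 rejecting it (later versions accept a bare colon).
"""
import re

# Characters treated as special inside content:"..." (assumption noted above).
SPECIAL = frozenset(';\\":')

def content_escaped(data: bytes) -> str:
    """Quoted content value: printable bytes literal with specials
    backslash-escaped, everything else in |hex| runs.  b'c:' -> "c\\:"."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append('|' + ' '.join('%02X' % b for b in hexrun) + '|')
            hexrun.clear()

    for b in data:
        ch = chr(b)
        if 0x20 <= b < 0x7F and ch != '|':   # '|' opens a hex run, so hex it
            flush()
            out.append('\\' + ch if ch in SPECIAL else ch)
        else:
            hexrun.append(b)
    flush()
    return '"' + ''.join(out) + '"'

def content_hex(data: bytes) -> str:
    """Same bytes entirely in |hex| notation, which needs no escaping at all.
    b'c:' -> "|63 3A|"."""
    return '"|' + ' '.join('%02X' % b for b in data) + '|"'

def content_decode(value: str) -> bytes:
    """Bytes a content value will match.  Raises ValueError on a bare special,
    which is the failure Paul saw with content: "c:" on Snort 1.7."""
    value = value.strip()
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError('content value must be enclosed in double quotes')
    body, out, i = value[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i]
        if ch == '\\':                        # backslash escape: next char literal
            if i + 1 >= len(body):
                raise ValueError('dangling backslash')
            out.append(ord(body[i + 1]))
            i += 2
        elif ch == '|':                       # |63 3A| style hex run
            end = body.find('|', i + 1)
            if end < 0:
                raise ValueError('unterminated |hex| run')
            out += bytes.fromhex(body[i + 1:end])   # fromhex skips the spaces
            i = end + 1
        elif ch in SPECIAL:
            raise ValueError('unescaped %r: write \\%s or |%02X|' % (ch, ch, ord(ch)))
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)

def content_problem(value: str):
    """The decoder's complaint for a content value, or None if it is fine."""
    try:
        content_decode(value)
    except ValueError as err:
        return str(err)
    return None

def rule_content(rule: str) -> bytes:
    """Extract and decode the content option of a one-line rule."""
    opts = re.search(r'\((.*)\)\s*$', rule)
    if not opts:
        raise ValueError('rule has no option section')
    # quoted value, allowing backslash-escaped characters (including \") inside
    m = re.search(r'content\s*:\s*("(?:[^"\\]|\\.)*")', opts.group(1))
    if not m:
        raise ValueError('rule has no content option')
    return content_decode(m.group(1))

if __name__ == '__main__':
    # Paul's failing rule and Graham's escaped one, both quoted from the thread.
    rules = [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing c:"; content: "c:"; nocase;)',
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing C:"; content:"c\\:"; nocase;)',
    ]
    for rule in rules:
        try:
            print('matches', rule_content(rule), '<-', rule)
        except ValueError as err:
            print('REJECTED:', err, '<-', rule)
    print('hex form for the same bytes:', content_hex(b'c:'))
```

When a rule is generated from untrusted or binary data (a malware sample's path string, a banner with CR/LF), content_hex is the safer choice because it never depends on which characters a given Snort version treats as special; the backslash form is more readable for hand-written rules. Note that this decoder only looks at content; Graham's observation that the ':' is dropped from msg is a separate quirk of the msg option on Snort 1.7 and is not modelled here.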
Current thread:
- Content "c:" Sheahan, Paul (PCLN-NW) (Jun 19)
- Re: Content "c:" Erek Adams (Jun 19)
- <Possible follow-ups>
- RE: Content "c:" Sheahan, Paul (PCLN-NW) (Jun 19)
- Re: Content "c:" Graham M Locke (Jun 20)
- FYI - Avoiding bullet->foot w/ Syslog (was Content "c:") A.L.Lambert (Jun 20)