Snort mailing list archives
Re: Snort-users digest, Vol 1 #1553 - 15 msgs
From: Wynn Fenwick <wfenwick () FHLSim com>
Date: Tue, 05 Feb 2002 19:28:18 -0500
I would speculate the only way to do this is to fully populate the table with the alerts in it before any alerts are submitted. This way they are all in sync together. However, this will have to be repeated when new signatures come out with new sids. The problem is that the sid table's index does not use the sid of the signature directly. For your existing setup, you'll likely have to do some UPDATEs on the sid table so they are all in sync manually. Ouch. I suspect that binding them in ACID itself would cause other problems, but I'm sure Roman can speculate much more in-depth than I.

W

snort-users-request () lists sourceforge net wrote:
Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

------------------------------------------------------------------------

Today's Topics:

1. Suspicious email message intercepted ('IT Virus Filter')
2. Re: what does flags: A+ mean in the snort rules? (James Hoagland)
3. RE: what does flags: A+ mean in the snort rules? (Wirth, Jeff)
4. Re: what does flags: A+ mean in the snort rules? (James Hoagland)
5. Re: (new?) worm or bot signature - echo request (Stephane Nasdrovisky)
6. Yahoo Messenger? (tyler () ibill com)
7. centralized mysql collation (David E. Wach)
8. (no subject) (Edward Cole)
9. RE: what does flags: A+ mean in the snort rules? (Grimes, Shawn (NIA/IRP))
10. Re: what does flags: A+ mean in the snort rules? (Charles)
11. Signaled Stop/Start? (Chip Kelly)
12. Re: [Snort-devel] 1.8.4-beta1 feedback? (Jeff Nathan)
13. 2 Issues (David Chait)
14. RE: mySQL Data Question (Graham, Randy (RAW))
15. RE: [Snort-devel] 1.8.4-beta1 feedback? (Smith, Donald)

------------------------------------------------------------------------

Subject: [Snort-users] Suspicious email message intercepted
Date: Tue, 5 Feb 2002 13:46:45 -0500 (EST)
From: "'IT Virus Filter'" <virus () bur-mbx1 genuity com>
To: <snort-users () lists sourceforge net>

Hello-

You are receiving this message because an email message with a suspicious attachment was intercepted by the POP server. It is possible that the message was actually valid, and simply shared some common features with email viruses such as the 'lovebug' virus. Replies to virus () bur-mbx1 genuity com are not read; this is an automated process to facilitate forwarding the executable attachment. You must follow these instructions exactly in order for the software to forward the email.

If you can confirm that this is indeed a valid email message, and not a virus, then simply respond to this message, pasting the following information into the Subject: field (copied exactly, all on one line, starting with "Message re-delivery"):

example: Message re-delivery request -459023xadf-27af834-_12350_0

Message re-delivery request -003501c1ae73-d03d87d0-b467e4c3-swsdb-_28895_0

Some identifying information about the message:
Sender: "Szilagyi Gergely" <szilagyi () direkt-kfki hu>
Subject: Re: [Snort-users] Snort and MsSQL
Attachment: "Re_ [Snort-users] Having Snort log to a remote SQL server....eml"
Attachment: "spo_database.c"
Attachment: "Re_ [Snort-users] How to place Snort machine on the network _.eml"
Attachment: "Fw_ [Snort-users] what changes are required to move from MySQL toMSSQL_.eml"
Attachment: "Re_ [Snort-users] what changes are required to move from MySQL toMSSQL_.eml"

We realize that this process is somewhat cumbersome, but, given the amount of damage that can be caused by email viruses, this is less disruptive in the long run. Please send email to <helpdesk () genuity com> if you have any questions or concerns.

Thank you-
Genuity IT

------------------------------------------------------------------------

Subject: Re: [Snort-users] what does flags: A+ mean in the snort rules?
Date: Tue, 5 Feb 2002 11:09:06 -0800
From: James Hoagland <hoagland () SiliconDefense com>
To: Charles <quanxing () Eng Auburn EDU>
CC: snort-users () lists sourceforge net
References: <Pine.SOL.4.10.10202051220100.14362-100000 () lab45 eng auburn edu>

At 12:27 PM -0600 2/5/02, Charles wrote:
> I know A is for ack bit, but what does the + mean here?

'A+' means the ack bit must be set, and other TCP flag bits may also be set. 'A' by itself means that ack is the only bit set.

-- Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|

------------------------------------------------------------------------

Subject: RE: [Snort-users] what does flags: A+ mean in the snort rules?
Date: Tue, 5 Feb 2002 14:17:37 -0500
From: "Wirth, Jeff" <WirthJe () DNB com>
To: "'Charles'" <quanxing () Eng Auburn EDU>
CC: snort-users () lists sourceforge net

+ All flag, match on all specified flags plus any others...

- Jeff

-----Original Message-----
From: Charles [mailto:quanxing () Eng Auburn EDU]
Sent: Tuesday, February 05, 2002 1:28 PM
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] what does flags: A+ mean in the snort rules?

I know A is for ack bit, but what does the + mean here?

Thank you very much!

Charles

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------

Subject: Re: [Snort-users] what does flags: A+ mean in the snort rules?
Date: Tue, 5 Feb 2002 11:09:06 -0800
From: James Hoagland <hoagland () SiliconDefense com>
To: Charles <quanxing () Eng Auburn EDU>
CC: snort-users () lists sourceforge net
References: <Pine.SOL.4.10.10202051220100.14362-100000 () lab45 eng auburn edu>

At 12:27 PM -0600 2/5/02, Charles wrote:
> I know A is for ack bit, but what does the + mean here?

'A+' means the ack bit must be set, and other TCP flag bits may also be set. 'A' by itself means that ack is the only bit set.

-- Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|

------------------------------------------------------------------------

Subject: Re: [Snort-users] (new?) worm or bot signature - echo request
Date: Tue, 05 Feb 2002 20:39:32 +0100
From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Organization: uniwayers
To: Scott Nursten <scottn () s2s ltd uk>
CC: snort-users () lists sourceforge net
References: <B88494BE.10C%scottn () s2s ltd uk>

Scott Nursten wrote:
> What version of Snort is this? If it's 1.8.3,

It was a snort 1.8.1 on solaris 8/sparc

> there were some problems with the stream4 (I think) preprocessor which was allowing for some pretty unbelievable packet mangling by the time it hit the log :)
> Your packet looks like a ICMP mangled with DHCP/BOOTP...!?
> I could be wrong, but I don't see why DHCP info would be in an ICMP packet...!

I don't see either. There is no dhcp server on the network snort is listening on, our dhcp server is not serving any 192.168.0.* address, the mac address is not one of ours. I bet the icmp packet did really contain this data, it is probably not a snort bug. Another alternative is a flaw in the ip stack of the sender. I've sometimes seen packets (especially reset) containing data they should not contain (i.e. a browser sending back part of the server's answer). Although I sometimes suspect some snort undocumented features, I've seen the same kind of behaviour in snoop outputs. I had never looked at dhcp packets, at least, I learned what dhcp packets look like now. I was thinking of some malicious code reporting back their activity.

> Anyone else got any ideas?

I received a strange icmp packet. The payload contains
SERVER Offered | Offering: 192.168.0.31 To: 0030651278CF By:19
213.221.141.64 -> 195.72.91.xxx ICMP TTL:233 TOS:0x0 ID:23287 IpLen:20

------------------------------------------------------------------------

Subject: [Snort-users] Yahoo Messenger?
Date: Tue, 5 Feb 2002 14:41:21 -0500
From: tyler () ibill com
To: snort-users () lists sourceforge net

Anyone had any success with a sig for yahoo messenger traffic [including the proxy-over-http configurations?] or, better still, a surefire way to block it?

tf.

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager at postmaster () ibill com.
**********************************************************************

------------------------------------------------------------------------

Subject: [Snort-users] centralized mysql collation
Date: Tue, 5 Feb 2002 11:51:37 -0800
From: "David E. Wach" <david () ignw com>
To: <snort-users () lists sourceforge net>

Hello all,

I'm currently running snort at 3 remote sites with logging going to the local mysql daemon on each sensor. I'm using the binary logging in mysql and transfer the logs periodically to my central log server. I then run the binary logs through mysqlbinlog to "replay" the sql and insert the events into my main database. This way I don't have to leave a connection up to each of the sites 24/7.

The problem I'm running into is the way the mysql schema is set up. Since the entries in the "signature" table are inserted on-the-fly on the remote databases, they don't match the "signature" table on my master database. What might be "WEB-IIS _mem_bin access" on one IDS server ends up being "Traceroute UDP" on the other. Any ideas on how to get all the signatures to correlate to each other? I've got the same problem with the references too.

Anybody else run into this and come up with a solution?

Thanks for any insight,
-david

--
===============================================
David E. Wach
Senior Managed Security Architect
david () ignw com
InfoGroup Northwest
541.485.0957 x168
===============================================

------------------------------------------------------------------------

Subject: [Snort-users] (no subject)
Date: Tue, 05 Feb 2002 19:50:17
From: "Edward Cole" <elcole () hotmail com>
To: snort-users () lists sourceforge net

Folks,

Is there a way to add mysql database support after snort has already been compiled?? How do I configure the snort.conf file??

Ed Cole

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

------------------------------------------------------------------------

Subject: [Snort-users] RE: what does flags: A+ mean in the snort rules?
Date: Tue, 5 Feb 2002 14:51:46 -0500
From: "Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>

It means any packet with the Ack bit set and any other flag.

-- __--__--

Message: 4
Date: Tue, 5 Feb 2002 12:27:34 -0600 (CST)
From: Charles <quanxing () Eng Auburn EDU>
cc: snort-users () lists sourceforge net
Subject: [Snort-users] what does flags: A+ mean in the snort rules?

I know A is for ack bit, but what does the + mean here?

Thank you very much!

Charles

-- __--__--

------------------------------------------------------------------------

Subject: Re: [Snort-users] what does flags: A+ mean in the snort rules?
Date: Tue, 5 Feb 2002 13:53:53 -0600 (CST)
From: Charles <quanxing () Eng Auburn EDU>
To: James Hoagland <hoagland () SiliconDefense com>
CC: snort-users () lists sourceforge net

Thank you very much!

Charles

On Tue, 5 Feb 2002, James Hoagland wrote:
> At 12:27 PM -0600 2/5/02, Charles wrote:
> > I know A is for ack bit, but what does the + mean here?
>
> 'A+' means the ack bit must be set, and other TCP flag bits may also be set. 'A' by itself means that ack is the only bit set.
>
> -- Jim
>
> --
> |* Jim Hoagland, Associate Researcher, Silicon Defense *|
> |* --- Silicon Defense: IDS Solutions --- *|
> |* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
> |* Voice: (530) 756-7317 Fax: (530) 756-7297 *|

------------------------------------------------------------------------

Subject: [Snort-users] Signaled Stop/Start?
Date: Tue, 5 Feb 2002 15:11:41 -0500
From: Chip Kelly <Chip.Kelly () sas com>
To: snort-users () lists sourceforge net

Is there a way to quickly, and gracefully, stop SNORT and re-start it to pick up configuration file changes?

I'm using

ps -ael | grep snort | kill ` awk ' { print $4 } ' `
snort .... parameters ....

in a script, but is there a signal that I can pass to snort that causes a restart? Similar to the signal that causes stats to be dumped without actually stopping and starting the process.

Thanks.

-chip

------------------------------------------------------------------------

Subject: [Snort-users] Re: [Snort-devel] 1.8.4-beta1 feedback?
Date: Tue, 05 Feb 2002 13:42:19 -0800
From: Jeff Nathan <jeff () snort org>
To: "Smith, Donald" <Donald.Smith () qwest com>
CC: "'Jeff Nathan'" <jeff () snort org>, Martin Roesch <roesch () sourcefire com>, snort-users <snort-users () lists sourceforge net>, snort-dev <snort-devel () lists sourceforge net>
References: <2D00AD0E4D36D411BD300008C786E424069BF0C8 () Denntex021 qwest net>

"Smith, Donald" wrote:
> Jeff, what happened to the synscan kill code I sent you. Did you reject it for some reason?
>
> Donald.Smith () qwest com GCIA
> QIS/WWN Security
> 303-226-9939 Office
> 720-320-1537 cell

Donald,

I still have the code, thanks for spending the time working on it. As of now it hasn't been integrated into snort due to the use of static data used within the proof of concept code as well as our desire to simplify and optimize the code. We're looking at what can be added to the sp_respond code to try and shutdown backdoors, etc but I suspect there will be some debate before that is completed.

-Jeff

--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein

------------------------------------------------------------------------

Subject: [Snort-users] 2 Issues
Date: Tue, 5 Feb 2002 13:59:11 -0800
From: "David Chait" <davidc () bonair stanford edu>
To: <snort-users () lists sourceforge net>

Greetings,

I am relatively new to snort and need to do the following, any assistance would be greatly appreciated:

#1 My current snort sensor constantly stops scanning within 24 hours, it is not overloaded, so I was wondering what could be causing this behavior

#2 I need to add a second snort sensor to report to the same mysql database, how?

Thanks,
David Chait

------------------------------------------------------------------------

Subject: RE: [Snort-users] mySQL Data Question
Date: Tue, 5 Feb 2002 17:10:22 -0500
From: "Graham, Randy (RAW)" <RAW () y12 doe gov>
To: snort-users () lists sourceforge net

If you get any answers to this question, please share it. I'm just getting snort going with mysql at my site, but we will face this issue soon.

Randy Graham

--
The Internet? Bah! Is that thing still around? -- Homer Simpson
http://www.securitynewbie.com/ - for people like me

-----Original Message-----
From: Mike Walter [mailto:mike () pcdnet net]
Sent: Monday, February 04, 2002 12:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] mySQL Data Question

Okay, so I have looked in the archive lists and the FAQ. What is the best way to archive data from the mySQL database of SNORT. I have over 2 million records and it's running slow. I'd like to move the data into the archive_database by date range.

Mike Walter, MCP
PCD Network Solutions, Inc.
3z.net a PCD Company <http://www.3z.net>
"When Success is the Only Solution t h i n K 3z.net"

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------

Subject: [Snort-users] RE: [Snort-devel] 1.8.4-beta1 feedback?
Date: Tue, 5 Feb 2002 16:11:26 -0700
From: "Smith, Donald" <Donald.Smith () qwest com>
To: "'Jeff Nathan'" <jeff () snort org>, "Smith, Donald" <Donald.Smith () qwest com>
CC: Martin Roesch <roesch () sourcefire com>, snort-users <snort-users () lists sourceforge net>, snort-dev <snort-devel () lists sourceforge net>

Jeff,

I believe the static data you're referring to is hardcoded data because that is what it takes to kill synscan1.5 or 1.6. A packet from www.microsoft.de on port 80 to port 31337 on the scanning machine. I realize this is a little specialized but it would affect a large number of scanners. Since a large part of the scanning being done on the net is still using synscan1.5/1.6 code I had hoped to get this patch accepted soon.

I did send you two versions. Just to be sure you have the correct version I am including the latest version. It is for 1.8.3 not 1.8.4. and precaches the tcpsyn packet.

Donald.Smith () qwest com GCIA
QIS/WWN Security
303-226-9939 Office
720-320-1537 cell

-----Original Message-----
From: Jeff Nathan [mailto:jeff () snort org]
Sent: Tuesday, February 05, 2002 2:42 PM
To: Smith, Donald
Cc: 'Jeff Nathan'; Martin Roesch; snort-users; snort-dev
Subject: Re: [Snort-devel] 1.8.4-beta1 feedback?

"Smith, Donald" wrote:
> Jeff, what happened to the synscan kill code I sent you. Did you reject it for some reason?
>
> Donald.Smith () qwest com GCIA
> QIS/WWN Security
> 303-226-9939 Office
> 720-320-1537 cell

Donald,

I still have the code, thanks for spending the time working on it. As of now it hasn't been integrated into snort due to the use of static data used within the proof of concept code as well as our desire to simplify and optimize the code. We're looking at what can be added to the sp_respond code to try and shutdown backdoors, etc but I suspect there will be some debate before that is completed.

-Jeff

--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

[Attachment: SNORT_1.8.tar, Unix Tape Archive (application/x-tar), base64]

------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
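David Wach's "centralized mysql collation" problem and Wynn's reply above both come down to one thing: each sensor's signature table hands out its auto-increment sig_id in the order that sensor first fired each rule, so a replayed event row carries a number that means something else on the master. The following is an added example (not from the thread, and not Snort's or ACID's own code) that reproduces the mix-up in miniature with sqlite and shows a merge-time alternative to Wynn's manual UPDATEs: rewrite each event's signature column through a map keyed on the rule itself. It assumes a cut-down schema (sig_name, sig_sid, sig_rev) and uses constructed sample rows.

```python
import sqlite3

# Constructed sample data (not from the thread); a cut-down Snort/ACID schema.
MASTER_SIGS = [  # (sig_id, sig_name, sig_sid, sig_rev) as the master first saw them
    (1, "WEB-IIS _mem_bin access", 1002, 2),
    (2, "Traceroute UDP", 385, 1),
]
SENSOR_SIGS = [  # same rules, but this sensor's auto-increment numbered them differently
    (1, "Traceroute UDP", 385, 1),
    (2, "WEB-IIS _mem_bin access", 1002, 2),
    (3, "ICMP PING NMAP", 469, 1),  # a rule the master has never seen yet
]
SENSOR_EVENTS = [  # (sid, cid, signature, timestamp); "signature" is the sensor-local sig_id
    (2, 1, 1, "2002-02-05 19:00:00"),
    (2, 2, 2, "2002-02-05 19:00:01"),
    (2, 3, 3, "2002-02-05 19:00:02"),
]

def build_db(signatures):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signature (sig_id INTEGER PRIMARY KEY AUTOINCREMENT,"
               " sig_name TEXT, sig_sid INTEGER, sig_rev INTEGER)")
    db.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,"
               " timestamp TEXT, PRIMARY KEY (sid, cid))")
    db.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)", signatures)
    return db

def event_names(db):
    # Name a console shows per event; an event with an unknown sig_id drops out of the join.
    return list(db.execute("SELECT e.cid, s.sig_name FROM event e JOIN signature s"
                           " ON s.sig_id = e.signature ORDER BY e.cid"))

def sig_id_map(master, sensor_sigs):
    # Sensor sig_id -> master sig_id keyed on the rule itself; unseen rules are added.
    mapping = {}
    for local_id, name, sid, rev in sensor_sigs:   # rows read from the sensor's table
        row = master.execute("SELECT sig_id FROM signature WHERE sig_name = ?"
                             " AND sig_sid = ? AND sig_rev = ?", (name, sid, rev)).fetchone()
        if row is None:
            row = (master.execute("INSERT INTO signature (sig_name, sig_sid, sig_rev)"
                                  " VALUES (?, ?, ?)", (name, sid, rev)).lastrowid,)
        mapping[local_id] = row[0]
    return mapping

def merge_events(master, sensor_sigs, sensor_events):
    # Replay the sensor's events into the master with the signature column rewritten.
    mapping = sig_id_map(master, sensor_sigs)
    master.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)",
                       [(sid, cid, mapping[sig], ts) for sid, cid, sig, ts in sensor_events])
    master.commit()
    return mapping

def demo():
    # Returns (names after a raw row copy, names after the remapped merge).
    raw, fixed = build_db(MASTER_SIGS), build_db(MASTER_SIGS)
    raw.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", SENSOR_EVENTS)  # as a binlog replay does
    merge_events(fixed, SENSOR_SIGS, SENSOR_EVENTS)
    return event_names(raw), event_names(fixed)
```

The raw copy shows the two names swapped and the third event silently missing; the same map can be applied to the reference tables David mentions.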
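The flags: A+ answers above (ack set, other bits allowed, versus A meaning ack and nothing else) are one case of Snort's flags modifiers; the added example below (not Snort's code) implements the option's matching as a small function and covers the other modifiers Snort accepts, + (all listed bits plus any others), * (any listed bit) and ! (none of the listed bits). The bit values are the TCP header flag bits; mapping the rule letters 1 and 2 to 0x80 and 0x40 is an assumption about Snort's naming of the reserved bits.

```python
# TCP flags byte as Snort's rule syntax names the bits ('1' and '2' are the
# reserved bits; their 0x80/0x40 values are an assumption, see lead-in).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
MODIFIERS = "+*!"

def parse_flags_option(option):
    """Split the text after 'flags:' into (flag bitmask, modifier or '')."""
    bits, modifier = 0, ""
    for ch in option.strip():
        if ch in MODIFIERS:
            if modifier:
                raise ValueError("only one modifier allowed: %r" % option)
            modifier = ch
        elif ch == "0":
            pass                          # '0' selects "no flags set"; mask stays 0
        else:
            bits |= TCP_FLAG_BITS[ch]     # KeyError on anything that is not a flag letter
    return bits, modifier

def flags_match(option, packet_flags):
    """True if a packet whose TCP flags byte is packet_flags satisfies the option."""
    bits, modifier = parse_flags_option(option)
    if modifier == "+":                   # all listed bits set, anything else may be set too
        return packet_flags & bits == bits
    if modifier == "*":                   # at least one of the listed bits set
        return packet_flags & bits != 0
    if modifier == "!":                   # none of the listed bits set
        return packet_flags & bits == 0
    return packet_flags == bits           # no modifier: exactly these bits and no others

def classify(packet_flags):
    """Which of a few constructed rule options a packet's flags byte would match."""
    return [opt for opt in ("A", "A+", "S", "SF", "SF*", "PA", "!R", "0")
            if flags_match(opt, packet_flags)]
```

A data segment with PSH and ACK set (0x18) matches A+ and PA but not A, which is exactly the distinction Jim draws above.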