Snort mailing list archives

Email Alerts


From: "Dinesh Raj" <dinesh.v () net4india net>
Date: Tue, 4 Mar 2003 14:56:13 +0530

Hi all,
   Can anyone help me in solving this issue?
 I have Snort; I want the alerts to come in emails, taking the data from
MySQL. Is there anyone who has some script, or can explain to me the steps
to do it? I will be grateful.


Thanks in advance

Regards,

V.Dinesh Raj
Engineer Networking
Net 4 India Ltd.,
No-17,Khader Nawaz khan road,
Nungambakkam,
Chennai-600024,
Tel: +91 044 8203511 Extn.310

URL: http://www.net4india.com

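One way to do what the question above asks for, written as an added example for this archive page (it is not a script from the poster or from the Snort project). It uses the table and column names of Snort's own database output schema (event, signature, iphdr; ip_src/ip_dst stored as unsigned integers), but runs against an in-memory sqlite3 database seeded with constructed sample rows so it works offline. Against the real MySQL database you would replace the connection with a MySQL driver and keep the SQL as it is. The sender and recipient addresses are placeholders, and nothing is actually sent: build_alert_mail() returns the message that a caller would hand to smtplib. The high-water mark is kept per sensor id (sid) on the event counter (cid), which is how Snort numbers events, so a poll never re-mails an alert it already reported.

```python
"""Mail new Snort alerts out of the Snort database schema (added example)."""
import sqlite3
import ipaddress
from email.message import EmailMessage

# Minimal subset of Snort's database schema, same names as Snort's create_mysql.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE signature (sig_id INTEGER, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER);
"""

def _ip(dotted):
    # Snort stores addresses as unsigned 32-bit integers.
    return int(ipaddress.IPv4Address(dotted))

# Constructed sample rows: two sensors (sid 1 and 2), three alerts in total.
SAMPLE_ROWS = {
    "signature": [(1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1)],
    "event": [(1, 1, 1, "2003-03-04 09:00:01"), (1, 2, 2, "2003-03-04 09:00:05"),
              (2, 1, 1, "2003-03-04 09:01:00")],
    "iphdr": [(1, 1, _ip("192.0.2.10"), _ip("198.51.100.5"), 1),
              (1, 2, _ip("192.0.2.11"), _ip("198.51.100.8"), 6),
              (2, 1, _ip("203.0.113.7"), _ip("198.51.100.5"), 1)],
}

def open_sample_db():
    """In-memory stand-in for the MySQL database, filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():  # table names come from our own dict
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def fetch_new_alerts(conn, last_seen):
    """Return (alerts newer than last_seen, updated last_seen); last_seen is {sid: cid}."""
    query = """
        SELECT e.sid, e.cid, e.timestamp, s.sig_name, s.sig_priority,
               i.ip_src, i.ip_dst, i.ip_proto
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE e.sid = ? AND e.cid > ?
        ORDER BY e.cid
    """
    alerts = []
    new_marks = dict(last_seen)
    sensors = [row[0] for row in conn.execute("SELECT DISTINCT sid FROM event ORDER BY sid")]
    for sid in sensors:
        for row in conn.execute(query, (sid, last_seen.get(sid, 0))):
            sid, cid, ts, name, prio, src, dst, proto = row
            alerts.append({
                "sid": sid, "cid": cid, "timestamp": ts, "signature": name,
                "priority": prio, "src": str(ipaddress.IPv4Address(src)),
                "dst": str(ipaddress.IPv4Address(dst)), "proto": proto,
            })
            new_marks[sid] = cid  # advance the per-sensor high-water mark
    return alerts, new_marks

def build_alert_mail(alerts, sender, recipient):
    """Format the alerts as one plain-text mail, one line per alert."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[snort] {len(alerts)} new alert(s)"
    lines = [f"{a['timestamp']} sid={a['sid']} cid={a['cid']} prio={a['priority']} "
             f"{a['src']} -> {a['dst']} proto={a['proto']} {a['signature']}"
             for a in alerts]
    msg.set_content("\n".join(lines) + "\n")
    return msg

if __name__ == "__main__":
    db = open_sample_db()
    new, marks = fetch_new_alerts(db, {})
    # placeholder addresses; a real deployment would pass msg to smtplib.SMTP.send_message
    print(build_alert_mail(new, "snort@example.invalid", "soc@example.invalid"))
    print("high-water marks:", marks)
```

Persist the returned marks between runs (a small file is enough) and run the poll from cron; a second call with the previous marks returns nothing, as the stand-in data shows.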

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, March 04, 2003 5:47 AM
Subject: Snort-users digest, Vol 1 #2856 - 3 msgs




Today's Topics:

   1. Re: Signature for IPSec encrypted VPN tunnel (Matt Kettler)
   2. SMB alerts doesn't work. (Jimmy Hernandez)
   3. snort 1.9.x still holds fd open on sighup (Michael Scheidell)

--__--__--

Message: 1
Date: Mon, 03 Mar 2003 17:44:15 -0500
To: NTD <ntd100566 () yahoo com au>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Signature for IPSec encrypted VPN tunnel

Well, one REALLY simple way to do this is look for esp/ip or ah/ip type
packets. These are IP protocols 50 and 51 respectively. No non-ipsec
traffic will generate these.

IPSec does not use normal tcp/ip or udp/ip (note: ISAKMP does use udp, but
that only applies if they are doing dynamic key exchange).

Unfortunately snort currently doesn't understand the idea of protocols
other than ip, tcp, udp or arp. It would be nice to be able to do
something like:

alert ip any any -> any any (transportprotocol:50; msg:"Ipsec ESP data";)
alert ip any any -> any any (transportprotocol:51; msg:"Ipsec AH data";)

In theory, if you specify the transport protocol by number, and limit
yourself to the IP layer, it shouldn't be hard for snort to support stuff
like this, but it currently does not (at least, not to my knowledge). It
would however be a GREAT way to shim in some minimal processing of
transport layer protocols other than tcp or udp by examining them at the
IP layer and constricting it to that transport protocol.... you wouldn't
have built-in parsing of the fields in that header, but it's better than
nothing.


Actually, with a bit of thinking about depth and offset, one might be able
to fake this rule... the protocol is the 10th byte of the IP layer header..

alert ip any any -> any any (content:"|32|"; offset:10; depth:1; msg:"Ipsec ESP data";)

Anyone have any feedback on this rule attempting to check for the hex byte
0x32 (aka 50) at an offset of 10 bytes from the start of the IP header?
Or does snort calculate the offset from the start of the data instead of
the header, making this not work?



At 01:28 PM 2/28/2003 +1100, you wrote:

Hi All,

Does anyone know that how to create a signature for IPSec encrypted VPN
tunnel i.e authentication using cryptographic hashes such as SHA and MD5
?
or and IDS currently have that feature?



Thanks in advance

Nguyen




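The protocol-number check Matt describes, carried out in code as an added example for this archive page (not code from either poster or from the Snort project). It parses raw IPv4 packets with the Python standard library and reports protocol 50 (ESP) and 51 (AH), which is exactly the "esp/ip or ah/ip" test suggested above. It also answers the question at the end of his message: the protocol number is byte 9 (zero-based) of the IP header, while a content/offset match searches the data after the header, so the header byte is never inside the matched region. The sample packets are constructed, not captured, and the header checksum is left at zero because the parser does not verify it.

```python
"""Flag IPsec ESP/AH traffic by the IPv4 protocol field (added example)."""
import struct

ESP, AH = 50, 51
IPSEC_PROTOCOLS = {ESP: "ESP", AH: "AH"}

def parse_ipv4_header(packet: bytes) -> dict:
    """Return the fixed IPv4 header fields; raise on truncated or non-IPv4 input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def ipsec_kind(packet: bytes):
    """'ESP', 'AH', or None for anything else (TCP, UDP, ICMP, ...)."""
    return IPSEC_PROTOCOLS.get(parse_ipv4_header(packet)["proto"])

def payload(packet: bytes) -> bytes:
    """The bytes that follow the IP header: what a payload-relative content match sees."""
    return packet[parse_ipv4_header(packet)["ihl"]:]

def build_ipv4(proto: int, body: bytes, src="192.0.2.1", dst="198.51.100.2") -> bytes:
    """Construct a minimal 20-byte-header IPv4 packet (checksum left zero)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, 0, 64,
                         proto, 0, src_b, dst_b)
    return header + body

# Constructed samples: ESP (SPI, sequence, opaque ciphertext), AH, and plain TCP.
SAMPLES = {
    "esp": build_ipv4(ESP, struct.pack("!II", 0x1000, 7) + b"\xde\xad\xbe\xef" * 4),
    "ah":  build_ipv4(AH, bytes([6, 4, 0, 0]) + struct.pack("!II", 0x2000, 7) + b"\x00" * 12),
    "tcp": build_ipv4(6, b"\x00\x50\x00\x50" + b"\x00" * 16),
}

def summarize(samples=SAMPLES) -> dict:
    """Per sample: protocol number, IPsec kind, and whether an offset-10 0x32
    content match on the payload would have fired (it should not)."""
    out = {}
    for name, pkt in samples.items():
        hdr = parse_ipv4_header(pkt)
        data = payload(pkt)
        out[name] = {"proto": hdr["proto"], "ipsec": ipsec_kind(pkt),
                     "payload_byte_10_is_0x32": len(data) > 10 and data[10] == 0x32}
    return out

if __name__ == "__main__":
    for name, info in summarize().items():
        print(name, info)
```

The same check is what a sensor would keep as a low-noise inventory signal: ESP or AH appearing from a host that is not a known VPN endpoint is worth an alert, whereas the content-offset rule above would match 0x32 in unrelated payloads and miss the header field it was aimed at.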



--__--__--

Message: 2
Date: Mon, 3 Mar 2003 14:35:03 -0800
From: "Jimmy Hernandez" <jimmyh () provcom com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] SMB alerts doesn't work.


I am currently using snort 1.9.0 on OpenBSD 3.2. I am having a problem
with the smbalerts. I checked the snort configure file and it has the
plug-in for smbalerts. I also ran it specifying the switch ./configure
--enable-smbalerts, then make and make install; all looks good, but when I
try to run snort -c snort.conf -b -M workstation I keep getting the
error: "SMB support not compiled into program, exiting...   Fatal
Error, Quitting.."

I made sure that the /etc/services file has all the appropriate settings
for netbios etc. Everything else I've tried is running fine.

I can't find any whitepapers that would help me fix that. I am using
SAMBA 2.2.7 and snort 1.9.0; do you think I should downgrade snort to
1.8.0? Is anyone else having this problem?

Thanks,

Jimmy Hernandez

Network Systems Engineer

jimmyh () provcom com




--__--__--

Message: 3
To: snort-users () lists sourceforge net
Date: Mon, 3 Mar 2003 17:54:48 -0500 (EST)
From: Michael Scheidell <scheidell () secnap net>
Subject: [Snort-users] snort 1.9.x still holds fd open on sighup

Snort, starting with I think 1.8.7, when compiled with --enable-flexresp,
will hold an extra fd open on sighup.

I had reported this before, and am sorry for not totally tracking it
down, but it still does it on snort 1.9.1.

This one is compiled without --enable-flexresp; hup works fine:

sockstat | grep snort
root     snort    34180    4 dgram  syslogd[76]:3
killall -HUP snort
sockstat | grep snort
root     snort    34180    4 dgram  syslogd[76]:3

Looks fine, only one fd open.

Now, compile with --enable-flexresp (using libnet 1.02a from fbsd ports).
Each hup will leave the original fd open, and open a second.
Start snort:
sockstat | grep snort
root     snort    41101   10 ip64   *:*                   *:*
root     snort    41101    4 dgram  syslogd[76]:3

killall -HUP snort
sockstat | grep snort

root     snort    41124   10 ip64   *:*                   *:*
root     snort    41124   12 ip64   *:*                   *:*
root     snort    41124    4 dgram  syslogd[76]:3

Subsequent hups will open up additional fd's till, well, you know.

--
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
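A small checker for the descriptor growth reported above, added here as an example (it is not from the poster and not part of Snort). It parses FreeBSD sockstat lines of the shape shown in the message (USER COMMAND PID FD PROTO LOCAL FOREIGN), tallies the sockets a command holds per protocol, and reports which protocols gained descriptors between a snapshot taken before the HUP and one taken after. The two snapshots are constructed from the thread's own flexresp listing. Counts are aggregated per command rather than per pid because the after-HUP listing shows a different pid. sockstat lists sockets only; a leaked pcap handle or log file would need fstat(1) instead, but the same before/after comparison applies.

```python
"""Detect socket-descriptor growth across SIGHUP from sockstat output (added example)."""
import re

SOCKSTAT_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+(?P<proto>\S+)"
)

# Constructed snapshots, copied from the flexresp case in the message above.
BEFORE_HUP = """\
root     snort    41101   10 ip64   *:*                   *:*
root     snort    41101    4 dgram  syslogd[76]:3
"""
AFTER_HUP = """\
root     snort    41124   10 ip64   *:*                   *:*
root     snort    41124   12 ip64   *:*                   *:*
root     snort    41124    4 dgram  syslogd[76]:3
"""

def parse_sockstat(text, command="snort"):
    """Return {pid: {(fd, proto), ...}} for every line that belongs to `command`."""
    held = {}
    for line in text.splitlines():
        m = SOCKSTAT_LINE.match(line)
        if not m or m["cmd"] != command:
            continue  # header line (PID is not numeric), other processes, blanks
        held.setdefault(int(m["pid"]), set()).add((int(m["fd"]), m["proto"]))
    return held

def count_by_proto(held):
    """Collapse the per-pid sets into {proto: number of descriptors}."""
    counts = {}
    for fds in held.values():
        for _fd, proto in fds:
            counts[proto] = counts.get(proto, 0) + 1
    return counts

def descriptor_growth(before_text, after_text, command="snort"):
    """{proto: after - before} over every protocol seen in either snapshot."""
    before = count_by_proto(parse_sockstat(before_text, command))
    after = count_by_proto(parse_sockstat(after_text, command))
    return {p: after.get(p, 0) - before.get(p, 0) for p in set(before) | set(after)}

def leaked_protocols(before_text, after_text, command="snort"):
    """Protocols whose descriptor count rose across the HUP, sorted."""
    growth = descriptor_growth(before_text, after_text, command)
    return sorted(p for p, delta in growth.items() if delta > 0)

if __name__ == "__main__":
    print("growth per protocol:", descriptor_growth(BEFORE_HUP, AFTER_HUP))
    print("leaking:", leaked_protocols(BEFORE_HUP, AFTER_HUP) or "none")
```

Run it against `sockstat | grep snort` captured before and after each `killall -HUP snort`; a non-empty result on every cycle is the leak described above, and the delta tells you which socket type (here the raw ip64 socket that flexresp opens) is the one not being closed.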



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



