Snort mailing list archives
Email Alerts
From: "Dinesh Raj" <dinesh.v () net4india net>
Date: Tue, 4 Mar 2003 14:56:13 +0530
hi all,

Can anyone help me in solving this issue? I have Snort, and I want the alerts to come in e-mails, taking the data from the MySQL database. Is there anyone who has some script, or who can explain to me the steps to do it? I will be grateful.

Thanks in advance.

Regards,
V.Dinesh Raj
Engineer Networking
Net 4 India Ltd.,
No-17, Khader Nawaz Khan Road, Nungambakkam, Chennai-600024
Tel: +91 044 8203511 Extn.310
URL: http://www.net4india.com

_______________________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
_______________________________________________

----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, March 04, 2003 5:47 AM
Subject: Snort-users digest, Vol 1 #2856 - 3 msgs
Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: Signature for IPSec encrypted VPN tunnel (Matt Kettler)
   2. SMB alerts doesn't work. (Jimmy Hernandez)
   3. snort 1.9.x still holds fd open on sighup (Michael Scheidell)

--__--__--

Message: 1
Date: Mon, 03 Mar 2003 17:44:15 -0500
To: NTD <ntd100566 () yahoo com au>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Signature for IPSec encrypted VPN tunnel

Well, one REALLY simple way to do this is look for esp/ip or ah/ip type packets. These are IP protocols 50 and 51 respectively. No non-ipsec traffic will generate these. IPSec does not use normal tcp/ip or udp/ip (note: ISAKMP does use udp, but that only applies if they are doing dynamic key exchange).

Unfortunately snort currently doesn't understand the idea of protocols other than ip, tcp, udp or arp. It would be nice to be able to do something like:

alert ip any any -> any any (transportprotocol:50; msg:"Ipsec ESP data";)
alert ip any any -> any any (transportprotocol:51; msg:"Ipsec AH data";)

In theory, if you specify the transport protocol by number, and limit yourself to the IP layer, it shouldn't be hard for snort to support stuff like this, but it currently does not (at least, not to my knowledge). It would however be a GREAT way to shim in some minimal processing of transport layer protocols other than tcp or udp by examining them at the IP layer and constricting it to that transport protocol.... you wouldn't have built-in parsing of the fields in that header, but it's better than nothing.
Actually, with a bit of thinking about depth and offset, might be able to fake this rule... the protocol is the 10th byte of the IP layer header..

alert ip any any -> any any (content:"|32|"; depth:0; offset:10; msg:"Ipsec ESP data";)

Anyone have any feedback on this rule attempting to check for the hex byte 0x32 (aka 50) at an offset of 10 bytes from the start of the IP header? Or does snort calculate the offset from the start of the data instead of the header, making this not work?

At 01:28 PM 2/28/2003 +1100, you wrote:
>Hi All,
>
>Does anyone know how to create a signature for IPSec encrypted VPN tunnel, i.e. authentication using cryptographic hashes such as SHA and MD5? Or does any IDS currently have that feature?
>
>Thanks in advance
>Nguyen

--__--__--

Message: 2
Date: Mon, 3 Mar 2003 14:35:03 -0800
From: "Jimmy Hernandez" <jimmyh () provcom com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] SMB alerts doesn't work.

I am currently using snort 1.9.0 on OpenBSD 3.2. I am having a problem with the smbalerts. I checked the snort configure file and it has the plug-in for smbalerts. I also ran it specifying the switch ./configure --enable-smbalerts, then make and make install; all looks good, but when I try to run snort -c snort.conf -b -M workstation I keep getting the error: "SMB support not compiled into program, exiting... Fatal Error, Quitting.."

I made sure that the /etc/services file has all the appropriate settings for netbios etc.. Everything else I've tried is running fine. I can't find any whitepapers that would help me fix that. I am using SAMBA 2.2.7 and snort 1.9.0; do you think I should downgrade snort to 1.8.0? Is anyone else having this problem?
Thanks,

Jimmy Hernandez
Network Systems Engineer
jimmyh () provcom com

--__--__--

Message: 3
To: snort-users () lists sourceforge net
Date: Mon, 3 Mar 2003 17:54:48 -0500 (EST)
From: Michael Scheidell <scheidell () secnap net>
Subject: [Snort-users] snort 1.9.x still holds fd open on sighup

Snort starting with I think 1.8.7, when compiled with --enable-flexresp, will hold an extra fd open on sighup. I had reported this before, and am sorry for not totally tracking it down, but it still does it on snort 1.9.1.

This is compiled without --enable-flexresp; hup works fine:

sockstat | grep snort
root     snort      34180    4 dgram  syslogd[76]:3

killall -HUP snort

sockstat | grep snort
root     snort      34180    4 dgram  syslogd[76]:3

Looks fine, only one fd open.

Now, compile with --enable-flexresp (using libnet 1.02a from fbsd ports). Each hup will leave the original fd open, and open a second.

Start snort:

sockstat | grep snort
root     snort      41101   10 ip64   *:*                   *:*
root     snort      41101    4 dgram  syslogd[76]:3

killall -HUP snort

sockstat | grep snort
root     snort      41124   10 ip64   *:*                   *:*
root     snort      41124   12 ip64   *:*                   *:*
root     snort      41124    4 dgram  syslogd[76]:3

Subsequent hups will open up additional fd's till, well, you know.

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
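Matt Kettler's suggestion in message 1 of the quoted digest, matching IPsec by IP protocol number instead of by TCP/UDP port, is easy to prototype outside Snort. The Python script below is an added example written for this archive page; it is not code from the thread or from the Snort project. It parses the IPv4 header of raw packets, reads the protocol field (0-based byte offset 9, the "10th byte" Matt refers to), and flags ESP (protocol 50), AH (protocol 51), ISAKMP on UDP/500 and NAT-T on UDP/4500. The packets it runs over are constructed inline, the helper names (`build_ipv4`, `build_udp`, `classify`, `scan`) are the example's own, and the header checksum is left as zero and not verified. A Snort `content` match runs against the packet payload, not the IP header, so a decoder-level check like this one (or, in Snort 2.x and later, the `ip_proto` rule option) is what the detection actually needs.

```python
"""Classify raw IPv4 packets by the protocols IPsec uses.

Added example for this archive page; not code from the thread or from Snort.
Protocol numbers are IANA-assigned: UDP=17, ESP=50, AH=51.
"""
import socket
import struct
from typing import Dict, List, Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
ISAKMP_PORT = 500    # IKE key exchange; only present with dynamic keying
NAT_T_PORT = 4500    # UDP-encapsulated ESP / IKE through NAT (RFC 3948)


def parse_ipv4(pkt: bytes) -> Optional[Dict[str, object]]:
    """Return the header fields we need, or None if this is not IPv4."""
    if len(pkt) < 20:
        return None
    version_ihl = pkt[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4          # header length, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    # The protocol field is the 10th byte of the header: 0-based offset 9.
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    return {"proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:]}


def classify(pkt: bytes) -> Optional[str]:
    """Return an alert message for IPsec-related packets, else None."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return None
    proto, src, dst, payload = hdr["proto"], hdr["src"], hdr["dst"], hdr["payload"]
    if proto == IPPROTO_ESP:
        return f"Ipsec ESP data {src} -> {dst}"
    if proto == IPPROTO_AH:
        return f"Ipsec AH data {src} -> {dst}"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if ISAKMP_PORT in (sport, dport):
            return f"ISAKMP key exchange {src}:{sport} -> {dst}:{dport}"
        if NAT_T_PORT in (sport, dport):
            return f"IPsec NAT-T (UDP-encapsulated) {src}:{sport} -> {dst}:{dport}"
    return None


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left 0."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, IHL 5 (20 bytes)
        0,                     # TOS
        20 + len(payload),     # total length
        0, 0,                  # id, flags/fragment offset
        64,                    # TTL
        proto,
        0,                     # header checksum (not verified by this example)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed UDP datagram (checksum 0 means none)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def scan(packets: List[bytes]) -> List[str]:
    """Run the classifier over raw packets and collect the alerts."""
    return [m for m in (classify(p) for p in packets) if m is not None]


# Constructed sample traffic: ESP, AH, IKE, plain TCP (no alert), IPv6 (ignored).
SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_ESP, "192.0.2.10", "198.51.100.1", b"\x00" * 16),
    build_ipv4(IPPROTO_AH, "192.0.2.10", "198.51.100.1", b"\x00" * 24),
    build_ipv4(IPPROTO_UDP, "192.0.2.10", "198.51.100.1",
               build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(6, "192.0.2.10", "198.51.100.1", b"\x00" * 20),
    b"\x60" + b"\x00" * 39,
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Run as-is it prints three alerts (ESP, AH, ISAKMP) for the five constructed packets; feed `classify` the raw bytes of each IP packet from a pcap or raw socket to use it on real traffic. The ISAKMP and NAT-T checks cover the dynamic-keying case Matt mentions; a static-keyed tunnel shows up only as protocol 50 or 51.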
Current thread:
- Email Alerts Dinesh Raj (Mar 04)
- <Possible follow-ups>
- email alerts Dinesh Raj (Mar 04)
- Re: email alerts Erek Adams (Mar 04)
- Re: email alerts Petriz, Pablo (Mar 04)
- Re: email alerts Jason Haar (Mar 04)