Snort mailing list archives
Re: Snort-users Digest, Vol 66, Issue 25
From: Matthew Meersman <mmeersman () ndi org>
Date: Wed, 30 Nov 2011 15:42:28 -0500
On 11/30/11, snort-users-request () lists sourceforge net <snort-users-request () lists sourceforge net> wrote:
> Send Snort-users mailing list submissions to
>     snort-users () lists sourceforge net
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>     snort-users-request () lists sourceforge net
> You can reach the person managing the list at
>     snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."
> When responding, please don't respond with the entire Digest. Please trim your response.
>
> Today's Topics:
>
>    1. CanSecWest 2012 Mar 7-9; 2nd call for papers, closes next week, Monday. Dec 5 2011 (Dragos Ruiu)
>    2. Re: Some alerts not logging packet data (James Lay)
>    3. How to best do DB *and* syslog logging? (Miguel Alvarez)
>    4. Re: How to best do DB *and* syslog logging? (Joel Esler)
>    5. Re: How to best do DB *and* syslog logging? (Eoin Miller)
>    6. Re: How to best do DB *and* syslog logging? (beenph)
>    7. Re: How to best do DB *and* syslog logging? (Martin Holste)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 29 Nov 2011 17:59:54 -0800
> From: Dragos Ruiu <dr () kyx net>
> Subject: [Snort-users] CanSecWest 2012 Mar 7-9; 2nd call for papers, closes next week, Monday. Dec 5 2011
> To: snort-users () lists sourceforge net
> Message-ID: <201111291759.54537.dr () kyx net>
> Content-Type: text/plain; charset="iso-8859-1"
>
> So after a dozen years or so organizing conferences, you get the urge to pull levers and try experimenting with things. So this year I sent out the CanSecWest CFP only over Twitter, and G+ publicly. Just curious as to the adoption and information dispersion rate, and some estimate of the attention these newer channels are getting.
>
> So after this experiment I hear about people having submissions and missing the CFP. So for my control set, here is the normal announce message to different e-mail lists.
> We'll do a Second CanSecWest CFP, but a brief one. Send us your proposal by the end of Monday next week, December 5, 2011. The questions and information needed are the same as usual (see website); also, for my curiosity, could you include:
>
> 12. Where did you hear about the CFP from?
>
> cheers,
> --dr
>
> --
> World Emerging Security Technology
> Vancouver, March 7-9 http://cansecwest.com
> pgpkey http://cansecwest.com/ kyxpgp
>
> ------------------------------
>
> Message: 2
> Date: Wed, 30 Nov 2011 07:08:37 -0700
> From: James Lay <jlay () slave-tothe-box net>
> Subject: Re: [Snort-users] Some alerts not logging packet data
> To: Snort <snort-users () lists sourceforge net>
> Message-ID: <CAFB85A8.EA48%jlay () slave-tothe-box net>
> Content-Type: text/plain; charset="us-ascii"
>
> Haven't received much on this, so I thought I'd try and add some more info. Here's the hit:
>
>     11/27-10:52:18.548118 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} INT_IP:51126 -> EX_IP:25
>
> u2spewfoo output:
>
>     (Event)
>         sensor id: 0    event id: 1312    event second: 1322416338    event microsecond: 548118
>         sig id: 2    gen id: 138    revision: 1    classification: 35    priority: 2
>         ip source: IN_IP    ip destination: EXT_IP
>         src port: 51126    dest port: 25    protocol: 6    impact_flag: 0    blocked: 0
>
> There's no information in the tcpdump.log file.
> Not sure this matters or not, but here are the smtp relevant entries:
>
>     preprocessor smtp: ports { 25 465 587 691 } \
>         inspection_type stateful \
>         b64_decode_depth 0 \
>         qp_decode_depth 0 \
>         bitenc_decode_depth 0 \
>         uu_decode_depth 0 \
>         log_mailfrom \
>         log_rcptto \
>         log_filename \
>         log_email_hdrs \
>         normalize cmds \
>         normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>         normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>         normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>         normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>         max_command_line_len 512 \
>         max_header_line_len 1000 \
>         max_response_line_len 512 \
>         alt_max_command_line_len 260 { MAIL } \
>         alt_max_command_line_len 300 { RCPT } \
>         alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>         alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>         alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>         valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>         valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>         valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>         valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>         xlink2state { enabled }
>
> Does anyone have any hints or ideas?
>
> Thank you.
>
> James
>
> ------------------------------
>
> Message: 3
> Date: Wed, 30 Nov 2011 09:45:00 -0700
> From: Miguel Alvarez <miguellvrz9 () gmail com>
> Subject: [Snort-users] How to best do DB *and* syslog logging?
> To: Snort Users <snort-users () lists sourceforge net>
> Message-ID: <CAMCxHFTm8wv_bJCFJ-s8KW+ETw2s2nJ+zWfuSWc7XfFxmrrbFg () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Right now, I'm logging my snort alerts back to a syslog server but I'd like to start playing with Snorby. Please correct me if I'm wrong but I think the ideal way to do this would be to log via unified2 and use barnyard to send the alert data to snorby's DB but I can't lose my syslog functionality. I really wish barnyard was able to do this on non-Windows boxes! But what would be the best way to achieve this short of running two separate snort instances?
>
> ------------------------------
>
> Message: 4
> Date: Wed, 30 Nov 2011 11:53:19 -0500
> From: Joel Esler <jesler () sourcefire com>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: Miguel Alvarez <miguellvrz9 () gmail com>
> Cc: Snort Users <snort-users () lists sourceforge net>
> Message-ID: <C1B2AFFC-E894-455B-B636-705922F50873 () sourcefire com>
> Content-Type: text/plain; charset=us-ascii
>
> Snorby reads the unified2 file directly. No need for barnyard2
>
> J
>
> On Nov 30, 2011, at 11:45 AM, Miguel Alvarez wrote:
>
>> Right now, I'm logging my snort alerts back to a syslog server but I'd like to start playing with Snorby. [...]
>
> ------------------------------
>
> Message: 5
> Date: Wed, 30 Nov 2011 16:55:16 +0000
> From: Eoin Miller <eoin.miller () trojanedbinaries com>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: snort-users () lists sourceforge net
> Message-ID: <4ED65FF4.4050105 () trojanedbinaries com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Barnyard2 does multiple outputs simultaneously.
>
> http://www.securixlive.com/barnyard2/
>
> -- Eoin
>
> On 11/30/2011 4:45 PM, Miguel Alvarez wrote:
>> Right now, I'm logging my snort alerts back to a syslog server but I'd like to start playing with Snorby. [...]
>
> ------------------------------
>
> Message: 6
> Date: Wed, 30 Nov 2011 14:03:17 -0500
> From: beenph <beenph () gmail com>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: Miguel Alvarez <miguellvrz9 () gmail com>
> Cc: barnyard2-users () googlegroups com, Snort Users <snort-users () lists sourceforge net>
> Message-ID: <CAFU9AX91KN3zDfoa8dQTzsu5z+B9mvODzm4YrD5mRzaB+DEqAQ () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
>> Right now, I'm logging my snort alerts back to a syslog server but I'd like to start playing with Snorby. Please correct me if I'm wrong but I think the ideal way to do this would be to log via unified2 and use barnyard to send the alert data to snorby's DB but I can't lose my syslog functionality. I really wish barnyard was able to do this on non-Windows boxes! But what would be the best way to achieve this short of running two separate snort instances?
>
> If you need local syslog and forward them, barnyard2 currently supports this on Windows and non-Windows systems.
> If you need remote syslog logging, you can access the feature in its current branch via https://github.com/binf/barnyard2/tree/RemoteSyslogFix
>
> Also, if you look in the provided barnyard2.conf you can see output plugin conf examples. Note that it uses a slightly different logging message format from the default snort format, but you have the possibility to configure field delimiters and separators from the config file.
>
> Configuration example for remote syslog:
>
>     # alert_syslog
>     # ----------------------------------------------------------------------------
>     #
>     # Purpose:
>     # This output module provides the ability to output alert information to local syslog
>     #
>     # severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
>     # facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
>     #
>     # Examples:
>     # output alert_syslog
>     # output alert_syslog: LOG_AUTH LOG_INFO
>     #
>     # syslog_full
>     #-------------------------------
>     # Available as both a log and alert output plugin. Used to output data via TCP/UDP
>     # Arguments:
>     #     sensor_name $sensor_name   - unique sensor name
>     #     server $server             - server the device will report to
>     #     protocol $protocol         - protocol device will report over (tcp/udp)
>     #     port $port                 - destination port device will report to (default: 514)
>     #     detail $detail_threshold   - specify full/complete log reporting or only summaries.
>     #     delimiters                 - define a character that will delimit message sections ex: "|", will use | as message section delimiters. (default: |)
>     #     separators                 - define field separator included in each message ex: " ", will use space as field separator.
>     #                                  (default: [:space:])
>     # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>     # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol udp, port 514
>     # output alert_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>     # output log_syslog_full: sensor_name snortIds1-eth2, server xxx.xxx.xxx.xxx, protocol tcp, port 514
>
> If you have barnyard2 related questions, you're also welcome to send them over to the by2 MLs.
>
> -elz
>
> ------------------------------
>
> Message: 7
> Date: Wed, 30 Nov 2011 13:32:41 -0600
> From: Martin Holste <mcholste () gmail com>
> Subject: Re: [Snort-users] How to best do DB *and* syslog logging?
> To: beenph <beenph () gmail com>
> Cc: barnyard2-users () googlegroups com, Snort Users <snort-users () lists sourceforge net>
> Message-ID: <CANpnLHj=mPnts5iGNPQ1MScVFoouw4KFR8S-=9jC=VWYB6RE9w () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> It's tough to beat Snorby for just Snort data, but if you'd also like your console to contain URL data and router/server logs, and since you're already doing syslog, you may want to check out my ELSA project: http://code.google.com/p/enterprise-log-search-and-archive/ .
>
> On Wed, Nov 30, 2011 at 1:03 PM, beenph <beenph () gmail com> wrote:
>> On Wed, Nov 30, 2011 at 11:45 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
>>> Right now, I'm logging my snort alerts back to a syslog server but I'd like to start playing with Snorby. [...]
>>
>> If you need local syslog and forward them, barnyard2 currently supports this on Windows and non-Windows systems.
>> [...]
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------
>
> End of Snort-users Digest, Vol 66, Issue 25
> *******************************************
--
Sent from my mobile device

***********************************************************
Matthew Meersman
Senior Systems Engineer
National Democratic Institute for International Affairs
455 Mass. Ave., NW, Eighth Floor
Washington, DC 20001-2621
Direct: (202) 728-5621
Main: (202) 728-5500
Cell: (202) 302-1594
Fax: (202) 728-5523
Email: mmeersman () ndi org
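An added example for James Lay's question in message 2 of the quoted digest (it is not code from the thread, from Snort or from barnyard2). His u2spewfoo output shows an IDS event record for the [138:2:1] hit, but nothing ever reaches the packet log. The first thing to establish is whether the unified2 spool itself carries a UNIFIED2_PACKET record keyed to that event: if it does not, the packet was never written by Snort and no reader (u2spewfoo, barnyard2, Snorby) can produce it. The script below walks a unified2 file and lists events with no matching packet record. Record layouts follow unified2 as documented in Snort's Unified2_common.h (8-byte record header, 52-byte Unified2IDSEvent_legacy body for type 104, 28-byte Serial_Unified2Packet header for type 2); the sample spool bytes, the IP addresses in them and the linktype value are constructed placeholders, not data from the thread.

```python
"""List unified2 IDS events that have no UNIFIED2_PACKET record.

Added example, not code from Snort, barnyard2 or the mailing-list thread.
Layouts are the unified2 ones from Snort's Unified2_common.h; the sample
spool at the bottom is constructed here (placeholder addresses).
"""
import struct

# Record types from Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 104

HDR = struct.Struct("!II")                       # Serial_Unified2_Header: type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent_legacy, 52 bytes
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
PKT_HDR = struct.Struct("!IIIIIII")              # Serial_Unified2Packet, 28 bytes
PKT_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
              "packet_microsecond", "linktype", "packet_length")


def iter_records(data):
    """Yield (type, body) per record; stop at a truncated tail instead of raising."""
    off = 0
    while off + HDR.size <= len(data):
        rec_type, rec_len = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rec_len > len(data):
            break  # partial record: a live reader would wait for Snort to finish writing it
        yield rec_type, data[off:off + rec_len]
        off += rec_len


def parse_event(body):
    return dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(body)))


def parse_packet(body):
    pkt = dict(zip(PKT_FIELDS, PKT_HDR.unpack_from(body)))
    pkt["data"] = body[PKT_HDR.size:PKT_HDR.size + pkt["packet_length"]]
    return pkt


def events_without_packets(data):
    """Return [(gen_id, sig_id, event_id)] for events that have no packet record.

    Events and packets are paired by (sensor_id, event_id, event_second),
    the same key barnyard2 and u2spewfoo use to tie them together.
    """
    events, seen_packets = {}, set()
    for rec_type, body in iter_records(data):
        if rec_type == UNIFIED2_IDS_EVENT:
            ev = parse_event(body)
            events[(ev["sensor_id"], ev["event_id"], ev["event_second"])] = ev
        elif rec_type == UNIFIED2_PACKET:
            pkt = parse_packet(body)
            seen_packets.add((pkt["sensor_id"], pkt["event_id"], pkt["event_second"]))
    return [(ev["generator_id"], ev["signature_id"], ev["event_id"])
            for key, ev in events.items() if key not in seen_packets]


# --- constructed sample spool (placeholder addresses, not from the thread) ---
def _event(event_id, gen_id, sig_id, event_sec):
    body = IDS_EVENT.pack(0, event_id, event_sec, 548118, sig_id, gen_id, 1, 35, 2,
                          0x0A000005, 0xC0000219,  # 10.0.0.5 -> 192.0.2.25 (placeholders)
                          51126, 25, 6, 0, 0, 0)   # sport, dport, TCP, impact/blocked flags
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def _packet(event_id, event_sec, payload):
    # linktype 1 (Ethernet) is an assumption for the sample
    body = PKT_HDR.pack(0, event_id, event_sec, event_sec, 548118, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


SAMPLE_SPOOL = (
    _event(1311, 1, 2000001, 1322416300) + _packet(1311, 1322416300, b"\x00" * 60)
    + _event(1312, 138, 2, 1322416338)  # the SENSITIVE-DATA hit: event record, no packet
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    for gen_id, sig_id, event_id in events_without_packets(data):
        print(f"event {event_id}: [{gen_id}:{sig_id}] has no UNIFIED2_PACKET record")
```

Run it against the real spool (`python3 u2check.py /var/log/snort/snort.log.1322416338`, file name assumed) and compare with the u2spewfoo output: an event that shows up here has no packet in the file, so the gap is on the Snort side rather than in the log reader. The reader deliberately stops at a truncated trailing record instead of raising, because Snort may still be appending to the file while you inspect it.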
Current thread:
- Re: Snort-users Digest, Vol 66, Issue 25 Matthew Meersman (Nov 30)