Snort mailing list archives
Re: Snort-sigs Digest, Vol 76, Issue 14
From: PR <oly562 () gmail com>
Date: Tue, 11 Sep 2012 12:06:36 -0700
in quotes? also, what im trying to do is log and capture any sid/event from audit software aimed at this snort server. i wish to capture it all, on base. base works, but now that i enabled $RULES and removed the entry in local.rules, when i fire up snort/barnyard2 with the same cmds - here they are again - its not logging attacks/audits attempts to base anymore.... i doubt i need to enter in all the stuff i want in local.rules. that would be hard for me. i should be able to enable the preproc so rules, regular 2.9.3.1 rules in /etc/snort/rules, so on so forth... do i need to specify everything i want in snort.conf? specificially? isn't this a Vanilla snort.conf minus specifying the home net? or host system? i need to read the manual for snort now.... more to follow... sighs... On Tue, 2012-09-11 at 13:29 -0400, Joel Esler wrote:
Your HOME_NET should read "ipvar HOME_NET 192.168.1.0/24" If that's what you are trying to do. On Sep 11, 2012, at 1:24 PM, PR <oly562 () gmail com> wrote:when i ran a script, bash simple with 2 lines just like i type them into the cmdline, it said ipvar 192.168.1.0/24 cant be something... i have since just ran the cmds one at a time, and i dont see that anymore, but it said failed or errored... something like that. sorry i missed it... maybe its in the logs? i cant read the logs as they are in unified format. i guess... lol.... ls /var/log/snort/ alert snort.log.1347321601 snort.log.1347374349 snort.log.1347320873 snort.log.1347325626 snort.log.1347382370 snort.log.1347321584 snort.log.1347346937 snort.log.1347382486 snort.log.1347321592 snort.log.1347347097 snort.log.1347383400 this is what i mean, i can't less them: less /var/log/snort/snort.log.1347320873 "/var/log/snort/snort.log.1347320873" may be a binary file. See it anyway? your thoughts? thanks pete On Tue, 2012-09-11 at 17:04 +0000, snort-sigs-request () lists sourceforge net wrote:Send Snort-sigs mailing list submissions to snort-sigs () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists sourceforge net You can reach the person managing the list at snort-sigs-owner () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..." Today's Topics: 1. Re: Couple sigs (lists () packetmail net) 2. Re: Couple sigs (Alex Kirk) 3. Re: Couple sigs (lists () packetmail net) 4. Re: Up and Running (Joel Esler) ---------------------------------------------------------------------- Message: 1 Date: Mon, 10 Sep 2012 10:40:16 -0500 From: "lists () packetmail net" <lists () packetmail net> Subject: Re: [Snort-sigs] Couple sigs To: Alex Kirk <akirk () sourcefire com> Cc: Snort-sigs <snort-sigs () lists sourceforge net> Message-ID: <504E09E0.3080403 () packetmail net> Content-Type: text/plain; charset="us-ascii" On 09/10/12 10:30, Alex Kirk wrote:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content"; flow:to_client, established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase; distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80; content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80; classtype:bad-unknown;)I've seen \x22 and \x27 being used occasionally to quote the in-line style declaration. Cheers, Nathan ------------------------------ Message: 2 Date: Mon, 10 Sep 2012 12:00:04 -0400 From: Alex Kirk <akirk () sourcefire com> Subject: Re: [Snort-sigs] Couple sigs To: "lists () packetmail net" <lists () packetmail net> Cc: Snort-sigs <snort-sigs () lists sourceforge net> Message-ID: <CABed_ZcRBwOY4tP2-WcSHrQS8RO-5hvqwUbBQfewyxjvaVP+Rg () mail gmail com> Content-Type: text/plain; charset="iso-8859-1" On Mon, Sep 10, 2012 at 11:40 AM, lists () packetmail net <lists () packetmail netwrote:On 09/10/12 10:30, Alex Kirk wrote:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any(msg:"INDICATOR-OBFUSCATIONhidden iframe - potential include of malicious content"; flow:to_client, established; file_data; content:"<iframe "; nocase; content:"width=1";nocase;distance:0; within:50; content:"height=1"; nocase; distance:-40;within:80;content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80; classtype:bad-unknown;)I've seen \x22 and \x27 being used occasionally to quote the in-line style declaration. Cheers, Nathan Which, of course, goes back to the whole issue of "HTML is such arelatively free-form mockup language that there's a zillion ways to evade any sort of detection." If this concept isn't totally blown out of the water by lots of legitimate web sites using hidden iframes, then it seems to me that the best way to proceed is to figure out what's the least performance-intensive way of accounting for all of the potential permutations. This may end up being several rules, or potentially even a single rule with a PCRE; I'm honestly agnostic as to how the end result is achieved, so long as it works when we're done. Long-term, it might even make sense to have additional Snort functionality to normalize cases like this (i.e. standardize how quotes appear in a normalized buffer) to make things more sane, but that's something we'd need to debate fairly extensively within the community before implementing, I'm sure. In the meantime, thanks for the input, you make a very good point. -- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 3 Date: Mon, 10 Sep 2012 11:09:41 -0500 From: "lists () packetmail net" <lists () packetmail net> Subject: Re: [Snort-sigs] Couple sigs To: Alex Kirk <akirk () sourcefire com> Cc: Snort-sigs <snort-sigs () lists sourceforge net> Message-ID: <504E10C5.70708 () packetmail net> Content-Type: text/plain; charset="us-ascii" On 09/10/12 11:00, Alex Kirk wrote:single rule with a PCREI'm kind of partial to: file_data; content:"<iframe "; nocase; content:"visibility|3a|hidden"; within:100; nocase; pcre:"/\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]/i"; Not really sure though how to make that one performance friendly since the PCRE engine may be invoked often. Either way, good conversation James and Alex, I believe this theme to be very useful. ------------------------------ Message: 4 Date: Tue, 11 Sep 2012 13:04:35 -0400 From: Joel Esler <jesler () sourcefire com> Subject: Re: [Snort-sigs] Up and Running To: PR <oly562 () gmail com> Cc: snort-sigs <snort-sigs () lists sourceforge net> Message-ID: <28EBC923-168A-4444-A8F7-34501E42481E () sourcefire com> Content-Type: text/plain; charset="us-ascii" On Sep 11, 2012, at 1:02 PM, PR <oly562 () gmail com> wrote:4. only thing i see complaining so far was the ipvar option for 192.168.1.0/24, and the No White/Black_list.rules that are there. maybe perms or chown needed on rules dir?What complained about the ipvar option for HOME_NET? But, white and black list rules are not in our standard ruleset at this time. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! End of Snort-sigs Digest, Vol 76, Issue 14 ******************************************
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort-sigs Digest, Vol 76, Issue 14 Joel Esler (Sep 11)
- Re: Snort-sigs Digest, Vol 76, Issue 14 PR (Sep 11)
- Re: Snort-sigs Digest, Vol 76, Issue 14 waldo kitty (Sep 11)