Snort mailing list archives
Re: Snort-users Digest, Vol 96, Issue 62
From: Friska Ambarita <friskaasnitha () gmail com>
Date: Fri, 30 May 2014 10:48:26 +0700
Hello guys, I need your help. I'm doing research on how to make Snort work as an anti-NetCut (anti-ARP-spoofing) tool. I've looked at many scripts to configure Snort, but they didn't work. Does anyone know, or have any idea what I should add to my Snort to make it an anti-NetCut? Thank you.

2014-05-29 20:03 GMT+07:00 <snort-users-request () lists sourceforge net>:
> Send Snort-users mailing list submissions to
> snort-users () lists sourceforge net
>
> Today's Topics:
>
> 1. Re: How to threshold ALL sigs (waldo kitty)
> 2. Re: How to threshold ALL sigs (waldo kitty)
> 3. Re: blacklist vs black_list :: pulledpork overwrites the files with a list of IP addresses (waldo kitty)
> 4. Re: Snort spikes to 100% CPU followed by network latency (waldo kitty)
> 5. Re: How to threshold ALL sigs (Joel Esler (jesler))
> 6. Re: How to threshold ALL sigs (Russ Combs (rucombs))
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 28 May 2014 22:32:23 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: snort-users () lists sourceforge net
> Message-ID: <53869C37.6080108 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 2:49 PM, Turnbough, Bradley E. wrote:
>> After thresholding:
>>
>> sourceipA ------> destipA ---- Alert A #1 10:29:15
>> sourceipA ------> destipA ---- Alert A #2 10:29:26 ------ not logged (thresholded)
>> sourceipA ------> destipA ---- Alert A #3 10:29:39 ------ not logged (thresholded)
>> sourceipB ------> destipA ---- Alert A #4 10:29:42
>> sourceipB ------> destipA ---- Alert A #5 10:29:55 ------ not logged (thresholded)
>> sourceipB ------> destipA ---- Alert A #6 10:30:12 ------ not logged (thresholded)
>>
>> I want to basically write one rule / threshold for this. I don't want
>> to maintain a huge library of thresholds. Any ideas?
> you can threshold in each rule... it isn't called threshold any more, though... eg:
>
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
>
> note the "detection_filter" section then follow up in the docs ;)
>
> --
> NOTE: No off-list assistance is given without prior approval.
>       Please *keep mailing list traffic on the list* unless
>       private contact is specifically requested and granted.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 28 May 2014 22:34:05 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: snort-users () lists sourceforge net
> Message-ID: <53869C9D.2040607 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 3:48 PM, Jefferson, Shawn wrote:
>> Yes, but that doesn't work for a SRC<->DEST type suppression. You can only
>> make Snort blind to ALL things from that IP. You need to use BPF to do a
>> SRC<->DEST suppression (basically not sending that traffic to snort at all.)
>
> no ya don't ;) you've forgotten about "detection_filter" which is what the old in-rule thresholding is now called... eg:
>
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
> ------------------------------
>
> Message: 3
> Date: Wed, 28 May 2014 22:37:23 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] blacklist vs black_list :: pulledpork overwrites the files with a list of IP addresses
> To: snort-users () lists sourceforge net
> Message-ID: <53869D63.4080206 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 4:47 PM, Steve Crow wrote:
>> Pulledpork is overwriting my blacklist.rules or black_list.rules files that
>> normally have rules in them with a list of IP addresses. Whichever is listed in
>> snort.conf gets overwritten. Why are there two similarly named rules files?
>> What are their proper uses? How does it need to be specified in snort.conf so
>> that pulledpork doesn't overwrite the rules with IP addresses?
>
> the one named in the reputation blacklist/whitelist section is the one that should have IP addresses in it... the other one is the one with rules in it...
>
> FWIW: this came up about a year+ ago... at that time, i suggested to VRT that they rename the reputation blacklist/whitelist files to RP_whitelist and RP_blacklist specifically to denote them being related to the reputation processor... i recommend you do the same now and leave the other one named as it is... i don't recall which is which but your snort.conf will tell you ;)
> ------------------------------
>
> Message: 4
> Date: Wed, 28 May 2014 22:39:24 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] Snort spikes to 100% CPU followed by network latency
> To: snort-users () lists sourceforge net
> Message-ID: <53869DDC.2060802 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 5/28/2014 5:40 PM, Cody Brugh wrote:
>> Also note that when we see these CPU/latency spikes we have no alerts or drops
>> that would easily tell us what is causing the problem. If it's not a rule, what
>> should I start turning off to try to eliminate possible causes? It's something
>> that doesn't log or anything.
>
> what does your traffic look like on the line when this happens? is there any? are the lights blinking? are you using some sort of additional packet capturing package that you can look at for the periods of high snort CPU usage???
>
> ------------------------------
>
> Message: 5
> Date: Thu, 29 May 2014 12:44:41 +0000
> From: "Joel Esler (jesler)" <jesler () cisco com>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: waldo kitty <wkitty42 () windstream net>
> Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
> Message-ID: <8C2B0696-3F0B-4615-BA8C-DDD338322D78 () cisco com>
> Content-Type: text/plain; charset="windows-1252"
>
> On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net> wrote:
>> no ya don't ;) you've forgotten about "detection_filter" which is what the old in-rule thresholding is now called...
>> eg:
>>
>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
>
> kinda. detection_filter doesn't limit the number of alerts like threshold did. That's still threshold.
>
> ------------------------------
>
> Message: 6
> Date: Thu, 29 May 2014 13:03:20 +0000
> From: "Russ Combs (rucombs)" <rucombs () cisco com>
> Subject: Re: [Snort-users] How to threshold ALL sigs
> To: "Joel Esler (jesler)" <jesler () cisco com>, waldo kitty <wkitty42 () windstream net>
> Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
> Message-ID: <6BD6F06B9CA6764DB4E3B905660DEC5E08FE7B79 () xmb-aln-x06 cisco com>
> Content-Type: text/plain; charset="windows-1252"
>
> ________________________________
> From: Joel Esler (jesler)
> Sent: Thursday, May 29, 2014 8:44 AM
> To: waldo kitty
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] How to threshold ALL sigs
>
>> On May 28, 2014, at 10:34 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>> no ya don't ;) you've forgotten about "detection_filter" which is what the old in-rule thresholding is now called... eg:
>>>
>>> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL.RULES FTP Brute-Force login attempt (1) -- BLOCKED DESTINATION"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/^530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; detection_filter: track by_dst, count 5, seconds 300; sid:100000001; rev:5;)
>>
>> kinda. detection_filter doesn't limit the number of alerts like threshold did. That's still threshold.
> * threshold is deprecated:
>   -- use detection_filter in a rule to prevent it from generating events until the limit is reached
>   -- use event_filter outside a rule to limit the number of events logged
>
> See README.filters for details.
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> End of Snort-users Digest, Vol 96, Issue 62
> *******************************************
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
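The distinction Joel Esler and Russ Combs draw in the quoted digest (a detection_filter inside a rule suppresses events until the limit is reached; an event_filter outside the rule limits how many events are logged) can be seen on Bradley Turnbough's six-alert sequence. The following is an added Python model of those two semantics as described in README.filters, not code from the thread or from Snort itself; it assumes a detection_filter fires once more than `count` matches are seen per tracked address within `seconds`, and that an event_filter of type limit logs the first `count` events per tracked address per window.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed input: the six "Alert A" events from the thread's example.
Event = namedtuple("Event", "src dst sig ts")
EVENTS = [
    Event("sourceipA", "destipA", "Alert A", "10:29:15"),
    Event("sourceipA", "destipA", "Alert A", "10:29:26"),
    Event("sourceipA", "destipA", "Alert A", "10:29:39"),
    Event("sourceipB", "destipA", "Alert A", "10:29:42"),
    Event("sourceipB", "destipA", "Alert A", "10:29:55"),
    Event("sourceipB", "destipA", "Alert A", "10:30:12"),
]


class WindowCounter:
    """Per-address match counter shared by both filter kinds (simplified model):
    a window opens on the first match for an address and is reset once
    `seconds` have elapsed since it opened."""

    def __init__(self, track, seconds):
        self.key = (lambda e: e.src) if track == "by_src" else (lambda e: e.dst)
        self.seconds = timedelta(seconds=seconds)
        self.state = {}  # tracked address -> (window_start, matches_seen)

    def seen(self, ev):
        ts = datetime.strptime(ev.ts, "%H:%M:%S")
        start, n = self.state.get(self.key(ev), (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # open a fresh window for this address
        self.state[self.key(ev)] = (start, n + 1)
        return n + 1


def event_filter_limit(events, track="by_src", count=1, seconds=60):
    """event_filter type limit: log only the first `count` events per window.
    Returns the 1-based numbers of the events that would be logged."""
    wc = WindowCounter(track, seconds)
    return [i for i, ev in enumerate(events, 1) if wc.seen(ev) <= count]


def detection_filter(events, track="by_dst", count=5, seconds=300):
    """detection_filter: the rule generates nothing until more than `count`
    matches are seen in the window; every further match then fires."""
    wc = WindowCounter(track, seconds)
    return [i for i, ev in enumerate(events, 1) if wc.seen(ev) > count]


if __name__ == "__main__":
    # event_filter reproduces the "After thresholding" picture: only #1 and #4 logged
    print("event_filter limit 1/60s by_src logs:", event_filter_limit(EVENTS))
    # detection_filter 5/300s by_dst: silent for #1..#5, fires on #6
    print("detection_filter 5/300s by_dst fires on:", detection_filter(EVENTS))
```

Swapping the track key to by_src makes the detection_filter stay silent for the whole sequence (neither source exceeds five matches), which is why a detection_filter alone cannot produce the per-source "one alert, then quiet" output the original question asked for.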