Snort mailing list archives

Re: Snort-devel Digest, Vol 65, Issue 1


From: "Adrian Mamolea (admamole) via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 9 Nov 2022 18:39:07 +0000

Hello Parbat,

What version of Snort is pfSense using?
Could you:
- describe what you are trying to do,
- provide a copy of the Snort configuration, including policy files,
- provide a log extract for the issue.

Thanks,
Adrian

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Parbat Bhatiya via Snort-devel
Sent: Monday, November 7, 2022 4:15 PM
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 65, Issue 1

Hello, can anybody help me or guide me? I have pfSense installed with a public IP.

If I transfer one VM to another VM, or do an SSH copy or some other activity from another network to a VM, even my IP gets blocked, like:

T SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infec
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
ET SCAN Potential SSH Scan
misc activity misc unknow traffic
detection of network scan
ET POLICY RDP connection confirm

I have many more like this. Can anyone guide me? Is it possible to do something so that normal behaviour is allowed and only critical or risky operations get blocked?




On Tue, Nov 8, 2022 at 12:22 AM <snort-devel-request () lists snort org> wrote:
Message: 1
Date: Mon, 7 Nov 2022 15:08:59 +0000
From: "Neville, Andrew" <Andrew.Neville () fujitsu co uk>
To: snort-devel () lists snort org
Subject: [Snort-devel] Snort 3 output to linux journal is buffered?

Hi,

I'm looking for some help with a slightly odd behaviour we see when running Snort 3 as a systemd service.

When Snort3 is started from a simple systemd service definition it does not immediately show its normal full startup information in the journal. I'm expecting approximately 300 lines ending with "Commencing packet processing" and then the list of interfaces it's monitoring, but I don't get all the lines, only around 230-ish.

The only way to get the remaining output seems to be to make Snort write something else to the journal, like sending it a USR1 signal.

And actually, in response to the USR1 signal, again we see only some of the USR1 runtime information written to the journal. We have to send the USR1 signal twice in order to make sure we immediately get all the output from the first signal.

When running Snort in the foreground, all the expected output is displayed to the terminal immediately. Similarly, starting Snort3 at the command line but putting it into the background still allows all the startup and USR1 information to display fully.

The most recent test I've tried is with Snort3 compiled on a basic CentOS 8 Stream VM, following the guide from snort.org, with a really vanilla configuration as far as I can tell (registered rules were loaded).

snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.43.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.9
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1k  FIPS 25 Mar 2021
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.42 2018-03-20
           Using ZLIB version 1.2.11
           Using Hyperscan version 5.3.0 2020-08-10
           Using LZMA version 5.2.4

As far as I know this behaviour is not a result of any journald configuration (I just have the default), and we have seen the same behaviour with Alma and Ubuntu too.

Anyone have any pointers please?

Thanks,

Andrew.


Andrew Neville

Defence & National Security

Fujitsu
Jays Close, Viables Industrial Estate, Basingstoke, Hampshire, RG22 4BY
Email: andrew.neville () fujitsu co uk




_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org<mailto:Snort-devel () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-devel