Re: snort-stat warnings

2008-08-03 Thread Adam D. Barratt
On Wed, 2008-07-30 at 15:07 +0200, Bjoern Meier wrote:
> Hi,
> 
> well, it's my first post on this list. So please don't flame me ;-)
> 
> OK, under the documents of snort there is a file called README.http_inspect,
> from which I quote:

Thanks. I know what the check does though. :-)

My concern was why it's getting logged oddly, and therefore causing
snort-stat to warn about a possible problem with the file. fwiw, the
bare encoding check isn't the only one that sometimes gets logged in
this way, just the one that I happened to pick as an example.

Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
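For the doubled-header symptom Adam describes, the check snort-stat makes can be reproduced directly. The following is an added example written for this page, not snort-stat's code or anything posted in the thread: a parser for the Snort 2.x full-format alert file (/var/log/snort/alert) that treats every "[**] [gid:sid:rev] msg [**]" line as the start of a record and reports any header that is followed by another header, a blank line or end of file before a packet line. The sample alert text is constructed for the example, and the outer square brackets in Adam's quoted lines are assumed to be quoting rather than part of the file.

```python
import re

# Header line of a Snort 2.x "full" alert record, e.g.
#   [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")

# Packet line that follows the header (after an optional classification line), e.g.
#   07/28-15:07:02.123456 192.0.2.10:34567 -> 10.0.0.5:80
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

# Constructed sample: one complete record, then a header repeated twice
# (the symptom from the thread) followed by a complete record.
SAMPLE_ALERT_FILE = """\
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[Classification: Unknown Traffic] [Priority: 3]
07/28-15:07:02.123456 192.0.2.10:34567 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:512 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x2000  TcpLen: 20

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[Classification: Unknown Traffic] [Priority: 3]
07/28-15:07:05.654321 192.0.2.10:34570 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:480 DF
***AP*** Seq: 0x1A2B4000  Ack: 0x5E6F7100  Win: 0x2000  TcpLen: 20
"""


def check_alert_file(text):
    """Parse a full-format alert file.

    Returns (records, warnings): records holds one dict per complete alert
    (header plus packet line); warnings lists headers that were never
    followed by packet data, which is what makes snort-stat report that
    the file may be incomplete.
    """
    records, warnings = [], []
    current = None

    def close(rec, reason):
        if rec is None:
            return
        if rec["timestamp"] is None:
            warnings.append("line %d: header [%d:%d:%d] %s"
                            % (rec["line"], rec["gid"], rec["sid"], rec["rev"], reason))
        else:
            records.append(rec)

    for lineno, line in enumerate(text.splitlines(), 1):
        header = HEADER_RE.match(line)
        if header:
            # A header while the previous record has no packet line yet is the
            # doubled-header symptom; close() turns that into a warning.
            close(current, "is followed by another header before any packet data")
            gid, sid, rev, msg = header.groups()
            current = {"line": lineno, "gid": int(gid), "sid": int(sid), "rev": int(rev),
                       "msg": msg, "timestamp": None, "src": None, "dst": None}
            continue
        if not line.strip():
            close(current, "ends at a blank line without packet data")
            current = None
            continue
        if current is None:
            warnings.append("line %d: data outside any alert record" % lineno)
            continue
        packet = PACKET_RE.match(line)
        if packet:
            current["timestamp"], current["src"], current["dst"] = packet.groups()
        # classification, protocol and flag lines carry nothing this check needs

    close(current, "is the last record and has no packet data")
    return records, warnings


def file_may_be_incomplete(text):
    """The yes/no answer behind snort-stat's warning, derived from the parse."""
    return bool(check_alert_file(text)[1])


if __name__ == "__main__":
    recs, warns = check_alert_file(SAMPLE_ALERT_FILE)
    print("%d complete alerts" % len(recs))
    for w in warns:
        print("WARNING:", w)
```

On the constructed sample the parser returns two complete alerts and one warning pointing at the first of the doubled headers; run against the real file it tells you which header lines lost their packet data, which is the question Adam is actually asking.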



Re: snort-stat warnings

2008-07-30 Thread Bjoern Meier

Hi,

well, it's my first post on this list. So please don't flame me ;-)

OK, under the documents of snort there is a file called README.http_inspect,
from which I quote:


 Bare byte encoding is an IIS trick that uses non-ASCII chars as valid
 values in decoding UTF-8 values. This is NOT in the HTTP standard, as all
 non-ASCII values have to be encoded with a %. Bare byte encoding allows
 the user to emulate an IIS server and interpret non-standard encodings
 correctly.

 The alert on this decoding should be enabled, because there are no
 legitimate clients that encoded UTF-8 this way, since it is non-standard.


hope this helps

Bye,

Bjoern aka salacryl

Adam D. Barratt wrote:

 Hi,

 We're running snort 2.3.3-11 on etch, and for the past few days the 
cron.daily job has been generating a number of "Warning, file may be 
incomplete" messages.


 After a little experimentation, it appears that this is due to 
/var/log/snort/alert containing the "header" line for a number of alerts 
repeated (either that or the remaining data from the first item being 
lost); for example:


 [...]
 [[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
 [[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]]
 [...]

 Does anyone know what causes this, and whether it's anything we need
 to be worried about?


 Cheers,

 Adam






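To make the README's description concrete, here is an added example (written for this page, not part of Snort's http_inspect or of the original mail): a URI normaliser that raises the bare-byte alert whenever a request URI carries raw bytes >= 0x80 and then decodes the URI the way an IIS-style target is assumed to, accepting raw bytes as UTF-8 input. The lenient decoder also accepts overlong sequences such as C0 AF as '/'; that leniency, the sample URIs and the strict/lenient comparison are assumptions made for the example, not a description of any particular IIS version.

```python
import urllib.parse

# Alert text as it appears in the alert file excerpt quoted in the thread
BARE_BYTE_ALERT = "[119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING"


def lenient_utf8(data):
    """Decode bytes as UTF-8 the way a lenient server is assumed to: lead and
    continuation byte structure is honoured, but overlong sequences such as
    C0 AF are accepted and mapped to the code point they encode ('/').
    A strict decoder (bytes.decode("utf-8")) rejects those. The leniency is
    an assumption made for this example.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            need, cp = 3, b & 0x07
        else:
            out.append("\ufffd")      # stray continuation byte or invalid lead byte
            i += 1
            continue
        cont = data[i + 1:i + 1 + need]
        if len(cont) < need or any(c & 0xC0 != 0x80 for c in cont):
            out.append("\ufffd")      # truncated or malformed sequence
            i += 1
            continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def inspect_uri(raw_uri, bare_byte=True):
    """Normalise a request URI as seen on the wire (bytes); returns
    (normalised_uri, alerts).

    bare_byte=True emulates an IIS-style target that accepts raw non-ASCII
    bytes as UTF-8 input; bare_byte=False applies the standard, under which
    every non-ASCII byte must be %-encoded, so raw high bytes are replaced.
    Either way a raw high byte raises the alert, since no standards-compliant
    client sends one.
    """
    alerts = []
    if any(b >= 0x80 for b in raw_uri):
        alerts.append(BARE_BYTE_ALERT)
    # %xx decoding first, so %-encoded and raw bytes end up in one buffer
    decoded = urllib.parse.unquote_to_bytes(raw_uri)
    if bare_byte:
        uri = lenient_utf8(decoded)
    else:
        uri = decoded.decode("ascii", errors="replace")
    return uri, alerts


# Constructed sample URIs: raw C0 AF, the same overlong '/' %-encoded, and a
# raw UTF-8 'é' as a non-compliant client might send it.
SAMPLE_URIS = [
    b"/scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    b"/caf\xc3\xa9/index.html",
]

if __name__ == "__main__":
    for raw in SAMPLE_URIS:
        uri, alerts = inspect_uri(raw)
        print(repr(raw), "->", uri, alerts or "")
```

The %-encoded variant of the same path decodes to the same traversal but does not raise this alert, because every byte on the wire was ASCII; that case belongs to other http_inspect checks which the README excerpt above does not cover. A client that sends raw UTF-8 (the third sample) trips the alert as well, which is what the README means by there being no legitimate clients that encode this way.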

Re: snort, where to listen?

2003-05-15 Thread tps
On Fri, May 16, 2003 at 09:49:32AM +0200, [EMAIL PROTECTED] wrote:
> Hi all,
> 
> I just installed Snort IDS on my firewall Debian box which is so configured:
> 
> eth0 10.0.0.1 (serves internal LAN)
> eth1 192.168.100.1 (directly connected to an ADSL modem auto-connecting to
> the provider with IP 192.168.100.2)
> 
> I run snort on eth1 NOT in promiscuous mode and I send periodic email reports
> to me.
> 
> The problem is that I receive messages from the kernel (firewall) indicating
> some "action" blocked from the internet, but snort never shows up anything in
> its reports.
> 
> Could someone tell me if I misconfigured the system and, please, a possible
> right configuration?

That would all depend on how you have Snort configured (ruleset) and
what the actual kernel messages say. Just because you block an unwanted 
connection to a certain port doesn't mean the connection attempt matched
a rule. Also, if it was blocked by the kernel, snort may have never
seen it, since you are not in promisc. mode, IIRC.

Tim

-- 
>> Tim Sailer (at home)             ><  Coastal Internet, Inc.           <<
>> Network and Systems Operations   ><  PO Box 726                       <<
>> http://www.buoy.com              ><  Moriches, NY 11955               <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED] ><  (631)399-2910  (888) 924-3728  <<



Re: Snort signature download script

2003-04-27 Thread Kristof Goossens
On Sat, Apr 26, 2003 at 12:52:58PM +0200, Konstantin Filtschew wrote:
> hi,
> 
> there is a signature download script posted on
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254
> 
> from http://www.xssass.be
> 
> I tried it, but it tells me that the md5 checksum is wrong
> 
> you can download the script from here: http://www.xssass.be/updateSnort
> 
> who can tell me anything about the script and its quality

On request, I translated the comments in the script... It might be interesting
for those on the list that want to alter the script to fit their own needs.

The URL is still http://www.xssass.be/updateSnort. Sorry if you consider this
(slightly) OT!

Kind regards,
Kristof

-- 
Digital fingerprint: F56F F987 0E0C AFF8 0B6D  7CA1 F152 E07D 72AF 337B




Re: Snort signature download script

2003-04-26 Thread Kristof Goossens
On Sat, Apr 26, 2003 at 12:52:58PM +0200, Konstantin Filtschew wrote:
> hi,
> 
> there is a signature download script posted on
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254
> 
> from http://www.xssass.be
> 
> I tried it, but it tells me that the md5 checksum is wrong

Ah... :(
There was a bug in the script... We did correct the script already, but
apparently, we did not put the new script online. I will do this as soon
as I finished typing this mail :)

The script that will be available within a few minutes (same location:
http://www.xssass.be/updateSnort) works fine for snort 2.0.0. We use it with
that version and it updates perfectly without any troubles. We just can't
assure you that it will work with snort 1.9.x, but for security reasons we
would advise everybody to switch to snort 2.0.0 anyway.

> you can download the script from here: http://www.xssass.be/updateSnort
> who can tell me anything about the script and its quality

My friend and I wrote the script...
It's a Perl script, and it works fine... It downloads the new rules from the
snort website, as well as the md5 checksum... If the checksum matches, it will
download and install the new rules. Then alter the snort.conf file to include
the new rules, and restart snort.
 

Kind regards,
Kristof

-- 
Digital fingerprint: F56F F987 0E0C AFF8 0B6D  7CA1 F152 E07D 72AF 337B



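The flow Kristof describes (fetch the rules tarball and its md5 file, compare, install) as an added example in Python, written for this page and not the updateSnort script: it parses md5sum-style output, compares digests in constant time, and extracts the tarball only after checking that no member would escape the destination directory or is a link. The tarball, the rule text and the file name snortrules-stable.tar.gz are constructed here so the example runs offline; editing snort.conf and restarting snort are left out. One caveat the script's description does not mention: a checksum fetched from the same unauthenticated server as the tarball only catches a corrupted or truncated download, and MD5 is not collision resistant, so it is no defence against a tampered mirror.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def parse_md5sum(text):
    """Parse md5sum(1)-style lines ('<32 hex>  <filename>') into {filename: hexdigest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def md5sum_line(data, filename):
    """What the publisher's md5sum file would contain for this download."""
    return "%s  %s\n" % (hashlib.md5(data).hexdigest(), filename)


def checksum_matches(data, md5sum_text, filename):
    """True if data hashes to the digest published for filename.

    Detects a corrupted or truncated download only: the md5 file comes from
    the same unauthenticated source as the tarball and MD5 is not collision
    resistant, so this is not protection against a tampered mirror.
    """
    expected = parse_md5sum(md5sum_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)


def safe_members(tar, dest):
    """Yield members that are plain files or directories inside dest; refuse
    anything that would escape dest (e.g. '../../etc/snort/snort.conf') or
    that is a link, which could redirect a later write."""
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError("refusing %r: escapes %s" % (member.name, dest))
        if not (member.isfile() or member.isdir()):
            raise ValueError("refusing %r: not a regular file or directory" % member.name)
        yield member


def install_rules(tar_bytes, dest):
    """Extract a verified rules tarball into dest; returns the installed file names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = list(safe_members(tar, dest))
        tar.extractall(dest, members=members)
    return [m.name for m in members if m.isfile()]


def build_rules_tarball(files):
    """Construct an in-memory .tar.gz from {name: text}; stands in for the download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed rules content; the rule itself is illustrative.
SAMPLE_RULES = {
    "rules/web-iis.rules": 'alert tcp any any -> any 80 (msg:"sample rule"; sid:1000001; rev:1;)\n',
}
RULES_FILENAME = "snortrules-stable.tar.gz"


def run_update_demo():
    """Run the whole flow against constructed data and report what happened."""
    tarball = build_rules_tarball(SAMPLE_RULES)
    md5_text = md5sum_line(tarball, RULES_FILENAME)
    result = {
        "good_verifies": checksum_matches(tarball, md5_text, RULES_FILENAME),
        "truncated_verifies": checksum_matches(tarball[:-1], md5_text, RULES_FILENAME),
    }
    dest = tempfile.mkdtemp(prefix="snort-rules-")
    result["installed"] = install_rules(tarball, dest)
    result["exists"] = os.path.isfile(os.path.join(dest, "rules/web-iis.rules"))
    try:
        install_rules(build_rules_tarball({"../snort.conf": "# overwritten\n"}), dest)
        result["traversal_blocked"] = False
    except ValueError:
        result["traversal_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in run_update_demo().items():
        print(key, "=", value)
```

The member check matters as much as the checksum: a rules archive is untarred as root into /etc/snort on most installs, so an entry named ../snort.conf or a symlink pointing outside the rules directory would let whoever controls the download rewrite the sensor's configuration.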

Re: Snort exploit in wild.

2003-04-25 Thread Noah Meyerhans
On Fri, Apr 25, 2003 at 10:44:49PM +0100, Nick Boyce wrote:
> The general consensus of opinion (including the Debian packager) was
> that *nobody* should even consider using the V1.8.4 Snort package in
> Woody - it's much too old, and has a number of security issues.

It's not really that it has a number of security issues; It's more that
no new rulesets are being developed for it, and thus it can't detect any
attempts to exploit vulnerabilities more recent than its last ruleset.
Obviously that defeats the purpose of using a rule-based traffic
analyzer like snort.

> Most people's advice was to stop using the Debian package, and instead
> download & compile the latest source from www.snort.org, and keep
> tracking new releases from there - and get signature updates from
> there as well.  This is what I do now.

Yes, that's generally the least disruptive to your Debian system.  I've
seen people run a hybrid woody/sid system just to get the new snort.  If
you build it yourself, you don't need to worry about upgrading to
unstable and unsupported (by the sec team) software.

> Some people think Snort should actually be removed from the Debian
> package collection, because it will always drift seriously out of date
> over time, and because there's no easy way to incorporate up-to-date
> signatures (rules) into Debian.

It would be less of an issue if you could actually *get* new rules for
the version of snort that's in woody.  There wouldn't be anything to
stop you from downloading the new rules (which are distributed
independently of snort itself and updated regularly) and untarring them
into the right place and having the right thing happen.

Yes, snort should probably not be shipping with Debian.  Sticking with
an outdated version of snort is counterproductive and, at the very
least, likely to give you a false sense of security regarding the
traffic hitting your machines.

I wish people were more open to the idea of letting a wholly new version
(say, an up to date 1.9) enter woody with its next revision, but that's
not going to happen.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Snort exploit in wild.

2003-04-25 Thread Nick Boyce
On Fri, 25 Apr 2003 10:19:59 +0100, David Ramsden wrote:

>Noticed on vil.mcafee.com that there is a proof of concept exploit for
>Snort, exploiting the vuln. found in v1.8 through to 1.9.1.
[...]
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.

David, you probably want to look at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254
which I submitted after a previous discussion on this list (December
2002) about problems with the Debian stable Snort package being out of
date.

The general consensus of opinion (including the Debian packager) was
that *nobody* should even consider using the V1.8.4 Snort package in
Woody - it's much too old, and has a number of security issues.

Most people's advice was to stop using the Debian package, and instead
download & compile the latest source from www.snort.org, and keep
tracking new releases from there - and get signature updates from
there as well.  This is what I do now.

Some people think Snort should actually be removed from the Debian
package collection, because it will always drift seriously out of date
over time, and because there's no easy way to incorporate up-to-date
signatures (rules) into Debian.

Cheers,

Nick Boyce
Bristol, UK
--
Boycott Amazon till they relent on the 1-click software patent
- http://www.gnu.org/philosophy/amazon.html



Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
- Forwarded message from Marcel Weber <[EMAIL PROTECTED]> -

From: Marcel Weber <[EMAIL PROTECTED]>
To: David Ramsden <[EMAIL PROTECTED]>
Cc: debian-security@lists.debian.org
Subject: Re: Snort exploit in wild.
X-Virus-Scanned: by AMaViS and OpenAntivirus ScannerDaemon
X-Spam-Status: No, hits=-4.4 required=5.0 tests=IN_REP_TO version=2.20
X-Spam-Level: 

David Ramsden wrote:

>Hi,
>
>Noticed on vil.mcafee.com that there is a proof of concept exploit for
>Snort, exploiting the vuln. found in v1.8 through to 1.9.1.
>
>Packet Storm Security have this proof of concept on their site (local
>exploit at the moment).
>It uses a call-back technique to spawn a shell on the attackers machine,
>via a connection from the compromised machine.
>I've not tried this on my Debian machines yet, so can't say if it works
>- You'd need the return address for Debian as only Slackware is supported
>in this proof of concept.
>
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.
>
>As a workaround, I could disable snort (granted) but also, how can I use
>/etc/apt/preferences to update /just/ snort to a non-vuln. version from
>another branch (unstable/testing)? What line do I need in
>/etc/apt/sources.list? And how easy is it to downgrade to the stable
>version if something goes wrong or a patch is released from Debian?
>
>Thanks for all the help and regards,
>David.

Hi

Following the advice from heise.de [1] it should be enough to comment 
out the line:

preprocessor stream4_reassemble

in your /etc/snort/snort.conf

as the vulnerability is in this module. Of course you will lose some 
information. But safer is better ;-)

Regards

Marcel

[1] 
(http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

- End forwarded message -

-- 
 .''`. David Ramsden <[EMAIL PROTECTED]>
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Snort exploit in wild.

2003-04-25 Thread Gian Piero Carrubba
Il ven, 2003-04-25 alle 11:19, David Ramsden ha scritto:

> Noticed on vil.mcafee.com that there is a proof of concept exploit for
> Snort, exploiting the vuln. found in v1.8 through to 1.9.1.

up to 2.0rc1 as reported by CERT

> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.

don't know if the Debian package is affected, however it should

> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?

don't do it... unstable/snort depends on a libc version not available in
stable, and maybe there are some other unresolved dependencies...
instead get the deb-src and try to recompile... I think it's not so
linear, but it should work... 

in the meantime (from the CERT advisory):

> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
> 
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that disabling
> these modules may have adverse effects on a sensor's ability to correctly
> process RPC record fragments and TCP packet fragments. In particular,
> disabling the "stream4" preprocessor module will prevent the Snort sensor
> from detecting a variety of IDS evasion attacks.

Regards,
Gian Piero.

PS: about the pinning question, please read the apt-howto
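The workaround quoted from the CERT advisory, as an added example written for this page (not Debian's or Snort's own tooling): comment out the stream4_reassemble and rpc_decode preprocessor lines in snort.conf, write the file back atomically, and SIGHUP the running snort. The snort.conf fragment is constructed and its option values are illustrative; the pid file path in the usage comment is an assumption, and the VU numbers in the inserted comment are the ones from the advisory above.

```python
import os
import re
import signal
import tempfile

# The two preprocessors the CERT advisory says to comment out
AFFECTED_PREPROCESSORS = ("stream4_reassemble", "rpc_decode")

# "preprocessor <name>" or "preprocessor <name>: <options>", not already commented
PREPROCESSOR_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)\s*(:.*)?$")

# Constructed snort.conf fragment in Snort 1.9/2.0 syntax; option values are illustrative.
SAMPLE_SNORT_CONF = """\
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode
preprocessor rpc_decode: 111 32771
# preprocessor bo: -nobrute
"""


def active_preprocessors(conf_text):
    """Names of preprocessors that are enabled (uncommented) in the text."""
    return [m.group(1) for m in map(PREPROCESSOR_RE.match, conf_text.splitlines()) if m]


def disable_preprocessors(conf_text, names=AFFECTED_PREPROCESSORS):
    """Comment out the named preprocessor lines; returns (new_text, disabled_names)."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = PREPROCESSOR_RE.match(line)
        if m and m.group(1) in names:
            out.append("# disabled, see CERT VU#139129 / VU#916785: " + line.strip())
            disabled.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def apply_workaround(conf_path, pid_path=None):
    """Rewrite conf_path atomically and, if pid_path is given and exists,
    SIGHUP the running snort so it re-reads the configuration."""
    with open(conf_path) as f:
        text = f.read()
    new_text, disabled = disable_preprocessors(text)
    remaining = set(active_preprocessors(new_text)) & set(AFFECTED_PREPROCESSORS)
    if remaining:
        raise RuntimeError("still enabled after edit: %s" % ", ".join(sorted(remaining)))
    # Write to a temp file in the same directory and rename over the original,
    # so a crash mid-write cannot leave snort with a half-written config.
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    fd, tmp_path = tempfile.mkstemp(dir=conf_dir, prefix=".snort.conf.")
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.chmod(tmp_path, os.stat(conf_path).st_mode & 0o7777)
    os.replace(tmp_path, conf_path)
    if pid_path and os.path.exists(pid_path):
        with open(pid_path) as f:
            os.kill(int(f.read().split()[0]), signal.SIGHUP)
    return disabled


if __name__ == "__main__":
    import sys
    # usage: python3 snort_workaround.py /etc/snort/snort.conf [/var/run/snort_eth0.pid]
    # (the pid file location is an assumption; check your init script)
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/snort/snort.conf"
    pid = sys.argv[2] if len(sys.argv) > 2 else None
    print("disabled:", apply_workaround(conf, pid))
```

Run it against a copy of snort.conf first; active_preprocessors() on the result shows what is still enabled. The advisory's warning stands: without stream4_reassemble the sensor loses the TCP reassembly that defeats a range of evasion attacks, so this is a stopgap until a fixed package is installed, not a configuration to keep.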



Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
On Fri, Apr 25, 2003 at 12:13:38PM +0200, Marcel Weber wrote:
> David Ramsden wrote:
> 
[snip]
> 
> Following the advice from heise.de [1] it should be enough to comment 
> out the line:
> 
> preprocessor stream4_reassemble
> 
> in your /etc/snort/snort.conf
> 
> as the vulnerability is in this module. Of course you will lose some 
> information. But safer is better ;-)
> 
[snip]
> 
> [1] 
> (http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

Thank you for the information.
I had a quick look on the bug tracking system for Debian and found
information for the RPC decoder exploit, so have commented that out.

I'll now disable what's been suggested and wait for a DSA.

Thanks for the information on this Marcel.
Kind regards,
David.
-- 
 .''`. David Ramsden <[EMAIL PROTECTED]>
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Snort exploit in wild.

2003-04-25 Thread Marcel Weber

David Ramsden wrote:


Hi,

Noticed on vil.mcafee.com that there is a proof of concept exploit for
Snort, exploiting the vuln. found in v1.8 through to 1.9.1.

Packet Storm Security have this proof of concept on their site (local
exploit at the moment).
It uses a call-back technique to spawn a shell on the attackers machine,
via a connection from the compromised machine.
I've not tried this on my Debian machines yet, so can't say if it works
- You'd need the return address for Debian as only Slackware is supported
in this proof of concept.

What's the status of a patch from Debian Security? No DSA yet either.
I know this has been brought up a few times already but now an exploit
exists in the wild.

As a workaround, I could disable snort (granted) but also, how can I use
/etc/apt/preferences to update /just/ snort to a non-vuln. version from
another branch (unstable/testing)? What line do I need in
/etc/apt/sources.list? And how easy is it to downgrade to the stable
version if something goes wrong or a patch is released from Debian?

Thanks for all the help and regards,
David.


Hi

Following the advice from heise.de [1] it should be enough to comment 
out the line:


preprocessor stream4_reassemble

in your /etc/snort/snort.conf

as the vulnerability is in this module. Of course you will lose some 
information. But safer is better ;-)


Regards

Marcel

[1] 
(http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)




Re: Snort

2003-02-18 Thread Steve Suehring

There should be some logging taking place, hopefully from snort itself.  
One thing to try, which will all but rule out a permissions issue would be 
to try to connect using the MySQL CLI as the user you setup.  So, 
something like this:

mysql -u snortuser -p snort

Probably wouldn't hurt to show tables within that database.

One other idea would be to jump onto the snort users mailing list or 
(preferably) check the archive for that list.  This problem has come up 
before and isn't debian specific.

http://marc.theaimsgroup.com/?l=snort-users

Steve

On Mon, Feb 17, 2003 at 10:19:24AM -0500, Phillip Hofmeister wrote:
> All,
> 
> I have been having problems with snort, this may be kind of OT for this
> list (should be debian-user) but I have a feeling more people on this
> list use snort.
> 
> I manage 2 potato converted to woody machines.  Each morning I receive 2
> blank reports from cron.daily.
> 
> I have snort-mysql installed.  snort appears to be running fine but
> nothing ever gets written to the mysql database.  The username/password
> I gave snort have update/select/insert rights to the mysql DB.
> 
> Any clue of where I can start looking for problems as to why this isn't
> working?
> 
> Thanks,
> 
> -- 
> Phil
> 
> PGP/GPG Key:
> http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #198: Interference from lunar radiation 
> 
> 



Re: Snort

2003-02-17 Thread [EMAIL PROTECTED]
One other thing I can think of (even though I primarily use redhat) is
if you are logging to a different computer other than localhost, make
sure that:
- you don't have a firewall blocking the inbound connection
- you have /etc/hosts.allow configured properly
- i'm not sure about debian+mysql, but I use redhat+postgresql and I had
to change its configuration files to allow connections from remote
systems.


-- 
Thanks for Your Time,
Ed Wiget

**
**
** RHP Studios  **
**Keeping Your Data Safe!   **   
**Web: http://www.rhpstudios.com** 
**  Voice:  606-564-0046 / 606-564-0056 / 866-402-7477  **
**  Fax: 606-564-0076   **
**  Cell: 606-584-0878  **
**E-mail: [EMAIL PROTECTED] **
**
**




Re: Snort

2003-02-17 Thread andrew lattis
On 2003/02/17 10:19:24AM -0500, Mon, Phillip Hofmeister wrote:
> 
> I have snort-mysql installed.  snort appears to be running fine but
> nothing ever gets written to the mysql database.  The username/password
> I gave snort have update/select/insert rights to the mysql DB.
> 
> Any clue of where I can start looking for problems as to why this isn't
> working?
> 

have you added an output option to snort.conf? eg
output database: log, mysql, user=db_user password=db_pass dbname=snort host=localhost

also, check /var/log/syslog, see if its giving any errors when starting up

andrew

-- 
"computer networks are infrastructure that you should be able to rely on, to
take for granted, just like telephones and electricity. if you can't do that,
then there's something wrong, something that can and should be fixed." 
- craig sanders




Re: Snort

2003-02-17 Thread David Hardne
 Phillip Hofmeister wrote on Feb 17, 2003 at 10:19:24 AM:
> All,
> 
> I have been having problems with snort, this may be kind of OT for this
> list (should be debian-user) but I have a feeling more people on this
> list use snort.
> 
> I manage 2 potato converted to woody machines.  Each morning I receive 2
> blank reports from cron.daily.
> 
> I have snort-mysql installed.  snort appears to be running fine but
> nothing ever gets written to the mysql database.  The username/password
> I gave snort have update/select/insert rights to the mysql DB.
> 
> Any clue of where I can start looking for problems as to why this isn't
> working?
> 
> Thanks,
> 
> -- 
> Phil
> 

I don't know about snort-mysql, but I got the same empty reports
initially from snort (non-mysql package) on a woody machine also
upgraded from potato. 

In my case the problem was snort by default logging only to 
/var/log/alerts, while snort-stat (running from /etc/cron.daily/5snort) 
was operating on /var/log/auth.log.  

Regards,

David

-- 
 .- David Hardne <[EMAIL PROTECTED]>
 `-- wget -O- cybe.net/dh|gpg --import



Re: snort-stats without mailing...

2003-02-13 Thread Ricardo Sousa
I'm sending all logs to only one host with syslog-ng.
This can give me a lot of information if not filtered, but snort also
makes daily reports and then sends them via mail to root or another user
that I can define.

This extra information is useful, as is all the other.
After reading all mails of the community, I think that ssmtp is the best
choice for what I want to use, because:

1) as I said, this host is a gateway and is in direct contact with the www
2) no need for more services / open doors
3) last but not least, there's less probability of a hole.

Now, time to read the ssmtp docs =)
Thank you all.
Regards, Ricardo Sousa.

On Thu, 2003-02-13 at 10:14, Philipp Hetzner wrote:
> On Thu, Feb 13, 2003 at 12:15:55AM +, Ricardo Sousa wrote:
> 
> 
>  >> How can i send/view snort stats without mailing them ?!?
> 
> Another way is to log your syslog messages to a remote host (e.g. with
> syslog-ng²) and this host could handle the information (prepare the
> data with ACID³ and display it over https, sending mails ...). Syslog-ng
> works on any port you want (e.g. 22) and supports encryption.
> 
> Philipp Hetzner
> 
> ²http://www.balabit.hu/en/downloads/syslog-ng/
> ³http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
> 
> 
> 





Re: snort-stats without mailing...

2003-02-13 Thread Philipp Hetzner

On Thu, Feb 13, 2003 at 12:15:55AM +, Ricardo Sousa wrote:


>> How can i send/view snort stats without mailing them ?!?

Another way is to log your syslog messages to a remote host (e.g. with
syslog-ng²) and this host could handle the information (prepare the
data with ACID³ and display it over https, sending mails ...). Syslog-ng
works on any port you want (e.g. 22) and supports encryption.


Philipp Hetzner

²http://www.balabit.hu/en/downloads/syslog-ng/
³http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html



Re: snort-stats without mailing...

2003-02-12 Thread Mike Renfro
On Thu, Feb 13, 2003 at 12:15:55AM +, Ricardo Sousa wrote:

> How can i send/view snort stats without mailing them ?!?

I may be missing how snort sends its logs, but:

* If you're reading the mail on the same system that snort's installed
  on, you can use the "local delivery only" option in eximconfig.

* If you're reading the mail on a different system, I'd think you
  could configure exim (or some other MTA) to not listen on any port
  at all (make sure it's not in inetd, and remove all startup links in
  /etc/rc?.d), since snort probably just uses mail, mailx, or pipes to
  /usr/sbin/sendmail.

Neither option should require an open smtp port, and you'd only be
vulnerable to remote holes in snort or ssh, plus local holes in
whatever else is on the system.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]



Re: snort-stats without mailing...

2003-02-12 Thread Marcin Owsiany
On Thu, Feb 13, 2003 at 12:15:55AM +, Ricardo Sousa wrote:
> How can i send/view snort stats without mailing them ?!?

ssh-keygen and scp is one way

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216



Re: snort-stats without mailing...

2003-02-12 Thread Andreas Blaafladt
* Ricardo Sousa <[EMAIL PROTECTED]> [2003-02-13 01:50:44]:
> Hi people.
> I'd like to have some suggestions and/or opinions about one thing that
> I'm doing here in my network.
> Well, I've a gateway with only 2 services (ssh and portmap). As lately I
> removed the mail service, because in fact I don't need it on this host, a
> problem has arisen with snort. How can I send/view snort stats without
> mailing them ?!?
> Is there any workaround to this pseudo-problem without enabling mail
> service?
> 

You might want to check out the ssmtp package. 

Taken from apt-cache show ssmtp:

"Description: Extremely simple MTA to get mail off the system to a mail hub
A secure, effective and simple way of getting mail off a system to your
mail hub. It contains no suid-binaries or other dangerous things - no mail
spool to poke around in, and no daemons running in the background. Mail is
simply forwarded to the configured mailhost. Extremely easy configuration."


Regards,

/Andreas

-- 
andreas blaafladt <[EMAIL PROTECTED]>



Re: SNORT not adding entries to snort/portscan ???

2002-12-01 Thread Andris Kalnozols
> Once again I ask, please do not use procmail or any other automated
> system to report mail to razor that comes from a Debian list!!!
> 
> From: Andris Kalnozols <[EMAIL PROTECTED]>
> Subject: Re: SNORT not adding entries to snort/portscan ???
> To: debian-security@lists.debian.org
> Date: Sat, 30 Nov 2002 18:25:47 PST
> Delivery-date: Sat, 30 Nov 2002 21:37:04 -0500
> X-Razor-Warning: SPAM.
> 
> Regards,
> 
> Phil

Hi, Phil.  Was this admonition directed at me or was the display
of the "X-Razor-Warning: SPAM." header meant to illustrate the
negative consequences to the true guilty party?

Although we plan to implement SpamAssassin, we'll take the
conservative approach and _not_ enable the automatic reporting
feature to Razor for just the reason you stated.

Andris



Re: SNORT not adding entries to snort/portscan ???

2002-12-01 Thread Phillip Hofmeister
Once again I ask, please do not use procmail or any other automated
system to report mail to razor that comes from a Debian list!!!

From: Andris Kalnozols <[EMAIL PROTECTED]>
Subject: Re: SNORT not adding entries to snort/portscan ???
To: debian-security@lists.debian.org
Date: Sat, 30 Nov 2002 18:25:47 PST
Delivery-date: Sat, 30 Nov 2002 21:37:04 -0500
X-Razor-Warning: SPAM.

Regards,

Phil

On Sat, 30 Nov 2002 at 06:25:47PM -0800, Andris Kalnozols wrote:
> > Perhaps I did not state this clearly enough. The majority of cases
> > I run across are caused by an entirely unnecessary dependency to
> > a version of libc6 which isn't in any way required for the package
> > in question. Yes, one can fix this manually. Every time, for every
> > package. Which naturally means you do it once or twice and then
> > say "oh forget it" and wait a year or whatever until the next stable
> > upgrade.
> > 
> > Package Dependencies on lib versions (or any other entity for that
> > matter)  really are several entirely different things:
> > 
> > * the API changed and my application will fail with any
> >   lib version prior to this one because it relies on
> >   the changes.
> > 
> > * bug fixes went into this lib version without which my
> >   app will crash.
> > 
> > * bug fixes went into this version which I specifically
> >   want/prefer for my application, but it won't crash
> >   on the older one.
> > 
> > * I just like to use the latest set of lib version digits
> >   for no particular reason.
> > 
> > I suspect the majority of package version dependencies fall into
> > the last category.
> > 
> > If this was dealt with, there would be a much higher level of
> > interoperability between packages in various dists. Still a 
> > caveat emptor, but far, far easier to deal with.
> 
> Is this an example of what you mean?
> 
>   /usr/sbin/sendmail: /lib/libc.so.6: version `GLIBC_2.3' not found
> (required by /usr/sbin/sendmail)
> 
> After `apt-get' upgraded sendmail to 8.12.6, this error appeared.
> As I recall from another Debian list, the response from whoever
> compiled this version was something like "Oops, stuff happens
> in the testing distro" but, a month later, there's still no working
> replacement.  How does one go about fixing this kind of problem?
> 
> Andris
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #41: Bank holiday - system operating credits not recharged 



Re: SNORT not adding entries to snort/portscan ???

2002-12-01 Thread Dale Amon
Perhaps what I'm suggesting is an idea for the package people
to consider. Instead of Required: being single-valued, perhaps
have a minimum usable version required and a preferred version.
Default to the preferred but give the user via dselect and
apt a means of pinning to the "minimum" instead.

That would let me selectively pull in a number of security tools
I began using on a sid dist that I sorely miss in woody. I 
simply don't have time to repackage them all and be my own
package maintainer. I doubt any of them has *real* dependencies
such that they would not work perfectly well with the woody
libs.



Re: SNORT not adding entries to snort/portscan ???

2002-12-01 Thread Dale Amon
On Sat, Nov 30, 2002 at 06:25:47PM -0800, Andris Kalnozols wrote:
> Is this an example of what you mean?
> 
>   /usr/sbin/sendmail: /lib/libc.so.6: version `GLIBC_2.3' not found
> (required by /usr/sbin/sendmail)
> 
> After `apt-get' upgraded sendmail to 8.12.6, this error appeared.
> As I recall from another Debian list, the response from whoever
> compiled this version was something like "Oops, stuff happens
> in the testing distro" but, a month later, there's still no working
> replacement.  How does one go about fixing this kind of problem?
> 
> Andris

More basic than that. You will find packages that refuse to build without
pulling in a new libc6 they don't even need. This comes from a dependency
for say:

>= libc6_2.2.5-13

when there is actually no reason that anything after

>= libc6_2.2.1-1

would have worked. Perhaps there are good reasons for requiring the absolute
latest revision. Usually there are not unless you really do intend to 
upgrade a large chunk of your system. 

The case you are describing is far worse. It's broken, period, not
just an annoyance and the cause of loads of unnecessary
package-dependency-caused upgrades.
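
Added example (not from the thread, and not dpkg's own code): a Python
implementation of the version-ordering rules dpkg applies to Depends:
constraints, so the "minimum usable version" argument above can be tried
on real strings. It splits [epoch:]upstream[-revision], compares the
non-digit and digit runs alternately with '~' sorting before everything
and letters before non-letters, and then evaluates a Depends: entry against
an installed version. The function names and the libc6 versions used in
the demo are this example's own, chosen to mirror the >= libc6_2.2.5-13
versus >= libc6_2.2.1-1 case.

```python
"""Debian version ordering as dpkg --compare-versions applies it.

Added example; not from the thread and not dpkg's own code. Implements
the comparison rules from Debian Policy (epoch, then upstream version,
then Debian revision; alternating non-digit and digit runs) so a
Depends: constraint can be checked against an installed version.
Function names and the demo versions are this example's own.
"""
import re
from typing import Callable, Dict, Tuple


def _weight(c: str) -> int:
    """Sort weight of a character in a non-digit run: '~' sorts before
    everything, even the end of the run (weight 0); letters before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i]) if i < len(a) else 0
        wb = _weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_part(a: str, b: str) -> int:
    """Compare two upstream versions or two Debian revisions."""
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(ma.group(0), mb.group(0))
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group(0) or "0"), int(mb.group(0) or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the last hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 for a < b, a == b, a > b, like dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


_RELATIONS: Dict[str, Callable[[int], bool]] = {
    "<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">>": lambda c: c > 0,
}

# 'name (rel version)' or just 'name'; name may not contain '(' or whitespace
_DEP = re.compile(r"^\s*([^\s(]+)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?\s*$")


def satisfies(installed: str, relation: str, required: str) -> bool:
    return _RELATIONS[relation](compare_versions(installed, required))


def check_dependency(installed: str, dep: str) -> bool:
    """Does 'installed' meet a Depends: entry such as 'libc6 (>= 2.2.5-13)'?
    An unversioned entry ('libc6') is met by any installed version."""
    m = _DEP.match(dep)
    if not m:
        raise ValueError(f"cannot parse dependency {dep!r}")
    if m.group(2) is None:
        return True
    return satisfies(installed, m.group(2), m.group(3))


if __name__ == "__main__":
    # The situation in the thread: a strict libc6 (>= 2.2.5-13) refuses to
    # install on an older libc6 although a lower minimum would have let it in.
    for installed in ("2.2.1-1", "2.2.5-13", "2.3.1-5"):
        strict = check_dependency(installed, "libc6 (>= 2.2.5-13)")
        minimum = check_dependency(installed, "libc6 (>= 2.2.1-1)")
        print(f"libc6 {installed}: strict={strict} minimum={minimum}")
```

Run as a script it shows the strict (>= 2.2.5-13) constraint failing on a
box with libc6 2.2.1-1 while the (>= 2.2.1-1) minimum passes. Before
relying on it for anything unusual (epochs, '~' pre-releases, revisions
with letters), cross-check a few strings against dpkg --compare-versions
on a Debian box; the two must agree.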



Re: SNORT not adding entries to snort/portscan ???

2002-11-30 Thread Andris Kalnozols
> Perhaps I did not state this clearly enough. The majority of cases
> I run across are caused by an entirely unnecessary dependency to
> a version of libc6 which isn't in any way required for the package
> in question. Yes, one can fix this manually. Every time, for every
> package. Which naturally means you do it once or twice and then
> say "oh forget it" and wait a year or whatever until the next stable
> upgrade.
> 
> Package Dependencies on lib versions (or any other entity for that
> matter)  really are several entirely different things:
> 
>   * the API changed and my application will fail with any
> lib version prior to this one because it relies on
> the changes.
> 
>   * bug fixes went into this lib version without which my
> app will crash.
> 
>   * bug fixes went into this version which I specifically
> want/prefer for my application, but it won't crash
> on the older one.
> 
>   * I just like to use the latest set of lib version digits
> for no particular reason.
> 
> I suspect the majority of package version dependencies fall into
> the last category.
> 
> If this was dealt with, there would be a much higher level of
> interoperability between packages in various dists. Still a 
> caveat emptor, but far, far easier to deal with.

Is this an example of what you mean?

  /usr/sbin/sendmail: /lib/libc.so.6: version `GLIBC_2.3' not found
  (required by /usr/sbin/sendmail)

After `apt-get' upgraded sendmail to 8.12.6, this error appeared.
As I recall from another Debian list, the response from whoever
compiled this version was something like "Oops, stuff happens
in the testing distro" but, a month later, there's still no working
replacement.  How does one go about fixing this kind of problem?

Andris



Re: SNORT not adding entries to snort/portscan ???

2002-11-30 Thread Dale Amon
On Sat, Nov 30, 2002 at 01:56:53PM +0100, Adrian Phillips wrote:
> > "Dale" == Dale Amon <[EMAIL PROTECTED]> writes:
> Dale> I've a general issue along those lines. There are often
> Dale> tools I'd like to install but most packages specify >= a
> Dale> version of libc6 even when the package would basically run
> Dale> with any libc that ever existed.
> 
> I would have thought a reasonable number of packages can be upgraded
> by grabbing the source, patching using the Debian diff and
> dpkg-buildpackage'ing. I've done this on a small number of packages
> without problems. Some manual fixing of the diff may be necessary
> obviously if there are bug fix patches included that aren't required
> for the newer version.
> 
> I was under the impression that if people wished to have newer
> "stable" versions then it is up to individuals to handle this
> themselves. It is not something that the Debian project can be
> expected to maintain.

Perhaps I did not state this clearly enough. The majority of cases
I run across are caused by an entirely unnecessary dependency to
a version of libc6 which isn't in any way required for the package
in question. Yes, one can fix this manually. Every time, for every
package. Which naturally means you do it once or twice and then
say "oh forget it" and wait a year or whatever until the next stable
upgrade.

Package Dependencies on lib versions (or any other entity for that
matter)  really are several entirely different things:

* the API changed and my application will fail with any
  lib version prior to this one because it relies on
  the changes.

* bug fixes went into this lib version without which my
  app will crash.

* bug fixes went into this version which I specifically
  want/prefer for my application, but it won't crash
  on the older one.

* I just like to use the latest set of lib version digits
  for no particular reason.

I suspect the majority of package version dependencies fall into
the last category.

If this was dealt with, there would be a much higher level of
interoperability between packages in various dists. Still a 
caveat emptor, but far, far easier to deal with.





Re: SNORT not adding entries to snort/portscan ???

2002-11-30 Thread Adrian Phillips
> "Dale" == Dale Amon <[EMAIL PROTECTED]> writes:

Dale> I've a general issue along those lines. There are often
Dale> tools I'd like to install but most packages specify >= a
Dale> version of libc6 even when the package would basically run
Dale> with any libc that ever existed.

Dale> In one sense this is a more general issue, but it's also a
Dale> security one in that it prevents adding important
Dale> tools to an older dist on a one off basis, even if that tool
Dale> would give a substantial increase in security.

I would have thought a reasonable number of packages can be upgraded
by grabbing the source, patching using the Debian diff and
dpkg-buildpackage'ing. I've done this on a small number of packages
without problems. Some manual fixing of the diff may be necessary
obviously if there are bug fix patches included that aren't required
for the newer version.

I was under the impression that if people wished to have newer
"stable" versions then it is up to individuals to handle this
themselves. It is not something that the Debian project can be
expected to maintain.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]



Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Alfonso Federico Simó

Here it goes!
I attach the snort.conf, but I only changed this part:



--
#=
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default.  These require tuning and maintance.
# Please read the included specific file for more information.
#=

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules   
include netbios.rules
include misc.rules 
include attack-responses.rules

include backdoor.rules
# include shellcode.rules
include policy.rules
include porn.rules
include info.rules
# include icmp-info.rules
include virus.rules 
include local.rules

--

I hope it helps!



Hanasaki JiJi wrote:

> Please do send the file.  I have put 1.9 in manually, it's rocking!



#--
#   http://www.snort.org Snort 1.8.1 Ruleset
# Contact: [EMAIL PROTECTED]
#--
# NOTE:This ruleset only works for 1.8.0 and later
#--
# $Id: snort.conf,v 1.77.2.1 2002/01/11 00:17:35 roesch Exp $
#
###
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $_ADDRESS 
# which will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  
# A good start may be "any"

var EXTERNAL_NET any

# Set up your SMTP servers, or simply configure them 
# to HOME_NET 

var SMTP $HOME_NET

# Set up your web servers, or simply configure them 
# to HOME_NET

var HTTP_SERVERS $HOME_NET

# Set up your sql servers, or simply configure them
# to HOME_NET

var SQL_SERVERS $HOME_NET
 
# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

var DNS_SERVERS $HOME_NET

###
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor : 

# frag2: IP defragmentation support
# ---
# This preprocessor performs IP defragmentation.  This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts.  No
# arguments loads the default configuration of the preprocessor, which is a 
# 60 second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#timeout [seconds] - sets the number of [seconds] than an unfinished 
#fragment will be kept around waiting for completion,
#if this time expires the fragment will be flushed
#memcap [bytes] - limit frag2 memory usage to [bytes] bytes

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#--
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#  when it sees them when this option is set
#   detect
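
Added example, not part of the thread and not Snort's own code: a small
Python audit of a snort.conf that reports which rulesets are included,
which are commented out, what HOME_NET expands to, and which preprocessors
are configured, which is the question Alfonso answered by hand above. The
embedded SAMPLE_CONF is constructed from the fragment posted in this
message and is not a complete configuration. Checking for a "portscan"
preprocessor is an assumption about what the reader expects to find (the
posted file is cut off before that part), so the caller passes the list of
preprocessors to expect.

```python
"""Audit a snort.conf: active vs commented-out rulesets, variables, preprocessors.

Added example; not from the thread and not Snort's own code.
SAMPLE_CONF below is constructed from the fragment posted above and is
not a complete snort.conf.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample: the interesting lines of the posted fragment.
SAMPLE_CONF = """\
# Step #1: Set the network variables
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
# Step #2: Configure preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
# Include all relevant rulesets here
include bad-traffic.rules
include scan.rules
include web-iis.rules
include backdoor.rules
# include shellcode.rules
include policy.rules
# include icmp-info.rules
include local.rules
"""


@dataclass
class SnortConfig:
    variables: Dict[str, str] = field(default_factory=dict)
    includes: List[str] = field(default_factory=list)           # active rulesets, in order
    disabled_includes: List[str] = field(default_factory=list)  # "# include x.rules"
    preprocessors: Dict[str, str] = field(default_factory=dict)  # name -> argument string


_VAR = re.compile(r"^var\s+(\S+)\s+(.+?)$")
_INCLUDE = re.compile(r"^(#\s*)?include\s+(\S+)$")
_PREPROC = re.compile(r"^preprocessor\s+([^\s:]+)\s*:?\s*(.*?)$")


def parse_snort_conf(text: str) -> SnortConfig:
    """Parse the directive kinds the thread is about; other lines are ignored."""
    cfg = SnortConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = _INCLUDE.match(line)   # checked first so "# include" counts as disabled
        if m:
            (cfg.disabled_includes if m.group(1) else cfg.includes).append(m.group(2))
            continue
        if not line or line.startswith("#"):
            continue
        m = _VAR.match(line)
        if m:
            cfg.variables[m.group(1)] = m.group(2)
            continue
        m = _PREPROC.match(line)
        if m:
            cfg.preprocessors[m.group(1)] = m.group(2)
    return cfg


def expand(cfg: SnortConfig, value: str, depth: int = 0) -> str:
    """Resolve $NAME references in a var value (e.g. $HOME_NET) recursively."""
    if depth > 16:
        raise ValueError("variable reference loop")

    def repl(m):
        name = m.group(1)
        if name not in cfg.variables:
            raise KeyError(f"undefined Snort variable ${name}")
        return expand(cfg, cfg.variables[name], depth + 1)

    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", repl, value)


def audit(cfg: SnortConfig, expected_preprocessors: Iterable[str] = ("portscan",)) -> List[str]:
    """Return findings as strings; an empty list means nothing to report.
    Which preprocessors to expect is the caller's choice (assumption: the
    reader wants portscan logging, as in the thread)."""
    findings: List[str] = []
    home = expand(cfg, cfg.variables.get("HOME_NET", "any"))
    if home == "any":
        findings.append("HOME_NET is 'any': the $HOME_NET side of every rule matches "
                        "every address, so rules no longer distinguish inbound from outbound")
    for name in cfg.disabled_includes:
        findings.append(f"ruleset commented out: {name}")
    for name in expected_preprocessors:
        if name not in cfg.preprocessors:
            findings.append(f"preprocessor '{name}' is not configured")
    return findings


if __name__ == "__main__":
    cfg = parse_snort_conf(SAMPLE_CONF)
    print("active rulesets:", ", ".join(cfg.includes))
    for finding in audit(cfg):
        print("finding:", finding)
```

Point it at a real snort.conf (read the file and pass the text to
parse_snort_conf) to get the same report; the HOME_NET finding repeats what
the config's own comment says, namely that "any" is a placeholder to
replace with your network.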

Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Hanasaki JiJi

Please do send the file.  I have put 1.9 in manually, it's rocking!

Alfonso Federico Simó wrote:

> Hanasaki JiJi wrote:
>
>> Snort is reporting scans in the alert.log but not the portscan.log
>>
>> Any thoughts?
>
> Hi!
> Now I *have* my snort reporting scans in the portscan.log in Version
> 1.8.4-beta1 (Build 91). Because of this message, I started playing with
> my snort.conf. When I uncommented the rules at the end of the snort.conf
> (except shellcodes.rules), snort started reporting in that file.
>
> If you wish, I can send you my snort.conf.
> Bye (and I'm sorry for my English, it is not good enough) :-)
> Alfonso





--
=
= Management is doing things right; leadership is doing the =
=   right things.- Peter Drucker=
=___=
= http://www.sun.com/service/sunps/jdc/javacenter.pdf   =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=



Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Alfonso Federico Simó



Hanasaki JiJi wrote:

> Snort is reporting scans in the alert.log but not the portscan.log
>
> Any thoughts?

Hi!
Now I *have* my snort reporting scans in the portscan.log in Version
1.8.4-beta1 (Build 91). Because of this message, I started playing with
my snort.conf. When I uncommented the rules at the end of the snort.conf
(except shellcodes.rules), snort started reporting in that file.

If you wish, I can send you my snort.conf.
Bye (and I'm sorry for my English, it is not good enough) :-)
Alfonso






Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Dale Amon
On Fri, Nov 29, 2002 at 06:36:16PM +0100, Marcel Weber wrote:
> What about considering outdated security tools as hazardous to the
> system's security? Taking this point of view, why not distributing
> updated versions via debian-security?
> 

I've a general issue along those lines. There are often tools I'd like
to install but most packages specify >= a version of libc6 even when
the package would basically run with any libc that ever existed. 

In one sense this is a more general issue, but it's also a security
one in that it prevents adding important tools to an older
dist on a one-off basis, even if that tool would give a substantial
increase in security.

You can force things, but then you've hassles for life every time
you use apt and dselect.



Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Marcel Weber


Hanasaki JiJi wrote:
| My driver is a tulip for a linksys card
|
| The snort list told me that the version in woody is known to be broken
| so I downloaded snort 1.9 and manually installed it.. yuk!
|
| FYI: when run from the command line, the BETA in woody was saying
| something about exhausting trees.
|
| REQUEST! can 1.9 be put in woody?  can 2.0 be put in when it comes out?
|

My driver was a 8139too.

As SNORT is a security-related tool (active security) and the threats
are changing from time to time, the signatures have to be up to date, as
well as the tool itself.

What about considering outdated security tools as hazardous to the
system's security? Taking this point of view, why not distribute
updated versions via debian-security?

Marcel


- --

Marcel Weber  - [EMAIL PROTECTED]

PGP/GPG Key:  http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc



Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Hanasaki JiJi

My driver is a tulip for a linksys card

The snort list told me that the version in woody is known to be broken 
so I downloaded snort 1.9 and manually installed it.. yuk!


FYI: when run from the command line, the BETA in woody was saying 
something about exhausting trees.


REQUEST! can 1.9 be put in woody?  can 2.0 be put in when it comes out?

Simon Kirby wrote:

> On Fri, Nov 29, 2002 at 02:01:26PM +0100, Marcel Weber wrote:
>
>> Hanasaki JiJi wrote:
>> | 1.8.4-Beta1 Build 91
>> |
>> | It also seems to be dying without any reports to syslog
>> |
>>
>> This also happens to my setup. I'm restarting snort every night now.
>
> This seems really weird, but try switching to the e100 driver if you are
> currently using eepro100.  It may just be timing related, but it seemed
> to make a difference.  (We're using tg3 now and it's still fine.)
>
> Simon-
>
> [Simon Kirby][Network Operations]
> [ [EMAIL PROTECTED] ][ NetNation Communications ]
> [  Opinions expressed are not necessarily those of my employer. ]







Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Alfonso Federico Simó
Here it goes!
I attach the snort.conf, but I only changed this part:



--
#=
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default.  These require tuning and maintenance.
# Please read the included specific file for more information.
#=

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules   
include netbios.rules
include misc.rules 
include attack-responses.rules
include backdoor.rules
# include shellcode.rules
include policy.rules
include porn.rules
include info.rules
# include icmp-info.rules
include virus.rules 
include local.rules
--

I hope it helps!



Hanasaki JiJi wrote:

> Please do send the file.  I have put 1.9 in manually, it's rocking!




#--
#   http://www.snort.org Snort 1.8.1 Ruleset
# Contact: [EMAIL PROTECTED]
#--
# NOTE:This ruleset only works for 1.8.0 and later
#--
# $Id: snort.conf,v 1.77.2.1 2002/01/11 00:17:35 roesch Exp $
#
###
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $_ADDRESS 
# which will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  
# A good start may be "any"

var EXTERNAL_NET any

# Set up your SMTP servers, or simply configure them 
# to HOME_NET 

var SMTP $HOME_NET

# Set up your web servers, or simply configure them 
# to HOME_NET

var HTTP_SERVERS $HOME_NET

# Set up your sql servers, or simply configure them
# to HOME_NET

var SQL_SERVERS $HOME_NET
 
# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

var DNS_SERVERS $HOME_NET

###
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor : 

# frag2: IP defragmentation support
# ---
# This preprocessor performs IP defragmentation.  This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts.  No
# arguments loads the default configuration of the preprocessor, which is a 
# 60 second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#timeout [seconds] - sets the number of [seconds] than an unfinished 
#fragment will be kept around waiting for completion,
#if this time expires the fragment will be flushed
#memcap [bytes] - limit frag2 memory usage to [bytes] bytes

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#--
# Use in concert with the -z [all|est] command line switch to defeat 
# stick/snot against TCP rules.  Also performs full TCP stream 
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#  when it sees them when this option is set
#   detect_st


Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Simon Kirby
On Fri, Nov 29, 2002 at 02:01:26PM +0100, Marcel Weber wrote:

> Hanasaki JiJi wrote:
> | 1.8.4-Beta1 Build 91
> |
> | It also seems to be dying without any reports to syslog
> |
> 
> 
> This also happens to my setup. I'm restarting snort every night now.

This seems really weird, but try switching to the e100 driver if you are
currently using eepro100.  It may just be timing related, but it seemed
to make a difference.  (We're using tg3 now and it's still fine.)

Simon-

[Simon Kirby][Network Operations]
[ [EMAIL PROTECTED] ][ NetNation Communications ]
[  Opinions expressed are not necessarily those of my employer. ]




Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Marcel Weber


Hanasaki JiJi wrote:
| 1.8.4-Beta1 Build 91
|
| It also seems to be dying without any reports to syslog
|


This also happens to my setup. I'm restarting snort every night now.

Marcel


- --

Marcel Weber  - [EMAIL PROTECTED]

PGP/GPG Key:  http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc




Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread Hanasaki JiJi

1.8.4-Beta1 Build 91

It also seems to be dying without any reports to syslog

J.H.M. Dassen (Ray) wrote:

> On Thu, Nov 28, 2002 at 10:19:24 -0600, Hanasaki JiJi wrote:
>
>> Snort is reporting scans in the alert.log but not the portscan.log
>
> Which version? AFAIK the version in woody still has wrong log rotation
> causing it to log to a file descriptor corresponding to an already deleted
> file (#158042).
>
> HTH,
> Ray





Re: SNORT not adding entries to snort/portscan ???

2002-11-29 Thread J.H.M. Dassen (Ray)
On Thu, Nov 28, 2002 at 10:19:24 -0600, Hanasaki JiJi wrote:
> Snort is reporting scans in the alert.log but not the portscan.log

Which version? AFAIK the version in woody still has wrong log rotation
causing it to log to a file descriptor corresponding to an already deleted
file (#158042).

HTH,
Ray
-- 
A Microsoft Certified System Engineer is to information technology as a
McDonalds Certified Food Specialist is to the culinary arts.
Michael Bacarella commenting on the limited value of certification.
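
The failure Ray describes, as an added, constructed demonstration that is not the Debian snort package's own code: a stand-in daemon opens its alert log once, the file under it is deleted and recreated the way a naive rotation does it, and every later write vanishes into the deleted inode until the daemon reopens the path. The pid file name in the usage comment (snort_eth0.pid) is an assumption.

```shell
# Constructed demonstration (not the Debian snort package's own code) of
# "logging to an already deleted file" (#158042) and of the reopen that fixes it.

# A stand-in daemon: opens its alert log once on fd 3, as a long-running
# process does at startup, then keeps writing to that descriptor.
open_log()  { exec 3>>"$1"; }
write_log() { echo "$1" >&3; }
close_log() { exec 3>&-; }

# Rotation as a naive logrotate does it: delete the old file and create a
# fresh one at the same path.  The daemon's fd 3 still refers to the deleted
# inode, so everything it writes from now on is lost.  Moving the file instead
# (what logrotate normally does) has the same effect on the new path: the
# descriptor follows the renamed file, not the name.
rotate_log() { rm -f "$1"; : > "$1"; }

# Lines that reach the current alert file when the daemon does NOT reopen
# after rotation.  Prints 0: the post-rotation write went to the deleted inode.
lines_without_reopen() {
    dir=$(mktemp -d); log="$dir/alert"
    open_log "$log"
    write_log "alert before rotation"
    rotate_log "$log"
    write_log "alert after rotation"      # lands in the deleted file
    close_log
    wc -l < "$log" | tr -d ' '
    rm -rf "$dir"
}

# Same sequence, but the daemon reopens its log after rotation (what a SIGHUP
# handler, or a postrotate restart, achieves).  Prints 1.
lines_with_reopen() {
    dir=$(mktemp -d); log="$dir/alert"
    open_log "$log"
    write_log "alert before rotation"
    rotate_log "$log"
    close_log; open_log "$log"            # fd 3 now points at the new inode
    write_log "alert after rotation"
    close_log
    wc -l < "$log" | tr -d ' '
    rm -rf "$dir"
}

# How to confirm the problem on a live Linux box: list descriptors of a pid
# that still point at deleted files.  Prints nothing when the daemon is healthy.
# Usage (assumed pid file name): deleted_fds "$(cat /var/run/snort_eth0.pid)"
deleted_fds() {
    ls -l "/proc/$1/fd" 2>/dev/null | grep '(deleted)' || true
}
```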




Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

2002-11-24 Thread Phillip Hofmeister
On Sun, 24 Nov 2002 at 12:30:25PM +0100, Tore Nilsson wrote:
> Thanks. Well, I'm not using FTP on the box, so all traffic directed at
> that port is dropped by IPTables. Actually, these messages are from my
> system log (and it was IPTables who logged it there). But, do you think it
> was an attempt to break in? I got 4-5 of each of those 2. And 1 of the
> "WARNING: Fraglist" message...


Most likely a random port scan.  I get them all the time.  Since port
scans are technically "legal" in the US (there is case law to back this,
look on google) there is not much you can do about it.

ttyl

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #188: Plate voltage too low on demodulator tube 




Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

2002-11-24 Thread Tore Nilsson
Thanks. Well, I'm not using FTP on the box, so all traffic directed at
that port is dropped by IPTables. Actually, these messages are from my
system log (and it was IPTables who logged it there). But, do you think it
was an attempt to break in? I got 4-5 of each of those 2. And 1 of the
"WARNING: Fraglist" message...

//Tore Nilsson

>On Sat, 23 Nov 2002 at 02:11:00PM +0100, Tore Nilsson wrote:
>> Hello!
>Greets.
>> Got this message sent to me by email from logcheck:
>> snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
>Not a clue...sorry.
>
>> I also got this:
>> Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT=
>> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
>> DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP
>> SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
>Someone from 200.214.189.168 tried to connect (SYN) to your machine on
>port 21 (FTP-Control) suggesting a TCP/IP Window size of 5 kb.  It is
>up to the administrator to decide if this is acceptable activity.
>
>
>> Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT=
>> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
>> DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP
>> SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
>Same, except a different IP and a window size suggestion of 32 kb
>
>
>ttyl,
>--
>Phil
>
>PGP/GPG Key:
>http://www.zionlth.org/~plhofmei/
>wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
>--
>Excuse #8: Hardware stress fractures




Re: snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388

2002-11-23 Thread Phillip Hofmeister
On Sat, 23 Nov 2002 at 02:11:00PM +0100, Tore Nilsson wrote:
> Hello!
Greets.
> Got this message sent to me by email from logcheck:
> snort: WARNING: Bad insert in fraglist for FragTracker 0x8511388
Not a clue...sorry.

> I also got this:
> Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT=
> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168
> DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP
> SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Someone from 200.214.189.168 tried to connect (SYN) to your machine on
port 21 (FTP-Control) suggesting a TCP/IP Window size of 5 kb.  It is
up to the administrator to decide if this is acceptable activity.


> Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT=
> MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209
> DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP
> SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Same, except a different IP and a window size suggestion of 32 kb


ttyl,
-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #8: Hardware stress fractures 
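
An added example, not from anyone in this thread: a small awk summariser for iptables log lines of the kind Phillip reads above, so that repeated SYNs to a closed port from one source stand out as a probable scan instead of being judged one line at a time. It assumes the kernel log format in the quoted lines; the sample is constructed (the two lines from the thread plus two made-up ones, one of them UDP, with 192.0.2.10 as a documentation address).

```shell
# Added example (not the thread's code): summarise iptables log lines.
# Constructed sample: two lines quoted in the thread plus two made-up ones.
SAMPLE_LOG='Nov 22 16:39:32 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15141 DF PROTO=TCP SPT=41134 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 10:48:13 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=80.143.237.209 DST=213.114.36.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=13953 DF PROTO=TCP SPT=3000 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Nov 23 11:02:07 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=200.214.189.168 DST=213.114.36.73 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=15200 DF PROTO=TCP SPT=41140 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 11:05:00 otaku kernel: auditIN=eth0 OUT= MAC=00:02:e3:18:0a:7a:00:04:c1:3a:9e:42:08:00 SRC=192.0.2.10 DST=213.114.36.73 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP SPT=1025 DPT=53 LEN=58'

# Read log lines on stdin; for every TCP packet carrying SYN without ACK
# (a fresh connection attempt, as in Phillip's reading) print "SRC DPT WINDOW".
# Fields are KEY=VALUE tokens; bare flags such as DF or SYN have no "=".
syn_summary() {
    awk '
    /PROTO=TCP/ && / SYN / && !/ ACK / {
        src = dpt = win = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "DPT") dpt = val
            else if (key == "WINDOW") win = val
        }
        print src, dpt, win
    }'
}

# Read log lines on stdin; print "SRC count" for every source that made at
# least $1 connection attempts (default 2), sorted by address.  One SYN to a
# closed port is noise; several from the same address in a short window is
# the pattern worth a second look.
scan_candidates() {
    syn_summary | awk -v min="${1:-2}" '
        { n[$1]++ }
        END { for (s in n) if (n[s] >= min) print s, n[s] }' | sort
}
```

Run it against a real log with `grep 'kernel: audit' /var/log/syslog | scan_candidates 3`, adjusting the prefix to whatever your iptables LOG rule uses.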






Re: snort error starting

2002-07-20 Thread Jeff
Phillip Hofmeister, 2002-Jul-19 15:12 -0400:
> This looks like a hack job...
> 
> if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
>   sleep 3
>   ps cax \
> | grep '/usr/sbin/snort' \
> | awk '{ print $1 }' \
> | xargs --no-run-if-empty kill -9 >/dev/null
>   rm -f /var/run/snort_*.pid
> fi
> echo "."
> ;;
> 
> they should have used a -e file test...let me write a patch and send it to 
> you...this should help diagnose the problem...
> 
> Apply it with 'cat snort.patch | patch -p1'.  Run your init and let me know 
> after which 'test' the error occurs...

I applied your patch:

# cat snort.patch | patch -p1
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--
|--- snort.orig Fri Jul 19 15:05:33 2002
|+++ snort  Fri Jul 19 15:06:39 2002
--
File to patch: ./snort
patching file ./snort

# ./snort start
./snort: var: command not found


Did I do something wrong applying the patch?  

Thanks for your help!
jc


--
Jeff Coppock      Systems Engineer
Diggin' Debian    Admin and User





Re: snort error starting

2002-07-20 Thread Jeff
InfoEmergencias - Luis Gómez, 2002-Jul-19 19:55 +0200:
> On Fri, 19-07-2002 at 19:53, Phillip Hofmeister wrote:
> > On Fri, 19 Jul 2002 at 09:33:14AM -0700, Jeff wrote:
> > > # /etc/init.d/snort start
> > > /etc/init.d/snort: var: command not found
> > > 
> > Looks like a bug in the init script.  If I had Snort/woody I would look at 
> > it.
> > Someone can probably make the changes, make a patch and file a bug with the 
> > patch flag set...
> 
> I have 3 occurrences for "var" in my /etc/init.d/snort :
> adelita:~# grep "var" /etc/init.d/snort
>   -l /var/log/snort \
>   if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
> rm -f /var/run/snort_*.pid
> Probably in the second or in the third, you got a missing slash, I mean,
> you have "var" instead of "/var" . I am attaching this script as of
> snort 1.8.2 (build 86) in Woody.

This was the first thing I checked and I have exactly what your grep
shows. 

thanks,
jc


--
Jeff Coppock      Systems Engineer
Diggin' Debian    Admin and User





Re: snort error starting

2002-07-19 Thread Phillip Hofmeister
This looks like a hack job...

if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
  sleep 3
  ps cax \
| grep '/usr/sbin/snort' \
| awk '{ print $1 }' \
| xargs --no-run-if-empty kill -9 >/dev/null
  rm -f /var/run/snort_*.pid
fi
echo "."
;;

they should have used a -e file test...let me write a patch and send it to 
you...this should help diagnose the problem...

Apply it with 'cat snort.patch | patch -p1'.  Run your init and let me know 
after which 'test' the error occurs...


-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import
--- snort.orig  Fri Jul 19 15:05:33 2002
+++ snort   Fri Jul 19 15:06:39 2002
@@ -26,6 +26,7 @@
-S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
-h "$DEBIAN_SNORT_HOME_NET" \
-c /etc/snort/snort.conf \
+   echo "test 1"
-l /var/log/snort \
-b \
-d  \
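Review bot: the `echo "test 1"` inserted between `-c /etc/snort/snort.conf \` and `-l /var/log/snort \` breaks the command it is meant to trace. The line above it ends in a backslash, so `echo "test 1"` is joined onto the `/sbin/start-stop-daemon --start ... --` invocation as two extra daemon arguments and terminates it; the remaining `-l /var/log/snort \` through `$DEBIAN_SNORT_OPTIONS >/dev/null` lines then run as a separate command whose name is `-l`, which the shell reports as not found. Put the marker on its own line before `/sbin/start-stop-daemon --start` (or after the `>/dev/null` that ends the command), so the diagnostic does not change the behaviour being diagnosed.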
@@ -43,12 +44,14 @@
echo -n "Stopping Network Intrusion Detection System: snort"
/sbin/start-stop-daemon --stop --quiet --oknodo --exec $DAEMON 
>/dev/null
# If it isn't willing we shoot it!
+   echo "test 2"
if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
  sleep 3
  ps cax \
| grep '/usr/sbin/snort' \
| awk '{ print $1 }' \
| xargs --no-run-if-empty kill -9 >/dev/null
+ echo "test 3"
  rm -f /var/run/snort_*.pid
fi
echo "."


Re: snort error starting

2002-07-19 Thread InfoEmergencias - Luis Gómez
On Fri, 19-07-2002 at 19:53, Phillip Hofmeister wrote:
> On Fri, 19 Jul 2002 at 09:33:14AM -0700, Jeff wrote:
> > # /etc/init.d/snort start
> > /etc/init.d/snort: var: command not found
> > 
> Looks like a bug in the init script.  If I had Snort/woody I would look at it.
> Someone can probably make the changes, make a patch and file a bug with the 
> patch flag set...

I have 3 occurrences for "var" in my /etc/init.d/snort :
adelita:~# grep "var" /etc/init.d/snort
-l /var/log/snort \
if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
  rm -f /var/run/snort_*.pid
Probably in the second or in the third, you got a missing slash, I mean,
you have "var" instead of "/var" . I am attaching this script as of
snort 1.8.2 (build 86) in Woody.

Regards

Pope

-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
#!/bin/sh -e

test $DEBIAN_SCRIPT_DEBUG && set -v -x

test -f /usr/sbin/snort || exit 0

DAEMON=/usr/sbin/snort
CONFIG=/etc/snort/snort.debian.conf

test -f $CONFIG && . $CONFIG

test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16"

# to find the lib files
cd /etc/snort

case "$1" in
  start)
	test "$DEBIAN_SNORT_STARTUP" = "dialup" && exit 0
	test "$DEBIAN_SNORT_STARTUP" = "manual" && \
		echo $0 | grep -q 'S[0-9]' && exit 0
	echo -n "Starting Network Intrusion Detection System: snort"
	set +e
	/sbin/start-stop-daemon --start --quiet --exec $DAEMON -- \
		-D \
		-S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
		-h "$DEBIAN_SNORT_HOME_NET" \
		-c /etc/snort/snort.conf \
		-l /var/log/snort \
		-b \
		-d  \
		-u snort \
		-g snort \
		$DEBIAN_SNORT_OPTIONS >/dev/null
	case "$?" in
	  0) echo "." ;;
	  1) echo "...already running." ;;
	  2) echo "...failed." ;;
	esac
	set -e
	;;
  stop)
	echo -n "Stopping Network Intrusion Detection System: snort"
	/sbin/start-stop-daemon --stop --quiet --oknodo --exec $DAEMON >/dev/null
	# If it isn't willing we shoot it!
	if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
	  sleep 3
	  ps cax \
		| grep '/usr/sbin/snort' \
		| awk '{ print $1 }' \
		| xargs --no-run-if-empty kill -9 >/dev/null
	  rm -f /var/run/snort_*.pid
	fi
	echo "."
	;;
  restart|force-restart|reload|force-reload)
	/etc/init.d/snort stop
	# stop will take care that the thing is really dead
	/etc/init.d/snort start
	;;
  *)
	echo "Usage: /etc/init.d/snort start|stop|restart"
	exit 1
	;;
esac
exit 0


Re: snort error starting

2002-07-19 Thread Phillip Hofmeister
On Fri, 19 Jul 2002 at 09:33:14AM -0700, Jeff wrote:
> # /etc/init.d/snort start
> /etc/init.d/snort: var: command not found
> 
Looks like a bug in the init script.  If I had Snort/woody I would look at it.
Someone can probably make the changes, make a patch and file a bug with the 
patch flag set...

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/ | gpg --import


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: snort not recognizing dns server correctly

2002-05-16 Thread dafr
--- Javier Fernández-Sanguino_Peña <[EMAIL PROTECTED]> wrote:
> On Mon, May 06, 2002 at 04:27:53AM -0700, Jeff wrote:
> > dafr, 2002-May-03 10:52 -0700:
> > > Jeff,
> > > 
> > > I had this problem initially as well when I reconfigured snort,
> until I
> > > restarted the service. Quite obvious in retrospect, but when I
> missed
> > > it initially, I could see others doing the same.
> > > 
> > > There is also a section towards the bottom of the snort.conf file
> that
> > > you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually
> activate
> > > the DNS filter.
> > > 
> 
>   Since this is a common issue, why not file a wishlist bug against
> the snort package so that it helps the user do this upon
> installation?
> IIRC it currently does not do it.
> 
>   Javi


Yes, the installation tools might be able to be improved upon, but I'd
rather see more obvious documentation, or just a banner page at install
that says "here are the steps to..." at this point. The wishlist may be
appropriate for accomplishing this, but this request was the first one
that I've seen on this list, so I'm not sure how common the problem
really is.

I have to admit that I didn't go digging too hard for documentation and
went straight to the configuration files and figured it out for myself.

David



__
Do You Yahoo!?
LAUNCH - Your Yahoo! Music Experience
http://launch.yahoo.com






Re: snort not recognizing dns server correctly

2002-05-16 Thread Javier Fernández-Sanguino Peña
On Mon, May 06, 2002 at 04:27:53AM -0700, Jeff wrote:
> dafr, 2002-May-03 10:52 -0700:
> > Jeff,
> > 
> > I had this problem initially as well when I reconfigured snort, until I
> > restarted the service. Quite obvious in retrospect, but when I missed
> > it initially, I could see others doing the same.
> > 
> > There is also a section towards the bottom of the snort.conf file that
> > you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> > the DNS filter.
> > 

Since this is a common issue, why not file a wishlist bug against
the snort package so that it helps the user do this upon installation?
IIRC it currently does not do it.

Javi







Re: snort not recognizing dns server correctly [closed]

2002-05-15 Thread Jeff
Jeff, 2002-May-06 04:27 -0700:
> dafr, 2002-May-03 10:52 -0700:
> > Jeff,
> > 
> > I had this problem initially as well when I reconfigured snort, until I
> > restarted the service. Quite obvious in retrospect, but when I missed
> > it initially, I could see others doing the same.
> > 
> > There is also a section towards the bottom of the snort.conf file that
> > you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> > the DNS filter.
> > 
> > HTH,
> > David
> 
> David,
> 
> Thanks for the pointer.  I found the section and uncommented it
> and then restarted snort.  I'll be watching my logs and let you
> know what I see.

After a couple of weeks with these settings, no more portscans
are being registered by my dns servers.  Thanks for your help,
David.

jc


-- 
Jeff Coppock        Systems Engineer
Diggin' Debian      Admin and User







Re: snort not recognizing dns server correctly

2002-05-06 Thread Jeff
dafr, 2002-May-03 10:52 -0700:
> Jeff,
> 
> I had this problem initially as well when I reconfigured snort, until I
> restarted the service. Quite obvious in retrospect, but when I missed
> it initially, I could see others doing the same.
> 
> There is also a section towards the bottom of the snort.conf file that
> you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
> the DNS filter.
> 
> HTH,
> David

David,

Thanks for the pointer.  I found the section and uncommented it
and then restarted snort.  I'll be watching my logs and let you
know what I see.

thanks,
jc


-- 
Jeff Coppock        Systems Engineer
Diggin' Debian      Admin and User







Re: snort not recognizing dns server correctly

2002-05-03 Thread Robert van der Meulen
Hi Jeff,

Quoting Jeff ([EMAIL PROTECTED]):
> The 192... is a local private network and the next 2 addresses
> are dns servers.  Snort is constantly logging activity to the 1st
> dns server as a portscan, and as I understand it, this config
> entry is supposed to eliminate that.  Is this incorrect?

Please email me offlist about this; (debian-security is not the right place,
the package maintainer address (mine) is).
It's also important to know what version(s) of the package(s) you're talking
about.

Greets,
Robert
-- 
( o>  Linux Generation  



Re: snort not recognizing dns server correctly

2002-05-03 Thread dafr
Jeff,

I had this problem initially as well when I reconfigured snort, until I
restarted the service. Quite obvious in retrospect, but when I missed
it initially, I could see others doing the same.

There is also a section towards the bottom of the snort.conf file that
you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
the DNS filter.

HTH,
David

--- Jeff <[EMAIL PROTECTED]> wrote:
> I have the following entry in /etc/snort/snort.conf
> 
> var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]
> 
> The 192... is a local private network and the next 2 addresses
> are dns servers.  Snort is constantly logging activity to the 1st
> dns server as a portscan, and as I understand it, this config
> entry is supposed to eliminate that.  Is this incorrect?
> 
> thanks,
> jc
> 
> -- 
> Jeff Coppock        Systems Engineer
> Diggin' Debian      Admin and User


__
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com







Re: Snort logging portscans from dns

2002-03-22 Thread Jozef Novikmec
On Fri, 2002-03-22 at 06:58, Jeff wrote:
> Any ideas why Snort is logging portscans from 2 of my providers'
> DNS servers?  I see this every day.  It's making only UDP
> connections based on the log:
> 
> Mar 19 13:00:47 myhost snort: spp_portscan: portscan status
> from +216.148.227.68: 6 connections across 1 hosts: TCP(0),
> UDP(6)
> 
> I think this is due to the DNS servers making several connections
> in my firewall/nat gateway in a short period of time.  But I'm
> not sure.

You should add these addresses to snort.conf in the var DNS_SERVERS section.
One way to detect portscans is to look for a lot of connections from
one IP address, and DNS is a service with a lot of connections.

Add these DNS IP addresses to DNS_SERVERS and snort will stop reporting
portscans.

> 
> thanks,
> jc
> 
> -- 
> Jeff Coppock        Systems Engineer
> Diggin' Debian      Admin and User
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
-- 
--
Ing. Jozef Novikmec
Linux system administrator
LYNX, spol. s r. o.
Masarykova 10
040 01, Kosice
Tel.: +421 55 633 55 11
Fax: +421 55 633 55 20
E-mail: [EMAIL PROTECTED]
http: http://www.lynx.sk
---


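Jozef's explanation above (many connections from one address in a short time, which a resolver produces legitimately) can be shown on a few constructed records. The block below is an added example for this thread, not Snort's code: it counts connections per source in a sliding window, as spp_portscan does, and then applies the same DNS_SERVERS list as an exclusion, which in the Snort 1.x snort.conf is the portscan-ignorehosts preprocessor line that dafr refers to further down the thread. The threshold (4 connections in 3 seconds), the connection records and the address 198.51.100.7 are constructed; the DNS_SERVERS line and 216.148.227.68 are the ones quoted in the thread.

```python
"""Per-source connection counting in the style of Snort 1.x spp_portscan,
plus the DNS_SERVERS exclusion the thread recommends.

Added example for this thread, not Snort code: the thresholds, the
connection records and every address other than those quoted in the
thread are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The snort.conf line quoted in the thread.
DNS_SERVERS_LINE = "var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]"

# Constructed connection records: (seconds, src_ip, dst_ip, proto, dst_port).
# The first burst mimics a resolver answering six queries in under two
# seconds; the second is a sweep of several ports on one host; the third
# is ordinary traffic that never reaches the threshold.
SAMPLE_CONNECTIONS = [
    (0.0, "216.148.227.68", "192.168.0.10", "UDP", 32771),
    (0.3, "216.148.227.68", "192.168.0.10", "UDP", 32772),
    (0.6, "216.148.227.68", "192.168.0.10", "UDP", 32773),
    (0.9, "216.148.227.68", "192.168.0.10", "UDP", 32774),
    (1.2, "216.148.227.68", "192.168.0.10", "UDP", 32775),
    (1.5, "216.148.227.68", "192.168.0.10", "UDP", 32776),
    (10.0, "198.51.100.7", "192.168.0.10", "TCP", 21),
    (10.1, "198.51.100.7", "192.168.0.10", "TCP", 22),
    (10.2, "198.51.100.7", "192.168.0.10", "TCP", 23),
    (10.3, "198.51.100.7", "192.168.0.10", "TCP", 25),
    (10.4, "198.51.100.7", "192.168.0.10", "TCP", 80),
    (20.0, "192.168.0.5", "192.168.0.1", "UDP", 53),
    (25.0, "192.168.0.5", "192.168.0.1", "UDP", 53),
    (30.0, "192.168.0.5", "192.168.0.1", "UDP", 53),
]


def parse_dns_servers(var_line):
    """Turn 'var DNS_SERVERS [a/24,b/32,...]' into a list of ip_network."""
    match = re.search(r"\[(.*)\]", var_line)
    if not match:
        raise ValueError("no [...] address list in: " + var_line)
    return [ip_network(item.strip(), strict=False)
            for item in match.group(1).split(",") if item.strip()]


def is_ignored(src, ignore_nets):
    """True when the source address lies inside any excluded network."""
    return any(ip_address(src) in net for net in ignore_nets)


def find_portscans(connections, ignore_nets=(), threshold=4, window=3.0):
    """Flag every source that opens `threshold` connections within `window`
    seconds, unless it falls inside one of `ignore_nets`.  Returns
    {src: (connections, hosts, tcp, udp)} totals for each flagged source."""
    recent = defaultdict(list)                    # src -> timestamps in window
    hosts = defaultdict(set)
    proto = defaultdict(lambda: {"TCP": 0, "UDP": 0})
    flagged = set()
    for ts, src, dst, prot, _port in sorted(connections):
        if is_ignored(src, ignore_nets):
            continue                              # the DNS_SERVERS exclusion
        times = recent[src]
        times.append(ts)
        while ts - times[0] > window:             # drop timestamps outside the window
            times.pop(0)
        hosts[src].add(dst)
        proto[src][prot] += 1
        if len(times) >= threshold:
            flagged.add(src)
    return {src: (sum(proto[src].values()), len(hosts[src]),
                  proto[src]["TCP"], proto[src]["UDP"])
            for src in sorted(flagged)}


def format_alert(src, totals):
    """Render a flagged source in the wording of the syslog line quoted above."""
    conns, nhosts, tcp, udp = totals
    return ("spp_portscan: portscan status from %s: %d connections across "
            "%d hosts: TCP(%d), UDP(%d)" % (src, conns, nhosts, tcp, udp))


if __name__ == "__main__":
    before = find_portscans(SAMPLE_CONNECTIONS)
    after = find_portscans(SAMPLE_CONNECTIONS, parse_dns_servers(DNS_SERVERS_LINE))
    print("without DNS_SERVERS exclusion:")
    for src, totals in before.items():
        print("  " + format_alert(src, totals))
    print("with DNS_SERVERS exclusion:")
    for src, totals in after.items():
        print("  " + format_alert(src, totals))
```

Run as-is, the first pass reports both the resolver and the port sweep; with the DNS_SERVERS networks excluded only the sweep from 198.51.100.7 remains. The exclusion is a whole-network allowlist, so anything listed there is invisible to this detector, which is why the list should hold only the resolvers actually in use.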



Re: snort 1.8 for demarc

2001-08-07 Thread Marco Tassinari
At 19:22, Sunday 5 August 2001, J.H.M. Dassen (Ray) wrote:

> On Sun, Aug 05, 2001 at 19:41:41 +, Marco Tassinari wrote:
> > /usr/local/lib/libpcap.a(gencode.o): In function `pcap_compile':
>
> Any particular reason you're using a local libpcap rather than the libpcap0
> and libpcap-dev Debian packages?
>
> Ray

(yes, I've bison installed)

Oh, damn, you're right! ...dselect... libpcap-dev... OK! It works!

Thank you, Marco

PS and what about demarc, all?





Re: snort 1.8 for demarc

2001-08-06 Thread Mike Renfro
On Sun, Aug 05, 2001 at 07:41:41PM +, Marco Tassinari wrote:

> /usr/local/lib/libpcap.a(gencode.o): In function `pcap_compile':
> gencode.o(.text+0x203): undefined reference to `lex_init'
> /usr/local/lib/libpcap.a(grammar.o): In function `yyparse':
> grammar.o(.text+0x94): undefined reference to `yylex'
> grammar.o(.text+0x9ba): undefined reference to `yylex'

You have bison installed too? Or just flex? I think yylex calls are
frequently references to yacc.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]





Re: snort 1.8 for demarc

2001-08-05 Thread J.H.M. Dassen \(Ray\)
On Sun, Aug 05, 2001 at 19:41:41 +, Marco Tassinari wrote:
> /usr/local/lib/libpcap.a(gencode.o): In function `pcap_compile':

Any particular reason you're using a local libpcap rather than the libpcap0
and libpcap-dev Debian packages?

Ray
-- 
Obsig: developing a new sig





Re: snort 's logs go to /var/log/auth.log for some reason?

2001-07-30 Thread Jamie Heilman
Dmitriy wrote:

> How can I change this?

man snort, note -s option
man syslog.conf

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle 
 into a lion's mouth and flicking his lovespuds with a wet towel, pure 
 insanity..."   -Rimmer





Re: snort rules (Was: Attack alert from snort)

2001-07-12 Thread Bart-Jan Vrielink
On Thu, 12 Jul 2001, Martin Domig wrote:

> As I am using snort I keep getting many warnings in my logfiles which I
> don't know what they mean. For example the following entry:
>
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25
>
> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?

http://www.whitehats.com/IDS/266

All Chameleon alerts I've seen were false positives. Basically any ip
packet directed to TCP port 25 longer than 500 bytes and having the word
help in the first 5 bytes triggers the rule. I don't think it's possible
to tell snort the difference between a false alert and a real intrusion.

-- 
Goodbye,

Bart-Jan
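
Bart-Jan's description of the rule (TCP to port 25, more than 500 bytes, the word help in the first five bytes) is enough to reproduce why it fires on ordinary mail. The block below is an added example, not Snort's rule engine or the whitehats signature: it applies those three conditions to constructed packets and adds a triage helper that reports whether a matching capture is readable text, which is the check a reviewer makes by hand since, as Bart-Jan says, Snort itself cannot separate the false positive from a real one. The case-insensitive match, the packet layout and all payloads are assumptions.

```python
"""The IDS266 match condition as described in the thread, applied to a few
constructed SMTP packets, plus a small triage helper for the captures.

Added example for this thread, not Snort or whitehats code.  The match
logic implements only the three conditions named above; case-insensitive
comparison and the packets themselves are assumptions."""
import string

SMTP_PORT = 25
MIN_SIZE = 500        # "longer than 500 bytes"
KEYWORD = b"help"     # "the word help in the first 5 bytes"
PRINTABLE = set(string.printable.encode())


def make_packet(payload, proto="TCP", dst_port=SMTP_PORT):
    """Minimal constructed packet record; a real capture would carry more."""
    return {"proto": proto, "dst_port": dst_port, "payload": payload}


def matches_chameleon(packet):
    """True when the packet meets the rule as the thread describes it:
    TCP to port 25, payload over 500 bytes, 'help' within the first 5 bytes."""
    if packet["proto"] != "TCP" or packet["dst_port"] != SMTP_PORT:
        return False
    payload = packet["payload"]
    return len(payload) > MIN_SIZE and KEYWORD in payload[:5].lower()


def printable_ratio(payload):
    """Share of bytes that are printable ASCII: readable mail text is close
    to 1.0, a payload full of non-text bytes is much lower."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in PRINTABLE) / len(payload)


def triage(packet, text_floor=0.95):
    """None when the rule does not fire; otherwise 'text' for a readable
    payload (the false positives the thread reports) or 'non-text' for a
    capture that deserves a closer look."""
    if not matches_chameleon(packet):
        return None
    return "text" if printable_ratio(packet["payload"]) >= text_floor else "non-text"


# Constructed packets exercising each condition of the rule.
SAMPLE_PACKETS = {
    # A short SMTP HELP command: under 500 bytes, no match.
    "short_help": make_packet(b"HELP\r\n"),
    # A long message body whose first word is "Help": matches, readable text.
    "helpdesk_mail": make_packet(b"Help desk ticket 4711: "
                                 + b"the printer on floor 2 jams. " * 25),
    # Long, but the keyword is not within the first 5 bytes: no match.
    "late_help": make_packet(b"Subject: please HELP " + b"x" * 600),
    # Same leading bytes followed by mostly non-printable bytes: matches, non-text.
    "binary_blob": make_packet(b"HELP " + bytes(range(128, 256)) * 5),
    # Right content, wrong port: no match.
    "not_smtp": make_packet(b"help " + b"y" * 600, dst_port=587),
}


if __name__ == "__main__":
    for name, packet in SAMPLE_PACKETS.items():
        print("%-14s match=%-5s triage=%s" % (name, matches_chameleon(packet), triage(packet)))
```

The triage label is only a sorting aid for the analyst reading the logged packets; it does not change what the rule fires on, and a readable payload is not proof of a benign one, so the rule's own threshold and content checks stay as they are.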





Re: snort rules (Was: Attack alert from snort)

2001-07-12 Thread Jigal Weinberg
On Thu, 12 Jul 2001, Martin Domig wrote:

> Hello
> 
> As I am using snort I keep getting many warnings in my logfiles which I
> don't know what they mean. For example the following entry:
> 
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25

Again you might want to check out the rule itself and the stream/packet
content. Some rules are prone to false positives.

 
> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?


You can check out these IDS(\d+) at www.whitehats.com where you can
also find new rules and updates to older ones.


greets


Jigal


-- 
I can run SETI@HOME with total impunity! FORTY-TWO !
- cerebro 




