Hi, I wrote Part I of what I would like to be a series of tutorials, both administrative and coding, for SNORT. It can be found at http://www.maximumunix.org/modules.php?name=News&file=article&sid=6

I will appreciate your feedback. Thanks

----- Original Message -----
From: <snort-users-request@lists.sourceforge.net>
To: <snort-users@lists.sourceforge.net>
Sent: Friday, December 13, 2002 3:39 PM
Subject: Snort-users digest, Vol 1 #2582 - 14 msgs

> Send Snort-users mailing list submissions to snort-users@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request@lists.sourceforge.net
>
> You can reach the person managing the list at snort-users-admin@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."
>
> Today's Topics:
>
>    1. RE: New Trend: Intrusion Prevention (twig les)
>    2. Re: stopping snort (Bennett Todd)
>    3. Re: New Trend: Intrusion Prevention (Alberto Gonzalez)
>    4. Re: stopping snort (Alberto Gonzalez)
>    5. No Traffic stats showing in my acid main php browser (Salloum, Camile)
>    6. Re: New Trend: Intrusion Prevention (Erick Mechler)
>    7. RE: New Trend: Intrusion Prevention (Chris Eidem)
>    8. RE: No Traffic stats showing in my acid main php browser (Axness, Bob)
>    9. Huge Amount of Port 1433 Scans From Asian IP's (Ibarra, Michael)
>   10. YASG :-) - yet another setup guide for snort (switched, Debian, MySQL, etc) (Anton A. Chuvakin)
>   11. Re: New Trend: Intrusion Prevention (Martin Roesch)
>   12. snorting SSL/TLS traffic? (Todd Holloway)
>
> --__--__--
>
> Message: 1
> Date: Fri, 13 Dec 2002 12:26:57 -0800 (PST)
> From: twig les <twigles@yahoo.com>
> Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> To: "Ibarra, Michael" <m.ibarra@cdcixis-na.com>, "'Sheahan, Paul \(PCLN-NW\)'" <Paul.Sheahan@priceline.com>, "Snort List \(E-mail\)" <snort-users@lists.sourceforge.net>
>
> I've seen a few of these for a couple years now, but generally I run into the host-based ones. Eeye makes one for that retarded MS web server here: http://www.eeye.com/html/Products/SecureIIS/index.html
>
> I believe it intercepts kernel calls and blocks/passes them, kinda playing middleman. Not sure though. Looks neat, but I don't see any silver bullet here either; not unless you want to slap this type of thing on your 500-5000 XP workstations too.
>
> --- "Ibarra, Michael" <m.ibarra@cdcixis-na.com> wrote:
> > -----Original Message-----
> > From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan@priceline.com]
> > Sent: Friday, December 13, 2002 12:31 PM
> > To: Snort List (E-mail)
> > Subject: [Snort-users] New Trend: Intrusion Prevention
> >
> > I attended Infosecurity 2002 yesterday and there was much talk about intrusion detection going away, and intrusion prevention replacing it. Does anyone know if there are any plans to include intrusion prevention functionality into Snort in the future?
> >
> > Thanks,
> >
> > Paul Sheahan
> >
> > Can you elaborate on this? Do they mean that a sensor will proactively block IP's/attacks?
> >
> > -mike
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:
> > With Great Power, Comes Great Responsibility
> > Learn to use your power at OSDN's High Performance Computing Channel
> > http://hpc.devchannel.org/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> =====
> -----------------------------------------------------------
> If you give a man a fish, he can eat for a day
> If you bludgeon him to death, you can eat the fish yourself
> -----------------------------------------------------------
>
> --__--__--
>
> Message: 2
> Date: Fri, 13 Dec 2002 15:46:44 -0500
> From: Bennett Todd <bet@rahul.net>
> To: Don <Don@WeberOnTheWeb.com>
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] stopping snort
>
> 2002-12-13-13:54:14 Don:
> > Has anyone found a way to stop snort, automatically, [...]
>
> That's very much a platform-specific question. On platforms on which I'd try and support snort, when it's installed the way I'd install it, I can always stop it with "/etc/init.d/snort stop".
>
> > what i want to do is have snort stop, if it gets more than 'x' alerts in a single hour, or some time frame, then of course email me that it has stopped.
>
> On the platforms where I'd support snort, I'd just use swatch with a rule to stop snort. No new engineering required. However, I wouldn't actually set this up; instead, I'd fix the underlying problem of looping errors.
>
> > i do go to syslog with alerts. any suggestions. I have a particular sensor that periodically starts alerting on something, that just causes a round robin effect, and fills up the logs with the same error over and over and over, it gets really boring actually.
>
> Sounds like the snort alert is re-triggering the alarm. You've got several choices.
>
> - don't ship the snort alerts off-system
> - don't ship them through an interface that snort is watching
> - fix the signature so it doesn't re-signal on its own alarm data
> - encapsulate the alarm data in something like SSL or SSH so snort can't see the scary bits any more
> - write a BPF filter to blind snort to the traffic stream that's carrying the alarms off-system
> - disable the alarm that's looping
>
> and maybe there are more alternatives.
>
> -Bennett
>
> --__--__--
>
> Message: 3
> Date: Fri, 13 Dec 2002 15:58:30 -0800
> From: Alberto Gonzalez <albertg@cerebro.violating.us>
> CC: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] New Trend: Intrusion Prevention
>
> Why would you want to use an IPS to stop a SYN|FIN sweep? Portscans are the same ol thing nowadays. Not like in the past few years where new techniques would keep getting released. Your IPS software (appliance) should be tuned to defend against attacks, not mere probes at your network. Heck, there are methods to trick nmap out there. I think if intrusion prevention is going to get anywhere, it needs to just concentrate on attacks; you don't want to overwhelm it. Or is it just me that hasn't seen anything interesting in a portscan in the last oh say year?
>
> These are my opinions, I would love to hear others but let's keep it off-list..
>
> Cheers!
>
> - Alberto
>
> Bob Dehnhardt wrote:
>
> >Everything I've seen about IPS is that it's intended as another facet of security, not as a replacement for IDS. IPS is useful for preventing attacks that can be identified with a high (99%+) degree of accuracy, like SYN/FIN sweeps. Attacks that may have a significant number of false positives are outside IPS's realm, since having that traffic dropped would likely affect normal network operations. IDS with a real live decision-making person will be used in those cases, just as today.
> >
> >There is no single solution, probably never will be.
> >
> > - Bob
> >
> >Bob Dehnhardt
> >IT Operations Manager - Reno
> >TriNet
> >(775) 327-6407
> >
> > -----Original Message-----
> >From: Steve Halligan [mailto:giermo@geeksquad.com]
> >Sent: Friday, December 13, 2002 10:16 AM
> >To: 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
> >Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> >
> >>I attended Infosecurity 2002 yesterday and there was much talk about intrusion detection going away, and intrusion prevention replacing it. Does anyone know if there are any plans to include intrusion prevention functionality into Snort in the future?
> >
> >The future is now.
> >
> >http://www.snort.org/dl/contrib/patches/inline/
> >
> >Also see Hogwash at:
> >http://www.snort.org/dl/contrib/patches/hogwash/
> >
> >Now one could (and I would) debate the premise that you stated, but that is a whole 'nother can of worms.
> >
> >-steve
>
> --
> The secret to success is to start from scratch and keep on scratching.
>
> --__--__--
>
> Message: 4
> Date: Fri, 13 Dec 2002 16:06:36 -0800
> From: Alberto Gonzalez <albertg@cerebro.violating.us>
> CC: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] stopping snort
>
> daemontools?
>
> Bennett Todd wrote:
>
> >2002-12-13-13:54:14 Don:
> >
> >>Has anyone found a way to stop snort, automatically, [...]
> >
> >That's very much a platform-specific question. On platforms on which I'd try and support snort, when it's installed the way I'd install it, I can always stop it with "/etc/init.d/snort stop".
> >
> >>what i want to do is have snort stop, if it gets more than 'x' alerts in a single hour, or some time frame, then of course email me that it has stopped.
> >
> >On the platforms where I'd support snort, I'd just use swatch with a rule to stop snort. No new engineering required. However, I wouldn't actually set this up; instead, I'd fix the underlying problem of looping errors.
> >
> >>i do go to syslog with alerts. any suggestions. I have a particular sensor that periodically starts alerting on something, that just causes a round robin effect, and fills up the logs with the same error over and over and over, it gets really boring actually.
> >
> >Sounds like the snort alert is re-triggering the alarm. You've got several choices.
> >
> >- don't ship the snort alerts off-system
> >- don't ship them through an interface that snort is watching
> >- fix the signature so it doesn't re-signal on its own alarm data
> >- encapsulate the alarm data in something like SSL or SSH so snort can't see the scary bits any more
> >- write a BPF filter to blind snort to the traffic stream that's carrying the alarms off-system
> >- disable the alarm that's looping
> >
> >and maybe there are more alternatives.
> >
> >-Bennett
>
> --
> The secret to success is to start from scratch and keep on scratching.
>
> --__--__--
>
> Message: 5
> From: "Salloum, Camile" <SalloumC@Grangeinsurance.com>
> To: "'snort-users@lists.sourceforge.net'" <snort-users@lists.sourceforge.net>
> Date: Fri, 13 Dec 2002 16:07:21 -0500
> Subject: [Snort-users] No Traffic stats showing in my acid main php browser
>
> Hi. I am at the point now where I have run the CIS Cerberus Scanner on my local host. The machine is not connected to a good switch, just a simple Linksys switch. I have run the CIS Scanner and still get no traffic stats. Why? What am I missing here? Why doesn't the web browser automatically refresh itself? I am forced to refresh it manually. Where can I check to troubleshoot? Thank You.
>
> Camile L Salloum
>
> --__--__--
>
> Message: 6
> Date: Fri, 13 Dec 2002 13:14:07 -0800
> From: Erick Mechler <emechler@techometer.net>
> To: twig les <twigles@yahoo.com>
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] New Trend: Intrusion Prevention
>
> :: I believe it intercepts kernel calls and blocks/passes them, kinda playing middleman. Not sure though. Looks neat, but I don't see any silver bullet here either; not unless you want to slap this type of thing on your 500-5000 XP workstations too.
>
> Okena makes one that my team is currently evaluating. Twig, you're right, it sits between the application and the OS level and looks at all system calls that the applications are making. Benefits of sitting this low: you can have extremely fine-grained control over what an application is allowed to use/modify/read/etc.; you can analyze encrypted data since the application has already decrypted it. Drawbacks: it takes a *lot* of setup time to figure out exactly what certain applications need.
>
> http://www.okena.com/areas/products/products_stormwatch.html
>
> Niels Provos also wrote something similar for UNIX, called systrace.
>
> http://www.citi.umich.edu/u/provos/systrace/
>
> I'm not sure this is what Paul Sheahan was referring to when he was talking about Intrusion Prevention, though, seeing as this is a host-based solution. There are network-based Intrusion Prevention solutions, but in my opinion they're really not practical due to the fact that you need an extremely high degree of accuracy (as Bob already mentioned).
>
> Cheers - Erick
>
> --__--__--
>
> Message: 7
> Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> Date: Fri, 13 Dec 2002 15:27:47 -0600
> From: "Chris Eidem" <ceidem@Dexma.com>
> To: "twig les" <twigles@yahoo.com>, "Snort List (E-mail)" <snort-users@lists.sourceforge.net>
>
> > -----Original Message-----
> > From: twig les [mailto:twigles@yahoo.com]
> > Sent: Friday, December 13, 2002 2:27 PM
> > To: Ibarra, Michael; 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
> > Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> >
> > I've seen a few of these for a couple years now, but generally I run into the host-based ones. Eeye makes one for that retarded MS web server here: http://www.eeye.com/html/Products/SecureIIS/index.html
> >
> > I believe it intercepts kernel calls and blocks/passes them, kinda playing middleman. Not sure though. Looks neat, but I don't see any silver bullet here either; not unless you want to slap this type of thing on your 500-5000 XP workstations too.
>
> my retarded servers have enough trouble with their IIS miscommunicating with the kernel as it is. i really don't want to add another layer that could muck things up even more...
>
> my basic thought is this (IPS - that is) is too dangerous right now for this to be used in a production network. the DOS potential against a system is way too high and you would have to have 10000 rules to make sure that you have the right signature before you start blocking connections accurately.
>
> locking the doors and checking the windows is difficult enough without having to go out onto the sidewalk and chase any 'shady' looking person from your yard.
>
> - chris
>
> --__--__--
>
> Message: 8
> From: "Axness, Bob" <BAxness@stjosephswb.com>
> To: "'Salloum, Camile'" <SalloumC@Grangeinsurance.com>, "'snort-users@lists.sourceforge.net'" <snort-users@lists.sourceforge.net>
> Subject: RE: [Snort-users] No Traffic stats showing in my acid main php browser
> Date: Fri, 13 Dec 2002 15:37:46 -0600
>
> I am a newbie to Snort but I think your problem is...
> The interface that is doing the listening needs to be on a hub or a switch capable of doing port mirroring/monitoring.
> If you are on a normal switch listening you won't see/hear anything. Swap it out with a hub and I bet you'll see some stats.
>
> Bob
>
> -----Original Message-----
> From: Salloum, Camile [mailto:SalloumC@Grangeinsurance.com]
> Sent: Friday, December 13, 2002 3:07 PM
> To: 'snort-users@lists.sourceforge.net'
> Subject: [Snort-users] No Traffic stats showing in my acid main php browser
>
> Hi. I am at the point now where I have run the CIS Cerberus Scanner on my local host. The machine is not connected to a good switch, just a simple Linksys switch. I have run the CIS Scanner and still get no traffic stats. Why? What am I missing here? Why doesn't the web browser automatically refresh itself? I am forced to refresh it manually. Where can I check to troubleshoot? Thank You.
>
> Camile L Salloum
>
> --__--__--
>
> Message: 9
> From: "Ibarra, Michael" <m.ibarra@cdcixis-na.com>
> To: snort-users@lists.sourceforge.net
> Date: Fri, 13 Dec 2002 16:50:17 -0500
> Subject: [Snort-users] Huge Amount of Port 1433 Scans From Asian IP's
>
> Am I the only one who has seen an extremely large rise in scans to port 1433/ms-sql? While not a problem for me, we do not run this crap, just curious to find out why it hasn't stopped, the src addr's are mostly the same.
>
> -mike
>
> --__--__--
>
> Message: 10
> Date: Fri, 13 Dec 2002 17:17:42 -0500 (EST)
> From: "Anton A. Chuvakin" <anton@chuvakin.org>
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] YASG :-) - yet another setup guide for snort (switched, Debian, MySQL, etc)
>
> All,
>
> Covers Debian GNU/Linux based setup for single sensor and distributed environments, MySQL, ACID, etc.
>
> "Complete Snort-based IDS Architecture, Part One"
> http://online.securityfocus.com/infocus/1640
>
> "Complete Snort-based IDS Architecture, Part Two"
> http://online.securityfocus.com/infocus/1643
>
> Comments are welcome!
>
> Best,
> --
> Anton A. Chuvakin, Ph.D., GCIA
> http://www.chuvakin.org
> http://www.info-secure.org
>
> --__--__--
>
> Message: 11
> Date: Fri, 13 Dec 2002 17:21:25 -0500
> Subject: Re: [Snort-users] New Trend: Intrusion Prevention
> Cc: "Snort List (E-mail)" <snort-users@lists.sourceforge.net>
> To: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan@priceline.com>
> From: Martin Roesch <roesch@sourcefire.com>
>
> Hi Paul,
>
> I went into this on the Focus-IDS mailing list a month or so ago. Basically, I believe IPS to be more of a threat to (or the future of) firewalls. Network intrusion prevention devices sit in-line and provide permit/deny access control for packet streams based on whether or not they're attacks. Presumably it would be relatively easy as a subset of functionality to add stateful packet filtering that's just as good or better than any existing firewalling mechanisms. Netscreen and Checkpoint have figured this out, which is why you see them making aggressive moves in the IPS space. Intrusion detection devices have a VERY different role in the network security hierarchy; they provide *awareness* of what's happening on your network, verification of policy compliance and detection of potential threats and anomalies.
>
> Let me lay out two scenarios that illustrate why intrusion prevention != intrusion detection and why it's unlikely that IPS will ever replace IDS (and how everyone who's trying to tell you it will is trying to sell you something):
>
> 1) IPS devices only guard the peering points (at best) of the network. In the case of an attack between hosts on the same broadcast network (inside the peering point) you have absolutely no coverage from the IPS. In that case you'll need to have an IDS to tell you what's going on. For example, someone in engineering decides to give himself a raise by hacking into the accounting department and making it so; your IPS has no visibility into this traffic so it's quite worthless. Your IDS can see this traffic, however, and collect the relevant information for detection/enforcement of policy and evidence for law enforcement.
>
> 2) No IPS is going to be perfect, so attacks are going to slip through them. It can be attacks that they don't know about (new buffer overflows, etc) or even traffic that's legitimate but hostile in your environment, like non-anonymous logins to your anonymous FTP server. If an attack gets by an IDS, how will you know? You better have a pretty good IDS to tell you, that's how.
>
> There are several other things I could highlight, but I think this illustrates the point pretty well and it's Friday and late and I feel like going home. :)
>
> -Marty
>
> On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW) wrote:
>
> > I attended Infosecurity 2002 yesterday and there was much talk about intrusion detection going away, and intrusion prevention replacing it. Does anyone know if there are any plans to include intrusion prevention functionality into Snort in the future?
> >
> > Thanks,
> >
> > Paul Sheahan
> > Manager of Information Security
> > Priceline.com
> > paul.sheahan@priceline.com
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch@sourcefire.com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
> --__--__--
>
> Message: 12
> Date: Fri, 13 Dec 2002 17:37:54 -0600
> From: Todd Holloway <todd@duckland.org>
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] snorting SSL/TLS traffic?
>
> I've been playing with "ssldump" today and I've gotten it so that I can see (when giving it the proper private key) I can decrypt some traffic (how much I'm still not sure...but more than w/o the key).
>
> Is there a way I can get snort to "see" the network the same way?
>
> Is somebody working on this...most of the traffic to our site is "https".
>
> thanks
> todd
>
> --
> [It] contains "vegetable stabilizer" which sounds ominous. How unstable are vegetables?
> Jeff Zahn
>
> --__--__--
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> End of Snort-users Digest
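As an added illustration, not taken from any of the posts in the quoted digest and not swatch itself: the alert-rate watchdog Don asks for in the "stopping snort" thread, plus the loop diagnosis Bennett Todd gives in his reply, written out in Python. The syslog lines it runs over are constructed (host names, addresses and the local SIDs are made up), the threshold and window values are arbitrary, and the BPF expression at the end assumes the alerts leave the sensor as syslog over UDP.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed sample of Snort alert lines as they land in syslog. Host names,
# addresses and the local SIDs (1000001-1000003) are made up. The first eight
# lines model Don's "round robin": the sensor ships each alert to the syslog
# collector 10.0.0.5:514, that datagram matches the same local rule again,
# and so on. The last two are ordinary, unrelated alerts half an hour later.
LOOP_LINE = ("Dec 13 13:54:{sec:02d} sensor snort[1234]: [1:1000001:1] LOCAL chatty rule "
             "[Classification: Misc activity] [Priority: 3]: {{UDP}} 10.0.0.9:1025 -> 10.0.0.5:514")
SAMPLE_SYSLOG = "\n".join(
    [LOOP_LINE.format(sec=14 + i // 2) for i in range(8)]
    + ["Dec 13 14:30:02 sensor snort[1234]: [1:1000002:1] LOCAL icmp probe "
       "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.7 -> 10.0.0.9",
       "Dec 13 14:30:05 sensor snort[1234]: [1:1000003:1] LOCAL snmp probe "
       "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.7:3422 -> 10.0.0.9:705"]
)

# One alert per syslog line: timestamp, host, "snort[pid]:", [gid:sid:rev],
# message, classification, priority, protocol, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
LOG_YEAR = 2002  # syslog timestamps carry no year; assumed for the sample


def parse_alert(line):
    """Return (timestamp, sid, msg, dst) for one alert line, or None."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["sid"]), m["msg"], m["dst"]


def watch(log_text, threshold=5, window_seconds=3600):
    """Slide a window over the alerts, swatch-style, and say whether more than
    `threshold` of them ever fall inside `window_seconds` (the "stop snort"
    condition Don asked for). The busiest window is also summarised by its
    dominant SID and destination, because one rule firing over and over at
    the host that receives the alerts is the looping case Bennett describes,
    and that is what wants fixing rather than the watchdog firing."""
    window = deque()
    peak, peak_members = 0, []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        window.append(alert)
        # expire alerts older than the window relative to the newest one
        while (alert[0] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > peak:
            peak, peak_members = len(window), list(window)
    tripped = peak > threshold
    top_sid, top_count, top_dst = None, 0, None
    if peak_members:
        top_sid, top_count = Counter(a[1] for a in peak_members).most_common(1)[0]
        top_dst = Counter(a[3] for a in peak_members if a[1] == top_sid).most_common(1)[0][0]
    share = top_count / peak if peak else 0.0
    return {
        "tripped": tripped,
        "peak": peak,
        "top_sid": top_sid,
        "top_sid_share": share,
        "top_dst": top_dst,
        # one SID making up 80%+ of a tripped window smells like a loop
        "loop_suspect": tripped and share >= 0.8,
    }


def bpf_exclusion(collector):
    """BPF expression that blinds the sensor to the alert stream itself, one
    of Bennett's options; assumes syslog over UDP and `collector` given as
    'host:port' exactly as it appears in the dst field."""
    host, port = collector.rsplit(":", 1)
    return f"not (dst host {host} and udp dst port {port})"


if __name__ == "__main__":
    report = watch(SAMPLE_SYSLOG, threshold=5, window_seconds=3600)
    print(report)
    if report["loop_suspect"]:
        print("likely alert loop; candidate filter:", bpf_exclusion(report["top_dst"]))
```

watch() on its own only answers the question Don asked (did the count pass the threshold inside the window); the top_sid/top_dst summary is there so that the first reaction to a tripped watchdog is Bennett's, find the rule that is re-firing on the sensor's own alert traffic and then filter, fix or disable it, rather than just stopping and restarting the sensor.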