michael_b
Profile Information

  • Country
    Belgium
  1. Using the following exact enablesid.conf enables all (5 exceptions) rules:

       # example enablesid.conf v3.1
       # SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file
       # will be set back to their ORIGINAL state as it was read when they were
       # originally extracted from the source tarball!
       # Example of modifying state for individual rules
       # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
       # Example of modifying state for rule ranges
       # 1:220-1:3264,3:13010-3:13013
       # Comments are allowed in this file, and can also be on the same line
       # As the modify state syntax, as long as it is a trailing comment
       # 1:1011 # I Disabled this rule because I could!
       # Example of modifying state for MS and cve rules, note the use of the :
       # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
       # and all MS00 and all cve 2000 related sids! These support regular expression
       # matching only after you have specified what you are looking for, i.e.
       # MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
       # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
       # for this.
       # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
       # Example of using the pcre: keyword to modify rulestate. the pcre keyword
       # allows for full use of regular expression syntax, you do not need to designate
       # with / and all pcre searches are treated as case insensitive. For more information
       # about regular expression syntax: http://www.regular-expressions.info/
       # The following example modifies state for all MS07 through MS10
       # pcre:MS(0[7-9]|10)-\d+
       # Example of modifying state for specific categories entirely (see README.CATEGORIES)
       # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
       # Any of the above values can be on a single line or multiple lines, when
       # on a single line they simply need to be separated by a ,
       # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
       # The modifications in this file are for sample/example purposes only and
       # should not actively be used, you need to modify this file to fit your
       # environment.
       app-detect
       blacklist
       browser-chrome
       browser-firefox
       browser-ie
       browser-other
       browser-plugins
       browser-webkit
       content-replace
       decoder
       dos
       exploit-kit
       file-executable
       file-flash
       file-identify
       file-image
       file-java
       file-multimedia
       file-office
       file-other
       file-pdf
       indicator-compromise
       indicator-obfuscation
       indicator-scan
       indicator-shellcode
       malware-backdoor
       malware-cnc
       malware-other
       malware-tools
       netbios
       os-linux
       os-mobile
       os-other
       os-solaris
       os-windows
       policy-multimedia
       policy-other
       policy-social
       policy-spam
       preprocessor
       protocol-dns
       protocol-finger
       protocol-ftp
       protocol-icmp
       protocol-imap
       protocol-nntp
       protocol-pop
       protocol-rpc
       protocol-scada
       protocol-services
       protocol-snmp
       protocol-telnet
       protocol-tftp
       protocol-voip
       pua-adware
       pua-other
       pua-p2p
       pua-toolbars
       server-apache
       server-iis
       server-mail
       server-mssql
       server-mysql
       server-oracle
       server-other
       server-samba
       server-webapp
       sql
       x11
  2. Sure, I think I got it from the snort archive, a reply to a question of you yourself. I commented out the full list, and enabled only some of them. If you remove the enabled items and then uncomment them all, all my rules become enabled.

       # example enablesid.conf v3.1
       # SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file
       # will be set back to their ORIGINAL state as it was read when they were
       # originally extracted from the source tarball!
       # Example of modifying state for individual rules
       # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
       # Example of modifying state for rule ranges
       # 1:220-1:3264,3:13010-3:13013
       # Comments are allowed in this file, and can also be on the same line
       # As the modify state syntax, as long as it is a trailing comment
       # 1:1011 # I Disabled this rule because I could!
       # Example of modifying state for MS and cve rules, note the use of the :
       # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
       # and all MS00 and all cve 2000 related sids! These support regular expression
       # matching only after you have specified what you are looking for, i.e.
       # MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
       # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
       # for this.
       # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
       # Example of using the pcre: keyword to modify rulestate. the pcre keyword
       # allows for full use of regular expression syntax, you do not need to designate
       # with / and all pcre searches are treated as case insensitive. For more information
       # about regular expression syntax: http://www.regular-expressions.info/
       # The following example modifies state for all MS07 through MS10
       # pcre:MS(0[7-9]|10)-\d+
       # Example of modifying state for specific categories entirely (see README.CATEGORIES)
       # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp
       # Any of the above values can be on a single line or multiple lines, when
       # on a single line they simply need to be separated by a ,
       # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
       # The modifications in this file are for sample/example purposes only and
       # should not actively be used, you need to modify this file to fit your
       # environment.
       preprocessor
       protocol-ftp
       server-iis
       server-mssql
       server-mysql
       os-windows
       malware-backdoor
       malware-cnc
       malware-other
       malware-tools
       browser-chrome
       browser-firefox
       browser-ie
       browser-other
       exploit-kit
       blacklist
       #full list:
       #app-detect
       #blacklist
       #browser-chrome
       #browser-firefox
       #browser-ie
       #browser-other
       #browser-plugins
       #browser-webkit
       #content-replace
       #decoder
       #dos
       #exploit-kit
       #file-executable
       #file-flash
       #file-identify
       #file-image
       #file-java
       #file-multimedia
       #file-office
       #file-other
       #file-pdf
       #indicator-compromise
       #indicator-obfuscation
       #indicator-scan
       #indicator-shellcode
       #malware-backdoor
       #malware-cnc
       #malware-other
       #malware-tools
       #netbios
       #os-linux
       #os-mobile
       #os-other
       #os-solaris
       #os-windows
       #policy-multimedia
       #policy-other
       #policy-social
       #policy-spam
       #preprocessor
       #protocol-dns
       #protocol-finger
       #protocol-ftp
       #protocol-icmp
       #protocol-imap
       #protocol-nntp
       #protocol-pop
       #protocol-rpc
       #protocol-scada
       #protocol-services
       #protocol-snmp
       #protocol-telnet
       #protocol-tftp
       #protocol-voip
       #pua-adware
       #pua-other
       #pua-p2p
       #pua-toolbars
       #server-apache
       #server-iis
       #server-mail
       #server-mssql
       #server-mysql
       #server-oracle
       #server-other
       #server-samba
       #server-webapp
       #sql
       #x11

     I can post a screenshot of the amount of enabled rules in the PulledPork command line later today if you wish. I use the following command to update the rules without redownload:

       perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T -nP
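How the selectors in these enablesid.conf/disablesid.conf files pick rules (gid:sid, gid:sid ranges, pcre: over the rule text, and bare category names), as an added example that is not michael_b's code nor PulledPork's own. The sample rules are constructed, the MS/cve/bugtraq reference selectors are left out, and precedence between the enable and disable files is left to PulledPork and not modelled.

```python
import re

# Constructed sample rules (not from the thread): (category file, gid, sid, rule text).
SAMPLE_RULES = [
    ("protocol-icmp", 1, 100001, 'alert ip any any -> any any (msg:"CONSTRUCTED igmp by name"; ip_proto:igmp; sid:100001;)'),
    ("protocol-icmp", 1, 100002, 'alert ip any any -> any any (msg:"CONSTRUCTED igmp by number"; ip_proto:2; sid:100002;)'),
    ("server-iis", 1, 100003, 'alert tcp any any -> any 80 (msg:"CONSTRUCTED iis"; sid:100003;)'),
    ("browser-ie", 1, 100004, 'alert tcp any 80 -> any any (msg:"CONSTRUCTED ie"; sid:100004;)'),
    ("preprocessor", 3, 13010, 'alert ( msg:"CONSTRUCTED preprocessor event"; sid:13010; gid:3; )'),
]

SID_RE = re.compile(r"^(\d+):(\d+)$")
RANGE_RE = re.compile(r"^(\d+):(\d+)-(\d+):(\d+)$")


def parse_selectors(conf_text):
    """Split a conf into selector tokens: '#' starts a full-line or trailing comment;
    values may sit on one line separated by ',' or one per line.
    Limitation: a pcre: containing ',' or '#' is not handled by this toy parser."""
    selectors = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        selectors.extend(tok.strip() for tok in line.split(",") if tok.strip())
    return selectors


def matches(selector, rule):
    """Does one selector pick this rule? pcre: is searched over the whole rule
    text, case-insensitive, as the conf comments state; anything that is not a
    sid, a range or a pcre: is treated as a category (the file the rule came from)."""
    category, gid, sid, text = rule
    if m := SID_RE.match(selector):
        return (gid, sid) == (int(m[1]), int(m[2]))
    if m := RANGE_RE.match(selector):
        return (int(m[1]), int(m[2])) <= (gid, sid) <= (int(m[3]), int(m[4]))
    if selector.startswith("pcre:"):
        return re.search(selector[5:], text, re.IGNORECASE) is not None
    return selector == category


def select(conf_text, rules):
    """Set of (gid, sid) that a conf selects."""
    selectors = parse_selectors(conf_text)
    return {(r[1], r[2]) for r in rules if any(matches(s, r) for s in selectors)}


# A category-based enablesid (as in the thread) and the igmp disablesid workaround.
ENABLE_CONF = "# constructed excerpt\npreprocessor\nprotocol-icmp\nserver-iis\nbrowser-ie\n"
DISABLE_CONF = "pcre:ip_proto:igmp   # rules Snort on Windows could not load\n"
```

Note that the disable selector only hits the rule written as `ip_proto:igmp`, not the one written as `ip_proto:2`, which matches what the thread observed about the two spellings.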
  3. Hi, Is it possible to add TLS & authentication support to the EventWatchNT tool? I would like to use a simple gmail address to send the mails, but that seems to be impossible with the eventwatchnt tool. Or, do you know about other good tools that can accomplish something similar? Regards
  4. Hello Morpheus, 1) As I didn't know yet how the enablesid.conf and the ips_policy exactly worked together with the snort.conf, I enabled all rules for my first tests. (I enabled them all through the enablesid.conf, by adding all possible classifications, preprocessor, protocol-ftp, blacklist, etc.). Now if you do that, there are about 24095 rules that become enabled. 25 of them concern the IGMP protocol. Snort knows about this protocol, but apparently it needs the number (2 in this case). Two out of the 25 rules were specified with 'igmp' (not the number); Snort looks at the Windows protocols file to translate it to a protocol number. Problem was that not all protocol numbers are included by default in that file. So yes, I think it would be good to add that in the modder.vbs. By the way, I also had to add '132' (SCTP). It's possible that in future updates, other protocol numbers will be necessary (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). 2) Yes, I've posted two questions in the snort users list today, and received an answer maximum 30 minutes later. The link between PulledPork and Snort is becoming very clear. Thanks for these guides, you must have put a lot of work in them.
  5. And in response to my comment about the fact that all rules are disabled by default, it seems to be more complicated than that. I don't quite understand how the pulledpork conf (ips_policy) and the snort.conf work together. However, that is more a pulledpork issue, so I asked the question on the users list: http://sourceforge.net/p/snort/mailman/snort-users/thread/DUB119-W52031FD174234DE21E7744A5EA0%40phx.gbl/#msg34041805.
  6. Ok, found the cause. It seems on Windows there is a protocols file: C:\Windows\System32\drivers\etc\protocol. It didn't contain number 2 ;).
  7. Good guide, however less clearly explained than the Snort setup guide. After completing the guide, all rules are DISABLED, you have to add the complete list of classifications in the enablesid.conf, before rules become enabled. But that helps in learning how it works, so thanks! However, the real issue I'm having is that the igmp protocol doesn't seem to be supported. Upon testing Snort, I receive an error: Invalid protocol name for "ip_proto" rule option: "igmp". Therefore, I have disabled these rules in my disable.conf (pcre:ip_proto:igmp). Any idea how to enable support for the igmp protocol? (21 rules are disabled by this regular expression, so it is not such a big deal, but still). UPDATE: Hmm it's pretty strange, because Snort doesn't throw an error on 'ip_proto:2', even though that is exactly the same as saying 'ip_proto:igmp'. Maybe a very small issue in the protocol number to name link? Can that link be changed manually?
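The igmp failure discussed in posts 4, 6 and 7 comes down to a name that Snort cannot translate with the Windows protocols file. The check below, an added example and not michael_b's code or the guide's modder.vbs, extracts the symbolic ip_proto names a rule set uses, looks them up in a protocols file and lists the ones with no entry; the protocol file excerpt and rules are constructed, and the two numbers come from the IANA registry linked in post 4.

```python
import re

# Constructed excerpt of C:\Windows\System32\drivers\etc\protocol (not copied from a
# real host): <name> <number> [aliases...] [# comment]. As in the thread, 'igmp' (2)
# is absent, and so is 'sctp' (132).
PROTOCOL_FILE = """\
# <protocol name>  <assigned number>  [aliases...]   [#<comment>]
ip     0   IP    # Internet protocol
icmp   1   ICMP  # Internet control message protocol
tcp    6   TCP   # Transmission control protocol
udp    17  UDP   # User datagram protocol
"""

# Constructed rule lines using ip_proto both by name and by number.
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"CONSTRUCTED igmp by name"; ip_proto:igmp; sid:100001;)',
    'alert ip any any -> any any (msg:"CONSTRUCTED igmp by number"; ip_proto:2; sid:100002;)',
    'alert ip any any -> any any (msg:"CONSTRUCTED sctp"; ip_proto:sctp; sid:100003;)',
    'alert ip any any -> any any (msg:"CONSTRUCTED not tcp"; ip_proto:!tcp; sid:100004;)',
]

# The two numbers the thread ended up adding (IANA protocol-numbers registry).
IANA_FIXES = {"igmp": 2, "sctp": 132}

IP_PROTO_RE = re.compile(r"ip_proto\s*:\s*[!<>]?\s*([A-Za-z0-9_-]+)\s*;")


def parse_protocol_file(text):
    """Map each protocol name and alias (lower-cased) to its number."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].isdigit():
            for name in [fields[0]] + fields[2:]:
                table[name.lower()] = int(fields[1])
    return table


def ip_proto_names(rules):
    """Symbolic ip_proto values; numeric ones (e.g. ip_proto:2) need no lookup."""
    return {v.lower() for r in rules for v in IP_PROTO_RE.findall(r) if not v.isdigit()}


def unresolved_protocols(rules, protocol_file_text):
    """Names this protocols file cannot translate; each produces Snort's
    'Invalid protocol name for "ip_proto" rule option' error at rule load."""
    table = parse_protocol_file(protocol_file_text)
    return sorted(n for n in ip_proto_names(rules) if n not in table)


def fix_lines(missing):
    """Lines to append to the protocols file for the names whose number we know."""
    return [f"{n:<7}{IANA_FIXES[n]:<5}{n.upper()}" for n in missing if n in IANA_FIXES]
```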
  8. Ok, after debugging BASE I've found the issue. It seems one query in base_cache.inc.php is broken. It looks (among others) for '(spp_%' instead of 'spp_%', which is the correct start of the arpspoof preprocessor signature name. So I changed the part of the query that is created from line 234 in base_cache.inc.php:

       /* Preprocessor events only */
       # The original "(sig_name LIKE '(spp_%')" is too limited. Cf.
       # /usr/local/src/snort-2.8.3.1_unpatched/etc/gen-msg.map
       # /usr/local/src/snort-2.8.3.1_unpatched/src/generators.h
       # Currently I have included all the names that I have found in
       # these files.
       # Note: Do always add '%' in LIKE-statements. Otherwise the entries
       # won't match.
       if ( $db->baseGetDBversion() >= 100 )
       {
         $schema_specific[3] = " ( " .
           "(sig_name LIKE '(spp_%') OR " .
           "(sig_name LIKE '(spo_%') OR " .
           "(sig_name LIKE '(snort_decoder)%') OR " .
           "(sig_name LIKE '(http_decode)%') OR " .
           "(sig_name LIKE '(http_inspect)%') OR " .
           "(sig_name LIKE '(portscan)%') OR " .
           "(sig_name LIKE '(flow-portscan)%') OR " .
           "(sig_name LIKE '(frag3)%') OR " .
           "(sig_name LIKE '(smtp)%') OR " .
           "(sig_name LIKE '(ftp_pp)%') OR " .
           "(sig_name LIKE '(telnet_pp)%') OR " .
           "(sig_name LIKE '(ssh)%') OR " .
           "(sig_name LIKE '(stream5)%') OR " .
           "(sig_name LIKE '(dcerpc)%') OR " .
           "(sig_name LIKE '(dns)%') OR " .
           "(sig_name LIKE '(ppm)%') OR " .
           "(sig_name LIKE 'spp_%') OR " .
           "(sig_name LIKE 'spo_%') OR " .
           "(sig_name LIKE 'snort_decoder%') OR " .
           "(sig_name LIKE 'http_decode%') OR " .
           "(sig_name LIKE 'http_inspect%') OR " .
           "(sig_name LIKE 'portscan%') OR " .
           "(sig_name LIKE 'flow-portscan%') OR " .
           "(sig_name LIKE 'frag3%') OR " .
           "(sig_name LIKE 'smtp%') OR " .
           "(sig_name LIKE 'ftp_pp%') OR " .
           "(sig_name LIKE 'telnet_pp%') OR " .
           "(sig_name LIKE 'ssh%') OR " .
           "(sig_name LIKE 'stream5%') OR " .
           "(sig_name LIKE 'dcerpc%') OR " .
           "(sig_name LIKE 'dns%') OR " .
           "(sig_name LIKE 'ppm%') " .
           " ) ";
       }

     To not break existing functionality, I have just added all variables without brackets.
  9. Hmm I don't seem to get a reply on the Snort user lists. I assume it has something to do with the way Barnyard writes the items in MySQL, but since it is not the debug version there's not much to see. The arp spoof preprocessor does not capture IP addresses, so I set the ip_src, ip_dst, ip_proto in the iphdr and comparable items in the tcphdr table to 'nullable', but no success yet.
  10. Hello, My Snort is up & running and loads of events are being logged. After yielding out some false positives, I wanted to test the arpspoof preprocessor. So I enabled:

       preprocessor arpspoof
       preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
       preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d

     And ran an ARP attack using ettercap. The problem is that these events do not show up in my winids (and neither in the MySQL database). It seems to be a similar problem to this: http://seclists.org/snort/2012/q1/99 Now, I've checked my barnyard output window, and the ettercap events DO show up there (see screenshot), they are just not stored in my database. My feeling is thus that it is a formatting issue: the arpspoof preprocessor outputs the events in a format which barnyard cannot log to MySQL. What I don't know is how I can solve this. Any ideas?
  11. This is a perfect guide. All is running fine on SBS2011. I just need to complete the post-installation tasks. Thank you very much. Only two very, very small mistakes in the guide:
     - adding entry to hosts through the modder script. In case there's already an entry in the hosts file, the winids entry is copied right next to the last existing entry, without spaces
     - unzip -oqq d:\temp\php-5.6.7 -nts-Win32-VC11-x64.zip -d d:\winids\php => here is one space too much, between 5.6.7 and -nts
     Regards
  12. All the above was true so changed the line. The script has run now. Will report back once everything is completed :). Thanks
  13. Thanks for the quick answer. Running the above command gives me: CurrentVersion REG_SZ 6.1 However, line 16 of modder.vbs already reads as: Case 6.0, 6.1, 6.2, 6.3: So it seems 6.1 is already added. The exact error message that I receive is given in the attached image. I took a screenshot of the version command and output as well. And to be sure a screenshot of the modder file as well.
  14. Hello, Is there any way to modify the install so that this guide can also be used for a Small Business Server 2011? The modder.vbs gives me a warning that the OS is not supported.