From james at mandala-designs.com Tue Aug 11 15:01:27 2009
From: james at mandala-designs.com (James Chase)
Date: Tue, 11 Aug 2009 15:01:27 -0400
Subject: [Snortsam-discussion] snortsam not linked to PF correctly OpenBSD 4.4
Message-ID: <4A81C007.8050707@mandala-designs.com>

Hi,

I'm having trouble setting up snortsam on OpenBSD 4.4 with pf. I have snortsam patched into barnyard from my snort sensor and this all seems to be fine, but when a rule matches and snortsam tries to update the firewall rules I get this:

Debug: Block triggered by Signature ID: 9999999
Blocking host 209.214.64.47 in connection 209.214.64.47->216.237.100.243:0 (icmp) for 15 seconds (Sig_ID: 9999999).
Debug: [pf][86b78400] Plugin Blocking...
Error: Can't Block ip 202.70.244.185 (No such process)

I have not created any of the pf tables or anchors because I wanted to observe how the pf plugin works in "auto" mode, but when I try and set auto mode in snortsam.conf, it does not appear to read my configuration option. Here is my snortsam.conf file:

auto=1
defaultkey secrets
port 6783
accept 192.168.1.0/24
keyinterval 30 minutes
pf sis0 logall
eth sis0
logfile /var/log/snortsam.log
loglevel 3

On startup I see some of these debug messages relating to the pf plugin (and showing that it is ignoring some options in snortsam.conf). I'm not sure what I missed from reading the wiki pages online.

Linking plugin 'pf'...
Debug: [pf] Plugin Parsing...
Info: [/etc/snortsam.conf: 6] PF anchor name not defined, using "ssblock"
Info: [/etc/snortsam.conf: 6] PF table name not defined, using "ssblockedips"
Warning: [/etc/snortsam.conf: 6] PF ethernet name not defined, the IPs will be blocked on all interfaces !
Debug: [pf] Adding PF: auto=0 log=0 eth= anchor=ssblockedips table=
Error: [/etc/snortsam.conf: 7] Unknown parameter 'eth' in config file ignored.
Debug: Starting to keep track of blocks regardless of plugins used in file /var/db/snortsam.state.
Thanks,
James

From frank at snortsam.net Fri Aug 14 16:13:30 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 14 Aug 2009 15:13:30 -0500
Subject: [Snortsam-discussion] snortsam not linked to PF correctly OpenBSD 4.4
In-Reply-To: <4A81C007.8050707@mandala-designs.com>
References: <4A81C007.8050707@mandala-designs.com>
Message-ID: <1250280810.60875.96.camel@localhost>

On Tue, 2009-08-11 at 15:01 -0400, James Chase wrote:
> I'm having trouble setting up snortsam on OpenBSD 4.4 with pf. I have
> snortsam patched into barnyard from my snort sensor and this all seems
> to be fine but when a rule matches and snortsam tries to update the
> firewall rules I get this:
>
> Debug: Block triggered by Signature ID: 9999999
> Blocking host 209.214.64.47 in connection 209.214.64.47->216.237.100.243:0 (icmp) for 15 seconds (Sig_ID: 9999999).
> Debug: [pf][86b78400] Plugin Blocking...
> Error: Can't Block ip 202.70.244.185 (No such process)

I don't have any experience with OpenBSD, but it looks like Snortsam can not communicate with pf through ioctl. Is the necessary pf control daemon running? Is Snortsam running as root?

> I have not created any of the pf tables or anchors because I wanted to
> observe how the pf plugin works in "auto" mode but when I try and set
> auto mode in snortsam.conf, it does not appear to read my configuration
> option. Here is my snortsam.conf file

That might also be a problem. The proper tables need to be in place so that the call to pf can place the IP into the table. So if you don't have the tables created, it would explain the above error. Make sure that after starting Snortsam the proper tables are there. (I installed Snortsam on a FreeBSD box running pf once where it didn't create the tables. The solution was not to use the AUTO function and ensure the tables are there.)

> auto=1

Not a valid Snortsam config option.

> eth sis0

Not a valid Snortsam config option.
See http://doc.emergingthreats.net/bin/view/Main/SnortSamREADMEpf#3_Options for the documentation. When Hector wrote the doc, he meant that:

"auto=0/1 log=0/1 anchor=[string] eth=[string] (table=[string] - ignored. Listed for historical purposes only)"

are options for the "pf" config line. See the example:

"pf auto=1 log=1 anchor=fwsamd table=blockedips eth=le1"

Hope that helps.

Regards,
Frank

From frank at snortsam.net Fri Aug 14 16:19:39 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 14 Aug 2009 15:19:39 -0500
Subject: [Snortsam-discussion] Seeking "Best Way" to use PF2 plugin and Pfsense
In-Reply-To: <4A35A518.8050601@tatarsky.com>
References: <4A287889.8000903@tatarsky.com> <1245007654.10699.8.camel@localhost> <4A35A518.8050601@tatarsky.com>
Message-ID: <1250281179.60875.100.camel@localhost>

On Sun, 2009-06-14 at 20:34 -0500, Paul Tatarsky wrote:
> > bit. I'll post diffs for comments on that.
>
> I'd like to see that. I was having some issue I don't recall now that
> involved the opposite (that's why I started using PF2 vs. PF). I'll
> recheck this week why I came to that path.

Yeah, regarding those diffs that I promised... :)

These diffs are actually resident on the OpenBSD box where I hacked that in place, but I don't have access to the box. However, that user will soon be moving from FreeBSD/pf to a new box with pfsense. I intend to help him through that process, and when I do, I'll make sure I'll get a complete, clean version of the ssp_pf.{c|h} and ssp_pf2.{c|h} files for you.

> However, the method described is working quite well for me, I'm just
> trying to figure out how to make a snortsam "package" for pfsense
> (somewhat different than a BSD package). If I figure that out, I'll let
> the user define the filter names ;)

If you had any success with that, let me know. Otherwise I'll get you what you need for the package when I get that new pfsense box pounded into shape.
Cheers,
Frank

From ondrej.pesta at idc.cz Thu Aug 27 08:10:19 2009
From: ondrej.pesta at idc.cz (Ondrej Pesta)
Date: Thu, 27 Aug 2009 14:10:19 +0200
Subject: [Snortsam-discussion] snortsam not sending emails
Message-ID: <4A9677AB.90808@idc.cz>

Hi.

I have a problem with snortsam 2.60. If a rule matches, snort successfully notifies snortsam, and snortsam at host 192.168.1.100 adds a "deny" rule in my FreeBSD 7.2 ipfw firewall. Unfortunately it doesn't send emails. This is the "email" line from my snortsam.conf file:

email 192.168.1.33 netadmin at mydomain.tld snortsam at mydomain.tld

On 192.168.1.33 I have an open relay SMTP server with postfix. When a rule matches, I can see the line "connect from unknown[192.168.1.100]" in my postfix maillog. But then it waits for something and nothing else happens.

--
------------------------------------
Regards
Ondrej Pesta

From frank at snortsam.net Thu Aug 27 18:42:19 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 27 Aug 2009 17:42:19 -0500
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <4A9677AB.90808@idc.cz>
References: <4A9677AB.90808@idc.cz>
Message-ID: <1251412939.72797.124.camel@localhost>

On Thu, 2009-08-27 at 14:10 +0200, Ondrej Pesta wrote:
> Hi.
> I have a problem with snortsam 2.60. If a rule matches, snort
> successfully notifies snortsam, and snortsam at host 192.168.1.100 adds
> a "deny" rule in my FreeBSD 7.2 ipfw firewall.
> Unfortunately it doesn't send emails. This is the "email" line from my
> snortsam.conf file.
>
> email 192.168.1.33 netadmin at mydomain.tld snortsam at mydomain.tld
>
> On 192.168.1.33 I have an open relay SMTP server with postfix.
> When a rule matches, I can see the line "connect from unknown[192.168.1.100]"
> in my postfix maillog.
> But then it waits for something and nothing else happens.

Any error messages in snortsam.log? (Like "Did not receive a response from mail server at 192.168.1.33" or such?)

Snortsam just waits for the normal "220" banner from the mail server, says "HELO", waits for "250" status, and so on. Capture that mail session with ngrep and see where it fails. Perhaps Postfix is hanging trying to resolve your internal IP address? It could be that Snortsam is timing out before Postfix is timing out. The ngrep session capture of the mail session should tell you where the problem is.

Regards,
Frank

From strippe at gmail.com Thu Aug 27 20:51:34 2009
From: strippe at gmail.com (Stacy Trippe)
Date: Thu, 27 Aug 2009 19:51:34 -0500
Subject: [Snortsam-discussion] Quagga/Zebra router connect support ?
Message-ID: <721FD2A0-358C-4197-A75C-D5EA125F35A3@gmail.com>

Any chance I can get snortsam to connect to a Unix box running a Quagga/Zebra router?
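Frank's reply in the "snortsam not sending emails" thread above describes the exchange the email plugin performs: wait for the "220" banner, send HELO, wait for "250", and so on. The script below is an added diagnostic written for this page, not Snortsam's own code or its email plugin: it walks that same opening exchange against an SMTP server with a per-reply timeout and records the reply code for each step (or None where no complete reply arrived), so the stall can be named rather than guessed. To keep it runnable offline it also starts a small in-process fake MTA, constructed here, whose greeting imitates the Postfix banner seen in the ngrep capture; the HELO name "snortsam.tld" is taken from that capture, and the fake server can be told to go silent after a given command, which models the "Postfix hanging on a lookup" hypothesis from the thread.

```python
"""Step-by-step SMTP probe with a per-reply timeout (added diagnostic, not Snortsam code)."""
import socket
import socketserver
import threading

# The opening exchange as Frank describes it: (step label, command template or
# None for the server greeting, expected reply code). QUIT/221 is added so the
# probe ends cleanly; it is an assumption about the mail server, not from the thread.
EXCHANGE = [
    ("banner", None, 220),
    ("HELO", "HELO {helo}\r\n", 250),
    ("QUIT", "QUIT\r\n", 221),
]


def _read_reply(reader):
    """Read one SMTP reply, including 'NNN-' continuation lines.

    Returns the three-digit code, or None if the peer closed the connection or
    the socket timeout expired before a terminating 'NNN ' line arrived.
    """
    try:
        while True:
            line = reader.readline()
            if not line:
                return None  # peer closed the connection
            if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
                return int(line[:3])
            # otherwise a 'NNN-' continuation line: keep reading
    except socket.timeout:
        return None


def smtp_probe(host, port, helo_name="snortsam.tld", timeout=5.0):
    """Run EXCHANGE against host:port; return [(step, code_or_None), ...].

    Stops at the first step whose reply is missing or not the expected code,
    mirroring a client that cannot proceed past that point.
    """
    steps = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for label, template, expected in EXCHANGE:
            if template is not None:
                sock.sendall(template.format(helo=helo_name).encode("ascii"))
            code = _read_reply(reader)
            steps.append((label, code))
            if code != expected:
                break
    return steps


def stall_point(steps):
    """Label of the first step that got no complete reply, or None if none stalled."""
    for label, code in steps:
        if code is None:
            return label
    return None


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal fake MTA (constructed for this example). If the command named by
    server.stall_at arrives, the server goes silent until the client gives up."""

    def handle(self):
        self.wfile.write(b"220 postfix.tld ESMTP Postfix\r\n")  # greeting as in the capture
        while True:
            line = self.rfile.readline()
            if not line:
                return
            words = line.split()
            verb = words[0].upper() if words else b""
            if verb == self.server.stall_at:
                self.rfile.readline()  # never answer; returns once the client closes
                return
            if verb == b"HELO":
                self.wfile.write(b"250 postfix.tld\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


def start_fake_server(stall_at=None):
    """Start the fake MTA on a loopback ephemeral port; caller shuts it down."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSMTPHandler)
    srv.daemon_threads = True
    srv.stall_at = stall_at
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for stall in (None, b"HELO"):
        srv = start_fake_server(stall_at=stall)
        result = smtp_probe("127.0.0.1", srv.server_address[1], timeout=1.0)
        print(f"stall_at={stall!r}: {result} -> stalled at {stall_point(result)}")
        srv.shutdown()
        srv.server_close()
```

Run it from the Snortsam host against the real relay (smtp_probe("192.168.1.33", 25)) to separate the two sides: a None at "banner" or "HELO" means the MTA is not answering in time, which is what a reverse-lookup hang on the server would look like, whereas a clean 220/250 from the probe while the ngrep capture shows the Snortsam process itself falling silent after the 250, as in this thread, points at the client. The "nothreads" outcome later in the thread is consistent with the latter.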
From ondrej.pesta at idc.cz Fri Aug 28 02:55:05 2009
From: ondrej.pesta at idc.cz (Ondrej Pesta)
Date: Fri, 28 Aug 2009 08:55:05 +0200
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <1251412939.72797.124.camel@localhost>
References: <4A9677AB.90808@idc.cz> <1251412939.72797.124.camel@localhost>
Message-ID: <4A977F49.3080005@idc.cz>

> Any error messages in snortsam.log? (like "Did not receive a response
> from mail server at 192.168.1.33" or such?)
>
> Snortsam just waits for the normal "220" banner from the mail server,
> says "HELO", waits for "250" status, and so on. Capture that mail
> session with ngrep and see where it fails. Perhaps Postfix is hanging
> trying to resolve your internal IP address? It could be that Snortsam is
> timing out before Postfix is timing out. The ngrep session capture of
> the mail session should tell you where the problem is.

Hi.

Unfortunately there is no message about mailing in snortsam.log, even if I have "loglevel 3" in snortsam.conf. This is the output from ngrep:

########
T 192.168.1.33:25 -> 192.168.1.100:65120 [AP]
  220 postfix.tld ESMTP Postfix..
#
T 192.168.1.100:65120 -> 192.168.1.33:25 [AP]
  HELO snortsam.tld..
#
T 192.168.1.33:25 -> 192.168.1.100:65120 [AP]
  250 postfix.tld..

Ondrej

From ondrej.pesta at idc.cz Fri Aug 28 03:42:33 2009
From: ondrej.pesta at idc.cz (Ondrej Pesta)
Date: Fri, 28 Aug 2009 09:42:33 +0200
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <4A977F49.3080005@idc.cz>
References: <4A9677AB.90808@idc.cz> <1251412939.72797.124.camel@localhost> <4A977F49.3080005@idc.cz>
Message-ID: <4A978A69.8050007@idc.cz>

I also tried with sendmail. The result is more strange than with postfix. Sendmail sent the banner, but snortsam did nothing...

#####
T 192.168.1.100:113 -> 192.168.1.33:14663 [AR]
  ......
#
T 192.168.1.33:25 -> 192.168.1.100:56972 [AP]
  220 oppsbook.in.idc.cz ESMTP Sendmail 8.14.3/8.14.3; Fri, 28 Aug 2009 09:38:31 +0200 (CEST)..
Ondrej

Ondrej Pesta wrote:
>> Any error messages in snortsam.log? (like "Did not receive a response
>> from mail server at 192.168.1.33" or such?)
>>
>> Snortsam just waits for the normal "220" banner from the mail server,
>> says "HELO", waits for "250" status, and so on. Capture that mail
>> session with ngrep and see where it fails. Perhaps Postfix is hanging
>> trying to resolve your internal IP address? It could be that Snortsam is
>> timing out before Postfix is timing out. The ngrep session capture of
>> the mail session should tell you where the problem is.
>>
> Hi.
> Unfortunately there is no message about mailing in snortsam.log, even if
> I have "loglevel 3" in snortsam.conf.
> This is the output from ngrep:
>
> ########
> T 192.168.1.33:25 -> 192.168.1.100:65120 [AP]
>   220 postfix.tld ESMTP Postfix..
> #
> T 192.168.1.100:65120 -> 192.168.1.33:25 [AP]
>   HELO snortsam.tld..
> #
> T 192.168.1.33:25 -> 192.168.1.100:65120 [AP]
>   250 postfix.tld..
>
> Ondrej
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

From luis.daniel.lucio at gmail.com Fri Aug 28 19:49:39 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 28 Aug 2009 18:49:39 -0500
Subject: [Snortsam-discussion] 2.60?
Message-ID: <200908281849.39537.luis.daniel.lucio@gmail.com>

I see that on the page there is a broken link:
http://www.snortsam.net/files/snortsam/snortsam-src-2.60.tar.gz

Any comment?

LD

From frank at snortsam.net Sat Aug 29 14:11:30 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sat, 29 Aug 2009 13:11:30 -0500
Subject: [Snortsam-discussion] Quagga/Zebra router connect support ?
In-Reply-To: <721FD2A0-358C-4197-A75C-D5EA125F35A3@gmail.com>
References: <721FD2A0-358C-4197-A75C-D5EA125F35A3@gmail.com>
Message-ID: <1251569490.43992.3.camel@localhost>

On Thu, 2009-08-27 at 19:51 -0500, Stacy Trippe wrote:
> Any chance I can get snortsam to connect to a Unix box running a Quagga/
> Zebra router?

No one has written a plugin for that yet. It should be as simple as just executing commands on the Zebra router, sort of like fw_exec does. The Cisco nullroute plugin can serve as an example. Instead of telnetting to the router, the proper commands just have to be executed locally. If you want to try to write a plugin for it, feel free to do so.

Regards,
Frank

From frank at snortsam.net Sat Aug 29 14:13:28 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sat, 29 Aug 2009 13:13:28 -0500
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <4A978A69.8050007@idc.cz>
References: <4A9677AB.90808@idc.cz> <1251412939.72797.124.camel@localhost> <4A977F49.3080005@idc.cz> <4A978A69.8050007@idc.cz>
Message-ID: <1251569608.43992.5.camel@localhost>

On Fri, 2009-08-28 at 09:42 +0200, Ondrej Pesta wrote:
> I also tried with sendmail. The result is more strange than with postfix.
> Sendmail sent the banner, but snortsam did nothing...
>
> #
> T 192.168.1.33:25 -> 192.168.1.100:56972 [AP]
>   220 oppsbook.in.idc.cz ESMTP Sendmail 8.14.3/8.14.3; Fri, 28 Aug 2009 09:38:31 +0200 (CEST)..

That's indeed odd, since the plugin waits for the 220 and 250 codes, which it obviously received here.

What version of Snortsam are you using? And under what OS? Maybe try disabling multithreading by adding "nothreads" to the snortsam.conf and see if that makes a difference.

Regards,
Frank

From frank at snortsam.net Sat Aug 29 14:19:08 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sat, 29 Aug 2009 13:19:08 -0500
Subject: [Snortsam-discussion] 2.60?
In-Reply-To: <200908281849.39537.luis.daniel.lucio@gmail.com>
References: <200908281849.39537.luis.daniel.lucio@gmail.com>
Message-ID: <1251569948.43992.9.camel@localhost>

On Fri, 2009-08-28 at 18:49 -0500, Luis Daniel Lucio Quiroz wrote:
> I see that on the page there is a broken link:
> http://www.snortsam.net/files/snortsam/snortsam-src-2.60.tar.gz

There was a problem on the web site with a wrong link. From what I can see, the latest version on the web site is 2.57. Which is odd, since 2.59 was out for a while, and I recently committed a patch to CVS that brought it to 2.60 (although testing has shown that, while it was correct to change the unsigned long to an int for correctness' sake, it hasn't fixed crashes on lost TCP sessions. I'm still trying to figure that one out. So, since it didn't fix the problem, I didn't announce it.)

But it looks like the web site is indeed a bit behind. I may take the web site over again later this year so at least the tarballs get updated timely. If you want to be current, I suggest pulling the source from CVS.

Regards,
Frank

From ondrej.pesta at idc.cz Mon Aug 31 02:45:21 2009
From: ondrej.pesta at idc.cz (Ondrej Pesta)
Date: Mon, 31 Aug 2009 08:45:21 +0200
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <1251569608.43992.5.camel@localhost>
References: <4A9677AB.90808@idc.cz> <1251412939.72797.124.camel@localhost> <4A977F49.3080005@idc.cz> <4A978A69.8050007@idc.cz> <1251569608.43992.5.camel@localhost>
Message-ID: <4A9B7181.7030800@idc.cz>

Frank Knobbe wrote:
> On Fri, 2009-08-28 at 09:42 +0200, Ondrej Pesta wrote:
>
>> I also tried with sendmail. The result is more strange than with postfix.
>> Sendmail sent the banner, but snortsam did nothing...
>>
>> #
>> T 192.168.1.33:25 -> 192.168.1.100:56972 [AP]
>>   220 oppsbook.in.idc.cz ESMTP Sendmail 8.14.3/8.14.3; Fri, 28 Aug 2009 09:38:31 +0200 (CEST)..
>>
>
> That's indeed odd, since the plugin waits for the 220 and 250 codes,
> which it obviously received here.
>
> What version of Snortsam are you using? And under what OS? Maybe try
> disabling multithreading by adding "nothreads" to the snortsam.conf and
> see if that makes a difference.

It is strange that when I run snortsam, it prints:

SnortSam, v 2.56.
Copyright (c) 2001-2008 Frank Knobbe. All rights reserved.

It is installed on FreeBSD 7.2 from the port /usr/ports/security/snortsam. There it is written that it is version 2.60, and the downloaded sources are also snortsam-src-2.60.tar.gz.

I will try to disable threads.

> Regards,
> Frank

From ondrej.pesta at idc.cz Mon Aug 31 03:25:38 2009
From: ondrej.pesta at idc.cz (Ondrej Pesta)
Date: Mon, 31 Aug 2009 09:25:38 +0200
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <1251569608.43992.5.camel@localhost>
References: <4A9677AB.90808@idc.cz> <1251412939.72797.124.camel@localhost> <4A977F49.3080005@idc.cz> <4A978A69.8050007@idc.cz> <1251569608.43992.5.camel@localhost>
Message-ID: <4A9B7AF2.4080308@idc.cz>

> That's indeed odd, since the plugin waits for the 220 and 250 codes,
> which it obviously received here.
>
> What version of Snortsam are you using? And under what OS? Maybe try
> disabling multithreading by adding "nothreads" to the snortsam.conf and
> see if that makes a difference.

The problem was really caused by threading. If I add "nothreads" to the config file, it sends emails like a charm...
Ondrej

From frank at snortsam.net Mon Aug 31 18:18:54 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Mon, 31 Aug 2009 17:18:54 -0500
Subject: [Snortsam-discussion] snortsam not sending emails
In-Reply-To: <4A9B7AF2.4080308@idc.cz>
References: <4A9677AB.90808@idc.cz> <1251412939.72797.124.camel@localhost> <4A977F49.3080005@idc.cz> <4A978A69.8050007@idc.cz> <1251569608.43992.5.camel@localhost> <4A9B7AF2.4080308@idc.cz>
Message-ID: <1251757134.42741.22.camel@localhost>

On Mon, 2009-08-31 at 09:25 +0200, Ondrej Pesta wrote:
> > That's indeed odd, since the plugin waits for the 220 and 250 codes,
> > which it obviously received here.
> >
> > What version of Snortsam are you using? And under what OS? Maybe try
> > disabling multithreading by adding "nothreads" to the snortsam.conf and
> > see if that makes a difference.
>
> The problem was really caused by threading. If I add "nothreads" to the
> config file, it sends emails like a charm...

Yeah, there have been threading-related patches in recent versions, 2.59 I believe. If you pull it from CVS, give the latest version a try.

Regards,
Frank