From john at lissproductions.com Sat Dec 12 01:36:15 2009
From: john at lissproductions.com (John Liss)
Date: Fri, 11 Dec 2009 23:36:15 -0700
Subject: [Snortsam-discussion] MS ISA 2006 functionality
Message-ID: <4B2339DF.1060407@lissproductions.com>

Hey all!

I am trying to figure out how to compile snort to support snortsam, as well as getting it to work with ISA 2006. Any how-tos to point me in the general direction would be appreciated!

-John

From mark.clift at usitek.com Sat Dec 12 14:20:33 2009
From: mark.clift at usitek.com (Mark Clift)
Date: Sat, 12 Dec 2009 14:20:33 -0500
Subject: [Snortsam-discussion] MS ISA 2006 functionality
In-Reply-To: <4B2339DF.1060407@lissproductions.com>
References: <4B2339DF.1060407@lissproductions.com>
Message-ID: <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D1@Exchange-02.USitek.local>

Attached is a readme I wrote some time back.

What specific issues are you having compiling? There is a precompiled binary on the snortsam.net site for 2.8.5. The ISA binary there is compiled for ISA 2004 and probably used the DLL from that version. Though untested, it may still function for 2006, as the plugin uses the ISA management interface, which is largely unchanged between ISA 2004 and 2006; otherwise you will need to compile snortsam with the DLL from the version and patch level that matches the ISA version you are using.

Best Regards,

Mark P. Clift

________________________________
DISCLAIMER:
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: README.isa2004_2006
Url: http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20091212/10447615/README.ksh

From john at lissproductions.com Sat Dec 12 15:11:28 2009
From: john at lissproductions.com (John Liss)
Date: Sat, 12 Dec 2009 13:11:28 -0700
Subject: [Snortsam-discussion] MS ISA 2006 functionality
In-Reply-To: <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D1@Exchange-02.USitek.local>
References: <4B2339DF.1060407@lissproductions.com> <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D1@Exchange-02.USitek.local>
Message-ID: <4B23F8F0.60703@lissproductions.com>

Hey Mark,

I'm having problems compiling snort to talk to snortsam. (I haven't even gotten to compiling snortsam yet.)

What I have:

Snort 2.8.5.1 + mssql support on XP SP3 Win32 with Visual Studio 2008.
(I'm about to load VS6 to see if it fixes some weird upgrade issues that may be happening when VS2008 upgrades the VS6 project files.)

Taking the 2.8.5.1 snort code base and compiling it without the snortsam-2.8.5.diff, the SQLServer Release project seems to build OK after I resolved some minor issues like the missing SQL 2000 ntwdblib.lib, DLL and cygwin stuff.

During the build there are lots of warnings about strcpy and fopen, but it builds.

What is weird is that the file sizes are way off. (I would suspect a tad of difference in size, but not huge amounts.) Almost like it is missing some class or something.

12/12/2009  01:03 PM           905,216 snort.exe         <- Mine
10/21/2009  01:18 PM           913,408 snortworking.exe  <- downloaded from snort.org in the win32 2.8.5.1 package.

When mine runs it tosses an exception error.

Event Type:     Error
Event Source:   Application Error
Event Category: None
Event ID:       1000
Date:           12/12/2009
Time:           12:55:17 PM
User:           N/A
Computer:
Description:
Faulting application snort.exe, version 0.0.0.0, faulting module snort.exe, version 0.0.0.0, fault address 0x0008838a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 73 6e 6f   ure  sno
0018: 72 74 2e 65 78 65 20 30   rt.exe 0
0020: 2e 30 2e 30 2e 30 20 69   .0.0.0 i
0028: 6e 20 73 6e 6f 72 74 2e   n snort.
0030: 65 78 65 20 30 2e 30 2e   exe 0.0.
0038: 30 2e 30 20 61 74 20 6f   0.0 at o
0040: 66 66 73 65 74 20 30 30   ffset 00
0048: 30 38 38 33 38 61 0d 0a   08838a..

I am clueless as to where to even begin to fix this error.

Are there any articles or how-tos on compiling snort with VS2008/2005?

Or better yet, is there a win32 flavor of snort 2.8.5.x out there with mssql support and snortsam support? I haven't been able to find one.
-John

_______________________________________________
Snortsam-discussion mailing list
Snortsam-discussion at snortsam.net
http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

From mark.clift at usitek.com Sat Dec 12 17:05:17 2009
From: mark.clift at usitek.com (Mark Clift)
Date: Sat, 12 Dec 2009 17:05:17 -0500
Subject: [Snortsam-discussion] MS ISA 2006 functionality
In-Reply-To: <4B23F8F0.60703@lissproductions.com>
References: <4B2339DF.1060407@lissproductions.com> <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D1@Exchange-02.USitek.local> <4B23F8F0.60703@lissproductions.com>
Message-ID: <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D4@Exchange-02.USitek.local>

I have had the best results using VC6 when working with this project. Moving to that will probably solve most if not all of your problems. I was just about to upgrade my coding PC, but I think I will take a few minutes to see if I can get anything to compile before doing that. It has been a couple of years since I worked on this project.

Best Regards,

Mark P. Clift
From john at lissproductions.com Sun Dec 13 14:38:12 2009
From: john at lissproductions.com (John Liss)
Date: Sun, 13 Dec 2009 12:38:12 -0700
Subject: [Snortsam-discussion] MS ISA 2006 functionality
In-Reply-To: <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D4@Exchange-02.USitek.local>
References: <4B2339DF.1060407@lissproductions.com> <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D1@Exchange-02.USitek.local> <4B23F8F0.60703@lissproductions.com> <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D4@Exchange-02.USitek.local>
Message-ID: <4B2542A4.2090004@lissproductions.com>

Gang,

After loading VS6, I was able to compile both snort + mssql and snortsam + isa2006. It appears functional and is adding IPs to the block computer lists.

Thanks, Mark, for the nudge in the right direction : ]

Conclusion: VS2008's upgrade process (or just a change in functionality) breaks the project.
-John

From mark.clift at usitek.com Mon Dec 14 02:18:08 2009
From: mark.clift at usitek.com (Mark Clift)
Date: Mon, 14 Dec 2009 02:18:08 -0500
Subject: [Snortsam-discussion] MS ISA 2006 functionality
In-Reply-To: <4B2542A4.2090004@lissproductions.com>
References: <4B2339DF.1060407@lissproductions.com> <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D1@Exchange-02.USitek.local> <4B23F8F0.60703@lissproductions.com> <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D4@Exchange-02.USitek.local> <4B2542A4.2090004@lissproductions.com>
Message-ID: <4D74D1BED6FB2C4F96969E26F178E0BDCE7DF9D7@Exchange-02.USitek.local>

I am happy to hear you had success and that someone besides myself is getting use out of the work.

Best Regards,

Mark P. Clift
From jjasen at realityfailure.org Fri Dec 18 15:10:08 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Fri, 18 Dec 2009 15:10:08 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
Message-ID: <4B2BE1A0.70206@realityfailure.org>

Hello;

Long time user, first time caller.

I've been using snortsam to push blocks to checkpoint firewalls for a while now, originally starting with checkpoint fw1 R54, now R70.1. I'm currently using snortsam 2.57, but the same problem appears with 2.69.

With no changes on the client config or the server, and using the opsec plugin, snortsam blocks were working on 12/11 and mysteriously stopped on 12/14.

In 2.57, I get the following error from snortsam's log:

2009/12/18, 14:14:51, -, 1, opsec, Error: OPSEC request on 'my-firewall.fqdn.tld' (1/4) failed processing 'Inhibit-Drop any ip xxx.xxx.xxx.xxx on All'.

With 2.69, I get the same thing, but I also get:

2009/12/18, 14:14:51, -, 1, opsec, Error: [(null)] OPSEC init failed!

I am now effectively at my wit's end. Any ideas?

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire

From john at lissproductions.com Fri Dec 18 15:52:18 2009
From: john at lissproductions.com (John Liss)
Date: Fri, 18 Dec 2009 13:52:18 -0700
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BE1A0.70206@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org>
Message-ID: <4B2BEB82.2060603@lissproductions.com>

John,

Can you crank your logging up to verbose and see if it gives you any more details?

In your snortsam.cfg:

loglevel 3
logfile /var/log/snortsam.log

I'm sure you have tried this, but...

Can you ping my-firewall.fqdn.tld from the snortsam box?

Does snort connect to snortsam? (Keying issues?)

Any other IDSs in between the firewall and the snortsam box?

Any new rules on the firewall that would be blocking?

-John
> Hello;
>
> Long time user, first time caller.
>
> I've been using snortsam to push blocks to checkpoint firewalls for a while now, originally starting with checkpoint fw1 R54, now R70.1. I'm currently using snortsam 2.57, but the same problem appears with 2.69.
>
> With no changes on the client config, or the server, and using the opsec plugin, snortsam blocks were working on 12/11, and mysteriously stopped on 12/14.
>
> In 2.57, I get the following error from snortsam's log:
>
> 2009/12/18, 14:14:51, -, 1, opsec, Error: OPSEC request on 'my-firewall.fqdn.tld' (1/4) failed processing 'Inhibit-Drop any ip xxx.xxx.xxx.xxx on All'.
>
> With 2.69, I get the same thing, but I also get:
> 2009/12/18, 14:14:51, -, 1, opsec, Error: [(null)] OPSEC init failed!
>
> I am now effectively at my wit's end. Any ideas?

From jjasen at realityfailure.org Fri Dec 18 16:01:44 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Fri, 18 Dec 2009 16:01:44 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BEB82.2060603@lissproductions.com>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com>
Message-ID: <4B2BEDB8.2030202@realityfailure.org>

John Liss wrote:
> John,
>
> Can you crank your logging up to verbose and see if it gives you any more details.
>
> in your snortsam.cfg
>
> loglevel 3
> logfile /var/log/snortsam.log

Thanks for the suggestions. loglevel is already at 3.

> I'm sure you have tried this but...
>
> Can you ping my-firewall.fqdn.tld from the snortsam box?

No, but that's due to a router ACL. :)

I can telnet to the SAM port (18183) on the firewall box.

> Does snort connect to snortsam? (keying issues?)

Fails using samtool as well.

> Any other IDS's in between the firewall and the snortsam box?

Nope.

> Any new rules on the firewall that would be blocking ?

Unless Checkpoint IPS is doing something profoundly stupid, no.
And, actually, the Checkpoint IPS changes were after snortsam stopped working.

Of course, being diligent:

I've tried both:

fwsam 10.0.45.7 #management station
fwsam 10.0.45.8 #firewall box

and opsec opsec.conf in the snortsam.conf

Within opsec.conf, I've tried both 10.0.45.7 and 10.0.45.8 in sam_server ip, but get the same errors.

Yes, fwsam and opsec entries at different times, and snortsam was restarted every time I made a change.

fwsam reports success, but doesn't block.

opsec fails out with the init error I reported earlier.

My best completely uneducated guess is that the SAM pagefile is full on the security gateways, and that status isn't getting reported back.

However, using the Suspicious Action tool under Smartview Monitor, I am able to push new blocks ... Odd.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From john at lissproductions.com Fri Dec 18 16:38:28 2009
From: john at lissproductions.com (John Liss)
Date: Fri, 18 Dec 2009 14:38:28 -0700
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BEDB8.2030202@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org>
Message-ID: <4B2BF654.2050902@lissproductions.com>

John,

How is the checkpoint setup to talk with

According to the snortsam read me

"Currently, only clear-text is supported, but you may have luck with auth_port or SSL. If so, please let me know."

How do you have your auth configured on the Checkpoint fw?

fwopsec.conf file (in the $FWDIR/conf directory or the %FWDIR%\conf\ directory on Windows).

lea_server auth_port 18184
lea_server auth_type ssl_opsec

*To:* john at lissproductions.com, snortsam-discussion at snortsam.net
*Sent:* Friday, December 18, 2009 2:01:44 PM
*Subject:* [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
> John Liss wrote:
>
>> John,
>>
>> Can you crank your logging up to verbose and see if it gives you any more details.
>>
>> in your snortsam.cfg
>>
>> loglevel 3
>> logfile /var/log/snortsam.log
>
> Thanks for the suggestions. loglevel is already at 3.
>
>> I'm sure you have tried this but...
>>
>> Can you ping my-firewall.fqdn.tld from the snortsam box?
>
> No, but that's due to a router ACL. :)
>
> I can telnet to the SAM port (18183) on the firewall box.
>
>> Does snort connect to snortsam? (keying issues?)
>
> Fails using samtool as well.
>
>> Any other IDS's in between the firewall and the snortsam box?
>
> Nope.
>
>> Any new rules on the firewall that would be blocking ?
>
> Unless Checkpoint IPS is doing something profoundly stupid, no. And, actually, the Checkpoint IPS changes were after snortsam stopped working.
>
> Of course, being diligent:
>
> I've tried both:
>
> fwsam 10.0.45.7 #management station
> fwsam 10.0.45.8 #firewall box
>
> and opsec opsec.conf in the snortsam.conf
>
> Within opsec.conf, I've tried both 10.0.45.7 and 10.0.45.8 in sam_server ip, but get the same errors.
>
> Yes, fwsam and opsec entries at different times, and snortsam was restarted every time I made a change.
>
> fwsam reports success, but doesn't block.
>
> opsec fails out with the init error I reported earlier.
>
> My best completely uneducated guess is that the SAM pagefile is full on the security gateways, and that status isn't getting reported back.
>
> However, using the Suspicious Action tool under Smartview Monitor, I am able to push new blocks ... Odd.

From john at lissproductions.com Fri Dec 18 16:42:35 2009
From: john at lissproductions.com (John Liss)
Date: Fri, 18 Dec 2009 14:42:35 -0700
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BF654.2050902@lissproductions.com>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2BF654.2050902@lissproductions.com>
Message-ID: <4B2BF74B.70501@lissproductions.com>

Hey John,

If you are using Certificates, did they expire?

I found this and just a wild stab in the dark... your port said 18183, which depending on version you're on.... may or may not be certificate based.

The OPSEC SDK 4.1.2 provides four modes of communication between the OPSEC application and VPN-1/FireWall-1.

1. clear - No authentication/encryption
2. auth_opsec - Check Point proprietary authentication
3. ssl_clear_opsec - Authentication via an SSL tunnel
4. ssl_opsec - Authenticated and Encrypted tunnel

The default modes of communication and ports for VPN-1/FireWall-1 4.1.SPx are

CVP  18181 auth_opsec
UFP  18182 auth_opsec
SAM  18183 auth_opsec
LEA  18184 auth_opsec
ELA  18187 ssl_opsec
UAA  19191 ssl_opsec

The default modes of communication and ports for VPN-1/FireWall-1 NG are:

CVP   18181 sslca_clear
UFP   18182 sslca_clear
SAM   18183 sslca
LEA   18184 sslca
ELA   18187 sslca
CPMI  18190 sslca
AMON  18193 sslca
UAA   19191 sslca

------------------------------------------------------------------------
*From:* John Liss
*To:* jjasen at realityfailure.org
*CC:* snortsam-discussion at snortsam.net
*Sent:* Friday, December 18, 2009 2:38:28 PM
*Subject:* [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?

> John,
>
> How is the checkpoint setup to talk with
>
> According to the snortsam read me
>
> "Currently, only clear-text is supported, but you may have luck with auth_port or SSL. If so, please let me know."
>
> How do you have your auth configured on the Checkpoint fw?
>
> fwopsec.conf file (in the $FWDIR/conf directory or the %FWDIR%\conf\ directory on Windows).
> lea_server auth_port 18184
> lea_server auth_type ssl_opsec
>
> ------------------------------------------------------------------------
> *From:* John Jasen
> *To:* john at lissproductions.com, snortsam-discussion at snortsam.net
> *Sent:* Friday, December 18, 2009 2:01:44 PM
> *Subject:* [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
>
>> John Liss wrote:
>>
>>> John,
>>>
>>> Can you crank your logging up to verbose and see if it gives you any more details.
>>>
>>> in your snortsam.cfg
>>>
>>> loglevel 3
>>> logfile /var/log/snortsam.log
>>
>> Thanks for the suggestions. loglevel is already at 3.
>>
>>> I'm sure you have tried this but...
>>>
>>> Can you ping my-firewall.fqdn.tld from the snortsam box?
>>
>> No, but that's due to a router ACL. :)
>>
>> I can telnet to the SAM port (18183) on the firewall box.
>>
>>> Does snort connect to snortsam? (keying issues?)
>>
>> Fails using samtool as well.
>>
>>> Any other IDS's in between the firewall and the snortsam box?
>>
>> Nope.
>>
>>> Any new rules on the firewall that would be blocking ?
>>
>> Unless Checkpoint IPS is doing something profoundly stupid, no. And, actually, the Checkpoint IPS changes were after snortsam stopped working.
>>
>> Of course, being diligent:
>>
>> I've tried both:
>>
>> fwsam 10.0.45.7 #management station
>> fwsam 10.0.45.8 #firewall box
>>
>> and opsec opsec.conf in the snortsam.conf
>>
>> Within opsec.conf, I've tried both 10.0.45.7 and 10.0.45.8 in sam_server ip, but get the same errors.
>>
>> Yes, fwsam and opsec entries at different times, and snortsam was restarted every time I made a change.
>>
>> fwsam reports success, but doesn't block.
>>
>> opsec fails out with the init error I reported earlier.
>>
>> My best completely uneducated guess is that the SAM pagefile is full on the security gateways, and that status isn't getting reported back.
>>
>> However, using the Suspicious Action tool under Smartview Monitor, I am able to push new blocks ... Odd.

From ohauer at gmx.de Fri Dec 18 17:50:33 2009
From: ohauer at gmx.de (olli hauer)
Date: Fri, 18 Dec 2009 23:50:33 +0100
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BEDB8.2030202@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org>
Message-ID: <4B2C0739.9070800@gmx.de>

John Jasen wrote:
> John Liss wrote:
>> John,
>>
>> Can you crank your logging up to verbose and see if it gives you any more details.
>>
>> in your snortsam.cfg
>>
>> loglevel 3
>> logfile /var/log/snortsam.log
>
> Thanks for the suggestions. loglevel is already at 3.
>
>> I'm sure you have tried this but...
>>
>> Can you ping my-firewall.fqdn.tld from the snortsam box?
>
> No, but that's due to a router ACL. :)
>
> I can telnet to the SAM port (18183) on the firewall box.
>
>> Does snort connect to snortsam? (keying issues?)
>
> Fails using samtool as well.
>
>> Any other IDS's in between the firewall and the snortsam box?
>
> Nope.
>
>> Any new rules on the firewall that would be blocking ?
>
> Unless Checkpoint IPS is doing something profoundly stupid, no. And, actually, the Checkpoint IPS changes were after snortsam stopped working.
>
> Of course, being diligent:
>
> I've tried both:
>
> fwsam 10.0.45.7 #management station
> fwsam 10.0.45.8 #firewall box
>
> and opsec opsec.conf in the snortsam.conf
>
> Within opsec.conf, I've tried both 10.0.45.7 and 10.0.45.8 in sam_server ip, but get the same errors.
>
> Yes, fwsam and opsec entries at different times, and snortsam was restarted every time I made a change.
>
> fwsam reports success, but doesn't block.
>
> opsec fails out with the init error I reported earlier.
>
> My best completely uneducated guess is that the SAM pagefile is full on the security gateways, and that status isn't getting reported back.
>
> However, using the Suspicious Action tool under Smartview Monitor, I am able to push new blocks ... Odd.

Is this command executed from the mgmt machine working?

#> fw sam -v -t 20 -i src 1.2.3.4

On which platform is snortsam running?

From jjasen at realityfailure.org Fri Dec 18 19:32:11 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Fri, 18 Dec 2009 19:32:11 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BF74B.70501@lissproductions.com>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2BF654.2050902@lissproductions.com> <4B2BF74B.70501@lissproductions.com>
Message-ID: <4B2C1F0B.9000003@realityfailure.org>

John Liss wrote:
> Hey John,
>
> If you are using Certificates, did they expire?

an old one we had for VPN did, but I renewed it anyway to no avail.

The interesting thing is that this was working a week ago, with no changes on either the snortsam side or the FW1 side,

> I found this and just a wild stab in the dark... your port said 18183, which depending on version you're on.... may or may not be certificate based.

or how you munge fwopsec.conf. :)

I believe that I changed 18183 to not require auth, and to be in the clear. However, I'm now home, and going on memory. Last time I played with that was when I was trying to get fw1-loggrabber and Eventia working against the same log sources, which was months ago. And both Eventia and loggrabber still work. :)

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From jjasen at realityfailure.org Fri Dec 18 19:35:30 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Fri, 18 Dec 2009 19:35:30 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2C0739.9070800@gmx.de>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de>
Message-ID: <4B2C1FD2.7090908@realityfailure.org>

olli hauer wrote:
> Is this command executed from the mgmt machine working?
> #> fw sam -v -t 20 -i src 1.2.3.4

I will test on Monday. I believe it will, as I was able to add blocks via SmartMonitor's Suspicious Activity tool -- which unless I miss my guess, exercises the same function.

> On which platform is snortsam running?

RHEL 5, tested on 64 and 32 bit.

Thanks for your suggestions!

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From ohauer at gmx.de Sun Dec 20 15:02:12 2009
From: ohauer at gmx.de (olli hauer)
Date: Sun, 20 Dec 2009 21:02:12 +0100
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2C1FD2.7090908@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de> <4B2C1FD2.7090908@realityfailure.org>
Message-ID: <4B2E82C4.2080407@gmx.de>

John Jasen wrote:
> olli hauer wrote:
>
>> Is this command executed from the mgmt machine working?
>> #> fw sam -v -t 20 -i src 1.2.3.4
>
> I will test on Monday. I believe it will, as I was able to add blocks via SmartMonitor's Suspicious Activity tool -- which unless I miss my guess, exercises the same function.
>
>> On which platform is snortsam running?
>
> RHEL 5, tested on 64 and 32 bit.
>
> Thanks for your suggestions!

With RHEL you cannot use the opsec.conf only the fwsam plugin.
I've set up a small R70 lab and found this combination working:

snortsam.conf:
--------------
fwsam

gateway object in SmartDashboard:
---------------------------------
-> Advanced -> SAM
[x] Use early version compatibility mode
[x] Clear (opsec)

on the Gateway:
---------------
$FWDIR/conf/fwopsec.conf
sam_server auth_port 0
sam_server port 18183

Now the gateway accepts snortsam traps, and you can view Suspicious Activity Rules in SmartViewMonitor.

If the gateway object is not reconfigured in SmartDashboard I get the following error in SmartViewMonitor.
"Unable to fetch Suspicious Activity Rules from: ..."

Additionally you can configure the MGMT station as sam_proxy with the same settings in fwopsec.conf. Traps sent to the MGMT station are now forwarded to the gateway.

Hint: close SmartViewMonitor, it crashed every time cprestart was executed or after changing the GW object and installing the rulebase.

If the setting on the GW object and fwopsec.conf did not match I got a timeout or the "Unable to fetch..." error message.

hope this helps
-- olli

From jjasen at realityfailure.org Sun Dec 20 17:24:58 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Sun, 20 Dec 2009 17:24:58 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2E82C4.2080407@gmx.de>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de> <4B2C1FD2.7090908@realityfailure.org> <4B2E82C4.2080407@gmx.de>
Message-ID: <4B2EA43A.9020103@realityfailure.org>

olli hauer wrote:
> John Jasen wrote:
>> olli hauer wrote:
>>
>>> Is this command executed from the mgmt machine working?
>>> #> fw sam -v -t 20 -i src 1.2.3.4
>> I will test on Monday. I believe it will, as I was able to add blocks via SmartMonitor's Suspicious Activity tool -- which unless I miss my guess, exercises the same function.
>>
>>> On which platform is snortsam running?
>> RHEL 5, tested on 64 and 32 bit.
>>
>> Thanks for your suggestions!
>>
> With RHEL you cannot use the opsec.conf only the fwsam plugin.

Pardon? Why not?

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From frank at snortsam.net Sun Dec 20 18:34:12 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 20 Dec 2009 17:34:12 -0600
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BEDB8.2030202@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org>
Message-ID: <1261352052.27721.11.camel@localhost>

Sorry, late to the emails.

On Fri, 2009-12-18 at 16:01 -0500, John Jasen wrote:
> > Does snort connect to snortsam? (keying issues?)
> Fails using samtool as well.

samtool would only ensure that the communication TO Snortsam is working.

> opsec fails out with the init error I reported earlier.

The opsec error "Error: [(null)] OPSEC init failed" should only occur if the opsec.conf file specified in snortsam.conf doesn't exist.

> My best completely uneducated guess is that the SAM pagefile is full on the security gateways, and that status isn't getting reported back.

That wouldn't cause the init error. Instead you would get a "Opsec request failed" sorta error.

Olli said:
"With RHEL you cannot use the opsec.conf only the fwsam plugin."

The OPSEC SDK is only supported on Windows and Linux systems, so if the OPSEC files in the Snortsam source tree are present, and it all compiled fine, then it should work on RedHat.

When you used fwsam for testing, I assume the firewall also ignored block requests?

You said it stopped suddenly without any configuration or code changes on Snortsam or Checkpoint. Is there anything at all that changed? Perhaps a RedHat update?

Lastly, make sure you have "nothreads" in the snortsam.conf.
There were multithreading issues with Snortsam on Linux in the past, especially in conjunction with the OPSEC SDK. Using "nothreads" will cause Snortsam not to use threads. Maybe that'll help.

Regards,
Frank

From jjasen at realityfailure.org Sun Dec 20 20:27:01 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Sun, 20 Dec 2009 20:27:01 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <1261352052.27721.11.camel@localhost>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <1261352052.27721.11.camel@localhost>
Message-ID: <4B2ECEE5.6000203@realityfailure.org>

Frank Knobbe wrote:
> Sorry, late to the emails.
>
> On Fri, 2009-12-18 at 16:01 -0500, John Jasen wrote:
>>> Does snort connect to snortsam? (keying issues?)
>> Fails using samtool as well.
>
> samtool would only ensure that the communication TO Snortsam is working.
>
>> opsec fails out with the init error I reported earlier.
>
> The opsec error "Error: [(null)] OPSEC init failed" should only occur if the opsec.conf file specified in snortsam.conf doesn't exist.

With either opsec opsec.conf or opsec /etc/opsec.conf, I get the same error.

> Olli said:
> "With RHEL you cannot use the opsec.conf only the fwsam plugin."
>
> The OPSEC SDK is only supported on Windows and Linux systems, so if the OPSEC files in the Snortsam source tree are present, and it all compiled fine, then it should work on RedHat.

Yes. I've had some issues compiling them statically, so the 2.57 were compiled dynamically against the opsec 2.2 libraries. Again, it worked like a champ for at least months.

Now, 2.57 fails on a RHEL 5 64 bit box, and 2.69 fails on either 32 or 64 bit, and it seems regardless of being linked dynamically against opsec 2.2 or 3.0.

It could be something endemic to RH 5, I suppose. But somehow, I'm suspecting the firewall management station has gone silly.
> When you used fwsam for testing, I assume the firewall also ignored block requests?

Yes, sorry if I was not clear.

> You said it stopped suddenly without any configuration or code changes on Snortsam or Checkpoint. Is there anything at all that changed? Perhaps a RedHat update?

Automated network scans were added to the box, so 3x a day, it scans for unapproved systems or services. Other than that, no changes.

> Lastly, make sure you have "nothreads" in the snortsam.conf. There were multithreading issues with Snortsam on Linux in the past, especially in conjunction with the OPSEC SDK. Using "nothreads" will cause Snortsam not to use threads. Maybe that'll help.

I will try that.

Thanks for your suggestions!

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From jjasen at realityfailure.org Tue Dec 22 15:26:57 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Tue, 22 Dec 2009 15:26:57 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2ECEE5.6000203@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <1261352052.27721.11.camel@localhost> <4B2ECEE5.6000203@realityfailure.org>
Message-ID: <4B312B91.60308@realityfailure.org>

John Jasen wrote:
> Frank Knobbe wrote:
>> Lastly, make sure you have "nothreads" in the snortsam.conf. There were multithreading issues with Snortsam on Linux in the past, especially in conjunction with the OPSEC SDK. Using "nothreads" will cause Snortsam not to use threads. Maybe that'll help.
>
> I will try that.
>
> Thanks for your suggestions!

nothreads offered no change to the situation.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From jjasen at realityfailure.org Tue Dec 22 15:43:19 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Tue, 22 Dec 2009 15:43:19 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B2BF654.2050902@lissproductions.com>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2BF654.2050902@lissproductions.com>
Message-ID: <4B312F67.9080208@realityfailure.org>

John Liss wrote:
> lea_server auth_port 18184
> lea_server auth_type ssl_opsec

References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de>
Message-ID: <4B313084.20205@realityfailure.org>

> Is this command executed from the mgmt machine working?
> #> fw sam -v -t 20 -i src 1.2.3.4

Didn't the first time, then started working. No dice with snortsam, though.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

From frank at snortsam.net Wed Dec 23 14:16:50 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 23 Dec 2009 13:16:50 -0600
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B313084.20205@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de> <4B313084.20205@realityfailure.org>
Message-ID: <1261595810.34379.9.camel@localhost>

On Tue, 2009-12-22 at 15:48 -0500, John Jasen wrote:
> > Is this command executed from the mgmt machine working?
> > #> fw sam -v -t 20 -i src 1.2.3.4
>
> Didn't the first time, then started working. No dice with snortsam, though.

Weird.... But since "fw sam" works, you could run the Snortsam binary on the firewall itself configured with the "fwexec" plugin until the OPSEC issue is figured out.

Cheers,
Frank
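The checks the thread converges on (John Liss's loglevel 3, Frank's point that "OPSEC init failed" means the opsec.conf named in snortsam.conf cannot be opened plus his "nothreads" advice, and olli's working fwopsec.conf combination of sam_server auth_port 0 / port 18183), folded into one offline checker as an added example that is not Snortsam's or Check Point's own code; the log line layout is the one quoted in the thread, the log, snortsam.conf and fwopsec.conf samples are constructed, and `exists` is a hypothetical callable that stands in for the filesystem.

```python
"""Offline checker for the Snortsam/Check Point troubleshooting steps in this
thread: classify the two opsec log errors, check snortsam.conf (opsec file,
nothreads, loglevel) and the gateway's fwopsec.conf SAM lines. Added example,
not Snortsam's or Check Point's code; every sample input is constructed."""
import re
from datetime import datetime

# Snortsam log layout as quoted in the thread:
#   2009/12/18, 14:14:51, -, 1, opsec, Error: OPSEC request on '...' (1/4) failed ...
LOG_RE = re.compile(r"^(?P<date>\d{4}/\d{2}/\d{2}), (?P<time>\d{2}:\d{2}:\d{2}), "
                    r"(?P<sensor>[^,]*), (?P<level>\d+), (?P<plugin>\w+), (?P<msg>.*)$")

# Constructed sample log; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_LOG = """\
2009/12/18, 14:14:51, -, 1, opsec, Error: OPSEC request on 'my-firewall.fqdn.tld' (1/4) failed processing 'Inhibit-Drop any ip 192.0.2.10 on All'.
2009/12/18, 14:14:51, -, 1, opsec, Error: [(null)] OPSEC init failed!
2009/12/18, 14:15:02, -, 3, fwsam, blocking 192.0.2.10 (constructed line, not a real message)
a line that is not in snortsam's layout and is skipped
"""

# Constructed snortsam.conf using the keywords seen in the thread.
SAMPLE_SNORTSAM_CONF = """\
loglevel 3
logfile /var/log/snortsam.log
fwsam 10.0.45.8      # firewall box
opsec opsec.conf     # relative path: only found if the cwd is right
"""

# Gateway fwopsec.conf: olli's working R70 combination vs. a constructed mismatch.
FWOPSEC_GOOD = "sam_server auth_port 0\nsam_server port 18183\n"
FWOPSEC_BAD = "sam_server auth_port 18183\nlea_server auth_port 18184\n"


def parse_log(text):
    """Parse every line that matches Snortsam's log layout; others are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y/%m/%d %H:%M:%S")
            entries.append(e)
    return entries


def classify_opsec_errors(entries):
    """Count the two opsec error kinds the thread tells apart: 'init' (opsec.conf named
    in snortsam.conf cannot be opened) and 'request' (gateway rejected the Inhibit-Drop)."""
    counts = {"init": 0, "request": 0, "other": 0}
    for e in entries:
        if e["plugin"] != "opsec" or not e["msg"].startswith("Error"):
            continue
        if "OPSEC init failed" in e["msg"]:
            counts["init"] += 1
        elif "OPSEC request on" in e["msg"] and "failed" in e["msg"]:
            counts["request"] += 1
        else:
            counts["other"] += 1
    return counts


def parse_conf(text):
    """Keyword-first config lines (snortsam.conf, fwopsec.conf) -> [(keyword, args)]."""
    items = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            parts = line.split()
            items.append((parts[0], parts[1:]))
    return items


def check_snortsam_conf(text, exists):
    """Findings for snortsam.conf; exists(path) stands in for the filesystem (hypothetical)."""
    items = parse_conf(text)
    findings = []
    for key, args in items:
        if key == "opsec" and args and not exists(args[0]):  # -> 'OPSEC init failed'
            findings.append(f"opsec file '{args[0]}' not found: expect 'OPSEC init failed'")
    if "nothreads" not in {k for k, _ in items}:
        findings.append("nothreads missing: threading issues seen with the OPSEC SDK on Linux")
    level = next((a[0] for k, a in items if k == "loglevel" and a), "0")
    if int(level) < 3:
        findings.append("loglevel below 3: raise it before debugging")
    return findings


def check_fwopsec_conf(text):
    """Findings against the clear-mode SAM combination that worked in olli's lab."""
    sam = {a[0]: a[1] for k, a in parse_conf(text) if k == "sam_server" and len(a) == 2}
    findings = []
    if sam.get("auth_port") != "0":
        findings.append("sam_server auth_port should be 0 for clear (opsec) SAM")
    if sam.get("port") != "18183":
        findings.append("sam_server port 18183 not set")
    return findings
```

Run against a real deployment, pass `os.path.exists` as `exists` and the contents of the live snortsam.conf, fwopsec.conf and log; the request/init split tells you whether to look at the opsec file path first or at the gateway's SAM settings.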