From Alberto Nicolás Gentil Otero - GenSys Tue Feb 2 11:52:36 2010
From: Alberto Nicolás Gentil Otero - GenSys
Date: Tue, 02 Feb 2010 17:52:36 +0100
Subject: [Snortsam-discussion] Snortsam errors
Message-ID: <4B685854.1060704@gensys.es>

Hi,

When I start snortsam, it returns the following:

> sudo snortsam
SnortSam, v 2.69.
Copyright (c) 2001-2009 Frank Knobbe . All rights reserved.
Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno
Plugin 'iptables': v 2.9, by Fabrizio Tivano , Luis Marichal
Plugin 'ebtables': v 2.4, by Bruno Scatolin
Plugin 'watchguard': v 2.7, by Thomas Maier
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL
Plugin 'forward': v 2.8, by Frank Knobbe
Parsing config file /etc/snortsam.conf...
Linking plugin 'cisconullroute2'...
Checking for existing state file "/var/db/snortsam.state". Found.
Reading state file.
Starting to listen for Snort alerts.
Error: Packet out of sequence from 127.0.0.1, trying to re-sync.
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Error: Packet out of sequence from 127.0.0.1, trying to re-sync.
Blocking host **.**.**.** completely for 300 seconds (Sig_ID: 882).
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Blocking host **.**.**.** completely for 300 seconds (Sig_ID: 882).
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Blocking host **.**.**.** completely for 300 seconds (Sig_ID: 882).
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Snort station 127.0.0.1 using wrong password, trying to re-sync.
...

On the router the rules are added ok. What happens?

in snort.conf:
output alert_fwsam: 127.0.0.1/passprobe

in snortsam.conf:
defaultkey passprobe
accept 127.0.0.1
...

Another question: how can I add "fwsam" to all the rules?

Thank you for your attention and sorry for my English.

From frank at snortsam.net Wed Feb 3 16:14:33 2010
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 03 Feb 2010 15:14:33 -0600
Subject: [Snortsam-discussion] Snortsam errors
In-Reply-To: <4B685854.1060704@gensys.es>
References: <4B685854.1060704@gensys.es>
Message-ID: <1265231673.39631.11.camel@localhost>

On Tue, 2010-02-02 at 17:52 +0100, Alberto Nicolás Gentil Otero - GenSys Telecomunicaciones wrote:
> Starting to listen for Snort alerts.
> Error: Packet out of sequence from 127.0.0.1, trying to re-sync.
> Snort station 127.0.0.1 using wrong password, trying to re-sync.
> Error: Packet out of sequence from 127.0.0.1, trying to re-sync.

That appears to be normal when Snort and Snortsam are running on the same host. For some reason the packets arrive out of order. Add "disableseqnocheck" to snortsam.conf and those errors will go away. (Sequence number checks were implemented to detect when something fishy happens on the wire, possibly interception/MITM on Snortsam packets. Not really useful if the packets don't leave the host.)

> Another question, How can I add to all the rules "fwsam"?

Instead of modifying a lot of rules, create a file called sid-block.map in the same directory where the snort.conf and sid-msg.map files are. The format of the file is: :

For example:

2003156: src, 14 days # WEB Crewbox Proxy Scan

I would not enable blocking on all rules though. Only automatically block on rules that have a low (or zero) false positive rate.
Regards,
Frank

From jjasen at realityfailure.org Wed Feb 3 21:24:06 2010
From: jjasen at realityfailure.org (John Jasen)
Date: Wed, 03 Feb 2010 21:24:06 -0500
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <1261595810.34379.9.camel@localhost>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de> <4B313084.20205@realityfailure.org> <1261595810.34379.9.camel@localhost>
Message-ID: <4B6A2FC6.5090602@realityfailure.org>

Frank Knobbe wrote:
> On Tue, 2009-12-22 at 15:48 -0500, John Jasen wrote:
>>> Is this command executed from the mgmt machine working?
>>> #> fw sam -v -t 20 -i src 1.2.3.4
>> Didn't the first time, then started working. No dice with snortsam, though.
>
> Weird....
>
> But since "fw sam" works, you could run the Snortsam binary on the
> firewall itself configured with the "fwexec" plugin until the OPSEC
> issue is figured out.

Letting it sit for a few weeks, and letting a lot of SAM entries expire out, things magically started working again -- without any other changes to the firewall system.

My guess is that Checkpoint has a limit on the number of remote SAM entries it will handle. I think it's somewhat confirmed, because on the actual security gateways you can configure SAM for backwards compatibility and set resource limits for it.

Unfortunately, this does not appear to be an exposed function on the management server -- or at least I've not discovered it yet!

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire

From frank at snortsam.net Wed Feb 3 21:44:20 2010
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 03 Feb 2010 20:44:20 -0600
Subject: [Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?
In-Reply-To: <4B6A2FC6.5090602@realityfailure.org>
References: <4B2BE1A0.70206@realityfailure.org> <4B2BEB82.2060603@lissproductions.com> <4B2BEDB8.2030202@realityfailure.org> <4B2C0739.9070800@gmx.de> <4B313084.20205@realityfailure.org> <1261595810.34379.9.camel@localhost> <4B6A2FC6.5090602@realityfailure.org>
Message-ID: <1265251460.39631.61.camel@localhost>

On Wed, 2010-02-03 at 21:24 -0500, John Jasen wrote:
> Letting it sit for a few weeks, and expire out a lot of SAM entries,
> things magically started working again -- without any other changes to
> the firewall system.
>
>
> My guess is that checkpoint has a limit in the amount of remote SAM
> entries it will handle. I think its somewhat confirmed, because on the
> actual security gateways, you can configure SAM for backwards
> compatibility and set resource limits for it.

Yeah, I can't believe I didn't think about that. The Checkpoint installations I worked with have an upper limit of about 10,000 IP addresses. Setting the duration appropriately can help overflow.

Glad it's working again!

Cheers,
Frank

From luis.daniel.lucio at gmail.com Wed Feb 10 13:57:35 2010
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Wed, 10 Feb 2010 12:57:35 -0600
Subject: [Snortsam-discussion] When 2.70?
In-Reply-To: <1264383040.60075.5.camel@localhost>
References: <201001201002.38932.luis.daniel.lucio@gmail.com> <1264383040.60075.5.camel@localhost>
Message-ID: <201002101257.36089.luis.daniel.lucio@gmail.com>

On Sunday 24 January 2010 19:30:40, Frank Knobbe wrote:
> On Wed, 2010-01-20 at 10:02 -0600, Luis Daniel Lucio Quiroz wrote:
> > Is a newer 2.70 version planned? Because snort will release shortly 2.6
>
> No 2.70 is planned. Snortsam is independent of Snort. For a new Snort
> version, you just need to compile the Snortsam plugin into Snort.
>
> -Frank
>
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

I know, just wondering because it has been a long time without a new version.

Big question: has anyone tried the patch we posted for 2.8.5.x on 2.8.6rc, just to know if it works or whether we have to rediff? I will, but I don't have anywhere to test it right now.

TIA
LD
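Frank Knobbe's sid-block.map answer in the first thread above gives the entry format only by example (`2003156: src, 14 days # WEB Crewbox Proxy Scan`). The following is an added example, not Snortsam's own code, of a small linter for such a map that a defender can run before enabling automatic blocking: it parses each line, normalises the duration to seconds, rejects duplicate SIDs, and lists entries whose block time exceeds a threshold, which is a quick way to review long-lived blocks against the low-false-positive advice. Assumptions: the `<sid>: <who>, <duration> # comment` line shape, the duration units other than days, and the sample entries other than the posted one are constructed here, not taken from Snortsam's documentation.

```python
import re
from dataclasses import dataclass
# Duration units are an assumption; only "days" appears in the list post.
UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

@dataclass
class BlockRule:
    sid: int
    who: str       # "src" in the posted example
    seconds: int
    comment: str

def parse_duration(text):
    """'14 days' -> 1209600 seconds; a bare number is taken as seconds."""
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", text.strip().lower())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    n, unit = int(m.group(1)), m.group(2).rstrip("s")   # "days" -> "day"
    if unit and unit not in UNITS:
        raise ValueError(f"unknown unit in duration: {text!r}")
    return n * UNITS.get(unit, 1)

def parse_sid_block_map(text):
    """Parse '<sid>: <who>, <duration> # comment' lines into {sid: BlockRule}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue                      # blank or comment-only line
        m = re.fullmatch(r"(\d+)\s*:\s*(\w+)\s*,\s*([^,]+)", body)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        sid = int(m.group(1))
        if sid in rules:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        rules[sid] = BlockRule(sid, m.group(2).lower(),
                               parse_duration(m.group(3)), comment.strip())
    return rules

def long_blocks(rules, max_seconds):
    """SIDs blocking longer than max_seconds: candidates for a false-positive review."""
    return sorted(sid for sid, r in rules.items() if r.seconds > max_seconds)

# Constructed sample map; the first line is the one Frank posted.
SAMPLE = """\
2003156: src, 14 days # WEB Crewbox Proxy Scan
882: src, 300 seconds # constructed; matches the 300 s blocks in the log
1000001: src, 2 hours # constructed local rule
"""
```

Running `long_blocks(parse_sid_block_map(SAMPLE), 86400)` returns `[2003156]`, the one entry that would keep a source blocked for more than a day.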