Thursday, January 28, 2016

How can you tell if Snort is properly running when using systemd (or a standard init.d startup script)? - Guest Post by Bill Parker

This is a Guest post by Bill Parker.  Bill writes many of the installation docs on Snort.org.  Please welcome him to the Snort Blog!

---

I receive more than a few emails from end users who are having difficulty determining whether snort version 2.9.x is running on their server. The quickest way to see if it is running is with the commands 'ps' and 'grep'.

However, in many cases the reason snort is not running is a problem in the 'snort.conf' file. Running snort manually with the '-T' option tests the configuration without processing any traffic and reports which line in snort.conf is causing the difficulty.

On my system when snort is NOT running, the command below returns the following:

[bill@moocow ~]$ ps auxww | grep -i "snort"

bill      1025  0.0  0.2 116388  2164 pts/0    S+   09:01   0:00 grep --color=auto -i snort

If I use systemctl to check the status of snort, I get:

[root@moocow init.d]# systemctl status snort.service
* snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
 
Jan 23 09:10:55 moocow systemd[1]: Stopped Snort NIDS Daemon.

Which shows that snort isn't currently running on my server.

However, when snort is running, the same command produces a slightly
different output:

[bill@moocow ~]$ ps auxww | grep -i "snort"
snort     1071 41.6 39.7 748988 404492 ?       Ssl  09:11   0:37 /usr/local/bin/snort -A fast -b -d -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
bill      1090  0.0  0.2 116388  2204 pts/0    S+   09:13   0:00 grep --color=auto -i snort

Here is the output when systemctl is used instead of ps auxww | grep -i "snort". When I start snort 2.9.8.x on Fedora 22, the status output also includes a partial listing of the messages that snort sends to /var/log/messages:

[root@moocow init.d]# systemctl status snort.service
* snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2016-01-10 10:02:38 PST; 1min 33s ago
 Main PID: 1070 (snort)
   CGroup: /system.slice/snort.service
           `-1070 /usr/local/bin/snort -A fast -b -d -i enp0s8 -u snort -g sn...

Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_IMAP  Version 1...1>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_SSLPP  Version ...4>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_DNP3  Version 1...1>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_SSH  Version 1....3>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_DNS  Version 1....4>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_DCERPC2  Versio...3>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_REPUTATION  Ver...1>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_FTPTELNET  Vers...3>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_SIP  Version 1....1>
Jan 10 10:03:26 moocow snort[1070]: Commencing packet processing (pid=1070)
Hint: Some lines were ellipsized, use -l to show in full.
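The two checks above (a 'ps' listing filtered for snort, and a 'systemctl' status query) can be scripted so that a sensor's health is reported the same way every time. The script below is an added example and is not part of Bill's post or of the Snort project; it assumes a 'ps auxww' column layout like the one shown above (COMMAND is the 11th field), a unit named snort.service, and a snort binary on PATH for the '-T' configuration test. The constructed sample listings mirror the running and stopped output from the post, so the parsing can be tried without Snort installed.

```shell
#!/bin/sh
# Added example (not from the original post): tell a real snort process apart
# from the grep that is searching for it, query systemd, and test snort.conf.

# Print the PIDs of real snort processes found in `ps auxww` output on stdin.
# The COMMAND column starts at field 11; requiring it to be `snort` or end in
# `/snort` drops the `grep --color=auto -i snort` line that matches itself.
snort_pids_from_ps() {
    awk '$11 ~ /(^|\/)snort$/ { print $2 }'
}

# Exit 0 if at least one snort process is present in the listing on stdin.
snort_running_from_ps() {
    found_pids=$(snort_pids_from_ps)
    [ -n "$found_pids" ]
}

# Run snort's configuration self-test (the `-T` option from the post) and
# report the exit status; snort prints the offending snort.conf line itself.
# Assumes the snort binary is on PATH (hypothetical default path below).
check_snort_conf() {
    conf_file=${1:-/etc/snort/snort.conf}
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort binary not found on PATH" >&2
        return 2
    fi
    if snort -T -c "$conf_file" >/dev/null 2>&1; then
        echo "snort.conf test passed: $conf_file"
    else
        echo "snort.conf test FAILED: $conf_file (rerun 'snort -T -c $conf_file' to see the line)" >&2
        return 1
    fi
}

# Live check on a real sensor: systemd's view first, then the process table.
check_live() {
    unit_name=${1:-snort.service}
    if command -v systemctl >/dev/null 2>&1; then
        unit_state=$(systemctl is-active "$unit_name" 2>/dev/null || true)
        echo "systemctl: $unit_name is ${unit_state:-unknown}"
    fi
    if ps auxww | snort_running_from_ps; then
        echo "ps: snort running, pid(s): $(ps auxww | snort_pids_from_ps | tr '\n' ' ')"
    else
        echo "ps: no snort process found"
    fi
}

# Constructed sample listings in the shape of the post's `ps auxww` output.
SAMPLE_RUNNING='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
snort     1071 41.6 39.7 748988 404492 ?       Ssl  09:11   0:37 /usr/local/bin/snort -A fast -b -d -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
bill      1090  0.0  0.2 116388  2204 pts/0    S+   09:13   0:00 grep --color=auto -i snort'

SAMPLE_STOPPED='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
bill      1025  0.0  0.2 116388  2164 pts/0    S+   09:01   0:00 grep --color=auto -i snort'

# Demonstration on the constructed samples (no Snort needed):
printf '%s\n' "$SAMPLE_RUNNING" | snort_running_from_ps && echo "sample 1: snort running"
printf '%s\n' "$SAMPLE_STOPPED" | snort_running_from_ps || echo "sample 2: snort not running"
```

On a sensor, call check_live to get both views and check_snort_conf when the unit is inactive, since a failed configuration test is the usual reason the service stops right after starting. The awk filter on the command column is the scripted equivalent of the grep "[s]nort" trick: either way, the grep process itself must not count as a running Snort.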

On newer Linux distributions, systemd has been implemented in favor of the old-style init.d startup scripts. Here is the README file from the /etc/init.d directory on my Fedora 22 Server system:

You are looking for the traditional init scripts in /etc/rc.d/init.d, and they are gone?

Here's an explanation on what's going on:

You are running a systemd-based OS where traditional init scripts have been replaced by native systemd services files. Service files provide very similar functionality to init scripts. To make use of service files simply invoke "systemctl", which will output a list of all currently running services (and other units). Use "systemctl list-unit-files" to get a listing of all known unit files, including stopped, disabled and masked ones. Use "systemctl start foobar.service" and "systemctl stop foobar.service" to start or stop a service, respectively. For further details, please refer to systemctl(1).

Note that traditional init scripts continue to function on a systemd system. An init script /etc/rc.d/init.d/foobar is implicitly mapped into a service unit foobar.service during system initialization.

Thank you!

Further reading:
        man:systemctl(1)
        man:systemd(1)
        http://0pointer.de/blog/projects/systemd-for-admins-3.html
        http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities

Snort Subscriber Rule Set Update for 01/28/2016

Just released:
Snort Subscriber Rule Set Update for 01/28/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, January 26, 2016

Snort Subscriber Rule Set Update for 01/26/2016

Just released:
Snort Subscriber Rule Set Update for 01/26/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-firefox, file-flash, file-identify, file-other, file-pdf, malware-cnc, os-windows, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, January 25, 2016

Snort++ Update

Pushed build 185 to github (snortadmin/snort3):

  • initial host_tracker for new integrated netmap
  • new_http_inspect refactoring for time and space considerations
  • fix profiler depth bug
  • fatal on failed IP rep segment allocation - thanks to Bill Parker
  • tweaked style guide wrt class declarations

Thursday, January 21, 2016

Snort Subscriber Rule Set Update for 01/21/2016

Just released:
Snort Subscriber Rule Set Update for 01/21/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-pdf, malware-backdoor, os-linux and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, January 19, 2016

Snort Subscriber Rule Set Update for 01/19/2016

Just released:
Snort Subscriber Rule Set Update for 01/19/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 50 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, exploit-kit, file-flash, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-icmp, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Thursday, January 14, 2016

Snort Subscriber Rule Set Update for 01/14/2016

Just released:
Snort Subscriber Rule Set Update for 01/14/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 68 new rules and made modifications to 31 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, netbios, policy-other, protocol-dns, protocol-rpc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, January 12, 2016

Snort Subscriber Rule Set Update for 01/12/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 01/12/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules and made modifications to 13 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS16-001:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 33287 through 33288, and
33897 through 33898.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 37283 through 37284.

Microsoft Security Bulletin MS16-002:
A coding deficiency exists in Microsoft Edge that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37279 through 37280.

Microsoft Security Bulletin MS16-004:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37259 through 37260, 37273 through
37274, and 37281 through 37282.

Microsoft Security Bulletin MS16-005:
A coding deficiency exists in Microsoft kernel-mode drivers that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37265 through 37266.

Microsoft Security Bulletin MS16-006:
A coding deficiency exists in Microsoft Silverlight that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37267 through 37268.

Microsoft Security Bulletin MS16-007:
A coding deficiency exists in Microsoft Windows that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37257 through 37258, 37261 through
37264, and 37275 through 37278.

Microsoft Security Bulletin MS16-008:
A coding deficiency exists in the Microsoft kernel that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37269 through 37272.

Talos has added and modified multiple rules in the browser-ie, browser-plugins,
file-office, file-other, malware-cnc and server-other rule sets to provide
coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, January 8, 2016

Snort++ Update

Pushed build 184 to github (snortadmin/snort3):

  • added new_http_inspect rule options
  • fixed build issue with Clang and thread_local
  • continued tcp session refactoring
  • fixed rule option string unescape issue

Snort 2.9.8.0 Installation Guides have been posted!

Thanks to our hard working community members William Parker and Noah Dietrich, the installation guides for Snort 2.9.8.0 have been posted on Snort.org!

We love it when our community pitches in and sends us documentation, FAQ updates, startup scripts, hints and tricks (which belong in the FAQ!)

If you'd like to contribute to the documentation repository, just email us at sfcommunity@cisco.com, and we can highlight your work, or, if you'd like to help out with the FAQ, we host it on Github, and allow anyone to submit a pull request against the docs.  Please consider helping out!

Thursday, January 7, 2016

Snort Subscriber Rule Set Update for 01/07/2016

Just released:
Snort Subscriber Rule Set Update for 01/07/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-flash, file-office, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, January 5, 2016

Snort Subscriber Rule Set Update for 01/05/2016

Just released:
Snort Subscriber Rule Set Update for 01/05/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules and made modifications to 29 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!