Your message dated Fri, 13 Jan 2012 22:49:57 +0000
with message-id <[email protected]>
and subject line Bug#590061: fixed in snort 2.9.2-1
has caused the Debian Bug report #590061,
regarding /usr/sbin/snort-stat: ignores alerts that have no classification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
590061: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590061
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: snort-common
Version: 2.7.0-20.4
Severity: important
File: /usr/sbin/snort-stat


When parsing /var/log/snort/alert, alerts with only a priority and no
classification in the second line are ignored. Most preprocessor
alerts seem to have the classification missing, so very many
alerts are not counted in the statistics. Attached is a log for
input to snort-stat (snort-stat -a < file). It contains
7 alerts, of which one has no IP addresses, the other 6 should be
counted, but only 4 are counted. In real life, the vast majority
of alerts may be ignored for this reason.

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages snort-common depends on:
ii  adduser                  3.110           add and remove users and groups
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  lsb-base                 3.2-20          Linux Standard Base 3.2 init scrip
ii  perl-modules             5.10.0-19lenny2 Core Perl modules
ii  rsyslog [system-log-daem 3.18.6-4        enhanced multi-threaded syslogd

snort-common recommends no packages.

Versions of packages snort-common suggests:
pn  snort-doc                     <none>     (no description available)

-- debconf information:
  snort/deprecated_config:
[**] [1:1321:8] BAD-TRAFFIC 0 ttl [**]
[Classification: Misc activity] [Priority: 3] 
07/23-07:30:20.704726 0.0.0.0 -> 255.255.255.255
PROTO:099 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:68
[Xref => http://www.isi.edu/in-notes/rfc1122.txt][Xref => http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268]

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
07/23-07:31:17.759889 

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3] 
07/23-08:22:31.477811 172.16.1.197 -> 195.194.121.66
PROTO:255 TTL:0 TOS:0x0 ID:6400 IpLen:20 DgmLen:163

[**] [1:1419:9] SNMP trap udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
07/23-08:32:13.675697 172.16.0.48:162 -> 195.194.122.46:162
UDP TTL:255 TOS:0x0 ID:653 IpLen:20 DgmLen:119
Len: 91
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:466:4] ICMP L3retriever Ping [**]
[Classification: Attempted Information Leak] [Priority: 2] 
07/23-08:52:40.397719 172.16.1.149 -> 148.79.164.13
ICMP TTL:32 TOS:0x0 ID:1865 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:256  ECHO
[Xref => http://www.whitehats.com/info/IDS311]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
[Priority: 3] 
07/23-08:53:14.531800 172.16.1.149:2198 -> 148.79.163.146:80
TCP TTL:128 TOS:0x0 ID:7114 IpLen:20 DgmLen:334 DF
***AP*** Seq: 0xF70F5266  Ack: 0xCDA63215  Win: 0x4470  TcpLen: 20

[**] [1:1042:9] WEB-IIS view source via translate header [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
07/23-08:53:21.473129 172.16.1.149:2277 -> 148.79.164.13:80
TCP TTL:128 TOS:0x0 ID:7519 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0x649778CD  Ack: 0xD5063470  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0778][Xref => http://www.securityfocus.com/bid/1578][Xref => http://www.whitehats.com/info/IDS305]


--- End Message ---
--- Begin Message ---
Source: snort
Source-Version: 2.9.2-1

We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive:

snort-common-libraries_2.9.2-1_i386.deb
  to main/s/snort/snort-common-libraries_2.9.2-1_i386.deb
snort-common_2.9.2-1_all.deb
  to main/s/snort/snort-common_2.9.2-1_all.deb
snort-doc_2.9.2-1_all.deb
  to main/s/snort/snort-doc_2.9.2-1_all.deb
snort-mysql_2.9.2-1_i386.deb
  to main/s/snort/snort-mysql_2.9.2-1_i386.deb
snort-pgsql_2.9.2-1_i386.deb
  to main/s/snort/snort-pgsql_2.9.2-1_i386.deb
snort-rules-default_2.9.2-1_all.deb
  to main/s/snort/snort-rules-default_2.9.2-1_all.deb
snort_2.9.2-1.debian.tar.gz
  to main/s/snort/snort_2.9.2-1.debian.tar.gz
snort_2.9.2-1.dsc
  to main/s/snort/snort_2.9.2-1.dsc
snort_2.9.2-1_i386.deb
  to main/s/snort/snort_2.9.2-1_i386.deb
snort_2.9.2.orig.tar.gz
  to main/s/snort/snort_2.9.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Peña <[email protected]> (supplier of updated snort package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 13 Jan 2012 21:54:25 +0100
Source: snort
Binary: snort snort-common snort-doc snort-mysql snort-pgsql snort-rules-default snort-common-libraries
Architecture: source i386 all
Version: 2.9.2-1
Distribution: unstable
Urgency: low
Maintainer: Javier Fernandez-Sanguino Peña <[email protected]>
Changed-By: Javier Fernandez-Sanguino Peña <[email protected]>
Description: 
 snort      - flexible Network Intrusion Detection System
 snort-common - flexible Network Intrusion Detection System [common files]
 snort-common-libraries - flexible Network Intrusion Detection System ruleset
 snort-doc  - Documentation for the Snort IDS [documentation]
 snort-mysql - flexible Network Intrusion Detection System [MySQL]
 snort-pgsql - flexible Network Intrusion Detection System [PostgreSQL]
 snort-rules-default - flexible Network Intrusion Detection System ruleset
Closes: 553584 577033 590061 631854 634660 638678 646547 654239
Changes: 
 snort (2.9.2-1) unstable; urgency=low
 .
   [ Andrew Pollock ]
   * New upstream release, upload to unstable
      - Fixes CVE-2009-3641: DoS while printing specially-crafted IPv6 packet
        using the -v option (Closes: 553584)
      - The package no longer build-depends on iptables-dev and the negated list
        of architectures is no longer used (Closes: 634660)
   * Switch to dpkg-source 3.0 (quilt) format
   * Port across all changes from Snort 2.8.5.2-5 and later in unstable
   * debian/snort.postinst: create the directory that the checksum for
     snort.debian.conf will be created in if it doesn't already exist
   * debian/rules: tell dh_makeshlibs to not call ldconfig in the
     preinst/postinst of snort-common-libraries
   * debian/rules: don't install README.WIN32 into snort-doc
 .
   [ Javier Fernandez-Sanguino Peña ]
   * debian/rules:
      - Set enable-zlib when configuring all packages to force it to be
        enabled as this is required by the http_inspect preprocessor which
        is enabled by default (Closes: #631854)
      - Included (commented) the patch provided by Clint Byrum and included in
         Ubuntu to prevent snort from FTBFS with libmysqlclient-dev which will be
        multiarch in the future. The patch uses mysql_config to find libraries
        to fix FTBFS with multiarch libmysqlclient. Not enabled since the
        version of libmysqlclient in unstable currently does not support the
        --variable=pkglibdir option
   * debian/snort{,-inline}.config: Use LC_ALL=C when calling ifconfig to make
     the postinst work when ifconfig's output is internationalised (Closes: 577033)
   * debian/control: Fix link in the rules package, point to
     http://www.snort.org/snort-rules/ (Closes: 646547)
   * debian/my/snort-stat: Modify so that alerts with Priority but without
     classification are analysed when parsing syslog information. Also set
     the class to 'Undefined' instead of leaving it empty. (Closes: 590061)
   * po-debconf translation updates:
     - Danish, provided by Joe Dalton (Closes: 638678)
     - Dutch, provided by Jeroen Schot (Closes: 654239)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPELH7sandgtyBSwkRAvr0AJ44h/GSFFSKdVvIDIxkKPCCLJoHcQCcDV3o
yGRXgPxO0RhggUMn1oUkdO0=
=82XC
-----END PGP SIGNATURE-----

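An added example (not the Perl snort-stat script itself) that parses the alert format shown in the report's attachment. With require_classification=True it reproduces the skip the reporter describes (Priority-only alerts dropped); by default it applies the behaviour the changelog entry for #590061 describes, keeping such alerts under class 'Undefined'. The three sample records are copied from the attached log.

```python
import re
from collections import Counter

# Records from the report's attached log: a classified alert, a decoder alert
# with no priority line and no addresses, and a Priority-only preprocessor alert.
SAMPLE_ALERT_LOG = """\
[**] [1:1321:8] BAD-TRAFFIC 0 ttl [**]
[Classification: Misc activity] [Priority: 3]
07/23-07:30:20.704726 0.0.0.0 -> 255.255.255.255
PROTO:099 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:68

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
07/23-07:31:17.759889

[**] [122:19:0] (portscan) UDP Portsweep [**]
[Priority: 3]
07/23-08:22:31.477811 172.16.1.197 -> 195.194.121.66
PROTO:255 TTL:0 TOS:0x0 ID:6400 IpLen:20 DgmLen:163
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+) -> (\S+)$")

def parse_alerts(text, require_classification=False):
    """One dict per countable alert (header, priority line, src -> dst).
    require_classification=True reproduces bug #590061: a second line holding
    only [Priority: N] is not recognised, so the alert is silently skipped."""
    alerts = []
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln.rstrip() for ln in record.splitlines()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if head is None or len(lines) < 2:
            continue
        cls, prio = CLASS_RE.search(lines[1]), PRIO_RE.search(lines[1])
        if prio is None or (require_classification and cls is None):
            continue  # no priority line (decoder alert), or the buggy path
        addr = next((m for m in map(ADDR_RE.match, lines[2:]) if m), None)
        if addr is None:
            continue  # no "src -> dst" line, nothing to attribute the alert to
        alerts.append({"sid": head.group(1), "msg": head.group(2),
                       "class": cls.group(1) if cls else "Undefined",
                       "priority": int(prio.group(1)),
                       "src": addr.group(1), "dst": addr.group(2)})
    return alerts

def count_by_class(text, require_classification=False):
    """Class -> alert count, the figure the statistics are built from."""
    return Counter(a["class"] for a in parse_alerts(text, require_classification))
```

Running count_by_class on the full seven-record attachment gives the 4-versus-6 difference the reporter observed, since only the two Priority-only preprocessor alerts change outcome.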