Snort mailing list archives
RE: "trons" Rules
From: "Jeff Dell" <jdell () activeworx com>
Date: Fri, 1 Mar 2002 07:58:13 -0500
If you check out Robert Graham's website, you will see that he talks about BlackICE using Snort signatures.

<clip from http://robertgraham.com/pubs/ids/trons.html>

What is TRONS?
TRONS is an independent IDS subsystem in BlackICE that reads in Snort-like signatures. TRONS is currently an unsupported feature. If you contact tech support, they will know less about it than what's on this webpage. TRONS has not been tested; bad stuff may happen if you use it.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lampe, John W.
Sent: Friday, March 01, 2002 7:26 AM
To: 'dr.kaos'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] "trons" Rules

seems obvious to me...trons = snort (backwards). "imitation is the sincerest form of flattery" :-)

John Lampe

-----Original Message-----
From: dr.kaos [mailto:dr.kaos () kaos to]
Sent: Friday, March 01, 2002 12:43 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] "trons" Rules

Hmmmmm. Anybody else find this interesting? trons, huh...

From BugTraq in a response re: missing blackice signatures and a means by which to make blackice log certain attacks...

./dr.k

[...snip...]

"I can't recommend you use this feature, but it may be interesting for entertainment purposes. Add the following lines to the "blackice.ini" file:

    trons = enabled
    trons.rule = alert tcp any any -> any any (msg:"URG Scan";flags:U;)
    trons.filename = trons-needs-filename-even-if-dont-exist

I can't stress enough that this feature is unsupported and that you can't get any help from us about this feature at this time. However, you might find documentation somewhere on the net :-).

As a user, I added those lines and transmitted the packet described in the NtWaK0 message, and BlackICE triggered on it."

Robert Graham
Internet Security Systems

PS: I'll be putting up a small TRONS document up on my personal website tomorrow.
The link will be: http://robertgraham.com/pubs/ids/trons.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:
- "trons" Rules dr . kaos (Feb 28)
- RE: "trons" Rules Jason Lewis (Feb 28)
- <Possible follow-ups>
- RE: "trons" Rules Lampe, John W. (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- Re: "trons" Rules Jeff Nathan (Mar 02)
- Re: "trons" Rules dr . kaos (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- RE:"trons" Rules counter . spy (Mar 01)
- RE:"trons" Rules counter . spy (Mar 02)
- Re: "trons" Rules Fyodor (Mar 02)
- RE:"trons" Rules counter . spy (Mar 02)
- RE: "trons" Rules Kohlenberg, Toby (Mar 02)
- Re: "trons" Rules Fyodor (Mar 03)