Snort mailing list archives
Remove me
From: Boonruang Seedapunt <BoonruangS () samartcorp com>
Date: Thu, 14 Aug 2003 08:29:03 +0700
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, August 14, 2003 7:37 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3451 - 10 msgs

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Snort rules updated? (CMartin () infosol com)
   2. re: strange 135 packets (Kevin Binsfield)
   3. no payload in any of my acid evnets! (Andy S Shrock)
   4. Re: Snort rules updated? (Erek Adams)
   5. RE: Snort rules updated? (Jim Grossl)
   6. DCOM Snort Sigs (Dragos Ruiu)
   7. RE: SPAN port packet related (Faiz Ahmad Shuja)
   8. RE: Snort rules updated? (CMartin () infosol com)
   9. RE: logging traffic (Faiz Ahmad Shuja)
  10. RE: logging traffic (Erek Adams)

--__--__--

Message: 1
From: CMartin () infosol com
To: snort-users () lists sourceforge net
Date: Wed, 13 Aug 2003 10:58:04 -0700
Subject: [Snort-users] Snort rules updated?

Hello,

Just wanted to get the word when the official rule sets get updated with the rules to detect DCOM exploit as well as the worm associated with the exploit (mblaster.exe). I like the idea of adding the rule myself; however, I wouldn't mind bringing my systems up to date by downloading the rule sets with the new rules implemented.
I'm hoping the rule sets that are on the site now are updated :)

Chris Martin
Infosol
cmartin () infosol com

--__--__--

Message: 2
From: "Kevin Binsfield" <kbinsfield () iosintegrated com>
To: <snort-users () lists sourceforge net>
Date: Wed, 13 Aug 2003 14:40:33 -0400
Subject: [Snort-users] re: strange 135 packets

off topic but 0/8 was/is reserved. It was used as an historical broadcast and more recently for addressing local machines. See RFC3330.

From: "Marc Quibell" <mquibell () fbfs com>
To: snort-users () lists sourceforge net
Date: Wed, 13 Aug 2003 10:28:48 -0500
Subject: [Snort-users] Strange 135 packets

Not exactly the proper forum, but I consider the experiences here to be most bountiful! While watching for msblaster infections, I've been tcpdump'ing for 135 packets. On a few Win98 machines, I get a few TCP 135 connection attempts to the 0/8 network, example:

13:35:28.053338 0:e0:f7:7a:c9:80 0:2:b3:90:65:e2 ip 62: [source IP].1235 > 0.33.172.101.135: S [tcp sum ok] 11647891:11647891(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 126, id 34570, len 48)

These packets are retrans'ed in double'd intervals. Naturally, it does not make it to anywhere. Has anyone else seen this?

TIA!
Marc

--__--__--

Message: 3
To: snort-users () lists sourceforge net
From: "Andy S Shrock" <Andy.S.Shrock () usa dupont com>
Date: Wed, 13 Aug 2003 15:54:38 -0400
Subject: [Snort-users] no payload in any of my acid evnets!

Am I missing something? I am using snort + barnyard + mysql + ACID. I am processing the log file, and not the alert file, but I still don't get the payload in acid reports. For example I put in rules for the MS RPC vuln yesterday, and have generated a few alerts based on them, but I don't have any payload data for any of them.

Any suggestions would be highly appreciated.

Thanks,
Andy Shrock

This communication is for use by the intended recipient and contains information that may be privileged, confidential or copyrighted under applicable law.
If you are not the intended recipient, you are hereby formally notified that any use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. Please notify the sender by return e-mail and delete this e-mail from your system. Unless explicitly and conspicuously designated as "E-Contract Intended", this e-mail does not constitute a contract offer, a contract amendment, or an acceptance of a contract offer. This e-mail does not constitute a consent to the use of sender's contact information for direct marketing purposes or for transfers of data to third parties.

Francais Deutsch Italiano Espanol Portugues Japanese Chinese Korean
http://www.DuPont.com/corp/email_disclaimer.html

--__--__--

Message: 4
Date: Wed, 13 Aug 2003 16:40:07 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: CMartin () infosol com
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules updated?

On Wed, 13 Aug 2003 CMartin () infosol com wrote:

> Just wanted to get the word when the official rule sets get updated with the rules to detect DCOM exploit as well as the worm associated with the exploit (mblaster.exe). I like the idea of adding the rule myself; however, I wouldn't mind bringing my systems up to date by downloading the rule sets with the new rules implemented. I'm hoping the rule sets that are on the site now are updated :)

Join the snort-sigs mailing list. It's been posted numerous times over the last few days.

And as for adding rules yourself: Create a "my.rules" and place your rules in there. Then whenever you auto update rules, that won't get overwritten. Be sure and add it to the include lines at the bottom of snort.conf.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

--__--__--

Message: 5
From: "Jim Grossl" <jim () idahy org>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort rules updated?
Date: Wed, 13 Aug 2003 14:43:43 -0600

FWIW, Symantec has snort sigs available in this pdf file:

https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of CMartin () infosol com
Sent: Wednesday, August 13, 2003 11:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort rules updated?

Hello,

Just wanted to get the word when the official rule sets get updated with the rules to detect DCOM exploit as well as the worm associated with the exploit (mblaster.exe). I like the idea of adding the rule myself; however, I wouldn't mind bringing my systems up to date by downloading the rule sets with the new rules implemented.

I'm hoping the rule sets that are on the site now are updated :)

Chris Martin
Infosol
cmartin () infosol com

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 6
From: Dragos Ruiu <dr () kyx net>
Organization: All Terrain Ninjas
To: snort-users () lists sourceforge net
Date: Wed, 13 Aug 2003 14:38:08 -0700
Subject: [Snort-users] DCOM Snort Sigs

Counterpane has some useful snort sigs at:
http://www.counterpane.com/alert-v20030801-001.html

cheers,
--dr

--
pgpkey http://dragos.com/ kyxpgp

--__--__--

Message: 7
From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
To: "'Ahmad Masood Shah'" <jahil () 66-uetclub com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] SPAN port packet related
Date: Thu, 14 Aug 2003 02:53:45 +0500

A copy of all the traffic on port 0/11 and 0/12 will be sent on port 0/10 by switch. It will send "everything" coming on these ports.

Regards,
Faiz

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ahmad Masood Shah
Sent: Wednesday, August 13, 2003 12:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SPAN port packet related

I'm using Catalyst 3500 to mirror traffic for port 0/11 0/12. SPAN port is 0/10. My 0/11 port data is up to 1 Mbps. My question is that when switch will send packet information to my IDS via SPAN port it will redirect all traffic or it will send simple packet header to IDS sensor.
--
Best Regs,
Masood Ahmad Shah

--__--__--

Message: 8
From: CMartin () infosol com
To: erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort rules updated?
Date: Wed, 13 Aug 2003 14:18:09 -0700

Thanks Erek,

I'll join the mailing list to keep myself up to date on the sigs, and I like your idea for my own signatures. But since I missed the email says whether the sigs are up to date with DCOM detection ability.
I was wondering if you can tell me if the rules are up to date?

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, August 13, 2003 1:40 PM
To: CMartin () infosol com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rules updated?

On Wed, 13 Aug 2003 CMartin () infosol com wrote:

> Just wanted to get the word when the official rule sets get updated with the rules to detect DCOM exploit as well as the worm associated with the exploit (mblaster.exe). I like the idea of adding the rule myself; however, I wouldn't mind bringing my systems up to date by downloading the rule sets with the new rules implemented. I'm hoping the rule sets that are on the site now are updated :)

Join the snort-sigs mailing list. It's been posted numerous times over the last few days.

And as for adding rules yourself: Create a "my.rules" and place your rules in there. Then whenever you auto update rules, that won't get overwritten. Be sure and add it to the include lines at the bottom of snort.conf.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

--__--__--

Message: 9
From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
To: <zidan () popmail com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] logging traffic
Date: Thu, 14 Aug 2003 03:27:23 +0500

Yes, I think you can. Anyone please correct if I am wrong. You can limit file size by using unified output plugin.

/---
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
---/

Regards,
Faiz

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of zidan () popmail com
Sent: Wednesday, August 13, 2003 1:26 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] logging traffic

Hi,

I wish to log traffic using snort, I'm using snort -debD. I would like to limit the file sizes, so I can transfer them over network. f.e. configure the snort to rollover files, each one 50MB. Can it be done?

Thank you,
-Z

--__--__--

Message: 10
Date: Wed, 13 Aug 2003 20:16:54 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Faiz Ahmad Shuja <faizshuja () yahoo it>
cc: zidan () popmail com, snort-users () lists sourceforge net
Subject: RE: [Snort-users] logging traffic

On Thu, 14 Aug 2003, Faiz Ahmad Shuja wrote:

> Yes, I think you can. Anyone please correct if I am wrong. You can limit file size by using unified output plugin.

Close, but not quite. He wanted files to be rotated every time they reached a certain size. Unified doesn't do that. The limit is the max size of the file. Once the size is reached, the file pointer wraps around and starts filling up again from the 'front' of the file. I think I've heard things like that referred to as a 'circular file'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
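
The pattern Marc Quibell describes in Message 2 of the digest (bare SYNs to TCP 135 addressed into 0/8, retransmitted at doubling intervals) can be picked out of tcpdump text output with a short script. This is an added example, not part of the original thread: the 192.0.2.x source addresses, timestamps and function names are constructed for illustration, and the regex assumes the old `tcpdump -e` line format quoted in that message.

```python
import ipaddress
import re
from collections import defaultdict

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # reserved "this network" (RFC 3330)
WATCH_PORT = 135                                   # port watched in the message

# time, two MACs, "ip <len>:", SRC.sport > DST.dport: FLAGS [cksum] seq:seq(len)
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+)\s+\S+\s+\S+\s+ip\s+\d+:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRWE.]+)\s+(?:\[[^\]]*\]\s+)?(?P<seq>\d+):\d+\(\d+\)"
)

def parse_line(line):
    """Return a dict for one TCP line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        # Seconds since midnight; captures spanning midnight are not handled.
        "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]), "seq": int(m["seq"]),
        # A bare "S" with no ack field is an initial SYN, not a SYN-ACK.
        "syn_only": m["flags"] == "S" and " ack " not in line,
    }

def is_doubling(gaps, tol=0.25):
    """True when each retransmit gap is roughly twice the previous one."""
    if len(gaps) < 2:
        return False
    return all(a > 0 and abs(b / a - 2.0) <= tol for a, b in zip(gaps, gaps[1:]))

def report(lines):
    """Group SYNs to WATCH_PORT with a 0/8 destination by connection attempt."""
    attempts = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if not pkt or not pkt["syn_only"] or pkt["dport"] != WATCH_PORT:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in THIS_NETWORK:
            continue
        # Same 4-tuple and sequence number means a retransmission of one SYN.
        attempts[(pkt["src"], pkt["sport"], pkt["dst"], pkt["seq"])].append(pkt["t"])
    findings = []
    for (src, sport, dst, seq), times in sorted(attempts.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        findings.append({"src": src, "sport": sport, "dst": dst, "attempts": len(times),
                         "intervals": [round(g, 1) for g in gaps],
                         "doubling": is_doubling(gaps)})
    return findings

def _line(ts, src, dst, seq, ip_id):
    # Constructed sample line in the same layout as the one quoted in the message.
    return (f"{ts} 0:e0:f7:7a:c9:80 0:2:b3:90:65:e2 ip 62: {src} > {dst}: S [tcp sum ok] "
            f"{seq}:{seq}(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 126, id {ip_id}, len 48)")

SAMPLE = [  # constructed data: one SYN sent four times, plus two lines that must not match
    _line("13:35:28.053338", "192.0.2.23.1235", "0.33.172.101.135", 11647891, 34570),
    _line("13:35:31.049120", "192.0.2.23.1235", "0.33.172.101.135", 11647891, 34826),
    _line("13:35:37.057903", "192.0.2.23.1235", "0.33.172.101.135", 11647891, 35082),
    _line("13:35:49.061377", "192.0.2.23.1235", "0.33.172.101.135", 11647891, 35338),
    _line("13:35:50.000001", "192.0.2.23.1236", "192.0.2.50.135", 11700000, 35594),
    _line("13:35:51.000001", "192.0.2.24.1100", "0.12.9.4.80", 22000000, 120),
]

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```
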