Snort mailing list archives

RE: Snort-users digest, Vol 1 #4239 - 5 msgs


From: "New Kabon" <nukabon () hotmail com>
Date: Sun, 16 May 2004 06:49:29 +0000

Any tools that can be used to auto-update the rules?
Thanks a lot,
New



From: snort-users-request () lists sourceforge net
Reply-To: snort-users () lists sourceforge net
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4239 - 5 msgs
Date: Sat, 15 May 2004 20:07:24 -0700

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Administrativia: No advertising please (Kreimendahl, Chad J)
   2. Oinkmaster v1.0 released. (Andreas Östling)
   3. localhost alert (kev.p () pandora be)
   4. SnortDB-Extra Issues (Josh Berry)
   5. attack classification (Marcin Laskowski)

--__--__--

Message: 1
Subject: RE: [Snort-users] Administrativia: No advertising please
Date: Fri, 14 May 2004 23:07:20 -0500
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: <snort-users () lists sourceforge net>


I was bored, so I thought I'd just add something into this whole fire.

A wise man once said:  "You taught me that not everything is stupid.
Some things are gay."

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Friday, May 14, 2004 8:36 PM
To: M. Jamil
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Administrativia: No advertising please

On May 14, 2004, at 7:08 PM, M. Jamil wrote:

> I don't really see a need for such a spectacle, nor a long-winded rant
> from Martin Roesch on the matter.

If you've ever seen one of my rants then you'll know that what I posted
was nowhere near a rant.  People were questioning whether vendors
needed to adhere to the rules for etiquette that we've had for this
list for years and I just wanted to assure them that they did in no
uncertain terms.

> There isn't really a need for all of you to jump down the sales lady's
> throat for an accidental CC that she apologized for. On a side note,
> I've taken a look at what they are doing over there and it all looks
> pretty cool..  I might even consider it over Sourcefire and their
> overpriced appliances.

Be my guest.  I wasn't assessing the value of their solution, just
pointing out that we don't like vendors advertising around here after
Mr. Hines indicated that he thought that people should expect to be
marketed to if they post to this list.

> p.s.
> If Martin Roesch and the others are so upset about the accidental CC
> of the sales email, why don't you configure your list software to
> disallow CCs or start moderating?

We've thought about it from time to time and decided to let the list
police itself due to the time constraints that most of the people who
admin the Snort project are under.  The accidental CC wasn't what got
me to post, that happens from time to time and I don't care all that
much.  It *does* bother me when people say we should expect to see
these sorts of things because "it's the way the game is played", and
that's what got me to respond.

      -Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--__--__--

Message: 2
Date: Sat, 15 May 2004 10:53:58 +0200 (CEST)
From: Andreas Östling <andreaso () it su se>
To: snort-users () lists sourceforge net,
        snort-announce () lists sourceforge net
Subject: [Snort-users] Oinkmaster v1.0 released.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Oinkmaster v1.0 has been released.

Download:
http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-1.0.tar.gz?download


MD5: 1140fb5484944691268579ca7fc83518

PGP signature:
http://oinkmaster.sourceforge.net/oinkmaster-1.0.tar.gz.asc

For those who don't know, Oinkmaster is a simple tool to update/manage
Snort signatures. The homepage is at http://oinkmaster.sourceforge.net/


Changes from v0.9:

o Default URL in distribution oinkmaster.conf is now
  http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz. Don't
  forget to change it if it's not the right one for your version
  of Snort!
o You can now set "rule_actions = ..." in oinkmaster.conf to tell
  Oinkmaster what keywords are valid as the start of a Snort rule. Useful
  if you create your own ruletypes and want those lines to be regarded as
  rules instead of non-rule lines. If unset,
  "alert|drop|log|pass|reject|sdrop|activate|dynamic" will be used
  (same as before).
o You can now run without external binaries if you have the required
  Perl modules installed (Archive::Tar, IO::Zlib and LWP::UserAgent).
  You can set use_external_bins to 0 or 1 in oinkmaster.conf to override
  the default. 0 means to use the Perl modules, 1 means to use external
  binaries. It's set to 0 by default on Win32 (since the required
  Perl modules are already included in ActivePerl 5.8.1+), and 1 on other
  systems (i.e. same behavior as before). This makes it much easier to
  install Oinkmaster on Windows/ActivePerl. See the new default
  oinkmaster.conf for more information.
o A simple graphical multi-platform front-end to Oinkmaster written in
  Perl/Tk is included in the contrib directory (oinkgui.pl).
  See README.gui for more information. Screenshots are available on
  Oinkmaster's homepage.
o contrib/makesidex.pl has been rewritten to handle multi-line rules and
  multiple rules directories. It will now also include the rule's "msg"
  string as a comment on each disablesid line it prints. Usage syntax is
  unchanged.
o The other contrib scripts have been improved with misc feature updates
  and small bug fixes as well. For example, addmsg.pl now handles
  multiple rules directories just like the others. All scripts now give
  a short description when run without arguments. Full descriptions can
  still be found in contrib/README.contrib.
o The new default oinkmaster.conf has been updated with more and better
  examples (mostly "modifysid" stuff).
o Slightly improved multi-line rule parsing.
o Perl version is checked on startup and must be >= 5.6.1.
o Permissions on all rules files in the output directory that are subject
  to being updated by Oinkmaster (i.e. files matching the "update_rules"
  regexp and that are not ignored by a "skipfile") are now checked
  before starting, so that we don't bail out in the middle of
  execution if the copy of an updated file fails because of a
  permission problem.
o A manual page is now included which describes all the command
  line options in detail.
o Major documentation updates (INSTALL, README, README.win32, FAQ).
o Many other improvements.

/Andreas

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (OpenBSD)

iD8DBQFApdZgytHlY5LIf/YRAmRhAJ0ZJ4AQmw2L4EdKj4mT/i1Vgvg9iACfceK+
yBXMWha7bEyHlv4ZUUc86vc=
=LrsS
-----END PGP SIGNATURE-----


--__--__--

Message: 3
From: kev.p () pandora be
To: snort-users () lists sourceforge net
Date: Sat, 15 May 2004 16:22:34 +0000
Subject: [Snort-users] localhost alert

I need a rule so I can generate a simple alert on localhost to show
someone how ACID works. I just started working with Snort so I would really appreciate the help.




--__--__--

Message: 4
Date: Sat, 15 May 2004 12:30:00 -0500 (CDT)
From: "Josh Berry" <josh.berry () netschematics com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] SnortDB-Extra Issues

I recently loaded the snortdb-extra stuff to my database because I am
working on my own analysis front-end and it seemed like some of the data
was wrong.

For instance, when the spp_stream4 preprocessor generates a SYN/FIN alert,
it inserts the tcp_flags value into tcphdr as 3, as it should be.  But then
looking up the value of 3 in the flags table shows 3 as being a NULL packet
with both of the reserved bits set.

Am I just using this wrong, or are the values wrong?


Thanks
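An added example, not from Josh's message and not the snortdb-extra schema: it decodes the raw 8-bit tcp_flags byte that Snort stores in tcphdr according to the standard TCP header layout, and generates a value-to-description table from that layout so a front-end does not have to depend on a hand-maintained one. Under this layout 3 is FIN|SYN, and a NULL packet with both reserved (ECN) bits set is 0xC0 = 192, not 3. The "NULL" and "/"-joined labels are this example's own naming choice, not snortdb-extra's wording.

```python
# Added example (not from the thread or snortdb-extra): decode the 8-bit
# TCP flags byte and derive a lookup table from the bit layout.
#
# Bit layout: standard TCP header flags byte (RFC 793) plus the two ECN
# bits of RFC 3168. Snort's "flags" rule keyword calls the two high bits
# "reserved bit 1" (0x40) and "reserved bit 2" (0x80).
TCP_FLAG_BITS = (
    (0x80, "CWR"),   # Snort: reserved bit 2
    (0x40, "ECE"),   # Snort: reserved bit 1
    (0x20, "URG"),
    (0x10, "ACK"),
    (0x08, "PSH"),
    (0x04, "RST"),
    (0x02, "SYN"),
    (0x01, "FIN"),
)

RESERVED_MASK = 0x80 | 0x40


def decode_tcp_flags(value):
    """Return the names of the flags set in an 8-bit tcp_flags value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("tcp_flags must fit in one byte, got %r" % (value,))
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def describe_tcp_flags(value):
    """Label for a flags value: 'NULL' when no bit is set, else names joined by '/'."""
    names = decode_tcp_flags(value)
    return "/".join(names) if names else "NULL"


def build_flags_table():
    """Map every possible tcp_flags value (0..255) to its description.

    This is the table to join tcphdr.tcp_flags against; each entry is
    derived from the bit layout rather than typed in by hand.
    """
    return {v: describe_tcp_flags(v) for v in range(256)}


def null_with_reserved_bits():
    """The value that really means 'no flags set, both reserved bits set'."""
    return RESERVED_MASK


if __name__ == "__main__":
    table = build_flags_table()
    # A SYN/FIN packet, as spp_stream4 records it in tcphdr.tcp_flags:
    print(3, "->", table[3])
    # The value a 'NULL packet with both reserved bits set' would need:
    print(null_with_reserved_bits(), "->", decode_tcp_flags(null_with_reserved_bits()))
```

If the table you loaded labels 3 as a NULL packet with reserved bits, comparing it entry by entry against `build_flags_table()` will show every row that disagrees with the bit layout.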


--__--__--

Message: 5
From: "Marcin Laskowski" <cineklas () wp pl>
To: <snort-users () lists sourceforge net>
Date: Sat, 15 May 2004 20:52:11 +0200
Subject: [Snort-users] attack classification


Hi all

I need information about the classification of the attacks in Snort.
Is there any parallel which says that for example XMAS Scan belongs to
the attempted-recon group? There's no problem with extracting such information
from the rule files but it's a little boring. And what about the
preprocessors? How do they match attacks with groups?

......................................
Best Regards, Marcin



e-mail:         mjl () chello pl

=============================================
Windows is a 32-bit patch for a 16-bit GUI
based on an 8-bit system
written for a 4-bit processor
by a 2-bit company
with 1-bit competence.
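An added example, not from Marcin's message or from the Snort or Oinkmaster projects, that does the "boring" extraction by script: it reads rule files, recognizes rule lines by the same action keywords Oinkmaster 1.0 lists as its default `rule_actions`, folds backslash-continued multi-line rules, groups sids by `classtype`, and attaches the priority from `classification.config` (real syntax: `config classification: name,description,priority`). It covers rules only; it makes no claim about how preprocessor events are classified. The sample rules, sids and messages are constructed for the example; the first sample rule is also the kind of deliberately noisy loopback test rule asked about earlier in this digest, since `ping 127.0.0.1` will trigger it.

```python
# Added example (not from the thread, Snort or Oinkmaster): group Snort
# rules by classtype and look up each classtype's priority.
import re
from collections import defaultdict

# Keywords that may start a rule line; the same default list Oinkmaster
# 1.0 uses for its rule_actions setting.
RULE_ACTIONS = "alert|drop|log|pass|reject|sdrop|activate|dynamic"
RULE_START = re.compile(r"^\s*(?:%s)\s" % RULE_ACTIONS)
# key:value; pairs inside the option parentheses. Simplification: a ';'
# or ':' inside a quoted msg string is not handled.
OPTION = re.compile(r"(\w+)\s*:\s*([^;]*);")
CLASSIFICATION = re.compile(
    r"^\s*config\s+classification:\s*([^,]+),([^,]+),(\d+)\s*$")


def join_continued_lines(text):
    """Fold backslash-continued lines so every rule is one string."""
    joined, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        joined.append(buf + stripped)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def parse_rules(text):
    """Return [{sid, msg, classtype}] for each active rule; comments are skipped."""
    rules = []
    for line in join_continued_lines(text):
        if not RULE_START.match(line):
            continue  # blank line, comment, or non-rule config line
        opts = dict(OPTION.findall(line))
        rules.append({
            "sid": int(opts.get("sid", "0")),
            "msg": opts.get("msg", "").strip().strip('"'),
            "classtype": opts.get("classtype", "").strip() or None,
        })
    return rules


def parse_classification(text):
    """classtype -> (description, priority) from classification.config lines."""
    table = {}
    for line in text.splitlines():
        m = CLASSIFICATION.match(line)
        if m:
            name, desc, prio = m.groups()
            table[name.strip()] = (desc.strip(), int(prio))
    return table


def group_by_classtype(rules, classification):
    """classtype -> {"priority": int or None, "sids": [sid, ...]}."""
    groups = defaultdict(lambda: {"priority": None, "sids": []})
    for r in rules:
        ct = r["classtype"] or "(none)"
        groups[ct]["sids"].append(r["sid"])
        if ct in classification:
            groups[ct]["priority"] = classification[ct][1]
    return dict(groups)


# Constructed sample input (sids in the local >= 1000000 range, made up).
SAMPLE_RULES = r'''
# local.rules (constructed for this example)
alert icmp any any -> 127.0.0.1 any (msg:"LOCAL test alert on loopback"; \
    classtype:misc-activity; sid:1000001; rev:1;)
alert tcp any any -> any any (flags:FPU; msg:"LOCAL XMAS scan"; \
    classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any any (flags:SF; msg:"LOCAL SYN FIN"; classtype:attempted-recon; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; classtype:bad-unknown; sid:1000004; rev:1;)
pass tcp any any -> any 22 (msg:"LOCAL no classtype on this one"; sid:1000005; rev:1;)
'''

# Two lines in the real classification.config format.
SAMPLE_CLASSIFICATION = '''
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
'''


def summarize(rules_text=SAMPLE_RULES, class_text=SAMPLE_CLASSIFICATION):
    return group_by_classtype(parse_rules(rules_text),
                              parse_classification(class_text))


if __name__ == "__main__":
    for ct, info in sorted(summarize().items()):
        print("%-18s priority=%s sids=%s" % (ct, info["priority"], info["sids"]))
```

Point `summarize()` at the contents of your real rules directory and classification.config to get the classtype-to-sid map for your own rule set; rules without a classtype land under "(none)", which is also a quick way to find rules that will be assigned no priority.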





--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest


