Snort mailing list archives
RE: Tao of doing it right: Ignoring bad advice and doing it the Bilanoway!
From: "Arseneault, Thomas (HQP)" <thomas.arseneault () rhi com>
Date: Tue, 22 Feb 2005 14:06:02 -0800
First off, just because the packets are kept in a DB does not mean they can be replayed. I'm assuming here that these are processed packets and not raw (though it would be faster to stick raw packets in the DB than processing them). Even if they are raw packets, if a hacker gets in far enough to pull packets out of your DB he is in far enough to generate his/her own set of attacks (again, "assuming" proper DB security practices) (come to think of it, he/she has already successfully attacked you if he can reach your DB in the first place).

As for your idea of printing out your packet logs and manually flipping thru the pages:

1) Even on a lightly loaded network, you're talking millions of packets, equating to tens of thousands of pages.

2) While the fanfold paper industry would love you, anyone else would be cursing the idea of having to flip thru reams of paper or lugging around large daily volumes to backtrack an attack that would be long done and over with by the time you figure out what page to flip to.

3) How would you do correlation on a thing like that? You'd have analysts sitting behind desks poking thru these volumes for days on end trying to find evidence of stealth scans while the crackers tramp merrily thru your network.

As for your "white-cracker friends at the IARC", they were probably giggling at your idea rather than excited by it.

Tom Arseneault
Security Engineer

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Billy B. Bilano
Sent: Tuesday, February 22, 2005 12:52 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tao of doing it right: Ignoring bad advice and doing it the Bilanoway!

Hasta la hola, dudes!

The intrepid Bill Bilano here and I need some help with the Snorter... I was reading up on the competition and was thinking about using them instead of Snart until I started reading their stupid docs. But then it is so cool, so I set out to see if Snorpt can do the same stuff that this other thinger does...

See, at first I decided I would use this Squil IDS thing but that crazy Russian guy that wrote down the docs said I needed to keep every packet in a database (who has time for being a packet rat like that?) to make sure I don't get hackered by the nerds! Well that makes a whole hell of a lot of sense! If you keep them online in a database and you get hacked then the hacker will be able to just copy and paste them packets and whammo! Instant replay attack! Maybe I should gift wrap them too? Smart thinking there you Bolshevik dundernuts! First Northcut drops his drawers at SANS and now this Betjitch guy wants to pinch it off for the hackers! His book should be called Tao of Network Reach-arounds!

Anyway, so I was thinking about what to do while working on trying to get the air vent on the wall to point more at my face when I got my foot caught on the mouse cable and I tripped and my USB memo-sticker went flying down the air vent and my Shasta spilled all over my lunch! I had to get it back because it had all my recipes on it as well as all the SSL certificates for the bank so I jumped from my chair and took off like a nut! So, I went down into the basement to give a look see around to see about finding it (the basement at the bank is a huge place with lots of dark tunnels and empty rooms; I almost expected to see Geraldo down there poking his beak into something dumb again). Anyway, I found this one room that had a garage door thingy and it was locked. So I got this security guy (or so he says, he just hangs out down by the ladies room in the lobby and he has a beater stick thing that shocks people, believe me I know) and he unlocked the room and all I found were about fifty old impact printers. Crapo!

So I was sitting on the throne Friday night and then this idea plopped into my head! It was so good, that I called my white-cracker friends at the IARC and they were so excited by my idea they just started giggling like school kids and hung up and then they probably went back to their squirrels or whatever the hell it is they use to amuse themselves while they do nothing all day long but expropriate my tax dollars. Anyway, I thought that instead of keeping the packets in some stupid database where they can get stolen, why not use these old printers to make harder copies instead? Then, if something that smells like fish happens later, I can get out the packet logs, turn to the correct page, scan in the relevant packets, and use some OCR software to put them back into something for the Snoart to look and parse through! So, these printers really worked out greaty great good for me and that basement room became my new glory hole for the entire weekend!

So, to make a long story better, I ordered up some fresh meat for the grinder (some interns from the local community college, you know those people, they are all destitute vagrants who think they can get smarter than Bill by reading about how not to make babies in the workplace). So I assigned these crappy interns to printer detail in the basement to change paper and load ink - we get a ton of traffic on our OC3! Does anyone else have interns working for them? Because these kids are stupid! All they've done all day is complain about the noise and you know what? I already was generous enough to buy them some earmuffs. One of them already quit after only one day of this! Kids these days are unreliable and only concerned about themselves. They don't understand that they are hired to do a job... do they really think that I am going to stand down there around all those noisy printers? Give moi a breaker!

Anyway... so now I am looking for some hot cool OCR software for *NIX to work with my drum scanner so I can test my theory out... can anyone make any recommendations?

P.S.
My bloglog is still here <http://www.bilano.biz/> and you should read it because it is the best!

--
Mr. Billy B. Bilano, MSCE, CCNA <http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Tao of doing it right: Ignoring bad advice and doing it the Bilanoway! Arseneault, Thomas (HQP) (Feb 22)
- <Possible follow-ups>
- Re: RE: Tao of doing it right: Ignoring bad advice and doing it the Bilanoway! Sean Brown (Feb 22)