Snort mailing list archives
unsubscribe
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
Date: Fri, 11 May 2001 07:45:16 -0600
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Friday, May 11, 2001 1:24 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #634 - 9 msgs

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Snort won't run (alexus)
2. Re: ******unsubscribe****** (shawn . moyer)
3. RE: Snort won't run (Watson, Ed)
4. Re: ******unsubscribe****** (Martin Roesch)
5. Re: loggin issue (roman () danyliw com)
6. Re: Snort + Acid w/ MySQL question(s) (roman () danyliw com)
7. Snort 1.8-beta4 Build 17 coredump (Steve Shockley)
8. RE: Rules vs performance (Jean-Francois Zwobada)
9. Re: [Snort-users] DNS Query Logging? (holger.bumke () nbg net)

--__--__--
Message: 1
From: "alexus" <ml () db nexgen com>
To: "Dave Ryan" <dave.ryan () eircom net>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 18:17:10 -0400

hmm works with this one:) thanks

----- Original Message -----
From: "Dave Ryan" <dave.ryan () eircom net>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 6:12 PM
Subject: Re: [Snort-users] Snort won't run
The latest rulesfile is specific to 1.8
Try these rules instead:
www.snort.org/Files/Current/snortrules.tar.gz
Rgds.

Quoting alexus (ml () db nexgen com):
I'm using snort 1.7 with the latest set of rules
for some reason it won't run, any ideas?
su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf
--== Initializing Snort ==--
Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
*WARNING*: unknown preprocessor "stream2", ignoring!
*WARNING*: unknown preprocessor "rpc_decode", ignoring!
*WARNING*: unknown preprocessor "bo", ignoring!
*WARNING*: unknown preprocessor "telnet_decode", ignoring!
database: compiled support for ( mysql )
database: configured to use mysql
database: user = alexus
database: database name = alexus
database: password is set
database: host = localhost
database: sensor name = 64.81.208.245
database: sensor id = 1
database: using the "log" facility
Error: Unknown config: classification
su-2.04#
what am I doing wrong now?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Dave Ryan
Computer Incident Response Team
dave.ryan () eircom net
Eircom Multimedia
--__--__--
Message: 2
Date: Thu, 10 May 2001 17:32:40 -0500
From: "shawn . moyer" <shawn () net-connect net>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ******unsubscribe******
"Insanity is doing the same thing
and expecting different results."
Dr. Edwards Deming
--
s h a w n m o y e r
shawn () net-connect net
"May the forces of evil become
confused on the way to your house."
--George Carlin
--__--__--
Message: 3
From: "Watson, Ed" <ewatson () academic com>
To: 'alexus' <ml () db nexgen com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 15:38:28 -0700
don't know if this will make a difference, this works for me.
/usr/local/bin/snort -A full -c /usr/local/bin/rules/snort.conf
-----Original Message-----
From: alexus [mailto:ml () db nexgen com]
Sent: Thursday, May 10, 2001 2:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort won't run
I'm using snort 1.7 with the latest set of rules
for some reason it won't run, any ideas?
su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf
--== Initializing Snort ==--
Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
*WARNING*: unknown preprocessor "stream2", ignoring!
*WARNING*: unknown preprocessor "rpc_decode", ignoring!
*WARNING*: unknown preprocessor "bo", ignoring!
*WARNING*: unknown preprocessor "telnet_decode", ignoring!
database: compiled support for ( mysql )
database: configured to use mysql
database: user = alexus
database: database name = alexus
database: password is set
database: host = localhost
database: sensor name = 64.81.208.245
database: sensor id = 1
database: using the "log" facility
Error: Unknown config: classification
su-2.04#
what am I doing wrong now?
--__--__--
Message: 4
Date: Thu, 10 May 2001 18:39:50 -0400
From: Martin Roesch <roesch () sourcefire com>
To: "shawn . moyer" <shawn () net-connect net>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ******unsubscribe******
Especially when *every message to the list* ends with instructions on
how to perform that function....
"shawn . moyer" wrote:
"Insanity is doing the same thing
and expecting different results."
Dr. Edwards Deming
--
s h a w n m o y e r
shawn () net-connect net
"May the forces of evil become
confused on the way to your house."
--George Carlin
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

--__--__--
Message: 5
To: Koaps <koaps () 2nutz com>
Cc: roman () danyliw com, snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] loggin issue
Date: Thu, 10 May 2001 21:15:11 US/Eastern

Well, -N disables the log facility and only enables the alert facility.
However, from your previous email, it would appear that you have set the
database plug-in to only read the log facility. Either remove the -N or
reconfigure the DB plugin to use alert output

database: log, postgresql, user=root ...
          ^^^
          |========= with -N this needs to be alert

cheers,
Roman
nope no logging and no -A
I use this
/usr/local/bin/snort -c /var/snort/snort.conf -N

L8rZ,
 )\_/(
< o,0 >
 ~ \ /
KoAps

----- Original Message -----
From: <roman () danyliw com>
To: "Koaps" <koaps () 2nutz com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 8:35 AM
Subject: Re: [Snort-users] loggin issue

Is it logging anywhere else (e.g. to a file)? What does your command line look like? Does it have a "-A", if so remove it.
Roman

I don't get it.... I have Snort 1.7 on OpenBSD it's telling me it's seeing packets, it's sending alerts, but I see no data in mysql....
===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:

    TCP: 5048      (99.664%)          ALERTS: 7
    UDP: 0         (0.000%)           LOGGED: 7
   ICMP: 12        (0.237%)           PASSED: 0
    ARP: 0         (0.000%)
   IPv6: 0         (0.000%)
    IPX: 0         (0.000%)
  OTHER: 0         (0.000%)
DISCARD: 0         (0.000%)
===============================================================================

connect info

Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: user = ids
database: password is set
database: database name = snortdb
database: host = 192.168.69.5
database: sensor name = 192.168.69.12
database: sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

I am using ACID to look at the SnortDB
I can see it's registered in the database as a sensor...
I just see no data from it

L8rZ,
 )\_/(
< o,0 >
 ~ \ /
KoAps
---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/
--__--__--
Message: 6
To: alexus <ml () db nexgen com>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 21:23:05 US/Eastern
OK, let's avoid the automated table creation for now. Try running
the SQL manually (create_acid_tbls_mysql.sql)
Roman
mysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
1 row in set (0.00 sec)

mysql>

I copy and paste mysql output to show you that I do have all right privileges
I also upgraded acid to 0.9.6b9 (which is the latest beta for today)
it still doesn't work

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)

One observation:
- ACID 0.9.5 does not use ADODB. This DB abstraction was introduced in 0.9.6b2 (Jan 2001). Hence, this addition into acid_conf.php will be ignored.

Two recommendations:
- are you sure that you have CREATE permissions on the DB user set in acid_conf.php? If all else fails, try using the "create_acid_tbls_mysql.sql" to manually create the ACID tables.
- upgrade to a more recent version of ACID => 0.9.6b9. There are significant feature improvements as well as bug fixes. If you prefer an older version, upgrade to at least 0.9.6b1 for it has a number of important bug fixes

cheers,
Roman

I'm using the following:
FreeBSD 4.3 - RELEASE (STABLE)
ACID-0.9.5 - RELEASE (STABLE)
ADODB v1.0.1 - RELEASE (STABLE)
PHP - 4.0.5 - RELEASE (STABLE)
APACHE - 1.3.19 - RELEASE (STABLE)
SNORT - 1.7 - RELEASE (STABLE)

to compile snort I used the following line:
../configure --with-mysql=/usr/local/mysql;make;make install

I did change acid_conf.php
I put the path to adodb in adodb
I put the local path in adodb.inc.php

when I go to http://localhost/acid it redirects me to acid_main.php and when it gets there I get this:

The underlying database alexus@localhost appears to be invalid. The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB

when I click on "Setup page" in the status window I get "DONE" for "Search Indexes" and I have "Create ACID AG" for "ACID tables". I'm assuming I need to click on "Create ACID AG", when I do that nothing happens, it won't disappear or it won't change status to "DONE".. what am I missing?
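Roman asks whether the DB user has CREATE permission, and the grant row alexus pasted shows Create_priv as N. The following added example (not ACID's or Snort's own code) parses that kind of `mysql> select * from user` output and lists the privileges a user@host row lacks; the alexus row repeats the Y/N values from the thread with a placeholder hash, while the `ids` row and the required-privilege list are assumptions of mine (CREATE comes from the thread, the rest is what a table-creating setup script and a DB-writing sensor plausibly need).

```python
"""List the privileges an ACID/Snort MySQL user is missing, read from the
ASCII table the mysql client prints. Added example, not project code."""

# Constructed sample shaped like `mysql> select * from user where ...`.
# The alexus row repeats the thread's Y/N values (hash replaced by <hash>);
# the ids row is made up to show a user that passes the check.
MYSQL_USER_TABLE = """\
+---------------+--------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host          | User   | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+---------------+--------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost     | alexus | <hash>   | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
| 192.168.69.12 | ids    | <hash>   | Y           | Y           | Y           | Y           | Y           | N         | N           | N             | N            | N         | N          | N               | Y          | N          |
+---------------+--------+----------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
2 rows in set (0.00 sec)
"""

# Assumed requirement: CREATE is what the thread asks about; SELECT/INSERT
# are what the sensor's database plugin writes with; UPDATE/DELETE/INDEX are
# what a console that manages alert groups and builds indexes needs.
REQUIRED_PRIVS = ("Select_priv", "Insert_priv", "Update_priv",
                  "Delete_priv", "Create_priv", "Index_priv")


def _cells(line):
    """Split one '| a | b |' line into its trimmed cell values."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def parse_mysql_table(text):
    """Turn the mysql client's ASCII table into a list of {column: value}."""
    rows = [ln for ln in text.splitlines() if ln.strip().startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])
    return [dict(zip(header, _cells(ln))) for ln in rows[1:]]


def missing_privileges(row, required=REQUIRED_PRIVS):
    """Privileges from `required` that this grant row does not set to Y."""
    return [p for p in required if row.get(p, "N").upper() != "Y"]


def check_db_user(text, user, host):
    """Missing privileges for user@host, or None when no grant row matches
    (MySQL would refuse the connection from that host outright)."""
    for row in parse_mysql_table(text):
        if row.get("User") == user and row.get("Host") == host:
            return missing_privileges(row)
    return None


if __name__ == "__main__":
    for user, host in (("alexus", "localhost"), ("ids", "192.168.69.12"),
                       ("acid", "localhost")):
        print(f"{user}@{host}: {check_db_user(MYSQL_USER_TABLE, user, host)}")
```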
--__--__--
Message: 7
From: "Steve Shockley" <steve.shockley () shockley net>
To: <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 22:35:06 -0400
Subject: [Snort-users] Snort 1.8-beta4 Build 17 coredump
I'm running (or trying to!) Snort 1.8 Beta 4 Build 17 on OpenBSD
2.9-snapshot (5/10). I'm mostly running the standard ruleset/config
file, except I've turned on syslog logging. I used to have it running
on this machine with Snort 1.7 and OpenBSD 2.8-Release, but somewhere
along the way it broke and I didn't have time to fix it. I've
recompiled Snort and I have the latest CVS update. Are there any known
issues with this build? It seems to dump core a few minutes after
starting it, even running it interactively as root.
--__--__--
Message: 8
Date: Fri, 11 May 2001 08:54:39 +0200
To: Kevin Brown <Kevin.M.Brown () asu edu>,
"'Robinson, Ken'" <ken.robinson () ccra-adrc gc ca>,
"Snort List (E-mail)" <snort-users () lists sourceforge net>
From: Jean-Francois Zwobada <zwobada () fluxus net>
Subject: RE: [Snort-users] Rules vs performance
Hi guys
What's the average and peak bandwidth you're trying to analyse?
Regards
JF
At 12:53 10/05/01 -0700, Kevin Brown wrote:
I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s link the snort was clocking 40% of the cpu with absolutely no rules or plugins. I don't remember the specifics, but I was removing rules from the list till snort dropped to 80% or less and of the ruleset of 400 rules I had to drop all but 50 I believe to get it down. I'm currently using a Sparc 500 and it is clocking 50% of the CPU (same link) with the full ruleset in place (snort1.8b5 build 20). I downloaded top and compiled it and just watch the processes and notice that with just the database and spp plugins snort is slowly eating up my 1GB of memory. I don't know if that is a memory leak or just a lot of memory caching going on within snort.

-----Original Message-----
From: Robinson, Ken [mailto:ken.robinson () ccra-adrc gc ca]
Sent: Thursday, May 10, 2001 12:42
To: Snort List (E-mail)
Subject: [Snort-users] Rules vs performance

Hello,

Are there any rules of thumb, or such, on how the number of Snort rules affects the performance?

In doing some lab tests, we found that as the amount of traffic went up, we detected fewer and fewer test attacks. CPU usage was high, but not peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit NICs and 256Meg RAM. I don't know if the misses were due to an issue with the hardware (NIC missing packets?), or if there were too many rules to sort through for the Snort software, or too much logging?

We've looked through the snort rules from Whitehats and found many cases where we could reduce the rules by either dropping them (i.e. don't care), reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping instead of detecting which OS), or making groups of them as activate rules (i.e. the DeepThroat backdoor rules). We could also use the Activate rules to log the next 50 packets and then run a full set of rules on those logged packets.

So, any advice for us? Should we use Activate rules as much as possible? Should we generalize rules? Or is all of this not going to make much of a difference?

Thanks.
----
Ken Robinson
Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.44.97.70.00 - Fax : +33.1.44.97.70.14
30, rue du Chateau des Rentiers - 75013 PARIS
--__--__--
Message: 9
From: <holger.bumke () nbg net>
To: "Richard, Jeff" <Jeff-Richard () forum-financial com>
cc: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Date: Fri, 11 May 2001 09:22:13 +0200
Subject: Re: [Snort-users] DNS Query Logging?
Try this small shell script:
--------------------------------------------------------------------------------
#!/bin/bash
# suit to your needs
NAMEDSTATS="/etc/named.stats"
PID="/var/run/named.pid"
# state file; /tmp is world-writable, so when run as root from cron a
# root-owned directory is the safer place for it
LOG="/tmp/namedqueries.tmp"
# nothing to be changed below if you're using bash.
declare -i RR_new=0
declare -i RR_old=0
# SIGILL tells BIND 8's named to append a statistics dump to named.stats
kill -SIGILL "$(cat "$PID")"
# give named a moment to finish writing the dump before reading it
sleep 1
# counter stored by the previous run (stays 0 on the very first run)
[ -f "$LOG" ] && RR_old=$(tail -1 "$LOG")
# the third line from the end of the dump carries the counters; take field 1
RR_new=$(tail -3 "$NAMEDSTATS" | head -1 | awk '{print $1}')
echo "$RR_new" >"$LOG"
# queries since the previous run, e.g. for cron/MRTG
echo $((RR_new - RR_old))
--------------------------------------------------------------------------------
Other stats could be obtained by changing the field parameter.
Nice job for cron/MRTG. =:^)
Hope it helps....
Regards,
Holger
"Richard, Jeff" <Jeff-Richard () forum-financial com> on 10.05.2001 22:47:34
To: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
cc: (bcc: Holger Bumke/nbg/DE)
Subject: [Snort-users] DNS Query Logging?
I hope someone can give a hand on this. I need to get a count of how many
DNS queries my DNS servers are receiving. What should a rule for DNS
queries look like? I'm not familiar with DNS traffic, but realize that UDP
53 is the protocol/port, just not sure of any signature(s).
-Jeff
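Holger's script counts on the server side; Jeff's question was what a DNS query looks like on the wire. The following added example (not Snort's code and not a Snort rule) decodes the DNS header and question section and counts queries per type: the QR bit, the top bit of payload byte 2, is what separates a query from a response, and the header fields pulled out here are the ones a query-counting signature would have to key on. The packets are constructed UDP payloads, built by the `build_message` helper for the example.

```python
"""Count DNS queries by decoding the DNS header and first question.
Added example for the thread's DNS question; not Snort's own code."""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA"}


def build_message(txid, qname, qtype, flags):
    """Build a one-question DNS message (constructed sample input).
    flags 0x0100 = standard query with RD set; 0x8180 = standard response."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + name + struct.pack("!HH", qtype, 1)


def read_name(buf, off):
    """Read an uncompressed QNAME at buf[off]; return (name, next_offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer never starts a question name
            raise ValueError("compressed label in question section")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def parse_dns(payload):
    """Decode the 12-byte header plus the first question, if there is one."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    info = {"id": txid, "is_query": not (flags & 0x8000),  # QR bit clear
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qdcount, "qname": None, "qtype": None}
    if qdcount:
        name, off = read_name(payload, 12)
        if off + 4 > len(payload):
            raise ValueError("truncated question section")
        info["qname"] = name
        info["qtype"] = struct.unpack("!H", payload[off:off + 2])[0]
    return info


def count_queries(payloads):
    """Count standard queries (QR=0, opcode 0) per query type; malformed
    payloads are skipped rather than counted."""
    counts = {}
    for payload in payloads:
        try:
            msg = parse_dns(payload)
        except ValueError:
            continue
        if msg["is_query"] and msg["opcode"] == 0:
            key = QTYPE_NAMES.get(msg["qtype"], str(msg["qtype"]))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: three queries, one response, one truncated blob.
SAMPLE_PACKETS = [
    build_message(0x1234, "www.example.com", 1, 0x0100),   # A query
    build_message(0x1235, "example.com", 15, 0x0100),      # MX query
    build_message(0x1234, "www.example.com", 1, 0x8180),   # response, not counted
    build_message(0x1236, "mail.example.com", 1, 0x0100),  # A query
    b"\x12\x37\x01\x00\x00\x01",                           # truncated, skipped
]

if __name__ == "__main__":
    print(count_queries(SAMPLE_PACKETS))  # {'A': 2, 'MX': 1}
```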
--__--__--
End of Snort-users Digest