Snort mailing list archives
Re: libpcap question?
From: Jason Costomiris <jcostom () jasons org>
Date: Sun, 15 Sep 2002 17:48:24 -0400
On Sun, Sep 15, 2002 at 03:16:14PM -0500, J. Craig Woods wrote:

: Yes and no. First, I am running my gateway/router machine with older
: mandrake version, LMDK7.2 (No thanks, I do not want to upgrade. Too much
: work has gone into this baby, i.e. some very extensive, manually
: created, ipchains rules, hand-crafted tripwire configuration with every
: file loaded, and many other cooker and "homemade" customizations). As I
: indicated, it is fully loaded with mysql components:

I can appreciate not wanting to upgrade.. I would, however, suggest you
consider dumping ipchains in favor of iptables. After all, iptables is
stateful - you don't have to open up all ports >1024, just permit related
and established connections. Surely you can see the (significant) benefits..

: MySQL-devel-3.23.31-1.1mdk
:
: Still snort src (snort.org version) would not compile for me. As I
: indicated, it gave me some gibberish about not finding mysql-devel.
: Maybe a "case" problem, you think?

Absolutely. After all, this is *nix.

: Here is a question for you, Jason: What is going on with your MTA?
: Every time my mail server receives mail from you, I get alerts:

Seems like a false positive.. My tripwire report came up clean against
verified signatures from RO media... I'm running postfix 1.1.11 with SASL
and TLS support. I'd be interested in seeing a capture if you don't mind.
Seems rather interesting..

: (When posting to snort list, I have never understood the need to
: obfuscate IP addresses: they are all in the mail headers, right?)

Sure, but who's obfuscating?

: Any thoughts on this alert?

Probably a false positive.. I used to see all kinds of crazy alerts caused
by data in a file being xfer'd via FTP..

-- 
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.