Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: libpcap question?

From: Jason Costomiris <jcostom () jasons org>
Date: Sun, 15 Sep 2002 17:48:24 -0400
On Sun, Sep 15, 2002 at 03:16:14PM -0500, J. Craig Woods wrote:
: Yes and no. First, I am running my gateway/router machine with older
: mandrake version, LMDK7.2 (No thanks, I do not want to upgrade. Too much
: work has gone into this baby, i.e. some very extensive, manually
: created, ipchains rules, hand-crafted tripwire configuration with every
: file loaded, and many other cooker and "homemade" customizations). As I
: indicated, it is fully loaded with mysql components:

I can appreciate not wanting to upgrade..  I would, however, suggest you
consider dumping ipchains in favor of iptables.  After all, iptables is
stateful - you don't have to open up all ports >1024, just permit 
related and established connections.  Surely you can see the (significant)
benefits..

: MySQL-devel-3.23.31-1.1mdk
: 
: Still snort src (snort.org version) would not compile for me. As I
: indicated, it gave me some gibberish about not finding mysql-devel.
: Maybe a "case" problem, you think?

Absolutely.  After all, this is *nix.

: Here is a question for you, Jason: What is going on with your MTA?
: Evertime my mail server receives mail from you, I get alerts:

Seems like a false positive..

My tripwire report came up clean against verified signatures from RO
media...  I'm running postfix 1.1.11 with SASL and TLS support.  I'd
be interested in seeing a capture if you don't mind.  Seems rather
interesting..

: (When posting to snort list, I have never understood the need to
: obfuscate IP addresses: they are all in the mail headers, right?)      

Sure, but who's obfuscating?

: Any thoughts on this alert?

Probably a false positive..  I used to see all kinds of crazy alerts
caused by data in a file being xfer'd via FTP..

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: