Snort mailing list archives

Re: another question


From: twig les <twigles () yahoo com>
Date: Mon, 16 Dec 2002 12:06:47 -0800 (PST)

That is about the crudest way possible to capture AIM
traffic.  If someone changes the port, you miss them,
and the potential for false alarms is staggering.  And
no, it doesn't log the session or content.

To implement a custom rule you can simply create a
text file called custom.rules and type/paste them in,
then add an include statement to the new rules file at
the end of snort.conf.

--- "Shafer, Troy" <tshafer () laurel k12 ky us> wrote:
I found this code on the net for logging AIM traffic...

alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)

My first question: does this actually log the content of the messages?
And two, how would I implement this with snort... write a .rules file,
then put an include in the snort.conf?  Still trying to figure this
snort thing out...

Troy Shafer
Network Engineer
Laurel County Schools
 
606-862-4616
tshafer () laurel k12 ky us

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net] 
Sent: Monday, December 16, 2002 1:49 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2587 - 8 msgs


Today's Topics:

   1. Re: Exclude IP addresses for all rules (Jens Krabbenhoeft)
   2. writing to DB (only!) (Eduard San Anselmo Mateu)
   3. RE: DB ERROR (Luo, Philip)
   4. Ignorehosts, once again (Marc Quibell)
   5. Newbie (Shafer, Troy)
   6. Update (Luiz Alberto Cataldo Jr)
   7. Re: Snort-users digest, Vol 1 #2581 - 7 msgs (Robert Young)
   8. RE: New Trend: Intrusion Prevention (Sheahan, Paul (PCLN-NW))

--__--__--

Message: 1
Date: Mon, 16 Dec 2002 09:11:15 +0100
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
To:   snort-users () lists sourceforge net
Subject: Re: [Snort-users] Exclude IP addresses for all rules

Hi,

I want to exclude IP addresses in my home net from
being watched at
all.

As you write 'being watched at all', the best thing to do is to ignore
the IPs via BPF. Have a look at Erek Adams' post:

http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2

Try starting snort with "snort -options.... not host 192.168.1.1 and not
host 192.168.1.2".

var HOME_NET [!$EXCLUDE,192.168.1.0/24]

The problem is that you have an ORed list in HOME_NET: !192.168.1.1 OR
192.168.1.0/24 matches all IPs in 192.168.1.0/24.

Have a look at my last week's post at

http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2

HTH,
      Jens


--__--__--

Message: 2
Date: Mon, 16 Dec 2002 12:04:29 +0100
From: Eduard San Anselmo Mateu <esananselmo () albasoft com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] writing to DB (only!)

Hi everyone,
I think I can't get to understand the way snort stores information, i.e.
output plugins. The thing is that I would like snort to only store
information in the database (so I set the database output plugin with
log(?)...), but I don't want any information being written to a file (so
I put -A none on the command line, is it right?). Of course, the output
database plugin is the only one I have uncommented in the conf file, so
snort should only log to the database, but I get the message "WARNING:
command line overrides rules file alert plugin", and I've read that snort
won't log to the database when this message shows up. So what am I doing
wrong? Could anyone point me to a doc where output plugins are explained?
Thanks in advance.
Eduard



--__--__--

Message: 3
From: "Luo, Philip" <Philip_Luo () adp com>
To: 'Steve Suehring' <snort () braingia org>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] DB ERROR
Date: Mon, 16 Dec 2002 08:43:07 -0500

There is no error when I tried mysql -u snort -p snort.
Then I tried the rest; here is what I got:

mysql> show grants for snort@localhost;
+------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@localhost                                                                                                         |
+------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
| GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost'                                                           |
+------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for snort@127.0.0.1;
+------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@127.0.0.1                                                                                                         |
+------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'127.0.0.1' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
| GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'127.0.0.1'                                                           |
+------------------------------------------------------------------------------------------------------------------------------------+

=== message truncated ===


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
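Added example, not code from the thread or from the Snort project: a toy Python evaluator for the header and content option of the AIM rule quoted above, plus the ORed HOME_NET list semantics Jens describes in the digest. Run over constructed packet records (mine, not captured traffic), it shows the three points twig les makes (the rule fires on the default port, silently misses the same payload on another port, and alarms on unrelated traffic that merely contains "HTML") and that a negated entry ORed with a network still matches the host it was meant to exclude. All function and field names are assumptions.

```python
import ipaddress
import re

# The AIM rule quoted in the thread (Snort 1.x syntax).
RULE = 'alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)'
HEADER = re.compile(r'(\w+) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)')

def parse_rule(text):
    """Toy parser: header fields plus the bare content option (no nocase, no offsets)."""
    action, proto, src, sport, _, dst, dport, opts = HEADER.match(text).groups()
    options = dict(o.strip().split(':', 1) for o in opts.split(';') if o.strip())
    content = options.get('content', '').strip().strip('"')
    return {'action': action, 'proto': proto, 'dport': dport, 'content': content}

def rule_matches(rule, pkt):
    """Alert only on what the rule actually checks: protocol, destination port, payload substring."""
    if pkt['proto'] != rule['proto']:
        return False
    if rule['dport'] != 'any' and pkt['dport'] != int(rule['dport']):
        return False
    return rule['content'] in pkt['payload']

# Constructed packet records, not captured traffic.
PACKETS = [
    {'name': 'aim-default-port', 'proto': 'tcp', 'dport': 5190, 'payload': '<HTML>hi</HTML>'},
    {'name': 'aim-moved-port',   'proto': 'tcp', 'dport': 443,  'payload': '<HTML>hi</HTML>'},
    {'name': 'web-on-5190',      'proto': 'tcp', 'dport': 5190, 'payload': 'GET /HTML HTTP/1.0'},
]

def evaluate_aim_rule():
    """Which constructed packets the quoted rule alerts on."""
    rule = parse_rule(RULE)
    return {p['name']: rule_matches(rule, p) for p in PACKETS}

def in_ored_list(ip, entries):
    """List semantics as Jens describes them: entries are ORed, '!' negates only its own entry."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        negate = entry.startswith('!')
        net = ipaddress.ip_network(entry.lstrip('!'), strict=False)
        if (addr in net) != negate:
            return True
    return False

def home_net_demo():
    """[!192.168.1.1,192.168.1.0/24] still matches 192.168.1.1 (and every other address)."""
    home_net = ['!192.168.1.1', '192.168.1.0/24']
    return {ip: in_ored_list(ip, home_net) for ip in ('192.168.1.1', '192.168.1.5', '10.0.0.1')}
```

The second check is the reason Jens points at a BPF "not host ... and not host ..." expression, which is ANDed, instead of a negated entry inside HOME_NET.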
