Snort mailing list archives
Re: another question
From: twig les <twigles () yahoo com>
Date: Mon, 16 Dec 2002 12:06:47 -0800 (PST)
That is about the crudest way possible to capture AIM traffic. If someone changes the port you miss them and the potential for false alarms is staggering. And no it doesn't log the session or content. To implement a custom rule you can simply create a text file called custom.rules and type/paste them in, then add an include statement to the new rules file at the end of snort.conf.

--- "Shafer, Troy" <tshafer () laurel k12 ky us> wrote:
I found this code on the net for logging aim traffic...

alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)

my first question, does this actually log the content of the messages and two how would I implement this with snort... write a .rules file... then put an include in the snort.conf? Still trying to figure this snort thing out...

Troy Shafer
Network Engineer
Laurel County Schools
606-862-4616
tshafer () laurel k12 ky us

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Monday, December 16, 2002 1:49 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2587 - 8 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Exclude IP addresses for all rules (Jens Krabbenhoeft)
2. writing to DB (only!) (Eduard San Anselmo Mateu)
3. RE: DB ERROR (Luo, Philip)
4. Ignorehosts, once again (Marc Quibell)
5. Newbie (Shafer, Troy)
6. Update (Luiz Alberto Cataldo Jr)
7. Re: Snort-users digest, Vol 1 #2581 - 7 msgs (Robert Young)
8. RE: New Trend: Intrusion Prevention (Sheahan, Paul (PCLN-NW))

--__--__--

Message: 1
Date: Mon, 16 Dec 2002 09:11:15 +0100
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Exclude IP addresses for all rules

Hi,

> I want to exclude IP addresses in my home net from being watched at all.

As you write 'being watched at all' the best thing to do is to ignore the IPs via BPF. Have a look at Erek Adams' post:
http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2
Try starting snort with "snort -options.... not host 192.168.1.1 and not host 192.168.1.2".

> var HOME_NET [!$EXCLUDE,192.168.1.0/24]

The problem is that you have an ORed list in HOME_NET. !192.168.1.1 OR 192.168.1.0/24 matches on all IPs in 192.168.1.0/24. Have a look at my last week's post at
http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2
HTH, Jens

--__--__--

Message: 2
Date: Mon, 16 Dec 2002 12:04:29 +0100
From: Eduard San Anselmo Mateu <esananselmo () albasoft com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] writing to DB (only!)

Hi everyone,

I think I can't get to understand the way snort stores information, i.e. output plugins. The thing is that I would like snort to only store information in the database (so I set the database output plugin with log(?)...), but I don't want any information being written to a file (so I put -A none on the command line, is it right?). Of course, the output database plugin is the only one I have uncommented at the conf file, so snort should only log to the database, but I get the message "WARNING: command line overrides rules file alert plugin", and I've read that snort won't log to the database when this message shows up. So what am I doing wrong? Could anyone point me to a doc where output plugins are explained?

Thanks in advance.
Eduard

--__--__--

Message: 3
From: "Luo, Philip" <Philip_Luo () adp com>
To: 'Steve Suehring' <snort () braingia org>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] DB ERROR
Date: Mon, 16 Dec 2002 08:43:07 -0500

There is no error when I tried mysql -u snort -p snort, Then I tried the rest, here is what I got,

mysql> show grants for snort@localhost;
+------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@localhost                                                                                                         |
+------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
| GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost'                                                           |
+------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for snort@127.0.0.1;
+------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@127.0.0.1                                                                                                         |
+------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'127.0.0.1' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
| GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'127.0.0.1'                                                           |
+------------------------------------------------------------------------------------------------------------------------------------+
=== message truncated ===

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
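The ORed-list problem Jens Krabbenhoeft describes in message 1 of the quoted digest, as an added example that is not part of this thread and not Snort's own code: a small Python model of the semantics he describes (each element of an address list is tested on its own, "!" negates only the element it is attached to, and the results are ORed), next to the BPF "not host ..." exclusion he recommends instead. The parser, the function names, and writing $EXCLUDE out as 192.168.1.1 are assumptions of the example; it does not reproduce Snort's real variable parser.

```python
"""Added illustration of why `var HOME_NET [!192.168.1.1,192.168.1.0/24]`
does not exclude 192.168.1.1 when the list is evaluated as an OR.

Assumptions (not taken from Snort's source): every element is matched
independently, '!' negates only its own element, and the variable matches
when any element matches.  $EXCLUDE is written out expanded as 192.168.1.1.
"""
import ipaddress


def parse_ip_list(spec: str):
    """Parse '[!192.168.1.1,192.168.1.0/24]' into [(negated, network), ...]."""
    body = spec.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    elements = []
    for item in body.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        # A bare host becomes a /32; strict=False tolerates host bits in a CIDR.
        elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def matches_var(addr: str, spec: str) -> bool:
    """ORed evaluation of the list: any element that matches makes the whole
    variable match, and a negated element matches every address outside it.
    That is exactly why the negated host is still covered by the /24 element."""
    ip = ipaddress.ip_address(addr)
    return any((ip not in net) if negated else (ip in net)
               for negated, net in parse_ip_list(spec))


def bpf_exclude(hosts) -> str:
    """Build the command-line BPF expression Jens suggests instead."""
    return " and ".join(f"not host {ipaddress.ip_address(h)}" for h in hosts)


def bpf_captures(addr: str, hosts) -> bool:
    """Model of that BPF filter: a packet reaches the detection engine only
    if its address is none of the excluded hosts (the 'not host' terms are ANDed)."""
    ip = ipaddress.ip_address(addr)
    return all(ip != ipaddress.ip_address(h) for h in hosts)


if __name__ == "__main__":
    home_net = "[!192.168.1.1,192.168.1.0/24]"   # $EXCLUDE expanded by hand
    for a in ("192.168.1.1", "192.168.1.50", "10.0.0.5"):
        print(f"HOME_NET {home_net} matches {a}: {matches_var(a, home_net)}")
    excluded = ["192.168.1.1", "192.168.1.2"]
    print("BPF filter:", bpf_exclude(excluded))
    for a in ("192.168.1.1", "192.168.1.50"):
        print(f"captured {a}: {bpf_captures(a, excluded)}")
```

Under this model the "excluded" host 192.168.1.1 still matches HOME_NET through the /24 element, and, because the negated element is true for every address outside 192.168.1.1, the variable also matches addresses that are not in the home net at all. The BPF form avoids both problems: the excluded hosts are dropped before any rule sees them, and nothing else changes.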
Current thread:
- another question Shafer, Troy (Dec 16)
- Re: another question twig les (Dec 16)