Snort mailing list archives
RE: Exchange 2000
From: "Richard Lyons" <lyonsrf () linxlogix com>
Date: Thu, 19 Dec 2002 13:20:54 -0500
Has anyone dealt with putting Snort onto an Exchange 2000 box? Anything in particular that I would need to know, i.e., disable certain things initially before installation? Any help would greatly be appreciated!

RL

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, December 19, 2002 12:51 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2600 - 9 msgs

Today's Topics:

1. RE: Barnyard/acid reconfigure question (Henning, David)
2. Ignorehosts still not working... (Marc Quibell)
3. ACID Graph Page (Gary Borgeson)
4. RE: Ignorehosts still not working... (Hicks, John)
5. RE: ACID Graph Page (Steve Halligan)
6. RE: DB ERROR (Luo, Philip)
7. Re: One question (Matt Kettler)
8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
9. RE: Clueless in Toronto (Rich Stryker)

--__--__--

Message: 1
From: "Henning, David" <henningd () fortrex com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 19 Dec 2002 09:01:38 -0500
Subject: RE: [Snort-users] Barnyard/acid reconfigure question

Excellent explanation! Thank you!

Dave

-----Original Message-----
From: Jens Krabbenhoeft

Hi,
What am I missing on how to assign this number and keep it consistent?
op_acid_db.c:

    /* if sensor id == 0, then we attempt to determine it dynamically */
    if(data->sensor_id == 0)
    {
        data->sensor_id = AcidDbGetSensorId(data);
    }

And AcidDbGetSensorId does the following:

    "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
    "AND filter='%s' AND detail='%u' AND encoding='0'",
    pv.hostname, pv.interface, pv.filter, op_data->detail)

If it gets a sensor back, it uses that sensor_id; if not, it inserts the new sensor.

So from the code, to keep it consistent, don't change the hostname / interface / filter and detail.

Hope that helps,
Jens

BTW: It works for me. Changing any of these values inserts a new sensor, changing nothing doesn't do anything to the sensor-table.

-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now! Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap, MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty. T H I N K G E E K . C O M http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
From: "Marc Quibell" <mquibell () fbfs com>
To: snort-users () lists sourceforge net
Date: Thu, 19 Dec 2002 09:07:15 -0600
Subject: [Snort-users] Ignorehosts still not working...
My snort cmd line is:

    /usr/local/bin/snort -o -q -i eth1 -c /usr/local/demarc/conf/snorteth1.conf

My snorteth1.conf is as follows:

    var HOME_NET any
    var EXTERNAL_NET any
    var SMTP $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    #var DNS_SERVERS $HOME_NET
    var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
    var HTTP_PORTS 80
    var ORACLE_PORTS 1521
    preprocessor defrag
    preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
    preprocessor unidecode: 80
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    preprocessor portscan-ignorehosts: $DNS_SERVERS
    preprocessor stream4: detect_scans, disable_evasion_alerts
    output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3s s host=192.168.45.111 sensor_name=ike.fbfs.com
    #BEGIN RULES:

I cannot get it to ignore those two hosts. Suggestions?

Thanks.
Marc

--__--__--

Message: 3
From: Gary Borgeson <gborgeson () aecc com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 19 Dec 2002 09:53:35 -0600
Subject: [Snort-users] ACID Graph Page

Does someone know what causes this?

    , * * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
    * (see the file 'acid_main.php' for license details)
    * * Purpose: displays form for graphing */
    echo ' '; echo ' '; echo 'Chart Title: ';
    echo 'Chart Type: { chart type } Time (hour) vs. Number of Alerts Time (day) vs. Number of Alerts Time (month) vs. Number of Alerts Src. IP address vs. Number of Alerts Dst. IP address vs. Number of Alerts Dst. UDP Port vs. Number of Alerts Src. UDP Port vs. Number of Alerts Dst. TCP Port vs. Number of Alerts Src. TCP Port vs. Number of Alerts Sig. Classification vs. Number of Alerts Sensor vs. Number of Alerts ';
    // Do you need other periods? Simply add them!
    echo ' Chart Period: no period 7 (a week) 24 (whole day) 168 (24x7) ';
    echo ' Size: (width x height) x ';
    echo ' Plot Margins: (left x right x top x bottom) x x x ';
    echo ' Plot type: bar line pie ';
    echo '

Thanks,
G
--__--__--

Message: 4
From: "Hicks, John" <JHicks () JUSTICE GC CA>
To: 'Marc Quibell' <mquibell () fbfs com>, "Snort Users (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Ignorehosts still not working...
Date: Thu, 19 Dec 2002 11:25:23 -0500

add /32 for CIDR notation?

    var DNS_SERVERS [207.108.40.xxx/32,207.108.40.xxx/32]

hth,
John

--__--__--

Message: 5
From: Steve Halligan <giermo () geeksquad com>
To: 'Gary Borgeson' <gborgeson () aecc com>, "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] ACID Graph Page
Date: Thu, 19 Dec 2002 10:31:49 -0600

> Does someone know what causes this?
> ****cut*****

You are missing a ' somewhere at the end of an echo statement somewhere near the beginning of that mess.
-steve

--__--__--

Message: 6
From: "Luo, Philip" <Philip_Luo () adp com>
To: 'twig les' <twigles () yahoo com>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] DB ERROR
Date: Thu, 19 Dec 2002 11:36:37 -0500

It still happens to me, especially when I looked at the detail of alerts.

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Friday, December 13, 2002 1:05 PM
To: Steve Suehring; Luo, Philip
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DB ERROR

Actually you may shed some light on it if you try:

    mysql -h localhost -u snort -p snort
    mysql -h 127.0.0.1 -u snort -p snort

--- Steve Suehring <snort () braingia org> wrote:

> Can you try doing something like this from the command-line:
>
>     mysql -u snort -p snort
>
> Then see what error and/or error number you get. Also, from within the MySQL CLI (as root):
>
>     show grants for snort@localhost;
>     show grants for snort@127.0.0.1;
>
> Steve
>
> On Fri, Dec 13, 2002 at 09:20:46AM -0500, Luo, Philip wrote:
> > I did, no luck. I modified the hosts file too.
> >
> > -----Original Message-----
> > From: Jens Krabbenhoeft [mailto:tschenz-snort-users () noris net]
> > Sent: Thursday, December 12, 2002 11:36 AM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] DB ERROR
> >
> > Hi,
> >
> > > grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost identified
> >                                                         ^^^^^^^^^
> > > Database ERROR: Database ERROR: Access denied for user: 'snort@127.0.0.1' to
> >                                                                  ^^^^^^^^^
> > Try doing a grant for snort@127.0.0.1
> >
> > HTH,
> > Jens
--__--__--

Message: 7
Date: Thu, 19 Dec 2002 12:01:13 -0500
To: Carmelo Zubeldia <czubeldia () innovatd com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] One question

No, not a bridge, a router. However I suspect what you are calling a "bridge" is really a router anyway.

A Bridge is a simple ethernet layer device that bridges 2 ethernet segments (ie: a switch with only 2 ports is a bridge); a router is an IP layer device with multiple interfaces that routes IP packets between them.

The significant difference here is that some non-IP things like ARP don't generally pass through a router (although they might be proxied by it), but any type of ethernet packet can go through a bridge, provided the MAC addresses dictate it is headed to the other side.

Since hogwash relies on IPTables for filtering, that filtering is IP layer, thus must happen on a system which routes at an IP layer. It can't merely be an ethernet layer bridge.

At 12:11 PM 12/19/2002 +0100, Carmelo Zubeldia wrote:
> Hi all,
>
> Run hogwash in a Bridge?
>
> Thxs
> --
--__--__--

Message: 8
Date: Thu, 19 Dec 2002 11:18:57 -0600
From: "Madziarczyk, Jonathan" <than () cityofevanston org>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Redhat 8.0 and Snort...playing nice?

Hey all,

So I've seen a couple of questions regarding RedHat 8 and Snort but not a lot of answers....Does anyone have this combo working right now? Were there problems you hadn't encountered in other installs?

Thanks,
JonM
Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline; text-underline:single;} span.EmailStyle17 {mso-style-type:personal-compose; mso-style-noshow:yes; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt; font-family:Arial; mso-ascii-font-family:Arial; mso-hansi-font-family:Arial; mso-bidi-font-family:Arial; color:windowtext;} span.SpellE {mso-style-name:""; mso-spl-e:yes;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} --> </style> <!--[if gte mso 10]> <style> /* Style Definitions */=20 table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman";} </style> <![endif]--> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple = style=3D'tab-interval:.5in'> <div class=3DSection1> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Hey all, <o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><span style=3D'mso-spacerun:yes'> </span>So = I’ve seen a couple of questions regarding <span class=3DSpellE>RedHat</span> = 8 and Snort but not a lot of answers….Does anyone have this combo = working right now?<span style=3D'mso-spacerun:yes'> </span>Were there problems = you hadn’t encountered in other installs?<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; 
font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Thanks,<o:p></o:p></span></font></p> <p class=3DMsoNormal><span class=3DSpellE><font size=3D2 = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'>JonM</span></font></span><f o= nt size=3D2 face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></ p=
--__--__--

Message: 9
Subject: RE: [Snort-users] Clueless in Toronto
Date: Thu, 19 Dec 2002 12:50:11 -0500
From: "Rich Stryker" <rstryker () virtuallearning net>
To: "SnortUsers (E-mail)" <snort-users () lists sourceforge net>

Is there any reason that you can think of as to why my SNORT, when set to log to a binary file, would die after a few seconds or a minute or two? And why the binary file that is created can't be read by SNORT afterwards like the SNORT document says it can?

Thanks,
Rich

-----Original Message-----
From: Joel Healy [mailto:Joel.Healy () amphenderson co nz]
Sent: Wednesday, December 18, 2002 2:48 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto

Hi Rich,

Ok... When you run snort you will need to tell it where its configuration file is unless you have it in the default location, and I don't know where that is on a W2K box. Have a read what command line options (check out http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.1) you can pass to it, as it sounds like you are using the -l command to create packet logs, which is in effect creating the IP address subfolders, but for a fairly vanilla installation you could run it as "snort -c C:\mypath\snort.conf"; your snort.conf should be where your rules are.

So the next step is to edit your snort.conf file (check out http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5) and configure one of the output plugins.. for example for your alert.ids file..

    output alert_fast: alert.ids

A best practise configuration is to configure snort to use the unified output plugin

    output alert_unified: snort.alert

which writes out the alerts in a binary format that is much quicker than any of the other plugins.. then use barnyard to read the file and output the alert.. it can output in any of the ways snort can. That allows snort (or hogwash) to keep up with quite high traffic throughput.

anyway hope that helps.

cheers
joel

-----Original Message-----
From: Rich Stryker [mailto:rstryker () virtuallearning net]
Sent: Thursday, December 19, 2002 7:43 AM
To: SnortUsers (E-mail)
Subject: RE: [Snort-users] Clueless in Toronto

Great Thanks Keith! Got it. I understand now why that is. Switches will broadcast only once until they know which port to send traffic out of. This would mean I would miss just about everything except for the broadcasts and multicasts. Whereas a hub is in constant broadcast mode since it shouldn't have the ability to have a MAC table...right?

Assuming I am correct can you or anyone else now help me with SNORTSNARF? When I followed the instructions from Silicon Defense, for installing SNORT on a W2K machine with IIS, SNORT created an alert.ids file. I setup SNORT to run as a service but I didn't get anything, no logs etc. When SNORT runs from the command line it doesn't write to the alert.ids but creates sub folders for every IP address it finds, which I have read to mean that is the default setting.

Any suggestions on how I can get the logs to be put into the alert.ids and thereby allowing me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight () TUC ca]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low

Rich,

If you only have dumb switches, then get a hub. Force all traffic you want to monitor through the hub. You only need one interface on the SNORT box to monitor traffic. If you want to use switches, you need to enable port spanning so that one switch port receives all the traffic on the switch and then plug snort into that port.

Crude text diagram...

              Snort
                ||
                \/
    Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E.
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212

-----Original Message-----
From: Rich Stryker [mailto:rstryker () virtuallearning net]
Sent: December 18, 2002 11:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Clueless in Toronto

Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because I am just testing the waters with it. There are 2 NICs.

I can't seem to figure out how to implement it now that it is running. I figure I will put it behind my firewall. But how do I force traffic to go through one NIC on the server and out through the other? Do I even need to do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but it only tracked the local computer's traffic and nothing else.

I have SNORTSNARF installed to see the reports but when I seem to have SNORT running I can't find the log files.

I want SNORT setup for NIDS.

All help is greatly appreciated.

Thanks,
Rich
--__--__--

End of Snort-users Digest
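Jens's explanation in digest message 1 (how op_acid_db picks the sensor id and why changing hostname, interface, filter or detail creates a new sensor row) as a runnable illustration added here; it is not Barnyard's or ACID's own code. It assumes a minimal constructed copy of the ACID sensor table in SQLite, and uses parameter binding in place of Barnyard's printf-style query building:

```python
"""Lookup-or-insert of an ACID sensor id, modelled on the logic Jens describes.

Constructed example: an in-memory SQLite stand-in for the ACID 'sensor' table
and a Python port of the AcidDbGetSensorId decision (not Barnyard's code).
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class SensorIdentity:
    """The four values (plus the fixed encoding) that identify a sensor row."""
    hostname: str
    interface: str
    filter: str
    detail: int
    encoding: int = 0  # op_acid_db hard-codes encoding='0' in its lookup


def open_acid_db() -> sqlite3.Connection:
    """Create only the columns of the ACID sensor table used here (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sensor ("
        "  sid INTEGER PRIMARY KEY AUTOINCREMENT,"
        "  hostname TEXT, interface TEXT, filter TEXT,"
        "  detail INTEGER, encoding INTEGER)"
    )
    return db


def acid_get_sensor_id(db: sqlite3.Connection, ident: SensorIdentity) -> int:
    """Return the sid of a matching sensor row, or insert one and return its sid.

    Mirrors AcidDbGetSensorId: SELECT on hostname/interface/filter/detail/
    encoding; no match means a new sensor is inserted. Bound parameters are
    used instead of the C code's '%s' string formatting.
    """
    key = (ident.hostname, ident.interface, ident.filter, ident.detail, ident.encoding)
    row = db.execute(
        "SELECT sid FROM sensor WHERE hostname=? AND interface=? "
        "AND filter=? AND detail=? AND encoding=?",
        key,
    ).fetchone()
    if row is not None:
        return row[0]
    cur = db.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, ?)",
        key,
    )
    db.commit()
    return cur.lastrowid


def resolve_sensor_id(db: sqlite3.Connection, configured_sensor_id: int,
                      ident: SensorIdentity) -> int:
    """The op_acid_db rule: sensor_id == 0 means 'determine it dynamically'."""
    if configured_sensor_id == 0:
        return acid_get_sensor_id(db, ident)
    return configured_sensor_id  # explicit id: no lookup, no insert


def sensor_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]


def demo() -> dict:
    """Show which changes create a new sensor row and which do not."""
    db = open_acid_db()
    base = SensorIdentity("sensor1.example.org", "eth1", "", 1)  # constructed
    first = resolve_sensor_id(db, 0, base)
    again = resolve_sensor_id(db, 0, base)           # unchanged -> same sid
    other_if = resolve_sensor_id(db, 0, SensorIdentity("sensor1.example.org", "eth0", "", 1))
    other_detail = resolve_sensor_id(db, 0, SensorIdentity("sensor1.example.org", "eth1", "", 0))
    pinned = resolve_sensor_id(db, 42, SensorIdentity("sensor1.example.org", "eth2", "", 1))
    return {"first": first, "again": again, "other_if": other_if,
            "other_detail": other_detail, "pinned": pinned, "rows": sensor_count(db)}


if __name__ == "__main__":
    print(demo())
```

Re-running with the same hostname/interface/filter/detail reuses sid 1, while changing the interface or the detail level inserts sid 2 and sid 3; a non-zero configured sensor_id is returned as-is without touching the table.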