Snort mailing list archives
RE: Snort-users digest, Vol 1 #3309 - 9 msgs
From: "Christian Tortorich" <ctorto1 () lsu edu>
Date: Fri, 27 Jun 2003 21:25:29 -0500
I have recently installed snort with snortcenter and the ACID management console on a dual PIII 500 system with a gig of RAM and pretty good network cards (Intel gigabit and 100 Mb). The box is acting as a bridge and I'm filtering the incoming traffic with IPCHAINS. I'm interested in both what's going on on the inside (!) and the outside of my network. This is an excellent tool. I have 2 quick questions:

1) When snort reports that packets are dropped, should I take that to mean that they are dropped on the floor or just that Snort couldn't look at them fast enough so it skipped them? I want to monitor traffic, but not at the expense of packet loss.

2) I have a LAN on one side of this box with about 100 clients and a connection to a gig E backbone on the other side. Is my snort box configuration reasonable? Should I be dropping packets consistently?

Regards
Chris Tortorich
ctorto1atlsudotedu

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net
Sent: Friday, June 27, 2003 5:52 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3309 - 9 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: RE: Snort-users digest, Vol 1 #3302 - 13 msgs (Rodrigo Goya)
2. RE: encrypt barnyard connections (Hutchinson, Andrew)
3. RE: Snort problem (Faiz Ahmad Shuja)
4. sid=1042 IIS view source via translate header (Everist, Benjamin S. (NASWI))
5. RE: Snort problem (Michael Steele)
6. Re: Snort problem (Matt Kettler)
7. Re[2]: [Snort-users] Cisco Catalyst - SNORT (Lukasz Bromirski)
8. snortcenter 1.0RC1 (Todd Holloway)
9. Re: re: Pass Rule question (Erek Adams)

--__--__--

Message: 1
Date: Fri, 27 Jun 2003 10:25:58 -0500
From: Rodrigo Goya <lucent () securenet com mx>
To: edward.hawkins () acuitysp com, snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: Snort-users digest, Vol 1 #3302 - 13 msgs

Hhhmm.. hope this is what you were asking for:

Go to Resources -> Variables -> View Variables
Edit "HOME_NET", change the value and click on "Duplicate"
Now you have more than one HOME_NET defined.
Go to Sensor Config -> Variable Selection
Pick the sensor you want, activate the new HOME_NET.
Then just push your new rules to the sensor and reload it.

Cheers,
Rodrigo

On Thu, Jun 26, 2003 at 12:22:55PM -0400, edward.hawkins () acuitysp com wrote:
> How is Home_Net defined when using SnortCenter? I have installed ACID and SnortCenter; based on the install process, how do you specifically define your home_net in SnortCenter? I know how to manually do it, but how do you do it in SnortCenter?
--__--__--

Message: 2
Subject: RE: [Snort-users] encrypt barnyard connections
Date: Fri, 27 Jun 2003 10:38:41 -0500
From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
To: "Joerg Weber" <j.weber () infos de>, "SnortUsers" <snort-users () lists sourceforge net>

You could do that, or...

<ShamelessPostgreSQLPlug>
you could use PostgreSQL, compiled with the --with-openssl option, and use SSL natively and bypass stunnel altogether. The PostgreSQL installation/configuration documentation explains how to set this up.
</ShamelessPostgreSQLPlug>

:-)

Andrew

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
-----Original Message-----
From: Joerg Weber [mailto:j.weber () infos de]
Sent: Friday, June 27, 2003 6:31 AM
To: SnortUsers
Subject: Re: [Snort-users] encrypt barnyard connections

Hi,

> I would like to encrypt the barnyard connection to the MySQL database. Is this possible over stunnel?

This works just fine for me without any issues. You can run Stunnel with certificates and strict cert checking.

On the snort box do something like

stunnel -c -d 127.0.0.1:3306 -r mysql-server-here:3307 -s stunnel -g stunnel

and on the remote MySQL box

/usr/sbin/stunnel -p /usr/share/ssl/stunnel/server.pem -P /tmp/ -d 3307 -r 127.0.0.1:3306 -s stunnel -g stunnel

or, with strict cert checking, something like this on the client

/usr/sbin/stunnel -c -d 127.0.0.1:3306 -r mysql-server-here:3307 -v 3 -A /usr/share/ssl/stunnel/server.cert -p /usr/share/ssl/stunnel/client.pem -P /var/run/stunnel.pid -s stunnel -g stunnel

and on the remote MySQL box

/usr/sbin/stunnel -A /usr/share/ssl/stunnel/all.cert -p /usr/share/ssl/stunnel/server.pem -d 3307 -r 127.0.0.1:3306 -v 3 -P /var/run/stunnel.pid -s stunnel -g stunnel

Now, if you distribute the proper certs to the client and the server, your connection is SSL-encrypted and connections are allowed with the proper certs only.

Works like a charm for me.

Oh, it's very possible I goofed up on the pasted lines, you gotta check the parameters of course ;)

Cheers!

-- 
Joerg Weber
Network Security
infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken
T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber () infos de
--__--__--

Message: 3
From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
To: <mshultz () vastcs net>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort problem
Date: Fri, 27 Jun 2003 20:45:43 +0500

Try looking into IDScenter and Eagle X from Engage Security.
http://www.engagesecurity.com/
You can find the options you are looking for there.

Regards,
Faiz

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of mshultz () vastcs net
Sent: Friday, June 27, 2003 2:41 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort problem

Hello. I'm not sure if this is a support mailing list but hopefully someone could help me out.

I am relatively new to Snort and it looks very decent for what I need it to do. I am running snort on a win32 machine. My problem is that I need snort to send either an email, which doesn't look possible as I am not a programmer, or an SMB message to a selected workstation. My problem is that SMB doesn't seem to be compiled into the windows binaries and there doesn't seem to be another way to configure it without the 'configure' executable. Any help would be appreciated.

Mike.

--__--__--

Message: 4
From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
To: snort-users () lists sourceforge net
Date: Fri, 27 Jun 2003 09:02:21 -0700
Subject: [Snort-users] sid=1042 IIS view source via translate header

Has anyone seen anything like this before? It doesn't look like the translate: f vuln [0], except that it contains the translate: f header. The long string of gobbledygook after the auth: negotiate looks suspicious to me, but what do I know? I looked through the IIS 'sploits at bugtraq and didn't see anything that matches. Is this valid traffic?

000 : 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31 OPTIONS / HTTP/1
010 : 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66 .1..translate: f
020 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69 ..User-Agent: Mi
030 : 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D crosoft-WebDAV-M
040 : 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30 iniRedir/5.1.260
050 : 30 0D 0A 48 6F 73 74 3A 20 xx xx xx xx xx xx xx 0..Host: xxxxxxx
060 : xx xx xx xx xx xx xx 0D 0A 41 75 74 68 6F 72 69 xxxxxxx..Authori
070 : 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74 zation: Negotiat
080 : 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 41 41 e TlRMTVNTUAADAA
090 : 41 41 47 41 41 59 41 47 6F 41 41 41 41 59 41 42 AAGAAYAGoAAAAYAB
0a0 : 67 41 67 67 41 41 41 41 67 41 43 41 42 41 41 41 gAggAAAAgACABAAA
0b0 : 41 41 47 67 41 61 41 45 67 41 41 41 41 49 41 41 AAGgAaAEgAAAAIAA
0c0 : 67 41 59 67 41 41 41 41 41 41 41 41 43 61 41 41 gAYgAAAAAAAACaAA
0d0 : 41 41 42 59 4B 49 6F 46 67 41 56 51 42 4D 41 46 AABYKIoFgAVQBMAF
0e0 : 55 41 51 51 42 6B 41 47 30 41 61 51 42 75 41 47 UAQQBkAG0AaQBuAG
0f0 : 6B 41 63 77 42 30 41 48 49 41 59 51 42 30 41 47 kAcwB0AHIAYQB0AG
100 : 38 41 63 67 42 59 41 46 55 41 54 41 42 56 41 50 8AcgBYAFUATABVAP
110 : 70 59 77 6F 45 2F 62 77 42 37 41 41 41 41 41 41 pYwoE/bwB7AAAAAA
120 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4E AAAAAAAAAAAAAAAN
130 : 7A 66 74 72 6F 7A 31 69 4A 6E 69 50 6D 34 33 4F zftroz1iJniPm43O
140 : 77 79 62 63 75 6B 61 55 53 66 53 46 64 45 43 67 wybcukaUSfSFdECg
150 : 3D 3D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 ==..Connection:
160 : 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 Keep-Alive..Cont
170 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 0D ent-Length: 0...
180 : 0A

[0] http://www.securityfocus.com/bid/1578/discussion/
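The string after "Authorization: Negotiate" in the dump above is a base64-encoded NTLMSSP AUTHENTICATE (type 3) message, which fits the Microsoft-WebDAV-MiniRedir User-Agent. The script below is an added example, not part of the original post: it rebuilds the bytes from the posted hex dump (the redacted "xx" Host bytes become "x"), splits out the HTTP request line and headers, and decodes the fixed NTLM fields per the MS-NLMP layout, so an analyst triaging the alert can see which domain, account and workstation names and which challenge responses this cleartext authentication exposes on the wire. It assumes the Negotiate token is raw NTLMSSP rather than SPNEGO-wrapped, which the leading "TlRM" ("NTLM") bytes confirm for this payload.

```python
import base64
import re
import struct

# Hex dump copied from the post above (the poster redacted the Host bytes as "xx").
ALERT_DUMP = """\
000 : 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31 OPTIONS / HTTP/1
010 : 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66 .1..translate: f
020 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69 ..User-Agent: Mi
030 : 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D crosoft-WebDAV-M
040 : 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30 iniRedir/5.1.260
050 : 30 0D 0A 48 6F 73 74 3A 20 xx xx xx xx xx xx xx 0..Host: xxxxxxx
060 : xx xx xx xx xx xx xx 0D 0A 41 75 74 68 6F 72 69 xxxxxxx..Authori
070 : 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74 zation: Negotiat
080 : 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 41 41 e TlRMTVNTUAADAA
090 : 41 41 47 41 41 59 41 47 6F 41 41 41 41 59 41 42 AAGAAYAGoAAAAYAB
0a0 : 67 41 67 67 41 41 41 41 67 41 43 41 42 41 41 41 gAggAAAAgACABAAA
0b0 : 41 41 47 67 41 61 41 45 67 41 41 41 41 49 41 41 AAGgAaAEgAAAAIAA
0c0 : 67 41 59 67 41 41 41 41 41 41 41 41 43 61 41 41 gAYgAAAAAAAACaAA
0d0 : 41 41 42 59 4B 49 6F 46 67 41 56 51 42 4D 41 46 AABYKIoFgAVQBMAF
0e0 : 55 41 51 51 42 6B 41 47 30 41 61 51 42 75 41 47 UAQQBkAG0AaQBuAG
0f0 : 6B 41 63 77 42 30 41 48 49 41 59 51 42 30 41 47 kAcwB0AHIAYQB0AG
100 : 38 41 63 67 42 59 41 46 55 41 54 41 42 56 41 50 8AcgBYAFUATABVAP
110 : 70 59 77 6F 45 2F 62 77 42 37 41 41 41 41 41 41 pYwoE/bwB7AAAAAA
120 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4E AAAAAAAAAAAAAAAN
130 : 7A 66 74 72 6F 7A 31 69 4A 6E 69 50 6D 34 33 4F zftroz1iJniPm43O
140 : 77 79 62 63 75 6B 61 55 53 66 53 46 64 45 43 67 wybcukaUSfSFdECg
150 : 3D 3D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 ==..Connection:
160 : 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 Keep-Alive..Cont
170 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 0D ent-Length: 0...
180 : 0A
"""
HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")

def parse_hexdump(dump, redacted=0x78):
    # Rebuild raw bytes from "OFF : HH HH ... ASCII" lines; redacted "xx" bytes become "x".
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.partition(" : ")[2].split()[:16]:
            if tok != "xx" and not HEX_PAIR.fullmatch(tok):
                break  # reached the ASCII column
            out.append(redacted if tok == "xx" else int(tok, 16))
    return bytes(out)

def parse_request(raw):
    # Request line plus a lower-cased header dict from the HTTP head.
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    return lines[0], headers

def parse_ntlm_authenticate(blob):
    # Fixed part of an NTLMSSP AUTHENTICATE (type 3) message, MS-NLMP layout.
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "latin-1"  # NTLMSSP_NEGOTIATE_UNICODE
    def field(off):  # (length, max length, offset) triplet pointing into the payload
        length, _, start = struct.unpack_from("<HHI", blob, off)
        return blob[start:start + length]
    return {"flags": flags, "lm_response": field(12), "nt_response": field(20),
            "domain": field(28).decode(enc), "user": field(36).decode(enc),
            "workstation": field(44).decode(enc),
            # 0x00080000 = NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (NTLM2 session)
            "extended_session_security": bool(flags & 0x00080000)}

def analyse(dump):
    # Triage the alert payload: request line, headers and, if present, the NTLM blob.
    request_line, headers = parse_request(parse_hexdump(dump))
    result = {"request_line": request_line, "headers": headers}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "negotiate":  # raw NTLMSSP here, not SPNEGO-wrapped
        result["ntlm"] = parse_ntlm_authenticate(base64.b64decode(token))
    return result
```

On the posted payload the decode yields an NTLM logon for the account Administrator with domain and workstation both named XULU, a 24-byte LM field made of an 8-byte client nonce plus zeros and the NTLM2-session flag set, i.e. a WebDAV client authenticating to the server rather than an unauthenticated translate: f probe.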
--__--__--

Message: 5
From: "Michael Steele" <michaels () winsnort com>
To: <mshultz () vastcs net>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Snort problem
Date: Fri, 27 Jun 2003 12:16:03 -0700
Mike,

You can go to www.winsnort.com <http://www.winsnort.com/> and go to the Documentation section and check out the docs as it has a section on installing Email support for Windows.

Cheers...
-Michael Steele
--
System Engineer / Security Support Technician
mailto:michaels () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of mshultz () vastcs net
Sent: Thursday, June 26, 2003 2:41 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort problem

Hello. I'm not sure if this is a support mailing list but hopefully someone could help me out.

I am relatively new to Snort and it looks very decent for what I need it to do. I am running snort on a win32 machine. My problem is that I need snort to send either an email, which doesn't look possible as I am not a programmer, or an SMB message to a selected workstation. My problem is that SMB doesn't seem to be compiled into the windows binaries and there doesn't seem to be another way to configure it without the 'configure' executable. Any help would be appreciated.

Mike.
--__--__--

Message: 6
Date: Fri, 27 Jun 2003 16:08:07 -0400
To: <mshultz () vastcs net>, <snort-users () lists sourceforge net>
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Snort problem

At 05:41 PM 6/26/2003 -0400, mshultz () vastcs net wrote:
> Hello. I'm not sure if this is a support mailing list but hopefully someone could help me out. I am relatively new to Snort and it looks very decent for what I need it to do. I am running snort on a win32 machine. My problem is that I need snort to send either an email, which doesn't look possible as I am not a programmer, or an SMB message to a selected workstation. My problem is that SMB doesn't seem to be compiled into the windows binaries and there doesn't seem to be another way to configure it without the 'configure' executable. Any help would be appreciated. Mike.
Well, sending an email from within snort is absolutely impossible, even if you are a programmer. Snort needs to be very very very fast (ie: 1/1000th of a second delay has a HUGE impact on performance). If it goes off and generates network connections, launches programs, etc, it will miss a large quantity of traffic, creating a very effective way for attackers to sneak past your snort sensor by only generating one alert that causes email.

Really, I'd suggest using something like acid for your logging and alerting needs if you're restricted to the win32 platform. Emails, smb alerts, etc are really best done with an external program so that snort isn't wasting time babysitting a network messaging protocol.

--__--__--

Message: 7
Date: Fri, 27 Jun 2003 22:23:36 +0200
From: Lukasz Bromirski <lbromirski () mr0vka eu org>
Reply-To: Lukasz Bromirski <lbromirski () mr0vka eu org>
Organization: mr0vka corpz
To: "'Snort-users () lists sourceforge net'" <Snort-users () lists sourceforge net>
Subject: Re[2]: [Snort-users] Cisco Catalyst - SNORT

Hello,

RA> Most current switches have either 8 or 16 port chip sets.

That's quite correct.

RA> Someone is likely to say that Cisco's mirroring (as an example only)
RA> functions at wire speeds even on gig ports, when in fact their
RA> experience involved other unknown conditions (such as port 1 to port 4
RA> on the same chip set) for which they have little/no real knowledge.

Well, the Catalyst 2950 and 3550 boxes for example do SPAN at wire speed, regardless of which port is actually the source port and which one is the destination port. However, Cisco states clearly that a highly oversubscribed destination port can slow down source ports - which is logical, because it comes down to buffer capacity. With Snort installations the highly oversubscribed situation can surface quite easily (one port sniffing the traffic of the other 23 or 47 ports, for example).
RA> There are many switches on the market today that will do wire speed
RA> mirroring on adjacent gig ports, but may drop packets between ports on
RA> different chip sets or different blades.

Indeed. It's just a question of the detailed documentation available (including some architectural details), which most of the off-the-shelf switches lack.

Just my 0,05PLN

-- 
Łukasz Bromirski lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org
PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49

--__--__--

Message: 8
Date: Fri, 27 Jun 2003 15:24:24 -0500
From: Todd Holloway <todd () duckland org>
To: snort-users () lists sourceforge net
Subject: [Snort-users] snortcenter 1.0RC1

There are a few bugs with the snortcenter 1.0-RC1 that I'm experiencing... Is this program even "active"? I noticed the last update was 2002-05-14. The most painful bug is that I have to deactivate rules manually; the "select all" works but the "do with selected" doesn't :(

It looks like a great product, but I don't know if it's something I can show off to the boss if it's a year plus out of date.

todd

-- 
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in. We're computer professionals. We cause accidents.
Nathaniel Borenstein, inventor of MIME.

--__--__--

Message: 9
Date: Fri, 27 Jun 2003 18:51:09 -0400 (EDT)
From: Erek Adams <erek () snort org>
To: Ciprian Badescu <ciprian.badescu () alcatel ro>
cc: Erek Adams <erek () snort org>, lindsay.hunt () itc alstom com, snort-users () lists sourceforge net
Subject: Re: [Snort-users] re: Pass Rule question

On Fri, 27 Jun 2003, Ciprian Badescu wrote:
> I also have the same problem: I've done the following modifications in scan.rules:
>
> pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; classtype:attempted-recon; sid:618; rev:4;)
>
> and still got the alert in ACID (with the last snort tarball from CVS). Is this normal? How can I use pass rules?
Just on the off chance... Make sure you're using "-o" on the command line. If not, pass rules will be processed after alert rules.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest