Snort mailing list archives
Snort - ACID Displays NO data on IE
From: fkseow () datascan com my
Date: Tue, 7 Oct 2003 09:02:01 +0800
After I set up everything as in the instruction list, I can't see any data displayed on my IE at http://localhost/acid/acid_main.php. The IE just displays the template with NO data (like TCP, ICMP or UDP traffic). How do I troubleshoot this? I am using Snort 2.0.1.

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, October 07, 2003 7:48 AM
To: snort-users () lists sourceforge net

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Snort Kernel Module (Matt Kettler)
2. NIDS test steps (twig les)
3. Re: Snort Kernel Module (Josh Berry)
4. RE: Can we send email using Outlook as the smtp server with ACID? (Michael Steele)
5. Remote Syslog... (Mike Koponick)
6. Re: Snort Kernel Module (pieter claassen)
7. Re: Snort Kernel Module (Mark Nipper)

--__--__--
Message: 1
Date: Mon, 06 Oct 2003 17:07:10 -0400
To: "Josh Berry" <josh.berry () netschematics com>, snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Snort Kernel Module

At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the Linux kernel, or as a kernel loadable module. Would this provide any benefits (security, speed, accuracy)?
Speed would be improved somewhat. Security would certainly go down very significantly due to its increased privileges. (ie: an exploit of the snort code would now give kernel-mode privilege, instead of root or non-root user privilege.)
Is there any reason this would not be possible?
It's possible, but IMO that's not the point.
Would this be incredibly difficult?
Yes, it would be difficult as most of the code would require a rewrite to use kernel-level memory and IO APIs. Functionality would be limited, since kernel processes don't really have extensive libraries like glibc provides. ie: no more mysql support for sure.

It would also be incredibly foolish from a security perspective and it would make snort a linux-specific tool. The kernel should only implement things which belong in the kernel. Moving complex user-space processes into the kernel is dangerous and should only be done with considerable reason to do so.

Unlike an application, if a piece of the kernel fails and munges memory, most of the time the system goes down completely with no graceful shutdown. No disk sync, no nothing.. just oops and crash. If an app munges memory, it just segfaults and gets dumped, but the system keeps running.

Also, code running at the kernel level has significantly more privilege than even the root user has. It can touch any memory, or any hardware in the entire system without any restrictions. Even root has to jump through some hoops (ie: loading a module) to do this, and on a well-secured system, even root can't load kernel mode code. (yes, I do use grsecurity patches on my linux boxes and have no loadable module support.)

--__--__--
Message: 2
Date: Mon, 6 Oct 2003 14:12:18 -0700 (PDT)
From: twig les <twigles () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS test steps

Hey *,

I've been sitting on this doc I made that guided my latest NIDS tests (the NIDS was not snort, but this thing is pretty general). I've been wanting to get a real web site up and post it there for dl, but I'm freakin' swamped so I just zipped it and attached it (5.6k). Lemme know if anyone can improve it. Oh BTW it's in Excel 2k format. Sorry.
----------------------------------------------------------
If you receive something that says 'Send this to everyone you know', pretend you don't know me.
----------------------------------------------------------

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

[Attachment: "NIDS Test Plan 1.1 - 2003-09-05.zip" (application/x-zip-compressed)]
--__--__--
Message: 3
Date: Mon, 6 Oct 2003 15:15:58 -0500 (CDT)
Subject: Re: [Snort-users] Snort Kernel Module
From: "Josh Berry" <josh.berry () netschematics com>
To: "Matt Kettler" <mkettler () evi-inc com>
Cc: snort-users () lists sourceforge net

Mostly I need the performance improvements this would add. Where I work we have some developers, so the cost wouldn't be an issue. We would like to run a linux Intrusion Prevention System with Bridge/Netfilter/Snort-Inline; however, for where we would like to use it, we are worried that the system would not be able to handle the traffic. I've been using Bridge/Netfilter/Snort-Inline at home now for some time and have done some testing, but do not think that it could handle the load we would need. If we could get it to perform at a satisfactory level, that would allow us to use an open-source solution rather than pay $20,000 to $50,000 for a commercial IPS system.
At 02:04 PM 10/6/2003, Josh Berry wrote:

Are there any projects out there that are trying to move snort into the Linux kernel, or as a kernel loadable module. Would this provide any benefits (security, speed, accuracy)?

Speed would be improved somewhat. Security would certainly go down very significantly due to its increased privileges. (ie: an exploit of the snort code would now give kernel-mode privilege, instead of root or non-root user privilege.)

Is there any reason this would not be possible?

It's possible, but IMO that's not the point.

Would this be incredibly difficult?

Yes, it would be difficult as most of the code would require a rewrite to use kernel-level memory and IO APIs. Functionality would be limited, since kernel processes don't really have extensive libraries like glibc provides. ie: no more mysql support for sure.

It would also be incredibly foolish from a security perspective and it would make snort a linux-specific tool. The kernel should only implement things which belong in the kernel. Moving complex user-space processes into the kernel is dangerous and should only be done with considerable reason to do so.

Unlike an application, if a piece of the kernel fails and munges memory, most of the time the system goes down completely with no graceful shutdown. No disk sync, no nothing.. just oops and crash. If an app munges memory, it just segfaults and gets dumped, but the system keeps running.

Also, code running at the kernel level has significantly more privilege than even the root user has. It can touch any memory, or any hardware in the entire system without any restrictions. Even root has to jump through some hoops (ie: loading a module) to do this, and on a well-secured system, even root can't load kernel mode code. (yes, I do use grsecurity patches on my linux boxes and have no loadable module support.)
--__--__--
Message: 4
From: "Michael Steele" <michaels () winsnort com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Can we send email using Outlook as the smtp server with ACID?
Date: Mon, 6 Oct 2003 15:14:51 -0700

Demetri,

Why in the heck did you even respond if you know nothing about Microsoft!

To answer his question: Using Outlook, there is no way. Why can't you use your SMTP server from your ISP and receive alerts in real time?

Here is what you need to do to send Email alerts in real time from a Windows box; you can also browse on over to Winsnort.com and retrieve some install docs. You will need to modify paths, and download event watch, not the newest one. You can grab the file off my site by using the link in one of the guides.

Install:

Snort sets a priority on triggered alerts. These priority alerts range from 1-3, one being the highest priority and 3 being the lowest priority alert. This section of the documentation will walk you through setting up the IDS for sending alerts based on the highest priority alert.

Note: You MUST have a valid outgoing SMTP server that can be accessed from the IDS.

● Load the file 'D:\Applications\snort\etc\snort.conf' into WordPad, use the search routine to find the line below and change it:
  Original: # output alert_syslog: LOG_AUTH LOG_ALERT
  Change: output alert_syslog: LOG_AUTH LOG_ALERT
  Now save the file and exit...
● Uncompress the downloaded 'eventwatchnt' file into 'D:\Applications\eventwatchnt'.
● Navigate into the 'D:\Applications\eventwatchnt' folder and double click on 'eventwatchnt.exe'
  Note: A shortcut could be placed on the desktop for easy access to the management console.
  Note: The EventwatchNT Configuration applet will appear with some dialog boxes filled in.
● In the 'Sender Name:' dialog box type the name of the IDS
● In the 'Sender Email Address:' dialog box type eventwatch () yourdomain com
● In the 'Recipients:' dialog box type the email address where the alerts will be sent
● In the 'SMTP Server:' dialog box type the name or IP of the SMTP server
● In the 'Email Subject:' dialog box type Snort Priority 1 Alert!
● In the 'Filter(s):' dialog box type (including the [ ], and it must be typed exactly) [Priority: 1]
● In the 'Type:' select box choose 'Include'
  Note: At this point you should be able to click the 'Test' button and send a test message to the 'Sender Email Address' that was selected above.
● In the 'Event logs to monitor' select box, only 'Application' needs to be ticked
● In the 'Events to report' select box, only 'INFORMATION' needs to be ticked
● In the 'Options' select box, only 'HTML Email' needs to be ticked
● In the 'Installation' select box, click the 'Install' button
● In the 'Service Control' select box, click on the 'Start' button
● Click the 'OK' button at the top right
● Navigate to 'Administrative Tools', select Event Viewer, right click 'Application', select 'Properties', tick 'Overwrite events as needed', click the 'Apply' button, click the 'OK' button, and exit

Note: To test the email alerting, run a scanner on the network. If there were no email alerts sent out, check the Event log under the Application log and see if any [Priority: 1] alerts were detected and logged. If there were alerts, then make sure that the SMTP settings are set correctly and there is a clear path to the SMTP server. Use the 'Test' button in the Event Watch NT applet to make sure that the email is functioning properly.

Cheers...
-Michael Steele
--
System Engineer / Security Support Technician
mailto:michaels () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Demetri Mouratis
Sent: Monday, October 06, 2003 11:30 AM
To: Chhabria, Kavita - Apogent
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Can we send email using Outlook as the smtp server with ACID?

On Mon, 6 Oct 2003, Chhabria, Kavita - Apogent wrote:
Hello all: Does anyone know as to how to send emails using Outlook as the SMTP server from ACID.
Well, you haven't specified your local MTA on the ACID box. Assuming you still have qmail there, you need to instruct qmail to relay to the ip/hostname of the M$ box you want to deliver the mail to. http://cr.yp.to/qmail/faq/outgoing.html#notlocal

I think you mean Exchange rather than Outlook, but what the hell do I know about M$ anyway.

HTH.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--
Message: 5
Date: Mon, 6 Oct 2003 15:23:04 -0700
From: "Mike Koponick" <mike () redhawk info>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Remote Syslog...

Hello!

I have been trying to configure snort to log to a remote syslog server. I have the remote syslog server set up to accept syslog packets (and it is accepting them from the firewall device), but am having a problem getting snort to start. I consulted 3.20 in the FAQ without any luck. I'm using 2.0 Snort on Linux 9.0.

Syslog.conf:
auth.alert @console

************************************************************************
* Portion of the snort startup file:
/usr/local/bin/snort -o -z -i eth1 -d -D -c \
/etc/snort/snort.conf -I -A full -s console:514
************************************************************************
From the /var/log/messages file:
Oct 6 15:07:17 ids1 kernel: eth1: Promiscuous mode enabled.
Oct 6 15:07:17 ids1 snort: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned
Oct 6 15:07:17 ids1 snort: FATAL ERROR: OpenPcap() FSM compilation failed: ^IPCAP command: %s
Oct 6 15:07:17 ids1 snortd: snort startup failed
************************************************************************

Thanks in advance,
Mike

Mike Koponick
RedHawk. - Network Engineering
mike () redhawk info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify security () redhawk info.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--__--__--
Message: 6
Subject: Re: [Snort-users] Snort Kernel Module
From: pieter claassen <pieter () countersnipe com>
To: Matt Kettler <mkettler () evi-inc com>
Cc: Josh Berry <josh.berry () netschematics com>, snort-users () lists sourceforge net
Date: Tue, 07 Oct 2003 00:25:44 +0100

Most points raised I do believe are valid. However, what about the possibilities on embedded devices that don't have any need for multi user environments (separation of kernel and user space)?

Pieter

On Mon, 2003-10-06 at 22:07, Matt Kettler wrote:
At 02:04 PM 10/6/2003, Josh Berry wrote:

Are there any projects out there that are trying to move snort into the Linux kernel, or as a kernel loadable module. Would this provide any benefits (security, speed, accuracy)?

Speed would be improved somewhat. Security would certainly go down very significantly due to its increased privileges. (ie: an exploit of the snort code would now give kernel-mode privilege, instead of root or non-root user privilege.)

Is there any reason this would not be possible?

It's possible, but IMO that's not the point.

Would this be incredibly difficult?

Yes, it would be difficult as most of the code would require a rewrite to use kernel-level memory and IO APIs. Functionality would be limited, since kernel processes don't really have extensive libraries like glibc provides. ie: no more mysql support for sure.

It would also be incredibly foolish from a security perspective and it would make snort a linux-specific tool. The kernel should only implement things which belong in the kernel. Moving complex user-space processes into the kernel is dangerous and should only be done with considerable reason to do so.

Unlike an application, if a piece of the kernel fails and munges memory, most of the time the system goes down completely with no graceful shutdown. No disk sync, no nothing.. just oops and crash. If an app munges memory, it just segfaults and gets dumped, but the system keeps running.

Also, code running at the kernel level has significantly more privilege than even the root user has. It can touch any memory, or any hardware in the entire system without any restrictions. Even root has to jump through some hoops (ie: loading a module) to do this, and on a well-secured system, even root can't load kernel mode code. (yes, I do use grsecurity patches on my linux boxes and have no loadable module support.)
--
pieter claassen <pieter () countersnipe com>

--__--__--
Message: 7
Date: Mon, 6 Oct 2003 18:29:36 -0500
From: Mark Nipper <nipsy () tamu edu>
To: Josh Berry <josh.berry () netschematics com>
Cc: Matt Kettler <mkettler () evi-inc com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Kernel Module

On 06 Oct 2003, Josh Berry wrote:
Mostly I need the performance improvements this would add. Where I work we have some developers, so the cost wouldn't be an issue. We would like to run a linux Intrusion Prevention System with Bridge/Netfilter/Snort-Inline; however, for where we would like to use it, we are worried that the system would not be able to handle the traffic. I've been using Bridge/Netfilter/Snort-Inline at home now for some time and have done some testing, but do not think that it could handle the load we would need. If we could get it to perform at a satisfactory level, that would allow us to use an open-source solution rather than pay $20,000 to $50,000 for a commercial IPS system.
Out of curiosity, are you using ebtables (http://ebtables.sourceforge.net/) to do this in the Linux kernel? I'm using OpenBSD and Snort currently to do this, but I'm using Snort passively (not inline), so there is a second or so of delay and some packets do get through. I was just wondering if the ebtables stuff in Linux (netfilter over a bridge) was actually mostly stable.

For what it's worth, the biggest issue seems to be how well the box can hold up based on very small packets per second. If you can maintain high rates of throughput with very small packets, then your box should be a success. Also, gigabit interfaces tend to perform better under these kinds of loads, even on 100Mbps connections, so buy some Intel gigabit desktop adapters and see if it helps.

What I'd really like to see is a box that works fully at layer 7 like a Packeteer (http://www.packeteer.com/) but didn't cost $25k and actually worked under heavy loads (which our Packeteers seem to have problems doing).

--
Mark Nipper
Computing and Information Services
Texas A&M University
College Station, TX 77843-3142
(979)575-3193
e-contacts: nipsy () tamu edu
http://ops.tamu.edu/nipsy/
AIM/Yahoo: texasnipsy
ICQ: 66971617
MSN: nipsy () tamu edu

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a-- C++$ UBL+++$ P--->+++ L+++$ E--- W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+ PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
"If the fool would persist in his folly he would become wise."
-- one of the Proverbs of Hell from William Blake's _The Marriage of Heaven and Hell_, 1789-1790
----end random quote of the moment----

--__--__--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
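Michael Steele's procedure (message 4) has EventwatchNT match the literal text [Priority: 1] in the Application log and mail each hit, and Mike Koponick (message 5) wants the same alert_syslog output on a remote syslog host. As an added example that is not part of the digest, of Snort, or of EventwatchNT, this Python script does the equivalent on the syslog side: it parses Snort's one-line alert_syslog records, keeps those at or above a priority threshold (generalising the fixed "1"), and builds the notification email; the sample log lines, hostnames and addresses are constructed.

```python
import re
from email.message import EmailMessage
from html import escape

# Shape of one alert line from Snort's alert_syslog output:
#   [gid:sid:rev] msg [Classification: text] [Priority: n]: {PROTO} src:port -> dst:port
# The Classification block and the ports are absent for some rules and protocols.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed /var/log/messages lines, as a remote syslog host (or the Windows
# Application log that EventwatchNT watches) would receive them. Not real traffic.
SAMPLE_SYSLOG = [
    "Oct  6 15:07:17 ids1 snort: [1:1000001:1] CONSTRUCTED admin shell attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]: "
    "{TCP} 192.0.2.10:4444 -> 192.0.2.20:22",
    "Oct  6 15:07:18 ids1 snort: [1:1000002:1] CONSTRUCTED ping sweep "
    "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 192.0.2.20",
    "Oct  6 15:07:19 ids1 snort: [1:1000003:1] CONSTRUCTED <script> in msg "
    "[Priority: 1]: {UDP} 192.0.2.11:53 -> 192.0.2.20:1024",
    "Oct  6 15:07:19 ids1 kernel: eth1: Promiscuous mode enabled.",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert["priority"])
    alert["classification"] = alert["classification"] or "unclassified"
    return alert


def priority_alerts(lines, max_priority=1):
    """Keep alerts at least as severe as max_priority (1 is most severe); with the
    default this is the numeric form of the literal '[Priority: 1]' text filter."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a is not None and a["priority"] <= max_priority]


def build_alert_email(alerts, sender, recipients, sensor_name):
    """Build (not send) the text+HTML notification for a batch of alerts. Rule
    messages are derived from untrusted packet data, so they are HTML-escaped."""
    msg = EmailMessage()
    msg["Subject"] = "Snort Priority 1 Alert!"
    msg["From"] = f"{sensor_name} <{sender}>"
    msg["To"] = ", ".join(recipients)
    text_lines, rows = [], []
    for a in alerts:
        src = a["src"] + (f":{a['sport']}" if a["sport"] else "")
        dst = a["dst"] + (f":{a['dport']}" if a["dport"] else "")
        text_lines.append(f"[{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} "
                          f"({a['classification']}, priority {a['priority']}) "
                          f"{a['proto']} {src} -> {dst}")
        cells = (a["sid"], a["msg"], a["classification"], a["priority"], a["proto"], src, dst)
        rows.append("<tr>" + "".join(f"<td>{escape(str(c))}</td>" for c in cells) + "</tr>")
    msg.set_content(f"{len(alerts)} alert(s) from {sensor_name}:\n" + "\n".join(text_lines) + "\n")
    html = (f"<html><body><p>{len(alerts)} alert(s) from {escape(sensor_name)}</p><table>"
            "<tr><th>sid</th><th>message</th><th>class</th><th>prio</th>"
            "<th>proto</th><th>source</th><th>destination</th></tr>"
            + "".join(rows) + "</table></body></html>")
    msg.add_alternative(html, subtype="html")
    return msg


if __name__ == "__main__":
    hits = priority_alerts(SAMPLE_SYSLOG)
    mail = build_alert_email(hits, "eventwatch@example.com", ["soc@example.com"], "ids1")
    print(mail)  # a relay hand-off would be smtplib.SMTP(host).send_message(mail)
```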
Current thread:
- Snort - ACID Displays NO data on IE fkseow (Oct 06)