Snort mailing list archives

Snort - ACID Displays NO data on IE


From: fkseow () datascan com my
Date: Tue, 7 Oct 2003 09:02:01 +0800

After I set up everything as in the instruction list, I can't see any data
displayed in IE at http://localhost/acid/acid_main.php.

The IE just displays the template with NO data (like TCP, ICMP or UDP
traffic).

How do I troubleshoot this?

I am using Snort 2.0.1.
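The question above gets no answer in this digest. As an added check that is not from the original thread: before debugging ACID itself, confirm that Snort's database output plugin is actually writing rows, since ACID only renders what is in the event and iphdr tables. This Python example assumes the standard Snort database schema (table and column names as in Snort's create_mysql script, reduced to the columns the check needs) and runs the queries against an in-memory SQLite copy filled with constructed rows; pointing the same two queries at the real ACID database is the actual check.

```python
"""Added example: sanity-check a Snort alert database when ACID shows nothing.

Not part of the original post. Assumes the standard Snort database-output
schema (tables sensor, event, signature, iphdr), reduced to the columns the
check needs, and uses an in-memory SQLite database with constructed rows so
it runs offline.
"""
import sqlite3

# Minimal subset of the Snort output-plugin schema (assumption: column names
# as in Snort 2.0's create_mysql script).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def open_sample_db():
    """Return an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'ids1', 'eth1', 1, 0, 3)")
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", [
        (1, "LOCAL ICMP sweep", 2),
        (2, "LOCAL TCP scan", 2),
    ])
    # Three events from sensor 1; addresses stored as unsigned 32-bit ints
    # (10.0.0.5 -> 10.0.0.9), which is how the plugin stores them.
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "2003-10-07 09:00:01"),
        (1, 2, 2, "2003-10-07 09:00:02"),
        (1, 3, 2, "2003-10-07 09:00:03"),
    ])
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 167772165, 167772169, 1),
        (1, 2, 167772165, 167772169, 6),
        (1, 3, 167772165, 167772169, 6),
    ])
    conn.commit()
    return conn


def event_summary(conn):
    """The counts ACID's front page is built from: total events, per protocol."""
    total = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    by_proto = {}
    for proto, n in conn.execute(
            "SELECT ip_proto, COUNT(*) FROM iphdr GROUP BY ip_proto"):
        by_proto[IP_PROTO_NAMES.get(proto, str(proto))] = n
    return {"events": total, "by_proto": by_proto}


def sensor_consistency(conn):
    """Compare each sensor's last_cid with the highest cid present in event.

    A sensor row with no events at all means nothing from that sensor is
    reaching the database; a last_cid ahead of the largest cid means rows
    went missing and is worth a look.
    """
    problems = []
    rows = conn.execute(
        "SELECT s.sid, s.hostname, s.last_cid, MAX(e.cid) "
        "FROM sensor s LEFT JOIN event e ON e.sid = s.sid "
        "GROUP BY s.sid ORDER BY s.sid")
    for sid, host, last_cid, max_cid in rows:
        if max_cid is None:
            problems.append(f"sensor {sid} ({host}): no events logged")
        elif max_cid < last_cid:
            problems.append(
                f"sensor {sid} ({host}): last_cid={last_cid} but max cid={max_cid}")
    return problems


if __name__ == "__main__":
    db = open_sample_db()
    print(event_summary(db))
    print(sensor_consistency(db) or "sensor/event tables consistent")
```

If the event table is empty while Snort is running, the problem is upstream of ACID (no `output database:` line, wrong credentials, or Snort never started); if the counts are there and ACID still shows nothing, the ACID configuration is pointed at the wrong database.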

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net] 
Sent: Tuesday, October 07, 2003 7:48 AM
To: snort-users () lists sourceforge net

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort Kernel Module (Matt Kettler)
   2. NIDS test steps (twig les)
   3. Re: Snort Kernel Module (Josh Berry)
   4. RE: Can we send email using Outlook as the smtp server with ACID? (Michael Steele)
   5. Remote Syslog... (Mike Koponick)
   6. Re: Snort Kernel Module (pieter claassen)
   7. Re: Snort Kernel Module (Mark Nipper)

--__--__--

Message: 1
Date: Mon, 06 Oct 2003 17:07:10 -0400
To: "Josh Berry" <josh.berry () netschematics com>,
   snort-users () lists sourceforge net
From: Matt Kettler <mkettler () evi-inc com>
Subject: Re: [Snort-users] Snort Kernel Module

At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the
Linux kernel, or as a kernel loadable module.  Would this provide any
benefits (security, speed, accuracy)?

Speed would be improved somewhat.
Security would certainly go down very significantly due to increased
privileges. (i.e. an exploit of the snort code would now give kernel-mode
privilege, instead of root or non-root user privilege.)

  Is there any reason this would not
be possible?

It's possible, but IMO that's not the point.

 Would this be incredibly difficult?

Yes, it would be difficult as most of the code would require a rewrite to use
kernel-level memory and IO APIs.

Functionality would be limited, since kernel processes don't really have
extensive libraries like glibc provides. i.e. no more mysql support for sure.

It would also be incredibly foolish from a security perspective and it
would make snort a linux-specific tool.

The kernel should only implement things which belong in the kernel. Moving
complex user-space processes into the kernel is dangerous and should only
be done with considerable reason to do so. Unlike an application, if a
piece of the kernel fails and munges memory, most of the time the system goes
down completely with no graceful shutdown. No disk sync, no nothing.. just
oops and crash.

If an app munges memory, it just segfaults and gets dumped, but the system
keeps running.

Also, code running at the kernel level has significantly more privilege
than even the root user has. It can touch any memory, or any hardware in
the entire system without any restrictions. Even root has to jump through
some hoops (i.e. loading a module) to do this, and on a well-secured system,
even root can't load kernel mode code. (yes, I do use grsecurity patches on
my linux boxes and have no loadable module support.)

--__--__--

Message: 2
Date: Mon, 6 Oct 2003 14:12:18 -0700 (PDT)
From: twig les <twigles () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] NIDS test steps


Hey *, I've been sitting on this doc I made that guided my
latest NIDS tests (the NIDS was not snort, but this thing is
pretty general).  I've been wanting to get a real web site up
and post it there for dl, but I'm freakin' swamped so I just
zipped it and attached it (5.6k).  Lemme know if anyone can
improve it.

Oh BTW it's in Excel 2k format.  Sorry.

----------------------------------------------------------
If you receive something that says 'Send this to everyone you
know, pretend you don't know me.
----------------------------------------------------------

[Attachment: "NIDS Test Plan 1.1 - 2003-09-05.zip" (application/x-zip-compressed); the base64 body is not preserved in this archive.]


--__--__--

Message: 3
Date: Mon, 6 Oct 2003 15:15:58 -0500 (CDT)
Subject: Re: [Snort-users] Snort Kernel Module
From: "Josh Berry" <josh.berry () netschematics com>
To: "Matt Kettler" <mkettler () evi-inc com>
Cc: snort-users () lists sourceforge net

Mostly I need the performance improvements this would add.  Where I work
we have some developers, so the cost wouldn't be an issue.  We would like
to run a linux Intrusion Prevention System with
Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
we are worried that the system would not be able to handle the traffic.  I've
been using Bridge/Netfilter/Snort-Inline at home now for some time and
have done some testing, but do not think that it could handle the load we
would need.  If we could get it to perform at a satisfactory level that
would allow us to use an open-source solution rather than pay $20,000 to
$50,000 for a commercial IPS system.

At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the
Linux kernel, or as a kernel loadable module.  Would this provide any
benefits (security, speed, accuracy)?

Speed would be improved somewhat.
Security would certainly go down very significantly due to increased
privileges. (i.e. an exploit of the snort code would now give kernel-mode
privilege, instead of root or non-root user privilege.)

  Is there any reason this would not
be possible?

It's possible, but IMO that's not the point.

 Would this be incredibly difficult?

Yes, it would be difficult as most of the code would require a rewrite to
use kernel-level memory and IO APIs.

Functionality would be limited, since kernel processes don't really have
extensive libraries like glibc provides. i.e. no more mysql support for
sure.

It would also be incredibly foolish from a security perspective and it
would make snort a linux-specific tool.

The kernel should only implement things which belong in the kernel. Moving
complex user-space processes into the kernel is dangerous and should only
be done with considerable reason to do so. Unlike an application, if a
piece of the kernel fails and munges memory, most of the time the system goes
down completely with no graceful shutdown. No disk sync, no nothing.. just
oops and crash.

If an app munges memory, it just segfaults and gets dumped, but the system
keeps running.

Also, code running at the kernel level has significantly more privilege
than even the root user has. It can touch any memory, or any hardware in
the entire system without any restrictions. Even root has to jump through
some hoops (i.e. loading a module) to do this, and on a well-secured
system, even root can't load kernel mode code. (yes, I do use grsecurity
patches on my linux boxes and have no loadable module support.)

--__--__--

Message: 4
From: "Michael Steele" <michaels () winsnort com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Can we send email using Outlook as the smtp
server with ACID?
Date: Mon, 6 Oct 2003 15:14:51 -0700

Demetri,

Why in the heck did you even respond if you know nothing about Microsoft!

To answer his question; Using Outlook, there is no way. Why can't you use
your SMTP server from your ISP and receive alerts in real time?

Here is what you need to do to send Email alerts in real time from a Windows
box, you can also browse on over to Winsnort.com and retrieve some install
docs. You will need to modify paths, and download event watch, not the
newest one. You can grab the file off my site by using the link in one of
the guides.

Install:

Snort sets a priority on triggered alerts. These priority alerts range from
1-3. One being the highest priority to 3 being the lowest priority alert.
This section of the documentation will walk you through setting up the IDS
for sending alerts based on the highest priority alert.

Note: You MUST have a valid outgoing SMTP server that can be accessed from
the IDS.

● Load the file 'D:\Applications\snort\etc\snort.conf' into WordPad, search
for the following line and change it:

Original: # output alert_syslog: LOG_AUTH LOG_ALERT
Change: output alert_syslog: LOG_AUTH LOG_ALERT

Now save the file and exit…

● Uncompress the downloaded 'eventwatchnt' file into
'D:\Applications\eventwatchnt'.

● Navigate into the 'D:\Applications\eventwatchnt' folder and double click
on ‘eventwatchnt.exe’

Note: A shortcut could be placed on the desktop for easy access to the
management console.

Note: The EventwatchNT Configuration applet will appear with some dialog
boxes filled in.

● In the ‘Sender Name:’ dialog box type the name of the IDS

● In the ‘Sender Email Address:’ dialog box type eventwatch () yourdomain com

● In the ‘Recipients:’ dialog box type the email address where the alerts
will be sent

● In the ‘SMTP Server:’ dialog box type the name or IP of the SMTP server

● In the ‘Email Subject:’ type Snort Priority 1 Alert!

● In the ‘Filter(s):’ dialog box type (including the [ ] and must be typed
exactly) [Priority: 1]

● In the ‘Type:’ select box choose ‘Include’

Note: At this point you should be able to click the ‘Test’ button and send
a test message to the ‘Sender Email Address’ that was selected above.

● In the ‘Event logs to monitor’ select box, only ‘Application’ needs to be
ticked

● In the ‘Events to report’ select box, only ‘Information’ needs to be
ticked

● In the ‘Options’ select box, only ‘HTML Email’ needs to be ticked

● In the ‘Installation’ select box, click the ‘Install’ button

● In the ‘Service Control’ select box, click on the ‘Start’ button

● Click the ‘OK’ button at the top right

● Navigate to ‘Administrative Tools’, select Event Viewer, right click
‘Application’, select ‘Properties’, tick ‘Overwrite events as needed’,
click the ‘Apply’ button, click the ‘OK’ button, and exit

Note: To test the email alerting, run a scanner on the network. If there
were no email alerts sent out, check the Event log under the Application log
and see if any [Priority: 1] alerts were detected and logged. If there were
alerts then make sure that the SMTP settings are set correctly and there is a
clear path to the SMTP server. Use the ‘Test’ button in the Event Watch NT
applet to make sure that the email is functioning properly.

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician
 mailto:michaels () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Demetri
Mouratis
Sent: Monday, October 06, 2003 11:30 AM
To: Chhabria, Kavita - Apogent
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Can we send email using Outlook as the smtp
server with ACID?

On Mon, 6 Oct 2003, Chhabria, Kavita - Apogent wrote:

Hello all:

Does anyone know as to how to send emails using Outlook as the SMTP server
from ACID.

Well, you haven't specified your local MTA on the ACID box.  Assuming you
still have qmail there, you need to instruct qmail to relay to the
ip/hostname of the M$ box you want to deliver the mail.
http://cr.yp.to/qmail/faq/outgoing.html#notlocal

I think you mean Exchange rather than Outlook but what the hell do I know
about M$ anyway.

HTH.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
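The procedure above keys the e-mail on the literal string [Priority: 1] in Snort's alert text. As an added example that is not from the post, from Winsnort or from EventWatchNT, here is the same filtering done in Python over constructed alert lines in Snort's alert_fast single-line format, producing the plain-text plus HTML notification message. The sender and recipient addresses and the rule ids (local range) are placeholders; sending is left to smtplib so the block runs offline.

```python
"""Added example (not from the post): pick out priority-1 Snort alerts and
build the notification e-mail. Sample lines are constructed in Snort's
alert_fast format; addresses and rule ids are placeholders."""
import re
from email.message import EmailMessage
from html import escape

# Constructed sample alerts in alert_fast format.
SAMPLE_ALERTS = """\
10/06-15:07:17.201933  [**] [1:1000001:1] LOCAL ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9
10/06-15:07:18.114420  [**] [1:1000002:1] LOCAL WEB root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3322 -> 10.0.0.9:80
10/06-15:07:19.002117  [**] [1:1000003:1] LOCAL 403 Forbidden response [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:80 -> 10.0.0.5:3322
10/06-15:07:20.550001  [**] [1:1000004:1] LOCAL MS-SQL worm probe [**] [Priority: 1] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def select_alerts(text, max_priority=1):
    """Alerts whose priority is max_priority or more urgent (1 is the highest)."""
    parsed = (parse_alert(line) for line in text.splitlines())
    return [a for a in parsed if a and a["prio"] <= max_priority]


def build_alert_mail(alerts, sender, recipients, subject="Snort Priority 1 Alert!"):
    """Plain-text part plus an HTML table. Every field is HTML-escaped before
    it goes into the HTML part: addresses come off the wire and an HTML mail
    is an easy place to smuggle markup into the analyst's mail client."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    lines = [
        f"{a['ts']} [{a['gid']}:{a['sid']}:{a['rev']}] {a['msg']} "
        f"[Priority: {a['prio']}] {{{a['proto']}}} {a['src']} -> {a['dst']}"
        for a in alerts]
    msg.set_content("\n".join(lines) + "\n")
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{} -&gt; {}</td></tr>".format(
            escape(a["ts"]), escape(a["msg"]), a["prio"], escape(a["proto"]),
            escape(a["src"]), escape(a["dst"]))
        for a in alerts)
    msg.add_alternative(
        "<html><body><table border=\"1\"><tr><th>Time</th><th>Signature</th>"
        "<th>Priority</th><th>Proto</th><th>Flow</th></tr>"
        + rows + "</table></body></html>", subtype="html")
    return msg


if __name__ == "__main__":
    urgent = select_alerts(SAMPLE_ALERTS)
    mail = build_alert_mail(urgent, "eventwatch@example.com", ["soc@example.com"])
    print(mail)  # to send: smtplib.SMTP("smtp.example.com").send_message(mail)
```

Matching on the parsed priority field rather than on the raw substring also means a rule whose message text happens to contain "[Priority: 1]" cannot trigger a false page.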



--__--__--

Message: 5
Date: Mon, 6 Oct 2003 15:23:04 -0700
From: "Mike Koponick" <mike () redhawk info>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Remote Syslog...

Hello!

I have been trying to configure snort to log to a remote syslog server.

I have the remote syslog server setup to accept syslog packets (and is
accepting them from the firewall device), but am having a problem
getting snort to start.

I consulted 3.20 in the FAQ without any luck.

I'm using Snort 2.0 on Linux 9.0.

Syslog.conf:

auth.alert                                              @console

************************************************************************

Portion of the snort startup file:

       /usr/local/bin/snort -o -z -i eth1 -d -D -c \
/etc/snort/snort.conf -I -A full -s console:514

************************************************************************
From the /var/log/messages file:

Oct  6 15:07:17 ids1 kernel: eth1: Promiscuous mode enabled.
Oct  6 15:07:17 ids1 snort: OpenPcap() device eth1 network lookup:
^Ieth1: no IPv4 address assigned
Oct  6 15:07:17 ids1 snort: FATAL ERROR: OpenPcap() FSM compilation
failed:  ^IPCAP command: %s
Oct  6 15:07:17 ids1 snortd: snort startup failed

************************************************************************

Thanks in advance,

Mike

 Mike Koponick
 RedHawk. - Network Engineering
 mike () redhawk info

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify
 security () redhawk info.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
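Both the `output alert_syslog: LOG_AUTH LOG_ALERT` line in the earlier message and the `auth.alert @console` selector above rely on syslog's facility/severity encoding: Snort calls the local syslog(3) API and it is syslogd, via the `@host` selector, that forwards over UDP/514. As an added example that is not from the list, this Python block computes the PRI value, builds the RFC 3164 datagram that forwarding produces, parses it back, and checks whether a syslog.conf selector accepts it; hostname, tag and message text are constructed, and the send helper is never called at import. (Reading the log excerpt: the "no IPv4 address assigned" line is libpcap's lookup warning for an unnumbered sniffing interface and is not the fatal part; "FSM compilation failed" is pcap_compile rejecting the BPF filter, and in Snort 2.0 `-s` takes no argument, so the trailing `console:514` is what Snort tried to compile as a filter.)

```python
"""Added example (not from the list): the syslog facility/severity encoding
behind `output alert_syslog: LOG_AUTH LOG_ALERT` and `auth.alert @host`.
Codes are the RFC 3164 values; hostname, tag and message are constructed."""
import socket
from datetime import datetime

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Constructed sample: what Snort's syslog output would log for one alert.
SAMPLE_HOST = "ids1"
SAMPLE_TAG = "snort"
SAMPLE_MSG = "[1:1000001:1] LOCAL test alert [Priority: 1]: {TCP} 10.0.0.5:3322 -> 10.0.0.9:80"
SAMPLE_WHEN = datetime(2003, 10, 6, 15, 7, 17)


def pri(facility, severity):
    """PRI = facility * 8 + severity; LOG_AUTH LOG_ALERT gives 4*8+1 = 33."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Split a PRI back into (facility code, severity code)."""
    return value // 8, value % 8


def format_syslog(facility, severity, hostname, tag, message, when):
    """RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG, day space-padded,
    truncated to the 1024 bytes the RFC allows."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {message}"
    return line.encode("ascii", "replace")[:1024]


def parse_pri(datagram):
    """PRI of a received datagram, or None if it has no valid <n> prefix."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)          # at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        return None
    value = int(datagram[1:end])
    return value if value <= 191 else None   # 23 facilities * 8 + 7


def selector_matches(selector, pri_value):
    """Does a syslog.conf selector such as 'auth.alert', '*.emerg',
    'auth,authpriv.*' or 'auth.=alert' accept a message with this PRI?
    A plain level means that severity and anything more severe (lower code),
    so auth.alert also forwards auth.emerg but drops auth.crit."""
    fac_part, lvl_part = selector.split(".", 1)
    fac, sev = decode_pri(pri_value)
    fac_ok = fac_part == "*" or fac in {FACILITIES[f] for f in fac_part.split(",")}
    if lvl_part == "none":
        lvl_ok = False
    elif lvl_part == "*":
        lvl_ok = True
    elif lvl_part.startswith("="):           # sysklogd extension: exactly this level
        lvl_ok = sev == SEVERITIES[lvl_part[1:]]
    else:
        lvl_ok = sev <= SEVERITIES[lvl_part]
    return fac_ok and lvl_ok


def sample_datagram():
    """The datagram syslogd would forward for the constructed sample alert."""
    return format_syslog("auth", "alert", SAMPLE_HOST, SAMPLE_TAG, SAMPLE_MSG, SAMPLE_WHEN)


def send_udp(datagram, host, port=514):
    """Forward one datagram the way 'auth.alert @host' in syslog.conf would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    d = sample_datagram()
    print(d.decode())
    for sel in ("auth.alert", "auth.crit", "*.emerg", "local0.*"):
        print(f"{sel:12} {'forwards' if selector_matches(sel, parse_pri(d)) else 'drops'}")
```

Because the forwarded datagram is plain UDP with no authentication, the collector should only accept 514/udp from the sensor and firewall addresses; anything on the path can otherwise inject or drop alerts.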



--__--__--

Message: 6
Subject: Re: [Snort-users] Snort Kernel Module
From: pieter claassen <pieter () countersnipe com>
To: Matt Kettler <mkettler () evi-inc com>
Cc: Josh Berry <josh.berry () netschematics com>,
snort-users () lists sourceforge net
Date: Tue, 07 Oct 2003 00:25:44 +0100

Most points raised I do believe are valid. However, what about the
possibilities on embedded devices that don't have any need for multi
user environments (separation of kernel and user space)?

Pieter

On Mon, 2003-10-06 at 22:07, Matt Kettler wrote:
At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the
Linux kernel, or as a kernel loadable module.  Would this provide any
benefits (security, speed, accuracy)?

Speed would be improved somewhat.
Security would certainly go down very significantly due to increased
privileges. (i.e. an exploit of the snort code would now give kernel-mode
privilege, instead of root or non-root user privilege.)

  Is there any reason this would not
be possible?

It's possible, but IMO that's not the point.

 Would this be incredibly difficult?

Yes, it would be difficult as most of the code would require a rewrite to
use kernel-level memory and IO APIs.

Functionality would be limited, since kernel processes don't really have
extensive libraries like glibc provides. i.e. no more mysql support for
sure.

It would also be incredibly foolish from a security perspective and it
would make snort a linux-specific tool.

The kernel should only implement things which belong in the kernel. Moving
complex user-space processes into the kernel is dangerous and should only
be done with considerable reason to do so. Unlike an application, if a
piece of the kernel fails and munges memory, most of the time the system goes
down completely with no graceful shutdown. No disk sync, no nothing.. just
oops and crash.

If an app munges memory, it just segfaults and gets dumped, but the system
keeps running.

Also, code running at the kernel level has significantly more privilege
than even the root user has. It can touch any memory, or any hardware in
the entire system without any restrictions. Even root has to jump through
some hoops (i.e. loading a module) to do this, and on a well-secured
system, even root can't load kernel mode code. (yes, I do use grsecurity
patches on my linux boxes and have no loadable module support.)

-- 
pieter claassen <pieter () countersnipe com>



--__--__--

Message: 7
Date: Mon, 6 Oct 2003 18:29:36 -0500
From: Mark Nipper <nipsy () tamu edu>
To: Josh Berry <josh.berry () netschematics com>
Cc: Matt Kettler <mkettler () evi-inc com>,
        snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Kernel Module

On 06 Oct 2003, Josh Berry wrote:
Mostly I need the performance improvements this would add.  Where I work
we have some developers, so the cost wouldn't be an issue.  We would like
to run a linux Intrusion Prevention System with
Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
we are worried that the system would not be able to handle the traffic.  I've
been using Bridge/Netfilter/Snort-Inline at home now for some time and
have done some testing, but do not think that it could handle the load we
would need.  If we could get it to perform at a satisfactory level that
would allow us to use an open-source solution rather than pay $20,000 to
$50,000 for a commercial IPS system.

        Out of curiosity, are you using ebtables
(http://ebtables.sourceforge.net/) to do this in the Linux
kernel?  I'm using OpenBSD and Snort currently to do this, but
I'm using Snort passively (not inline) so there is a second or so
of delay and some packets do get through.  I was just wondering
if the ebtables stuff in Linux (netfilter over a bridge) was
actually mostly stable.

        For what it's worth, the biggest issue seems to be how
well the box can hold up based on very small packets per second.
If you can maintain high rates of throughput with very small
packets, then your box should be a success.  Also, gigabit
interfaces tend to perform better under these kinds of loads,
even on 100Mbps connections, so buy some Intel gigabit desktop
adapters and see if it helps.

        What I'd really like to see is a box that works fully at
layer 7 like a Packeteer (http://www.packeteer.com/) but didn't
cost $25k and actually worked under heavy loads (which our
Packeteers seem to have problems doing).

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy () tamu edu
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy () tamu edu

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a-- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
"If the fool would persist in his folly he would become wise."
 -- one of the Proverbs of Hell from William Blake's _The
    Marriage of Heaven and Hell_, 1789-1790
----end random quote of the moment----



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

Current thread: