Snort mailing list archives

help


From: Lillebø Harald Sindre <halil () wmdata no>
Date: Tue, 18 May 2004 10:31:29 +0200

 

        -----Original message----- 
        From: snort-users-admin () lists sourceforge net on behalf of snort-users-request () lists sourceforge net 
        Sent: Tue 18.05.04 05.07 
        To: snort-users () lists sourceforge net 
        Cc: 
        Subject: Snort-users digest, Vol 1 #4242 - 6 msgs
        
        

        Send Snort-users mailing list submissions to
                snort-users () lists sourceforge net
        
        To subscribe or unsubscribe via the World Wide Web, visit
                https://lists.sourceforge.net/lists/listinfo/snort-users
        or, via email, send a message with subject or body 'help' to
                snort-users-request () lists sourceforge net
        
        You can reach the person managing the list at
                snort-users-admin () lists sourceforge net
        
        When replying, please edit your Subject line so it is more specific
        than "Re: Contents of Snort-users digest..."
        
        
        Today's Topics:
        
           1. question about snort... actually cvs (john greene)
           2. Re: question about snort... actually cvs (Frank Knobbe)
           3. Re: About virus.rules (Frank Knobbe)
           4. Re: About virus.rules (Michael Sconzo)
           5. Re: About virus.rules (Frank Knobbe)
           6. Re: About virus.rules (Jason Haar)
        
        --__--__--
        
        Message: 1
        Date: Mon, 17 May 2004 13:24:14 -0700 (PDT)
        From: john greene <john_g123_12 () yahoo com>
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] question about snort... actually cvs
        
        cvs -d:pserver:anonymous () cvs sourceforge net:/cvsroot/snort login
        cvs -z3 -d:pserver:anonymous () cvs sourceforge net:/cvsroot/snort co snort
        
        
        I am trying to download the source via cvs.
        
        What client software is required to access the pserver? What is the
        IP or domain name for this server?
        
        
        
        
               
                       
        
        
        --__--__--
        
        Message: 2
        Subject: Re: [Snort-users] question about snort... actually cvs
        From: Frank Knobbe <frank () knobbe us>
        To: john greene <john_g123_12 () yahoo com>
        Cc: snort-users () lists sourceforge net
        Date: Mon, 17 May 2004 16:01:26 -0500
        
        
        
        On Mon, 2004-05-17 at 15:24, john greene wrote:
        > I am trying to download the source via cvs.
        >
        > What client software is required to access the pserver
        > ? what is the IP or domain name for this server ?
        
        Sounds like you are using a Windows system. Check out http://www.wincvs.org
        for a good Windows CVS client. (If you were to use *nix, you would have
        a command line CVS client named... well... cvs. :)
        
        While you are at it, check out http://winmerge.sourceforge.net/ for easy
        comparing/diffing of files.
        
        Regards,
        Frank
        (part-time coffee-shop Revolutionary)
        
        
        
        
        
        --__--__--
        
        Message: 3
        Subject: Re: [Snort-users] About virus.rules
        From: Frank Knobbe <frank () knobbe us>
        To: Michael Sconzo <msconzo () tamu edu>
        Cc: snort-users () lists sourceforge net
        Date: Mon, 17 May 2004 16:09:41 -0500
        
        
        On Mon, 2004-05-17 at 13:22, Michael Sconzo wrote:
        >  I volunteered some time ago, but never received a response.  So,
        >  I can only assume I'm either worthless or they aren't looking for
        >  a maintainer :)  I would hope the 2nd as they say the rules are
        >  going away and they don't care.
        
        No, actually... it's because you're worthless... hehe  ;)
        
        I think the issue is two-fold. For one, virus detection (and prevention)
        is probably better done on the host than on the network. Second, the
        signature list would have to be extensive, and for upkeep you would
        add to it daily. Look how quickly viruses are added to Norton. I think the
        virus.rules file would mushroom quickly to the point where Snort would
        drag too much.
        
        Your desktops/servers are a bit slower because of real-time virus
        detection. Imagine all that load resting on Snort. Performance would
        nose-dive.
        
        Personally, I'd rather see all file based viruses and such removed and
        dealt with by virus software. That said, however, I strongly vote for
        continuing to keep up with worms. Since worms are network based, Snort
        is better suited than host-based virus software.
        
        So basically, remove virus.rules or trim it to only those that also
        spread through the network (hybrids), but create and maintain a
        worm.rules file.
        
        Regards,
        Frank
        (part-time coffee-shop rebel)
        
        
        
        
        
        --__--__--
        
        Message: 4
        Date: Mon, 17 May 2004 16:53:58 -0500
        From: Michael Sconzo <msconzo () tamu edu>
        To: Frank Knobbe <frank () knobbe us>
        Cc: snort-users () lists sourceforge net
        Subject: Re: [Snort-users] About virus.rules
        
        > No, actually... it's because you're worthless... hehe  ;)
        
        My worst fear has come true *cry*. :)
        
        > So basically, remove virus.rules or trim it to only to those that also
        > spread through the network (hybrids), but create and maintain a
        > worm.rules file.
        
        Similar to what we do around here at TAMU for the 40+ snort boxes
        we have out in the wild.  I figured it would be a benefit to most
        people (especially .edu's) that are trying to be good 'net neighbors
        to everybody else, due to the nature of our user base. 
        
        I try to monitor the snort-sigs list and a few other places to try
        and keep up with worm rules, due to problems they cause around here.
        Figured it might be a good way to help give back...but oh well.
        
        I still wouldn't mind doing it officially or unofficially ...
        
        -=Mike
        
        --
        The New Testament offers the basis for modern computer coding theory,
        in the form of an affirmation of the binary number system.
                But let your communication be Yea, yea; nay, nay: for
                whatsoever is more than these cometh of evil.
                        -- Matthew 5:37
        
        
        --__--__--
        
        Message: 5
        Subject: Re: [Snort-users] About virus.rules
        From: Frank Knobbe <frank () knobbe us>
        To: Michael Sconzo <msconzo () tamu edu>
        Cc: snort-users () lists sourceforge net
        Date: Mon, 17 May 2004 18:38:36 -0500
        
        
        On Mon, 2004-05-17 at 16:53, Michael Sconzo wrote:
        > Similar to what we do around here at TAMU for the 40+ snort boxes
        > we have out in the wild.  I figured it would be a benefit to most
        > people (especially .edu's) that are trying to be good 'net neighbors
        > to everybody else, due to the nature of our user base.
        >
        > I try to monitor the snort-sigs list and a few other places to try
        > and keep up with worm rules, due to problems they cause around here.
        > Figured it might be a good way to help give back...but oh well.
        
        Mike,
        
        I didn't mean to talk you out of it. But have you fully considered the
        effort-benefit factor? It sounds like you already have started to extend
        the virus.rules files in your .edu. How many rules do you have in there?
        Does it impact performance? Can you keep up? If so, what process do you
        have to add them?
        
        Don't get me wrong. I'm all for sharing. But there also has to be one
        standard -- the official Snort rule set.
        
        Perhaps you want to contact Matthew and James (see postings from end of
        April in Snort-sigs) to see if they want to include that in their custom
        rule base? Or you can set up a central virus.rules repository yourself or
        at SourceForge or wherever, so that you and others can share it. I think
        everyone should make their custom rules available. That's what
        snort-sigs is for. If you have a new virus sig rule, pass it on to
        snort-sigs.
        
        As far as a central repository for everyone, I don't think that is going to
        work. Everyone has different needs or configurations, and doesn't want
        to load the full set someone else might be using (especially with all
        those false-positive prone rules). But the lack of a central repo
        doesn't mean that we can't share.
        
        (I'm sorry if I'm not making sense.... had too much work and too little
        sleep lately...)
        
        Regards,
        Frank
        (sometime coffee-shop something)
        
        
        
        
        
        --__--__--
        
        Message: 6
        Date: Tue, 18 May 2004 12:58:52 +1200
        From: Jason Haar <Jason.Haar () trimble co nz>
        Organization: Trimble Navigation
        To:  snort-users () lists sourceforge net
        Subject: Re: [Snort-users] About virus.rules
        
        For my five cents I'd also like to trumpet the greatness of detecting
        worms instead of viruses.
        
        You are dead right: viruses are better dealt with by AV scanners, but
        worms...
        
        We have a world-wide installation of Snort, and its primary use is in
        WAN worm detection. It didn't start out that way - but that's where it's
        ended up.
        
        Sasser, Blaster, etc may be supposed to trigger "standard" DCOM rules,
        but as the current Sasser DCOM vulnerability still isn't available
        within the "standard" 2.1 rules series, there's a lot of snort people
        who can't detect it (in fact I specifically moved to the CURRENT series
        for those rules). The worm-specific rules that appeared afterwards were
        much appreciated as a stop-gap measure.
        
        In general I think even "worm" sigs shouldn't be needed as more standard
        rules should also trigger (the worm had to break in some way), but in
        some cases only the dev track of rules can detect such things...
        
        (BTW: in case you were wondering, we trigger e-mail alerts on anything
        that has an internal source address to capture such things - and no, it
        can actually go weeks without triggering :-)
        
        
        --
        Cheers
        
        Jason Haar
        Information Security Manager, Trimble Navigation Ltd.
        Phone: +64 3 9635 377 Fax: +64 3 9635 417
        PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
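The triage approach Jason describes above (treat any alert whose source address is internal as a worm indicator, since a compromised host spreading outward is far rarer and more interesting than inbound noise) can be expressed as a small filter over Snort's one-line "fast" alert output. The script below is an added example, not code from the thread or from the Snort project. It assumes RFC 1918 ranges stand in for the site's $HOME_NET, parses IPv4 alerts only, and adds a fan-out count per internal source (distinct destination/port pairs), which is the pattern a scanning worm produces. The alert lines are constructed samples.

```python
"""Pick out Snort fast-format alerts whose source address is internal,
and count how many distinct targets each internal source has hit."""
import ipaddress
import re
from collections import defaultdict

# Assumption: these ranges represent the site's internal address space
# (what a Snort deployment would normally put in $HOME_NET).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# One alert per line in alert_fast style:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# IPv4 only; ports are absent for protocols such as ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (hypothetical local SIDs in the 1000000+ range).
SAMPLE_ALERTS = [
    "05/18-10:31:29.101010  [**] [1:1000001:1] LOCAL SMB 445 outbound [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 10.20.30.40:1042 -> 198.51.100.7:445",
    "05/18-10:31:30.202020  [**] [1:1000001:1] LOCAL SMB 445 outbound [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 10.20.30.40:1043 -> 198.51.100.8:445",
    "05/18-10:31:31.303030  [**] [1:1000002:1] LOCAL SMB 445 inbound [**] "
    "[Priority: 2] {TCP} 203.0.113.9:3333 -> 10.20.30.41:445",
    "05/18-10:31:33.404040  [**] [1:1000003:1] LOCAL ICMP sweep [**] "
    "[Priority: 3] {ICMP} 10.20.30.50 -> 10.20.30.51",
    "this line is not an alert and must be skipped",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def is_internal(ip_text):
    """True if the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def internal_source_alerts(lines):
    """Keep only parseable alerts whose source address is internal."""
    return [a for a in map(parse_alert, lines) if a and is_internal(a["src"])]


def fan_out(alerts):
    """Distinct (destination, port) pairs seen per internal source address."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add((a["dst"], a["dport"]))
    return {src: len(t) for src, t in targets.items()}


if __name__ == "__main__":
    hits = internal_source_alerts(SAMPLE_ALERTS)
    for a in hits:
        print(f'{a["ts"]} sid={a["sid"]} {a["src"]} -> {a["dst"]} ({a["proto"]}) {a["msg"]}')
    for src, n in fan_out(hits).items():
        print(f"{src}: {n} distinct targets")
```

In practice the filter would read the alert file the Snort sensor writes and hand the surviving lines to whatever sends the e-mail; the fan-out count is what separates a single stray connection from a host that is sweeping a port range.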
        
        
        
        
        --__--__--
        
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        https://lists.sourceforge.net/lists/listinfo/snort-users
        
        
        End of Snort-users Digest
        
