Snort mailing list archives

RE: Snort-users digest, Vol 1 #4864 - 5 msgs


From: "Joe & Angie" <ajtamayo () cableone net>
Date: Tue, 25 Jan 2005 22:13:52 -0700

GET ME OUT OF THIS LIST

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Tuesday, January 25, 2005 9:32 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4864 - 5 msgs

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. A New White Paper - Baseline Analysis of Security Data (Orit Vidas)
   2. Snort 2.3.0 Rulesets (Eric Hines)
   3. RE: Windows Logon Failures (Bristol, Gary L.)
   4. Re: php 5 - base error resolution? (Kevin Johnson)
   5. streaming media detection (Paul Aviles)

--__--__--

Message: 1
From: "Orit Vidas" <orit () securimine com>
To: <snort-users () lists sourceforge net>
Date: Tue, 25 Jan 2005 15:07:30 -0800
Subject: [Snort-users] A New White Paper - Baseline Analysis of Security
Data


Hello,
 
A new white paper has been released by the Securimine Team. To download
the white paper, go to http://www.securimine.com/product.html
 
Title: Baseline Analysis of Security Data
 
Abstract: Regardless of the development in the SIM (Security Information
Management) area, there is still a huge problem with existing detection
tools. Although these tools detect all the intrusions, they detect much
more than that. This problem, known as false positives, is a big barrier
for intrusion detection tools to cross before their deployment can be
practical. To date, intrusion detection vendors, or more precisely
security experts, are struggling with an inherent conflict and are
sometimes forced to write less adequate detection rules just to reduce
the number of false positives.
 
In this paper we suggest a different approach for using data mining
technology in the intrusion detection area. We claim that the best
positioning for a data mining technology within an intrusion detection
system is not as a detection engine, but rather as an analysis layer
that will filter out the false positives. The ability of data mining
technology to build behavioral models representing 'normal' behavior of
data is most suitable to model the data generated by the intrusion
detection engines.
 
 
Best regards,
 
The Securimine Team
www.securimine.com <http://www.securimine.com/> 
 




--__--__--

Message: 2
From: "Eric Hines" <eric.hines () appliedwatch com>
To: <snort-users () lists sourceforge net>
Date: Tue, 25 Jan 2005 17:15:59 -0600
Subject: [Snort-users] Snort 2.3.0 Rulesets

Can anyone tell me when the snortrules-snapshot-2_3.tar.gz will be available
now that 2.3.0 is officially released?

Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Eric Hines, GCIA, CISSP                Toll Free: (877) 262-7593
CEO, President                         Direct: (877) 262-7593 x327
Applied Watch Technologies, Inc.       Fax: (877) 262-7593
1134 N. Main St.                       Web: www.appliedwatch.com
Algonquin, IL 60102 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Browserless Enterprise Snort Management is Finally Here"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




--__--__--

Message: 3
Subject: RE: [Snort-users] Windows Logon Failures
Date: Tue, 25 Jan 2005 17:54:43 -0600
From: "Bristol, Gary L." <gbristol () ou edu>
To: <kimhick () cfl rr com>,
        <snort-users () lists sourceforge net>

In the event logs you might also find another event associated with this
same logon failure which lists the source ip.
Event ID: 529

EVENT #:    270658
EVENT LOG:  Security
EVENT TYPE: Audit Failure
SOURCE:     Security
CATEGORY:   Logon/Logoff
EVENT ID:   529
USERNAME:   NT AUTHORITY\SYSTEM

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
kimhick () cfl rr com
Sent: Tuesday, January 25, 2005 10:14 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Windows Logon Failures

We have a Windows 2003 domain and we are seeing a lot of logon failures
from apparently fictitious hosts.  Here is an example from the event
viewer:

Event Type:     Audit Failure
Event Source:   Security
Event Category: Account Logon
Event ID:       680
Date:           1/24/2005
Time:           10:26:33 AM
User:           SYSTEM
Computer:       DC1
Description:
Logon attempt by:       MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: root
Source Workstation:    \\RYDER
Error Code:    0xC0000064

In this case \\RYDER does not resolve through DNS or WINS so we don't
know where these are coming from.

We have snort up and running but what rules would we use that could
give us an IP number on these hosts?

Any help or advice would be appreciated.

Thanks,

Brian




-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
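One way to do the correlation Gary describes, as an added example that is not from the thread: parse Event Viewer text for a 680 failure and the 529 failure logged for the same workstation a moment later, and read the address from the 529's Source Network Address field (a field Windows Server 2003 adds to that event; the sample records, the timestamps and the IP are constructed, and the 529 record is hypothetical).

```python
from datetime import datetime, timedelta

# Constructed sample records in the flattened "Field: value" layout of the
# Event Viewer. The 680 record mirrors the one quoted in the thread; the
# 529 record and its Source Network Address value are hypothetical.
SAMPLE_EVENTS = """\
Event Type: Audit Failure
Event ID: 680
Date: 1/24/2005
Time: 10:26:33 AM
Logon account: root
Source Workstation: \\\\RYDER
Error Code: 0xC0000064
----
Event Type: Audit Failure
Event ID: 529
Date: 1/24/2005
Time: 10:26:34 AM
User Name: root
Workstation Name: RYDER
Source Network Address: 192.0.2.77
"""

def parse_events(text):
    """Split the dump on '----'; one dict per event, timestamp under '_ts'."""
    events = []
    for chunk in text.split("----"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            if key.strip():
                fields[key.strip()] = value.strip()
        if fields:
            stamp = fields["Date"] + " " + fields["Time"]
            fields["_ts"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def source_ips_for_failures(text, window=timedelta(seconds=5)):
    """Map (workstation, account) of each 680 failure to the IP carried by
    a 529 failure that names the same workstation within `window`."""
    events = parse_events(text)
    failures_529 = [e for e in events if e.get("Event ID") == "529"]
    hits = {}
    for e in events:
        if e.get("Event ID") != "680":
            continue
        # 680 shows the workstation as \\NAME, 529 shows it bare
        ws = e.get("Source Workstation", "").lstrip("\\").upper()
        for f in failures_529:
            if (f.get("Workstation Name", "").upper() == ws
                    and abs(f["_ts"] - e["_ts"]) <= window):
                hits[(ws, e.get("Logon account"))] = f["Source Network Address"]
    return hits
```

Error code 0xC0000064 in the quoted 680 event is STATUS_NO_SUCH_USER, i.e. the account root does not exist in the domain, which fits the fictitious workstation name; of the two records only the 529 carries a network address, so it is the one to pull the IP from before reaching for a Snort rule.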



--__--__--

Message: 4
From: Kevin Johnson <kjohnson () secureideas net>
To: mdpeters <michael.peters () lazarusalliance com>
Cc: Snort Users <snort-users () lists sourceforge net>, twebster () daksoft com
Date: Tue, 25 Jan 2005 19:05:31 -0500
Subject: [Snort-users] Re: php 5 - base error resolution?

Hi-

The fix to this issue is in CVS for BASE and was provided to us by Tim
Rupp, one of our core developers.  The "patch" below does not seem to
fix the issue on any of our systems without breaking the flexibility of
the application.  If anyone is interested in the fix and do not want to
run CVS code, they can visit the link below to view the changes.  These
changes work with the 1.0.1 release also.

I would also like to comment that your line numbers are different
because, as you explained in our phone call, you have removed all
licensing and copyright information from the application.

Thank you,
Kevin Johnson
-----------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!

On Tue, 2005-01-25 at 17:30, mdpeters wrote:
Yes I did. I offered the solution to the BASE folks but never received
word back. My line numbers will be different than everyone else's. Just
look in the following pages for these values and I think you should be
good to go.

Here are the changes I made including the debugging code.


...snip...

Best regards,

Michael D. Peters
Director of Security Services
CISSP


----- Original Message ----- 
From: <twebster () daksoft com>
To: <michael.peters () lazarusalliance com>
Sent: Tuesday, January 25, 2005 3:53 PM
Subject: php 5 - base error resolution?


Michael,

On 12-27-2004 you sent a message to snort mailing list regarding the
following error.

Fatal error: Cannot use string offset as an array in /usr/local/apache2/htdocs/includes/base_state_citems.inc.php on line 710


Did you ever get BASE to work with PHP 5?  I am having the same problem?
Do you have a solution?

thanks,

Tony Webster
Daksoft
(605) 721-2141
twebster @ daksoft.com








--__--__--

Message: 5
Date: Tue, 25 Jan 2005 23:22:22 -0500
From: "Paul Aviles" <paviles () adjoined com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] streaming media detection

Is there a way to detect people streaming media or listening to music? With
most of them using port 80 I am curious as to what approach to use.

Also, is there a way to send an email upon certain alerts?

Thanks



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest


