Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

["Castle, Shane" <scastle () bouldercounty org>]

The home page (http://www.snortsam.net/) gives a succinct explanation of
the idea behind it and how in general it works.

I use it with Snort and some modified rules (ET has a whole set of rules
with "fwsam") to generate automatic blocks on our Check Point firewall.
Granted, it's not true IPS, but it adds another bit of protection while
still permitting more IDS rules to be allowed, which I could not do if
running in IPS mode. As you know, FPs can't be tolerated very well for
HIPS.

For instance: we have a couple of Windows RDP-accessible devices on
which we don't permit administrative logins. If Snort rule 4060 triggers
(POLICY RDP attempted administrator connection request), it will send a
block message to the firewall and the IP that tried to connect as
administrator is completely blocked from our network for 24 hours. This
is done easily without actually modifying any rules by means of a
"sid-block.map" file that has the rule number and how long to block
correlated.

I use the components of snortsam with other systems, too, so that
certain events will trigger a firewall block, but those don't involve
Snort so aren't really relevant.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, January 06, 2011 13:17
To: Castle, Shane; Jeff Kell
Cc: snort-users () lists sourceforge net; snort-sigs () lists sourceforge net;
snort-devel () lists sourceforge net
Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

What features of SnortSam do you guys use now?

(I don't know SnortSam, at all, so walk me through it)

J


On Jan 6, 2011, at 3:10 PM, Castle, Shane wrote:

> Nope. Adding SnortSam to 2.8.6.1 fails owing to the use of
> autoconf/libtool releases in 2.8.6.1 later than supported on RH5.
>
> About ready to ditch RHEL completely for the IDS install but as I
wrote,
> things are moving slow. 
>
> -- 
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
>
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com] 
> Sent: Thursday, January 06, 2011 12:51
> To: Castle, Shane
> Cc: snort-users () lists sourceforge net;
snort-sigs () lists sourceforge net;
> snort-devel () lists sourceforge net
> Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0
>
> I understand.  
>
> We don't maintain the SnortSam mod, so I can't help you there.  But
you
> can upgrade to 2.8.6.1 if you can't go to 2.9.0.3.  I understand that
is
> a segment of users out there that are on RHEL5 and it has an older
> version of installed libpcap that people are having to recompile.
>
> J
>
>
> On Jan 6, 2011, at 2:47 PM, Castle, Shane wrote:
>
> > I can't add the SnortSam mods to any release >2.8.6.0 on my RHEL5
> > install. Plans are in place to migrate either to RH6 or a different
> > Linux distro so I can haz all the newer required components but it
> ain't
> > happening very quickly (sigh).
> >
> > -- 
> > Shane Castle
> > Data Security Mgr, Boulder County IT
> > CISSP GSEC GCIH
> >
> >
> > -----Original Message-----
> > From: Joel Esler [mailto:jesler () sourcefire com] 
> > Sent: Thursday, January 06, 2011 12:37
> > To: Castle, Shane
> > Cc: snort-users () lists sourceforge net;
> snort-sigs () lists sourceforge net;
> > snort-devel () lists sourceforge net
> > Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0
> >
> > Why do you have to find a new OS?  Using an old version of RH or
> > something?
> >
> > Can't you use 2.8.6.1?
> >
> > J
> >
> > On Jan 6, 2011, at 2:31 PM, Castle, Shane wrote:
> >
> > > Crap. Now I have to find a new OS. What, you couldn't wait another 6
> > > months?
> > >
> > > -- 
> > > Shane Castle
> > > Data Security Mgr, Boulder County IT
> > > CISSP GSEC GCIH
> > >
> > >
> > > -----Original Message-----
> > > From: Joel Esler [mailto:jesler () sourcefire com] 
> > > Sent: Thursday, January 06, 2011 12:24
> > > To: snort-users () lists sourceforge net;
> > snort-sigs () lists sourceforge net;
> > > snort-devel () lists sourceforge net
> > > Subject: [Snort-sigs] RulePack update and End of Life of 2.8.6.0
> > >
> > > All--
> > >
> > > I just put up a blog post about the newest rulepack update and the
> EOL
> > > of 2.8.6.0's support for VRT rules.
> > >
> > > Please review it at:
http://blog.snort.org/2011/01/vrt-rule-update-available-now-and-eol.html
> > > Thanks!
> > >
> > > Joel Esler
> > > Manager, OpenSource Community


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users