Snort mailing list archives
Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Thu, 6 Jan 2011 15:46:31 -0500
I'm a heavy snortsam user as well, great tool. (Don't tell Frank, his ego will puff up even farther.) Major advantage is being able to distribute blocks among all sensors, and among all perimeter firewall devices. Or among different organizations. We're building this into Suricata via IP reputation distribution, but it's not there yet. Snortsam is still a critical piece.

Matt

On Jan 6, 2011, at 3:39 PM, Joel Esler wrote:
> Okay, so the feature set you are looking for is the ability to block using an external firewall, is that correct? You can't do the time-based blocking from within Snort itself? (need to be inline)
>
> J
>
> On Jan 6, 2011, at 3:28 PM, Jeff Kell wrote:
>
>> On 1/6/2011 3:17 PM, Joel Esler wrote:
>>
>>> What features of SnortSam do you guys use now? (I don't know SnortSam, at all, so walk me through it)
>>
>> The executable (which itself is independent) here is 2.50, and it is rather old. But that part just plain works.
>>
>>     SnortSam, v 2.50.
>>     Copyright (c) 2001-2006 Frank Knobbe <frank () knobbe us>.
>>     All rights reserved.
>>
>>     Plugin 'fwsam': v 2.4, by Frank Knobbe
>>     Plugin 'fwexec': v 2.4, by Frank Knobbe
>>     Plugin 'pix': v 2.8, by Frank Knobbe
>>     Plugin 'ciscoacl': v 2.10, by Ali Basel <alib () sabanciuniv edu>
>>     (etc)
>>
>> There is a "patch" which is applied to the snort /src directory that does the magic of installing the "fwsam:" rule hook and sid-block.map file linkages for the "output alert_fwsam:" functionality. It is this patch installation (and the subsequent build) that is rather fragile. The patch files are available from the snortsam repository. The last I have is for 2.8.6...
>>
>>     patch -p1 < ../snortsam-2.8.6.diff
>>
>> And my last binary was:
>>
>>     $ snort -V
>>
>>        ,,_     -*> Snort! <*-
>>       o"  )~   Version 2.8.6 (Build 38)
>>        ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>                Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>                Using PCRE version: 6.6 06-Feb-2006
>>
>> That was my last round on CentOS 5 with overriding libpcap-1.1.1 / tcpdump-4.1.1 modules/libraries. I haven't made the leap to the 2.9 additional requirements.
>> Jeff
>>
>> ------------------------------------------------------------------------------
>> Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption
>> http://p.sf.net/sfu/oracle-sfdevnl
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
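The sid-block.map lookup and the time-based blocking that Jeff and Joel discuss above, as an added Python model (not SnortSam's own code). The "sid[, sid...]: who[how], duration" map syntax is as I recall it from the SnortSam README and is an assumption here; the map contents, sids and IP addresses are constructed sample data.

```python
import re

# Constructed sample sid-block.map; the "sid[, sid...]: who[how], duration"
# syntax is as I recall it from the SnortSam README (an assumption).
SID_BLOCK_MAP = """
1325: src, 3 days          # block the attacking host for three days
2003, 2004: dst[in], 15 minutes
9999: src, 0               # 0 = permanent block
"""
UNITS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400, "week": 604800}

def parse_duration(text):
    """'15 minutes' -> 900 seconds; '0' -> None (permanent)."""
    n, _, unit = text.strip().lower().partition(" ")
    if n == "0":
        return None
    return int(n) * next(s for k, s in UNITS.items() if unit.startswith(k))

def parse_sid_block_map(text):
    """Return {sid: (who, how, seconds_or_None)}; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        sids, action = line.split(":", 1)
        who_how, duration = action.split(",", 1)
        m = re.fullmatch(r"\s*(\w+)(?:\[(\w+)\])?\s*", who_how)
        who, how = m.group(1).lower(), (m.group(2) or "either").lower()
        for sid in sids.split(","):
            table[int(sid)] = (who, how, parse_duration(duration))
    return table

def apply_alert(blocks, table, sid, src_ip, dst_ip, now):
    """Record the block the map prescribes for sid (blocks: ip -> expiry epoch seconds, None = permanent); returns the blocked IP, or None if sid is unmapped."""
    entry = table.get(sid)
    if entry is None:
        return None
    who, _how, seconds = entry
    ip = src_ip if who in ("src", "source") else dst_ip  # 'both' not modelled
    new = None if seconds is None else now + seconds
    old = blocks.get(ip, now)
    # a permanent block is never shortened; otherwise keep the later expiry
    blocks[ip] = None if None in (old, new) else max(old, new)
    return ip

def expire(blocks, now):
    """Drop blocks whose time is up; return the IPs to unblock on the firewall."""
    gone = [ip for ip, exp in blocks.items() if exp is not None and exp <= now]
    for ip in gone:
        del blocks[ip]
    return gone
```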