Snort mailing list archives
Re: Testing Snort
From: Josh Bitto <jbitto () onlineschool ca>
Date: Wed, 30 Jan 2013 15:10:37 -0800
Hmmm... now I have another question... lol... it's hump day (middle of the week).

Is there a program out there that works with Snort in a way to capture data from users? Let's say a sensitive data rule gets fired (example: email addresses) and we want to make sure that, whatever rule that is, the content lines up with company policy. I know of Wireshark, but that is just packets...

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, January 30, 2013 12:52 PM
To: Josh Bitto
Cc: Jeremy Hoel; Snort Users
Subject: Re: [Snort-users] Testing Snort

On Jan 30, 2013, at 3:44 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

1. The rules update... I obtained the oinkmaster code and put it in. It has the option to update at a certain time, every 12 hours for example. Does it automatically do that, or do I have to buy a subscription for that to actually work? I know the definitions will be 30 days old for just a regular registered user, but still.

You'd probably want to cron it.

2. Back to the rules search... OK, I searched a couple of SID numbers and it came back as "this rule as been deprecated and placed into deleted.rules". Should I suppress that, or are my definitions outdated?

Your definitions may be outdated. When we delete a rule, it's usually because it's no longer useful or it's been replaced by better detection.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire