[Snort-sigs] unsubscribe

Mattison Ward mattison_ward at ...144...
Wed Oct 8 17:58:06 EDT 2003


unsubscribe

--- snort-sigs-request at lists.sourceforge.net wrote:
> Send Snort-sigs mailing list submissions to
> 	snort-sigs at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
> 	snort-sigs-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> 	snort-sigs-admin at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
> 
> 
> Today's Topics:
> 
>    1. detect edonkey (Cedric Foll)
>    2. Re: false positive: WEB-FRONTPAGE fourdots request (Joe Stewart)
>    3. Common encryption Identification? (Tony Hernandez)
>    4. Snort Start Error (Grimm, Paul F)
>    5. Re: false positive: WEB-FRONTPAGE fourdots request
> (dmitriy.dunavetsky at ...1922...)
>    6. Re: detect edonkey (Nigel Houghton)
>    7. Re: detect edonkey (Cedric Foll)
>    8. Re: Snort Start Error (Mike Messick)
> 
> --__--__--
> 
> Message: 1
> From: Cedric Foll <cedric.foll at ...1947...>
> To: snort-sigs <snort-sigs at lists.sourceforge.net>
> Date: Wed, 08 Oct 2003 13:52:36 +0200
> Subject: [Snort-sigs] detect edonkey
> 
> Hi,
> 
> I'm working in a school environment and I'd like to stop Edonkey traffic.
> I've written the following rule to detect edonkey:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Edonkey
> Traffic"; flow:established,to_server; content:"|e3|"; offset:0; depth:1;
> classtype:policy-violation; sid:10000001; rev:1;)
> 
> In fact, in the edonkey protocol, all packets seem to have the first byte of
> the data layer set to 0x03.
> I get very few false positives.
> 
> Regards.
> 
> -- 
> Cedric Foll
> Network engineer, Rectorat de Rouen
> email: cedric.foll at ...1947...
> tel: 02 35 14 77 51
> 
> 
> 
> --__--__--
> 
> Message: 2
> From: Joe Stewart <jstewart at ...5...>
> Organization: LURHQ Corporation
> To: <snort-sigs at lists.sourceforge.net>
> Subject: Re: [Snort-sigs] false positive: WEB-FRONTPAGE fourdots request
> Date: Wed, 8 Oct 2003 08:57:47 -0400
> 
> On Tuesday 07 October 2003 06:14 pm, Matt Kettler wrote:
> > At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
> > >alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> > >(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
> > >content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
> > >reference:cve,CAN-2000-0153; reference:arachnids,248;
> > >classtype:web-application-attack; sid:966;  rev:5;)
> >
> > <style rant>
> >
> > What's with all these rules which consist entirely of ASCII text
> > being written in hex format for no particularly good reason? What kind
> > of drugs do you need to be on to think that "|2e 2e 2e 2e 2f|" is a
> > better idea than "..../"?
> >
> > Perhaps it's just copy-paste laziness from hex packet dumps, but it's
> > really quite silly and makes the intent of the rule significantly
> > harder to read IMO.
> >
> > I don't write my emails in |68 65 78| do I?
> >
> > </style rant>
> 
> There are times when writing the content in hex may be valid: if the
> rule might possibly be triggered by content containing the rule itself.
> For instance, when visiting a web archive of this mailing list, the way
> the above rule is written would not cause a false positive, but the way
> you would have it written might trigger an alert when reading the page 
> with the rule displayed, depending on how the user has configured
> EXTERNAL_NET and HTTP_SERVERS.
> 
> -Joe
> 
> --
> Joe Stewart, GCIH 
> Senior Security Researcher
> LURHQ Corporation
> http://www.lurhq.com/
> 
> 
> 
> --__--__--
> 
> Message: 3
> Date: Wed, 8 Oct 2003 09:08:17 -0400
> From: "Tony Hernandez" <tonyh at ...1915...>
> To: <snort-sigs at lists.sourceforge.net>
> Subject: [Snort-sigs] Common encryption Identification?
> 
> Has anyone got any rules for detecting encryption types? I believe that
> I have some users that are encrypting p2p traffic and would like to poke
> into this a bit. It's pretty obvious by the ports they are connecting to;
> however, the usual p2p rules don't work for this. I took a look at the
> packets and they all begin with ".....=..._....E." Anyone have any
> ideas?
> 
> 
> Tony
> 
> 
> --__--__--
> 
> Message: 4
> Date: Tue, 7 Oct 2003 13:33:32 -0700
> From: "Grimm, Paul F" <paul.f.grimm at ...1949...>
> To: <snort-sigs at lists.sourceforge.net>
> Subject: [Snort-sigs] Snort Start Error
> 
> Hi,
> 
> I loaded snort2.0.2 on a Linux 9 platform running mysql. Snort starts
> with this error:
> 
> Starting Intrusion Database System: SNORT
> 
> /usr/local/bin/snort: error while loading shared libraries:
> libmysqlclient.so.12: cannot open shared object file: No such file or
> directory
> 
> however libmysqlclient.so.12 is located in /usr/local/mysql/lib
> -rwxr-xr-x root root 159113 Oct 7 (date of server build)
> 
> mysql was compiled as ./configure -prefix=/usr/local/mysql
> 
> snort was compiled as ./configure -with-mysql=/usr/local/mysql
> 
> What can I do to fix this?
> 
> Thanks, Paul
> 
> Paul F Grimm
> 
> MPG - Wireless Verification Program
> 
=== message truncated ===


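Added example, not part of the digest above and not code from any of its posters: a small Python emulation of Snort's content/offset/depth/nocase matching, run against the two rules quoted in messages 1 and 2. It shows that the eDonkey rule's offset:0/depth:1 inspects only the first payload byte (so any stream that happens to start with 0xe3, such as UTF-8 Japanese text, trips it, which is the kind of false positive Cedric mentions), and that "|2e 2e 2e 2e 2f|" and "..../" compile to identical bytes, with the difference Joe describes showing up only when the text of the rule itself is what travels over the wire. The sample payloads are constructed, not captured traffic; the parser assumes a content string is literal text plus |hex| runs and handles none of Snort's other escapes.

```python
from typing import Optional


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string into the bytes the engine searches for.

    Runs between a pair of '|' characters are hex ("|2e 2e 2e 2e 2f|");
    anything outside the pipes is literal text ("..../"). Snort's other
    escapes (\\", \\; and \\\\) are not handled here (assumption: the rules
    quoted above use none of them).
    """
    if content.count("|") % 2:
        raise ValueError("unbalanced '|' in content string: %r" % content)
    out = bytearray()
    for i, piece in enumerate(content.split("|")):
        if i % 2:                        # odd pieces sit inside |...|
            out += bytes.fromhex(piece)  # fromhex skips the spaces
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, offset: int = 0,
                    depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Emulate content/offset/depth/nocase: look for pattern in the window
    that starts 'offset' bytes into the payload and is 'depth' bytes long
    (the rest of the payload when depth is None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


# The three content strings from the rules quoted in the digest.
EDONKEY_PATTERN = parse_snort_content("|e3|")              # sid 10000001
FOURDOTS_HEX = parse_snort_content("|2e 2e 2e 2e 2f|")     # sid 966 as shipped
FOURDOTS_ASCII = parse_snort_content("..../")              # Matt's preferred spelling


def edonkey_alert(payload: bytes) -> bool:
    """content:"|e3|"; offset:0; depth:1 -> only the first payload byte is examined."""
    return content_matches(payload, EDONKEY_PATTERN, offset=0, depth=1)


def fourdots_alert(payload: bytes, pattern: bytes = FOURDOTS_HEX) -> bool:
    """content:"|2e 2e 2e 2e 2f|"; nocase; no offset/depth, so the whole payload is searched."""
    return content_matches(payload, pattern, nocase=True)


# Constructed sample payloads (not captured traffic).
EDONKEY_LIKE = b"\xe3\x06\x00\x00\x00\x01\x10" + b"\x00" * 16      # first byte 0xe3
PLAIN_HTTP = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
UTF8_TEXT = "\u3042\u3044\u3046".encode("utf-8")   # hiragana: every char starts 0xe3
LATE_E3 = b"GET\xe3"                              # 0xe3 outside the depth:1 window
FOURDOTS_REQUEST = b"GET /..../default.htm HTTP/1.0\r\n\r\n"
# The rule as a web archive of this list would serve it back to a reader,
# once written in hex and once in ASCII (Joe's point).
ARCHIVE_PAGE_HEX = b'<pre>content: "|2e 2e 2e 2e 2f|"; nocase; sid:966;</pre>'
ARCHIVE_PAGE_ASCII = b'<pre>content: "..../"; nocase; sid:966;</pre>'


def demo() -> dict:
    """Run every sample through the rule it targets; return verdicts by name."""
    return {
        "edonkey_like": edonkey_alert(EDONKEY_LIKE),          # True
        "plain_http": edonkey_alert(PLAIN_HTTP),              # False
        "utf8_text": edonkey_alert(UTF8_TEXT),                # True (false positive)
        "late_e3": edonkey_alert(LATE_E3),                    # False
        "fourdots_request": fourdots_alert(FOURDOTS_REQUEST), # True
        "archive_page_hex": fourdots_alert(ARCHIVE_PAGE_HEX), # False
        "archive_page_ascii": fourdots_alert(ARCHIVE_PAGE_ASCII),  # True
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name:20s} {'ALERT' if fired else '-'}")
```

The two spellings of sid 966 produce the same five bytes, so the engine cannot tell them apart; the only difference is in the rule file, and therefore in any page that reproduces it. The eDonkey check is as cheap as a content match gets, but a one-byte pattern at offset 0 is a weak discriminator on its own, which is why the false-positive rate matters.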



