[Snort-sigs] ack! bad virus! bad bad!

John Nagro john.nagro at ...2420...
Tue Jun 29 08:59:00 EDT 2004


Around here I run a simple shell script that runs oinkmaster to update
all the rules, then downloads the bleeding.rules to local.rules, then
downloads the bleeding-sid-msg.map and appends that to the end of the
stock sid-msg.map. Then restart barnyard, and restart snort.

You need the sid-msg.map in order to see the real rule names, etc.

-John
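A fuller version of the update script described above, added here as an example rather than John's actual script. It keeps a pristine copy of the stock sid-msg.map and rebuilds the merged map from that copy on every run instead of appending, which is what stops duplicate entries accumulating across runs; it refuses to install a map in which one SID carries two different messages; and it only swaps a downloaded file into place when the fetch succeeded and the file is non-empty, so a failed download cannot leave snort with an empty local.rules. The file names under the bleedingsnort URL, the sid-msg.map.stock copy, the oinkmaster -o output option and the init-script restart commands are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Rebuilds sid-msg.map from a pristine
# stock copy plus bleeding-sid-msg.map rather than appending every run.
set -eu

# Paths and URL layout are assumptions; adjust to the local Snort install.
SNORT_ETC="${SNORT_ETC:-/etc/snort}"
BLEEDING_URL="${BLEEDING_URL:-http://www.bleedingsnort.com}"

# merge_sid_msg_map STOCK BLEEDING OUT
# OUT = STOCK + BLEEDING with comments, blank lines and exact duplicate
# lines dropped. Returns 1 and writes nothing if the same SID appears with
# two different messages, since barnyard would then show the wrong name.
merge_sid_msg_map() {
    stock="$1"; bleeding="$2"; out="$3"
    tmp="$(mktemp)"
    cat "$stock" "$bleeding" \
      | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | sort -u > "$tmp"
    # sid-msg.map lines look like: SID || message [|| reference ...]
    dup="$(cut -d'|' -f1 "$tmp" | tr -d ' ' | sort | uniq -d)"
    if [ -n "$dup" ]; then
        echo "conflicting messages for SID(s): $dup" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# fetch_to URL DEST: download to a temp file and replace DEST only when the
# fetch succeeded and produced a non-empty file.
fetch_to() {
    url="$1"; dest="$2"
    tmp="$(mktemp)"
    if curl -fsS -o "$tmp" "$url" && [ -s "$tmp" ]; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "download of $url failed, keeping existing $dest" >&2
        return 1
    fi
}

# update_rules: the routine from the post. Runs only when invoked as
#   SNORT_UPDATE_RUN=1 sh update.sh
# so sourcing the file for its functions stays side-effect free.
update_rules() {
    # oinkmaster -o <dir> writes updated rules into that directory (assumed layout)
    oinkmaster -o "$SNORT_ETC/rules"
    fetch_to "$BLEEDING_URL/bleeding.rules" "$SNORT_ETC/rules/local.rules"
    fetch_to "$BLEEDING_URL/bleeding-sid-msg.map" "$SNORT_ETC/bleeding-sid-msg.map"
    # sid-msg.map.stock is an assumed untouched copy of the distributed map
    merge_sid_msg_map "$SNORT_ETC/sid-msg.map.stock" \
                      "$SNORT_ETC/bleeding-sid-msg.map" \
                      "$SNORT_ETC/sid-msg.map"
    # restart commands vary by platform; these init scripts are assumptions
    /etc/init.d/barnyard restart
    /etc/init.d/snort restart
}

if [ "${SNORT_UPDATE_RUN:-0}" = "1" ]; then
    update_rules
fi
```

Because the merge always starts from the untouched stock copy, running the script twice yields an identical sid-msg.map, which is not true of a plain append.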

On Mon, 28 Jun 2004 11:05:38 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> You are correct. Just add the bleeding.rules and you're all set.
> 
> 
> 
> Matt
> 
> Albers, Lucas wrote:
> 
> >
> > I log to a sql database, because I'm using acidlab web interface.
> > I do not need to configure the map file?
> >
> > -----Original Message-----
> > From: Matthew Jonkman
> > To: Albers, Lucas
> > Cc: 'snort-sigs mailinglist '
> > Sent: 6/28/2004 8:59 AM
> > Subject: Re: [Snort-sigs] ack! bad virus! bad bad!
> >
> > First off, if you're using the stock snort you don't need the map file.
> > That's for using an output processor like barnyard.
> >
> > I'm not a barnyard user, but my intention in putting that file in there
> > was to let you append it to your existing map file.
> >
> > If any barnyard users have a better way to use it we'd appreciate
> > hearing about it.
> >
> > Thanks
> >
> > Matt
> >
> > Albers, Lucas wrote:
> >
> >
> >>I configured oinkmaster to grab this, but I am unsure what settings I need
> >>to change to have it read the included .map file.
> >>How do you configure snort.conf to include a new *.map file?
> >>I could not see any specific information on what the syntax is for including
> >>a new .map file.
> >>I easily saw how to include a new rule file, which I've done.
> >>
> >>information appreciated.
> >>
> >>--Luke
> >>
> >>-----Original Message-----
> >>From: Matthew Jonkman
> >>To: Bryan Irvine
> >>Cc: snort-sigs mailinglist
> >>Sent: 6/25/2004 5:12 PM
> >>Subject: Re: [Snort-sigs] ack! bad virus! bad bad!
> >>
> >>http://www.bleedingsnort.com
> >>
> >>Matt
> >>
> >>Bryan Irvine wrote:
> >>
> >>
> >>
> >>>Is there any way to sniff for this?
> >>>
> >>>http://www.informationweek.com/story/showArticle.jhtml?articleID=22102052
> >>>
> >>>I have far too many machines to go patching and modifying security
> >>>settings.
> >>>
> >>>--Bryan
> >>>
> >>>
> >>
> >>
> >>
> >>-------------------------------------------------------
> >>This SF.Net email sponsored by Black Hat Briefings & Training.
> >>Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> >>digital self defense, top technical experts, no vendor pitches,
> >>unmatched networking opportunities. Visit www.blackhat.com
> >>_______________________________________________
> >>Snort-sigs mailing list
> >>Snort-sigs at lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
> 
> --
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> Infotex
> 765-429-0398 Direct Anytime
> 765-448-6847 Office
> 866-679-5177 24x7 NOC
> my.infotex.com
> www.offsitefilter.com
> --------------------------------------------
> 
> NOTICE: The information contained in this email is confidential
> and intended solely for the intended recipient. Any use,
> distribution, transmittal or retransmittal of information
> contained in this email by persons who are not intended
> recipients may be a violation of law and is strictly prohibited.
> If you are not the intended recipient, please contact the sender
> and delete all copies.
> 
>
