[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Eric Hines eric.hines at ...1663...
Wed Jun 8 12:46:21 EDT 2005


Matt, et. al.,

These new SSH signatures brought down all of our customer's Snort
installations because that SSH_PORTS variable is not in the default
snort.conf file. I can't see anyone needing a variable for SSH port 22. Can
we kill the variable? I can't imagine how the AWCC nor any other Snort
management solution that downloads signatures from the Bleeding-Edge
database will then go in to the users snort.conf file and create this new
variable for the user.

The AWCC now downloads signatures from bleeding-edge automatically, I'm sure
there are other tools that do the same. Will we then expect everyone whose
maintaining a Snort ruleset management tool to also go in their and add the
SSH_PORTS variable to the snort.conf file in the case that they downloaded
Eric's SSH rules?

These are great sigs, but the variable for port 22 I find completely
unnecessary. It makes sense for HTTPD (443, 80, 8080, whatever) but for
SSHD?



Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com
----------------------------------------------------------------------------
- 
Enterprise Snort Management at http://www.appliedwatch.com.
Security Information Management for the Open Source Enterprise.
----------------------------------------------------------------------------
-
-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt Jonkman
Sent: Friday, June 03, 2005 11:36 PM
To: bleeding-sigs at ...2727...; snort-sigs mailinglist
Subject: [Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

You need to add this line to your snort.conf if you're using the bleeding
snort policy rules:

var SSH_PORTS 22

Just a reminder in case you're not following other threads on the
bleeding-sigs list.

Back to your regular programming....

Matt

--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential and intended
solely for the intended recipient. Any use, distribution, transmittal or
retransmittal of information contained in this email by persons who are not
intended recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender and delete
all copies.


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you
shotput a projector? How fast can you ride your desk chair down the office
luge track?
If you want to score the big prize, get to know the little guy.  
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





More information about the Snort-sigs mailing list