[Snort-users] Win32-snort users

H Carvey keydet89 at ...131...
Thu Jul 27 06:07:00 EDT 2000


Mike,

I, for one, am using the snot out of snort!  

I've been looking at it, playing with it, and firing
off attacks against my own box.  I've recommended it
to guys like Brent as a great way to protect IIS 
servers to some degree...use the web-based rules for
attacks that affect IIS, and make them all alerts. 
Then include an RST as a response to the 'attack'.

Carv
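Carv's suggestion above (IIS web rules as alerts, with a reset as the response) as an added example that is not from the thread: the same IIS-directed match written once as a plain alert and once with Snort's FlexResp `resp` keyword, so the sensor also tears the session down. This assumes Snort built with FlexResp support (the `resp` keyword is not parsed otherwise); the `content` string and the network are placeholders, not a signature taken from the rule base.

```snort
# Added example, not a rule from the thread or the Snort rule base.
# Assumes Snort compiled with FlexResp (--enable-flexresp); without it
# the 'resp' keyword is rejected at rule-load time.
# The content string is an illustrative placeholder, not a real signature.
var HOME_NET 192.168.1.0/24

# Plain alert: log the request aimed at IIS, take no action.
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS example request"; flags:PA; content:"/scripts/example.exe"; nocase;)

# Same match, but also reset the connection towards both ends.
# resp: accepts rst_snd (reset the sender), rst_rcv (reset the receiver)
# or rst_all (both).
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS example request - reset"; flags:PA; content:"/scripts/example.exe"; nocase; resp:rst_all;)
```

Two caveats before turning this on for an IIS box in the DMZ: the reset goes out after the matching packet has already been delivered, so it cuts off the rest of the session but does nothing against a one-request attack; and a rule that fires on spoofable traffic lets anyone make the sensor reset connections on your behalf, so keep `resp` on a small set of high-confidence signatures rather than on every web rule.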

--- Mike <Mike at ...164...> wrote:
> Wow, people actually use snort for WIN32 ;-)
> 
> Anyone running snort-WIN32 on Win2k Advanced Server?
> 
> Michael Davis
> Chief Technical Officer
> Data Nerds, LLC.
> http://www.datanerds.net
> 
> > Brent,
> > 
> > Take a look at the script I have posted at:
> > 
> > http://patriot.net/~carvdawg/perl.html
> > 
> > It's called 'snortrpt.pl'.  It's easily customizable
> > to your file structure...where nmapNT is sitting, etc.
> > 
> > You'll also find scripts for pulling the EventLogs,
> > etc.
> > 
> > Regarding the emailing you of certain alerts...I am 
> > working on such a script...unfortunately, I have found
> > that the Win32::ChangeNotify module doesn't work with
> > the EventLog files.  So, the only immediate, short-term
> > solution I can offer is to write you a script that 
> > polls the EventLog (or multiple EventLogs) every 60 or
> > so seconds, and will email you if certain alerts are
> > found.  What I want to do is write a script that will
> > respond when an event is generated, rather than polling
> > the 'Logs.
> > 
> > I just updated my alert file with several new entries
> > from the most recent rule base...I've been getting some
> > Sub7 scans lately and want to see what else I'm 
> > getting...
> > 
> > Carv
> > 
> > > I have also been using Snort both on Mandrake Linux
> > > and Win32. 
> > > 
> > > I would be very interested in finding Perl scripts
> > > to organize alerts in a report and also have a tool
> > > or script to e-mail me during certain alerts.
> > > 
> > > Right now all my alerts go into the NT event viewer.
> > > I would like to run Snort with a highly customized
> > > rule set on a web server in our DMZ and have the
> > > script e-mail me during certain alerts.
> > 
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Get Yahoo! Mail - Free email you can access from anywhere!
> > http://mail.yahoo.com/
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> > 
> 
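The 60-second EventLog polling script Carv describes in his quoted message, as an added example: this is not snortrpt.pl or any script posted on patriot.net, and it is written against the Win32::EventLog and Net::SMTP modules that ship with ActivePerl. Assumptions not established by the thread: Snort's alerts land in the Application log under the event source `snort` (check the Source column in Event Viewer), an SMTP relay is reachable from the sensor, and the patterns, host names and addresses in the script are placeholders to replace.

```perl
#!/usr/bin/perl -w
# Added example, not a script from the thread: poll the NT/2000 Application
# event log every 60 seconds and mail any new Snort alerts that match a
# watch list. Assumes (not established by the thread) that Snort logs with
# event Source "snort" and that an SMTP relay is reachable from the sensor.
use strict;
use Win32::EventLog;
use Net::SMTP;

my $LOG_NAME  = 'Application';
my $SOURCE    = 'snort';              # assumed Snort event source name
my $INTERVAL  = 60;                   # seconds between polls
my $SMTP_HOST = 'mail.example.com';   # placeholder relay
my $FROM      = 'snort@example.com';  # placeholder addresses
my $TO        = 'admin@example.com';

# Alerts worth mailing, matched case-insensitively against the event text.
my @WATCH = (qr/WEB-IIS/i, qr/Sub7|SubSeven/i, qr/SCAN/i);

# Have Read() expand the formatted message into $ev{Message} when a message
# file is registered; otherwise we fall back to the raw insertion strings.
$Win32::EventLog::GetMessageText = 1;

# Oldest and newest record numbers currently in the log.
sub log_bounds {
    my ($log) = @_;
    my ($count, $oldest) = (0, 0);
    $log->GetNumber($count);
    $log->GetOldest($oldest);
    return $count ? ($oldest, $oldest + $count - 1) : (0, 0);
}

# Read every record after $last; return the new newest record number and
# the matching Snort entries as "time  text" lines.
sub new_alerts {
    my ($log, $last) = @_;
    my ($oldest, $newest) = log_bounds($log);
    # If newest fell below our bookmark the log was cleared: resync to the
    # oldest surviving record instead of seeking into records that are gone.
    my $start = ($newest < $last) ? $oldest : $last + 1;
    my @hits;
    for my $rec ($start .. $newest) {
        my %ev;
        $log->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, $rec, \%ev)
            or next;
        next unless defined $ev{Source} && lc($ev{Source}) eq lc($SOURCE);
        my $text = (defined $ev{Message} && length $ev{Message})
                 ? $ev{Message} : $ev{Strings};
        $text =~ s/\0/ /g;                # insertion strings are NUL-separated
        next unless grep { $text =~ $_ } @WATCH;
        push @hits, scalar(localtime $ev{TimeGenerated}) . "  $text";
    }
    return ($newest, @hits);
}

# One message per polling pass rather than one per alert, so a scan that
# trips 200 rules produces one mail, not 200.
sub send_mail {
    my (@lines) = @_;
    my $smtp = Net::SMTP->new($SMTP_HOST, Timeout => 30)
        or do { warn "SMTP connect to $SMTP_HOST failed\n"; return 0 };
    $smtp->mail($FROM);
    $smtp->to($TO);
    $smtp->data();
    $smtp->datasend("From: $FROM\nTo: $TO\n");
    $smtp->datasend("Subject: snort: " . scalar(@lines)
                  . " alert(s) on $ENV{COMPUTERNAME}\n\n");
    $smtp->datasend(join("\n", @lines) . "\n");
    $smtp->dataend();
    $smtp->quit;
    return 1;
}

# Start from "now" so a restart does not replay old alerts.
my $log = Win32::EventLog->new($LOG_NAME, $ENV{COMPUTERNAME})
    or die "cannot open the $LOG_NAME log\n";
my (undef, $last) = log_bounds($log);
$log->Close;

while (1) {
    sleep $INTERVAL;
    # Reopen each pass so a cleared or recreated log is picked up cleanly.
    $log = Win32::EventLog->new($LOG_NAME, $ENV{COMPUTERNAME}) or next;
    my ($newest, @hits) = new_alerts($log, $last);
    $log->Close;
    $last = $newest;
    send_mail(@hits) if @hits;
}
```

Run it under an account that only needs read access to the Application log (any local user has that on NT/2000), not as Administrator. It keeps no state on disk, so a restart starts from the newest record rather than replaying old alerts, and it reopens the log on each pass and resyncs from the oldest record if the log has been cleared underneath it.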

