[Snort-users] unsubscribe

Ryan McClure (Systems Admin) - United Shipping rmcclure at ...2011...
Fri May 11 09:45:16 EDT 2001


-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Friday, May 11, 2001 1:24 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #634 - 9 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort won't run (alexus)
   2. Re: ******unsubscribe****** (shawn . moyer)
   3. RE: Snort won't run (Watson, Ed)
   4. Re: ******unsubscribe****** (Martin Roesch)
   5. Re: loggin issue (roman at ...438...)
   6. Re: Snort + Acid w/ MySQL question(s) (roman at ...438...)
   7. Snort 1.8-beta4 Build 17 coredump (Steve Shockley)
   8. RE: Rules vs performance (Jean-Francois Zwobada)
   9. Antwort: [Snort-users] DNS Query Logging? (holger.bumke at ...1216...)

--__--__--

Message: 1
From: "alexus" <ml at ...1718...>
To: "Dave Ryan" <dave.ryan at ...2017...>
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 18:17:10 -0400

hmm works with this one:)
thanks

----- Original Message ----- 
From: "Dave Ryan" <dave.ryan at ...2017...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 6:12 PM
Subject: Re: [Snort-users] Snort won't run


> 
> The latest rulesfile is specific to 1.8
> 
> Try these rules instead: www.snort.org/Files/Current/snortrules.tar.gz
> 
> Rgds.
> 
> Quoting alexus (ml at ...1718...):
> > i'm using snort 1.7 with latest set of rules
> > 
> > for some reason it won't run, any ideas?
> > 
> > su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf
> > 
> >         --== Initializing Snort ==--
> > 
> > Initializing Network Interface fxp0
> > Decoding Ethernet on interface fxp0
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Initializating Output Plugins!
> > 
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 
> > *WARNING*: unknown preprocessor "stream2", ignoring!
> > 
> > 
> > *WARNING*: unknown preprocessor "rpc_decode", ignoring!
> > 
> > 
> > *WARNING*: unknown preprocessor "bo", ignoring!
> > 
> > 
> > *WARNING*: unknown preprocessor "telnet_decode", ignoring!
> > 
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database:          user = alexus
> > database: database name = alexus
> > database: password is set
> > database:          host = localhost
> > database:   sensor name = 64.81.208.245
> > database:     sensor id = 1
> > database: using the "log" facility
> > Error: Unknown config: classification
> > su-2.04# 
> > 
> > what am i doing wrong now?
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> - -- 
> Dave Ryan Computer Incident Response Team 
> dave.ryan at ...2017... Eircom Multimedia
> 
> 



--__--__--

Message: 2
Date: Thu, 10 May 2001 17:32:40 -0500
From: "shawn . moyer" <shawn at ...1184...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ******unsubscribe******


"Insanity is doing the same thing
and expecting different results."

                 Dr. Edwards Deming





-- 

s h a w n   m o y e r
shawn at ...1184...

"May the forces of evil become 
confused on the way to your house."

                    --George Carlin


--__--__--

Message: 3
From: "Watson, Ed" <ewatson at ...2004...>
To: 'alexus' <ml at ...1718...>, snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 15:38:28 -0700


Don't know if this will make a difference; this works for me.

/usr/local/bin/snort -A full -c /usr/local/bin/rules/snort.conf

-----Original Message-----
From: alexus [mailto:ml at ...1718...]
Sent: Thursday, May 10, 2001 2:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort won't run


i'm using snort 1.7 with latest set of rules

for some reason it won't run, any ideas?

su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf

        --== Initializing Snort ==--

Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

*WARNING*: unknown preprocessor "stream2", ignoring!


*WARNING*: unknown preprocessor "rpc_decode", ignoring!


*WARNING*: unknown preprocessor "bo", ignoring!


*WARNING*: unknown preprocessor "telnet_decode", ignoring!

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = alexus
database: database name = alexus
database: password is set
database:          host = localhost
database:   sensor name = 64.81.208.245
database:     sensor id = 1
database: using the "log" facility
Error: Unknown config: classification
su-2.04# 

what am i doing wrong now?





--__--__--

Message: 4
Date: Thu, 10 May 2001 18:39:50 -0400
From: Martin Roesch <roesch at ...1935...>
To: "shawn . moyer" <shawn at ...1184...>
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ******unsubscribe******

Especially when *every message to the list* ends with instructions on
how to perform that function....

"shawn . moyer" wrote:
> 
> "Insanity is doing the same thing
> and expecting different results."
> 
>                  Dr. Edwards Deming
> 
> --
> 
> s h a w n   m o y e r
> shawn at ...1184...
> 
> "May the forces of evil become
> confused on the way to your house."
> 
>                     --George Carlin
> 

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org


--__--__--

Message: 5
To: Koaps <koaps at ...1804...>
Cc: roman at ...438..., snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] loggin issue
Date: Thu, 10 May 2001 21:15:11 US/Eastern

Well, -N disables the log facility and only enables the alert facility.
However, from your previous email, it would appear that you
have set the database plug-in to only read the log facility.
Either remove the -N or reconfigure the DB plugin to use
alert.

output database: log, postgresql, user=root ...
                           ^^^
                            |========= with -N this needs to be alert

cheers,
Roman

> nope
> 
> no loggin and no -A
> 
> I use this
> 
> /usr/local/bin/snort -c /var/snort/snort.conf -N
> 
> L8rZ,
> 
>   )\_/(
>  < o,0 >
>     ~
>    \ /
> 
> KoAps
> 
> 
> 
> ----- Original Message -----
> From: <roman at ...438...>
> To: "Koaps" <koaps at ...1804...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Thursday, May 10, 2001 8:35 AM
> Subject: Re: [Snort-users] loggin issue
> 
> 
> Is it logging anywhere else (e.g. to a file)? What does your
> command line look like?  Does it have a "-A"? If so, remove it.
> 
> Roman
> 
> > I don't get it....
> >
> > I have Snort 1.7 on OpenBSd
> >
> > it's telling me it's seeing Packets, it's sending alerts, but I see no data
> > in mysql....
> >
> >
> >
> > ===============================================================================
> > Snort received 5065 packets and dropped 0(0.000%) packets
> >
> > Breakdown by protocol:                Action Stats:
> >     TCP: 5048       (99.664%)         ALERTS: 7
> >     UDP: 0          (0.000%)          LOGGED: 7
> >    ICMP: 12         (0.237%)          PASSED: 0
> >     ARP: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 0          (0.000%)
> > DISCARD: 0          (0.000%)
> > =======================================
> >
> > connect info
> >
> > Initializing rule chains...
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database:          user = ids
> > database: password is set
> > database: database name = snortdb
> > database:          host = 192.168.69.5
> > database:   sensor name = 192.168.69.12
> > database:     sensor id = 2
> > database: using the "log" facility
> > 796 Snort rules read...
> > 796 Option Chains linked into 114 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> >
> > I am using ACID to look at the SnortDB
> > I can see it's registered in the database as a sensor...
> >
> > I just see no data from it
> >
> >
> >
> > L8rZ,
> >
> >   )\_/(
> >  < o,0 >
> >     ~
> >    \ /
> >
> > KoAps
> >
> >
> >
> >
> >
> >
> 
> 
> 
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/
> 
> 
> 
> 
> 
> 



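As an added example (not code from the thread or from the Snort project), a small checker for the situation Roman diagnoses above: it reads `output database:` lines in the Snort 1.x syntax (facility, database type, then space-separated key=value parameters) and reports a database plugin bound to the log facility while -N is on the command line. Function names and the sample config are my own and constructed.

```python
"""Flag a Snort 1.x database plugin that can never receive data.

In Snort 1.x each output plugin is bound to one facility, `log` or
`alert`, and `-N` switches the log facility off entirely.  So
`output database: log, ...` together with `-N` yields an empty database.
Added example; the sample config below is constructed, not from the thread.
"""
import re
import shlex

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_output_database(conf_text):
    """Return one dict per `output database:` line.  Syntax in 1.x is
    `output database: <facility>, <dbtype>, key=value key=value ...`."""
    plugins = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m or m.group(1) != "database":
            continue
        parts = [p.strip() for p in m.group(2).split(",", 2)]
        params = {}
        if len(parts) > 2:
            for kv in parts[2].split():
                key, _, value = kv.partition("=")
                params[key] = value
        plugins.append({"facility": parts[0],
                        "dbtype": parts[1] if len(parts) > 1 else "",
                        "params": params})
    return plugins


def log_facility_disabled(cmdline):
    """True if -N appears on the command line, also inside a bundled
    short-option group such as -Nd (getopt accepts both forms)."""
    for arg in shlex.split(cmdline):
        if arg.startswith("-") and not arg.startswith("--") and "N" in arg[1:]:
            return True
    return False


def check_facilities(cmdline, conf_text):
    """Return (dbtype, facility, problem) triples; an empty list means OK."""
    problems = []
    disabled = log_facility_disabled(cmdline)
    for p in parse_output_database(conf_text):
        if p["facility"] not in ("log", "alert"):
            problems.append((p["dbtype"], p["facility"], "unknown facility"))
        elif p["facility"] == "log" and disabled:
            problems.append((p["dbtype"], p["facility"],
                             "log facility disabled by -N; use alert or drop -N"))
    return problems


# Constructed sample: the situation from the thread (-N plus a log-facility plugin).
SAMPLE_CONF = """\
# output plugins
output database: log, postgresql, user=root password=secret dbname=snortdb host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
"""
SAMPLE_CMDLINE = "/usr/local/bin/snort -c /var/snort/snort.conf -N"

if __name__ == "__main__":
    for dbtype, facility, problem in check_facilities(SAMPLE_CMDLINE, SAMPLE_CONF):
        print("%s on %s: %s" % (dbtype, facility, problem))
```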




--__--__--

Message: 6
To: alexus <ml at ...1718...>
Cc: snort-users at lists.sourceforge.net
From: roman at ...438...
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 21:23:05 US/Eastern

OK, let's avoid the automated table creation for now.  Try running
the SQL manually (create_acid_tbls_mysql.sql).

Roman

> mysql> select * from user where user='alexus';
> +-----------------+------------------+
> | Host            | localhost        |
> | User            | alexus           |
> | Password        | 34484ed463a66850 |
> | Select_priv     | Y                |
> | Insert_priv     | Y                |
> | Update_priv     | N                |
> | Delete_priv     | Y                |
> | Create_priv     | N                |
> | Drop_priv       | N                |
> | Reload_priv     | N                |
> | Shutdown_priv   | N                |
> | Process_priv    | N                |
> | File_priv       | N                |
> | Grant_priv      | N                |
> | References_priv | N                |
> | Index_priv      | N                |
> | Alter_priv      | N                |
> +-----------------+------------------+
> 1 row in set (0.00 sec)
> 
> mysql>
> 
> 
> i copied and pasted the mysql output to show you that i do have all the right
> privileges
> 
> i also upgraded acid to 0.9.6b9 (which is the latest beta as of today)
> 
> it still doesn't work
> 
> ----- Original Message -----
> From: <roman at ...438...>
> To: "alexus" <ml at ...1718...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Thursday, May 10, 2001 11:18 AM
> Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
> 
> 
> > One observation:
> >
> > - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> > introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> > acid_conf.php will be ignored.
> >
> > Two recommendations:
> >
> > - are you sure that you have CREATE permissions on the DB
> > user set in acid_conf.php?  If all else fails, try using the
> > "create_acid_tbls_mysql.sql" to manually create the ACID
> > tables.
> >
> > - upgrade to a more recent version of ACID => 0.9.6b9.  There
> > are significant feature improvements as well as bug fixes.  If you
> > prefer an older version, upgrade to at least 0.9.6b1, for it has
> > a number of important bug fixes.
> >
> > cheers,
> > Roman
> >
> > > I'm using the following:
> > >
> > > FreeBSD 4.3 - RELEASE (STABLE)
> > > ACID-0.9.5 - RELEASE (STABLE)
> > > ADODB v1.0.1 - RELEASE (STABLE)
> > > PHP - 4.0.5 - RELEASE (STABLE)
> > > APACHE - 1.3.19 - RELEASE (STABLE)
> > > SNORT - 1.7 - RELEASE (STABLE)
> > >
> > > to compile snort i used following line:
> > > ../configure --with-mysql=/usr/local/mysql;make;make install
> > >
> > > i did change acid_conf.php; i put the path to adodb in it
> > >
> > > in adodb
> > >
> > > i put the local path in adodb.inc.php
> > >
> > > when i go to http://localhost/acid it redirects me to acid_main.php and when
> > > it gets there i get this:
> > >
> > > The underlying database alexus at ...274... apears to be invalid.
> > >
> > > The database version is valid, but the ACID DB structure (table: acid_ag) is
> > > not present. Use the Setup page to configure and optimize the DB
> > >
> > > when i click on "Setup page"
> > >
> > > in the status window i get "DONE" for "Search Indexes" and i have "Create ACID
> > > AG" for "ACID tables". i'm assuming i need to click on "Create ACID AG"; when
> > > I do that nothing happens, it won't disappear or it won't change status to
> > > "DONE".. what am i missing?
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >
> 
> 







--__--__--

Message: 7
From: "Steve Shockley" <steve.shockley at ...1658...>
To: <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 22:35:06 -0400
Subject: [Snort-users] Snort 1.8-beta4 Build 17 coredump

I'm running (or trying to!) Snort 1.8 Beta 4 Build 17 on OpenBSD
2.9-snapshot (5/10).  I'm mostly running the standard ruleset/config
file, except I've turned on syslog logging.  I used to have it running
on this machine with Snort 1.7 and OpenBSD 2.8-Release, but somewhere
along the way it broke and I didn't have time to fix it.  I've
recompiled Snort and I have the latest CVS update.  Are there any known
issues with this build?  It seems to dump core a few minutes after
starting it, even running it interactively as root.






--__--__--

Message: 8
Date: Fri, 11 May 2001 08:54:39 +0200
To: Kevin Brown <Kevin.M.Brown at ...1022...>,
   "'Robinson, Ken'" <ken.robinson at ...1563...>,
   "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
From: Jean-Francois Zwobada <zwobada at ...1938...>
Subject: RE: [Snort-users] Rules vs performance


Hi guys

What's the average and peak bandwidth you're trying to analyse?

Regards

JF

At 12:53 10/05/01 -0700, Kevin Brown wrote:

>I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s
>link the snort was clocking 40% of the cpu with absolutely no rules or
>plugins.  I don't remember the specifics, but I was removing rules from
>the list till snort dropped to 80% or less and of the ruleset of 400 rules
>I had to drop all but 50 I believe to get it down.  I'm currently using a
>Sparc 500 and it is clocking 50% of the CPU (same link) with the full
>ruleset in place (snort1.8b5 build 20).  I downloaded top and compiled it
>and just watch the processes and notice that with just the database and
>spp plugins snort is slowly eating up my 1GB of memory.  I don't know if
>that is a memory leak or just a lot of memory caching going on within
>snort.
>
>-----Original Message-----
>From: Robinson, Ken 
>[<mailto:ken.robinson at ...1563...>mailto:ken.robinson at ...1563...]
>Sent: Thursday, May 10, 2001 12:42
>To: Snort List (E-mail)
>Subject: [Snort-users] Rules vs performance
>
>Hello,
>
>Are there any rules of thumb, or such, on how the number of Snort rules
>affects the performance?
>
>In doing some lab tests, we found that as the amount of traffic went up,
>we detected fewer and fewer test attacks.     CPU usage was high, but not
>peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
>NICs and 256Meg RAM.
>
>I don't know if the misses were due to an issue with the hardware (NIC
>missing packets?), or if there were too many rules to sort through for the
>Snort software, or too much logging?
>
>We've looked through the snort rules from Whitehats and found many cases
>where we could reduce the rules by either dropping them (i.e. don't care),
>reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
>instead of detecting which OS),  or making groups of them as activate rules
>(i.e. the DeepThroat backdoor rules).    We could also use the Activate
>rules to log the next 50 packets and then run a full set of rules on those
>logged packets.
>
>So, any advice for us?   Should we use Activate rules as much as possible?
>Should we generalize rules?   Or is all of this not going to make much of a
>difference?
>
>Thanks.
>
>----
>Ken Robinson
>
>
>

Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.44.97.70.00 - Fax : +33.1.44.97.70.14
30, rue du Chateau des Rentiers - 75013 PARIS



--__--__--

Message: 9
From: <holger.bumke at ...1216...>
To: "Richard, Jeff" <Jeff-Richard at ...562...>
cc: "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>
Date: Fri, 11 May 2001 09:22:13 +0200
Subject: Re: [Snort-users] DNS Query Logging?



Try this small shell script:

--------------------------------------------------------------------------------
#!/bin/bash

# suit to your needs
NAMEDSTATS="/etc/named.stats"
PID="/var/run/named.pid"
LOG="/tmp/namedqueries.tmp"

# nothing to be changed below if you're using bash.
declare -i RR_new=0
declare -i RR_old=0

# SIGILL makes named (BIND 8) dump its statistics to $NAMEDSTATS;
# give it a moment to finish writing before the file is read.
kill -SIGILL "$(cat "$PID")"
sleep 1
# on the first run there is no previous sample yet, so count from zero
[ -f "$LOG" ] && RR_old=$(tail -1 "$LOG")
RR_new=$(tail -3 "$NAMEDSTATS" | head -1 | awk '{print $1}')
echo "$RR_new" >"$LOG"
# queries since the last run: difference of the two counter samples
echo "$((RR_new - RR_old))"
--------------------------------------------------------------------------------

Other stats can be obtained by changing the field parameter.

Nice job for cron/MRTG. =:^)

Hope it helps....

Regards,
   Holger







"Richard, Jeff" <Jeff-Richard at ...562...> on 10.05.2001 22:47:34

To:   "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>
Cc:     (Bcc: Holger Bumke/nbg/DE)

Subject:    [Snort-users] DNS Query Logging?




I hope someone can give a hand on this.  I need to get a count of how many
DNS queries my DNS servers are receiving.  What should a rule for DNS
queries look like?  I'm not familiar with DNS traffic, but realize that UDP
53 is the protocol/port, just not sure of any signature(s).

-Jeff
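Jeff's question about what a DNS query looks like on the wire, as an added example that is not part of the original thread: matching UDP port 53 alone also counts the server's responses, so the code below reads the 12-byte DNS header and uses its QR bit (clear for a query, set for a response) to count queries only. The packets are constructed inside the block; function names are my own.

```python
"""Count DNS queries (as opposed to responses) in UDP/53 payloads.

Matching UDP port 53 alone counts the server's answers too.  The DNS
header's QR bit (top bit of the 16-bit flags word) is 0 for a query and
1 for a response, so that bit is the signature a query count needs.
Added example; the packets below are constructed, not captured.
"""
import struct
from collections import Counter

HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (16 bits each)


def parse_header(payload):
    """Return the header fields, or None when the payload is too short."""
    if len(payload) < HEADER_LEN:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:HEADER_LEN])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def parse_qname(payload, offset):
    """Decode the question name (uncompressed labels) starting at offset."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers do not belong in a question
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def classify(payload):
    """Return ('query', name), ('response', name) or ('malformed', None)."""
    hdr = parse_header(payload)
    if hdr is None or hdr["qdcount"] < 1:
        return ("malformed", None)
    try:
        name, _ = parse_qname(payload, HEADER_LEN)
    except (ValueError, IndexError, UnicodeDecodeError):
        return ("malformed", None)
    return ("response" if hdr["qr"] else "query", name)


def count_queries(payloads):
    """Tally payloads by kind: query, response or malformed."""
    return Counter(classify(p)[0] for p in payloads)


def build_packet(name, response=False, txid=0x1234):
    """Constructed test data: a standard A query for name, or a header-only
    response carrying the same question (flags QR, RD and RA set)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


SAMPLE = [build_packet("www.snort.org"),
          build_packet("www.snort.org", response=True),
          build_packet("lists.sourceforge.net"),
          b"\x00\x01"]  # truncated junk seen on port 53

if __name__ == "__main__":
    print(dict(count_queries(SAMPLE)))  # {'query': 2, 'response': 1, 'malformed': 1}
```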







--__--__--


End of Snort-users Digest