[Snort-users] Re: Snort-users digest, Vol 1 #1349 - 12 msgs

Suke Li lisuke at ...4191...
Tue Nov 27 20:46:02 EST 2001


snort-users-request,

RSA is an algorithm based on a one-way direction of big number factorization function.
There is no way for anyone who can use a public key to get the private key.
SSL is based on the RSA algorithm. So, no IDS can decrypt the encrypted sessions in polynomial
time. If the network traffic is heavy, how can you decrypt the sessions? That is impossible.


>Send Snort-users mailing list submissions to
>	snort-users at lists.sourceforge.net
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://lists.sourceforge.net/lists/listinfo/snort-users
>or, via email, send a message with subject or body 'help' to
>	snort-users-request at lists.sourceforge.net
>
>You can reach the person managing the list at
>	snort-users-admin at lists.sourceforge.net
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Snort-users digest..."
>
>
>Today's Topics:
>
>   1. Re: Encrypted sessions (Mike Shaw)
>   2. Re: Encrypted sessions (Chr. v. Stuckrad)
>   3. Re: Encrypted sessions (Erek Adams)
>   4. Strange effect splitting 'alert' to 'redalert' + 'logalert' (Chr. v. Stuckrad)
>   5. Re: Encrypted sessions (Jason Haar)
>   6. RE: Encrypted sessions (Michael Aylor)
>   7. Encrypted sessions (Michael Scheidell)
>   8. Snort & ACID: WAS ([Snort-users] Encrypted sessions) (Ronneil Camara)
>   9. Snort 1.8 and RH 7.1 (D&D Jordan)
>  10. ARIS sensor 1.6 Beta RPM (Jensenne Roculan)
>  11. Next Update to spp_portscan (Stephen Shepherd)
>  12. mysql on win32 (Ali Zaree)
>
>--__--__--
>
>Message: 1
>Date: Tue, 27 Nov 2001 15:25:02 -0600
>To: "Ronneil Camara" <ronneilc at ...4042...>,
> <snort-users at lists.sourceforge.net>
>From: Mike Shaw <mshaw at ...3165...>
>Subject: Re: [Snort-users] Encrypted sessions
>
>No network based IDS is going to be able to see a signature in an encrypted
>session of any kind.  That goes for Snort or any commercial network
>IDS.  If they could see encrypted traffic, so could any eavesdropper.
>
>The vendor may be trying to sell you a host based IDS/integrity checker, in
>which case it's apples and oranges.  Host based and network based IDS are
>two different animals, and should be used to complement not replace each other.
>
>The vendor could also be conveniently omitting that their own NIDS doesn't
>work with encrypted traffic.  The ol' Jedi mind trick.
>
>-Mike
>
>At 02:53 PM 11/27/2001 -0600, Ronneil Camara wrote:
>>How does snort deal with encrypted communication? Let's say I would like to
>>monitor https connections to my web server, or we've got an encrypted
>>connection to another mail server. Would snort know about those attacks?
>>
>>This is what the big vendor company mentioned to me about snort's
>>weakness.
>>
>>Thanks.
>>
>>Neil
>>
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.php3?list
>
>
>
>
>--__--__--
>
>Message: 2
>Date: Tue, 27 Nov 2001 22:25:31 +0100
>From: "Chr. v. Stuckrad" <stucki at ...3882...>
>To: Erek Adams <erek at ...577...>
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Encrypted sessions
>Reply-To: stucki at ...3882...
>
>On Tue, Nov 27, 2001 at 01:13:57PM -0800, Erek Adams wrote:
>> *sigh*  I just love marketing/sales techno-babble.  Not!
>*grin* there is another problem with 'encryption':
>I've seen a thing like an IRC-Bot used as DDOS Command-Center
>and communicating via an encrypted stream to the hacked host...
>
>No chance to see anything, except if the key is already known.
>
>> If it's encrypted traffic, to examine the traffic you would have to decode it.
>But how?  If for example you would want to look for specific bad traffic
>(we had that with ssh1) and you want to find logins via ssh, you only
>get the fact, that there IS a connection, no contents (else ssh would be
>useless anyway).
>
>Stucki
>
>--
>Christoph von Stuckrad       * *  | nickname  | <stucki at ...3882...> \
>Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459 |
>Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600 |
>Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454 /
>
>
>--__--__--
>
>Message: 3
>Date: Tue, 27 Nov 2001 13:30:44 -0800 (PST)
>From: Erek Adams <erek at ...577...>
>To: "Chr. v. Stuckrad" <stucki at ...3882...>
>cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Encrypted sessions
>
>On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:
>
>> *grin* there is another problem with 'encryption':
>> I've seen a thing like an IRC-Bot used as DDOS Command-Center
>> and communicating via an encrypted stream to the hacked host...
>>
>> No chance to see anything, except if the key is already known.
>
>Right!  But I was (pardon the pun) 'keying off' on the fact it was 'our
>mailservers/webservers'.  I made the assumption that they had the keys.  :)
>
>> But how?  If for example you would want to look for specific bad traffic
>> (we had that with ssh1) and you want to find logins via ssh, you only
>> get the fact, that there IS a connection, no contents (else ssh would be
>> useless anyway).
>
>Right again!  If the 3l33t hax0r uses a l33t algorithm like, oh, ROTT13, then
>you've got a bit of a chance.   :)  But if it's something akin to ssh--Good
>luck.
>
>-----
>Erek Adams
>Nifty-Type-Guy
>TheAdamsFamily.Net
>
>
>
>--__--__--
>
>Message: 4
>Date: Tue, 27 Nov 2001 22:43:22 +0100
>From: "Chr. v. Stuckrad" <stucki at ...3882...>
>To: snort-users at lists.sourceforge.net
>Reply-To: stucki at ...3882...
>Subject: [Snort-users] Strange effect splitting 'alert' to 'redalert' + 'logalert'
>
>Hi!
>
>Maybe I did something which is not meant to be used this way(?):
>
>I wanted to have two levels of alerts and logs, so I decided
>to use the user-defined 'ruletype's like:
>------------------------------- snip ----------------------------
>ruletype logalert
>{
>   type alert
>   output alert_syslog: LOG_LOCAL3 LOG_WARNING
>   output alert_fast: /var/log/snort/logalert
>   output log_tcpdump: /var/log/snort/snort.log.dump
>}
>------------------------------- snip ----------------------------
>The 'redalert' is similar but has a higher log facility
>and different filenames.
>
>Then I decided which rule (originally 'alert') will become 'redalert'
>or 'logalert', and if I did it correctly only those two kinds of rule
>do exist now.
>
>HERE Snort is:  Version 1.8.3 (Build 87)
>has flexresponse but not yet databases and uses syslog so far.
>runs on LINUX (SuSE-7.2) on a router's mirror-port.
>
>What goes RIGHT is: syslog, alert_fast
>What goes WRONG is: output log_tcpdump
>
>Is there a way to append instead of write from beginning of the file
>when snort restarts? (It seems to always begin from empty file).
>
>Somehow it seems as if not *every* alerting packet(contents) is logged,
>I often do not find a packet in those files, even if alert_fast did tell
>me it's from and to addresses...
>
>And besides this, portscans are logged to some other/own default file,
>which is acceptable so far :-)
>
>Any ideas what I missed from 'snort.pdf' (maybe it does not explain
>something as of version *.3 and I'd rather read sources?)
>
>Thanks a lot,      Stucki
>
>--
>Christoph von Stuckrad       * *  | nickname  | <stucki at ...3882...> \
>Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459 |
>Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600 |
>Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454 /
>
>
>--__--__--
>
>Message: 5
>Date: Wed, 28 Nov 2001 10:55:41 +1300
>From: Jason Haar <Jason.Haar at ...294...>
>To: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Encrypted sessions
>Organization: Trimble Navigation New Zealand Ltd.
>
>On Tue, Nov 27, 2001 at 01:13:57PM -0800, Erek Adams wrote:
>> On Tue, 27 Nov 2001, Ronneil Camara wrote:
>>
>> > How does snort deal with encrypted communication? Let's say I would like to
>> > monitor https connections to my web server, or we've got an encrypted
>> > connection to another mail server. Would snort know about those attacks?
>>
>> Anyone else got a better way to play with encryption?  I'm looking for new
>> ideas!
>
>Yup - don't encrypt it :-)
>
>Seriously, encryption is too hard to do on the fly - so MOVE THE PROBLEM.
>Terminate your SSL sessions on a reverse proxy (either commercial or
>Squid-2.5 for instance), and then it'll talk HTTP to the backend Web servers.
>
>Not only can your IDS detect attacks again, but you've moved an expensive
>task off your Web servers onto something specifically installed to do SSL...
>
>
>--
>Cheers
>
>Jason Haar
>
>Information Security Manager
>Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
>
>--__--__--
>
>Message: 6
>From: Michael Aylor <maylor at ...1991...>
>To: 'Erek Adams' <erek at ...577...>, "Chr. v. Stuckrad"
>	 <stucki at ...3882...>
>Cc: snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Encrypted sessions
>Date: Tue, 27 Nov 2001 16:25:50 -0600
>
>That would be neat, if there was a way of telling snort about the
>existence of a private RSA key that it had read access to, so it could
>reverse engineer the public key exchange it was watching...am I
>oversimplifying?  My understanding was that, if you had the private key
>(and presumably the password used to encrypt it), then you'd be able to
>decode any traffic using that key.  Am I incorrect?
>
>
>Mike
>
>-----Original Message-----
>From: Erek Adams [mailto:erek at ...577...]
>Sent: Tuesday, November 27, 2001 3:31 PM
>To: Chr. v. Stuckrad
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Encrypted sessions
>
>
>On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:
>
>> *grin* there is another problem with 'encryption':
>> I've seen a thing like an IRC-Bot used as DDOS Command-Center
>> and communicating via an encrypted stream to the hacked host...
>>
>> No chance to see anything, except if the key is already known.
>
>Right!  But I was (pardon the pun) 'keying off' on the fact it was 'our
>mailservers/webservers'.  I made the assumption that they had the keys.  :)
>
>> But how?  If for example you would want to look for specific bad traffic
>> (we had that with ssh1) and you want to find logins via ssh, you only
>> get the fact, that there IS a connection, no contents (else ssh would be
>> useless anyway).
>
>Right again!  If the 3l33t hax0r uses a l33t algorithm like, oh, ROTT13, then
>you've got a bit of a chance.   :)  But if it's something akin to ssh--Good
>luck.
>
>-----
>Erek Adams
>Nifty-Type-Guy
>TheAdamsFamily.Net
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>--__--__--
>
>Message: 7
>From: "Michael Scheidell" <scheidell at ...3799...>
>To: <snort-users at lists.sourceforge.net>
>Cc: <ronneilc at ...4042...>
>Subject: [Snort-users] Encrypted sessions
>Date: Tue, 27 Nov 2001 17:49:55 -0500
>Organization: Florida Datamation, Inc.
>
>> Date: Tue, 27 Nov 2001 14:53:22 -0600
>> From: "Ronneil Camara" <ronneilc at ...4042...>
>> To: <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Encrypted sessions
>>
>> How does snort deal with encrypted communication? Let's say I would like to
>> monitor https connections to my web server, or we've got an encrypted
>> connection to another mail server. Would snort know about those attacks?
>>
>> This is what the big vendor company mentioned to me about snort's
>> weakness.
>
>And the 'big vendor' can decrypt encrypted sessions? or are they just
>blowing smoke?
>No, snort will not decrypt ssh or ssl sessions and I doubt 'big vendor' can
>either.
>
>
>
>
>
>--__--__--
>
>Message: 8
>Subject: Snort & ACID: WAS ([Snort-users] Encrypted sessions)
>Date: Tue, 27 Nov 2001 17:17:48 -0600
>From: "Ronneil Camara" <ronneilc at ...4042...>
>To: <snort-users at lists.sourceforge.net>
>
>Thank you very much for all the responses. It was really helpful to me.
>Anyways, are there any issues with versions of Snort and ACID? I
>actually would like to try it tonight. Aside from demarc, are there any
>other good console web interfaces for snort?
>
>Thanks.
>
>Neil
>
>
>--__--__--
>
>Message: 9
>From: "D&D Jordan" <info at ...4189...>
>To: <snort-users at lists.sourceforge.net>
>Date: Tue, 27 Nov 2001 15:35:35 -0800
>Subject: [Snort-users] Snort 1.8 and RH 7.1
>
>Greetings,
>I recently changed from my normal course of waiting for either source rpms
>or pre-compiled rpms to use version 1.8.2
>I d/l the i386 rpm from snort.org d/l page and while everything installed
>okay, I have one error that is keeping snortd from loading.
>
>This is the problem. When I run "/etc/rc.d/init.d/snortd start"
>I get this "Starting snort: execvp: No such file or directory    [FAILED]"
>
>Can anyone tell me what this means?
>
>Thanks,
>Don Jordan
>
>
>
>--__--__--
>
>Message: 10
>Date: Tue, 27 Nov 2001 16:43:54 -0700 (MST)
>From: Jensenne Roculan <jroculan at ...35...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] ARIS sensor 1.6 Beta RPM
>
>Hi there,
>
>For those who may be interested, SecurityFocus has released the ARIS
>sensor RPM which includes Snort 1.8.2, the default ruleset, and the newly
>released ARIS extractor 1.6.  It is built on RedHat Linux 7.1 but should
>install properly on most other Linux distributions.  It is available at:
>
>ARIS sensor 1.6 Beta
>http://aris.securityfocus.com/Download.asp
>
>To install this RPM, run :
>
># rpm --install aris-sensor-1.6-beta.i386.rpm
>
>This will install the included programs in /usr/local/aris-sensor. Next,
>run the "install.pl" script within the aris-sensor directory to configure
>ARIS extractor to automatically upload your data.
>
>If you installed the previous version of the RPM, you must uninstall it,
>by running the following commands:
>
># /etc/rc.d/init.d/snort stop
># rpm --erase aris-sensor-1.0-beta
>
>The standalone version of ARIS extractor is also available at the URL
>above.
>
>Users of ARIS extractor 1.6 can now enable the automatic generation of
>daily summary reports. These reports, sent by email, give you an overview
>of the activity seen by your IDS over the previous 24 hour period. For an
>example of this report, see the following:
>
>http://aris.securityfocus.com/HELP/dailysummarysetup.htm
>
>Any questions or comments can be directed to aris-bugs at ...35...
>
>Thanks for your time.
>
>Cheers,
>
>Jensenne Roculan
>SecurityFocus - http://www.securityfocus.com
>ARIS - http://aris.securityfocus.com
>(403) 213-3939 ext. 229
>
>
>
>
>
>
>--__--__--
>
>Message: 11
>Reply-To: <drew600_1999 at ...131...>
>From: "Stephen Shepherd" <drew600_1999 at ...131...>
>To: "Snort Users List \(E-mail\)" <snort-users at lists.sourceforge.net>
>Date: Tue, 27 Nov 2001 19:34:51 -0700
>Subject: [Snort-users] Next Update to spp_portscan
>
>Does anyone know when we might see an update to spp_portscan that will log
>into the snort DB in a structured format? I poked around on the snort web
>site but I did not see any new news.
>
>Now that I have ACID up and running I am loving life but I sure would like
>to be able to mine the portscan data more effectively. The
>current unstructured logging is better than nothing but I want more... :-)
>
>
>
>_________________________________________________________
>Do You Yahoo!?
>Get your free @yahoo.com address at http://mail.yahoo.com
>
>
>
>--__--__--
>
>Message: 12
>From: "Ali Zaree" <a_zaree at ...4190...>
>To: snort-users at lists.sourceforge.net
>Date: Wed, 28 Nov 2001 10:56:46 +0800
>Subject: [Snort-users] mysql on win32
>
>I just joined the mailing list, so I hope this question hasn't been asked/answered before. I looked through the archive and couldn't find anything about it:
>
>Is there a mysql version of snort 1.8.2 for Windows?  I've got it working great for linux clients but when I try the binary from the snort download page on a windows box I get:
>
><snip>
>>database: compiled support for ( )
>>database: configured to use mysql
>>database: mysql support is not compiled in this copy
>....
>>Fatal Error, Quitting..
>
>
>Thnx in advance,
>
>Ali Zaree
>
>--
>
>_______________________________________________
>Get your free email from http://www.graffiti.net
>
>Powered by Outblaze
>
>
>
>--__--__--
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
>End of Snort-users Digest

            Best regards!

            Suke Li
            lisuke at ...4191...
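The thread's technical points (Mike Shaw: a network IDS cannot match a signature inside an encrypted session; Chr. v. Stuckrad: the sensor still learns that a connection exists, just not its contents; Jason Haar: terminate SSL on a reverse proxy so the sensor sees plain HTTP) can be shown in one short program. The following is an added example, not code from the digest, from Snort or from any of the posters. It uses Go's crypto/tls to run one TLS session in memory over net.Pipe, taps the bytes the client puts on the wire (the mirror-port view) and compares them with the plaintext the terminating server reads. The signature string, the sample request, the www.example.com name and the throwaway self-signed certificate are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// Signature is a constructed Snort-style content match (the byte string a NIDS rule
// would look for in an HTTP request); Request is a constructed client request carrying it.
var (
	Signature = []byte("../../etc/passwd")
	Request   = []byte("GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
)

// Result records what each vantage point could see for one TLS session.
type Result struct {
	WireBytes, Plaintext              []byte // mirror-port view vs. terminated view
	WireHit, SNIVisible, PlaintextHit bool   // Signature / server name found where?
}

// tapConn copies everything the client writes into a buffer: the mirror-port
// view of the client->server direction, taken below the TLS layer.
type tapConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (t *tapConn) Write(p []byte) (int, error) {
	t.wire.Write(p)
	return t.Conn.Write(p)
}

// selfSignedCert builds a throwaway certificate for the in-process server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"www.example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Inspect runs one TLS session entirely in memory (no sockets) and checks for Signature from both vantage points.
func Inspect() (Result, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return Result{}, err
	}
	clientRaw, serverRaw := net.Pipe()
	wire := &bytes.Buffer{}

	// Server side: the terminating endpoint (the reverse proxy in the thread's suggestion).
	var plaintext []byte
	done := make(chan error, 1)
	go func() {
		defer serverRaw.Close() // raw close: no close_notify exchange for net.Pipe to deadlock on
		// Session tickets stay off so the synchronous pipe handshake stays lock-step.
		srv := tls.Server(serverRaw, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		if err := srv.Handshake(); err != nil {
			done <- err
			return
		}
		buf := make([]byte, len(Request))
		_, err := io.ReadFull(srv, buf) // the decrypted request, as the backend would receive it
		plaintext = buf
		done <- err
	}()

	// Client side, with the sensor tap underneath the TLS layer; the cert is self-signed, so verification is skipped.
	cli := tls.Client(&tapConn{Conn: clientRaw, wire: wire}, &tls.Config{ServerName: "www.example.com", InsecureSkipVerify: true})
	if err = cli.Handshake(); err == nil {
		_, err = cli.Write(Request) // returns once the server has consumed the record
	}
	clientRaw.Close() // on success the request is already delivered; on failure this unblocks the server
	if srvErr := <-done; err == nil {
		err = srvErr
	}
	if err != nil {
		return Result{}, err
	}
	r := Result{WireBytes: wire.Bytes(), Plaintext: plaintext}
	r.WireHit = bytes.Contains(r.WireBytes, Signature)
	r.SNIVisible = bytes.Contains(r.WireBytes, []byte("www.example.com"))
	r.PlaintextHit = bytes.Contains(r.Plaintext, Signature)
	return r, nil
}
```

Calling Inspect() gives WireHit false and PlaintextHit true: the content match only works where the plaintext exists, which is the terminating proxy or the host itself. SNIVisible is true because the server name in the ClientHello is sent in the clear, which is exactly the "there IS a connection, no contents" situation Stucki describes. On Michael Aylor's question: with the RSA key exchange common in 2001 a sensor holding the server's private key could recover the session keys, but with the ephemeral (ECDHE) key exchange this TLS stack negotiates the private key alone does not allow passive decryption, so termination or proxying remains the reliable place to inspect.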




