[Snort-users] another question

twig les twigles at ...131...
Mon Dec 16 12:07:49 EST 2002


That is about the crudest way possible to capture AIM
traffic.  If someone changes the port you miss them
and the potential for false alarms is staggering.  And
no it doesn't log the session or content.

To implement a custom rule you can simply create a
text file called custom.rules and type/paste them in,
then add an include statement to the new rules file at
the end of snort.conf.

--- "Shafer, Troy" <tshafer at ...7761...> wrote:
> I found this code on the net for logging aim
> traffic...
> 
> alert tcp any any -> any 5190 (msg:"AIM Message";
> content:"HTML";)
> 
> my first question, does this actually log the
> content of the messages and
> two how would I implement this with snort... write a
> .rules file... then put
> an include in the snort.conf?  Still trying to
> figure this snort thing
> out...
> 
> Troy Shafer
> Network Engineer
> Laurel County Schools
>  
> 606-862-4616
> tshafer at ...7761...
> 
> -----Original Message-----
> From: snort-users-request at lists.sourceforge.net
> [mailto:snort-users-request at lists.sourceforge.net] 
> Sent: Monday, December 16, 2002 1:49 PM
> To: snort-users at lists.sourceforge.net
> Subject: Snort-users digest, Vol 1 #2587 - 8 msgs
> 
> 
> Today's Topics:
> 
>    1. Re: Exclude IP addresses for all rules (Jens
> Krabbenhoeft)
>    2. writing to DB (only!) (Eduard San Anselmo
> Mateu)
>    3. RE: DB ERROR (Luo, Philip)
>    4. Ignorehosts, once again (Marc Quibell)
>    5. Newbie (Shafer, Troy)
>    6. Update
> (=?iso-8859-1?q?Luiz=20Alberto=20Cataldo=20Jr?=)
>    7. Re: Snort-users digest, Vol 1 #2581 - 7 msgs
> (Robert Young)
>    8. RE: New Trend: Intrusion Prevention (Sheahan,
> Paul (PCLN-NW))
> 
> --__--__--
> 
> Message: 1
> Date:	Mon, 16 Dec 2002 09:11:15 +0100
> From:	Jens Krabbenhoeft
> <tschenz-snort-users at ...7018...>
> To:	snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Exclude IP addresses for
> all rules
> 
> Hi,
> 
> > I want to exclude IP addresses in my home net from
> being watched at
> > all.
> 
> As you write 'being watched at all' the best thing
> to do is to ignore
> the IPs via BPF. Have a look at Erek Adams post:
> 
> http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2
> 
> Try starting snort with "snort -options.... not host
> 192.168.1.1 and not
> host 192.168.1.2".
> 
> > var HOME_NET [!$EXCLUDE,192.168.1.0/24]
> 
> The problem is that you have an ORed list in
> HOME_NET. !192.168.1.1 OR
> 192.168.1.0/24 matches on all IPs in 192.168.1.0/24.
> 
> Have a look at my last week's post at
> http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2
> 
> HTH,
> 	Jens
> 
> 
> --__--__--
> 
> Message: 2
> Date: Mon, 16 Dec 2002 12:04:29 +0100
> From: Eduard San Anselmo Mateu
> <esananselmo at ...6002...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] writing to DB (only!)
> 
> Hi everyone,
> I think I can't get to understand the way snort stores information,
> i.e. output plugins. The thing is that I would like snort to only
> store information in the database (so I set the database output
> plugin with log(?)...), but I don't want any information being
> written to a file (so I put -A none on the command line, is it
> right?). Of course, the output database plugin is the only one I
> have uncommented at the conf file, so snort should only log to the
> database, but I get the message "WARNING: command line overrides
> rules file alert plugin", and I've read that snort won't log to the
> database when this message shows up.
> So what am I doing wrong? Could anyone point me to a doc where
> output plugins are explained?
> Thanks in advance.
> Eduard
> 
> 
> 
> --__--__--
> 
> Message: 3
> From: "Luo, Philip" <Philip_Luo at ...4729...>
> To: 'Steve Suehring' <snort at ...7160...>
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] DB ERROR
> Date: Mon, 16 Dec 2002 08:43:07 -0500
> 
> There is no error when I tried mysql -u snort -p
> snort,
> Then I tried the rest, here is what I got,
> 
> mysql> show grants for snort at ...274...;
> +------------------------------------------------------------------------------------------------------------------------------------+
> | Grants for snort at ...274...                                                                                                       |
> +------------------------------------------------------------------------------------------------------------------------------------+
> | GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
> | GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost'                                                            |
> +------------------------------------------------------------------------------------------------------------------------------------+
> 2 rows in set (0.00 sec)
> 
> mysql> show grants for snort at ...263...;
> +------------------------------------------------------------------------------------------------------------------------------------+
> | Grants for snort at ...263...                                                                                                       |
> +------------------------------------------------------------------------------------------------------------------------------------+
> | GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'127.0.0.1' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
> | GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'127.0.0.1'                                                            |
> +------------------------------------------------------------------------------------------------------------------------------------+
> 
=== message truncated ===


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
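The custom.rules / include procedure described in the reply above, carried through as an added example (not code from the list post or from the Snort project). It assumes snort.conf already defines $HOME_NET and $RULE_PATH, that SID 1000001 is unused locally, and it keeps the original port-5190 / "HTML" match only as a crude policy detector; the flow and session options are standard Snort rule keywords, and session:printable is what makes Snort write the printable session bytes to the log directory, which the bare rule in the question does not do.

```snort
# ---- custom.rules (new file, placed alongside the other *.rules) ----
# Constructed example. SID 1000001 is assumed free; local SIDs start at 1000000.
# flow:to_server,established limits the match to client->server data on an
# established TCP session, which removes most of the reflected/inbound noise.
# session:printable dumps the printable bytes of the matching session to the
# log directory so the message text is actually captured.
# The port-5190 + "HTML" match is still only a heuristic: a client on another
# port is missed, and any HTML on 5190 fires it.
alert tcp $HOME_NET any -> any 5190 (msg:"LOCAL AIM client message on 5190"; \
    flow:to_server,established; content:"HTML"; nocase; \
    session:printable; sid:1000001; rev:1;)

# ---- snort.conf (append at the very end, after the stock include lines) ----
# $RULE_PATH is the variable stock snort.conf uses for the rules directory.
include $RULE_PATH/custom.rules
```

Reload Snort after editing and confirm the rule parses before relying on it; a syntax error in an included file aborts start-up rather than silently skipping the rule.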
