[Snort-users] RE: Exchange 2000

Richard Lyons lyonsrf at ...7815...
Thu Dec 19 13:20:17 EST 2002


Has anyone dealt with putting Snort onto an Exchange 2000 box?  Anything
in particular that I would need to know, i.e., disable certain things
initially before installation?  Any help would greatly be appreciated!

RL

-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net] 
Sent: Thursday, December 19, 2002 12:51 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #2600 - 9 msgs



Today's Topics:

   1. RE: Barnyard/acid reconfigure question (Henning, David)
   2. Ignorehosts still not working... (Marc Quibell)
   3. ACID Graph Page (Gary Borgeson)
   4. RE: Ignorehosts still not working... (Hicks, John)
   5. RE: ACID Graph Page (Steve Halligan)
   6. RE: DB ERROR (Luo, Philip)
   7. Re: One question (Matt Kettler)
   8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
   9. RE: Clueless in Toronto (Rich Stryker)

--__--__--

Message: 1
From: "Henning, David" <henningd at ...7800...>
To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
Date: Thu, 19 Dec 2002 09:01:38 -0500
Subject: RE: [Snort-users] Barnyard/acid reconfigure question

Excellent explanation!  Thank you!

Dave

-----Original Message-----
From: Jens Krabbenhoeft

Hi,

> What am I missing on how to assign this number and keep it consistent?

op_acid_db.c:

  /* if sensor id == 0, then we attempt to determine it dynamically */
  if(data->sensor_id == 0)
  {
      data->sensor_id = AcidDbGetSensorId(data);
  }

And AcidDbGetSensorId does the following:

  "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
  "AND filter='%s' AND detail='%u' AND encoding='0'", pv.hostname,
  pv.interface, pv.filter, op_data->detail)

If it gets a sensor back, it uses that sensor_id, if not, it inserts the
new sensor.

So from the code, to keep it consistent, don't change the hostname /
interface / filter and detail.

Hope that helps,

	Jens

BTW: It works for me. Changing any of these values inserts a new sensor,
changing nothing doesn't do anything to the sensor-table.
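The lookup-or-insert behaviour Jens quotes from op_acid_db.c, reproduced as an added Python example (this is not barnyard's own code) against an in-memory SQLite stand-in for the ACID sensor table; the table schema, the sensor values and the use of bound parameters instead of sprintf-style formatting are assumptions of this example:

```python
import sqlite3

# Constructed stand-in for the ACID "sensor" table. The column names follow
# the SELECT quoted from op_acid_db.c; the types are an assumption.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT NOT NULL,
    interface TEXT NOT NULL,
    "filter"  TEXT NOT NULL,
    detail    INTEGER NOT NULL,
    encoding  INTEGER NOT NULL
)
"""


def open_db():
    """Fresh in-memory database with an empty sensor table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def acid_get_sensor_id(conn, hostname, interface, bpf_filter, detail, encoding=0):
    """Modelled on AcidDbGetSensorId: the sid is keyed only on hostname,
    interface, filter, detail and encoding. An existing row is reused;
    otherwise a new sensor row is inserted and its sid returned.
    Bound parameters are used here (an assumption, not the C code's
    sprintf), so an odd hostname or BPF string cannot alter the query."""
    row = conn.execute(
        'SELECT sid FROM sensor WHERE hostname=? AND interface=? '
        'AND "filter"=? AND detail=? AND encoding=?',
        (hostname, interface, bpf_filter, detail, encoding),
    ).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        'INSERT INTO sensor (hostname, interface, "filter", detail, encoding) '
        'VALUES (?, ?, ?, ?, ?)',
        (hostname, interface, bpf_filter, detail, encoding),
    )
    conn.commit()
    return cur.lastrowid


def sensor_count(conn):
    """Number of rows in the sensor table."""
    return conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]


def demo():
    """Replay the scenario from the thread: restarting with identical
    parameters keeps the sid; changing any key field mints a new one."""
    conn = open_db()
    first = acid_get_sensor_id(conn, "sensor1", "eth1", "", 1)   # constructed
    again = acid_get_sensor_id(conn, "sensor1", "eth1", "", 1)   # same key
    other_if = acid_get_sensor_id(conn, "sensor1", "eth0", "", 1)      # new interface
    other_detail = acid_get_sensor_id(conn, "sensor1", "eth1", "", 0)  # new detail
    return {
        "first": first,
        "again": again,
        "other_if": other_if,
        "other_detail": other_detail,
        "rows": sensor_count(conn),
    }


if __name__ == "__main__":
    print(demo())
```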


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 2
From: "Marc Quibell" <mquibell at ...7759...>
To: snort-users at lists.sourceforge.net
Date: Thu, 19 Dec 2002 09:07:15 -0600
Subject: [Snort-users] Ignorehosts still not working...

My snort cmd line is:
 /usr/local/bin/snort -o -q -i eth1  -c
/usr/local/demarc/conf/snorteth1.conf

My snorteth1.conf is as follows:
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
#var DNS_SERVERS $HOME_NET
var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
var HTTP_PORTS 80
var ORACLE_PORTS 1521

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor stream4: detect_scans, disable_evasion_alerts

output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3ss host=192.168.45.111 sensor_name=ike.fbfs.com


#BEGIN RULES:

I cannot get it to ignore those two hosts. Suggestions?

Thanks.

Marc




--__--__--

Message: 3
From: Gary Borgeson <gborgeson at ...7012...>
To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
Date: Thu, 19 Dec 2002 09:53:35 -0600
Subject: [Snort-users] ACID Graph Page

Does someone know what causes this?

, * * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University * (see the file 'acid_main.php' for license details) * * Purpose: displays form for graphing */ echo ' '; echo ' '; echo 'Chart Title: '; echo 'Chart Type: { chart type } Time (hour) vs. Number of Alerts Time (day) vs. Number of Alerts Time (month) vs. Number of Alerts Src. IP address vs. Number of Alerts Dst. IP address vs. Number of Alerts Dst. UDP Port vs. Number of Alerts Src. UDP Port vs. Number of Alerts Dst. TCP Port vs. Number of Alerts Src. TCP Port vs. Number of Alerts Sig. Classification vs. Number of Alerts Sensor vs. Number of Alerts '; // Do you need other periods? Simply add them! echo ' Chart Period: no period 7 (a week) 24 (whole day) 168 (24x7) '; echo ' Size: (width x height) x '; echo ' Plot Margins: (left x right x top x bottom) x x x x '; echo ' Plot type: bar line pie '; echo '

Thanks, G


--__--__--

Message: 4
From: "Hicks, John" <JHicks at ...5857...>
To: 'Marc Quibell' <mquibell at ...7759...>, "Snort Users (E-mail)" <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Ignorehosts still not working...
Date: Thu, 19 Dec 2002 11:25:23 -0500

add /32 for CIDR notation?
var DNS_SERVERS [207.108.40.xxx/32,207.108.40.xxx/32]

hth,
John

-----Original Message-----
From: Marc Quibell [mailto:mquibell at ...7759...]
Sent: Thursday, December 19, 2002 10:07 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Ignorehosts still not working...



--__--__--

Message: 5
From: Steve Halligan <giermo at ...187...>
To: 'Gary Borgeson' <gborgeson at ...7012...>, "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] ACID Graph Page
Date: Thu, 19 Dec 2002 10:31:49 -0600


Does someone know what causes this?

****cut*****


You are missing a ' somewhere at the end of an echo statement somewhere near the beginning of that mess.


-steve



--__--__--

Message: 6
From: "Luo, Philip" <Philip_Luo at ...4729...>
To: 'twig les' <twigles at ...131...>
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] DB ERROR
Date: Thu, 19 Dec 2002 11:36:37 -0500

It still happens to me, especially when I looked at the detail of alerts.

-----Original Message-----
From: twig les [mailto:twigles at ...131...] 
Sent: Friday, December 13, 2002 1:05 PM
To: Steve Suehring; Luo, Philip
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] DB ERROR

Actually you may shed some light on it if you try:

mysql -h localhost -u snort -p snort
mysql -h 127.0.0.1 -u snort -p snort

--- Steve Suehring <snort at ...7160...> wrote:
> Can you try doing something like this from the
> command-line:
> 
> mysql -u snort -p snort
> 
> Then see what error and/or error number you get.
> 
> Also, from within the MySQL CLI (as root):
> show grants for snort at ...274...;
> show grants for snort at ...263...;
> 
> Steve
> 
> On Fri, Dec 13, 2002 at 09:20:46AM -0500, Luo,
> Philip wrote:
> > I did, no luck. I modified the hosts file too.
> > 
> > -----Original Message-----
> > From: Jens Krabbenhoeft
> [mailto:tschenz-snort-users at ...7018...] 
> > Sent: Thursday, December 12, 2002 11:36 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] DB ERROR
> > 
> > Hi,
> > 
> > > grant INSERT,SELECT,CREATE,DELETE on snort.* to snort at ...274... identified
> >                                                            ^^^^^^^^^
> > > Database ERROR:Database ERROR:Access denied for user: 'snort at ...263...' to
> >                                                                   ^^^^^^^^^
> > 
> > Try doing a grant for snort at ...263...
> > 
> > HTH,
> > 	Jens 





--__--__--

Message: 7
Date: Thu, 19 Dec 2002 12:01:13 -0500
To: Carmelo Zubeldia <czubeldia at ...7523...>, snort-users at lists.sourceforge.net
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] One question

No, not a bridge, a router. However I suspect what you are calling a "bridge" is really a router anyway.

A bridge is a simple ethernet layer device that bridges 2 ethernet segments (i.e.: a switch with only 2 ports is a bridge); a router is an IP layer device with multiple interfaces that routes IP packets between them. The significant difference here is that some non-IP things like ARP don't generally pass through a router (although they might be proxied by it), but any type of ethernet packet can go through a bridge, provided the MAC addresses dictate it is headed to the other side.

Since hogwash relies on IPTables for filtering, that filtering is IP layer, thus must happen on a system which routes at an IP layer. It can't merely be an ethernet layer bridge.

At 12:11 PM 12/19/2002 +0100, Carmelo Zubeldia wrote:
>Hi all,
>
>Run hogwash in a Bridge?
>
>Thxs
>--



--__--__--

Message: 8
Date: Thu, 19 Dec 2002 11:18:57 -0600
From: "Madziarczyk, Jonathan" <than at ...3657...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Redhat 8.0 and Snort...playing nice?

Hey all,

  So I've seen a couple of questions regarding RedHat 8 and Snort but not a lot of answers....Does anyone have this combo working right now? Were there problems you hadn't encountered in other installs?

Thanks,
JonM


--__--__--

Message: 9
Subject: RE: [Snort-users] Clueless in Toronto
Date: Thu, 19 Dec 2002 12:50:11 -0500
From: "Rich Stryker" <rstryker at ...7794...>
To: "SnortUsers (E-mail)" <snort-users at ...314...>

Is there any reason that you can think of as to why my SNORT, when set to log to a binary file, would die after a few seconds or a minute or two? And why the binary file that is created can't be read by SNORT afterwards like the SNORT document says it can?

Thanks,

Rich

-----Original Message-----
From: Joel Healy [mailto:Joel.Healy at ...7405...]
Sent: Wednesday, December 18, 2002 2:48 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto


Hi Rich,

Ok... When you run snort you will need to tell it where its configuration file is unless you have it in the default location, and I don't know where that is on a W2K box.  Have a read what command line options (check out http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.1) you can pass to it, as it sounds like you are using the -l command to create packet logs, which is in effect creating the IP address subfolders, but for a fairly vanilla installation you could run it as "snort -c C:\mypath\snort.conf"; your snort.conf should be where your rules are.

So the next step is to edit your snort.conf file (check out http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5) and configure one of the output plugins.. for example for your alert.ids file..
	output alert_fast: alert.ids

A best practise configuration is to configure snort to use the unified output plugin
	output alert_unified: snort.alert

which writes out the alerts in a binary format that is much quicker than any of the other plugins.. then use barnyard to read the file and output the alert.. it can output in any of the ways snort can.  That allows snort (or hogwash) to keep up with quite high traffic throughput.

anyway hope that helps.

cheers

joel


-----Original Message-----
From: Rich Stryker [mailto:rstryker at ...7794...]
Sent: Thursday, December 19, 2002 7:43 AM
To: SnortUsers (E-mail)
Subject: RE: [Snort-users] Clueless in Toronto


Great Thanks Keith!

Got it. I understand now why that is. Switches will broadcast only once until they know which port to send traffic out of.
This would mean I would miss just about everything except for the broadcasts and multicasts. Whereas a hub is in constant broadcast mode since it shouldn't have the ability to have a MAC table...right?

Assuming I am correct, can you or anyone else now help me with SNORTSNARF? When I followed the instructions from Silicon Defense for installing SNORT on a W2K machine with IIS, SNORT created an alert.ids file. I set up SNORT to run as a service but I didn't get anything, no logs etc. When SNORT runs from the command line it doesn't write to the alert.ids but creates sub folders for every IP address it finds, which I have read to mean that is the default setting.

Any suggestions on how I can get the logs to be put into the alert.ids and thereby allowing me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight at ...7145...]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low


Rich,

If you only have dumb switches, then get a hub. Force all traffic you want to monitor through the hub. You only need one interface on the SNORT box to monitor traffic. If you want to use switches, you need to enable port spanning so that one switch port receives all the traffic on the switch and then plug snort into that port.

Crude text diagram...

              Snort
               ||
               \/
Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E.
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212



-----Original Message-----
From: Rich Stryker [mailto:rstryker at ...7794...]
Sent: December 18, 2002 11:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Clueless in Toronto


Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because i am just testing the waters with it. There are 2 NICs.

I can seem to figure out how to implement it now that it is running. I figure I will put it behind my firewall. But how do i force traffic to go through one NIC on the server and out through the other? Do i even need to do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but it only tracked the local computer's traffic and nothing else.

I have SNORTSNARF installed to see the reports but when I seem to have SNORT running I can't find the log files. I want SNORT setup for NIDS.

All help is greatly appreciated.

Thanks,

Rich





--__--__--



End of Snort-users Digest



