[Snort-users] RE: Exchange 2000

twig les twigles at ...131...
Thu Dec 19 15:15:02 EST 2002


No, never done that.  Off the top of my head that
sounds like a terrible idea.  A NIDS is only effective
if it can keep up with the traffic on your network. 
If you are using Windows+Exchange then you would need
a lot more horsepower.  Also consider the security
implications.  The next round of zero-day Exchange
exploits could get your IDS owned.

Better to confiscate an old box (old nowadays seems to
mean 700MHz) and throw redhat or freebsd on it per the
guides.  This isn't an OS war thing (dear god I don't
want that yet again) but simply an overhead issue.


--- Richard Lyons <lyonsrf at ...7815...> wrote:
> Has anyone dealt with putting Snort onto an Exchange 2000 box?
> Anything in particular that I would need to know, i.e., disable
> certain things initially before installation?  Any help would
> greatly be appreciated!
> 
> RL
> 
> -----Original Message-----
> From: snort-users-request at lists.sourceforge.net
> [mailto:snort-users-request at lists.sourceforge.net] 
> Sent: Thursday, December 19, 2002 12:51 PM
> To: snort-users at lists.sourceforge.net
> Subject: Snort-users digest, Vol 1 #2600 - 9 msgs
> 
> Send Snort-users mailing list submissions to
> 	snort-users at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> 	snort-users-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> 	snort-users-admin at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> Today's Topics:
> 
>    1. RE: Barnyard/acid reconfigure question (Henning, David)
>    2. Ignorehosts still not working... (Marc Quibell)
>    3. ACID Graph Page (Gary Borgeson)
>    4. RE: Ignorehosts still not working... (Hicks, John)
>    5. RE: ACID Graph Page (Steve Halligan)
>    6. RE: DB ERROR (Luo, Philip)
>    7. Re: One question (Matt Kettler)
>    8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
>    9. RE: Clueless in Toronto (Rich Stryker)
> 
> --__--__--
> 
> Message: 1
> From: "Henning, David" <henningd at ...7800...>
> To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
> Date: Thu, 19 Dec 2002 09:01:38 -0500
> Subject: RE: [Snort-users] Barnyard/acid reconfigure question
> 
> Excellent explanation!  Thank you!
> 
> Dave
> 
> -----Original Message-----
> From: Jens Krabbenhoeft
> 
> Hi,
> 
> > What am I missing on how to assign this number and keep it consistent?
> 
> op_acid_db.c:
> 
>   /* if sensor id == 0, then we attempt to determine it dynamically */
>   if(data->sensor_id == 0)
>   {
>       data->sensor_id = AcidDbGetSensorId(data);
>   }
> 
> And AcidDbGetSensorId does the following:
> 
>   "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
>   "AND filter='%s' AND detail='%u' AND encoding='0'",
>   pv.hostname, pv.interface, pv.filter, op_data->detail)
> 
> If it gets a sensor back, it uses that sensor_id; if not, it inserts
> the new sensor.
> 
> So from the code, to keep it consistent, don't change the hostname /
> interface / filter and detail.
> 
> Hope that helps,
> 
> 	Jens
> 
> BTW: It works for me. Changing any of these values inserts a new
> sensor; changing nothing doesn't do anything to the sensor table.
> 
> 
> 
> 
> --__--__--
> 
> Message: 2
> From: "Marc Quibell" <mquibell at ...7759...>
> To: snort-users at lists.sourceforge.net
> Date: Thu, 19 Dec 2002 09:07:15 -0600
> Subject: [Snort-users] Ignorehosts still not working...
> 
> 
> 
> My snort cmd line is:
>  /usr/local/bin/snort -o -q -i eth1 -c /usr/local/demarc/conf/snorteth1.conf
> 
> My snorteth1.conf is as follows:
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> #var DNS_SERVERS $HOME_NET
> var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
> var HTTP_PORTS 80
> var ORACLE_PORTS 1521
> 
> preprocessor defrag
> preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
> preprocessor unidecode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> preprocessor stream4: detect_scans, disable_evasion_alerts
> 
> output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3s host=192.168.45.111 sensor_name=ike.fbfs.com
> 
> 
> #BEGIN RULES:
> 
> I cannot get it to ignore those two hosts.  Suggestions?
> 
> Thanks.
> 
> Marc
> 
> 
> 
> 
> --__--__--
> 
> Message: 3
> From: Gary Borgeson <gborgeson at ...7012...>
> To: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
> Date: Thu, 19 Dec 2002 09:53:35 -0600
> Subject: [Snort-users] ACID Graph Page
> 
=== message truncated ===


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
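As an added illustration of the lookup-or-insert behaviour Jens describes for AcidDbGetSensorId above (this is constructed example code, not Snort's op_acid_db.c), the same match-on-every-field logic is reproduced against an in-memory SQLite table whose columns are assumed from the quoted query; the hostnames and interfaces are made up:

```python
import sqlite3

# Constructed minimal version of the ACID "sensor" table. Assumption: the
# column names follow the query quoted in the thread; the real schema has
# more columns. "filter" is quoted because it is a keyword in newer SQLite.
SCHEMA = '''
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT,
    interface TEXT,
    "filter"  TEXT,
    detail    INTEGER,
    encoding  INTEGER
)
'''

def open_db():
    """In-memory stand-in for the MySQL database that the ACID output plugin logs to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def get_sensor_id(conn, hostname, interface, filt, detail, encoding=0):
    """Mirror of the lookup-or-insert logic quoted from AcidDbGetSensorId.

    Every field of the tuple is part of the match, so changing any one of
    them (e.g. the interface name) yields a new sid instead of reusing the
    old one; leaving them all unchanged always returns the existing sid.
    """
    row = conn.execute(
        'SELECT sid FROM sensor WHERE hostname=? AND interface=? '
        'AND "filter"=? AND detail=? AND encoding=?',
        (hostname, interface, filt, detail, encoding),
    ).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        'INSERT INTO sensor (hostname, interface, "filter", detail, encoding) '
        'VALUES (?, ?, ?, ?, ?)',
        (hostname, interface, filt, detail, encoding),
    )
    conn.commit()
    return cur.lastrowid

def demo():
    """Constructed walk-through: same tuple -> same sid, changed interface -> new sid."""
    conn = open_db()
    first = get_sensor_id(conn, "ids01.example.net", "eth1", "", 1)
    same = get_sensor_id(conn, "ids01.example.net", "eth1", "", 1)
    other = get_sensor_id(conn, "ids01.example.net", "eth0", "", 1)
    count = conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]
    return first, same, other, count
```

Running demo() shows why a sensor_id that "keeps changing" is almost always a changed hostname, interface, filter or detail setting rather than a database fault.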
