[Snort-users] RE: Exchange 2000

aaron g click46 at ...7386...
Thu Dec 19 22:14:02 EST 2002


Not to be snide, but perhaps you are mistaken as to Snort's intrusion detection purpose? Snort is a network IDS, not a host IDS.

-aarong    

----- Original Message -----
From: "Richard Lyons" <lyonsrf at ...7815...>
Date: Thu, 19 Dec 2002 13:20:54 -0500 
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] RE: Exchange 2000

> Has anyone dealt with putting Snort onto a Exchange 2000 box?  Anything
> in particular that I would need to know, i.e., disable certain things
> initially before installation?  Any help would greatly be appreciated!
> 
> RL
> 
> -----Original Message-----
> From: snort-users-request at lists.sourceforge.net
> [mailto:snort-users-request at lists.sourceforge.net] 
> Sent: Thursday, December 19, 2002 12:51 PM
> To: snort-users at lists.sourceforge.net
> Subject: Snort-users digest, Vol 1 #2600 - 9 msgs
> 
> 
> Today's Topics:
> 
>    1. RE: Barnyard/acid reconfigure question (Henning, David)
>    2. Ignorehosts still not working... (Marc Quibell)
>    3. ACID Graph Page (Gary Borgeson)
>    4. RE: Ignorehosts still not working... (Hicks, John)
>    5. RE: ACID Graph Page (Steve Halligan)
>    6. RE: DB ERROR (Luo, Philip)
>    7. Re: One question (Matt Kettler)
>    8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
>    9. RE: Clueless in Toronto (Rich Stryker)
> 
> --__--__--
> 
> Message: 1
> From: "Henning, David" <henningd at ...7800...>
> To: "'snort-users at lists.sourceforge.net'	"
> <snort-users at lists.sourceforge.net>
> Date: Thu, 19 Dec 2002 09:01:38 -0500
> Subject: RE: [Snort-users] Barnyard/acid reconfigure question
> 
> Excellent explanation!  Thank you!
> 
> Dave
> 
> -----Original Message-----
> From: Jens Krabbenhoeft
> 
> Hi,
> 
> > What am I missing on how to assign this number and keep it consistent?
> 
> op_acid_db.c:
> 
>   /* if sensor id == 0, then we attempt attempt to determine it
> dynamically */
>   if(data->sensor_id == 0)
>   {
>       data->sensor_id = AcidDbGetSensorId(data);
>   }
> 
> And AcidDbGetSensorId does the following:
> 
>   "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
>   "AND filter='%s' AND detail='%u' AND encoding='0'", pv.hostname,
>   pv.interface, pv.filter, op_data->detail)
> 
> If it gets a sensor back, it uses that sensor_id, if not, it inserts the
> new sensor.
> 
> So from the code, to keep it consistent, don't change the hostname /
> interface / filter and detail.
> 
> Hope that helps,
> 
> 	Jens
> 
> BTW: It works for me. Changing any of these values inserts a new sensor,
> changing nothing doesn't do anything to the sensor-table.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> --__--__--
> 
> Message: 2
> From: "Marc Quibell" <mquibell at ...7759...>
> To: snort-users at lists.sourceforge.net
> Date: Thu, 19 Dec 2002 09:07:15 -0600
> Subject: [Snort-users] Ignorehosts still not working...
> 
> 
> 
> My snort cmd line is:
>  /usr/local/bin/snort -o -q -i eth1  -c
> /usr/local/demarc/conf/snorteth1.conf
> 
> My snorteth1.conf is as follows:
> var HOME_NET any
> var EXTERNAL_NET any
> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> #var DNS_SERVERS $HOME_NET
> var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
> var HTTP_PORTS 80
> var ORACLE_PORTS 1521
> 
> preprocessor defrag
> preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
> preprocessor unidecode: 80
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> preprocessor stream4: detect_scans, disable_evasion_alerts
> 
> output database: log, mysql, user=snort_ike dbname=snortmaster
> password=ikeacc3s
> s host=192.168.45.111 sensor_name=ike.fbfs.com
> 
> 
> #BEGIN RULES:
> 
> I cannot get it to ignore those two hosts. Suggestions?
> 
> THanks.
> 
> Marc
> 
> 
> 
> 
> --__--__--
> 
> Message: 3
> From: Gary Borgeson <gborgeson at ...7012...>
> To: "'snort-users at lists.sourceforge.net'"
> 	 <snort-users at lists.sourceforge.net>
> Date: Thu, 19 Dec 2002 09:53:35 -0600
> Subject: [Snort-users] ACID Graph Page
> 
>  
> 
> Does someone know what causes this?
> 
>  
> 
> , * * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University * (see
> the
> file 'acid_main.php' for license details) * * Purpose: displays form for
> graphing */ echo ' 
> 
> '; echo ' 
> 
> 
> '; echo 'Chart Title:   
> '; echo 'Chart Type:   { chart type }  Time (hour) vs. Number of Alerts
> Time (day) vs. Number of Alerts  Time (month) vs. Number of Alerts  Src.
> IP
> address vs. Number of Alerts  Dst. IP address vs. Number of Alerts  Dst.
> UDP
> Port vs. Number of Alerts  Src. UDP Port vs. Number of Alerts  Dst. TCP
> Port
> vs. Number of Alerts  Src. TCP Port vs. Number of Alerts  Sig.
> Classification vs. Number of Alerts  Sensor vs. Number of Alerts '; //
> Do
> you need other periods? Simply add them! echo '  Chart Period:   no
> period
> 7 (a week)  24 (whole day)  168 (24x7) 
> '; echo '  Size: (width x height)    x     
> '; echo '  Plot Margins: (left x right x top x bottom)    x    x    x
> 
> '; echo '  Plot type:    bar    line    pie '; echo '
> 
>  
> 
>  
> 
> Thanks, G
> 
> 
> 
> --__--__--
> 
> Message: 4
> From: "Hicks, John" <JHicks at ...5857...>
> To: 'Marc Quibell' <mquibell at ...7759...>, "Snort Users (E-mail)"
> 	 <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] Ignorehosts still not working...
> Date: Thu, 19 Dec 2002 11:25:23 -0500
> 
> add /32 for CIDR notation?
> var DNS_SERVERS [207.108.40.xxx/32,207.108.40.xxx/32]
> 
> hth,
> John
> 
> 
> 
> --__--__--
> 
> Message: 5
> From: Steve Halligan <giermo at ...187...>
> To: 'Gary Borgeson' <gborgeson at ...7012...>,
> 	"'snort-users at lists.sourceforge.net'"
> <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] ACID Graph Page
> Date: Thu, 19 Dec 2002 10:31:49 -0600
> 
> 
> Does someone know what causes this?
> 
> ****cut*****
> 
> 
> You are missing a ' at the end of an echo statement somewhere near
> the beginning of that mess.
> 
> 
> -steve
> 
> 
> 
> --__--__--
> 
> Message: 6
> From: "Luo, Philip" <Philip_Luo at ...4729...>
> To: 'twig les' <twigles at ...131...>
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] DB ERROR
> Date: Thu, 19 Dec 2002 11:36:37 -0500
> 
> It still happens to me, especially when I looked at the detail of
> alerts.
> 
> -----Original Message-----
> From: twig les [mailto:twigles at ...131...] 
> Sent: Friday, December 13, 2002 1:05 PM
> To: Steve Suehring; Luo, Philip
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] DB ERROR
> 
> Actually you may shed some light on it if you try:
> 
> mysql -h localhost -u snort -p snort
> mysql -h 127.0.0.1 -u snort -p snort
> 
> --- Steve Suehring <snort at ...7160...> wrote:
> > Can you try doing something like this from the
> > command-line:
> > 
> > mysql -u snort -p snort
> > 
> > Then see what error and/or error number you get.
> > 
> > Also, from within the MySQL CLI (as root):
> > show grants for snort at ...274...;
> > show grants for snort at ...263...;
> > 
> > Steve
> > 
> > On Fri, Dec 13, 2002 at 09:20:46AM -0500, Luo,
> > Philip wrote:
> > > I did, no luck. I modified the hosts file too.
> > > 
> > > -----Original Message-----
> > > From: Jens Krabbenhoeft
> > [mailto:tschenz-snort-users at ...7018...] 
> > > Sent: Thursday, December 12, 2002 11:36 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] DB ERROR
> > > 
> > > Hi,
> > > 
> > > > grant INSERT,SELECT,CREATE,DELETE on snort.* to
> > snort at ...274... identified
> > >                                                   
> >      ^^^^^^^^^
> > > > Database ERROR:Database ERROR:Access denied for
> > user: 'snort at ...263...' to
> > >                                                   
> >             ^^^^^^^^^
> > > 
> > > Try doing a grant for snort at ...263...
> > > 
> > > HTH,
> > > 	Jens 
> > > 
> 
> 
> =====
> -----------------------------------------------------------
> If you give a man a fish, he can eat for a day
> If you bludgeon him to death, you can eat the fish yourself
> 
> -----------------------------------------------------------
> 
> 
> 
> 
> --__--__--
> 
> Message: 7
> Date: Thu, 19 Dec 2002 12:01:13 -0500
> To: Carmelo Zubeldia <czubeldia at ...7523...>,
>    snort-users at lists.sourceforge.net
> From: Matt Kettler <mkettler at ...4108...>
> Subject: Re: [Snort-users] One question
> 
> No, not a bridge, a router. However I suspect what you are calling a
> "bridge" is really a router anyway.
> 
> A Bridge is a simple ethernet layer device that bridges 2 ethernet segments
> (ie: a switch with only 2 ports is a bridge), a router is an IP layer
> device with multiple interfaces that routes IP packets between them. The
> significant difference here is that some non-IP things like ARP don't
> generally pass through a router (although they might be proxied by it), but
> any type of ethernet packet can go through a bridge, provided the MAC
> addresses dictate it is headed to the other side.
> 
> Since hogwash relies on IPTables for filtering, that filtering is IP layer,
> thus must happen on a system which routes at an IP layer. It can't merely
> be an ethernet layer bridge.
> 
> At 12:11 PM 12/19/2002 +0100, Carmelo Zubeldia wrote:
> >Hi all,
> >
> >Run hogwash in a Bridge?
> >
> >Thxs
> >--
> 
> 
> 
> --__--__--
> 
> Message: 8
> Date: Thu, 19 Dec 2002 11:18:57 -0600
> From: "Madziarczyk, Jonathan" <than at ...3657...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Redhat 8.0 and Snort...playing nice?
> 
> Hey all,
> 
>   So I've seen a couple of questions regarding RedHat 8 and Snort but
> not a lot of answers....Does anyone have this combo working right now?
> Were there problems you hadn't encountered in other installs?
> 
> Thanks,
> JonM
> 
> 
> --__--__--
> 
> Message: 9
> Subject: RE: [Snort-users] Clueless in Toronto
> Date: Thu, 19 Dec 2002 12:50:11 -0500
> From: "Rich Stryker" <rstryker at ...7794...>
> To: "SnortUsers (E-mail)" <snort-users at ...314...>
> 
> Is there any reason that you can think of as to why my SNORT, when set
> to log to a binary file, would die after a few seconds or a minute or
> two? And why the binary file that is created can't be read by SNORT
> afterwards like the SNORT document says it can?
> 
> Thanks,
> 
> Rich
> 
> -----Original Message-----
> From: Joel Healy [mailto:Joel.Healy at ...7405...]
> Sent: Wednesday, December 18, 2002 2:48 PM
> To: Rich Stryker
> Subject: RE: [Snort-users] Clueless in Toronto
> 
> 
> Hi Rich,
> 
> Ok... When you run snort you will need to tell it where its configuration
> file is unless you have it in the default location and I don't know where
> that is on a W2K box.  Have a read of what command line options (check out
> http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.1) you can pass
> to it as it sounds like you are using the -l command to create packet logs
> which is in effect creating the IP address subfolders, but for a fairly
> vanilla installation you could run it as "snort -c C:\mypath\snort.conf",
> your snort.conf should be where your rules are.
> 
> So the next step is to edit your snort.conf file (check out
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5) and configure
> one of the output plugins.. for example for your alert.ids file..
> 	output alert_fast: alert.ids
> 
> A best practice configuration is to configure snort to use the unified output
> plugin
> 	output alert_unified: snort.alert
> 
> which writes out the alerts in a binary format that is much quicker than any
> of the other plugins.. then use barnyard to read the file and output the
> alert.. it can output in any of the ways snort can.  That allows snort (or
> hogwash) to keep up with quite high traffic throughput.
> 
> anyway hope that helps.
> 
> cheers
> 
> joel
> 
> 
> -----Original Message-----
> From: Rich Stryker [mailto:rstryker at ...7794...]
> Sent: Thursday, December 19, 2002 7:43 AM
> To: SnortUsers (E-mail)
> Subject: RE: [Snort-users] Clueless in Toronto
> 
> 
> Great Thanks Keith!
> 
> Got it. I understand now why that is. Switches will broadcast only once
> until they know which port to send traffic out of.
> This would mean I would miss just about everything except for the broadcasts
> and multicasts. Whereas a hub is in constant broadcast mode since it
> shouldn't have the ability to have a MAC table...right?
> 
> Assuming I am correct can you or anyone else now help me with SNORTSNARF?
> When I followed the instructions from Silicon Defense, for installing SNORT
> on a W2K machine with IIS, SNORT created an alert.ids file. I setup SNORT to
> run as a service but I didn't get anything, no logs etc. When SNORT runs
> from the command line it doesn't write to the alert.ids but creates sub
> folders for every IP address it finds, which I have read to mean that is the
> default setting.
> 
> Any suggestions on how I can get the logs to be put into the alert.ids and
> thereby allowing me to get SNORTSNARF to work?
> 
> -----Original Message-----
> From: Knight, Ric [mailto:RKnight at ...7145...]
> Sent: Wednesday, December 18, 2002 1:28 PM
> To: Rich Stryker
> Subject: RE: [Snort-users] Clueless in Toronto
> Importance: Low
> 
> 
> Rich,
> 
> If you only have dumb switches, then get a hub. Force all traffic you want
> to monitor through the hub. You only need one interface on the SNORT box to
> monitor traffic. If you want to use switches, you need to enable port
> spanning so that one switch port receives all the traffic on the switch and
> then plug snort into that port.
> 
> Crude text diagram...
> 
>               Snort
>                ||
>                \/
> Router <----> Hub <-------> firewall
> 
> =-=-=-=-=-=-=-=-=-=-
> Ric Knight
> Network Engineer
> TransUnion Canada
> 170 Jackson St. E.
> Hamilton Ontario, L8N 1L4
> (905) 525-9013 x6212
> 
> 
> 
> -----Original Message-----
> From: Rich Stryker [mailto:rstryker at ...7794...]
> Sent: December 18, 2002 11:32 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Clueless in Toronto
> 
> 
> Hi,
> 
> I have installed SNORT 1.8x on a W2K Server. No service packs as yet because
> I am just testing the waters with it. There are 2 NICs.
> 
> I can't seem to figure out how to implement it now that it is running. I
> figure I will put it behind my firewall. But how do I force traffic to go
> through one NIC on the server and out through the other? Do I even need to
> do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but
> it only tracked the local computer's traffic and nothing else.
> 
> I have SNORTSNARF installed to see the reports but when I seem to have SNORT
> running I can't find the log files. I want SNORT setup for NIDS.
> 
> All help is greatly appreciated.
> 
> Thanks,
> 
> Rich
> 
> 
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest
> 
> 

    
-- 
_______________________________________________
Get your free email from http://mymail.operamail.com

Powered by Outblaze
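The lookup-or-insert that Jens describes for barnyard's sensor id in message 1 of the quoted digest, as an added worked example that is not part of this thread and not the barnyard or ACID code itself. It uses a constructed in-memory SQLite stand-in for the `sensor` table with only the columns the quoted SELECT names; the real schema's DDL is not reproduced. The hostname and interface are the ones from the snort.conf posted in message 2 (sensor_name=ike.fbfs.com, -i eth1); the empty BPF filter and detail level 1 are assumed. It uses a parameterised query rather than the printf-style format in the quote, so a quote character in a hostname or filter string cannot change the statement, even though those values normally come from the sensor's own configuration.

```python
import sqlite3

# Constructed stand-in for the ACID 'sensor' table: just the columns that
# AcidDbGetSensorId's SELECT in op_acid_db.c refers to.
SENSOR_DDL = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT    NOT NULL,
    interface TEXT    NOT NULL,
    filter    TEXT    NOT NULL,
    detail    INTEGER NOT NULL,
    encoding  INTEGER NOT NULL
)
"""


def new_sensor_db():
    """Return an in-memory database holding an empty sensor table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SENSOR_DDL)
    return conn


def get_sensor_id(conn, hostname, interface, filter_, detail, encoding=0):
    """Return the sid whose (hostname, interface, filter, detail, encoding)
    matches this sensor, inserting a new row when none matches.

    Parameterised placeholders replace the printf-style "%s" formatting of
    the quoted C code, so a quote in hostname or filter is data, not SQL.
    """
    key = (hostname, interface, filter_, detail, encoding)
    row = conn.execute(
        "SELECT sid FROM sensor WHERE hostname=? AND interface=? "
        "AND filter=? AND detail=? AND encoding=?",
        key,
    ).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, ?)",
        key,
    )
    conn.commit()
    return cur.lastrowid


def count_sensors(conn):
    """Number of rows in the sensor table."""
    return conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]


def resolve_sensor_id(conn, configured_sensor_id, hostname, interface,
                      filter_, detail):
    """The branch from op_acid_db.c: a non-zero configured sensor_id is used
    as-is; zero means determine it dynamically from the table."""
    if configured_sensor_id != 0:
        return configured_sensor_id
    return get_sensor_id(conn, hostname, interface, filter_, detail)


if __name__ == "__main__":
    db = new_sensor_db()
    # Constructed run: two starts with identical values, then one where only
    # the interface changed (as if the sensor had been moved to eth0).
    first = resolve_sensor_id(db, 0, "ike.fbfs.com", "eth1", "", 1)
    again = resolve_sensor_id(db, 0, "ike.fbfs.com", "eth1", "", 1)
    moved = resolve_sensor_id(db, 0, "ike.fbfs.com", "eth0", "", 1)
    print(first, again, moved, count_sensors(db))  # prints: 1 1 2 2
```

Running it shows that restarts with an unchanged hostname, interface, filter and detail come back with the same sid, while changing any one of them inserts a second sensor row, which is why the advice in the quoted message is to keep those four values fixed if the sensor id in the database is to stay consistent.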



