[Snort-users] "trons" Rules

Jeff Dell jdell at ...1095...
Fri Mar 1 04:56:09 EST 2002


If you check out Robert Grahams website, you will see that he talks
about BlackICE using snort Signatures..

<clip from http://robertgraham.com/pubs/ids/trons.html>

What is TRONS?
TRONS is an independent IDS subsystem in BlackICE that reads in
Snort-like signatures. TRONS is currently an unsupported feature. If you
contact tech support, they will know less about it than what's on this
webpage. TRONS has not been tested; bad stuff may happen if you use it. 



> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Lampe, John W.
> Sent: Friday, March 01, 2002 7:26 AM
> To: 'dr.kaos'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] "trons" Rules
> 
> 
> seems obvious to me...trons = snort (backwards).  
> 
> "imitation is the sincerest form of flattery" :-)
> 
> John Lampe
> 
> -----Original Message-----
> From: dr.kaos [mailto:dr.kaos at ...4970...]
> Sent: Friday, March 01, 2002 12:43 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] "trons" Rules
> 
> 
> Hmmmmm. Anbody else find this interesting?  trons, huh...
> 
> From BugTraq in a response re: missing blackice signatures and a 
> means by which to make blackice log certain attacks...
> 
> ./dr.k
> 
> [...snip...]
> 
> "I can't recommend you use this feature, but it may be interesting 
> for entertainment purposes. Add the following lines to the 
> "blackice.ini" file:
> 
> trons = enabled
> trons.rule = alert tcp any any -> any any (msg:"URG 
> Scan";flags:U;) trons.filename = 
> trons-needs-filename-even-if-dont-exist
> 
> I can't stress enough that this feature is unsupported and that 
> you can't get any help from us about this feature at this time. 
> However, you might find documentation somewhere on the net 
> :-). As a user, I added those lines and transmitted the 
> packet described in the NtWaK0 message, and BlackICE triggered on it."
> 
> Robert Graham
> Internet Security Systems
> 
> PS: I'll be putting up a small TRONS document up on my 
> personal website tomorrow. The link will be: 
> http://robertgraham.com/pubs/ids/trons.html
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/s> nort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 





More information about the Snort-users mailing list