[Snort-users] Detecting FTP Hacks

Michael Pickert Michael.Pickert at ...2435...
Tue Mar 26 23:53:02 EST 2002


Hi,

is there any chance to get snort alerting me if someone accesses our ftp
server as user anonymous or when he is creating a dir named, let's say,
tagged?

I tried a bit around, but it doesn't work, because snort isn't able to
check ftp traffic.

Any ideas?

Thanks.

Michael Pickert
michael.pickert at ...2435...
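Snort's content keyword does inspect the FTP control channel: USER, PASS, MKD and the other commands travel as plain text to TCP port 21, so they can be matched like any other TCP payload. The rules below are an added example written for this post; they are not from the original message, from a reply on the list, or from the Snort rule distribution. They assume the control channel is cleartext FTP on port 21 (FTP over TLS hides the commands), that $HOME_NET is defined in snort.conf, that the stream4 preprocessor is loaded so the flow keyword works (older rule sets used flags:A+ in its place), and the SIDs are placeholders picked from the local (>1,000,000) range.

```snort
# Added example for local.rules (not from the original post or the Snort distribution).
# Assumptions: cleartext FTP control channel on TCP/21, $HOME_NET set in snort.conf,
# stream4 loaded for the flow keyword, placeholder SIDs from the local range.

# Anonymous login attempt. The USER command is sent before any password, so this
# fires on the attempt whether or not the server accepts it. FTP command verbs
# are case-insensitive, hence nocase. "USER ftp" is the other name that most
# servers map to the anonymous account, so it gets its own rule.
alert tcp any any -> $HOME_NET 21 (msg:"LOCAL FTP anonymous login attempt"; \
    flow:to_server,established; content:"USER anonymous"; nocase; \
    sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"LOCAL FTP anonymous login attempt (USER ftp)"; \
    flow:to_server,established; content:"USER ftp"; nocase; \
    sid:1000002; rev:1;)

# Creation of a directory called "tagged". Both content strings must be present
# in the packet; "MKD " is matched without regard to case, the directory name as
# typed, and it is not anchored so "MKD /pub/incoming/tagged" matches as well.
# Snort does not enforce the order of the two matches, so a payload that carries
# "tagged" elsewhere on a line with MKD also fires; for a policy rule that is
# acceptable noise.
alert tcp any any -> $HOME_NET 21 (msg:"LOCAL FTP MKD of directory named tagged"; \
    flow:to_server,established; content:"MKD "; nocase; content:"tagged"; \
    sid:1000003; rev:1;)
```

These rules report the attempt, which is usually what you want for a directory name used as a marker. If you also want to know whether an anonymous login actually succeeded, the server's reply is the place to look: a successful login is answered with a 230 code from port 21, but the text after the code differs from server to server, so match on the leading "230" rather than on the banner wording. If the server listens on a port other than 21, change the destination port in the header; the rule options stay the same.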

>>> snort-users-request at lists.sourceforge.net 22.03.02 06:49:05 >>>
Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net 

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users 
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net 

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net 

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. ge iface snort (Christian Kuhtz)
   2. disabling portscan false alarms for a certain port (137) (Steve.Evans at ...5369...)
   3. Re: How to install LibNetNT (SkatFiend at ...661...)
   4. Re: Generating SSHD Alerts (Scott Taylor)
   5. RE: Alert Based on MAC Address (Wirth, Jeff)
   6. Re: in or out this is the problem!! (Matt Kettler)
   7. Re: Linux Snort Stealth Interface Help Request (Chris Green)
   8. Re: Alert Based on MAC Address (Matt Kettler)
   9. RE: How to install LibNetNT (Michael Steele)
  10. Detecting source routing packets (Sheahan, Paul (PCLN-NW))
  11. Increasing Packet (Kevin L Pawloski)
  12. [Snort-users]Newbie needs help!! (lsd kuyeh)
  13. Re: portscans and ACID (Omar McKenzie)
  14. Re: MySQLOutput database & No logging (Omar McKenzie)

--__--__--

Message: 1
From: "Christian Kuhtz" <christian at ...4821...>
To: <snort-users at lists.sourceforge.net>
Date: Thu, 21 Mar 2002 11:46:38 -0500
Subject: [Snort-users] ge iface snort


hey there,

who around here has used snort on ge ifaces?  i'd like to swap some
experiences...

thanks,
chris




--__--__--

Message: 2
From: Steve.Evans at ...5369... 
To: snort-users at lists.sourceforge.net 
Date: Thu, 21 Mar 2002 11:15:26 -0700
Subject: [Snort-users] disabling portscan false alarms for a certain port (137)

Hi all.

I'm getting the following :

Mar 21 10:01:03 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:07 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 3 connections across 3 hosts: TCP(0), UDP(3)
Mar 21 10:01:11 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:15 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:20 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:24 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:28 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)

Etc..

This node is not a DNS server.. and it's not the only node that I get
notified about.

The portscan.log looks like :

Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:21 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:24 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:26 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:29 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:31 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:34 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:35 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:38 192.168.1.3:137 -> 192.168.1.130:137 UDP  

Etc..

Rather than ignoring all portscans from/to this host, I'd like to just be
able to ignore portscans on UDP port 137 (netbios?)

Is there a way to do this with snort (Version 1.8.1-RELEASE (Build 74))?

Thanks!

Steve..

PS, please reply directly, I'm not on the mailing list..


--__--__--

Message: 3
From: SkatFiend at ...661... 
Date: Thu, 21 Mar 2002 16:47:10 EST
Subject: Re: [Snort-users] How to install LibNetNT
To: dr at ...381... 
CC: snort-users at lists.sourceforge.net 



Thanks for the help all. I did some clean up, updated to ACID b21, and a
scandisk to correct a few disk errors, bounced the box and up it came
without the memory error I was getting b4, go figure, don't know what the
problem was. I'm using a copy of LibNetNT from Eeye and it seems to be fine
now.

Maybe it was just having a bad hair day ;)

Thanks again, Cliff


> If you use the Win32 installer and select the flexresp option
> in the installer it will install libnetnt.dll along with snort,
> and you will be able to use flexresp.
> 
> I assume this is for use with snort since you asked the question in
> snort-users...
> 
> Otherwise libnetNT for use in a program by itself can
> be gotten from the port of it at:
> 
> http://www.eeye.com/html/Research/Tools/libnetnt.html 
> 
> cheers,
> --dr
> 
> On Tue, 19 Mar 2002 20:55:45 EST
> SkatFiend at ...661... wrote:
> 
> > Hi all,
> > 
> > Can someone point me in the right direction for install instructions for
> > LibNet on a Win2K box?????
> > 
> > Thanks, Cliff
> > 
> 
> 
> -- 
> --dr                  pgpkey: http://dragos.com/dr-dursec.asc 
>       CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - 
> http://cansecwest.com 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> 




--__--__--

Message: 4
From: "Scott Taylor" <scottt at ...4859...>
Date: Thu, 21 Mar 2002 14:15:40 -0800
To: kpawloski at ...5338... 
Subject: Re: [Snort-users] Generating SSHD Alerts
CC: snort-users at lists.sourceforge.net 

You can do this one: 
Add this line to your local.rules file.

alert tcp any any -> any any (msg:"TCP traffic";)




---- Begin Original Message ----

From: kpawloski at ...5338... 
Sent: Tue, 19 Mar 2002 21:06:53 GMT
To: Snort-users at lists.sourceforge.net 
Subject: [Snort-users] Generating SSHD Alerts


OK, so I'll admit this is a newbie related question.

Right now I have one snort sensor installed behind a heavily ACL'd network
so traffic behind my firewall is rather quiet alert wise. How can I generate
some alerts on my own to make sure my rules aren't whacked? I have a bastion
box that I was thinking I can try and set off some false SSH alerts on my
own. Any ideas?

Thanks in advance.

Kevin




________________________________________________________________
GET INTERNET ACCESS FROM JUNO!
Juno offers FREE or PREMIUM Internet access for less!
Join Juno today!  For your FREE software, visit:
http://dl.www.juno.com/get/web/.



---- End Original Message ----



THERE IS ONLY ONE... 
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com 
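Scott's catch-all rule does prove the alert path works, but it fires on every TCP packet the sensor sees and has to be taken out again afterwards. A narrower way to do what Kevin asks, added here as an example and not from either poster, is a canary rule: it matches a string that nothing on the network sends on its own, so you can fire it on demand against the bastion host's SSH port and silence means something in the chain (sniffing, rule parsing, detection, output plugin) is broken. It assumes sshd on TCP/22 inside $HOME_NET, the stream4 preprocessor loaded for the flow keyword, netcat on the test client, and a placeholder SID from the local range.

```snort
# Added example (not from the original messages): a self-test rule for local.rules.
# Assumptions: bastion sshd on TCP/22 in $HOME_NET, stream4 loaded for flow,
# netcat available on the client, placeholder SID from the local range.
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL snort self-test canary"; \
    flow:to_server,established; content:"SNORT-SELFTEST-2002"; nocase; \
    sid:1000010; rev:1;)

# Trigger it from any host whose traffic crosses the sensor, for example:
#   printf 'SNORT-SELFTEST-2002\r\n' | nc <bastion-host> 22
# The string arrives on an established connection, so flow:to_server,established
# is satisfied. sshd answers a bogus client banner with "Protocol mismatch." and
# closes the connection, which is harmless; the payload has already passed the
# sensor by then.
```

Leave the rule in place permanently: a scheduled trigger from a fixed host gives you a heartbeat, and the absence of the expected alert is itself worth paging on.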


--__--__--

Message: 5
From: "Wirth, Jeff" <WirthJe at ...4876...>
To: "'Bamberger, Marc (M.A.)'" <mbamberg at ...5362...>,
        "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Alert Based on MAC Address
Date: Thu, 21 Mar 2002 17:47:14 -0500

> Am I misunderstanding the content keyword or is there another way to
> accomplish this?

hmmm...I don't think snort in IDS mode can help you here.  The MAC lives in
the link-level header and the content keyword looks in the packet payload.
You may want to consider crafting something up with snort in sniffer mode
(or tcpdump) using the filter option.

i.e. # snort -v ether host <Enter your MAC here> 

This would trigger output anytime snort came across a packet with the MAC in
question.

Hope this helps..

- Jeff


--__--__--

Message: 6
Date: Thu, 21 Mar 2002 18:13:15 -0500
To: "Federico Lombardo" <egopfe at ...125...>,
   <snort-users at lists.sourceforge.net>
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] in or out this is the problem!!

Both interfaces should see the packet, unless the router that routes
between your DMZ and your LAN does not allow them to pass, in which case
only the DMZ one will see the syn packet.

So if you want to see all syn's sent from the DMZ to the lan, watch on the
DMZ interface. If you want to see all syns sent from the DMZ which actually
get to the lan, watch on the lan interface.

If your router is properly configured only syn packets which are explicitly
allowed should make it from the DMZ to the LAN. Otherwise you don't really
have a very effective DMZ (one of the main points of having a DMZ is so
that a compromise of a machine there won't easily lead to a compromise of
your lan).


  I'd recommend adding rules to both snort sensors and comparing.



At 02:59 PM 3/21/2002 +0100, Federico Lombardo wrote:
>I've two interfaces.
>1) is the LAN interface
>2) is the DMZ interface
>Each interface has a snort sensor.
>
>if I want for example log syn packets from dmz to lan... where I must put
>this rules ?
>
>in the LAN interface or in the DMZ one ?



--__--__--

Message: 7
To: markgannon at ...5364... 
Cc: Snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] Linux Snort Stealth Interface Help Request
From: Chris Green <cmg at ...1935...>
Reply-To: snort-users at lists.sourceforge.net 
Date: Thu, 21 Mar 2002 18:33:54 -0500

"Mark Gannon" <markgannon at ...5364...> writes:

> Hello,
>
> I'm having difficulty implementing a stealth interface per Snort FAQs 3.1 and
> 3.2 on a Linux (SuSE 7.3 with kernel 2.4.14) system using a regular straight
> through cable.   I start snort and no traffic is displayed to stdout even
> though another interface on the same segment shows traffic via tcpdump.
>
> Eth1 is connected to a Netgear Dual Speed Hub (DS 106) that has a link light

Is the traffic that you are monitoring at 10 or 100? You can't do
both. I really wish the Netgear 100bt-only hub was more popular
because that's the most common problem.
-- 
Chris Green <cmg at ...1935...>
Eschew obfuscation.



--__--__--

Message: 8
Date: Thu, 21 Mar 2002 18:39:40 -0500
To: "Bamberger, Marc (M.A.)" <mbamberg at ...5362...>,
   "'snort-users at lists.sourceforge.net'"	
<snort-users at lists.sourceforge.net>
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] Alert Based on MAC Address

As Jeff W already said, the content option of a rule looks at the 
application layer content, not the headers.

you might consider using tcpdump for this purpose:

tcpdump ether src <mac address>

or run arpwatch.

Snort is major overkill for only trying to catch packets with a single,
static feature of the header. Snort is designed for applying a few hundred
different test cases (including application layer content searches) to each
packet and logging matches. Tcpdump is designed for dumping packets which
match a relatively simple header content pattern. Choose your tool that
best fits the scope of your task.

At 03:34 PM 3/21/2002 -0500, Bamberger, Marc (M.A.) wrote:
>I'm interested in tracking a PC that keeps changing its IP address by its
>MAC (Ethernet) address. I would like to write a rule that would alert
>whenever a certain MAC address appears in a packet.
>
>It looks like the content keyword only scans the data of the packet and
>doesn't match against headers. Am I misunderstanding the content keyword or
>is there another way to accomplish this?



--__--__--

Message: 9
From: "Michael Steele" <michaels at ...155...>
To: <snort-users at lists.sourceforge.net>
Cc: <SkatFiend at ...661...>
Subject: RE: [Snort-users] How to install LibNetNT
Date: Thu, 21 Mar 2002 16:14:27 -0800

Try here:

http://www.securitybugware.org/libnetnt/ 

I'd be more than happy to walk you through the install if you are having
problems. If you already have your IDS setup and are just lacking this
part then there is no need to roll back and start all over.

I'm assuming that you are using FlexResp and if not then there is no
need for LibnetNT.dll to be installed.

- Michael Steele 

> Hi all,
>
> Can someone point me in the right direction for install instructions for
> LibNet on a Win2K box?????
>
> Thanks, Cliff





--__--__--

Message: 10
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
To: "Snort List (E-mail)" <snort-users at lists.sourceforge.net>
Date: Thu, 21 Mar 2002 19:42:00 -0500
Subject: [Snort-users] Detecting source routing packets


Hello,

I'm looking to detect source routing packets and was wondering if anyone
could assist with creating a Snort rule? I'm running Snort 1.9dev on
RHLinux7.0


Thanks!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan at ...2218... 
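Source routing is signalled by an option in the IP header (Loose Source and Record Route, option type 131, or Strict Source and Record Route, type 137), not by anything in the payload, so the match uses Snort's ipopts keyword rather than content. The rules below are an added example, not from Paul's message or from the Snort rule distribution. They assume the ipopts keyword as documented for Snort 1.x and placeholder SIDs from the local range; the header is ip any any -> any any on purpose, because the whole point of a source-routed packet is that its addresses cannot be trusted to tell you where it came from or where it is really going.

```snort
# Added example for local.rules (not from the original message or the Snort distribution).
# Assumptions: Snort 1.x ipopts keyword, placeholder SIDs from the local range.
# "ip" covers every IP protocol, so TCP, UDP and ICMP carrying the option all match.

# Loose source routing (LSRR, IP option type 131): the listed hops must be
# visited, other hops may be inserted between them.
alert ip any any -> any any (msg:"LOCAL IP loose source route option (LSRR)"; \
    ipopts:lsrr; sid:1000020; rev:1;)

# Strict source routing (SSRR, IP option type 137): the listed hops are the
# only hops allowed.
alert ip any any -> any any (msg:"LOCAL IP strict source route option (SSRR)"; \
    ipopts:ssrr; sid:1000021; rev:1;)
```

Detection is the monitoring half of the answer; nothing legitimate on a modern network source-routes, so the hosts and routers should also refuse such packets. On Linux that is the sysctl net.ipv4.conf.all.accept_source_route=0, and most router platforms have an equivalent "no ip source-route" setting. With that in place the rule above becomes a signal that someone is probing for hosts that still honour the option.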




--__--__--

Message: 11
To: snort-users at lists.sourceforge.net 
Date: Thu, 21 Mar 2002 17:39:56 -0800
From: Kevin L Pawloski <kpawloski at ...5338...>
Subject: [Snort-users] Increasing Packet

I noticed that in both Acid and Demarc that for some Alerts only part of
the packet is captured and reported in the payload. Is there any way to
increase this size in Snort?

Thanks!

Kevin



--__--__--

Message: 12
Date: Thu, 21 Mar 2002 17:56:26 -0800 (PST)
From: lsd kuyeh <kuyehdee at ...131...>
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] [Snort-users]Newbie needs help!!

Dear all users,

I shifted my SnortSnarf directory to my /var/log/snort folder and I run
snortsnarf as below and the following message appears:

[root at ...5372... snort]# nice ./snortsnarf.pl alert portscan.log
syntax error at ./snortsnarf.pl line 155, near "}"
Execution of ./snortsnarf.pl aborted due to compilation errors.

Why does this error message appear?


Please give your opinion about this.

Regards,
Sean

__________________________________________________
Do You Yahoo!?
Yahoo! Movies - coverage of the 74th Academy Awards
http://movies.yahoo.com/ 


--__--__--

Message: 13
Reply-To: "Omar McKenzie" <omckenzi at ...4479...>
From: "Omar McKenzie" <omckenzi at ...4479...>
To: "Mike Macias" <mike.macias at ...5336...>,
   <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] portscans and ACID
Date: Fri, 22 Mar 2002 00:00:36 -0500
Organization: Omar McKenzie


you don't need the first output statement

  ----- Original Message -----
  From: Mike Macias
  To: snort-users at lists.sourceforge.net
  Sent: Tuesday, March 19, 2002 3:58 PM
  Subject: [Snort-users] portscans and ACID


  I've been looking through the snort users archive and found plenty of
  documentation on how to get ACID to see portscans.  I've finally got
  things working, however I'm a little concerned about my solution.  In
  snort.conf I have 2 output plugins specified:

  output database: log, mysql, user=snort password=abcdef dbname=snort_db host=localhost
  output database: alert, mysql, user=snort password=abcdef dbname=snort_db host=localhost (so that ACID can see portscans)

  Will having 2 outputs specified adversely affect any data in the MySQL
  db?




--__--__--

Message: 14
Reply-To: "Omar McKenzie" <omckenzi at ...4479...>
From: "Omar McKenzie" <omckenzi at ...4479...>
To: "Ryan Swenson" <Ryan.Swenson at ...1448...>,
   <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] MySQLOutput database & No logging
Date: Fri, 22 Mar 2002 00:41:31 -0500
Organization: Omar McKenzie


----- Original Message -----
From: "Ryan Swenson" <Ryan.Swenson at ...1448...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, March 18, 2002 11:29 AM
Subject: [Snort-users] MySQLOutput database & No logging


> Hello,
>
> Does anyone know how to only output to a database and avoid any or all file
> output? I do not want any alert files or files in general.

Define only one output plugin in your snort.conf.  (database plugin)

> Can Multiple sensors report to a single database?

yes

> Has anyone tried writing a backend utility to manage the Database itself.
> That is perhaps if we develop a utility which can manage an IDS database we
> can monitor for event correlation throughout a snort deployment of several
> sensors. When we for example see a bunch of useless IIS exploit attempts
> made on Apache servers in our global sensor arrangement we can through the
> utility delete all such alerts single-handedly over a number of IDS sensors
> where the alerts were found.

Take a look at ACID. It can delete alerts from the database and also archive
to another database.

> I am writing such a utility in C/C++ and Java. Need Help (Anybody have good
> Select Statements & such???) Perhaps to the developer of the Database
> Portion - if I cannot make autojoins in Mysql what are my options.
>
> Why didn't they develop snort to alternatively output packets & layers to a
> Database and based on the incremental counter of the DB input perform
> analysis with the detection engine, and support modular filter analysis to
> support both IDS & Network Centric routines?
>
> EG: Use Snort's incredible decoding and libpcap development to show not
> only security but real in-depth analysis of network issues. Do this within
> context of a MySQL or Oracle DB and toss the file output...!
>
> Greetings / Kind Regards,
> Ryan S.





--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/snort-users 


End of Snort-users Digest




