[Snort-users] weird behaviour with Puresecure

Ryan Hill rhill at ...2446...
Mon May 6 14:53:03 EDT 2002


fyi, I've been working with a developer for a few weeks on an unrelated
issue but thought I would mention that the values passed to the validate
function inside the web gui are hard coded into the program.  for whatever
reason (probably a good one?! :), the developers have chosen not to pass the
actual arguments you may be using for your sensor (I'm using -o myself).

in addition, the validate function also doesn't correctly identify the
interface your sensor is using, so when you run validate, snort is going to
run the validation against your default interface, which may or may not be
the correct interface for the sensor you're testing.

both of these fixes/improvements can be added with a few more checks and
variables for commandline options, but seeing as I have about zero knowledge
of perl whatsoever, the issue may be more complicated than it appears on the
surface (there are a LOT of commandline options for snort :).

in Demarc's defense, they are very receptive and responsive towards feedback
and improvements in the program (IMHO), so if you have future suggestions,
please send them to suggest at ...5644...  you might also check out their
mailing list over at demarc.com.

regards,

Ryan Hill
Corporate Information Systems
TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com

> -----Original Message-----
> From: Omolayo Salako [mailto:OSalako at ...5295...] 
> Sent: Monday, May 06, 2002 1:43 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] weird behaviour with Puresecure
> 
> 
> Anyone else experiencing this problem? I have recently upgraded to demarc
> 1.6 and wanted to pass some command line options to snort through
> Puresecure. I edited the psd.conf, which I believe is the equivalent of
> demarcd.conf in the old demarc. I put options in where it says command line
> option to pass to snort. Since the update has to be done by Puresecure, went
> to the gui, and click on validate, it updates the rules quite well, but I
> don't see my command line options in the options it passed to snort. I have
> poked through all the files under puresecure directory, but could not find
> any other file that might be controlling the command line options. Any
> pointers would be appreciated
> 
> 
> thanx
>  
> 
> -----Original Message-----
> From: Vadim Pushkin [mailto:wiskbroom at ...125...]
> Sent: Monday, May 06, 2002 3:18 PM
> To: Noller2G at ...4290...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Demarc (PureSecure)
> 
> 
> The one problem that I am having with Acid/Mysql
> is speed. If I were to use PureSecure, wouldn't
> I still be going against the same slow MySQL server?
> 
> -mike
> 
> 
> >From: "Noller, Gregory" <Noller2G at ...4290...>
> >To: 
> >"'snort-users at lists.sourceforge.net'"<snort-users at ...635...
> eforge.net>
> >Subject: [Snort-users] Demarc (PureSecure)
> >Date: Fri, 3 May 2002 13:34:36 -0500
> >
> >I have been using Demarc 1.05 since October.  It was hard to set up, but was
> >much better than Acid and such.
> >
> >Now they have released 1.06 and are calling it PureSecure.  Much better
> >setup script.  Easy in fact.
> >
> >Just want to let you know, if you have not tried Demarc/PureSecure give it a
> >shot.
> >
> >Just build you a new Linux 7.2 box, get a copy of the software and run the
> >./configure script in the install directory.  You will need internet
> >visibility because it goes out and downloads all the pieces.
> >
> >Once it's running, you'll need to update the rules from the configure tab to
> >get the rules downloaded.
> >
> >Then sit back and watch.  Then you can edit your rules and snort.conf file
> >from the configure tab.
> >
> >This software really works.
> >
> >I don't work for them, have never met them, and just wanted to comment on
> >this product.
> >
> >Usual Disclaimers Apply
> >
> >Gregory Noller
> >Senior IT Security Technologist
> >Technology Risk Services
> >Koch Business Solutions, LP
> >Wichita, Kansas
> >(316) 828-7725
> >
> >
> >
> >_______________________________________________________________
> >
> >Have big pipes? SourceForge.net is looking for download 
> mirrors. We supply
> >the hardware. You get the recognition. Email Us: 
> bandwidth at ...382...
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 



