[Snort-users] libpcap question?

Jason Costomiris jcostom at ...2019...
Sun Sep 15 14:51:02 EDT 2002

On Sun, Sep 15, 2002 at 03:16:14PM -0500, J. Craig Woods wrote:
: Yes and no. First, I am running my gateway/router machine with older
: mandrake version, LMDK7.2 (No thanks, I do not want to upgrade. Too much
: work has gone into this baby, i.e. some very extensive, manually
: created, ipchains rules, hand-crafted tripwire configuration with every
: file loaded, and many other cooker and "homemade" customizations). As I
: indicated, it is fully loaded with mysql components:

I can appreciate not wanting to upgrade..  I would, however, suggest you
consider dumping ipchains in favor of iptables.  After all, iptables is
stateful - you don't have to open up all ports >1024, just permit 
related and established connections.  Surely you can see the (significant)

: MySQL-devel-3.23.31-1.1mdk
: Still snort src (snort.org version) would not compile for me. As I
: indicated, it gave me some gibberish about not finding mysql-devel.
: Maybe a "case" problem, you think?

Absolutely.  After all, this is *nix.

: Here is a question for you, Jason: What is going on with your MTA?
: Every time my mail server receives mail from you, I get alerts:

Seems like a false positive..

My tripwire report came up clean against verified signatures from RO
media...  I'm running postfix 1.1.11 with SASL and TLS support.  I'd
be interested in seeing a capture if you don't mind.  Seems rather

: (When posting to snort list, I have never understood the need to
: obfuscate IP addresses: they are all in the mail headers, right?)

Sure, but who's obfuscating?

: Any thoughts on this alert?

Probably a false positive..  I used to see all kinds of crazy alerts
caused by data in a file being xfer'd via FTP..
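As an added example, not from this thread or either poster, the contrast Jason draws between the two filtering styles, written as rule generators so the two rule sets can be compared without touching a live firewall. The interface name eth0 and SSH as the one exposed service are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Both functions only
# print rules; nothing here is applied to the running kernel.
WAN_IF=eth0   # assumed external interface

# ipchains style: no connection tracking, so replies to connections this
# host opened have to be admitted by opening the whole unprivileged range.
stateless_rules() {
    cat <<EOF
ipchains -P input DENY
ipchains -A input -i $WAN_IF -p tcp --dport 22 -j ACCEPT
ipchains -A input -i $WAN_IF -p tcp --dport 1024:65535 -j ACCEPT
ipchains -A input -i $WAN_IF -p udp --dport 1024:65535 -j ACCEPT
EOF
}

# iptables style: the state match admits only packets belonging to, or
# related to, a connection already in the tracking table, plus the one
# listening service; everything else on the high ports stays closed.
stateful_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state NEW -p tcp --dport 22 -j ACCEPT
EOF
}

# Review helper: does a generated rule set open the unprivileged port
# range inbound? Returns 0 (true) if it does.
opens_high_ports() {
    "$1" | grep -q -- '--dport 1024:65535'
}

# Stand-alone run: show both rule sets side by side.
echo "# stateless (ipchains)"; stateless_rules
echo "# stateful (iptables)";  stateful_rules
```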

