[Snort-users] RE: Snort-users digest, Vol 1 #3309 - 9 msgs

Christian Tortorich ctorto1 at ...9576...
Fri Jun 27 19:26:06 EDT 2003


I have recently installed snort with snortcenter and the ACID management
console on a dual PIII 500 system with a gig of RAM and pretty good network
cards (Intel gigabit and 100 Mb). The box is acting as a bridge and I'm
filtering the incoming traffic with IPCHAINS. I'm interested in both what's
going on on the inside (!) and the outside of my network. This is an
excellent tool. I have 2 quick questions:

1) When snort reports that packets are dropped, should I take that to mean
that they are dropped on the floor or just that Snort couldn't look at them
fast enough so it skipped them? I want to monitor traffic, but not at the
expense of packet loss.

2) I have a LAN on one side of this box with about 100 clients and a
connection to a gig E backbone on the other side. Is my snort box
configuration reasonable? Should I be dropping packets consistently?

Regards
Chris Tortorich
ctorto1atlsudotedu


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
snort-users-request at lists.sourceforge.net
Sent: Friday, June 27, 2003 5:52 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #3309 - 9 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: RE: Snort-users digest, Vol 1 #3302 - 13 msgs (Rodrigo Goya)
   2. RE: encrypt barnyard connections (Hutchinson, Andrew)
   3. RE: Snort problem (Faiz Ahmad Shuja)
   4. sid=1042 IIS view source via translate header (Everist, Benjamin S.
(NASWI))
   5. RE: Snort problem (Michael Steele)
   6. Re: Snort problem (Matt Kettler)
   7. Re[2]: [Snort-users] Cisco Catalyst - SNORT (Lukasz Bromirski)
   8. snortcenter 1.0RC1 (Todd Holloway)
   9. Re: re: Pass Rule question (Erek Adams)

--__--__--

Message: 1
Date: Fri, 27 Jun 2003 10:25:58 -0500
From: Rodrigo Goya <lucent at ...9564...>
To: edward.hawkins at ...9405..., snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] RE: Snort-users digest, Vol 1 #3302 - 13 msgs


Hhhmm.. hope this is what you were asking for:

Go to Resources -> Variables -> View Variables

Edit "HOME_NET", change the value and click on "Duplicate"

Now you have more than one HOME_NET defined.

Go to Sensor Config -> Variable Selection

Pick the sensor you want, activate the new HOME_NET.

Then just push your new rules to the sensor and reaload it.

Cheers,
Rodrigo

On Thu, Jun 26, 2003 at 12:22:55PM -0400, edward.hawkins at ...9405... wrote:
> How is Home_Net defined when using SnortCenter.
>
> I have installed acid and snortcenter and based on the install process how
> do you specifically define your home_net in snortcenter?  I know how to
> manually do it but how do you do it in snortcenter?
>


--__--__--

Message: 2
Subject: RE: [Snort-users] encrypt barnyard connections
Date: Fri, 27 Jun 2003 10:38:41 -0500
From: "Hutchinson, Andrew" <andrew.hutchinson at ...759...>
To: "Joerg Weber" <j.weber at ...8292...>,
	"SnortUsers" <snort-users at lists.sourceforge.net>

You could do that, or...

<ShamelessPostgreSQLPlug>

you could use PostgreSQL, compiled with the --with-openssl option, and
use SSL natively and bypass stunnel altogether.  The PostgreSQL
installation/configuration documentation explains how to set this up.

</ShamelessPostgreSQLPlug>



:-)

Andrew

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


> -----Original Message-----
> From: Joerg Weber [mailto:j.weber at ...8292...]
> Sent: Friday, June 27, 2003 6:31 AM
> To: SnortUsers
> Subject: Re: [Snort-users] encrypt barnyard connections
>
>
> Hi,
>
>
> > I would like to encrypt the barnyard connection to the mysql
> > database.
> > -is this possible over stunnel?
> This works just fine for me without any issues.
> You can run Stunnel with certificates and strict cert checking.
>
> On the snort-box do something like
> stunnel -c -d 127.0.0.1:3306 -r mysql-server-here:3307 -s stunnel -g stunnel
>
> and on the remote mysql box
> /usr/sbin/stunnel -p /usr/share/ssl/stunnel/server.pem -P/tmp/ -d 3307
> -r 127.0.0.1:3306 -s stunnel -g stunnel
>
> or, with strict cert checking, something like this on the client
> /usr/sbin/stunnel -c -d 127.0.0.1:3306 -r mysql-server-here:3307 -v 3 -A
> /usr/share/ssl/stunnel/server.cert -p /usr/share/ssl/stunnel/client.pem
> -P /var/run/stunnel.pid -s stunnel -g stunnel
>
> on the remote mysql box
> /usr/sbin/stunnel -A /usr/share/ssl/stunnel/all.cert -p
> /usr/share/ssl/stunnel/server.pem -d 3307 -r 127.0.0.1:3306 -v 3 -P
> /var/run/stunnel.pid -s stunnel -g stunnel
>
> Now, if you distribute the proper certs to the client and the server,
> your connection is SSL-encrypted and connections are allowed with the
> proper certs only.
>
> Works like a charm for me.
>
> Oh, it's very possible I goofed up on the pasted lines, you gotta check
> the parameters of course ;)
>
> Cheers!
>
> --
> Joerg Weber
> Network Security
>
> infoServe GmbH
> Nell-Breuning-Allee 6
> D-66115 Saarbruecken
>
> T: (0681) 8 80 08 - 0
> F: (0681) 8 80 08 - 59
> www.infos.de
> E: j.weber at ...8292...
>


--__--__--

Message: 3
From: "Faiz Ahmad Shuja" <faizshuja at ...5849...>
To: <mshultz at ...9571...>,
	<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Snort problem
Date: Fri, 27 Jun 2003 20:45:43 +0500

Try looking into IDScenter and Eagle X from Engage Security.

http://www.engagesecurity.com/

You can find the options you are looking for there.


Regards,
Faiz

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
mshultz at ...9571...
Sent: Friday, June 27, 2003 2:41 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort problem


Hello.  I'm not sure if this is a support mailing list but hopefully
someone could help me out.

I am relatively new to Snort and it looks very decent for what I need it
to do.  I am running snort on a win32 machine.  My problem is that I
need snort to send either an email, which doesn't look possible as I am
not a programmer, or an SMB message to a selected workstation.  My
problem is that SMB doesn't seem to be compiled into the windows
binaries and there doesn't seem to be another way to configure it
without the 'configure' executable.  Any help would be appreciated.

Mike.



--__--__--

Message: 4
From: "Everist, Benjamin S. (NASWI)" <EveristB at ...8190...>
To: snort-users at lists.sourceforge.net
Date: Fri, 27 Jun 2003 09:02:21 -0700
Subject: [Snort-users] sid=1042 IIS view source via translate header


Has anyone seen anything like this before?  It doesn't look like the
translate: f vuln [0], except that it contains the translate: f header.
The long string of gobbledygook after the auth: negotiate looks suspicious
to me, but what do I know?  I looked through the IIS 'sploits at bugtraq
and didn't see anything that matches.  Is this valid traffic?

000 : 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31   OPTIONS / HTTP/1
010 : 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66   .1..translate: f
020 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
030 : 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D   crosoft-WebDAV-M
040 : 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30   iniRedir/5.1.260
050 : 30 0D 0A 48 6F 73 74 3A 20 xx xx xx xx xx xx xx   0..Host: xxxxxxx
060 : xx xx xx xx xx xx xx 0D 0A 41 75 74 68 6F 72 69   xxxxxxx..Authori
070 : 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74   zation: Negotiat
080 : 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 41 41   e TlRMTVNTUAADAA
090 : 41 41 47 41 41 59 41 47 6F 41 41 41 41 59 41 42   AAGAAYAGoAAAAYAB
0a0 : 67 41 67 67 41 41 41 41 67 41 43 41 42 41 41 41   gAggAAAAgACABAAA
0b0 : 41 41 47 67 41 61 41 45 67 41 41 41 41 49 41 41   AAGgAaAEgAAAAIAA
0c0 : 67 41 59 67 41 41 41 41 41 41 41 41 43 61 41 41   gAYgAAAAAAAACaAA
0d0 : 41 41 42 59 4B 49 6F 46 67 41 56 51 42 4D 41 46   AABYKIoFgAVQBMAF
0e0 : 55 41 51 51 42 6B 41 47 30 41 61 51 42 75 41 47   UAQQBkAG0AaQBuAG
0f0 : 6B 41 63 77 42 30 41 48 49 41 59 51 42 30 41 47   kAcwB0AHIAYQB0AG
100 : 38 41 63 67 42 59 41 46 55 41 54 41 42 56 41 50   8AcgBYAFUATABVAP
110 : 70 59 77 6F 45 2F 62 77 42 37 41 41 41 41 41 41   pYwoE/bwB7AAAAAA
120 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4E   AAAAAAAAAAAAAAAN
130 : 7A 66 74 72 6F 7A 31 69 4A 6E 69 50 6D 34 33 4F   zftroz1iJniPm43O
140 : 77 79 62 63 75 6B 61 55 53 66 53 46 64 45 43 67   wybcukaUSfSFdECg
150 : 3D 3D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20   ==..Connection:
160 : 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74   Keep-Alive..Cont
170 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 0D   ent-Length: 0...
180 : 0A


[0] http://www.securityfocus.com/bid/1578/discussion/
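The "gobbledygook" after Negotiate is a base64 blob, and the dump's ASCII column already shows it begins with "TlRMTVNTUAAD", the base64 form of the NTLMSSP signature. The following script is an added example, not code from the original post: it re-types the request from the dump (the Host value the poster masked with 'x' stays masked), base64-decodes the Authorization header and walks the NTLMSSP AUTHENTICATE message's security buffers (layout per MS-NLMP), so an analyst triaging this alert can see exactly which domain, account and workstation the WebDAV client presented rather than guessing whether the string is an exploit payload.

```python
"""Added example: decode the Authorization: Negotiate blob from the OPTIONS
request above. Request bytes are re-typed from the post's hex dump; the Host
value the poster masked with 'x' is kept masked."""
import base64
import struct

REQUEST = (
    b"OPTIONS / HTTP/1.1\r\n"
    b"translate: f\r\n"
    b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
    b"Host: xxxxxxxxxxxxxx\r\n"
    b"Authorization: Negotiate "
    b"TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAgACABAAAAA"
    b"GgAaAEgAAAAIAAgAYgAAAAAAAACaAAAABYKIoFgAVQBMAFUA"
    b"QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBYAFUATABVAPpY"
    b"woE/bwB7AAAAAAAAAAAAAAAAAAAAAANzftroz1iJniPm43Owy"
    b"bcukaUSfSFdECg==\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return head[0].decode(), headers

def _sec_buf(blob, pos):
    """NTLMSSP security buffer: u16 Len, u16 MaxLen, u32 Offset (MS-NLMP)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
    return blob[offset:offset + length]

def parse_ntlm_authenticate(blob):
    """Decode an NTLMSSP AUTHENTICATE_MESSAGE (type 3) into named fields."""
    if blob[:8] != b"NTLMSSP\x00":
        raise ValueError("token is not raw NTLMSSP (SPNEGO-wrapped tokens differ)")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type != 3:
        raise ValueError(f"NTLMSSP message type {msg_type}, expected 3")
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & 0x1 else "ascii"  # NTLMSSP_NEGOTIATE_UNICODE
    lm_resp = _sec_buf(blob, 12)
    return {
        "flags": flags,
        "domain": _sec_buf(blob, 28).decode(enc),
        "user": _sec_buf(blob, 36).decode(enc),
        "workstation": _sec_buf(blob, 44).decode(enc),
        "lm_response": lm_resp,
        "nt_response": _sec_buf(blob, 20),
        # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (0x80000): the LM field is
        # an 8-byte client nonce plus 16 zero bytes, not an LM-hash response.
        "ntlm2_session": bool(flags & 0x80000) and lm_resp[8:] == bytes(16),
    }

def triage(raw=REQUEST):
    """Summarise the request and the identity its Negotiate header presents."""
    request_line, headers = parse_request(raw)
    scheme, _, token = headers["authorization"].partition(" ")
    auth = parse_ntlm_authenticate(base64.b64decode(token))
    return {
        "request_line": request_line,
        "user_agent": headers.get("user-agent"),
        "translate": headers.get("translate"),
        "auth_scheme": scheme,
        **auth,
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:14} {value.hex() if isinstance(value, bytes) else value}")
```

Run stand-alone it prints the decoded fields; the same walk applies to any raw-NTLMSSP Negotiate or NTLM header, while a token that does not start with the NTLMSSP signature is SPNEGO-wrapped and is rejected rather than misparsed.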



--__--__--

Message: 5
From: "Michael Steele" <michaels at ...9077...>
To: <mshultz at ...9571...>,
	<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Snort problem
Date: Fri, 27 Jun 2003 12:16:03 -0700

Mike,

You can go to www.winsnort.com <http://www.winsnort.com/> and go to the
Documentation section and check out the docs as it has a section on
installing Email support for Windows.

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician
 mailto:michaels at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
mshultz at ...9571...
Sent: Thursday, June 26, 2003 2:41 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort problem

Hello.  I'm not sure if this is a support mailing list but hopefully someone
could help me out.

I am relatively new to Snort and it looks very decent for what I need it to
do.  I am running snort on a win32 machine.  My problem is that I need snort
to send either an email, which doesn't look possible as I am not a
programmer, or an SMB message to a selected workstation.  My problem is that
SMB doesn't seem to be compiled into the windows binaries and there doesn't
seem to be another way to configure it without the 'configure' executable.
Any help would be appreciated.

Mike.





--__--__--

Message: 6
Date: Fri, 27 Jun 2003 16:08:07 -0400
To: <mshultz at ...9571...>, <snort-users at lists.sourceforge.net>
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] Snort problem

At 05:41 PM 6/26/2003 -0400, mshultz at ...9571... wrote:
>Hello.  I'm not sure if this is a support mailing list but hopefully
>someone could help me out.
>
>I am relatively new to Snort and it looks very decent for what I need it to
>do.  I am running snort on a win32 machine.  My problem is that I need
>snort to send either an email, which doesn't look possible as I am not a
>programmer, or an SMB message to a selected workstation.  My problem is
>that SMB doesn't seem to be compiled into the windows binaries and there
>doesn't seem to be another way to configure it without the 'configure'
>executable.  Any help would be appreciated.
>
>Mike.

Well, sending an email from within snort is absolutely impossible, even if
you are a programmer. Snort needs to be very very very fast (ie: 1/1000th
of a second delay has a HUGE impact on performance). If it goes off and
generates network connections, launches programs, etc, it will miss a large
quantity of traffic, creating a very effective way for attackers to sneak
past your snort sensor by only generating one alert that causes email.

Really, I'd suggest using something like acid for your logging and alerting
needs if you're restricted to the win32 platform. Emails, smb alerts, etc
are really best done with an external program so that snort isn't wasting
time babysitting a network messaging protocol.








--__--__--

Message: 7
Date: Fri, 27 Jun 2003 22:23:36 +0200
From: Lukasz Bromirski <lbromirski at ...9575...>
Reply-To: Lukasz Bromirski <lbromirski at ...9575...>
Organization: mr0vka corpz
To: "'Snort-users at lists.sourceforge.net'"
<Snort-users at lists.sourceforge.net>
Subject: Re[2]: [Snort-users] Cisco Catalyst - SNORT

Hello,

RA> Most current switches have either 8 or 16 port chip sets.

That's quite correct.

RA> Someone is likely to say that Cisco's mirroring (as an example only)
RA> functions at wire speeds even on gig ports, when in fact their
RA> experience involved other unknown conditions (such as port 1 to port 4
RA> on the same chip set) for which they have little/no real knowledge.

Well, the Catalyst 2950 and 3550 boxes for example do SPAN at wire speed,
regardless of which port is actually the source port, and which one is the
destination port. However, Cisco states clearly that a highly oversubscribed
destination port can slow down source ports - which is logical because it
comes down to buffer capacity. With Snort installations the highly
oversubscribed situation can surface quite easily (one port sniffing the
traffic of the other 23 or 47 ones, for example).

RA> There are many switches on the market today that will do wire speed
RA> mirroring on adjacent gig ports, but may drop packets between ports on
RA> different chip sets or different blades.

Indeed. It's just a question of detailed documentation available (including
some architectural details), which most of the off-the-shelf switches lack.

Just my 0,05PLN

--
Łukasz Bromirski                                lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc                   http://mr0vka.eu.org
PGP finger               5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49



--__--__--

Message: 8
Date: Fri, 27 Jun 2003 15:24:24 -0500
From: Todd Holloway <todd at ...4574...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snortcenter 1.0RC1


There are a few bugs with snortcenter 1.0-RC1 that I'm experiencing...
Is this program even "active"? I noticed the last update was 2002-05-14.


the most painful bug is I have to deactivate rules manually,
the select all works but the "do with selected" doesn't :(

it looks like a great product, but I don't know if
it's something I can show off to the boss, if it's a
year plus out of date.



todd

--
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in. We're computer professionals. We
cause accidents.

		Nathaniel Borenstein, inventor of MIME.


--__--__--

Message: 9
Date: Fri, 27 Jun 2003 18:51:09 -0400 (EDT)
From: Erek Adams <erek at ...950...>
To: Ciprian Badescu <ciprian.badescu at ...9292...>
cc: Erek Adams <erek at ...950...>, lindsay.hunt at ...9446...,
  snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] re: Pass Rule question

On Fri, 27 Jun 2003, Ciprian Badescu wrote:

> I also have the same problem:
>
> I've done the following modifications in scan.rules:
>
>
> pass tcp $EXTERNAL_NET any -> $HOME_NET 3128
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy
> attempt"; flags:S,12; classtype:attempted-recon; sid:618; rev:4;)
>
>
> and still got the alert in ACID (with last snort tarball from CVS).
>
> Is this normal?
> How can I use pass rules?

Just on the off chance...  Make sure you're using "-o" on the command
line.  If not, pass rules will be processed after alert rules.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest