[Snort-users] RE: Snort-users digest, Vol 1 #4375 - 8 msgs

Takisha Harper TakishaHarper at ...10816...
Wed Jul 14 10:21:09 EDT 2004


Any of you guys know any people or consultants that can come in and assist
us with setting up Snort?

Thanks 

> -----Original Message-----
> From:	snort-users-request at lists.sourceforge.net
> [SMTP:snort-users-request at lists.sourceforge.net]
> Sent:	Wednesday, July 14, 2004 11:45 AM
> To:	snort-users at lists.sourceforge.net
> Subject:	Snort-users digest, Vol 1 #4375 - 8 msgs
> 
> Send Snort-users mailing list submissions to
> 	snort-users at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> 	snort-users-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> 	snort-users-admin at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> Today's Topics:
> 
>    1. RE: plz help (Harper, Patrick)
>    2. RE: plz help (Nick Duda)
>    3. problem with suppress... (Tobias Rice)
>    4. (http_inspect) NON-RFC HTTP DELIMITER issue (sjconsulting at ...549...)
>    5. Re: plz help (shashank.joshi at ...12070...)
>    6. Remote syslogging of snort (Paul Schmehl)
>    7. Re: NEWBIE: rule writing walkthru? (shashank.joshi at ...12070...)
>    8. Re: Alerts question (Scott Zawalski)
> 
> --__--__--
> 
> Message: 1
> From: "Harper, Patrick" <patrick.harper at ...11593...>
> To: "Chandana Bandara" <chandana at ...12108...>,
> 	<snort-users at lists.sourceforge.net>
> Date: Wed, 14 Jul 2004 08:15:00 -0500
> Subject: RE: [Snort-users] plz help
> 
> Do you have a rule for large ICMP enabled?  Try a vulnerability scanner,
> that should trigger some alerts for ya.  Or if you have the content:
> /etc/passwd  rule enabled just go to the IP of the snort box in a
> browser with /etc/passwd in the URL and you should get an alert.
> 
> When you say "how do I check this from other clients ?" are you talking
> about checking the traffic to and from the clients on your network?  If
> you are on a switched network (a managed one) you need to set a span or
> monitor port depending on the brand of switch.  If you are on a dumb
> switch then you either need to use a tap or a small hub inline; taps work
> better in my opinion but hubs are cheaper.
> 
> Hope that helps
> 
> -----Original Message-----
> From: Chandana Bandara [mailto:chandana at ...12108...]
> Sent: Wednesday, July 14, 2004 6:19 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] plz help
> 
> hi,
> 
> I have installed snort perfectly in Red Hat Linux 9 box. ACID url runs on
> the browser.
> I used ping command with huge packet sizes to that snort server. But
> there were no alerts in the ACID.
> 
> So tell me, how do I check this from other clients?
> 
> plz help
> 
> thanx in advance
> chandana
> 
> 
> 
> 
> Disclaimer:
> This electronic message, including any attachments, is confidential and
> intended solely for use of the intended recipient(s). This message may
> contain information that is privileged or otherwise protected from
> disclosure by applicable law. Any unauthorized disclosure, dissemination,
> use or reproduction is strictly prohibited. If you have received this
> message in error, please delete it and notify the sender immediately.
> 
> 
> 
> 
> 
> --__--__--
> 
> Message: 2
> Subject: RE: [Snort-users] plz help
> Date: Wed, 14 Jul 2004 09:53:19 -0400
> From: "Nick Duda" <nduda at ...10466...>
> To: "Chandana Bandara" <chandana at ...12108...>,
> 	<snort-users at lists.sourceforge.net>
> 
> Nessus, Retina, NMAP, etc.  Anything that can do massive pen testing
> will make Snort go crazy. Tools like these are required in a security
> pro's toolbox.
> 
> 
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Chandana
> Bandara
> Sent: Wednesday, July 14, 2004 7:19 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] plz help
> 
> hi,
> 
> I have installed snort perfectly in Red Hat Linux 9 box. ACID url runs on
> the browser.
> 
> I used ping command with huge packet sizes to that snort server. But
> there were no alerts in the ACID.
> 
> So tell me, how do I check this from other clients?
> 
> plz help
> 
> thanx in advance
> 
> chandana
> 
> 
> 
> 
> --__--__--
> 
> Message: 3
> Date: Wed, 14 Jul 2004 07:01:45 -0700
> From: Tobias Rice <rice at ...7669...>
> To: Graeme.Rider at ...12106...
> Cc: snort-users at lists.sourceforge.net
> Subject: [Snort-users] problem with suppress...
> 
> Are you using the "-o" flag to change the rule testing order to
> Pass|Alert|Log?
> 
> Tobias
> 
> 
> --__--__--
> 
> Message: 4
> Date: Wed, 14 Jul 2004 11:21:28 -0400
> From: sjconsulting at ...549...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] (http_inspect) NON-RFC HTTP DELIMITER issue
> 
> I am receiving this alert and I know this alert is being generated by
> someone streaming "Yahoo Shoutcast" on my net... would you consider this to
> be a false positive?  Is there a way to turn this specific inspection/alert
> off? I was reading through the http_inspect and I did not see where it was
> that allowed me to do this. I am running RH9, Snort 2.1.3. If there is
> anything else that I need to post to help you folks help me, please let me
> know.
> 
> TIA.
> 
> ~SJC
> 
> 
> 
> --__--__--
> 
> Message: 5
> To: "Chandana Bandara" <chandana at ...12108...>
> Cc: snort-users at lists.sourceforge.net,
> 	snort-users-admin at lists.sourceforge.net
> Subject: Re: [Snort-users] plz help
> From: shashank.joshi at ...12070...
> Date: Wed, 14 Jul 2004 21:02:51 +0530
> 
> 
> You can get hold of Nessus and scan your Snort host or any other box on the
> intranet (the traffic should be visible to Snort though); this can raise
> thousands of alerts.
> 
> Or if you are interested in only seeing some alerts in ACID, write a small
> rule to catch all tcp traffic in the "local.rules" file and restart Snort.
> (Be sure to remove this rule once you are satisfied :) )
> 
> good luck!
> 
> 
> shashank
> 
> "it's difficult to improve perfection !"
> 
> 
> 
> 
> "Chandana Bandara" <chandana at ...12108...> 
> Sent by: snort-users-admin at lists.sourceforge.net
> 07/14/2004 04:49 PM
> 
> Please respond to
> "Chandana Bandara" <chandana at ...12108...>
> 
> 
> To
> <snort-users at lists.sourceforge.net>
> cc
> 
> Subject
> [Snort-users] plz help
> 
> 
> hi,
> 
> I have installed snort perfectly in Red Hat Linux 9 box. ACID url runs on
> the browser.
> I used ping command with huge packet sizes to that snort server. But
> there were no alerts in the ACID.
> 
> So tell me, how do I check this from other clients?
> 
> plz help
> 
> thanx in advance
> chandana
> 
> 
> DISCLAIMER: The information contained in this message is intended only and
> solely for the addressed individual or entity indicated in this message
> and for the exclusive use of the said addressed individual or entity
> indicated in this message (or responsible for delivery
> of the message to such person) and may contain legally privileged and
> confidential information belonging to Tata Consultancy Services. It must
> not be printed, read, copied, disclosed, forwarded, distributed or used
> (in whatsoever manner) by any person other than the
> addressee. Unauthorized use, disclosure or copying is strictly prohibited
> and may constitute unlawful act and can possibly attract legal action,
> civil and/or criminal. The contents of this message need not necessarily
> reflect or endorse the views of Tata Consultancy Services
> on any subject matter. 
> Any action taken or omitted to be taken based on this message is entirely
> at your risk and neither the originator of this message nor Tata
> Consultancy Services takes any responsibility or liability towards the
> same. Opinions, conclusions and any other
> information contained in this message that do not relate to the official
> business of Tata Consultancy Services shall be understood as neither given
> nor endorsed by Tata Consultancy Services or any affiliate of Tata
> Consultancy Services. If you have received this message in error,
> you should destroy this message and may please notify the sender by
> e-mail. Thank you.
> 
> 
> 
> 
> 
> --__--__--
> 
> Message: 6
> Date: Wed, 14 Jul 2004 10:37:53 -0500
> From: Paul Schmehl <pauls at ...6838...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Remote syslogging of snort
> 
> I'm trying to set up snort to do remote syslogging.  So I put this line in
> the snort.conf file:
> 
> output alert_syslog: local1.debug
> 
> But when I restart snort, I get this error message in /var/log/messages:
> 
>  WARNING /usr/local/etc/snort.conf (419) => Unrecognized syslog 
> facility/priority: local1.debug
> 
> Does snort not recognize the local logging facilities?  Or do I have a 
> syntax error?
> 
> (/etc/syslog.conf reads "local1.debug    @{sysloghost}")
> 
> (Sysloghost's /etc/syslog.conf reads "local1.debug     /var/log/snort.log")
> 
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
> 
> 
> --__--__--
> 
> Message: 7
> To: wayne at ...12097...
> Cc: snort-users at lists.sourceforge.net,
> 	snort-users-admin at lists.sourceforge.net
> Subject: Re: [Snort-users] NEWBIE: rule writing walkthru?
> From: shashank.joshi at ...12070...
> Date: Wed, 14 Jul 2004 21:08:13 +0530
> 
> 
> Snort manual...nothing else required for rules info
> 
> Good luck!
> 
> Shashank
> 
> "It's difficult to improve perfection !"
> 
> 
> 
> "Wayne Fielder" <wayne at ...12097...> 
> Sent by: snort-users-admin at lists.sourceforge.net
> 07/13/2004 07:24 PM
> 
> Please respond to
> wayne at ...12097...
> 
> 
> To
> snort-users at lists.sourceforge.net
> cc
> 
> Subject
> [Snort-users] NEWBIE: rule writing walkthru?
> 
> Greetings all,
> 
>     I'm brand new to Snort.  Know what it is capable of and want to play
> with it but I'm having trouble getting out of the blocks.  I'm reading
> through the docs and it seems pretty straight forward but I would like
> to find a walkthru/tutorial or something like that for rule writing.
> 
>     I'm wanting to use Snort as both an IDS AND a web usage monitor. 
> I'm working with a state agency and money is...well...there is no money
> to spend on a Netappliance machine or something of that ilk.  I was
> thinking that if Snort can detect intrusions it must also be able to do
> the web usage thing given the correct rule.
> 
> Wayne Fielder
> MCP, GSEC, GCIH pending
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
> digital self defense, top technical experts, no vendor pitches, 
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> 
> --__--__--
> 
> Message: 8
> Date: Wed, 14 Jul 2004 08:40:38 -0700
> From: Scott Zawalski <scott.zawalski at ...5689...>
> To: Randy Ramsdell <rramsdel at ...5068...>
> CC: "'snort-users at lists.sourceforge.net'"
> <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Alerts question
> 
> If you are using the standard rule set then you should see some trips on 
> the readme.eml content:
> 
> Rules 1284 and 1290.
> (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)
> 
> As far as a specific CodeRed sid only 1256 applies for CodeRed v2 rule 
> and it looks for /root.exe uricontent
> (http://www.snort.org/snort-db/sid.html?sid=1256)
> 
> Scott
> 
> Randy Ramsdell wrote:
> 
> >
> > I have been getting scanned daily by a host that is infected with 
> > "code red". Obviously a web server is running on it and I went there 
> > and found the typical script trying to push "readme.eml."
> >
> > So, shouldn't snort catch this?
> >
> > I just need to know if it should without getting into specifics of my 
> > configuration.
> >
> > I read that snort should detect "code red" if you go to the site,
> > but I am not sure if this is true.
> >
> >
> >
> >
> >
> 
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest
> 
> 
Confidentiality Notices
The information contained in this transmission may include confidential
information and is intended for the personal and confidential use of the
named recipient only.  Such information may be protected by applicable State
and Federal laws from this disclosure or unauthorized use.  If the reader of
this transmission or any accompanying information is not the named
recipient, such reader is hereby notified that any disclosure, review,
discussion, copying, or taking any action in reliance on the contents of
this transmission is strictly prohibited.  If you have received this
transmission in error, please contact the sender immediately.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040714/3ae08832/attachment.html>
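Paul Schmehl's question in message 6 of the quoted digest turns on two syntaxes that look alike: a syslog.conf selector ("local1.debug") and the arguments of Snort's alert_syslog output plugin, which the Snort 2.x manual documents as separate LOG_* facility and priority names (for example "LOG_LOCAL1 LOG_DEBUG"). The following is an added example, not Snort's code and not from any poster; the accepted token names are my reading of that manual and are an assumption to verify against the version in use. It lints an output line, reproduces the warning text quoted in the post for an unrecognised token, and translates a syslog.conf selector into the form the plugin expects.

```python
"""Lint for a Snort 2.x 'output alert_syslog:' line (added example, not
Snort's code).  Token names are assumed from the Snort 2.x manual's
alert_syslog section: one LOG_* facility, one LOG_* priority, optional
LOG_* flags, space separated."""
import re
from typing import List

FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER"} | {
    "LOG_LOCAL%d" % i for i in range(8)}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR", "LOG_WARNING",
              "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
FLAGS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}
# syslog.conf priority spellings that differ from the LOG_* constant names
SELECTOR_ALIASES = {"warn": "WARNING", "error": "ERR", "panic": "EMERG"}


def check_alert_syslog(line: str) -> List[str]:
    """Problems found in one snort.conf output line ([] means acceptable)."""
    m = re.match(r"\s*output\s+alert_syslog\s*:\s*(.*?)\s*$", line)
    if m is None:
        return ["not an 'output alert_syslog:' line"]
    tokens = m.group(1).split()
    # same wording as the warning Paul quotes from /var/log/messages
    problems = ["Unrecognized syslog facility/priority: %s" % t
                for t in tokens if t not in FACILITIES | PRIORITIES | FLAGS]
    if sum(t in FACILITIES for t in tokens) > 1:
        problems.append("more than one facility given")
    if sum(t in PRIORITIES for t in tokens) > 1:
        problems.append("more than one priority given")
    return problems


def selector_to_snort(selector: str) -> str:
    """Translate a syslog.conf selector such as 'local1.debug' into the
    'LOG_LOCAL1 LOG_DEBUG' pair the plugin expects."""
    facility, priority = selector.strip().lower().split(".", 1)
    fac = "LOG_" + facility.upper()
    pri = "LOG_" + SELECTOR_ALIASES.get(priority, priority.upper())
    if fac not in FACILITIES or pri not in PRIORITIES:
        raise ValueError("cannot map syslog.conf selector %r" % selector)
    return "%s %s" % (fac, pri)


def suggest_fix(line: str) -> str:
    """Rewrite an output line whose argument was written in selector syntax
    into the LOG_* form; any other line is returned unchanged."""
    m = re.match(r"(\s*output\s+alert_syslog\s*:\s*)(\S+)\s*$", line)
    if m and "." in m.group(2):
        return m.group(1) + selector_to_snort(m.group(2))
    return line


if __name__ == "__main__":
    for line in ("output alert_syslog: local1.debug",        # Paul's line
                 "output alert_syslog: LOG_LOCAL1 LOG_DEBUG"):
        print(line, "->", check_alert_syslog(line) or "ok")
    print(suggest_fix("output alert_syslog: local1.debug"))
```

The plugin hands alerts to the local syslog daemon through syslog(3), so whether they reach another host is decided by that daemon's configuration; the "local1.debug @{sysloghost}" line in /etc/syslog.conf that Paul already has is the part that does the forwarding.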
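Three answers in the quoted digest rely on knowing which rule will fire: Patrick Harper's large-ICMP rule (message 1), shashank's catch-all TCP rule in local.rules (message 5), and Scott Zawalski's note that sid 1256 looks for /root.exe in the URI (message 8). As an added example, not code from Snort or from any poster, the toy matcher below implements just enough of the Snort 2.x rule grammar to show those three kinds of rule firing or staying silent on constructed packets. The rule text, the local sids, the 800-byte dsize threshold and the sample packets are all constructed for the example.

```python
"""Toy Snort-style rule matcher (added example; not Snort's own code).
Covers only header + msg/sid/content/uricontent/nocase/dsize; real Snort runs
preprocessors (stream reassembly, http_inspect normalisation) first."""
import re
from typing import Dict, List

HEADER_RE = re.compile(   # action proto src sport -> dst dport (options)
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# 'key:value;' or bare 'key;'; values may be double-quoted
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def _dsize_ok(spec: str, size: int) -> bool:
    if spec[0] in "<>":                      # dsize:>800 / dsize:<64
        return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:])
    return size == int(spec)

class Rule:
    def __init__(self, text: str) -> None:
        m = HEADER_RE.match(text.strip())
        if m is None:
            raise ValueError("unsupported rule syntax: %r" % text)
        self.action, self.proto = m.group("action"), m.group("proto")
        self.sport, self.dport = m.group("sport"), m.group("dport")
        self.msg, self.sid, self.dsize = "", 0, None
        self.patterns: List[list] = []       # [needle, where, nocase]
        for key, val in OPT_RE.findall(m.group("opts")):
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            if key == "msg":
                self.msg = val
            elif key == "sid":
                self.sid = int(val)
            elif key in ("content", "uricontent"):
                self.patterns.append([val.encode(), key, False])
            elif key == "nocase" and self.patterns:
                self.patterns[-1][2] = True  # applies to the preceding content
            elif key == "dsize":
                self.dsize = val
            # rev, classtype, reference, ... are accepted and ignored

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if pkt["proto"] in ("tcp", "udp") and not (
                _port_ok(self.sport, pkt["sport"]) and _port_ok(self.dport, pkt["dport"])):
            return False
        payload = pkt.get("payload", b"")
        if self.dsize and not _dsize_ok(self.dsize, len(payload)):
            return False
        for needle, where, nocase in self.patterns:
            hay = pkt.get("uri", b"") if where == "uricontent" else payload
            if nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
        return True

def load_rules(text: str) -> List[Rule]:
    return [Rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def alerts_for(rules: List[Rule], pkt: Dict) -> List[int]:
    """SIDs of the alert rules that fire on one packet."""
    return [r.sid for r in rules if r.action == "alert" and r.matches(pkt)]

# Constructed local.rules: sids, the 800-byte threshold and the rule text are made up.
LOCAL_RULES = """
# the kind of large-ICMP rule Patrick Harper asks about
alert icmp any any -> any any (msg:"LOCAL large ICMP packet"; dsize:>800; sid:1000001; rev:1;)
# the catch-all TCP rule shashank suggests for a quick ACID smoke test
alert tcp any any -> any any (msg:"LOCAL any TCP (test only)"; sid:1000002; rev:1;)
# modelled on what Scott Zawalski says sid 1256 looks for: /root.exe in the URI
alert tcp any any -> any 80 (msg:"LOCAL CodeRed v2 root.exe"; uricontent:"/root.exe"; nocase; sid:1000003; rev:1;)
"""

def http_pkt(uri: str) -> Dict:          # constructed HTTP request to port 80
    req = ("GET %s HTTP/1.0\r\nHost: www.example.test\r\n\r\n" % uri).encode()
    return {"proto": "tcp", "sport": 34567, "dport": 80, "payload": req, "uri": uri.encode()}

SAMPLE_PACKETS = {                       # all constructed
    "default ping (56-byte payload)": {"proto": "icmp", "payload": b"\x00" * 56},
    "ping -s 1400": {"proto": "icmp", "payload": b"\x00" * 1400},
    "ordinary web request": http_pkt("/index.html"),
    "root.exe probe, mixed case": http_pkt("/scripts/ROOT.exe"),
}

def run_demo() -> Dict[str, List[int]]:
    rules = load_rules(LOCAL_RULES)
    return {name: alerts_for(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, sids in run_demo().items():
        print("%-32s -> %s" % (name, sids or "no alert"))
```

Running it prints one line per sample packet. Two things are worth noticing: the default-size ping trips nothing, because a dsize rule fires only above its threshold, so a ping test stays silent unless the rule is enabled and the payload really is large (the other silent case, from Patrick's reply, is a sensor that never sees the traffic on a switched network); and the catch-all TCP rule fires on every TCP packet, which is exactly why shashank says to remove it once ACID shows alerts.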

