[Snort-users] RE: Snort-users digest, Vol 1 #4232 - 9 msgs

MOUTON Michael OF/UNPS michael.mouton at ...11801...
Thu May 13 10:00:16 EDT 2004


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On behalf of
snort-users-request at lists.sourceforge.net
Sent: Thursday, 13 May 2004 18:12
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #4232 - 9 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. snort and firewall all in one machine (Peggy Kam)
   2. logging to a remote database with mudpit (Maetzky, Steffen (Extern))
   3. RE: snort and firewall all in one machine (Harper, Patrick)
   4. Re: snort and firewall all in one machine (Peggy Kam)
   5. RE: Snort but no alert (nyarlathothep at ...2470...)
   6. RE: logging to a remote database with mudpit (Lance Boon)
   7. Detecting SYN Floods (Sheahan, Paul)
   8. Re: snort and firewall all in one machine (Matt Kettler)
   9. display/log IPv6 traffic ? (Akolinare at ...158...)

--__--__--

Message: 1
Date: Thu, 13 May 2004 09:52:01 -0400
From: Peggy Kam <ppkam at ...11126...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort and firewall all in one machine

Hi,

I am currently running the firewall and Snort on the same machine,
and Snort is doing its detection before the firewall blocks the packets.
I would like to use Snort to test whether my firewall actually blocks the
packets launched by attackers.  Would anyone give me some advice on how
I could configure the IDS to do its detection after the firewall has blocked
the packets by its rules?

Thanks in advance,
Peggy



--__--__--

Message: 2
From: "Maetzky, Steffen (Extern)" <Steffen.Maetzky at ...11508...>
To: "'Snort-users at lists.sourceforge.net'"
	 <Snort-users at lists.sourceforge.net>
Date: Thu, 13 May 2004 15:53:52 +0200
Subject: [Snort-users] logging to a remote database with mudpit

Hi,

I am trying to push data from one host to a MySQL database on a remote one
with mudpit, but I get the following error message:

	Host 'hostname' is not allowed to connect to this MySQL Server
	error initializing ".../mp_acid_out.so": retrying unrecognized
parameter "server"

On the remote-host I have given the grants:

	grant INSERT,SELECT on snort.* to snort identified by 'password';
	flush privileges;

On the local host I use (mudpit.conf):

	spool "/var/log/snort" {
		lock = "mysql"
		delete_processed
		user="root"
		output=".../mp_acid_out.so", "server <remote server ip>,
user snort, password <password>, database snort, interface eth1"
	}

I don't know what's going wrong.
Any ideas?

Thanks in advance,

Steffen


--__--__--

Message: 3
From: "Harper, Patrick" <patrick.harper at ...11593...>
To: "Peggy Kam" <ppkam at ...11126...>,
	<snort-users at lists.sourceforge.net>
Date: Thu, 13 May 2004 09:38:00 -0500
Subject: RE: [Snort-users] snort and firewall all in one machine

You need to have snort listening on your inside interface.  It uses
libpcap, so it sees traffic at the same time as the firewall.


-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now
for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






Disclaimer:
This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately.





--__--__--

Message: 4
Date: Thu, 13 May 2004 10:55:04 -0400
From: Peggy Kam <ppkam at ...11126...>
To: "Harper, Patrick" <patrick.harper at ...11593...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort and firewall all in one machine

I have already set up Snort to monitor the external and internal
interfaces.  I have already opened my firewall and I already have the
IPs for the int and ext interfaces under HOME_NET; however, I could only see
the packets coming in from the ext. interface, nothing was seen on the
internal interface.  Please advise.

Thanks,
Peggy

Harper, Patrick wrote:

> You need to have snort listening on your inside interface.  It uses
> libpcap, so it sees traffic at the same time as the firewall.



--__--__--

Message: 5
Date: Thu, 13 May 2004 17:08:42 +0200
Subject: RE: [Snort-users] Snort but no alert
From: "nyarlathothep\@libero\.it" <nyarlathothep at ...2470...>
To: "nduda" <nduda at ...10466...>
Cc: "snort-users" <snort-users at lists.sourceforge.net>

The rule path is correct; Snort says 1991 rules when it starts up...

I think it is something about the net configuration, even if I don't know what it could be :(

If I use Snort like a sniffer (snort -dev -i eth1), I'll see lots and lots of traffic! eth1 is the interface WITHOUT an IP address, connected to the switch. eth0 is connected to the inside network.

All the traffic from the other subnets is sent to the IDS by the switch...

Snort worked well when it was connected locally; it stops working when I connect the IDS to the switch, but the sensor sees the traffic and reports only the rules I've posted.

Matteo

> Is the rules path correct? /etc/snort/rules/xxxxx.rules. It seems the
> only rules being processed are the ones statically assigned in the .conf file.
> I would clean up/rework the conf file a bit.
> 
> In your snort startup script, are you listening on the correct
> interface? Try doing this:
> 
> /path/to/snort -i eth1 (then your other switches, like path to config
> file and such). What is the output?
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> nyarlathothep at ...2470...
> Sent: Wednesday, May 12, 2004 11:02 AM
> To: snort-users
> Subject: [Snort-users] Snort but no alert
> 
> Hello everyone,
> I'm still here with my problem.
> I've a Snort Debian box that listens on an interface (eth1, without IP
> address) on the external net, while it is connected on eth0 to the internal net,
> the interface that I use to read the data that Snort puts in the database.
> The problem is that I don't receive rule alerts, except for ICMP
> destination unreachable, but only preprocessor alerts, even when I try to scan the
> box with Nessus or NMap.
> I hope that someone could help me,
> 
> (ps I've attached my conf file, all the rules are selected)
> 
> Thanks,
> 
> Matteo
> 
> SNORT.CONF
> 
> var HOME_NET 10.1.0.0/24
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> 
> var RULE_PATH /etc/snort/rules
> 
> preprocessor flow: stats_interval 0 hash 2
> 
> preprocessor frag2
> preprocessor stream4: disable_evasion_alerts detect_scans
> preprocessor stream4_reassemble
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile apache ports { 80 8080 8180 } oversize_dir_length 500
> 
> preprocessor rpc_decode: 111 32771
> 
> preprocessor bo
> 
> preprocessor telnet_decode
> 
> preprocessor flow-portscan: talker-sliding-scale-factor 0.50 talker-fixed-threshold 30 talker-sliding-threshold 30 talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 30000 server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 30000 src-ignore-net $HOME_NET dst-ignore-net [10.0.0.0/30] alert-mode once output-mode msg tcp-penalties on
> 
> output database: alert, postgresql, user=postgres dbname=snort host=localhost
> 
> include classification.config
> include reference.config
> 
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> ...
> 
> ALERT
> 
> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-15:47:42.319644 193.207.171.97 -> 151.11.129.212
> ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
> Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 151.11.129.212:135 -> 172.133.197.74:2249
> TCP TTL:254 TOS:0x40 ID:0 IpLen:20 DgmLen:40 DF
> Seq: 0x0  Ack: 0x0
> ** END OF DUMP
> 
> [**] [121:4:1] Portscan detected from 200.191.164.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:49:09.988413
> 
> [**] [121:4:1] Portscan detected from 192.168.150.2 Talker(fixed: 2 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:50:39.821253
> 
> [**] [121:4:1] Portscan detected from 66.185.41.191 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-15:52:53.437042
> 
> [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
> 05/12-15:53:38.001287 192.168.150.2:53239 -> 213.178.220.130:31337
> UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
> Len: 18
> 
> [**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
> 05/12-15:53:40.994216 192.168.150.2:53239 -> 213.178.220.130:31337
> UDP TTL:61 TOS:0x0 ID:22742 IpLen:20 DgmLen:46
> Len: 18
> 
> [**] [121:4:1] Portscan detected from 210.95.44.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:07:01.105576
> 
> [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-16:07:27.486375 147.123.1.42 -> 213.178.220.1
> ICMP TTL:62 TOS:0x0 ID:41603 IpLen:20 DgmLen:56
> Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 213.178.220.1:53 -> 69.50.179.2:60369
> UDP TTL:61 TOS:0x0 ID:43291 IpLen:20 DgmLen:199
> Len: 171
> ** END OF DUMP
> 
> [**] [1:487:2] ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited) [**]
> [Classification: Misc activity] [Priority: 3]
> 05/12-16:07:42.725148 147.123.1.42 -> 213.178.220.1
> ICMP TTL:62 TOS:0x0 ID:46666 IpLen:20 DgmLen:56
> Type:3  Code:9  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED NETWORK FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 213.178.220.1:53 -> 69.50.179.14:46007
> UDP TTL:61 TOS:0x0 ID:43292 IpLen:20 DgmLen:199
> Len: 171
> ** END OF DUMP
> 
> [**] [121:4:1] Portscan detected from 69.44.61.30 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:23:58.282652
> 
> [**] [121:4:1] Portscan detected from 151.11.129.54 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
> 05/12-16:28:50.508095


--------------------------------------------------------------------
Matteo Poropat
mailto:nyarlathothep at ...11798...o.it
http://www.genhome.org
http://books.dreambook.com/mefistofele74/genhome.html
--------------------------------------------------------------------
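The posted output above is in Snort's full alert format, and the first thing worth checking in a "rules load but never fire" situation is which generator IDs are actually producing alerts and whether the alerted addresses are inside HOME_NET at all. The following parser is an added example, not code from the thread or from Snort; the sample alerts are constructed to mirror the posted layout (with documentation addresses), and the mapping of gid 1 to the text rules and of 105 and 121 to the Back Orifice and flow-portscan preprocessors is taken from the posted output.

```python
"""Parse Snort 2.x full-format alert output, count alerts per generator ID,
and report which alerted addresses fall outside HOME_NET.
Added example (not from the thread). The sample below is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the same layout as the alerts posted on the list.
SAMPLE_ALERTS = """\
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
05/12-15:47:42.319644 192.0.2.97 -> 198.51.100.212
ICMP TTL:247 TOS:0x20 ID:47996 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED

[**] [121:4:1] Portscan detected from 192.0.2.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-15:49:09.988413

[**] [105:1:1] (spo_bo) Back Orifice Traffic detected [**]
05/12-15:53:38.001287 198.51.100.2:53239 -> 203.0.113.130:31337
UDP TTL:61 TOS:0x0 ID:22741 IpLen:20 DgmLen:46
Len: 18

[**] [121:4:1] Portscan detected from 192.0.2.31 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
05/12-16:07:01.105576
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Timestamp line; the "src -> dst" part is absent for alerts that carry no
# packet (the portscan preprocessor prints only the time).
TS_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
    r"(?: (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?)?$"
)


def parse_alerts(text):
    """Return one dict per alert block: gid, sid, rev, msg, ts, src, dst."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip the block
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)),
               "rev": int(m.group(3)), "msg": m.group(4),
               "ts": None, "src": None, "dst": None}
        for line in lines[1:]:
            t = TS_RE.match(line)
            if t:
                rec["ts"], rec["src"], rec["dst"] = t.group(1), t.group(2), t.group(3)
                break
        alerts.append(rec)
    return alerts


def generator_summary(alerts):
    """Alerts per generator ID. gid 1 is the text rules loaded from the
    .rules files; other gids are preprocessors (105 = bo, 121 = flow-portscan
    in the posted output). Rules loaded but gid 1 silent means the rules
    never match the traffic, not that they failed to load."""
    return dict(Counter(a["gid"] for a in alerts))


def addresses_outside_home_net(alerts, home_net):
    """Alerted addresses that are not inside HOME_NET. Most stock rules are
    written $EXTERNAL_NET -> $HOME_NET, so traffic with neither end in
    HOME_NET cannot trigger them."""
    net = ipaddress.ip_network(home_net)
    outside = set()
    for a in alerts:
        for addr in (a["src"], a["dst"]):
            if addr and ipaddress.ip_address(addr) not in net:
                outside.add(addr)
    return sorted(outside)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(generator_summary(parsed))
    print(addresses_outside_home_net(parsed, "10.1.0.0/24"))
```

Run over the output actually posted above with the posted HOME_NET of 10.1.0.0/24, none of the alerted addresses (193.207.171.97, 151.11.129.212, 192.168.150.2, 213.178.220.x, 147.123.1.42) fall inside HOME_NET, which is the first thing to reconcile before reworking the rules path.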



--__--__--

Message: 6
Subject: RE: [Snort-users] logging to a remote database with mudpit
Date: Thu, 13 May 2004 10:28:24 -0500
From: "Lance Boon" <lboon at ...11799...>
To: <snort-users at lists.sourceforge.net>

I'm confused now, you say you tried this from your remote host and it
works, but trying the same from the other host failed??? Have you
granted the "other" host privileges on the MySql server?

-----Original Message-----
From: Maetzky, Steffen (Extern) [mailto:Steffen.Maetzky at ...11508...]
Sent: Thursday, May 13, 2004 9:45 AM
To: Lance Boon
Subject: AW: [Snort-users] logging to a remote database with mudpit

Trying this from my remote host works.
Trying the same from the other host failed.

-----Original Message-----
From: Lance Boon [mailto:lboon at ...11799...]
Sent: Thursday, 13 May 2004 16:24
To: Maetzky, Steffen (Extern)
Subject: RE: [Snort-users] logging to a remote database with mudpit

Have you tried just logging into the mysql server from your remote host?
For example: mysql -h192.168.1.1 -usnort -p snort. Just substitute the IP I
put in there with your mysql server's IP.



--__--__--

Message: 7
Date: Thu, 13 May 2004 11:41:43 -0400
From: "Sheahan, Paul" <Paul.Sheahan at ...2218...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Detecting SYN Floods

I would like to do both of the following with Snort:

*	Detect a high number of SYNs from one source over a short period
	of time
*	Detect a high number of requests for a web page over a short
	period of time

Just curious if anyone has found a good way to do this with Snort.

Thanks
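Both items above are rate questions: how many events with the same key fall inside a sliding time window. Snort 2 expresses the first one as a rule on bare SYNs (flags:S;) with the threshold option (type limit/threshold/both, track by_src, count, seconds). The following is an added example, not code from the thread or from Snort, that implements the same track/count/seconds idea in Python, firing once per window; the packets and thresholds are constructed.

```python
"""Sliding-window rate detection for bare SYNs per source and for requests
for one web page per server. Added example, not from the thread; it mirrors
the track / count / seconds idea of Snort's threshold rule option and fires
once per window. All packets below are constructed."""
from collections import defaultdict, deque


class RateDetector:
    """Fire when `count` events sharing a key fall within `seconds`.
    After firing, the key's window is cleared so one burst yields one alert."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.events = defaultdict(deque)  # key -> timestamps still in window

    def observe(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # expire events older than the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def inspect(packets, syn_count=100, syn_seconds=10, page_count=50, page_seconds=60):
    """Run both detectors over packet dicts (ts, src, dst, proto, flags, payload)
    and return the alerts raised, in time order."""
    syn_flood = RateDetector(syn_count, syn_seconds)     # track by source
    page_flood = RateDetector(page_count, page_seconds)  # track by (server, URI)
    alerts = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["proto"] != "tcp":
            continue
        # A bare SYN (no ACK) is a new connection attempt; count them per source.
        if p.get("flags") == "S" and syn_flood.observe(p["src"], p["ts"]):
            alerts.append(("syn-flood", p["src"], p["ts"]))
        payload = p.get("payload", "")
        if payload.startswith("GET "):
            uri = payload.split(" ", 2)[1]
            if page_flood.observe((p["dst"], uri), p["ts"]):
                alerts.append(("page-flood", (p["dst"], uri), p["ts"]))
    return alerts


def constructed_traffic():
    """Constructed sample: one SYN burst, one ordinary client, one page hammer."""
    pkts = []
    for i in range(150):  # 150 bare SYNs from one host within 5 s
        pkts.append({"ts": 1000.0 + i * (5 / 150), "src": "203.0.113.9",
                     "dst": "198.51.100.10", "proto": "tcp", "flags": "S"})
    for i in range(30):   # 30 SYNs spread over 60 s: ordinary browsing, no alert
        pkts.append({"ts": 1000.0 + i * 2.0, "src": "192.0.2.5",
                     "dst": "198.51.100.10", "proto": "tcp", "flags": "S"})
    for i in range(80):   # 80 GETs for one page within 20 s
        pkts.append({"ts": 2000.0 + i * 0.25, "src": "203.0.113.9",
                     "dst": "198.51.100.10", "proto": "tcp", "flags": "PA",
                     "payload": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"})
    return pkts


if __name__ == "__main__":
    for alert in inspect(constructed_traffic()):
        print(alert)
```

The page detector is keyed by (server, URI) so it counts all clients hammering one page; keying it by source instead is a one-line change. Clearing the window after a fire is what keeps a sustained flood from producing an alert per packet.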




--__--__--

Message: 8
Date: Thu, 13 May 2004 12:09:26 -0400
To: Peggy Kam <ppkam at ...11126...>, snort-users at lists.sourceforge.net
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] snort and firewall all in one machine

At 09:52 AM 5/13/2004, Peggy Kam wrote:
>I am currently running the firewall and snort within the same machine; and 
>snort is having its detections before firewall blocks the packets.
>I would like to use snort to test if my firewall actually blocks the 
>packets launched by attackers.  Would anyone give me some advice on how I 
>could configure IDS to do its detections after the firewall blocks the 
>packets by its rules?

You can get some of what you want by forcing the IDS to sniff the inside 
interface instead of the outside. Packets from the outside that were 
blocked will never make it to the inside.

However, there's no way for snort to detect "post firewall". Snort uses 
libpcap. Libpcap is fundamentally very low-level and picks up packets at a 
very low level off the ethernet driver, long before the TCP/IP stack gets them.
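The practical form of the advice above is to capture on both interfaces and compare: an outside packet that never shows up on the inside interface was not forwarded. The following is an added example, not code from the thread; the two captures and the firewall's own addresses are constructed and stand in for records pulled out of two real pcap files (say, from snort -i eth0 and snort -i eth1 running at the same time).

```python
"""Compare a capture from the outside interface with one from the inside
interface of the same firewall host to see which packets were forwarded.
Added example, not from the thread; all records below are constructed."""


def pkt(src, sport, dst, dport, proto, ip_id):
    """Minimal per-packet record; a real tool would fill this from pcap."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "ip_id": ip_id}


# Constructed captures using documentation addresses. 203.0.113.1 is the
# firewall's outside address and 192.0.2.1 its inside address.
FIREWALL_ADDRS = {"203.0.113.1", "192.0.2.1"}
OUTSIDE = [
    pkt("198.51.100.7", 40001, "192.0.2.20", 80, "tcp", 101),   # web, allowed
    pkt("198.51.100.7", 40002, "192.0.2.20", 22, "tcp", 102),   # ssh from outside
    pkt("198.51.100.7", 40003, "203.0.113.1", 22, "tcp", 103),  # aimed at the firewall itself
    pkt("198.51.100.9", 53000, "192.0.2.53", 53, "udp", 104),   # dns, allowed
    pkt("198.51.100.9", 53001, "192.0.2.20", 135, "tcp", 105),  # msrpc from outside
]
INSIDE = [
    pkt("198.51.100.7", 40001, "192.0.2.20", 80, "tcp", 101),
    pkt("198.51.100.9", 53000, "192.0.2.53", 53, "udp", 104),
    pkt("192.0.2.20", 80, "198.51.100.7", 40001, "tcp", 7),     # reply heading out
]


def key(p):
    # 5-tuple plus IP ID so retransmissions stay distinct. This assumes the
    # firewall does not NAT; with NAT the rewritten addresses/ports would
    # have to be mapped back before comparing.
    return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"], p["ip_id"])


def classify(outside, inside, firewall_addrs):
    """Sort outside packets into forwarded / local / not_forwarded.

    Packets addressed to the firewall itself never appear on the inside
    interface whether accepted or dropped, so they cannot be judged this way."""
    seen_inside = {key(p) for p in inside}
    result = {"forwarded": [], "local": [], "not_forwarded": []}
    for p in outside:
        if key(p) in seen_inside:
            result["forwarded"].append(p)
        elif p["dst"] in firewall_addrs:
            result["local"].append(p)
        else:
            result["not_forwarded"].append(p)
    return result


def summary(outside, inside, firewall_addrs):
    """Counts per class plus the (dst, dport) pairs that were not forwarded."""
    c = classify(outside, inside, firewall_addrs)
    return ({k: len(v) for k, v in c.items()},
            [(p["dst"], p["dport"]) for p in c["not_forwarded"]])


if __name__ == "__main__":
    counts, blocked = summary(OUTSIDE, INSIDE, FIREWALL_ADDRS)
    print(counts)
    print("not forwarded:", blocked)
```

Absence from the inside capture is evidence, not proof, of a drop: the two captures must cover the same interval, and NAT or a lossy capture will also make a forwarded packet look missing, so check those before concluding the rule set did the blocking.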



--__--__--

Message: 9
Date: Thu, 13 May 2004 18:11:11 +0200 (MEST)
From: Akolinare at ...158...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] display/log IPv6 traffic ?

Hi,

I started Snort in an IPv6 network. The summary screen displayed when exiting
Snort shows the correct number of IPv6 packets, but none of them are logged
in the logfiles or displayed at the console (with -v).

Is it not possible to display/log IPv6 traffic with snort ?


I used the latest version 2.1.2.

regards

  Markus

-- 
"You have new mail!" - The GMX toolbar tells you while you surf!
Activate it now at http://www.gmx.net/info




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



