[Snort-users] RE: Snort-users digest, Vol 1 #4239 - 5 msgs

New Kabon nukabon at ...125...
Sat May 15 23:51:02 EDT 2004


Are there any tools that can be used to auto-update the rules?
Thanks a lot,
New



>From: snort-users-request at lists.sourceforge.net
>Reply-To: snort-users at lists.sourceforge.net
>To: snort-users at lists.sourceforge.net
>Subject: Snort-users digest, Vol 1 #4239 - 5 msgs
>Date: Sat, 15 May 2004 20:07:24 -0700
>
>
>Today's Topics:
>
>    1. RE: Administrativia: No advertising please (Kreimendahl, Chad J)
>    2. Oinkmaster v1.0 released. (Andreas Östling)
>    3. localhost alert (kev.p at ...1187...)
>    4. SnortDB-Extra Issues (Josh Berry)
>    5. attack classification (Marcin Laskowski)
>
>--__--__--
>
>Message: 1
>Subject: RE: [Snort-users] Administrativia: No advertising please
>Date: Fri, 14 May 2004 23:07:20 -0500
>From: "Kreimendahl, Chad J" <Chad.Kreimendahl at ...4716...>
>To: <snort-users at lists.sourceforge.net>
>
>
>I was bored, so I thought I'd just add something into this whole fire.
>
>A wise man once said:  "You taught me that not everything is stupid.
>Some things are gay."
>
>-----Original Message-----
>From: Martin Roesch [mailto:roesch at ...1935...]
>Sent: Friday, May 14, 2004 8:36 PM
>To: M. Jamil
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Administrativia: No advertising please
>
>On May 14, 2004, at 7:08 PM, M. Jamil wrote:
>
> > I don't really see a need for such a spectacle, nor a long winded rant
> > from Martin Roesch on the matter.
>
>If you've ever seen one of my rants then you'll know that what I posted
>was nowhere near a rant.  People were questioning whether vendors
>needed to adhere to the rules for etiquette that we've had for this
>list for years and I just wanted to assure them that they did in no
>uncertain terms.
>
> > There isn't really a need for all of you to jump down the sales lady's
> > throat for an accidental CC that she apologized for. On a side note,
> > I've taken a look at what they are doing over there and it all looks
> > pretty cool..  I might even consider it over Sourcefire and their
> > overpriced appliances.
>
>Be my guest.  I wasn't assessing the value of their solution, just
>pointing out that we don't like vendors advertising around here after
>Mr. Hines indicated that he thought that people should expect to be
>marketed to if they post to this list.
>
> > p.s.
> > If Martin Roesch and the others are so upset about the accidental CC
> > of the sales email, why don't you configure your list software to
> > disallow CCs or start moderating?
>
>We've thought about it from time to time and decided to let the list
>police itself due to the time constraints that most of the people who
>admin the Snort project are under.  The accidental CC wasn't what got
>me to post, that happens from time to time and I don't care all that
>much.  It *does* bother me when people say we should expect to see
>these sorts of thing because "it's the way the game is played", and
>that's what got me to respond.
>
>       -Marty
>
>-- 
>Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
>Sourcefire: Intelligent Security Monitoring
>roesch at ...1935... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>--__--__--
>
>Message: 2
>Date: Sat, 15 May 2004 10:53:58 +0200 (CEST)
>From: Andreas Östling <andreaso at ...236...>
>To: snort-users at lists.sourceforge.net,
>	snort-announce at lists.sourceforge.net
>Subject: [Snort-users] Oinkmaster v1.0 released.
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello,
>
>Oinkmaster v1.0 has been released.
>
>Download:
>http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-1.0.tar.gz?download
>
>MD5: 1140fb5484944691268579ca7fc83518
>
>PGP signature:
>http://oinkmaster.sourceforge.net/oinkmaster-1.0.tar.gz.asc
>
>For those who don't know, Oinkmaster is a simple tool to update/manage
>Snort signatures. The homepage is at http://oinkmaster.sourceforge.net/
>
>
>Changes from v0.9:
>
>o Default URL in distribution oinkmaster.conf is now
>   http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz. Don't
>   forget to change it if it's not the right one for your version
>   of Snort!
>o You can now set "rule_actions = ..." in oinkmaster.conf to tell
>   Oinkmaster what keywords are valid as the start of a Snort rule. Useful
>   if you create your own ruletypes and want those lines to be regarded as
>   rules instead of non-rule lines. If unset,
>   "alert|drop|log|pass|reject|sdrop|activate|dynamic" will be used
>   (same as before).
>o You can now run without external binaries if you have the required
>   Perl modules installed (Archive::Tar, IO::Zlib and LWP::UserAgent).
>   You can set use_external_bins to 0 or 1 in oinkmaster.conf to override
>   the default. 0 means to use the Perl modules, 1 means to use external
>   binaries. It's set to 0 by default on Win32 (since the required
>   Perl modules are already included in ActivePerl 5.8.1+), and 1 on other
>   systems (i.e. same behavior as before). This makes it much easier to
>   install Oinkmaster on Windows/ActivePerl. See the new default
>   oinkmaster.conf for more information.
>o A simple graphical multi-platform front-end to Oinkmaster written in
>   Perl/Tk is included in the contrib directory (oinkgui.pl).
>   See README.gui for more information. Screenshots are available on
>   Oinkmaster's homepage.
>o contrib/makesidex.pl has been rewritten to handle multi-line rules and
>   multiple rules directories. It will now also include the rule's "msg"
>   string as a comment on each disablesid line it prints. Usage syntax is
>   unchanged.
>o The other contrib scripts have been improved with misc feature updates
>   and small bug fixes as well. For example, addmsg.pl now handles
>   multiple rules directories just like the others. All scripts now give
>   a short description when run without arguments. Full descriptions can
>   still be found in contrib/README.contrib.
>o The new default oinkmaster.conf has been updated with more and better
>   examples (mostly "modifysid" stuff).
>o Slightly improved multi-line rule parsing.
>o Perl version is checked on startup and must be >= 5.6.1.
>o Permission on all rules files in the output directory that are subject
>   to become updated by Oinkmaster (i.e. files matching the "update_rules"
>   regexp and that are not ignored by a "skipfile") are now checked
>   before starting, so that we don't bail out in the middle of
>   execution if a copy of an updated file should fail because of a
>   permission problem.
>o A manual page is now included which describes all the command
>   line options in detail.
>o Major documentation updates (INSTALL, README, README.win32, FAQ).
>o Many other improvements.
>
>/Andreas
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.4 (OpenBSD)
>
>iD8DBQFApdZgytHlY5LIf/YRAmRhAJ0ZJ4AQmw2L4EdKj4mT/i1Vgvg9iACfceK+
>yBXMWha7bEyHlv4ZUUc86vc=
>=LrsS
>-----END PGP SIGNATURE-----
>
>
>--__--__--
>
>Message: 3
>From: kev.p at ...1187...
>To: snort-users at lists.sourceforge.net
>Date: Sat, 15 May 2004 16:22:34 +0000
>Subject: [Snort-users] localhost alert
>
>I need a rule so I can generate a simple alert on localhost to show
>someone how ACID works. I just started working with Snort so I would really
>appreciate the help.
>
>
>
>
>--__--__--
>
>Message: 4
>Date: Sat, 15 May 2004 12:30:00 -0500 (CDT)
>From: "Josh Berry" <josh.berry at ...10221...>
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] SnortDB-Extra Issues
>
>I recently loaded the snortdb-extra stuff to my database because I am
>working on my own analysis front-end and it seemed like some of the data
>was wrong.
>
>For instance, when the spp_stream4 preprocessor generates a SYN/FIN alert,
>it inserts the tcp_flags value into tcphdr as 3 as it should be.  But then
>looking up the value of 3 in the flags table shows 3 as being NULL packet
>with both of the reserved bits set.
>
>Am I just using this wrong or are the values wrong?
>
>
>Thanks
>
>
>--__--__--
>
>Message: 5
>From: "Marcin Laskowski" <cineklas at ...3879...>
>To: <snort-users at lists.sourceforge.net>
>Date: Sat, 15 May 2004 20:52:11 +0200
>Subject: [Snort-users] attack classification
>
>
>Hi all
>
>I need information about the classification of the attacks in Snort.
>Is there any parallel which says that for example XMAS Scan belongs to
>attempt-recon group? There's no problem with extracting such information
>from rule files but it's a little boring. And what about the
>preprocessors? How do they match attacks with groups?
>
>......................................
>Best Regards, Marcin
>
>
>
>e-mail:         mjl at ...11364...
>
>============================================
>Windows is a 32-bit patch for a 16-bit GUI
>based on an 8-bit system
>written for a 4-bit processor
>by a 2-bit company
>of 1-bit competence.
>
>
>
>
>
>--__--__--
>
>
>
>End of Snort-users Digest

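Josh Berry's tcp_flags question turns on the bit layout of the TCP flags byte: under the RFC 793 assignments FIN is 0x01 and SYN is 0x02, so a stored value of 3 is exactly SYN/FIN, which is what spp_stream4 wrote. The following Python is an added example, not code from the digest or from snortdb-extra. It decodes a flags byte, labels the SYN/FIN, NULL and XMAS combinations, and includes a table indexed with the bit order reversed as a constructed hypothesis of how a lookup table could describe 3 as a packet with only the two RFC 793 reserved bits set; whether snortdb-extra's flags table was built that way is not something the thread establishes.

```python
# Added example, not code from the Snort-users digest or from snortdb-extra.
# Decodes the one-byte tcp_flags value (as stored in a tcphdr row) with the
# RFC 793 bit layout and names the combinations a stream preprocessor treats
# as anomalous. The reversed-order table is a constructed hypothesis for the
# discrepancy described in the thread, not the actual snortdb-extra schema.
from typing import List

# RFC 793 flag bits, lowest bit first. Bits 6 and 7 were reserved in
# RFC 793 and were later assigned to ECE and CWR by RFC 3168.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def decode_tcp_flags(value: int) -> List[str]:
    """Names of the flags set in a tcp_flags byte, lowest bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("tcp_flags is a single byte")
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def classify_tcp_flags(value: int) -> str:
    """Label the flag combinations that spp_stream4-style checks alert on."""
    low6 = value & 0x3F  # ECE/CWR can legitimately accompany a SYN (ECN setup)
    if low6 == 0:
        return "NULL scan (no flags set)"
    if low6 & 0x03 == 0x03:
        return "SYN/FIN set together"
    if low6 == 0x29:
        return "XMAS scan (FIN/PSH/URG)"
    return "normal"


def reversed_table_label(value: int) -> List[str]:
    """Constructed hypothesis: how a table indexed bit 0 = CWR ... bit 7 = FIN
    would describe the same byte."""
    names = list(TCP_FLAG_BITS)[::-1]  # CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    return [names[i] for i in range(8) if value & (1 << i)]


if __name__ == "__main__":
    for v in (0x03, 0x00, 0x12, 0x29):
        print(f"{v:#04x}: {decode_tcp_flags(v)} -> {classify_tcp_flags(v)}")
    # Read through the reversed table, 3 shows only the two bits that were
    # reserved under RFC 793: "a NULL packet with both reserved bits set".
    print("reversed table reads 3 as", reversed_table_label(3))
```

When checking a flags lookup table against the values a preprocessor stores, decode a few known rows (a plain SYN should be 0x02, SYN/ACK 0x12) with `decode_tcp_flags` first; if those disagree with the table's descriptions, the table's bit order, not the stored values, is the thing to question.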