[Snort-users] help

Lillebø Harald Sindre halil at ...11817...
Tue May 18 01:32:12 EDT 2004


 

	-----Original message----- 
	From: snort-users-admin at lists.sourceforge.net on behalf of snort-users-request at lists.sourceforge.net 
	Sent: Tue 18.05.04 05.07 
	To: snort-users at lists.sourceforge.net 
	Cc: 
	Subject: Snort-users digest, Vol 1 #4242 - 6 msgs
	
	

	Send Snort-users mailing list submissions to
	        snort-users at lists.sourceforge.net
	
	To subscribe or unsubscribe via the World Wide Web, visit
	        https://lists.sourceforge.net/lists/listinfo/snort-users
	or, via email, send a message with subject or body 'help' to
	        snort-users-request at lists.sourceforge.net
	
	You can reach the person managing the list at
	        snort-users-admin at lists.sourceforge.net
	
	When replying, please edit your Subject line so it is more specific
	than "Re: Contents of Snort-users digest..."
	
	
	Today's Topics:
	
	   1. question about snort... actually cvs (john greene)
	   2. Re: question about snort... actually cvs (Frank Knobbe)
	   3. Re: About virus.rules (Frank Knobbe)
	   4. Re: About virus.rules (Michael Sconzo)
	   5. Re: About virus.rules (Frank Knobbe)
	   6. Re: About virus.rules (Jason Haar)
	
	--__--__--
	
	Message: 1
	Date: Mon, 17 May 2004 13:24:14 -0700 (PDT)
	From: john greene <john_g123_12 at ...131...>
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] question about snort... actually cvs
	
	cvs -d:pserver:anonymous at ...10961...:/cvsroot/snort login
	cvs -z3 -d:pserver:anonymous at ...10961...:/cvsroot/snort co snort
	
	
	I am trying to download the source via cvs.
	
	What client software is required to access the pserver
	? what is the IP or domain name for this server ?
	
	
	
	
	       
	               
	
	
	--__--__--
	
	Message: 2
	Subject: Re: [Snort-users] question about snort... actually cvs
	From: Frank Knobbe <frank at ...9761...>
	To: john greene <john_g123_12 at ...131...>
	Cc: snort-users at lists.sourceforge.net
	Date: Mon, 17 May 2004 16:01:26 -0500
	
	
	
	On Mon, 2004-05-17 at 15:24, john greene wrote:
	> I am trying to download the source via cvs.
	>
	> What client software is required to access the pserver
	> ? what is the IP or domain name for this server ?
	
	Sounds like you are using a Windows system. Check out http://www.wincvs.org
	for a good Windows CVS client. (If you were to use *nix, you would have
	a command line CVS client named... well... cvs. :)
	
	While you are at it, check out http://winmerge.sourceforge.net/ for easy
	comparing/diffing of files.
	
	Regards,
	Frank
	(part-time coffee-shop Revolutionary)
	
	
	
	
	
	--__--__--
	
	Message: 3
	Subject: Re: [Snort-users] About virus.rules
	From: Frank Knobbe <frank at ...9761...>
	To: Michael Sconzo <msconzo at ...5072...>
	Cc: snort-users at lists.sourceforge.net
	Date: Mon, 17 May 2004 16:09:41 -0500
	
	
	
	On Mon, 2004-05-17 at 13:22, Michael Sconzo wrote:
	>  I volunteered some time ago, but never received a response.  So,
	>  I can only assume I'm either worthless or they aren't looking for
	>  a maintainer :)  I would hope the 2nd as they say the rules are
	>  going away and they don't care.
	
	No, actually... it's because you're worthless... hehe  ;)
	
	I think the issue is two-fold. For one, virus detection (and prevention)
	is probably better done on the host than on the network. Second, the
	signature list would have to be extensive, and to keep up you'd add them
	daily. Look how quickly viruses are added to Norton. I think the
	virus.rules file would mushroom quickly to the point where Snort would
	drag too much.
	
	Your desktops/servers are a bit slower because of real-time virus
	detection. Imagine all that load resting on Snort. Performance would
	nose-dive.
	
	Personally, I'd rather see all file based viruses and such removed and
	dealt with by virus software. That said, however, I strongly vote for
	continuing to keep up with worms. Since worms are network based, Snort
	is better suited than host-based virus software.
	
	So basically, remove virus.rules or trim it to only those that also
	spread through the network (hybrids), but create and maintain a
	worm.rules file.
	
	Regards,
	Frank
	(part-time coffee-shop rebel)
	
	
	
	
	
	--__--__--
	
	Message: 4
	Date: Mon, 17 May 2004 16:53:58 -0500
	From: Michael Sconzo <msconzo at ...5072...>
	To: Frank Knobbe <frank at ...9761...>
	Cc: snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] About virus.rules
	
	> No, actually... it's because you're worthless... hehe  ;)
	
	My worst fear has come true *cry*. :)
	
	> So basically, remove virus.rules or trim it to only to those that also
	> spread through the network (hybrids), but create and maintain a
	> worm.rules file.
	
	Similar to what we do around here at TAMU for the 40+ snort boxes
	we have out in the wild.  I figured it would be a benefit to most
	people (especially .edu's) that are trying to be good 'net neighbors
	to everybody else, due to the nature of our user base. 
	
	I try to monitor the snort-sigs list and a few other places to try
	and keep up with worm rules, due to problems they cause around here.
	Figured it might be a good way to help give back...but oh well.
	
	I still wouldn't mind doing it officially or unofficially ...
	
	-=Mike
	
	--
	The New Testament offers the basis for modern computer coding theory,
	in the form of an affirmation of the binary number system.
	        But let your communication be Yea, yea; nay, nay: for
	        whatsoever is more than these cometh of evil.
	                -- Matthew 5:37
	
	
	--__--__--
	
	Message: 5
	Subject: Re: [Snort-users] About virus.rules
	From: Frank Knobbe <frank at ...9761...>
	To: Michael Sconzo <msconzo at ...5072...>
	Cc: snort-users at lists.sourceforge.net
	Date: Mon, 17 May 2004 18:38:36 -0500
	
	
	
	On Mon, 2004-05-17 at 16:53, Michael Sconzo wrote:
	> Similar to what we do around here at TAMU for the 40+ snort boxes
	> we have out in the wild.  I figured it would be a benefit to most
	> people (especially .edu's) that are trying to be good 'net neighbors
	> to everybody else, due to the nature of our user base.
	>
	> I try to monitor the snort-sigs list and a few other places to try
	> and keep up with worm rules, due to problems they cause around here.
	> Figured it might be a good way to help give back...but oh well.
	
	Mike,
	
	I didn't mean to talk you out of it. But have you fully considered the
	effort-benefit factor? It sounds like you already have started to extend
	the virus.rules files in your .edu. How many rules do you have in there?
	Does it impact performance? Can you keep up? If so, what process do you
	have to add them?
	
	Don't get me wrong. I'm all for sharing. But there also has to be one
	standard -- the official Snort rule set.
	
	Perhaps you want to Matthew and James (see postings from end of April in
	Snort-sigs) to see if they want to include that in their custom rule
	base? Or you can set up a central virus.rules repository yourself or at
	SourceForge or wherever, so that you and others can share it. I think
	everyone should make their custom rules available. That's what
	snort-sigs is for. If you have a new virus sig rule, pass it on
	snort-sigs.
	
	As far as a central repository for everyone, I don't think that is going to
	work. Everyone has different needs or configurations, and doesn't want
	to load the full set someone else might be using (especially with all
	those false-positive prone rules). But the lack of a central repo
	doesn't mean that we can't share.
	
	(I'm sorry if I'm not making sense.... had too much work and too little
	sleep lately...)
	
	Regards,
	Frank
	(sometime coffee-shop something)
	
	
	
	
	
	--__--__--
	
	Message: 6
	Date: Tue, 18 May 2004 12:58:52 +1200
	From: Jason Haar <Jason.Haar at ...294...>
	Organization: Trimble Navigation
	To:  snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] About virus.rules
	
	For my five cents I'd also like to trumpet the greatness of detecting
	worms instead of viruses.
	
	You are dead right: viruses are better dealt with by AV scanners, but
	worms...
	
	We have a world-wide installation of Snort, and its primary use is in
	WAN worm detection. It didn't start out that way - but that's where it's
	ended up.
	
	Sasser, Blaster, etc may be supposed to trigger "standard" DCOM rules,
	but as the current Sasser DCOM vulnerability still isn't available
	within the "standard" 2.1 rules series, there's a lot of snort people
	who can't detect it (in fact I specifically moved to the CURRENT series
	for those rules). The worm-specific rules that appeared afterwards were
	much appreciated as a stop-gap measure.
	
	In general I think even "worm" sigs shouldn't be needed as more standard
	rules should also trigger (the worm had to break in some way), but in
	some cases only the dev track of rules can detect such things...
	
	(BTW: in case you were wondering, we trigger e-mail alerts on anything
	that has an internal source address to capture such things - and no, it
	can actually go weeks without triggering :-)
	
	
	--
	Cheers
	
	Jason Haar
	Information Security Manager, Trimble Navigation Ltd.
	Phone: +64 3 9635 377 Fax: +64 3 9635 417
	PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
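
Jason's practice above, e-mailing on anything with an internal source address, as an added example that is not part of the original thread or of Snort itself: a small Python filter over constructed Snort fast-alert lines that keeps only internal-source alerts and then flags internal hosts firing the same rule at several peers. The HOME_NET ranges, rule SIDs and messages are all assumed/constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Snort "fast" alert line layout (regex assumed from the documented format).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Hypothetical HOME_NET; replace with the site's own internal ranges.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample alerts: one inbound hit, one internal host probing
# two peers with a local DCOM rule, and a noisy internal ping sweep.
SAMPLE_ALERTS = """\
05/17-13:24:14.112233  [**] [1:1000001:1] LOCAL DCOM RPC exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4321 -> 10.1.2.3:135
05/17-13:24:15.445566  [**] [1:1000001:1] LOCAL DCOM RPC exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:1044 -> 10.1.2.9:135
05/17-13:24:16.778899  [**] [1:1000001:1] LOCAL DCOM RPC exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:1045 -> 10.1.2.10:135
05/17-13:25:01.000000  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.5.5.5 -> 10.1.2.3
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None for lines we do not understand."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def internal_source_alerts(text):
    """Keep only alerts whose source is inside HOME_NET: inbound Internet noise
    is dropped, an internal host attacking anything is the worm signal."""
    return [a for a in map(parse_alert, text.splitlines()) if a and is_internal(a["src"])]

def suspected_worm_hosts(alerts, min_targets=2):
    """Group internal-source alerts by (source, sid) and count distinct
    destinations; one host firing the same rule at several peers looks like a worm."""
    targets = defaultdict(set)
    for a in alerts:
        targets[(a["src"], a["sid"])].add(a["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    hits = internal_source_alerts(SAMPLE_ALERTS)
    for (src, sid), n in suspected_worm_hosts(hits).items():
        print(f"ALERT: internal host {src} fired sid {sid} at {n} distinct hosts")
```

The single-target ping-sweep source is kept in the e-mail feed but not flagged as a worm, which is the distinction between "anything with an internal source" and "an internal host spreading".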
	
	
	
	
	--__--__--
	
	_______________________________________________
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	https://lists.sourceforge.net/lists/listinfo/snort-users
	
	
	End of Snort-users Digest
	


