[Snort-users] Tao of doing it right: Ignoring bad advice and doing it the Bilanoway!

Arseneault, Thomas (HQP) thomas.arseneault at ...13070...
Tue Feb 22 14:07:06 EST 2005

First off, just because the packets are kept in a db does not mean they
can be replayed. I'm assuming here that these are processed packets and
not raw (though it would be faster to stick raw packets in the DB then
processing them). Even if they are raw packets, if a hacker gets in far
enough to pull packets out of your DB he is in far enough to generate
his/her own set of attacks (again "assuming" proper DB security
practices)(come to think of it, he/she has already successfully attacked
you if he can reach your DB in the first place). 

As for your idea of printing out your packet logs and manually flipping
thru the pages, 1)even on a lightly loaded network, your talking
millions of packets equating to 10's of thousands of pages. 2)While the
fanfold paper industry would love you, but anyone else would be cursing
the idea of having to flip thru reams of paper or lugging around large
daily volumes to backtrack an attack that would be long done and over
with by the time you figure out what page to flip to. 3)How would you do
correlation on a thing like that? You'd have analysis's sitting behind
desks poking thru these volumes for day's on end trying to find evidence
of stealth scans while the crackers tramp merrily thru your network.

As for your "white-cracker friends at the IARC" they were probably
giggling at your idea rather than excited by it.

Tom Arseneault
Security Engineer

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Billy B.
Sent: Tuesday, February 22, 2005 12:52 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Tao of doing it right: Ignoring bad advice and
doing it the Bilanoway!

Hasta la hola, dudes!

The intrepid Bill Bilano here and I need some help with the Snorter... I
was reading up on the competition and was thinking about using them
instead of Snart until I started reading their stupid docs. But then it
is so cool, so I set out to see if Snorpt can do the same stuff that
this other thinger does...

See, at first I decided I would use this Squil IDS thing but that crazy
Russian guy that wrote down the docs said I needed to keep every packet
in a database (who has time for being a packet rat like that?) to make
sure I don't get hackered by the nerds! Well that makes a whole hell of
a lot of sense! If you keep them online in a database and you get hacked
then the hacker will be able to just copy and paste them packets and
whammo! Instant replay attack! Maybe I should I gift wrap them too? 
Smart thinking there you Bolshevik dundernuts! First Northcut drops his
drawers at SANS and now this Betjitch guy wants to pinch it off for the
hackers! His book should be called Tao of Network Reach-arounds!

Anyway, so I was thinking about what to do while working on trying to
get the air vent on the wall to point more at my face when I got my foot
caught on the mouse cable and I tripped and my USB memo-sticker went
flying down the air vent and my Shasta spilled all over my lunch! I had
to get it back because it had all my recipes on it as well as all the
SSL certificates for the bank so I jumped from my chair and took off
like a nut!

So, I went down into the basement to give a look see around to see about
finding it (the basement at the bank is a huge place with lots of dark
tunnels and empty rooms I almost expected to see Geraldo down there
poking his beak into something dumb again). Anyway, I found this one
room that had a garage door thingy and it was locked. So I got this
security guy (or so he says, he just hangs out down by the ladies room
in the lobby and he has a beater stick thing that shocks people, believe
me I know) and he unlocked the room and all I found were about fifty old
impact printers. Crapo!

So I was sitting on the throne Friday night and then this idea plopped
into my head! It was so good, that I called my white-cracker friends at
the IARC and they were so excited by my idea they just starting giggling
like school kids and hung up and then they probably went back to their
squirrels or whatever the hell it is they use to amuse themselves while
they do nothing all day long but expropriate my tax dollars. Anyway, I
thought that instead of keeping the packets in some stupid database
where they can get stolen, why not use these old printers to make harder
copies instead? Then, if something that smells like fish happens later,
I can get out the packet logs, turn to the correct page, scan in the
relevant packets, and use some OCR software to put them back into
something for the Snoart to look and parse through! So, these printers
really worked out greaty great good for me and that basement room became
my new glory hole for the entire weekend!

So, to make a long story better, I ordered up some fresh meat for the
grinder (some interns from the local community college you know those
people they are all destitute vagrants who think they can get smarter
than Bill by reading about how not to make babies in the workplace). So
I assigned these crappy interns to printer detail in the basement to
change paper and load ink - we get a ton of traffic on our OC3!

Does anyone else have interns working for them? Because these kids are
stupid! All they've done all day is complain about the noise and you
know what? I already was generous enough to buy them some earmuffs. One
of them already quit after only one day of this! Kids these days are
unreliable and only concerned about themselves. They don't understand
that they are hired to do a job... do they really think that I am going
to stand down there around all those noisy printers? Give moi a breaker!

Anyway... so now I am looking for some hot cool OCR software for *NIX to
work with my drum scanner so I can test my theory out... can anyone make
any recommendations?

P.S. My bloglog is still here <http://www.bilano.biz/> and you should
read it because it is the best!

Mr. Billy B. Bilano, MSCE, CCNA
Expert Sysadmin Since 2003!

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list