[Snort-users] Tao of doing it right: Ignoring bad advice and doing it the Bilanoway!

Sean Brown sblinux at ...9344...
Tue Feb 22 14:59:07 EST 2005


Don't feed the trolls.

----- Original Message -----
From: "Arseneault, Thomas (HQP)" <thomas.arseneault at ...13070...>
Date: Tuesday, February 22, 2005 3:06 pm
Subject: RE: [Snort-users] Tao of doing it right: Ignoring bad advice and doing it the Bilanoway!

> First off, just because the packets are kept in a db does not mean
> they can be replayed. I'm assuming here that these are processed
> packets and not raw (though it would be faster to stick raw packets in
> the DB than processing them). Even if they are raw packets, if a hacker
> gets in far enough to pull packets out of your DB he is in far enough
> to generate his/her own set of attacks (again "assuming" proper DB
> security practices) (come to think of it, he/she has already
> successfully attacked you if he can reach your DB in the first place).
> 
> As for your idea of printing out your packet logs and manually
> flipping thru the pages, 1) even on a lightly loaded network, you're
> talking millions of packets equating to 10's of thousands of pages.
> 2) While the fanfold paper industry would love you, anyone else would
> be cursing the idea of having to flip thru reams of paper or lugging
> around large daily volumes to backtrack an attack that would be long
> done and over with by the time you figure out what page to flip to.
> 3) How would you do correlation on a thing like that? You'd have
> analysts sitting behind desks poking thru these volumes for days on
> end trying to find evidence of stealth scans while the crackers tramp
> merrily thru your network.
> 
> As for your "white-cracker friends at the IARC" they were probably
> giggling at your idea rather than excited by it.
> 
> Tom Arseneault
> Security Engineer
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [snort-users-admin at lists.sourceforge.net] On Behalf Of Billy B.
> Bilano
> Sent: Tuesday, February 22, 2005 12:52 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Tao of doing it right: Ignoring bad advice and
> doing it the Bilanoway!
> 
> Hasta la hola, dudes!
> 
> The intrepid Bill Bilano here and I need some help with the 
> Snorter... I
> was reading up on the competition and was thinking about using them
> instead of Snart until I started reading their stupid docs. But 
> then it
> is so cool, so I set out to see if Snorpt can do the same stuff that
> this other thinger does...
> 
> See, at first I decided I would use this Squil IDS thing but that
> crazy Russian guy that wrote down the docs said I needed to keep
> every packet in a database (who has time for being a packet rat like
> that?) to make sure I don't get hackered by the nerds! Well that makes
> a whole hell of a lot of sense! If you keep them online in a database
> and you get hacked then the hacker will be able to just copy and paste
> them packets and whammo! Instant replay attack! Maybe I should gift
> wrap them too? Smart thinking there you Bolshevik dundernuts! First
> Northcut drops his drawers at SANS and now this Betjitch guy wants to
> pinch it off for the hackers! His book should be called Tao of Network
> Reach-arounds!
> 
> Anyway, so I was thinking about what to do while working on trying to
> get the air vent on the wall to point more at my face when I got 
> my foot
> caught on the mouse cable and I tripped and my USB memo-sticker went
> flying down the air vent and my Shasta spilled all over my lunch! 
> I had
> to get it back because it had all my recipes on it as well as all the
> SSL certificates for the bank so I jumped from my chair and took off
> like a nut!
> 
> So, I went down into the basement to give a look see around to see
> about finding it (the basement at the bank is a huge place with lots
> of dark tunnels and empty rooms, I almost expected to see Geraldo down
> there poking his beak into something dumb again). Anyway, I found this
> one room that had a garage door thingy and it was locked. So I got
> this security guy (or so he says, he just hangs out down by the ladies
> room in the lobby and he has a beater stick thing that shocks people,
> believe me I know) and he unlocked the room and all I found were about
> fifty old impact printers. Crapo!
> 
> So I was sitting on the throne Friday night and then this idea plopped
> into my head! It was so good, that I called my white-cracker friends
> at the IARC and they were so excited by my idea they just started
> giggling like school kids and hung up and then they probably went back
> to their squirrels or whatever the hell it is they use to amuse
> themselves while they do nothing all day long but expropriate my tax
> dollars. Anyway, I thought that instead of keeping the packets in some
> stupid database where they can get stolen, why not use these old
> printers to make harder copies instead? Then, if something that smells
> like fish happens later, I can get out the packet logs, turn to the
> correct page, scan in the relevant packets, and use some OCR software
> to put them back into something for the Snoart to look and parse
> through! So, these printers really worked out greaty great good for me
> and that basement room became my new glory hole for the entire
> weekend!
> 
> So, to make a long story better, I ordered up some fresh meat for the
> grinder (some interns from the local community college you know those
> people they are all destitute vagrants who think they can get smarter
> than Bill by reading about how not to make babies in the 
> workplace). So
> I assigned these crappy interns to printer detail in the basement to
> change paper and load ink - we get a ton of traffic on our OC3!
> 
> Does anyone else have interns working for them? Because these kids are
> stupid! All they've done all day is complain about the noise and you
> know what? I already was generous enough to buy them some earmuffs.
> One of them already quit after only one day of this! Kids these days
> are unreliable and only concerned about themselves. They don't
> understand that they are hired to do a job... do they really think
> that I am going to stand down there around all those noisy printers?
> Give moi a breaker!
> 
> Anyway... so now I am looking for some hot cool OCR software for 
> *NIX to
> work with my drum scanner so I can test my theory out... can 
> anyone make
> any recommendations?
> 
> P.S. My bloglog is still here <http://www.bilano.biz/> and you should
> read it because it is the best!
> 
> --
> Mr. Billy B. Bilano, MSCE, CCNA
> <http://www.bilano.biz/>
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
> 
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real
> users. Discover which products truly live up to the hype. Start
> reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users