[Snort-users] Re: Snort-users digest, Vol 1 #4982 - 10 msgs

James Affeld jamesaffeld at ...131...
Tue Mar 8 11:23:05 EST 2005


SANS requires an analysis paper from applicants for
its Intrusion Analyst certificate.  Those papers are a
tremendous resource for intrusion detection techniques
and analysis, especially the Honors papers.  In
addition, there are suggested papers for various tools
and techniques cited in their cert. prep. guide:

http://www.giac.org/practicals/guides/gcia.pdf (pages 4-6)

Richard Bejtlich's _The Tao of Network Security Monitoring_
is a really good book.  It doesn't address Snort at
all, but looks at Bro and Prelude.  But IDS is only
one of 4 major types of data he covers.  I found it
incredibly useful if you are really doing this stuff.


> Message: 3
> Date: Mon, 7 Mar 2005 10:38:24 -0500
> From: Craig W <codecraig at ...11827...>
> Reply-To: Craig W <codecraig at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New to the Group
> 
> Dennis suggested checking out Snort for Dummies.
> 
> I am still open for other suggestions as I am trying
> to learn about IDS's in general.
> 
> thanks
> 
> 
> On Mon, 7 Mar 2005 07:34:10 -0800, Reza
> <reza at ...13136...> wrote:
> > Hey, the answer wasn't posted to the mailing list,
> you mind letting me know
> > what was recommended? Thanks.
> > 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]
> On Behalf Of Craig W
> > Sent: Monday, March 07, 2005 6:42 AM
> > To: Snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] New to the Group
> > 
> > Thanks, I'll check that one out on my lunch break
> today (hopefully
> > Borders has that one in stock :)
> > 
> > On Mon, 7 Mar 2005 09:33:33 -0500, Dennis Propson
> <dpropson at ...5068...>
> > wrote:
> > > Until recently, I have not used a "Dummies" book
> in years, if ever.  Don't
> > > be embarrassed to order Snort for Dummies.  Just
> close your office door
> > > while perusing it.  Actually, it's a good way to
> get Snort up and running.
> > >
> > > Dennis
> > >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > >
> [mailto:snort-users-admin at lists.sourceforge.net]On
> Behalf Of Craig W
> > > Sent: Monday, March 07, 2005 8:18 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] New to the Group
> > >
> > > Hi everyone,
> > >     I am researching IDS's and of course Snort
> is on the list of
> > > things to check out and explore.  I am curious
> if anyone can suggest
> > > any online articles, tutorials, and the like for
> someone like myself
> > > who wants to learn more about IDS's in general
> and about using Snort,
> > > programming and using snort, etc.
> > >
> > > Thanks in advance.
> > >
> > >
>
-------------------------------------------------------
> > > SF email is sponsored by - The IT Product Guide
> > > Read honest & candid reviews on hundreds of IT
> Products from real users.
> > > Discover which products truly live up to the
> hype. Start reading now.
> > >
>
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or
> unsubscribe:
> > >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > 
> > --
> > 
> > http://www.codecraig.com
> > http://jroller.com/page/codecraig
> > 
> >
> > 
> > 
> 
> 
> -- 
> 
> http://www.codecraig.com
> http://jroller.com/page/codecraig
> 
> 
> --__--__--
> 
> Message: 4
> Date: Mon, 7 Mar 2005 11:25:45 -0500
> From: Craig W <codecraig at ...11827...>
> Reply-To: Craig W <codecraig at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New to the Group
> 
> Thanks for the information, I will check that out as
> well.
> 
> 
> On Mon, 07 Mar 2005 10:45:29 -0500, Geffrey Velásquez
> <gvelasquez at ...12923...> wrote:
> > Hi, I'm new too. If you would like to learn about
> > programming (preprocessors and output plugins) and
> > Snort in depth you could buy Snort 2.1 Intrusion
> > Detection, written by Andrew Baker, Jay Beale, Brian
> > Caswell and Mike Poor.  The howto is also a good
> > source of information.
> >
> > Geffrey
> >
> -- 
> 
> http://www.codecraig.com
> http://jroller.com/page/codecraig
> 
> 
> --__--__--
> 
> Message: 5
> Date: Mon, 7 Mar 2005 11:48:18 -0500
> From: Craig W <codecraig at ...11827...>
> Reply-To: Craig W <codecraig at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort on windows
> 
> Can I run snort on windows?  If so, can someone tell
> me how?
> 
> Thanks.
> 
> 
> --__--__--
> 
> Message: 6
> Date: Mon, 7 Mar 2005 18:33:37 +0100 (CET)
> From: "Teva AVRIL" <teva.avril at ...13005...>
> To: snort-users at lists.sourceforge.net
> Reply-To: teva.avril at ...13005...
> Subject: [Snort-users] barnyard and acid
> 
> hi,
> 
> I have a 2-tier snort set up with snort and barnyard
> running on one box, and mysql/acid running on another.
> 
> I have snort configured with the following options:
> 
> snort.conf:
> 
> output log_unified: filename snort.unified.log, limit 128
> 
> and barnyard.conf configured as follows:
> 
> config hostname: localhost
> config interface: eth0
> output alert_acid_db: mysql, database snort, server ids.domain.com, user snort, password snort
> output log_acid_db: mysql, database snort, server ids.domain.com, user snort, password snort, detail full
> 
> I run snort like:
> 
> /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D
> 
> and barnyard like:
> 
> /usr/local/bin/barnyard -c /etc/snort/barnyard.conf \
>   -p /etc/snort/classification.config \
>   -f snort.unified.log \
>   -g /etc/snort/rules/gen-msg.map \
>   -s etc/snort/rules/sid-msg.map \
>   -w /usr/local/snortlogs/barnyard.waldo
> 
> data appears in the db in almost all tables but
> nothing is showing up in ACID: all acid_* tables are
> empty. The sensor table isn't empty: there is one
> value (inserted by barnyard, not by me) which is:
> 
> sid  hostname  interface  filter  detail  encoding  last_cid
> ---  --------  ---------  ------  ------  --------  --------
> 1    sensor    eth0       NULL    1       0         0
> 
> 
> anybody know why acid doesn't insert something in
> acid_* tables?
> 
> Thanks,
> 
> 
> 
> 
> --__--__--
> 
> Message: 7
> Date: Mon, 7 Mar 2005 11:53:27 -0500
> From: Craig W <codecraig at ...11827...>
> Reply-To: Craig W <codecraig at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort on windows
> 
> duh, I found it... didn't see the "binaries" section
> in the download area.
> 
> thanks
> 
> 
> --__--__--
> 
> Message: 8
> Reply-To: <wfitzgerald at ...9307...>
> From: "William Fitzgerald" <wfitzgerald at ...9307...>
> To: "'Craig W'" <codecraig at ...11827...>,
> 	<snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] New to the Group
> Date: Mon, 7 Mar 2005 15:39:06 -0000
> 
> Try prelude (ids and honeypot capabilities) and see
> its documentation repository. It's free also. Snort
> can become a prelude sensor also.
> http://www.prelude-ids.org/
> 
> Regards,
> Will.
> 
> Mr.William M. Fitzgerald (MSc,BSc),
> Applied Researcher,
> Telecommunications Software & Systems Group,
> Waterford Institute of Technology,
> Cork Rd.
> Waterford.
> Office Ph: +353 51 302937
> Mobile Ph: +353 87 9527083
> Web: www.williamfitzgerald.org/
> 
> 
> 
> --__--__--
> 
> Message: 9
> From: Florin Andrei <florin at ...13138...>
> Reply-To: snort-users at lists.sourceforge.net
> To: snort-users at lists.sourceforge.net
> Date: Mon, 07 Mar 2005 10:08:54 -0800
> Subject: [Snort-users] fail open / fail close
> 
> When building a DIY IDS using Snort and off the
> shelf hardware, if the IDS is in-line, it will
> naturally enforce a fail-close policy if something
> goes wrong.
> But what if I want to tell the device to fail open?
> I'm not talking about sophisticated monitoring of the
> system health and switching to open state (although
> that would be nice, if possible), I'm talking about
> fail open if the power fails. Probably some kind of
> Ethernet hardware is required, but do you guys know
> any such hardware?
> Thanks,
> 
> -- 
> Florin Andrei
> 
> http://florin.myip.org/
> 
> 
> 
> --__--__--
> 
> Message: 10
> Date: Mon, 7 Mar 2005 13:14:41 -0500
> From: Craig W <codecraig at ...11827...>
> Reply-To: Craig W <codecraig at ...11827...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] pcap_loop error?
> 
> Ok, so I am running Snort 2.3.0 RC2 (on Win XP Pro)
> and I installed WinPcap 3.0.  When I run snort -v at
> the command line... after about 30 seconds I press
> Ctrl+C (to stop it) and I get the following message:
> 
> pcap_loop: read error: PacketReceivePacket failed
> Run time for packet processing was 30.54000 seconds
> 
> any idea why?
> 
> thanks
> 
> 
> 
> --__--__--
> 
> 
> 
> End of Snort-users Digest
> 
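The barnyard command line in Message 6 above passes -g gen-msg.map and -s sid-msg.map so that events read from the unified log reach the database with their rule message text instead of bare generator/signature numbers. What follows is an added example, not code from the original post, from barnyard or from Snort: a Python parser for both map formats that does the same (gid, sid) lookup, plus a check on the path arguments (it flags a relative map path such as the -s argument quoted above, which resolves against barnyard's working directory rather than /etc/snort). The sample map lines are constructed for the example, and the placeholder text for an id that is in neither map is an assumption about barnyard's fallback wording, not something verified here.

```python
"""Resolve Snort (gid, sid) pairs to rule messages the way barnyard's
-g gen-msg.map and -s sid-msg.map options do, and sanity-check the
map file arguments before starting the daemon."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample map files (made up for this example, not copied
# from any Snort rules release).
SAMPLE_GEN_MSG = """\
# gid || sid || message
1 || 1 || snort general alert
105 || 1 || spp_bo: Back Orifice Traffic detected
122 || 1 || (portscan) TCP Portscan
"""

SAMPLE_SID_MSG = """\
# sid || message || reference ...
1000001 || LOCAL TEST ping || url,example.invalid/test
1000002 || LOCAL TEST ssh banner
"""

SigKey = Tuple[int, int]  # (gid, sid)


@dataclass
class Signature:
    gid: int
    sid: int
    msg: str
    refs: List[str] = field(default_factory=list)


def _fields(raw: str) -> Optional[List[str]]:
    """Split one map line on '||'; None for blank and comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    return [f.strip() for f in line.split("||")]


def parse_gen_msg(text: str) -> Dict[SigKey, Signature]:
    """gen-msg.map: 'gid || sid || message' (decoder/preprocessor events)."""
    table: Dict[SigKey, Signature] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = _fields(raw)
        if f is None:
            continue
        if len(f) < 3:
            raise ValueError(f"gen-msg.map line {lineno}: need gid || sid || msg")
        gid, sid = int(f[0]), int(f[1])
        table[(gid, sid)] = Signature(gid, sid, f[2])
    return table


def parse_sid_msg(text: str) -> Dict[SigKey, Signature]:
    """sid-msg.map: 'sid || message [|| ref ...]'; every entry is generator 1."""
    table: Dict[SigKey, Signature] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = _fields(raw)
        if f is None:
            continue
        if len(f) < 2:
            raise ValueError(f"sid-msg.map line {lineno}: need sid || msg")
        sid = int(f[0])
        table[(1, sid)] = Signature(1, sid, f[1], f[2:])
    return table


def build_table(gen_text: str, sid_text: str) -> Dict[SigKey, Signature]:
    """Merge both maps; a rule sid overrides any gid-1 line in gen-msg.map."""
    table = parse_gen_msg(gen_text)
    table.update(parse_sid_msg(sid_text))
    return table


def lookup(table: Dict[SigKey, Signature], gid: int, sid: int, rev: int = 0) -> str:
    """Message text for an event.  For an id missing from both maps the
    placeholder mirrors barnyard's 'Snort Alert [gid:sid:rev]' wording;
    that wording is an assumption, not checked against barnyard here."""
    sig = table.get((gid, sid))
    return sig.msg if sig else f"Snort Alert [{gid}:{sid}:{rev}]"


def check_map_path(path: str) -> Optional[str]:
    """Describe what is wrong with a -g/-s argument, or None if it is usable.
    barnyard usually runs as a daemon, so a relative path is resolved
    against whatever directory it was started from, not /etc/snort."""
    if not os.path.isabs(path):
        return f"{path}: relative path; use an absolute path"
    if not os.path.isfile(path):
        return f"{path}: file not found"
    return None


if __name__ == "__main__":
    t = build_table(SAMPLE_GEN_MSG, SAMPLE_SID_MSG)
    for gid, sid in [(105, 1), (1, 1000001), (1, 999999)]:
        print(f"[{gid}:{sid}] {lookup(t, gid, sid)}")
    for p in ["/etc/snort/rules/gen-msg.map", "etc/snort/rules/sid-msg.map"]:
        print(p, "->", check_map_path(p) or "ok")
```

Run it as a script to see the three lookups and the two path checks; to use it against a real install, read the two map files from /etc/snort/rules into build_table and run check_map_path over every -g and -s argument before starting barnyard.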

