[Snort-users] Snort-users Digest, Vol 46, Issue 32

Joel Esler joel.esler at ...14399...
Thu Mar 25 12:50:22 EDT 2010


The current version is 2.8.5.3, so I suggest a download and compile of that from the snort.org site according to the documentation.

You will also need to be running the 2.8 ruleset, so I suggest a download and use of that as well.


Joel

On Mar 25, 2010, at 12:06 PM, Tushar Modi wrote:

> I just found we are using version 2.6 not 2.4. I would like to know, how
> to update to newer version with latest signature.
> 
> Thanks
> 
> Tushar Modi
> Sr. Network Analyst
> JK Group Inc.
> work:(609) 799-7830 Ext. 13732
> Fax:(609)799-8019
> Integrated Solutions for Global Philanthropy
> 
> 
> -----Original Message-----
> From: snort-users-request at lists.sourceforge.net
> [mailto:snort-users-request at lists.sourceforge.net] 
> Sent: Wednesday, March 24, 2010 4:00 PM
> To: snort-users at lists.sourceforge.net
> Subject: Snort-users Digest, Vol 46, Issue 32
> 
> 
> Today's Topics:
> 
>   1. Re: How many ports is considered a portsweep/portscan?
>      (Nerijus Krukauskas)
>   2.  Tap and Hub (D. Hofstee)
>   3. Re: Tap and Hub (Nick Moore)
>   4. Re: snort information (Tushar Modi)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 24 Mar 2010 20:14:02 +0200
> From: Nerijus Krukauskas <nkrukauskas at ...11827...>
> Subject: Re: [Snort-users] How many ports is considered a
> 	portsweep/portscan?
> To: Joel Esler <joel.esler at ...14399...>
> Cc: "snort-users at lists.sourceforge.net"
> 	<snort-users at lists.sourceforge.net>
> Message-ID:
> 	<951e50da1003241114y414e3f84u5696e746286b46ba at ...11828...>
> Content-Type: text/plain; charset=UTF-8
> 
> On 2010-03-24, Joel Esler <joel.esler at ...14399...> wrote:
>> Ah. That makes sense. Tip: reply to all?
> 
> Hate this feature, when replying to mailing list post. In good old
> days :) the mailing list posts ALL had reply-to mapped to mailing
> list. Now it's different with each list... OK, this is starting to
> look like old man whining... Gotta stop it. :)
> 
> -- 
> http://nk99.org/
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 24 Mar 2010 20:14:09 +0100
> From: "D. Hofstee" <hofstee at ...11827...>
> Subject: [Snort-users]  Tap and Hub
> To: snort-users at lists.sourceforge.net
> Message-ID:
> 	<6b35b1711003241214rc4f8a98l194d4222c5277347 at ...11828...>
> Content-Type: text/plain; charset="utf-8"
> 
> ---------- Forwarded message ----------
> From: D. Hofstee <hofstee at ...11827...>
> Date: Wed, Mar 24, 2010 at 8:13 PM
> Subject: Re: [Snort-users] Tap and Hub
> To: Eoin Miller <eoin.miller at ...14586...>
> 
> 
> well, for the sake of being curious: how do people monitor inter-server
> traffic? A tap in front of the switch doesn't do the job.
> 
> bye,
> 
> David
> 
> 
> On Wed, Mar 24, 2010 at 7:11 PM, Eoin Miller <
> eoin.miller at ...14586...> wrote:
> 
>> Here is a good article/writeup about this:
>> http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html
>> 
>> -- Eoin
>> 
>> On 3/24/2010 4:12 PM, akos.daniel at ...14798... wrote:
>>> Hi,
>>> 
>>> What is the difference between a network hub and a network tap?
>>> Maybe a stupid question, but is there a "gigabit hub" on the market or for
>>> gigabit should I look for a tap?
>>> (span port is not possible in my case...)
>>> Thanks for the info.
>>> 
>>> Akos
>>> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 24 Mar 2010 14:17:56 -0500
> From: Nick Moore <nmoore at ...1935...>
> Subject: Re: [Snort-users] Tap and Hub
> To: "D. Hofstee" <hofstee at ...11827...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
> 	<5c039a921003241217u3d040873ge9cc553037d677b0 at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> David,
> 
> That's why larger switches have the SPAN feature. In essence, it repeats the
> traffic of some or all the other switch ports out a designated port for
> sniffers or IDS sensors. Here's more info:
> 
> http://www.enterprisenetworkingplanet.com/nethub/article.php/3766701
> 
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
> 
> 
> Nick
> 
> -- 
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>      nickgmoore38 (AIM)
> 
>   ,,_
>  o"  )~   Sourcefire - The Creators of Snort
>   ''''
> 
> www.sourcefire.com         www.snort.org
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 24 Mar 2010 15:47:22 -0400
> From: "Tushar Modi" <TusharM at ...14801...>
> Subject: Re: [Snort-users] snort information
> To: <snort-users at ...314...>
> Message-ID:
> 	<9DAE5CA10EF4154AA7927184AF08AAFC01FC6DDE at ...14802...>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi,
> 
> We are using older Snort 2.4 version and we would like to upgrade it to
> 2.8 latest version. We are running older version in Windows 2003 server.
> If you please send us information, how to upgrade to 2.8 in Windows
> 2003 server. I downloaded current version from your web site but I
> really do not know how to upgrade and what is quickest method to upgrade
> to latest version.
> 
> 
> 
> I appreciate it, if you please provide us information so we can upgrade
> latest version with the current signature.
> 
> 
> 
> Thanks,
> 
> Tushar Modi
> 
> Sr. Network Analyst
> 
> JK Group Inc.
> 
> work:(609) 799-7830 Ext. 13732
> 
> Fax:(609)799-8019
> 
> Integrated Solutions for Global Philanthropy
> 
> 
> 
> From: Mike Guiterman [mailto:mguiterman at ...1935...] 
> Sent: Wednesday, March 24, 2010 3:41 PM
> To: Tushar Modi
> Subject: Re: snort information
> 
> 
> 
> Check out the set-up guides here:
> http://www.snort.org/docs/setup-guides/.  If you don't find one that
> matches to your platform you should ask the snort-users mailing list.
> Someone in the community may be able to provide guidance.
> 
> -mg
> 
> On Wed, Mar 24, 2010 at 3:31 PM, Tushar Modi <TusharM at ...14801...>
> wrote:
> 
> Hi Mike,
> 
> 
> 
> Thank you for this quick reply, we are running 2.4 so how can I upgrade
> it to 2.8. What is a process to upgrade current version. If you please
> provide us a doc. with where and how to upgrade it. I appreciate it.
> 
> 
> 
> Thanks,
> 
> Tushar Modi
> 
> Sr. Network Analyst
> 
> JK Group Inc.
> 
> work:(609) 799-7830 Ext. 13732
> 
> Fax:(609)799-8019
> 
> Integrated Solutions for Global Philanthropy
> 
> 
> 
> From: Mike Guiterman [mailto:mguiterman at ...1935...] 
> Sent: Wednesday, March 24, 2010 3:27 PM
> To: Tushar Modi
> Cc: snort-team at ...1935...
> Subject: Re: snort information
> 
> 
> 
> Hi Tushar,
> 
> You've got to upgrade your Snort Install.  Snort is currently at version
> 2.8.5.3.  Snort 2.4 hasn't been supported for quite some time.
> 
> Regards,
> 
> Mike
> 
> -- 
> Mike Guiterman
> Snort Community Manager
> Sourcefire, Inc.
> mguiterman at ...1935...
> 410.423.1930 (office)
> 703.400.4091 (mobile)
> 
> On Wed, Mar 24, 2010 at 3:23 PM, Tushar Modi <TusharM at ...14801...>
> wrote:
> 
> Hi,
> 
> 
> 
> We are using your snort IDS version 2.4 and we would like to update the
> signature with the current version. I appreciate it, if you please
> provide us information to update the signature with the current version.
> 
> 
> 
> Thanks,
> 
> 
> 
> Tushar Modi
> 
> Sr. Network Analyst
> 
> JK Group Inc.
> 
> work:(609) 799-7830 Ext. 13732
> 
> Fax:(609)799-8019
> 
> Integrated Solutions for Global Philanthropy
> 

--
Joel Esler
http://blog.joelesler.net





