[Snort-users] Pulled Pork

Berk Gulenler gulenler at ...15881...
Wed Oct 31 03:13:28 EDT 2012


That's funny. :))

On 10/31/2012 03:13 AM, JJ Cummings wrote:
> alert ip any any -> any any (msg:"oh noes, your oinkmaster cron is the broken!!"; sid:666; rev:1;)
>
> Sent from the iRoad
>
> On Oct 30, 2012, at 18:49, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> Now that's a funny idea. Ha!
>>
>> On Oct 30, 2012 6:28 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:
>>> On 10/30/2012 16:25, Joel Esler wrote:
>>>> On Oct 30, 2012, at 12:02 PM, waldo kitty wrote:
>>>>> On 10/30/2012 10:55, Joel Esler wrote:
>>>>>
>>>>>> We have the 15 minute delay in place, as there are some people who like to
>>>>>> download the entire ruleset every 5 seconds.
>>>>>
>>>>> i highly suspect that these are folks with bad cron entries... you'd think
>>>>> they'd be aware of the problem but obviously
>>>>>
>>>>> 1) they are not OR
>>>>> 2) they do not care OR
>>>>> 3) they are trying to cause problems ie: (d)dos anyone?
>>>>
>>>> I believe it's #1. They don't know the problem exists. I've written a few of
>>>> them, and a couple of them have corrected the issue, we have one who
>>>> acknowledged the problem and is going to fix it (don't know when),
>>>
>>> not trying to be nosy but this is out of how many unique oinkcodes abusing the
>>> services like this?
>>>
>>>> and some that haven't acknowledged at all.
>>>>
>>>> And some, whose emails just bounced.
>>>
>>> i'd bet that if those oinkcodes were disabled they'd wake up... or maybe feed
>>> them a "rules archive" with a file inside that states the problem, that their
>>> registered email address is no longer valid and why the code has been set to
>>> redirect to this non-rules archive ;)
>>>
>>> HA! or even a rule or rules that alerts on traffic and has a message that would
>>> point out to them the problem... if they are watching their snort output, that
>>> would definitely get their attention ;) ;) ;)
>>>
>>> ------------------------------------------------------------------------------
>>> Everyone hates slow websites. So do we.
>>> Make your web apps faster with AppDynamics
>>> Download AppDynamics Lite for free today:
>>> http://p.sf.net/sfu/appdyn_sfd2d_oct
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!