Re: Opinion on SNORT
Subject: Re: Opinion on SNORT
From: Matt Carothers (matt telepath.com)
Date: Tue Dec 28 1999 - 17:26:03 CST
On Wed, 22 Dec 1999, Coltrane Nyathi wrote:
> I'll appreciate any comments on SNORT if anyone has ever used/tested it
I like snort. It's fast, useful, and easy to install and configure. Mind
you, it's not as robust as NFR or similar, but it serves for simple burglar
alarms and such.
As an example, I found a couple of compromised accounts on one of my machines
that had been logged into from somewhere in Croatia. After replacing the
login shells with Splotch [1], I invested the 60 seconds or so required to
add ...
alert tcp 161.53.0.0/16 any -> X.X.X.X/32 any (msg:"Incoming Croatian"; flags:S;)
log tcp 161.53.0.0/16 any -> X.X.X.X/32 any
log udp 161.53.0.0/16 any -> X.X.X.X/32 any
... to my Snort rules. Now I'll get an "Incoming Croatian" syslog message
and a log of the traffic with the application layer decode if any more wily
Croatians connect.
- Matt
[1] http://www.frenzy.com/~crack/hornyfem
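Added example, not part of the original message: a small Python model of how the three rules above sort traffic, run over constructed packet records. It assumes 192.0.2.10 as a stand-in for the redacted X.X.X.X, that the alert rule is checked before the log rules, and that the flags test means SYN set with no other flag.

```python
import ipaddress

SRC_NET = ipaddress.ip_network("161.53.0.0/16")  # source block from the rules
DST_HOST = ipaddress.ip_address("192.0.2.10")    # placeholder for X.X.X.X (assumption)

SYN, ACK = 0x02, 0x10  # TCP flag bits


def evaluate(pkt):
    """Return 'alert', 'log' or None for one packet record (a dict)."""
    if ipaddress.ip_address(pkt["src"]) not in SRC_NET:
        return None
    if ipaddress.ip_address(pkt["dst"]) != DST_HOST:
        return None
    # Alert rule: TCP with SYN as the only flag, i.e. a new connection attempt.
    # Exact-match semantics and alert-first ordering are assumptions of this model.
    if pkt["proto"] == "tcp" and pkt.get("flags", 0) == SYN:
        return "alert"
    # Log rules: every other TCP or UDP packet from the block to the host.
    if pkt["proto"] in ("tcp", "udp"):
        return "log"
    return None


# Constructed sample traffic, not captured data.
PACKETS = [
    {"proto": "tcp", "src": "161.53.12.7", "dst": "192.0.2.10", "flags": SYN},
    {"proto": "tcp", "src": "161.53.12.7", "dst": "192.0.2.10", "flags": SYN | ACK},
    {"proto": "tcp", "src": "161.53.12.7", "dst": "192.0.2.10", "flags": ACK},
    {"proto": "udp", "src": "161.53.200.1", "dst": "192.0.2.10"},
    {"proto": "tcp", "src": "161.54.0.1", "dst": "192.0.2.10", "flags": SYN},
    {"proto": "icmp", "src": "161.53.12.7", "dst": "192.0.2.10"},
    {"proto": "tcp", "src": "161.53.1.1", "dst": "192.0.2.11", "flags": SYN},
]


def summarize(packets):
    """Return the rule action chosen for each packet, in order."""
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, action in zip(PACKETS, summarize(PACKETS)):
        print(action, pkt)
```

The model makes two gaps in the rule set visible: ICMP from the block is neither alerted nor logged, and only the one protected address is covered.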
This archive was generated by hypermail 2b27 : Wed Dec 29 1999 - 04:07:37 CST