[Snort-users] RE: Snort-users digest, Vol 1 #4375 - 8 msgs

From: Takisha Harper (TakishaHarperppom.com)
Date: Wed Jul 14 2004 - 12:13:00 CDT


Any of you guys know any people or consultants that can come in and assist
us with setting up Snort?

Thanks

> -----Original Message-----
> From: snort-users-requestlists.sourceforge.net
> [SMTP:snort-users-requestlists.sourceforge.net]
> Sent: Wednesday, July 14, 2004 11:45 AM
> To: snort-userslists.sourceforge.net
> Subject: Snort-users digest, Vol 1 #4375 - 8 msgs
>
> Send Snort-users mailing list submissions to
> snort-userslists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-users-requestlists.sourceforge.net
>
> You can reach the person managing the list at
> snort-users-adminlists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
> 1. RE: plz help (Harper, Patrick)
> 2. RE: plz help (Nick Duda)
> 3. problem with suppress... (Tobias Rice)
> 4. (http_inspect) NON-RFC HTTP DELIMITER issue
> (sjconsultingoptonline.net)
> 5. Re: plz help (shashank.joshitcs.com)
> 6. Remote syslogging of snort (Paul Schmehl)
> 7. Re: NEWBIE: rule writing walkthru? (shashank.joshitcs.com)
> 8. Re: Alerts question (Scott Zawalski)
>
> --__--__--
>
> Message: 1
> From: "Harper, Patrick" <patrick.harperphns.com>
> To: "Chandana Bandara" <chandanadialogsl.net>,
> <snort-userslists.sourceforge.net>
> Date: Wed, 14 Jul 2004 08:15:00 -0500
> Subject: RE: [Snort-users] plz help
>
> Do you have a rule for large ICMP enabled? Try a vulnerability scanner;
> that should trigger some alerts for ya. Or if you have the content:
> /etc/passwd rule enabled, just go to the IP of the snort box in a
> browser with /etc/passwd in the URL and you should get an alert.
>
> When you say "how do I check this from other clients?" are you talking
> about checking the traffic to and from the clients on your network? If
> you are on a switched network (a managed one) you need to set up a span or
> monitor port, depending on the brand of switch. If you are on a dumb switch
> then you either need to use a tap or a small hub inline; taps work better
> in my opinion but hubs are cheaper.
>
> Hope that helps
>
> -----Original Message-----
> From: Chandana Bandara [mailto:chandanadialogsl.net]
> Sent: Wednesday, July 14, 2004 6:19 AM
> To: snort-userslists.sourceforge.net
> Subject: [Snort-users] plz help
>
> hi,
>
> I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs
> in the browser.
> I used the ping command with huge packet sizes to that snort server. But
> there were no alerts in ACID.
>
> So tell me, how do I check this from other clients?
>
> plz help
>
> thanx in advance
> chandana
>
> --__--__--
>
> Message: 2
> Subject: RE: [Snort-users] plz help
> Date: Wed, 14 Jul 2004 09:53:19 -0400
> From: "Nick Duda" <ndudaVistaPrint.com>
> To: "Chandana Bandara" <chandanadialogsl.net>,
> <snort-userslists.sourceforge.net>
>
> Nessus, Retina, NMAP, etc. Anything that can do massive pen testing
> will make snort go crazy. Tools like these are required in a security
> pro's toolbox.
>
>
> From: snort-users-adminlists.sourceforge.net
> [mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Chandana
> Bandara
> Sent: Wednesday, July 14, 2004 7:19 AM
> To: snort-userslists.sourceforge.net
> Subject: [Snort-users] plz help
>
> hi,
>
> I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs
> in the browser.
> I used the ping command with huge packet sizes to that snort server. But
> there were no alerts in ACID.
>
> So tell me, how do I check this from other clients?
>
> plz help
>
> thanx in advance
> chandana
>
>
>
>
> --__--__--
>
> Message: 3
> Date: Wed, 14 Jul 2004 07:01:45 -0700
> From: Tobias Rice <riceup.edu>
> To: Graeme.Ridercolesmyer.com.au
> Cc: snort-userslists.sourceforge.net
> Subject: [Snort-users] problem with suppress...
>
> Are you using the "-o" flag to change the rule testing order to
> Pass|Alert|Log?
>
> Tobias
>
>
> --__--__--
>
> Message: 4
> Date: Wed, 14 Jul 2004 11:21:28 -0400
> From: sjconsultingoptonline.net
> To: snort-userslists.sourceforge.net
> Subject: [Snort-users] (http_inspect) NON-RFC HTTP DELIMITER issue
>
> I am receiving this alert and I know this alert is being generated by
> someone streaming "Yahoo Shoutcast" on my net... would you consider this to
> be a false positive? Is there a way to turn this specific inspection/alert
> off? I was reading through http_inspect and I did not see where it was
> that allowed me to do this. I am running RH9, Snort 2.1.3. If there is
> anything else that I need to post to help you folks help me, please let me
> know.
>
> TIA.
>
> ~SJC
>
>
>
> --__--__--
>
> Message: 5
> To: "Chandana Bandara" <chandanadialogsl.net>
> Cc: snort-userslists.sourceforge.net,
> snort-users-adminlists.sourceforge.net
> Subject: Re: [Snort-users] plz help
> From: shashank.joshitcs.com
> Date: Wed, 14 Jul 2004 21:02:51 +0530
>
>
> You can get hold of nessus and scan your snort host or any other box on the
> intranet (the traffic should be visible to snort though); this can raise
> thousands of alerts.
>
> Or if you are interested in only seeing some alerts in ACID, write a small
> rule to catch all tcp traffic in the "local.rules" file and restart snort.
> (Be sure to remove this rule once you are satisfied :) )
>
> good luck!
>
>
> shashank
>
> "it's difficult to improve perfection !"
>
>
>
> "Chandana Bandara" <chandanadialogsl.net>
> Sent by: snort-users-adminlists.sourceforge.net
> 07/14/2004 04:49 PM
> Please respond to: "Chandana Bandara" <chandanadialogsl.net>
> To: <snort-userslists.sourceforge.net>
> Subject: [Snort-users] plz help
>
> hi,
>
> I have installed snort perfectly in a Red Hat Linux 9 box. The ACID URL runs
> in the browser.
> I used the ping command with huge packet sizes to that snort server. But
> there were no alerts in ACID.
>
> So tell me, how do I check this from other clients?
>
> plz help
>
> thanx in advance
> chandana
>
>
>
>
> --__--__--
>
> Message: 6
> Date: Wed, 14 Jul 2004 10:37:53 -0500
> From: Paul Schmehl <paulsutdallas.edu>
> To: snort-userslists.sourceforge.net
> Subject: [Snort-users] Remote syslogging of snort
>
> I'm trying to set up snort to do remote sysloging. So I put this line in
> the snort.conf file:
>
> output alert_syslog: local1.debug
>
> But when I restart snort, I get this error message in /var/log/messages:
>
> WARNING /usr/local/etc/snort.conf (419) => Unrecognized syslog
> facility/priority: local1.debug
>
> Does snort not recognize the local logging facilities? Or do I have a
> syntax error?
>
> (/etc/syslog.conf reads "local1.debug {sysloghost}";
> sysloghost's /etc/syslog.conf reads "local1.debug /var/log/snort.log".)
>
> Paul Schmehl (paulsutdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
>
>
> --__--__--
>
> Message: 7
> To: waynekentuckyregiments.org
> Cc: snort-userslists.sourceforge.net,
> snort-users-adminlists.sourceforge.net
> Subject: Re: [Snort-users] NEWBIE: rule writing walkthru?
> From: shashank.joshitcs.com
> Date: Wed, 14 Jul 2004 21:08:13 +0530
>
>
> Snort manual...nothing else required for rules info
>
> Good luck!
>
> Shashank
>
> "It's difficult to improve perfection !"
>
>
>
> "Wayne Fielder" <waynekentuckyregiments.org>
> Sent by: snort-users-adminlists.sourceforge.net
> 07/13/2004 07:24 PM
> Please respond to: waynekentuckyregiments.org
> To: snort-userslists.sourceforge.net
> Subject: [Snort-users] NEWBIE: rule writing walkthru?
>
> Greetings all,
>
> I'm brand new to Snort. I know what it is capable of and want to play
> with it but I'm having trouble getting out of the blocks. I'm reading
> through the docs and it seems pretty straightforward but I would like
> to find a walkthru/tutorial or something like that for rule writing.
>
> I'm wanting to use Snort as both an IDS AND a web usage monitor.
> I'm working with a state agency and money is...well...there is no money
> to spend on a Netappliance machine or something of that ilk. I was
> thinking that if Snort can detect intrusions it must also be able to do
> the web usage thing given the correct rule.
>
> Wayne Fielder
> MCP, GSEC, GCIH pending
>
>
>
>
>
>
> --__--__--
>
> Message: 8
> Date: Wed, 14 Jul 2004 08:40:38 -0700
> From: Scott Zawalski <scott.zawalskiweb.de>
> To: Randy Ramsdell <rramsdelcomcast.net>
> CC: "'snort-userslists.sourceforge.net'"
> <snort-userslists.sourceforge.net>
> Subject: Re: [Snort-users] Alerts question
>
> If you are using the standard rule set then you should see some trips on
> the readme.eml content:
>
> Rules 1284 and 1290.
> (http://www.snort.org/cgi-bin/sigs-search.cgi?sid=readme.eml)
>
> As far as a specific CodeRed sid only 1256 applies for CodeRed v2 rule
> and it looks for /root.exe uricontent
> (http://www.snort.org/snort-db/sid.html?sid=1256)
>
> Scott
>
> Randy Ramsdell wrote:
>
> >
> > I have been getting scanned daily by a host that is infected with
> > "code red". Obviously a web server is running on it and I went there
> > and found the typical script trying to push "readme.eml".
> >
> > So, shouldn't snort catch this?
> >
> > I just need to know if it should without getting into specifics of my
> > configuration.
> >
> > I read that snort should detect "code red" if you go to the site,
> > but I am not sure if this is true.
> >
> >
> >
>
>
>
>
> --__--__--
>
>
>
> End of Snort-users Digest
>
>
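The alert_syslog line in message 6 of the quoted digest, as an added example that is not part of the original post and not Snort's own code: a small checker that tokenizes an `output alert_syslog:` line the way the Snort 2.x manual describes the plugin's arguments (space-separated LOG_ keywords for facility, priority and options) and maps a syslog.conf-style selector onto that form. The keyword sets and the LOG_AUTH/LOG_ALERT defaults are taken from the Snort 2.x manual; the sample lines are constructed.

```python
"""Added example (not Snort's code, not from the digest): validate an
`output alert_syslog:` line from snort.conf against the keyword grammar the
Snort 2.x manual documents for the alert_syslog output plugin, and translate
a syslog.conf selector such as "local1.debug" into that grammar."""
import re

# Keyword sets as listed in the Snort 2.x manual for alert_syslog.
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
              *(f"LOG_LOCAL{i}" for i in range(8))}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}
# Defaults the manual gives when facility/priority are omitted.
DEFAULT_FACILITY, DEFAULT_PRIORITY = "LOG_AUTH", "LOG_ALERT"

_OUTPUT_LINE = re.compile(r"^\s*output\s+alert_syslog\s*:\s*(?P<args>.*?)\s*$")


def check_alert_syslog(line):
    """Classify each space-separated token of one snort.conf line.

    Returns a dict with 'ok', 'facility', 'priority', 'options' and
    'problems'.  A token that is not a known facility, priority or option
    keyword is reported with the wording Snort uses in its warning."""
    result = {"ok": False, "facility": None, "priority": None,
              "options": [], "problems": []}
    m = _OUTPUT_LINE.match(line)
    if not m:
        result["problems"].append("not an 'output alert_syslog:' line")
        return result
    for tok in m.group("args").split():
        if tok in FACILITIES:
            if result["facility"] is not None:
                result["problems"].append(f"duplicate facility: {tok}")
            result["facility"] = tok
        elif tok in PRIORITIES:
            if result["priority"] is not None:
                result["problems"].append(f"duplicate priority: {tok}")
            result["priority"] = tok
        elif tok in OPTIONS:
            result["options"].append(tok)
        else:
            # "local1.debug" lands here: the plugin does not split on the
            # dot, so the whole syslog.conf-style token is unrecognized.
            result["problems"].append(
                f"Unrecognized syslog facility/priority: {tok}")
    result["facility"] = result["facility"] or DEFAULT_FACILITY
    result["priority"] = result["priority"] or DEFAULT_PRIORITY
    result["ok"] = not result["problems"]
    return result


def syslogconf_to_snort(selector):
    """Map a syslog.conf selector ("local1.debug") to the two keywords the
    plugin expects ("LOG_LOCAL1 LOG_DEBUG"); None if either half has no
    counterpart in the plugin's keyword lists (e.g. the kern facility)."""
    if selector.count(".") != 1:
        return None
    facility, priority = (f"LOG_{part.upper()}" for part in selector.split("."))
    if facility not in FACILITIES or priority not in PRIORITIES:
        return None
    return f"{facility} {priority}"


if __name__ == "__main__":
    # Constructed sample lines: the one quoted in the digest and a valid form.
    for line in ("output alert_syslog: local1.debug",
                 "output alert_syslog: LOG_LOCAL1 LOG_DEBUG LOG_PID"):
        print(line, "->", check_alert_syslog(line))
    print("local1.debug ->", syslogconf_to_snort("local1.debug"))
```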