Snort mailing list archives
Re: Snort-users digest, Vol 1 #1349 - 12 msgs
From: Suke Li <lisuke () infosec cs pku edu cn>
Date: Wed, 28 Nov 2001 12:52:34 +0800
snort-users-request,

RSA is an algorithm based on the one-way direction of the big number factorization function. There is no way for anyone who can use a public key to get the private key. SSL is based on the RSA algorithm. So, no IDS can decrypt the encrypted sessions in polynomial time. If the network traffic is heavy, how can you decrypt the sessions? That is impossible.
Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Encrypted sessions (Mike Shaw)
2. Re: Encrypted sessions (Chr. v. Stuckrad)
3. Re: Encrypted sessions (Erek Adams)
4. Strange effect splitting 'alert' to 'redalert' + 'logalert' (Chr. v. Stuckrad)
5. Re: Encrypted sessions (Jason Haar)
6. RE: Encrypted sessions (Michael Aylor)
7. Encrypted sessions (Michael Scheidell)
8. Snort & ACID: WAS ([Snort-users] Encrypted sessions) (Ronneil Camara)
9. Snort 1.8 and RH 7.1 (D&D Jordan)
10. ARIS sensor 1.6 Beta RPM (Jensenne Roculan)
11. Next Update to spp_portscan (Stephen Shepherd)
12. mysql on win32 (Ali Zaree)

--__--__--

Message: 1
Date: Tue, 27 Nov 2001 15:25:02 -0600
To: "Ronneil Camara" <ronneilc () remingtonltd com>, <snort-users () lists sourceforge net>
From: Mike Shaw <mshaw () wwisp com>
Subject: Re: [Snort-users] Encrypted sessions

No network based IDS is going to be able to see a signature in an encrypted session of any kind. That goes for Snort or any commercial network IDS. If they could see encrypted traffic, so could any eavesdropper.

The vendor may be trying to sell you a host based IDS/integrity checker, in which case it's apples and oranges. Host based and network based IDS are two different animals, and should be used to complement, not replace, each other.

The vendor could also be conveniently omitting that their own NIDS doesn't work with encrypted traffic. The ol' Jedi mind trick.

-Mike

At 02:53 PM 11/27/2001 -0600, Ronneil Camara wrote:
> How does snort deal with encrypted communication? Let's say I would like to monitor https connections to my web server, or we've got an encrypted connection to another mail server. Would snort know about those attacks? This is what the big vendor company mentioned to me about snort's weakness.
>
> Thanks.
> Neil
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
Date: Tue, 27 Nov 2001 22:25:31 +0100
From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
To: Erek Adams <erek () theadamsfamily net>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Encrypted sessions
Reply-To: stucki () math fu-berlin de

On Tue, Nov 27, 2001 at 01:13:57PM -0800, Erek Adams wrote:
> *sigh* I just love marketing/sales techno-babble. Not!

*grin* there is another problem with 'encryption': I've seen a thing like an IRC-Bot used as DDOS Command-Center and communicating via an encrypted stream to the hacked host... No chance to see anything, except if the key is already known.

> If it's encrypted traffic, to examine the traffic you would have to decode it.

But how? If for example you would want to look for specific bad traffic (we had that with ssh1) and you want to find logins via ssh, you only get the fact that there IS a connection, no contents (else ssh would be useless anyway).

Stucki
--
Christoph von Stuckrad      | nickname  | <stucki () math fu-berlin de>
Freie Universitaet Berlin   | 'stucki'  | Tel(days): +49 30 838-75 459
Fachbereich Mathematik, EDV | if online | Tel(else): +49 30 77 39 6600
Arnimallee 2-6/14195 Berlin | on IRCnet | Fax(alle): +49 30 838-75454

--__--__--

Message: 3
Date: Tue, 27 Nov 2001 13:30:44 -0800 (PST)
From: Erek Adams <erek () theadamsfamily net>
To: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Encrypted sessions

On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:
> *grin* there is another problem with 'encryption': I've seen a thing like an IRC-Bot used as DDOS Command-Center and communicating via an encrypted stream to the hacked host... No chance to see anything, except if the key is already known.

Right! But I was (pardon the pun) 'keying off' on the fact it was 'our mailservers/webservers'. I made the assumption that they had the keys. :)

> But how? If for example you would want to look for specific bad traffic (we had that with ssh1) and you want to find logins via ssh, you only get the fact that there IS a connection, no contents (else ssh would be useless anyway).

Right again! If the 3l33t hax0r uses a l33t algorithm like, oh, ROT13, then you've got a bit of a chance. :) But if it's something akin to ssh--Good luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

Message: 4
Date: Tue, 27 Nov 2001 22:43:22 +0100
From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
To: snort-users () lists sourceforge net
Reply-To: stucki () math fu-berlin de
Subject: [Snort-users] Strange effect splitting 'alert' to 'redalert' + 'logalert'

Hi!

Maybe I did something which is not meant to be used this way(?): I wanted to have two levels of alerts and logs, so I decided to use the user-defined 'ruletype's like:

------------------------------- snip ----------------------------
ruletype logalert
{
  type alert
  output alert_syslog: LOG_LOCAL3 LOG_WARNING
  output alert_fast: /var/log/snort/logalert
  output log_tcpdump: /var/log/snort/snort.log.dump
}
------------------------------- snip ----------------------------

The 'redalert' is similar but has a higher log facility and different filenames. Then I decided which rule (originally 'alert') will become 'redalert' or 'logalert', and if I did it correctly only those two kinds of rule exist now.

HERE Snort is: Version 1.8.3 (Build 87); it has flexresponse but not yet databases, and uses syslog so far. It runs on LINUX (SuSE-7.2) on a router's mirror-port.

What goes RIGHT is: syslog, alert_fast
What goes WRONG is: output_tcpdump

Is there a way to append instead of write from the beginning of the file when snort restarts? (It seems to always begin from an empty file.) Somehow it seems as if not *every* alerting packet (contents) is logged; I often do not find a packet in those files, even if alert_fast did tell me its from and to addresses... And besides this, portscans are logged to some other/own default file, which is acceptable so far :-)

Any ideas what I missed from 'snort.pdf' (maybe it does not explain something as of version *.3 and I'd rather read sources?)

Thanks a lot,
Stucki

--__--__--

Message: 5
Date: Wed, 28 Nov 2001 10:55:41 +1300
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Encrypted sessions
Organization: Trimble Navigation New Zealand Ltd.

On Tue, Nov 27, 2001 at 01:13:57PM -0800, Erek Adams wrote:
> On Tue, 27 Nov 2001, Ronneil Camara wrote:
> > How does snort deal with encrypted communication? Let's say I would like to monitor https connections to my web server, or we've got an encrypted connection to another mail server. Would snort know about those attacks?
>
> Anyone else got a better way to play with encryption? I'm looking for new ideas!

Yup - don't encrypt it :-)

Seriously, encryption is too hard to do on the fly - so MOVE THE PROBLEM. Terminate your SSL sessions on a reverse proxy (either commercial or Squid-2.5 for instance), and then it'll talk HTTP to the backend Web servers. Not only can your IDS detect attacks again, but you've moved an expensive task off your Web servers onto something specifically installed to do SSL...

--
Cheers
Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

--__--__--

Message: 6
From: Michael Aylor <maylor () swbanktx com>
To: 'Erek Adams' <erek () theadamsfamily net>, "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Encrypted sessions
Date: Tue, 27 Nov 2001 16:25:50 -0600

That would be neat, if there was a way of telling snort about the existence of a private RSA key that it had read access to, so it could reverse engineer the public key exchange it was watching... am I oversimplifying?

My understanding was that, if you had the private key (and presumably the password used to encrypt it), then you'd be able to decode any traffic using that key. Am I incorrect?

Mike

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, November 27, 2001 3:31 PM
To: Chr. v. Stuckrad
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Encrypted sessions

On Tue, 27 Nov 2001, Chr. v. Stuckrad wrote:
> *grin* there is another problem with 'encryption': I've seen a thing like an IRC-Bot used as DDOS Command-Center and communicating via an encrypted stream to the hacked host... No chance to see anything, except if the key is already known.

Right! But I was (pardon the pun) 'keying off' on the fact it was 'our mailservers/webservers'. I made the assumption that they had the keys. :)

> But how?
> If for example you would want to look for specific bad traffic (we had that with ssh1) and you want to find logins via ssh, you only get the fact that there IS a connection, no contents (else ssh would be useless anyway).

Right again! If the 3l33t hax0r uses a l33t algorithm like, oh, ROT13, then you've got a bit of a chance. :) But if it's something akin to ssh--Good luck.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

--__--__--

Message: 7
From: "Michael Scheidell" <scheidell () fdma com>
To: <snort-users () lists sourceforge net>
Cc: <ronneilc () remingtonltd com>
Subject: [Snort-users] Encrypted sessions
Date: Tue, 27 Nov 2001 17:49:55 -0500
Organization: Florida Datamation, Inc.

> Date: Tue, 27 Nov 2001 14:53:22 -0600
> From: "Ronneil Camara" <ronneilc () remingtonltd com>
> To: <snort-users () lists sourceforge net>
> Subject: [Snort-users] Encrypted sessions
>
> How does snort deal with encrypted communication? Let's say I would like to monitor https connections to my web server, or we've got an encrypted connection to another mail server. Would snort know about those attacks? This is what the big vendor company mentioned to me about snort's weakness.

And the 'big vendor' can decrypt encrypted sessions? Or are they just blowing smoke?

No, snort will not decrypt ssh or ssl sessions and I doubt 'big vendor' can either.

--__--__--

Message: 8
Subject: Snort & ACID: WAS ([Snort-users] Encrypted sessions)
Date: Tue, 27 Nov 2001 17:17:48 -0600
From: "Ronneil Camara" <ronneilc () remingtonltd com>
To: <snort-users () lists sourceforge net>

Thank you very much for all the responses. It was really helpful to me.

Anyway, are there any issues with versions of Snort and ACID? I actually would like to try it tonight. Aside from demarc, are there any other good console web interfaces for snort?

Thanks.
Neil

--__--__--

Message: 9
From: "D&D Jordan" <info () dndjordan com>
To: <snort-users () lists sourceforge net>
Date: Tue, 27 Nov 2001 15:35:35 -0800
Subject: [Snort-users] Snort 1.8 and RH 7.1

Greetings,

I recently changed from my normal course of waiting for either source rpms or pre-compiled rpms to use version 1.8.2. I d/l the i386 rpm from the snort.org d/l page and while everything installed okay, I have one error that is keeping snortd from loading. This is the problem. When I run "/etc/rc.d/init.d/snortd start" I get this:

Starting snort: execvp: No such file or directory [FAILED]

Can anyone tell me what this means?

Thanks,
Don Jordan

--__--__--

Message: 10
Date: Tue, 27 Nov 2001 16:43:54 -0700 (MST)
From: Jensenne Roculan <jroculan () securityfocus com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] ARIS sensor 1.6 Beta RPM

Hi there,

For those who may be interested, SecurityFocus has released the ARIS sensor RPM which includes Snort 1.8.2, the default ruleset, and the newly released ARIS extractor 1.6. It is built on RedHat Linux 7.1 but should install properly on most other Linux distributions. It is available at:

ARIS sensor 1.6 Beta
http://aris.securityfocus.com/Download.asp

To install this RPM, run:

# rpm --install aris-sensor-1.6-beta.i386.rpm

This will install the included programs in /usr/local/aris-sensor. Next, run the "install.pl" script within the aris-sensor directory to configure ARIS extractor to automatically upload your data.

If you installed the previous version of the RPM, you must uninstall it by running the following commands:

# /etc/rc.d/init.d/snort stop
# rpm --erase aris-sensor-1.0-beta

The standalone version of ARIS extractor is also available at the URL above.

Users of ARIS extractor 1.6 can now enable the automatic generation of daily summary reports. These reports, sent by email, give you an overview of the activity seen by your IDS over the previous 24 hour period. For an example of this report, see the following:
http://aris.securityfocus.com/HELP/dailysummarysetup.htm

Any questions or comments can be directed to aris-bugs () securityfocus com

Thanks for your time.

Cheers,
Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
ARIS - http://aris.securityfocus.com
(403) 213-3939 ext. 229

--__--__--

Message: 11
Reply-To: <drew600_1999 () yahoo com>
From: "Stephen Shepherd" <drew600_1999 () yahoo com>
To: "Snort Users List (E-mail)" <snort-users () lists sourceforge net>
Date: Tue, 27 Nov 2001 19:34:51 -0700
Subject: [Snort-users] Next Update to spp_portscan

Does anyone know when we might see an update to spp_portscan that will log into the snort DB in a structured format? I poked around on the snort web site but I did not see any new news.

Now that I have ACID up and running I am loving life but I sure would like to be able to mine the portscan data more effectively. The current unstructured logging is better than nothing but I want more... :-)

--__--__--

Message: 12
From: "Ali Zaree" <a_zaree () graffiti net>
To: snort-users () lists sourceforge net
Date: Wed, 28 Nov 2001 10:56:46 +0800
Subject: [Snort-users] mysql on win32

I just joined the mailing list, so I hope this question hasn't been asked/answered before. I looked through the archive and couldn't find anything about it: Is there a mysql version of snort 1.8.2 for Windows? I've got it working great for linux clients but when I try the binary from the snort download page on a windows box I get:

<snip>
database: compiled support for ( )
database: configured to use mysql
database: mysql support is not compiled in this copy....
Fatal Error, Quitting..

Thnx in advance,
Ali Zaree

--__--__--

End of Snort-users Digest
Regards!

Suke Li
lisuke () infosec cs pku edu cn
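Michael Aylor asks above whether a sensor that holds the server's RSA private key could decode the key exchange it watches, and Mike Shaw notes that without that key a NIDS sees only what an eavesdropper sees. The toy model below is added here to show both points side by side; it is not code from the thread or from Snort, and its RSA key (two constructed Mersenne primes), its SHA-256 keystream standing in for the SSL record cipher, and the names rsa_encrypt, rsa_decrypt, client_handshake_and_send, sensor_view and signature_match are all assumptions of this example.

```python
"""Toy model of RSA key exchange as a passive sensor sees it.

Constructed for illustration: a toy RSA key, and a counter-mode SHA-256
stream standing in for SSL key derivation plus the record cipher.
"""
import hashlib
import os

# Constructed toy RSA key from the Mersenne primes 2^31-1 and 2^61-1.
# Far too small for real use, but large enough to wrap a 64-bit secret.
P = (1 << 31) - 1
Q = (1 << 61) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def rsa_encrypt(m: int) -> int:
    """Encrypt under the server's public key (E, N)."""
    return pow(m, E, N)


def rsa_decrypt(c: int, d: int = D) -> int:
    """Decrypt with a private exponent; only the key holder has D."""
    return pow(c, d, N)


def keystream(secret: int, length: int) -> bytes:
    """Stand-in for key derivation and the record cipher: a counter-mode
    SHA-256 stream keyed by the (pre)master secret. 16-byte field so any
    value below N, including a wrongly recovered one, still fits."""
    out = b""
    counter = 0
    while len(out) < length:
        block = secret.to_bytes(16, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def client_handshake_and_send(plaintext: bytes, premaster=None):
    """Client side of an RSA key exchange: wrap a fresh premaster secret
    under the server's public key, then send the request encrypted under a
    key derived from it. Returns exactly what a tap on the wire would see."""
    if premaster is None:
        premaster = int.from_bytes(os.urandom(8), "big")   # < 2^64 < N
    wrapped = rsa_encrypt(premaster)
    record = xor(plaintext, keystream(premaster, len(plaintext)))
    return wrapped, record


def sensor_view(wrapped: int, record: bytes, private_key=None) -> bytes:
    """What a passive sensor can match rules against. Without the server's
    private key it has only the ciphertext; with it, it recovers the
    premaster secret the same way the server does and sees the plaintext."""
    if private_key is None:
        return record
    premaster = rsa_decrypt(wrapped, private_key)
    return xor(record, keystream(premaster, len(record)))


def signature_match(view: bytes, signature: bytes) -> bool:
    """A content rule in the spirit of Snort's content: option."""
    return signature in view
```

The recovery works only because RSA key exchange wraps the premaster secret under the server key; with an ephemeral Diffie-Hellman exchange the server key merely signs and a passive sensor recovers nothing, which is why Jason Haar's reverse-proxy termination is the general-purpose answer.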
Current thread:
- Re: Snort-users digest, Vol 1 #1349 - 12 msgs Suke Li (Nov 27)
- Re: Re: Snort-users digest, Vol 1 #1349 - 12 msgs Ryan Russell (Nov 28)
- <Possible follow-ups>
- Re: Snort-users digest, Vol 1 #1349 - 12 msgs Suke Li (Nov 27)