Snort mailing list archives
Re: RE: Exchange 2000
From: twig les <twigles () yahoo com>
Date: Thu, 19 Dec 2002 15:14:17 -0800 (PST)
No, never done that. Off the top of my head that sounds like a terrible idea. A NIDS is only effective if it can keep up with the traffic on your network. If you are using Windows+Exchange then you would need a lot more horsepower. Also consider the security implications. The next round of zero-day Exchange exploits could get your IDS owned. Better to confiscate an old box (old nowadays seems to mean 700MHz) and throw redhat or freebsd on it per the guides. This isn't an OS war thing (dear god I don't want that yet again) but simply an overhead issue.

--- Richard Lyons <lyonsrf () linxlogix com> wrote:
Has anyone dealt with putting Snort onto an Exchange 2000 box? Anything in particular that I would need to know, i.e., disable certain things initially before installation? Any help would greatly be appreciated!

RL

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, December 19, 2002 12:51 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2600 - 9 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. RE: Barnyard/acid reconfigure question (Henning, David)
2. Ignorehosts still not working... (Marc Quibell)
3. ACID Graph Page (Gary Borgeson)
4. RE: Ignorehosts still not working... (Hicks, John)
5. RE: ACID Graph Page (Steve Halligan)
6. RE: DB ERROR (Luo, Philip)
7. Re: One question (Matt Kettler)
8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
9. RE: Clueless in Toronto (Rich Stryker)

--__--__--

Message: 1
From: "Henning, David" <henningd () fortrex com>
To: "'snort-users () lists sourceforge net' " <snort-users () lists sourceforge net>
Date: Thu, 19 Dec 2002 09:01:38 -0500
Subject: RE: [Snort-users] Barnyard/acid reconfigure question

Excellent explanation! Thank you!
Dave

-----Original Message-----
From: Jens Krabbenhoeft

Hi,

What am I missing on how to assign this number and keep it consistent?

op_acid_db.c:

    /* if sensor id == 0, then we attempt to determine it dynamically */
    if(data->sensor_id == 0)
    {
        data->sensor_id = AcidDbGetSensorId(data);
    }

And AcidDbGetSensorId does the following:

    "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
    "AND filter='%s' AND detail='%u' AND encoding='0'",
    pv.hostname, pv.interface, pv.filter, op_data->detail

If it gets a sensor back, it uses that sensor_id, if not, it inserts the new sensor. So from the code, to keep it consistent, don't change the hostname / interface / filter and detail.

Hope that helps,
Jens

BTW: It works for me. Changing any of these values inserts a new sensor, changing nothing doesn't do anything to the sensor-table.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 2
From: "Marc Quibell" <mquibell () fbfs com>
To: snort-users () lists sourceforge net
Date: Thu, 19 Dec 2002 09:07:15 -0600
Subject: [Snort-users] Ignorehosts still not working...

My snort cmd line is:

    /usr/local/bin/snort -o -q -i eth1 -c /usr/local/demarc/conf/snorteth1.conf

My snorteth1.conf is as follows:

    var HOME_NET any
    var EXTERNAL_NET any
    var SMTP $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    #var DNS_SERVERS $HOME_NET
    var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
    var HTTP_PORTS 80
    var ORACLE_PORTS 1521
    preprocessor defrag
    preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
    preprocessor unidecode: 80
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    preprocessor portscan-ignorehosts: $DNS_SERVERS
    preprocessor stream4: detect_scans, disable_evasion_alerts
    output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3s s host=192.168.45.111 sensor_name=ike.fbfs.com
    #BEGIN RULES:

I cannot get it to ignore those two hosts. Suggestions? Thanks.

Marc

--__--__--

Message: 3
From: Gary Borgeson <gborgeson () aecc com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 19 Dec 2002 09:53:35 -0600
Subject: [Snort-users] ACID Graph Page
=== message truncated ===

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------
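The lookup-or-insert behaviour Jens describes for AcidDbDbGetSensorId in the quoted digest, as an added example that is not part of this thread or of Barnyard's own code: an in-memory SQLite stand-in for the ACID sensor table (constructed, minimal schema) with the same four-field match, showing that only a change to hostname, interface, filter or detail yields a new sid. The hostname is taken from Marc's sensor_name; the interface, filter and detail values are constructed, and bound parameters replace the original's printf-style string building.

```python
import sqlite3


def open_sensor_db():
    """Create a constructed, in-memory 'sensor' table with the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sensor ("
        " sid INTEGER PRIMARY KEY AUTOINCREMENT,"
        " hostname TEXT, interface TEXT, filter TEXT,"
        " detail INTEGER, encoding INTEGER)"
    )
    return conn


def get_sensor_id(conn, hostname, interface, filt, detail):
    """Mirror op_acid_db.c: reuse the sid when hostname, interface, filter and
    detail all match (encoding fixed at 0); otherwise insert a new sensor row."""
    row = conn.execute(
        "SELECT sid FROM sensor WHERE hostname=? AND interface=? "
        "AND filter=? AND detail=? AND encoding=0",
        (hostname, interface, filt, detail),
    ).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, 0)",
        (hostname, interface, filt, detail),
    )
    return cur.lastrowid


def sensor_count(conn):
    return conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]


def demo():
    """Constructed sensor values: which calls reuse a sid and which create one."""
    conn = open_sensor_db()
    first = get_sensor_id(conn, "ike.fbfs.com", "eth1", "", 1)
    same = get_sensor_id(conn, "ike.fbfs.com", "eth1", "", 1)    # nothing changed: same sid
    new_if = get_sensor_id(conn, "ike.fbfs.com", "eth0", "", 1)  # interface changed: new sid
    new_detail = get_sensor_id(conn, "ike.fbfs.com", "eth1", "", 0)  # detail changed: new sid
    return first, same, new_if, new_detail, sensor_count(conn)


if __name__ == "__main__":
    print(demo())
```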
Current thread:
- RE: Exchange 2000 Richard Lyons (Dec 19)
- Re: RE: Exchange 2000 twig les (Dec 19)
- <Possible follow-ups>
- Re: RE: Exchange 2000 aaron g (Dec 19)