Snort mailing list archives

Re: RE: Exchange 2000


From: twig les <twigles () yahoo com>
Date: Thu, 19 Dec 2002 15:14:17 -0800 (PST)

No, never done that.  Off the top of my head that
sounds like a terrible idea.  A NIDS is only effective
if it can keep up with the traffic on your network. 
If you are using Windows+Exchange then you would need
a lot more horsepower.  Also consider the security
implications.  The next round of zero-day Exchange
exploits could get your IDS owned.

Better to confiscate an old box (old nowadays seems to
mean 700MHz) and throw redhat or freebsd on it per the
guides.  This isn't an OS war thing (dear god I don't
want that yet again) but simply an overhead issue.


--- Richard Lyons <lyonsrf () linxlogix com> wrote:
Has anyone dealt with putting Snort onto an Exchange 2000 box?  Anything
in particular that I would need to know, i.e., disable certain things
initially before installation?  Any help would greatly be appreciated!

RL

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net] 
Sent: Thursday, December 19, 2002 12:51 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2600 - 9 msgs

Send Snort-users mailing list submissions to
      snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
      snort-users-request () lists sourceforge net

You can reach the person managing the list at
      snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: Barnyard/acid reconfigure question (Henning, David)
   2. Ignorehosts still not working... (Marc Quibell)
   3. ACID Graph Page (Gary Borgeson)
   4. RE: Ignorehosts still not working... (Hicks, John)
   5. RE: ACID Graph Page (Steve Halligan)
   6. RE: DB ERROR (Luo, Philip)
   7. Re: One question (Matt Kettler)
   8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
   9. RE: Clueless in Toronto (Rich Stryker)

--__--__--

Message: 1
From: "Henning, David" <henningd () fortrex com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 19 Dec 2002 09:01:38 -0500
Subject: RE: [Snort-users] Barnyard/acid reconfigure question

Excellent explanation!  Thank you!

Dave

-----Original Message-----
From: Jens Krabbenhoeft

Hi,

What am I missing on how to assign this number and keep it consistent?

op_acid_db.c:

  /* if sensor id == 0, then we attempt to determine it dynamically */
  if(data->sensor_id == 0)
  {
      data->sensor_id = AcidDbGetSensorId(data);
  }

And AcidDbGetSensorId does the following:

  "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
  "AND filter='%s' AND detail='%u' AND encoding='0'",
  pv.hostname, pv.interface, pv.filter, op_data->detail)

If it gets a sensor back, it uses that sensor_id; if not, it inserts the
new sensor.

So from the code, to keep it consistent, don't change the hostname /
interface / filter and detail.

Hope that helps,

      Jens

BTW: It works for me. Changing any of these values inserts a new sensor,
changing nothing doesn't do anything to the sensor-table.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 2
From: "Marc Quibell" <mquibell () fbfs com>
To: snort-users () lists sourceforge net
Date: Thu, 19 Dec 2002 09:07:15 -0600
Subject: [Snort-users] Ignorehosts still not working...



My snort cmd line is:
 /usr/local/bin/snort -o -q -i eth1 -c /usr/local/demarc/conf/snorteth1.conf

My snorteth1.conf is as follows:
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
#var DNS_SERVERS $HOME_NET
var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
var HTTP_PORTS 80
var ORACLE_PORTS 1521

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor stream4: detect_scans, disable_evasion_alerts

output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3ss host=192.168.45.111 sensor_name=ike.fbfs.com


#BEGIN RULES:

I cannot get it to ignore those two hosts.  Suggestions?

Thanks.

Marc




--__--__--

Message: 3
From: Gary Borgeson <gborgeson () aecc com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Thu, 19 Dec 2002 09:53:35 -0600
Subject: [Snort-users] ACID Graph Page


=== message truncated ===


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
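Added example, not Barnyard's or ACID's own code: Jens's reply in the quoted digest explains that AcidDbGetSensorId looks a sensor up by hostname, interface, filter, detail and encoding, and inserts a new row when nothing matches, which is why touching any of those values produces a new sensor id. The block below models that lookup-or-insert against an in-memory SQLite copy of the ACID sensor table (the table definition, hostnames and column types here are constructed for the example, not taken from the ACID schema) so the behaviour Jens describes can be observed directly. It uses parameterised placeholders rather than the format-string style of the quoted C, so sensor values never become part of the SQL text.

```python
"""Model of Barnyard's ACID sensor-id lookup (added example, not Barnyard code).

A sensor row is keyed on (hostname, interface, filter, detail, encoding).
Asking for the same key twice returns the same sid; changing any part of the
key inserts a new sensor, exactly as Jens describes in the digest.
"""
import sqlite3

# Constructed table for the example; column names follow the SELECT quoted
# in the digest, types are an assumption rather than ACID's real DDL.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT    NOT NULL,
    interface TEXT    NOT NULL,
    filter    TEXT    NOT NULL,
    detail    INTEGER NOT NULL,
    encoding  INTEGER NOT NULL
);
"""


def open_sensor_db():
    """Create an empty in-memory sensor table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_sensor_id(conn, hostname, interface, bpf_filter="", detail=1, encoding=0):
    """Return the sid for this sensor key, inserting a row if none exists.

    The key columns are stored as empty strings rather than NULL: in SQL a
    NULL never compares equal with '=', so a NULL filter would never match
    and every run would silently create a fresh sensor.
    """
    key = (hostname, interface, bpf_filter, detail, encoding)
    row = conn.execute(
        "SELECT sid FROM sensor WHERE hostname=? AND interface=? "
        "AND filter=? AND detail=? AND encoding=?",
        key,
    ).fetchone()
    if row is not None:
        return row[0]          # existing sensor: reuse its sid
    cur = conn.execute(
        "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
        "VALUES (?, ?, ?, ?, ?)",
        key,
    )
    conn.commit()
    return cur.lastrowid       # new sensor: sid assigned by the database


def sensor_count(conn):
    """Number of rows currently in the sensor table."""
    return conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]


def demo():
    """Walk through Jens's observation with constructed sensor values.

    Returns (first sid, sid on an identical second lookup, sid after the
    interface changes, total rows), i.e. (1, 1, 2, 2).
    """
    conn = open_sensor_db()
    first = get_sensor_id(conn, "sensor1.example.net", "eth1", "", 1)
    same = get_sensor_id(conn, "sensor1.example.net", "eth1", "", 1)
    changed = get_sensor_id(conn, "sensor1.example.net", "eth2", "", 1)
    return first, same, changed, sensor_count(conn)


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(1, 1, 2, 2)`: the repeated lookup reuses sid 1, and changing only the interface creates sid 2. The same happens if hostname, filter or detail change, which is the practical reason to pin those values in the sensor's configuration before the first run if the ACID sensor table is to stay stable.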




