Snort mailing list archives
Re: Snort-users digest, Vol 1 #4982 - 10 msgs
From: James Affeld <jamesaffeld () yahoo com>
Date: Tue, 8 Mar 2005 11:21:58 -0800 (PST)
SANS requires an analysis paper from applicants for its Intrusion Analyst certificate. Those papers are a tremendous resource for intrusion detection techniques and analysis, especially the Honors papers. In addition, there are suggested papers for various tools and techniques cited in their cert. prep. guide:

http://www.giac.org/practicals/guides/gcia.pdf (Pages 4-6)

Richard Bejtlich's _Tao of Network Security Monitoring_ is a really good book. It doesn't address Snort at all, but looks at Bro and Prelude. But IDS is only one of 4 major types of data he covers. I found it incredibly useful if you are really doing this stuff.
Message: 3
Date: Mon, 7 Mar 2005 10:38:24 -0500
From: Craig W <codecraig () gmail com>
Reply-To: Craig W <codecraig () gmail com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to the Group

Dennis suggested checking out Snort for Dummies. I am still open for other suggestions as I am trying to learn about IDS's in general. Thanks

On Mon, 7 Mar 2005 07:34:10 -0800, Reza <reza () visionnethosting com> wrote:

Hey, the answer wasn't posted to the mailing list, you mind letting me know what was recommended? Thanks.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: Monday, March 07, 2005 6:42 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to the Group

Thanks, I'll check that one out on my lunch break today (hopefully Borders has that one in stock :)

On Mon, 7 Mar 2005 09:33:33 -0500, Dennis Propson <dpropson () comcast net> wrote:

Until recently, I have not used a "Dummies" book in years, if ever. Don't be embarrassed to order Snort for Dummies. Just close your office door while perusing it. Actually, it's a good way to get Snort up and running.

Dennis

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: Monday, March 07, 2005 8:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New to the Group

Hi everyone, I am researching IDS's and of course Snort is on the list of things to check out and explore. I am curious if anyone can suggest any online articles, tutorials, and the like for someone like myself who wants to learn more about IDS's in general and about using Snort, programming and using snort, etc. Thanks in advance.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide. Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- http://www.codecraig.com http://jroller.com/page/codecraig
-- http://www.codecraig.com http://jroller.com/page/codecraig

--__--__--

Message: 4
Date: Mon, 7 Mar 2005 11:25:45 -0500
From: Craig W <codecraig () gmail com>
Reply-To: Craig W <codecraig () gmail com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to the Group

Thanks for the information, I will check that out as well.

On Mon, 07 Mar 2005 10:45:29 -0500, Geffrey Velásquez <gvelasquez () minag gob pe> wrote:

Hi, I'm new too. If you would like to learn about programming (preprocessors and output plugins) and Snort in depth you could buy Snort 2.1 Intrusion Detection, written by Andrew Baker, Jay Beale, Brian Caswell, Mike Poore. The howto is also a good source of information.

Geffrey

Craig W wrote:

Dennis suggested checking out Snort for Dummies. I am still open for other suggestions as I am trying to learn about IDS's in general. Thanks

On Mon, 7 Mar 2005 07:34:10 -0800, Reza <reza () visionnethosting com> wrote:

Hey, the answer wasn't posted to the mailing list, you mind letting me know what was recommended? Thanks.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: Monday, March 07, 2005 6:42 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to the Group

Thanks, I'll check that one out on my lunch break today (hopefully Borders has that one in stock :)

On Mon, 7 Mar 2005 09:33:33 -0500, Dennis Propson <dpropson () comcast net> wrote:

Until recently, I have not used a "Dummies" book in years, if ever. Don't be embarrassed to order Snort for Dummies. Just close your office door while perusing it. Actually, it's a good way to get Snort up and running.

Dennis

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: Monday, March 07, 2005 8:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New to the Group

Hi everyone, I am researching IDS's and of course Snort is on the list of things to check out and explore. I am curious if anyone can suggest any online articles, tutorials, and the like for someone like myself who wants to learn more about IDS's in general and about using Snort, programming and using snort, etc. Thanks in advance.

-- http://www.codecraig.com http://jroller.com/page/codecraig

--__--__--

Message: 5
Date: Mon, 7 Mar 2005 11:48:18 -0500
From: Craig W <codecraig () gmail com>
Reply-To: Craig W <codecraig () gmail com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort on windows

Can I run snort on windows? If so, can someone tell me how? Thanks.

--__--__--

Message: 6
Date: Mon, 7 Mar 2005 18:33:37 +0100 (CET)
From: "Teva AVRIL" <teva.avril () esigetel fr>
To: snort-users () lists sourceforge net
Reply-To: teva.avril () esigetel fr
Subject: [Snort-users] barnyard and acid

Hi, I have a 2-tier snort set up with snort and barnyard running on one box, and mysql/acid running on another. I have snort configured with the following options:

snort.conf:

    output log_unified: filename snort.unified.log, limit 128

and barnyard.conf configured as follows:

    config hostname: localhost
    config interface: eth0
    output alert_acid_db: mysql, database snort, server ids.domain.com, user snort, password snort
    output log_acid_db: mysql, database snort, server ids.domain.com, user snort, password snort, detail full

I run snort like:

    /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D

and barnyard like:

    /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -p /etc/snort/classification.config -f snort.unified.log -g /etc/snort/rules/gen-msg.map -s etc/snort/rules/sid-msg.map -w /usr/local/snortlogs/barnyard.waldo

Data appears in the db in almost all tables but nothing is showing up in ACID: all acid_* tables are empty.
The sensor table isn't empty: there is one value (inserted by barnyard, not by me) which is:

    sid  hostname  interface  filter  detail  encoding  last_cid
    ---------------------------------------------------------------------------
    1    sensor    eth0       NULL    1       0         0

Anybody know why acid doesn't insert something in acid_* tables?

Thanks,

--__--__--

Message: 7
Date: Mon, 7 Mar 2005 11:53:27 -0500
From: Craig W <codecraig () gmail com>
Reply-To: Craig W <codecraig () gmail com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort on windows

Duh, I found it... didn't see the "binaries" section in the download area. Thanks

--__--__--

Message: 8
Reply-To: <wfitzgerald () tssg org>
From: "William Fitzgerald" <wfitzgerald () tssg org>
To: "'Craig W'" <codecraig () gmail com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] New to the Group
Date: Mon, 7 Mar 2005 15:39:06 -0000

Try prelude (ids and honeypot capabilities) and see its documentation repository. It's free also. Snort can become a prelude sensor also. http://www.prelude-ids.org/

Regards,
Will.

Mr. William M. Fitzgerald (MSc, BSc),
Applied Researcher,
Telecommunications Software & Systems Group,
Waterford Institute of Technology,
Cork Rd. Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org/

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: 07 March 2005 15:38
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to the Group

Dennis suggested checking out Snort for Dummies. I am still open for other suggestions as I am trying to learn about IDS's in general. Thanks

On Mon, 7 Mar 2005 07:34:10 -0800, Reza <reza () visionnethosting com> wrote:

Hey, the answer wasn't posted to the mailing list, you mind letting me know what was recommended? Thanks.
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: Monday, March 07, 2005 6:42 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to the Group

Thanks, I'll check that one out on my lunch break today (hopefully Borders has that one in stock :)

On Mon, 7 Mar 2005 09:33:33 -0500, Dennis Propson <dpropson () comcast net> wrote:

Until recently, I have not used a "Dummies" book in years, if ever. Don't be embarrassed to order Snort for Dummies. Just close your office door while perusing it. Actually, it's a good way to get Snort up and running.

Dennis

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig W
Sent: Monday, March 07, 2005 8:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New to the Group

Hi everyone, I am researching IDS's and of course Snort is on the list of things to check out and explore. I am curious if anyone can suggest any online articles, tutorials, and the like for someone like myself who wants to learn more about IDS's in general and about using Snort, programming and using snort, etc. Thanks in advance.
-- http://www.codecraig.com http://jroller.com/page/codecraig
-- http://www.codecraig.com http://jroller.com/page/codecraig
--__--__--

Message: 9
From: Florin Andrei <florin () andrei myip org>
Reply-To: snort-users () lists sourceforge net
To: snort-users () lists sourceforge net
Date: Mon, 07 Mar 2005 10:08:54 -0800
Subject: [Snort-users] fail open / fail close

When building a DIY IDS using Snort and off the shelf hardware, if the IDS is in-line, it will naturally enforce a fail-close policy if something goes wrong. But what if I want to tell the device to fail open? I'm not talking about sophisticated monitoring of the system health and switching to open state (although that would be nice, if possible), I'm talking about fail open if the power fails. Probably some kind of Ethernet hardware is required, but do you guys know any such hardware?

Thanks,

-- 
Florin Andrei
http://florin.myip.org/

--__--__--

Message: 10
Date: Mon, 7 Mar 2005 13:14:41 -0500
From: Craig W <codecraig () gmail com>
Reply-To: Craig W <codecraig () gmail com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] pcap_loop error?

Ok, so I am running Snort 2.3.0 RC2 (on win xp pro) and I installed WinPcap 3.0. When I run snort -v at the command line... after about 30 seconds I press Ctrl+C (to stop it) and I get the following message:

    pcap_loop: read error: PacketReceivePacket failed
    Run time for packet processing was 30.54000 seconds

Any idea why? Thanks

--__--__--

End of Snort-users Digest