Snort mailing list archives
RE: Snort-users digest, Vol 1 #4864 - 5 msgs
From: "Joe & Angie" <ajtamayo () cableone net>
Date: Tue, 25 Jan 2005 22:13:52 -0700
GET ME OUT OF THIS LIST

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort-users-request () lists sourceforge net
Sent: Tuesday, January 25, 2005 9:32 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #4864 - 5 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. A New White Paper - Baseline Analysis of Security Data (Orit Vidas)
2. Snort 2.3.0 Rulesets (Eric Hines)
3. RE: Windows Logon Failures (Bristol, Gary L.)
4. Re: php 5 - base error resolution? (Kevin Johnson)
5. streaming media detection (Paul Aviles)

--__--__--

Message: 1
From: "Orit Vidas" <orit () securimine com>
To: <snort-users () lists sourceforge net>
Date: Tue, 25 Jan 2005 15:07:30 -0800
Subject: [Snort-users] A New White Paper - Baseline Analysis of Security Data

Hello,

A new white paper has been released by the Securimine Team. To download the white paper, go to http://www.securimine.com/product.html

Title: Baseline Analysis of Security Data

Abstract: Regardless of the development in the SIM (Security Information Management) area, there is still a huge problem with existing detection tools. Although these tools detect all the intrusions, they detect much more than that. This problem, known as false positives, is a big barrier for intrusion detection tools to cross before their deployment can be practical. To date, intrusion detection vendors, or more precisely security experts, are struggling with an inherent conflict and are sometimes forced to write less adequate detection rules just to reduce the number of false positives.

In this paper we suggest a different approach for using data mining technology in the intrusion detection area. We claim that the best positioning for a data mining technology within an intrusion detection system is not as a detection engine, but rather as an analysis layer that will filter out the false positives. The ability of data mining technology to build behavioral models representing 'normal' behavior of data is most suitable to model the data generated by the intrusion detection engines.

Best regards,
The Securimine Team
www.securimine.com
--__--__--

Message: 2
From: "Eric Hines" <eric.hines () appliedwatch com>
To: <snort-users () lists sourceforge net>
Date: Tue, 25 Jan 2005 17:15:59 -0600
Subject: [Snort-users] Snort 2.3.0 Rulesets

Can anyone tell me when the snortrules-snapshot-2_3.tar.gz will be available now that 2.3.0 is officially released?

Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
1134 N. Main St., Algonquin, IL 60102
Toll Free: (877) 262-7593
Direct: (877) 262-7593 x327
Fax: (877) 262-7593
Web: www.appliedwatch.com
"Browserless Enterprise Snort Management is Finally Here"

--__--__--

Message: 3
Subject: RE: [Snort-users] Windows Logon Failures
Date: Tue, 25 Jan 2005 17:54:43 -0600
From: "Bristol, Gary L." <gbristol () ou edu>
To: <kimhick () cfl rr com>, <snort-users () lists sourceforge net>

In the event logs you might also find another event associated with this same logon failure which lists the source ip. Event ID: 529

EVENT # 270658
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Logon/Logoff
EVENT ID 529
USERNAME NT AUTHORITY\SYSTEM

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of kimhick () cfl rr com
Sent: Tuesday, January 25, 2005 10:14 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Windows Logon Failures

We have a Windows 2003 domain and we are seeing a lot of logon failures from apparently fictitious hosts.
Here is an example from the event viewer:

Event Type: Audit Failure
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/24/2005
Time: 10:26:33 AM
User: SYSTEM
Computer: DC1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: root
Source Workstation: \\RYDER
Error Code: 0xC0000064

In this case \\RYDER does not resolve through DNS or WINS so we don't know where these are coming from. We have snort up and running but what rules would we use that could give us an IP number on these hosts. Any help or advice would be appreciated.

Thanks,
Brian

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 4
From: Kevin Johnson <kjohnson () secureideas net>
To: mdpeters <michael.peters () lazarusalliance com>
Cc: Snort Users <snort-users () lists sourceforge net>, twebster () daksoft com
Date: Tue, 25 Jan 2005 19:05:31 -0500
Subject: [Snort-users] Re: php 5 - base error resolution?

Hi-

The fix to this issue is in CVS for BASE and was provided to us by Tim Rupp, one of our core developers. The "patch" below does not seem to fix the issue on any of our systems without breaking the flexibility of the application. If anyone is interested in the fix and do not want to run CVS code, they can visit the link below to view the changes. These changes work with the 1.0.1 release also.
I would also like to comment that your line numbers are different because, as you explained in our phone call, you have removed all licensing and copyright information from the application.

Thank you,
Kevin Johnson
-----------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!

On Tue, 2005-01-25 at 17:30, mdpeters wrote:
Yes I did. I offered the solution to the BASE folks but never received word back. My line numbers will be different than everyone else's. Just look in the following pages for these values and I think you should be good to go. Here are the changes I made including the debugging code.

...snip...
Best regards,
Michael D. Peters
Director of Security Services, CISSP

----- Original Message -----
From: <twebster () daksoft com>
To: <michael.peters () lazarusalliance com>
Sent: Tuesday, January 25, 2005 3:53 PM
Subject: php 5 - base error resolution?

Michael,

On 12-27-2004 you sent a message to snort mailing list regarding the following error.

Fatal error: Cannot use string offset as an array in /usr/local/apache2/htdocs/includes/base_state_citems.inc.php on line 710

Did you ever get BASE to work with PHP 5? I am having the same problem. Do you have a solution?

thanks,
Tony Webster
Daksoft
(605) 721-2141
twebster @ daksoft.com
--__--__--

Message: 5
Date: Tue, 25 Jan 2005 23:22:22 -0500
From: "Paul Aviles" <paviles () adjoined com>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] streaming media detection

Is there a way to detect people streaming media or listening to music? With most of them using port 80 I am curious as to what approach to use.

Also, is there a way to send an email upon certain alerts?

Thanks

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
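As an added example (not code from any of the posters in this digest), here is a defender-side triage script for the Event Viewer text Brian quoted in Message 3: it splits event 680 records into fields, decodes the NTSTATUS value in Error Code (0xC0000064 is STATUS_NO_SUCH_USER, which is why "root" fails on a Windows domain), and groups failures by Source Workstation so a name that never resolves, like \\RYDER, stands out. The second and third records, the WS17 host and the threshold are constructed for the demonstration.

```python
import re
from collections import Counter
# Constructed sample in the Event Viewer layout quoted above: record 1 is the
# RYDER/root entry from the post, records 2-3 are made up and trimmed.
SAMPLE_EVENTS = r"""
Event ID: 680
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: root
Source Workstation: \\RYDER
Error Code: 0xC0000064

Event ID: 680
Logon account: admin
Source Workstation: \\RYDER
Error Code: 0xC0000064

Event ID: 680
Logon account: bob
Source Workstation: \\WS17
Error Code: 0xC000006A
"""
ERROR_CODES = {"0xC0000064": "user name does not exist",  # NTSTATUS values that
               "0xC000006A": "wrong password",            # event 680 reports in
               "0xC0000234": "account locked out"}        # its Error Code field

def parse_events(text, event_id="680"):
    """Split blank-line-separated records into dicts, keeping one event ID."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():  # skips the bare "Description:" line
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == event_id:
            events.append(fields)
    return events

def failures_by_workstation(events):
    """Per source workstation: accounts tried and decoded failure reasons."""
    summary = {}
    for ev in events:
        ws = ev.get("Source Workstation", "?").lstrip("\\")
        entry = summary.setdefault(ws, {"accounts": set(), "reasons": Counter()})
        entry["accounts"].add(ev.get("Logon account", "?"))
        code = ev.get("Error Code", "")
        entry["reasons"][ERROR_CODES.get(code, code)] += 1
    return summary

def suspicious_workstations(summary, min_unknown_users=2):
    """Workstations repeatedly failing for accounts that do not exist."""
    return sorted(ws for ws, e in summary.items() if e["reasons"]["user name does not exist"] >= min_unknown_users)
```

The workstation names this produces are what to pair with the 529 events Gary mentions, since those carry the network source that 680 lacks.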