Snort mailing list archives
Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Thu, 6 Jan 2011 13:38:49 -0700
The home page (http://www.snortsam.net/) gives a succinct explanation of the idea behind it and how in general it works. I use it with Snort and some modified rules (ET has a whole set of rules with "fwsam") to generate automatic blocks on our Check Point firewall. Granted, it's not true IPS, but it adds another bit of protection while still permitting more IDS rules to be allowed, which I could not do if running in IPS mode. As you know, FPs can't be tolerated very well for HIPS.

For instance: we have a couple of Windows RDP-accessible devices on which we don't permit administrative logins. If Snort rule 4060 triggers (POLICY RDP attempted administrator connection request), it will send a block message to the firewall and the IP that tried to connect as administrator is completely blocked from our network for 24 hours. This is done easily without actually modifying any rules by means of a "sid-block.map" file that has the rule number and how long to block correlated.

I use the components of snortsam with other systems, too, so that certain events will trigger a firewall block, but those don't involve Snort so aren't really relevant.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, January 06, 2011 13:17
To: Castle, Shane; Jeff Kell
Cc: snort-users () lists sourceforge net; snort-sigs () lists sourceforge net; snort-devel () lists sourceforge net
Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

What features of SnortSam do you guys use now? (I don't know SnortSam, at all, so walk me through it)

J

On Jan 6, 2011, at 3:10 PM, Castle, Shane wrote:
Nope. Adding SnortSam to 2.8.6.1 fails owing to the use of autoconf/libtool releases in 2.8.6.1 later than supported on RH5. About ready to ditch RHEL completely for the IDS install but as I wrote, things are moving slow.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, January 06, 2011 12:51
To: Castle, Shane
Cc: snort-users () lists sourceforge net; snort-sigs () lists sourceforge net; snort-devel () lists sourceforge net
Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

I understand. We don't maintain the SnortSam mod, so I can't help you there. But you can upgrade to 2.8.6.1 if you can't go to 2.9.0.3. I understand that there is a segment of users out there that are on RHEL5 and it has an older version of installed libpcap that people are having to recompile.

J

On Jan 6, 2011, at 2:47 PM, Castle, Shane wrote:

I can't add the SnortSam mods to any release >2.8.6.0 on my RHEL5 install. Plans are in place to migrate either to RH6 or a different Linux distro so I can haz all the newer required components but it ain't happening very quickly (sigh).

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, January 06, 2011 12:37
To: Castle, Shane
Cc: snort-users () lists sourceforge net; snort-sigs () lists sourceforge net; snort-devel () lists sourceforge net
Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

Why do you have to find a new OS? Using an old version of RH or something? Can't you use 2.8.6.1?

J

On Jan 6, 2011, at 2:31 PM, Castle, Shane wrote:

Crap. Now I have to find a new OS. What, you couldn't wait another 6 months?

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, January 06, 2011 12:24
To: snort-users () lists sourceforge net; snort-sigs () lists sourceforge net; snort-devel () lists sourceforge net
Subject: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

All--

I just put up a blog post about the newest rulepack update and the EOL of 2.8.6.0's support for VRT rules. Please review it at:
http://blog.snort.org/2011/01/vrt-rule-update-available-now-and-eol.html
Thanks! Joel Esler Manager, OpenSource Community
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
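The alert-to-block flow Shane describes in the message above (a rule such as sid 4060 fires, the offending source is blocked on the firewall for a time configured per rule in a sid-block.map file) is shown below as an added example. It is not SnortSam's code and not anything posted in this thread. It assumes a "<sid>: <duration>" map syntax, a Snort fast-alert line layout, and an allowlist of address ranges that are never auto-blocked (the false-positive guard a deployment like this needs); the map, alert lines and allowlist are all constructed for the example.

```python
"""Map Snort alerts to timed firewall-block decisions (added example, not SnortSam code)."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sid-block.map. The "<sid>: <duration>" syntax is an assumption for
# this example, not SnortSam's documented format. Units: s, m, h, d.
SID_BLOCK_MAP = """\
# sid: how long to block the alert's source address
4060: 24h
1000002: 30m
"""

# Assumed allowlist: sources that are never blocked automatically, so a false
# positive on an internal host cannot cut off our own management traffic.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.50.5/32")]

# Fixed "now" so the example (and its checks) are deterministic.
NOW = datetime(2011, 1, 6, 13, 38, 49)

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'24h' -> timedelta(hours=24); raises ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def parse_sid_block_map(text):
    """Return {sid: timedelta}; blank lines and '#' comments are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sid, dur = line.split(":", 1)
        table[int(sid)] = parse_duration(dur)
    return table


SID_MAP = parse_sid_block_map(SID_BLOCK_MAP)

# Snort fast-alert style (assumed layout): [gid:sid:rev] ... {PROTO} src:port -> dst:port
_ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_alert(line):
    """Return (sid, source_ip) or None when the line is not a parseable alert."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    return int(m.group("sid")), m.group("src")


def decide_block(line, sid_map, now):
    """Turn one alert into {"ip", "sid", "until"}, or None when the sid is not in
    the map, the line does not parse, or the source is allowlisted."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    sid, src = parsed
    if sid not in sid_map:
        return None
    if any(ipaddress.ip_address(src) in net for net in NEVER_BLOCK):
        return None  # false-positive guard: never auto-block our own ranges
    return {"ip": src, "sid": sid, "until": now + sid_map[sid]}


def build_block_table(lines, sid_map, now):
    """Fold many alerts into {ip: until}; a repeat offender keeps its longest block."""
    table = {}
    for line in lines:
        d = decide_block(line, sid_map, now)
        if d is None:
            continue
        if d["ip"] not in table or d["until"] > table[d["ip"]]:
            table[d["ip"]] = d["until"]
    return table


# Constructed alert lines (addresses from the RFC 5737 documentation ranges).
ALERTS = [
    "01/06-13:30:01.000000 [**] [1:4060:6] POLICY RDP attempted administrator connection request [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:3389",
    "01/06-13:31:10.000000 [**] [1:4060:6] POLICY RDP attempted administrator connection request [**] [Priority: 1] {TCP} 10.1.2.3:4000 -> 192.0.2.10:3389",
    "01/06-13:32:00.000000 [**] [1:1000001:1] CONSTRUCTED rule not in sid-block.map [**] [Priority: 3] {TCP} 198.51.100.9:5555 -> 192.0.2.10:80",
    "01/06-13:33:00.000000 [**] [1:1000002:1] CONSTRUCTED short-block rule [**] [Priority: 2] {TCP} 198.51.100.9:5556 -> 192.0.2.10:80",
    "01/06-13:34:00.000000 [**] [1:1000002:1] CONSTRUCTED short-block rule [**] [Priority: 2] {TCP} 203.0.113.7:5557 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    for ip, until in sorted(build_block_table(ALERTS, SID_MAP, NOW).items()):
        print("block %-15s until %s" % (ip, until))
```

Running the block prints one line per blocked source: 203.0.113.7 is held for the full 24 hours even though its later sid 1000002 hit only asks for 30 minutes, 198.51.100.9 gets the 30-minute block, and the 10.1.2.3 hit on sid 4060 produces no block at all because it falls inside the allowlist. The sid that is absent from the map is ignored, which is the property Shane relies on: only rules deliberately listed in the map can ever trigger a firewall action.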
Current thread:
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0, (continued)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 waldo kitty (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Frank Knobbe (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Jeff Kell (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Castle, Shane (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Matthew Jonkman (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Will Metcalf (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Michael Scheidell (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 waldo kitty (Jan 28)
- Re: SnortSam Discussion was: RulePack update and End of Life of 2.8.6.0 Michael Scheidell (Jan 28)
- Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0 Castle, Shane (Jan 06)
- Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0 Castle, Shane (Jan 06)
- Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0 Jeff Kell (Jan 06)
- Re: RulePack update and End of Life of 2.8.6.0 Randal T. Rioux (Jan 06)