
[Snort-users] RE: Exchange 2000


Richard Lyons

Dec 19, 2002, 5:01:15 PM
Has anyone dealt with putting Snort onto a Exchange 2000 box? Anything
in particular that I would need to know, i.e., disable certain things
initially before installation? Any help would greatly be appreciated!

RL

-----Original Message-----
From: snort-use...@lists.sourceforge.net
[mailto:snort-use...@lists.sourceforge.net]
Sent: Thursday, December 19, 2002 12:51 PM
To: snort...@lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #2600 - 9 msgs

Send Snort-users mailing list submissions to
snort...@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-use...@lists.sourceforge.net

You can reach the person managing the list at
snort-us...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

1. RE: Barnyard/acid reconfigure question (Henning, David)
2. Ignorehosts still not working... (Marc Quibell)
3. ACID Graph Page (Gary Borgeson)
4. RE: Ignorehosts still not working... (Hicks, John)
5. RE: ACID Graph Page (Steve Halligan)
6. RE: DB ERROR (Luo, Philip)
7. Re: One question (Matt Kettler)
8. Redhat 8.0 and Snort...playing nice? (Madziarczyk, Jonathan)
9. RE: Clueless in Toronto (Rich Stryker)

--__--__--

Message: 1
From: "Henning, David" <henn...@fortrex.com>
To: "'snort...@lists.sourceforge.net' "
<snort...@lists.sourceforge.net>
Date: Thu, 19 Dec 2002 09:01:38 -0500
Subject: RE: [Snort-users] Barnyard/acid reconfigure question

Excellent explanation! Thank you!

Dave

-----Original Message-----
From: Jens Krabbenhoeft

Hi,

> What am I missing on how to assign this number and keep it consistent?

op_acid_db.c:

    /* if sensor id == 0, then we attempt to determine it dynamically */
    if(data->sensor_id == 0)
    {
        data->sensor_id = AcidDbGetSensorId(data);
    }

And AcidDbGetSensorId does the following:

    "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
    "AND filter='%s' AND detail='%u' AND encoding='0'", pv.hostname,
    pv.interface, pv.filter, op_data->detail)

If it gets a sensor back, it uses that sensor_id, if not, it inserts the
new sensor.

So from the code, to keep it consistent, don't change the hostname /
interface / filter and detail.

Hope that helps,

Jens

BTW: It works for me. Changing any of these values inserts a new sensor,
changing nothing doesn't do anything to the sensor-table.


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
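The lookup-or-insert that Jens describes, modelled in Python on an in-memory SQLite table. This is an added example, not barnyard's or ACID's code: the table is reduced to the key columns (the real ACID schema has more), the hostnames and interfaces are constructed, and the queries use bound parameters instead of the sprintf-built string in op_acid_db.c, so a hostname or BPF filter containing a quote cannot alter the statement. Running it shows the same key returning the same sid and any changed field producing a fresh row.

```python
import sqlite3

# Reduced ACID 'sensor' table: only the columns the lookup keys on
# (assumption: the real ACID schema carries more columns than these).
# "filter" is double-quoted because it is a keyword in newer SQLite.
SCHEMA = """
CREATE TABLE sensor (
    sid       INTEGER PRIMARY KEY AUTOINCREMENT,
    hostname  TEXT NOT NULL,
    interface TEXT NOT NULL,
    "filter"  TEXT NOT NULL,
    detail    INTEGER NOT NULL,
    encoding  INTEGER NOT NULL
)
"""


def get_sensor_id(conn, hostname, interface, bpf_filter, detail, encoding=0):
    """Return the sid for this sensor identity, inserting a row on a miss.

    Same logic as AcidDbGetSensorId: SELECT on the full key, INSERT if no
    row comes back. Values are bound parameters rather than formatted into
    the statement, so quotes in hostname or filter cannot change the query.
    """
    key = (hostname, interface, bpf_filter, detail, encoding)
    row = conn.execute(
        'SELECT sid FROM sensor WHERE hostname=? AND interface=? '
        'AND "filter"=? AND detail=? AND encoding=?', key).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute(
        'INSERT INTO sensor (hostname, interface, "filter", detail, encoding) '
        'VALUES (?, ?, ?, ?, ?)', key)
    conn.commit()
    return cur.lastrowid


def demo():
    """Constructed run: same key twice, then one field changed at a time."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    same_a = get_sensor_id(conn, "ids1.example.net", "eth1", "", 1)
    same_b = get_sensor_id(conn, "ids1.example.net", "eth1", "", 1)
    new_if = get_sensor_id(conn, "ids1.example.net", "eth2", "", 1)
    new_bpf = get_sensor_id(conn, "ids1.example.net", "eth1", "not port 22", 1)
    quoted = get_sensor_id(conn, "o'brien's box", "eth1", "", 1)  # quote is harmless
    rows = conn.execute("SELECT COUNT(*) FROM sensor").fetchone()[0]
    conn.close()
    return same_a, same_b, new_if, new_bpf, quoted, rows


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one Jens gives: a sensor's identity is the tuple (hostname, interface, filter, detail, encoding), so renaming an interface or editing the BPF filter starts a new sid and splits the alert history in ACID.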


--__--__--

Message: 2
From: "Marc Quibell" <mqui...@fbfs.com>
To: snort...@lists.sourceforge.net
Date: Thu, 19 Dec 2002 09:07:15 -0600
Subject: [Snort-users] Ignorehosts still not working...

My snort cmd line is:
/usr/local/bin/snort -o -q -i eth1 -c
/usr/local/demarc/conf/snorteth1.conf

My snorteth1.conf is as follows:
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
#var DNS_SERVERS $HOME_NET
var DNS_SERVERS [207.108.40.xx,207.108.40.xxx]
var HTTP_PORTS 80
var ORACLE_PORTS 1521

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor stream4: detect_scans, disable_evasion_alerts

output database: log, mysql, user=snort_ike dbname=snortmaster password=ikeacc3ss host=192.168.45.111 sensor_name=ike.fbfs.com


#BEGIN RULES:

I cannot get it to ignore those two hosts. Suggestions?

THanks.

Marc


--__--__--

Message: 3
From: Gary Borgeson <gbor...@aecc.com>
To: "'snort...@lists.sourceforge.net'"
<snort...@lists.sourceforge.net>
Date: Thu, 19 Dec 2002 09:53:35 -0600
Subject: [Snort-users] ACID Graph Page


Does someone know what causes this?

, * * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University * (see the
file 'acid_main.php' for license details) * * Purpose: displays form for
graphing */ echo '

'; echo '

'; echo 'Chart Title:
'; echo 'Chart Type: { chart type } Time (hour) vs. Number of Alerts Time
(day) vs. Number of Alerts Time (month) vs. Number of Alerts Src. IP address
vs. Number of Alerts Dst. IP address vs. Number of Alerts Dst. UDP Port vs.
Number of Alerts Src. UDP Port vs. Number of Alerts Dst. TCP Port vs. Number
of Alerts Src. TCP Port vs. Number of Alerts Sig. Classification vs. Number
of Alerts Sensor vs. Number of Alerts '; // Do you need other periods?
Simply add them! echo ' Chart Period: no period 7 (a week) 24 (whole day)
168 (24x7)
'; echo ' Size: (width x height) x
'; echo ' Plot Margins: (left x right x top x bottom) x x x

'; echo ' Plot type: bar line pie '; echo '

Thanks, G




--__--__--

Message: 4
From: "Hicks, John" <JHi...@JUSTICE.GC.CA>
To: 'Marc Quibell' <mqui...@fbfs.com>, "Snort Users (E-mail)"
<snort...@lists.sourceforge.net>
Subject: RE: [Snort-users] Ignorehosts still not working...
Date: Thu, 19 Dec 2002 11:25:23 -0500

add /32 for CIDR notation?
var DNS_SERVERS [207.108.40.xxx/32,207.108.40.xxx/32]

hth,
John
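A way to see exactly which addresses an ignore list ends up covering before changing the preprocessor line again. This is an added example, not Snort's code: it resolves the $DNS_SERVERS reference the way the posted config uses it, normalises bare entries to the /32 form suggested above, and refuses a list that resolves to "any" (which is what the commented-out "var DNS_SERVERS $HOME_NET" would have produced). The config fragment and the 192.0.2.x addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed snort.conf fragment in the shape of the one posted above;
# the addresses are from the 192.0.2.0/24 documentation range, not the
# poster's.
SAMPLE_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [192.0.2.53/32,192.0.2.54/32]
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts:\s*(\S+)\s*$")


def expand_vars(value, variables):
    """Follow $NAME references, including chains such as var SMTP $HOME_NET."""
    seen = set()
    while value.startswith("$"):
        name = value[1:]
        if name in seen or name not in variables:
            raise ValueError("undefined or circular variable %s" % value)
        seen.add(name)
        value = variables[name]
    return value


def ignore_networks(conf_text):
    """Return the networks the portscan-ignorehosts line resolves to.

    Entries are CIDR blocks; an entry written without a mask is taken as
    a single host (/32), the form the reply above recommends writing out.
    'any' is rejected: an ignore list covering every host would silence
    the portscan preprocessor completely.
    """
    variables = {}
    ignore_value = None
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = IGNORE_RE.match(line)
        if m:
            ignore_value = m.group(1)
    if ignore_value is None:
        return []
    value = expand_vars(ignore_value, variables)
    if value == "any":
        raise ValueError("portscan-ignorehosts resolves to 'any'")
    entries = value[1:-1].split(",") if value.startswith("[") else [value]
    return [ipaddress.ip_network(e if "/" in e else e + "/32")
            for e in entries if e]


def is_ignored(addr, networks):
    """True if addr falls inside any network of the resolved ignore list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets = ignore_networks(SAMPLE_CONF)
    for host in ("192.0.2.53", "192.0.2.55"):
        print(host, "ignored" if is_ignored(host, nets) else "scanned")
```

Run it against your own snort.conf (read the file into the string) and compare the printed networks with the hosts that are still showing up in portscan.log; a list that does not contain them, or that resolves to "any", is a configuration problem rather than a preprocessor one.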



--__--__--

Message: 5
From: Steve Halligan <gie...@geeksquad.com>
To: 'Gary Borgeson' <gbor...@aecc.com>,
"'snort...@lists.sourceforge.net'"
<snort...@lists.sourceforge.net>
Subject: RE: [Snort-users] ACID Graph Page
Date: Thu, 19 Dec 2002 10:31:49 -0600


Does someone know what causes this?

****cut*****


You are missing a ' somewhere at the end of an echo statement somewhere near
the beginning of that mess.


-steve

--__--__--

Message: 6
From: "Luo, Philip" <Phili...@adp.com>
To: 'twig les' <twi...@yahoo.com>
Cc: snort...@lists.sourceforge.net
Subject: RE: [Snort-users] DB ERROR
Date: Thu, 19 Dec 2002 11:36:37 -0500

It still happens to me, especially when I looked at the detail of alerts.

-----Original Message-----
From: twig les [mailto:twi...@yahoo.com]
Sent: Friday, December 13, 2002 1:05 PM
To: Steve Suehring; Luo, Philip
Cc: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] DB ERROR

Actually you may shed some light on it if you try:

mysql -h localhost -u snort -p snort
mysql -h 127.0.0.1 -u snort -p snort

--- Steve Suehring <sn...@braingia.org> wrote:
> Can you try doing something like this from the
> command-line:
>
> mysql -u snort -p snort
>
> Then see what error and/or error number you get.
>
> Also, from within the MySQL CLI (as root):
> show grants for snort@localhost;
> show grants for sn...@127.0.0.1;
>
> Steve
>
> On Fri, Dec 13, 2002 at 09:20:46AM -0500, Luo,
> Philip wrote:
> > I did, no luck. I modifies the hosts file too.
> >
> > -----Original Message-----
> > From: Jens Krabbenhoeft
> [mailto:tschenz-s...@noris.net]
> > Sent: Thursday, December 12, 2002 11:36 AM
> > To: snort...@lists.sourceforge.net
> > Subject: Re: [Snort-users] DB ERROR
> >
> > Hi,
> >
> > > grant INSERT,SELECT,CREATE,DELETE on snort.* to
> snort@localhost identified
> >
> ^^^^^^^^^
> > > Database ERROR:Database ERROR:Access denied for
> user: 'sn...@127.0.0.1' to
> >
> ^^^^^^^^^
> >
> > Try doing a grant for sn...@127.0.0.1
> >
> > HTH,
> > Jens
> >


=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself

-----------------------------------------------------------
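The reason the two "mysql -h" commands above can give different answers, shown as a small Python model of how MySQL picks an account row. This is an added example, not MySQL's code, and it is deliberately simplified (the user column has no wildcards here and specificity is reduced to "fewest wildcard characters"). The grant tables are constructed: the first is the single grant quoted in the thread, the second adds the 127.0.0.1 row Jens suggested. The host the server sees is "localhost" for a socket connection (-h localhost on a Unix host) and the peer address for TCP (-h 127.0.0.1 arrives as "127.0.0.1"), which is why the two rows are different accounts.

```python
import re


def host_matches(pattern, host):
    """MySQL host values may use LIKE-style wildcards: % (any run) and _ (one char)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def resolve_account(accounts, user, host):
    """Pick the account row used for a connection from (user, host).

    accounts maps (user, host_pattern) to a set of privileges. When more
    than one row matches, the one with the fewest wildcard characters wins;
    a simplification of the server's specificity ordering, but enough to
    show that a literal host beats '%'. Returns the winning key or None.
    """
    candidates = [key for key in accounts
                  if key[0] == user and host_matches(key[1], host)]
    if not candidates:
        return None
    return min(candidates, key=lambda key: sum(c in "%_" for c in key[1]))


def can(accounts, user, host, privilege):
    """True if the row chosen for (user, host) carries the privilege."""
    key = resolve_account(accounts, user, host)
    return key is not None and privilege in accounts[key]


# Constructed grant tables. The host is what the server sees: 'localhost'
# for a socket connection, the peer address for TCP.
SNORT_PRIVS = {"INSERT", "SELECT", "CREATE", "DELETE"}
BEFORE = {("snort", "localhost"): set(SNORT_PRIVS)}            # the grant in the thread
AFTER = {**BEFORE, ("snort", "127.0.0.1"): set(SNORT_PRIVS)}   # plus the row Jens suggested
READ_ONLY_EVERYWHERE = {**AFTER, ("snort", "%"): {"SELECT"}}    # wildcard row, less privileged


if __name__ == "__main__":
    for host in ("localhost", "127.0.0.1"):
        print("before:", host, can(BEFORE, "snort", host, "INSERT"))
        print("after: ", host, can(AFTER, "snort", host, "INSERT"))
```

The check on a real server is the one Steve gave: SHOW GRANTS for both 'snort'@'localhost' and 'snort'@'127.0.0.1', and add the missing row rather than a broad 'snort'@'%' if the sensor only ever connects from those two hosts.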


--__--__--

Message: 7
Date: Thu, 19 Dec 2002 12:01:13 -0500
To: Carmelo Zubeldia <czub...@innovatd.com>,
snort...@lists.sourceforge.net
From: Matt Kettler <mket...@evi-inc.com>
Subject: Re: [Snort-users] One question

No, not a bridge, a router. However I suspect what you are calling a
"bridge" is really a router anyway.

A Bridge is a simple ethernet layer device that bridges 2 ethernet segments
(i.e., a switch with only 2 ports is a bridge), a router is an IP layer
device with multiple interfaces that routes IP packets between them. The
significant difference here is that some non-IP things like ARP don't
generally pass through a router (although they might be proxied by it), but
any type of ethernet packet can go through a bridge, provided the MAC
addresses dictate it is headed to the other side.

Since hogwash relies on IPTables for filtering, that filtering is IP layer,
thus must happen on a system which routes at an IP layer. It can't merely
be an ethernet layer bridge.

At 12:11 PM 12/19/2002 +0100, Carmelo Zubeldia wrote:
>Hi all,
>
>Run hogwash in a Bridge?
>
>Thxs
>--

--__--__--

Message: 8
Date: Thu, 19 Dec 2002 11:18:57 -0600
From: "Madziarczyk, Jonathan" <th...@cityofevanston.org>
To: <snort...@lists.sourceforge.net>
Subject: [Snort-users] Redhat 8.0 and Snort...playing nice?

Hey all,

So I've seen a couple of questions regarding RedHat 8 and Snort but
not a lot of answers....Does anyone have this combo working right now?
Were there problems you hadn't encountered in other installs?

Thanks,
JonM



--__--__--

Message: 9
Subject: RE: [Snort-users] Clueless in Toronto
Date: Thu, 19 Dec 2002 12:50:11 -0500
From: "Rich Stryker" <rstr...@virtuallearning.net>
To: "SnortUsers (E-mail)" <snort...@lists.sourceforge.net.>

Is there any reason that you can think of as to why my SNORT, when set to
log to a binary file, would die after a few seconds or a minute or two? And
why the binary file that is created can't be read by SNORT afterwards like
the SNORT document says it can?

Thanks,

Rich

-----Original Message-----
From: Joel Healy [mailto:Joel....@amphenderson.co.nz]
Sent: Wednesday, December 18, 2002 2:48 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto


Hi Rich,

Ok... When you run snort you will need to tell it where its configuration
file is unless you have it in the default location and i don't know where
that is on a W2K box. Have a read what command line options (check out
http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.1) you can pass
to it as it sounds like you are using the -l command to create packet logs
which is in effect creating the IP address subfolders, but for a fairly
vanilla installation you could run it as "snort -c C:\mypath\snort.conf",
your snort.conf should be where your rules are.

So the next step is to edit your snort.conf file (check out
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5) and configure
one of the output plugins.. for example for your alert.ids file..
output alert_fast: alert.ids

A best practice configuration is to configure snort to use the unified
output plugin
output alert_unified: snort.alert

which writes out the alerts in a binary format that is much quicker than any
of the other plugins.. then use barnyard to read the file and output the
alert.. it can output in any of the ways snort can. That allows snort (or
hogwash) to keep up with quite high traffic throughput.

anyway hope that helps.

cheers

joel


-----Original Message-----
From: Rich Stryker [mailto:rstr...@virtuallearning.net]
Sent: Thursday, December 19, 2002 7:43 AM
To: SnortUsers (E-mail)
Subject: RE: [Snort-users] Clueless in Toronto


Great Thanks Keith!

Got it. I understand now why that is. Switches will broadcast only once
until they know which port to send traffic out of. This would mean I would
miss just about everything except for the broadcasts and multicasts. Whereas
a hub is in constant broadcast mode since it shouldn't have the ability to
have a MAC table...right?

Assuming I am correct can you or anyone else now help me with SNORTSNARF?
When I followed the instructions from Silicon Defense, for installing SNORT
on a W2K machine with IIS, SNORT created an alert.ids file. I setup SNORT to
run as a service but I didn't get anything, no logs etc. When SNORT runs
from the command line it doesn't write to the alert.ids but creates sub
folders for every IP address it finds, which I have read to mean that is the
default setting.

Any suggestions on how I can get the logs to be put into the alert.ids and
thereby allowing me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKn...@TUC.ca]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low


Rich,

If you only have dumb switches, then get a hub. Force all traffic you want
to monitor through the hub. You only need one interface on the SNORT box to
monitor traffic. If you want to use switches, you need to enable port
spanning so that one switch port receives all the traffic on the switch and
then plug snort into that port.

Crude text diagram...

Snort
||
\/
Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E.
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212

-----Original Message-----
From: Rich Stryker [mailto:rstr...@virtuallearning.net]
Sent: December 18, 2002 11:32 AM
To: snort...@lists.sourceforge.net
Subject: [Snort-users] Clueless in Toronto


Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because
i am just testing the waters with it. There are 2 NICs.

I can't seem to figure out how to implement it now that it is running. I
figure I will put it behind my firewall. But how do i force traffic to go
through one NIC on the server and out through the other? Do i even need to
do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but
it only tracked the local computer's traffic and nothing else.

I have SNORTSNARF installed to see the reports but when I seem to have SNORT
running I can't find the log files. I want SNORT setup for NIDS.

All help is greatly appreciated.

Thanks,

Rich



--__--__--


End of Snort-users Digest



twig les

Dec 19, 2002, 7:03:12 PM
No, never done that. Off the top of my head that
sounds like a terrible idea. A NIDS is only effective
if it can keep up with the traffic on your network.
If you are using Windows+Exchange then you would need
a lot more horsepower. Also consider the security
implications. The next round of zero-day Exchange
exploits could get your IDS owned.

Better to confiscate an old box (old nowadays seems to
mean 700MHz) and throw redhat or freebsd on it per the
guides. This isn't an OS war thing (dear god I don't
want that yet again) but simply an overhead issue.

=== message truncated ===



aaron g

Dec 20, 2002, 2:18:18 AM
Not to be snide, but perhaps you are mistaken as to snort's intrusion detection purpose? Snort is a network IDS, not a host IDS.

-aarong

>
> Does someone know what causes this?
>
> , <RO...@DANYLIW.COM>
>  * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
>  * (see the file 'acid_main.php' for license details)
>  *
>  * Purpose: displays form for graphing
>  */
> echo '
> <form>
> ';
> echo '
> <table border=1 cellpadding=0 width="100%" bgcolor="#CCCC99">
> <tr>
> <td>
> ';
> echo '<b>Chart Title:</b> <INPUT TYPE="TEXT" SIZE="60" NAME="user_chart_title" VALUE="'.$user_chart_title.'"><br>
> ';
> echo '<b>Chart Type:</b> <SELECT NAME="chart_type">
> <OPTION SELECTED VALUE=" ">{ chart type }
> <OPTION VALUE="1">Time (hour) vs. Number of Alerts
> <OPTION VALUE="2">Time (day) vs. Number of Alerts
> <OPTION VALUE="4">Time (month) vs. Number of Alerts
> <OPTION VALUE="6">Src. IP address vs. Number of Alerts
> <OPTION VALUE="7">Dst. IP address vs. Number of Alerts
> <OPTION VALUE="8">Dst. UDP Port vs. Number of Alerts
> <OPTION VALUE="10">Src. UDP Port vs. Number of Alerts
> <OPTION VALUE="9">Dst. TCP Port vs. Number of Alerts
> <OPTION VALUE="11">Src. TCP Port vs. Number of Alerts
> <OPTION VALUE="12">Sig. Classification vs. Number of Alerts
> <OPTION VALUE="13">Sensor vs. Number of Alerts
> </SELECT>';
> // Do you need other periods? Simply add them!
> echo '<b>Chart Period:</b> <SELECT NAME="chart_interval">
> <OPTION SELECTED VALUE="0">no period
> <OPTION VALUE="7">7 (a week)
> <OPTION VALUE="24">24 (whole day)
> <OPTION VALUE="168">168 (24x7)
> </SELECT><br>
> ';
> echo '<b>Size: (width x height)</b> <INPUT TYPE="TEXT" SIZE="4" NAME="width" VALUE="'.$width.'"> <b>x</b> <INPUT TYPE="TEXT" SIZE="4" NAME="height" VALUE="'.$height.'"><br>
> ';
> echo '<b>Plot Margins: (left x right x top x bottom)</b> <INPUT TYPE="TEXT" SIZE="4" NAME="pmargin0" VALUE="'.$pmargin0.'"> <b>x</b> <INPUT TYPE="TEXT" SIZE="4" NAME="pmargin1" VALUE="'.$pmargin1.'"> <b>x</b> <INPUT TYPE="TEXT" SIZE="4" NAME="pmargin2" VALUE="'.$pmargin2.'"> <b>x</b> <INPUT TYPE="TEXT" SIZE="4" NAME="pmargin3" VALUE="'.$pmargin3.'"><br>
> ';
> echo '<b>Plot type:</b> <INPUT TYPE="radio" NAME="chart_style" VALUE="bar" '.chk_check($chart_style, 'bar').'>bar <INPUT TYPE="radio" NAME="chart_style" VALUE="line" '.chk_check($chart_style, 'line').'>line <INPUT TYPE="radio" NAME="chart_style" VALUE="pie" '.chk_check($chart_style, 'pie').'>pie ';
> echo '
> </td>
> </tr>
> </table>
>
> </form>
> ';
>
> Thanks, G
>
>
> --__--__--
>
> Message: 4
> From: "Hicks, John" <JHi...@JUSTICE.GC.CA>
> To: 'Marc Quibell' <mqui...@fbfs.com>, "Snort Users (E-mail)"
> <snort...@lists.sourceforge.net>
> Subject: RE: [Snort-users] Ignorehosts still not working...
> Date: Thu, 19 Dec 2002 11:25:23 -0500
>
> add /32 for CIDR notation?
> var DNS_SERVERS [207.108.40.xxx/32,207.108.40.xxx/32]
>
> hth,
> John
>
> -----Original Message-----
> From: Marc Quibell [mailto:mqui...@fbfs.com]
> Sent: Thursday, December 19, 2002 10:07 AM
> To: snort...@lists.sourceforge.net

> -------------------------------------------------------
> This SF.NET email is sponsored by: Geek Gift Procrastinating?
> Get the perfect geek gift now! Before the Holidays pass you by.
> T H I N K G E E K . C O M http://www.thinkgeek.com/sf/
> _______________________________________________
> Snort-users mailing list
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>

> > > -----Original Message-----
> > > From: Jens Krabbenhoeft

> > [mailto:tschenz-s...@noris.net]
> > > Sent: Thursday, December 12, 2002 11:36 AM
> > > To: snort...@lists.sourceforge.net
> > > Subject: Re: [Snort-users] DB ERROR
> > >
> > > Hi,
> > >
> > > > grant INSERT,SELECT,CREATE,DELETE on snort.* to
> > snort@localhost identified
> > >
> > ^^^^^^^^^
> > > > Database ERROR:Database ERROR:Access denied for
> > user: 'sn...@127.0.0.1' to
> > >
> > ^^^^^^^^^
> > >
> > > Try doing a grant for sn...@127.0.0.1
> > >
> > > HTH,
> > > Jens
> > >
> > >
> > >
> >
> =====
> -----------------------------------------------------------
> If you give a man a fish, he can eat for a day
> If you bludgeon him to death, you can eat the fish yourself
>
> -----------------------------------------------------------
>
>
> So I've seen a couple of questions regarding RedHat 8 and Snort but not a
> lot of answers.... Does anyone have this combo working right now? Were there
> problems you hadn't encountered in other installs?



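The "Ignorehosts still not working" exchange quoted in the digest above turns on how Snort reads a `var` IP list, and John's suggestion to add `/32` is the usual fix. The script below is an added example, not code from the Snort project or from anyone on the list: it expands a Snort-style `var` list (bare address, CIDR, `$VAR` reference, `!` negation, bracketed comma-separated list) into the BPF expression you would pass as the trailing argument on the snort command line to ignore those hosts, and it flags the mistake the `/32` advice guards against, a host address written with a shorter mask, which Snort masks down to the whole subnet. It assumes Snort 1.9/2.x list syntax and that a bare address means /32; the addresses are constructed from the RFC 5737 documentation ranges because the real ones in the thread were masked as 207.108.40.xxx.

```python
"""Added example (not from the Snort project or from anyone on this list):
expand a Snort 'var' IP list such as the DNS_SERVERS line quoted above and
emit the BPF filter that tells Snort to ignore those hosts.

Assumptions: Snort 1.9/2.x list syntax (bare address, CIDR, $VAR reference,
'!' negation, bracketed comma-separated lists); a bare address means /32.
The addresses below are constructed from RFC 5737 documentation ranges,
since the real ones in the thread were masked as 207.108.40.xxx.
"""
import ipaddress
import re

# Constructed snort.conf fragment. BAD_SERVERS shows the mistake the
# '/32' advice guards against: a host address with a too-short mask.
SAMPLE_CONF = """
var HOME_NET 192.0.2.0/24
var DNS_SERVERS [192.0.2.53/32,198.51.100.53]
var SMTP_SERVERS [$HOME_NET,!192.0.2.25]
var BAD_SERVERS 192.0.2.53/24
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.M)


def parse_vars(conf):
    """Map each 'var NAME VALUE' line of the fragment to {NAME: VALUE}."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(conf)}


def _network(token, warnings):
    """Convert one address token to an ip_network.

    ip_interface keeps the host part, so a bare address becomes /32 and
    192.0.2.53/24 is detected as a host address with host bits set, which
    Snort would mask down to 192.0.2.0/24 and so match the whole subnet.
    """
    iface = ipaddress.ip_interface(token)  # raises ValueError on garbage
    net = iface.network
    if iface.ip != net.network_address:
        warnings.append(f"{token} has host bits set; masked to {net}")
    return net


def expand(value, variables, warnings, _seen=()):
    """Expand a Snort IP list into (include, exclude) lists of networks."""
    include, exclude = [], []
    body = value.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    for tok in (t.strip() for t in body.split(",") if t.strip()):
        negate = tok.startswith("!")
        tok = tok.lstrip("!")
        if tok.startswith("$"):
            name = tok[1:]
            if negate:
                raise ValueError(f"negated variable ${name} is not handled here")
            if name in _seen:
                raise ValueError(f"circular reference to ${name}")
            if name not in variables:
                raise ValueError(f"undefined variable ${name}")
            inc, exc = expand(variables[name], variables, warnings, _seen + (name,))
            include += inc
            exclude += exc
        elif tok == "any":
            (exclude if negate else include).append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            (exclude if negate else include).append(_network(tok, warnings))
    return include, exclude


def _bpf_term(net):
    """'host a.b.c.d' for a /32, 'net a.b.c.d/len' otherwise."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def ignore_filter(conf, var_name):
    """Return (bpf_expression, warnings) that make Snort skip traffic to or
    from every host named by var_name. Pass the expression as the trailing
    argument on the snort command line, as with tcpdump."""
    variables = parse_vars(conf)
    warnings = []
    include, exclude = expand(variables[var_name], variables, warnings)
    expr = " or ".join(_bpf_term(n) for n in include)
    if exclude:
        expr = f"({expr}) and not ({' or '.join(_bpf_term(n) for n in exclude)})"
    return f"not ({expr})", warnings


if __name__ == "__main__":
    for name in ("DNS_SERVERS", "SMTP_SERVERS", "BAD_SERVERS"):
        expr, warns = ignore_filter(SAMPLE_CONF, name)
        print(f"{name}: {expr}")
        for w in warns:
            print(f"  warning: {w}")
```

Running it prints `not (host 192.0.2.53 or host 198.51.100.53)` for DNS_SERVERS and a warning for BAD_SERVERS, whose `192.0.2.53/24` silently becomes the whole `192.0.2.0/24`; that widening is exactly why a single host should be written as a bare address or with `/32`. A BPF filter drops the packets before Snort's rules see them, so use it only for hosts whose traffic you genuinely never want inspected; a `pass` rule is the finer-grained alternative when you want to suppress specific signatures for those hosts.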
