Thread: [Sguil-devel] [andrewbaker@users.sourceforge.net: [Barnyard-cvslist] CVS: barnyard - andrewbaker]
From: Bamm V. <ba...@sa...> - 2004-03-06 15:43:43
Barnyard CVS HEAD now has the sguil plugin. No more patching! :)

Bammkkkk

----- Forwarded message from "Andrew R. Baker" <and...@us...> -----

Date: Thu, 04 Mar 2004 20:34:33 -0800
From: "Andrew R. Baker" <and...@us...>
Subject: [Barnyard-cvslist] CVS: barnyard - andrewbaker
To: bar...@li...

CVSROOT: /cvsroot/barnyard
Module name: barnyard
Changes by: and...@sc... 2004/03/04 20:34:33

Modified files:
  . : autoclean.sh configure.in
  src : barnyard.c
  src/output-plugins: Makefile.am op_plugbase.c
Added files:
  src/output-plugins: op_sguil.c op_sguil.h

Log message:
* add output plugin for sguil (from Bamm Visscher)

_______________________________________________
Barnyard-cvslist mailing list
Bar...@li...
https://lists.sourceforge.net/lists/listinfo/barnyard-cvslist

----- End forwarded message -----
From: Richard B. <tao...@co...> - 2004-03-07 18:33:45
Bamm Visscher wrote:
> Barnyard CVS HEAD now has the sguil plugin. No more patching! :)
>
> Bammkkkk

Excellent. I want to get the new Sguil install guide together before my Sys Admin magazine article arrives on news stands, so this will help.

Who is going to CanSecWest at this point? I plan to work out how to get there this week. I'll probably take time off without pay and make my own travel arrangements. I've only been at my new job one week so it's too early to work a trip like this. :)

Richard
http://www.taosecurity.com
From: David W. <dwi...@mi...> - 2004-03-08 07:47:14
Richard Bejtlich wrote:
> Who is going to CanSecWest at this point? I plan to work out how to get
> there this week. I'll probably take time off without pay and make my own
> travel arrangements. I've only been at my new job one week so it's too
> early to work a trip like this. :)

I'll be there.

-Dave Wilburn
From: Bamm V. <ba...@sa...> - 2004-03-08 14:22:30
Steve and I are for sure. If you check out the CanSecWest community on orkut, you'll see a bunch of other attendees. Are you going to try to do a lightning talk?

Bammkkkk

On Sun, Mar 07, 2004 at 01:17:43PM -0500, Richard Bejtlich wrote:
> Bamm Visscher wrote:
>
> > Barnyard CVS HEAD now has the sguil plugin. No more patching! :)
> >
> > Bammkkkk
>
> Excellent. I want to get the new Sguil install guide together before my
> Sys Admin magazine article arrives on news stands, so this will help.
>
> Who is going to CanSecWest at this point? I plan to work out how to get
> there this week. I'll probably take time off without pay and make my own
> travel arrangements. I've only been at my new job one week so it's too
> early to work a trip like this. :)
>
> Richard
> http://www.taosecurity.com
From: Richard B. <tao...@co...> - 2004-03-08 14:26:21
Bamm Visscher wrote:
> Steve and I are for sure. If you check out the CanSecWest community on orkut, you'll see a bunch of other attendees. Are you going to try to do a lightning talk?
>
> Bammkkkk

I wasn't going to sign up unless I knew I was going for sure. I should determine that this week.

Richard
From: John C. <joh...@me...> - 2004-03-11 10:51:21
Hello Bamm,

Duplicate signature id's from different snort generators will cause conflicts with automation tools that rely on the signature_id. So I guess the question I am asking is whether you plan on dropping the 'signature_id' in preference to using the 'signature' field exclusively, or will there be support for generator id's in a future release of the sguildb?

I'd like to see generator_id's supported, since it would also allow for easy integration of events from 'other' detection/event/alarm tools (snort, prelude, custom tools, etc.)

Below is a glimpse from my event table for further contemplation.

Thanks,
John

select signature_id,signature from event group by signature_id limit 25;
+--------------+--------------------------------------------------------+
| signature_id | signature                                              |
+--------------+--------------------------------------------------------+
|            1 | spp_bo: Back Orifice Traffic Detected                  |
|            1 | spp_conversation: Bad IP protocol!                     |
|            1 | spp_portscan: Portscan Detected                        |
|            1 | spp_stream4: Stealth Activity Detected                 |
|            2 | http_inspect: DOUBLE DECODING ATTACK                   |
|            2 | spp_rpc_decode: Multiple Records in one packet         |
|            3 | http_inspect: U ENCODING                               |
|            4 | http_inspect: BARE BYTE UNICODE ENCODING               |
|            4 | spp_rpc_decode: Incomplete RPC segment                 |
|            7 | http_inspect: IIS UNICODE CODEPOINT ENCODING           |
|           12 | http_inspect: APACHE WHITESPACE (TAB)                  |
|           13 | http_inspect: NON-RFC HTTP DELIMITER                   |
|           13 | spp_stream4: SYN FIN Stealth Scan                      |
|           15 | http_inspect: OVERSIZE REQUEST-URI DIRECTORY           |
|           15 | spp_stream4: TTL Evasion attempt                       |
|           16 | http_inspect: OVERSIZE CHUNK ENCODING                  |
|           46 | snort_decoder: TCP Data Offset is less than 5!         |
|           47 | snort_decoder: TCP Data Offset is longer than payload! |
|           54 | snort_decoder: Tcp Options found with bad lengths      |
|           55 | snort_decoder: Truncated Tcp Options                   |
|           95 | snort_decoder: Truncated UDP Header!                   |
|           96 | snort_decoder: Invalid UDP header, length field < 8    |
|          108 | snort_decoder: Unknown Datagram decoding problem!      |
|          230 | DDOS shaft client to handler                           |
+--------------+--------------------------------------------------------+
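The collision John describes above, demonstrated as an added example that is not part of the thread or of the Sguil or Barnyard code. Snort's fast-alert header carries three numbers, `[gid:sid:rev]`, where the generator id distinguishes the rule engine (gid 1) from the preprocessors and the decoder. The script below parses a handful of constructed alert lines into an in-memory SQLite table shaped like the event table in the post, then runs John's query next to one keyed on `(generator_id, signature_id)`. The gid values and alert lines are assumed for illustration; only the message text and sid values are taken from the thread.

```python
"""Show why sid alone is not a unique alert key across Snort generators."""
import re
import sqlite3

# Constructed sample alerts in Snort's "[gid:sid:rev] msg" header form.
# The gid values are assumptions made for this example, not data from the thread.
SAMPLE_ALERTS = [
    "[111:1:1] spp_stream4: Stealth Activity Detected",
    "[105:1:1] spp_bo: Back Orifice Traffic Detected",
    "[100:1:1] spp_portscan: Portscan Detected",
    "[119:2:1] http_inspect: DOUBLE DECODING ATTACK",
    "[106:2:1] spp_rpc_decode: Multiple Records in one packet",
    "[111:13:1] spp_stream4: SYN FIN Stealth Scan",
    "[119:13:1] http_inspect: NON-RFC HTTP DELIMITER",
    "[1:230:1] DDOS shaft client to handler",
]

ALERT_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]\s+(.*\S)\s*$")


def parse_alert(line):
    """Split '[gid:sid:rev] message' into (gid, sid, rev, message)."""
    match = ALERT_RE.match(line)
    if not match:
        raise ValueError("not a Snort alert header: %r" % line)
    gid, sid, rev, msg = match.groups()
    return int(gid), int(sid), int(rev), msg


def load_events(alerts):
    """Build an event table that keeps the generator id next to the sid."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event ("
        " generator_id INTEGER NOT NULL,"
        " signature_id INTEGER NOT NULL,"
        " signature_rev INTEGER NOT NULL,"
        " signature TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?)",
        [parse_alert(line) for line in alerts],
    )
    conn.commit()
    return conn


def signatures_per_sid(conn):
    """John's grouping: how many distinct messages hide behind each sid."""
    rows = conn.execute(
        "SELECT signature_id, COUNT(DISTINCT signature)"
        " FROM event GROUP BY signature_id"
    ).fetchall()
    return {sid: count for sid, count in rows}


def colliding_sids(conn):
    """sids that are reused by more than one generator."""
    rows = conn.execute(
        "SELECT signature_id FROM event"
        " GROUP BY signature_id"
        " HAVING COUNT(DISTINCT generator_id) > 1"
        " ORDER BY signature_id"
    ).fetchall()
    return [sid for (sid,) in rows]


def signatures_by_gid_sid(conn):
    """Keying on (gid, sid) gives one row per distinct alert."""
    rows = conn.execute(
        "SELECT generator_id, signature_id, signature"
        " FROM event GROUP BY generator_id, signature_id"
    ).fetchall()
    return {(gid, sid): sig for gid, sid, sig in rows}


if __name__ == "__main__":
    db = load_events(SAMPLE_ALERTS)
    print("sids shared by several generators:", colliding_sids(db))
    for key, sig in sorted(signatures_by_gid_sid(db).items()):
        print("%3d:%-4d %s" % (key[0], key[1], sig))
```

Any automation that indexes on `signature_id` alone (auto-categorisation, escalation rules, per-signature suppression) will treat all three sid-1 events as the same alert; adding `generator_id` to the key, as the last query does, is what restores a one-to-one mapping without having to fall back on matching the free-text `signature` column.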