From: Will M. <wil...@gm...> - 2005-06-16 03:53:17
find / -name libipq.h

./configure --enable-inline --with-libipq-includes=/usr/local/include (or whatever directory libipq.h is in)

If you don't have libipq.h, install the iptables development package if one is available with your distribution and try again.

Regards,

Will

On 6/15/05, Brower, Robert <br...@nu...> wrote:
> I'm a linux and snort newbie and I'm having a problem getting snort-inline
> installed and hoping someone here can help out.
>
> When running ./configure --enable-inline I receive the following error:
>
> configure: error: libipq.h not found ...
>
> Any ideas?
>
> Thanks in advance
>
> Robert G. Brower
> University of Pennsylvania
> School of Nursing
> Office of Technology and Information Systems
> Computer Lab Manager/Senior IT Support Specialist
> 420 Guardian Dr
> Philadelphia Pa, 19104
From: Brower, R. <br...@nu...> - 2005-06-16 02:58:58
I'm a linux and snort newbie and I'm having a problem getting snort-inline installed and hoping someone here can help out.

When running ./configure --enable-inline I receive the following error:

configure: error: libipq.h not found ...

Any ideas?

Thanks in advance

Robert G. Brower
University of Pennsylvania
School of Nursing
Office of Technology and Information Systems
Computer Lab Manager/Senior IT Support Specialist
420 Guardian Dr
Philadelphia Pa, 19104
From: Nick R. <ni...@ro...> - 2005-06-13 23:38:31
On Thu, 9 Jun 2005, Adayadil Thomas wrote:

> Greetings.
>
> Can anyone put some light on what SPARC_TWIDDLE means ?

On SPARC systems, this is used to align the header on a 32-bit boundary. There have been errors related to this in the past, but I think they have been fixed since snort-2.0.0+

> When creating memory for stream_pkt this is used.
>
> stream_pkt->pkth = calloc(sizeof(SnortPktHeader)+
>                           ETHERNET_HEADER_LEN +
>                           SPARC_TWIDDLE + IP_MAXPACKET,
>                           sizeof(char));

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: Will M. <wil...@gm...> - 2005-06-13 23:23:29
This is all we get out of ipqueue, so no it doesn't recognize vlans.

Regards,

Will

typedef struct ipq_packet_msg {
    unsigned long packet_id;        /* ID of queued packet */
    unsigned long mark;             /* Netfilter mark value */
    long timestamp_sec;             /* Packet arrival time (seconds) */
    long timestamp_usec;            /* Packet arrival time (+useconds) */
    unsigned int hook;              /* Netfilter hook we rode in on */
    char indev_name[IFNAMSIZ];      /* Name of incoming interface */
    char outdev_name[IFNAMSIZ];     /* Name of outgoing interface */
    unsigned short hw_protocol;     /* Hardware protocol (network order) */
    unsigned short hw_type;         /* Hardware type */
    unsigned char hw_addrlen;       /* Hardware address length */
    unsigned char hw_addr[8];       /* Hardware address */
    size_t data_len;                /* Length of packet data */
    unsigned char payload[0];       /* Optional packet data */
} ipq_packet_msg_t;

On 6/13/05, Daniel Purcell <dpu...@ni...> wrote:
> Snort Inline users,
>
> I'm trying to add functionality to snort inline so that I can get vlan
> information along with my alerts (if the packet has vlan information).
> Has anyone tried to do this before? It seems like these changes go in
> decode.c, but things like the DecodeEthPkt (which calls DecodeVlan)
> aren't taken care of in the DecodeIptablesPkt function. Is that because
> iptables does not send it the entire Ethernet frame, but just the IP
> packet, so you lose Ethernet information in the process? If so, will I
> have to implement a way to watch for a netfilter mark of some sort (and
> set the mark in iptables or ebtables depending on what vlan it is on) to
> base the vlan information on?
>
> -Dan
From: Daniel P. <dpu...@ni...> - 2005-06-13 23:15:17
Snort Inline users,

I'm trying to add functionality to snort inline so that I can get vlan information along with my alerts (if the packet has vlan information). Has anyone tried to do this before? It seems like these changes go in decode.c, but things like the DecodeEthPkt (which calls DecodeVlan) aren't taken care of in the DecodeIptablesPkt function. Is that because iptables does not send it the entire Ethernet frame, but just the IP packet, so you lose Ethernet information in the process? If so, will I have to implement a way to watch for a netfilter mark of some sort (and set the mark in iptables or ebtables depending on what vlan it is on) to base the vlan information on?

-Dan
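The question above and Will's reply with the ipq_packet_msg layout describe two decode paths: DecodeEthPkt sees the whole frame and can find an 802.1Q tag, while DecodeIptablesPkt only ever sees what libipq copies up, which begins at the IP header. The following is an added example written for this page, not snort or libipq code: it decodes a tagged frame, then builds the view of that same frame that the QUEUE target would hand to userspace and shows that the only places VLAN information could survive are hw_protocol (the ethertype) and the netfilter mark. The VLAN_MARK_FLAG convention, the ipq_msg_view struct and the sample frame are all constructed for the example; libipq defines no such mark scheme.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define VLAN_TAG_LEN   4
#define ETHERTYPE_VLAN 0x8100
#define ETHERTYPE_IP   0x0800

typedef struct {
    int      vlan_id;    /* 802.1Q VID, or -1 when no tag is available */
    uint16_t ethertype;  /* ethertype of the network-layer payload */
    size_t   l3_offset;  /* offset of the IP header inside the buffer */
} link_info;

static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* DecodeEthPkt -> DecodeVlan path: the whole frame is present, so an 802.1Q
 * tag (TPID 0x8100 + 16-bit TCI) sits right after the source MAC.
 * Returns 0 on success, -1 if the frame is truncated. */
int decode_eth_frame(const unsigned char *frame, size_t len, link_info *out)
{
    if (len < ETH_HDR_LEN)
        return -1;
    out->vlan_id = -1;
    out->ethertype = be16(frame + 12);
    out->l3_offset = ETH_HDR_LEN;
    if (out->ethertype == ETHERTYPE_VLAN) {
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return -1;
        out->vlan_id = be16(frame + 14) & 0x0fff;  /* low 12 bits of the TCI */
        out->ethertype = be16(frame + 16);         /* encapsulated ethertype */
        out->l3_offset = ETH_HDR_LEN + VLAN_TAG_LEN;
    }
    return 0;
}

/* Only the ipq_packet_msg fields that matter here (constructed stand-in).
 * The real struct ends in a flexible array; a pointer lets us build one
 * from a frame without copying. hw_protocol is network order, as in libipq. */
typedef struct {
    unsigned long        mark;           /* netfilter mark, set from iptables */
    unsigned char        hw_protocol[2]; /* ethertype, network order */
    size_t               data_len;
    const unsigned char *payload;        /* starts at the IP header */
} ipq_msg_view;

/* Hypothetical marking convention for this example only (not defined by
 * libipq, iptables or snort): a rule sets mark = VLAN_MARK_FLAG | vid for
 * frames that arrived tagged; any other mark means "no VLAN information". */
#define VLAN_MARK_FLAG 0x10000UL

int vlan_from_mark(unsigned long mark)
{
    return (mark & VLAN_MARK_FLAG) ? (int)(mark & 0x0fff) : -1;
}

/* DecodeIptablesPkt path: payload begins at the IP header, so the tag itself
 * is gone. hw_protocol still gives the ethertype; the VID can only be
 * recovered if the kernel side encoded it in the mark. */
int decode_ipq_msg(const ipq_msg_view *m, link_info *out)
{
    if (m->payload == NULL || m->data_len < 20)  /* below a minimal IPv4 header */
        return -1;
    out->vlan_id = vlan_from_mark(m->mark);
    out->ethertype = be16(m->hw_protocol);
    out->l3_offset = 0;
    return 0;
}

/* Constructed sample: a tagged frame on VLAN 100 (PCP 3) carrying a minimal
 * 20-byte IPv4 header. Returns the number of bytes written (38), 0 if cap is too small. */
size_t build_tagged_frame(unsigned char *buf, size_t cap)
{
    static const unsigned char frame[] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC */
        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC */
        0x81, 0x00,                           /* 802.1Q TPID */
        0x60, 0x64,                           /* TCI: PCP=3, DEI=0, VID=100 */
        0x08, 0x00,                           /* encapsulated ethertype: IPv4 */
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06,
        0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02
    };
    if (cap < sizeof frame)
        return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

/* What the QUEUE target would hand to userspace for that frame: the IP
 * packet only, plus whatever mark the iptables rule set. */
int ipq_view_from_frame(const unsigned char *frame, size_t len,
                        unsigned long mark, ipq_msg_view *m)
{
    link_info li;
    if (decode_eth_frame(frame, len, &li) != 0)
        return -1;
    m->mark = mark;
    m->hw_protocol[0] = (unsigned char)(li.ethertype >> 8);
    m->hw_protocol[1] = (unsigned char)(li.ethertype & 0xff);
    m->data_len = len - li.l3_offset;
    m->payload = frame + li.l3_offset;
    return 0;
}
```

Run decode_eth_frame and decode_ipq_msg over the same sample frame and the VID is 100 on the first path and -1 on the second unless the mark carries it, which is exactly the situation the question describes. Whether the mark can be set per VLAN on a bridge depends on ebtables/iptables having access to the tag at the hook where the QUEUE rule sits; that part is not shown here.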
From: Bill W. <bw...@op...> - 2005-06-10 14:08:33
How to install Snort-Inline with ClamAV on Debian Sarge in Bridged Mode

Objective: To install Snort-inline with ClamAV on a Debian Sarge PC, with updates on its own, and with dselecting almost all packages.

Programs to get via dselect:

* Oinkmaster
* Bridge-utils
* ClamAV - libclamav-dev, libclamav1, clamav, clamav-base, clamav-fresh, clamav-daemon, clamav-getfiles
* Snort - We are going to cheat. We don't need Snort but we need all the files that it depends on. So, choose Snort and accept all the dependencies and then dselect Snort.
* Kernel 2.6.8

Download Snort with ClamAV

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?root=Snort-Clamav and download the snort-2.3.3-clam.tar.bz2 from CVS. Save it to /var/tmp/snort

The Install

./configure --enable-inline --enable-clamav --with-clamav-defire=/var/lib/clamav --with-libipq-includes=/usr/include/libipq

The rest is all playing with the config files.

Also, Thank you Will and Victor!
From: Will M. <wil...@gm...> - 2005-06-09 22:01:01
Unless you are running a Sun box or HPUX this value is set to 0, so if you are running with the snort_inline feature set it does not apply to you.

From spp_stream4.c

/* We must twiddle to align the offset the ethernet header and align the
   IP header on solaris -- maybe this will work on HPUX too. */

Regards,

Will

On 6/9/05, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> Can anyone put some light on what SPARC_TWIDDLE means ?
>
> When creating memory for stream_pkt this is used.
>
> stream_pkt->pkth = calloc(sizeof(SnortPktHeader)+
>                           ETHERNET_HEADER_LEN +
>                           SPARC_TWIDDLE + IP_MAXPACKET,
>                           sizeof(char));
>
> Thanks for the help.
>
> -Thomas
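Both replies to Thomas (Nick's above and Will's here) say the same thing: a 14-byte Ethernet header leaves the IP header two bytes short of a 32-bit boundary, and SPARC faults on misaligned word loads, so the reassembled-stream buffer gets two bytes of padding on SPARC and none elsewhere. The block below is an added example, not code from spp_stream4.c: it computes that padding from the header length, lays out a buffer with the pad in front of the Ethernet header the way the quoted comment describes, and checks where the IP header lands. The rebuilt_pkt struct, the 64-byte IP_MAXPACKET stand-in and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHERNET_HEADER_LEN 14   /* dst MAC + src MAC + ethertype */
#define IP_WORD_ALIGN       4    /* IP header fields are fetched as 32-bit words */

/* Padding to place in front of an Ethernet header of eth_len bytes so the
 * IP header that follows it starts on an align-byte boundary. For the
 * 14-byte Ethernet header and 4-byte words this is 2, which is what
 * SPARC_TWIDDLE is on SPARC builds; x86 builds use 0 because unaligned
 * loads there are only slower, not fatal. */
size_t header_twiddle(size_t eth_len, size_t align)
{
    return (align - (eth_len % align)) % align;
}

/* Buffer layout used by this example, following the spp_stream4 comment:
 *   [twiddle pad][Ethernet header][IP header + payload]
 * The pad goes at the front so the IP header, not the Ethernet header,
 * lands on the word boundary. */
typedef struct {
    unsigned char *buf;
    size_t len;
    size_t eth_off;   /* offset of the Ethernet header */
    size_t ip_off;    /* offset of the IP header */
} rebuilt_pkt;

int rebuilt_pkt_init(rebuilt_pkt *p, size_t twiddle, size_t ip_maxlen)
{
    p->len = twiddle + ETHERNET_HEADER_LEN + ip_maxlen;
    p->buf = calloc(p->len, sizeof(char));   /* same shape as the calloc in the question */
    if (p->buf == NULL)
        return -1;
    p->eth_off = twiddle;
    p->ip_off = twiddle + ETHERNET_HEADER_LEN;
    return 0;
}

void rebuilt_pkt_free(rebuilt_pkt *p)
{
    free(p->buf);
    p->buf = NULL;
}

/* 1 if buf + off is an align-byte aligned address. calloc memory is aligned
 * for any type, so the offset alone decides the answer. */
int is_aligned(const unsigned char *buf, size_t off, size_t align)
{
    return ((uintptr_t)(buf + off) % align) == 0;
}

/* Source address from the IP header (12 bytes in), read without assuming
 * alignment: a plain *(uint32_t *) load at an odd-word address is a SIGBUS
 * on SPARC, while memcpy is correct on every platform. */
uint32_t ip_saddr(const rebuilt_pkt *p)
{
    uint32_t v;
    memcpy(&v, p->buf + p->ip_off + 12, sizeof v);
    return v;
}

/* Build a buffer with the given twiddle and report whether the IP header
 * came out word-aligned: 1 yes, 0 no, -1 if allocation failed. */
int ip_header_is_aligned(size_t twiddle)
{
    rebuilt_pkt p;
    int ok;
    if (rebuilt_pkt_init(&p, twiddle, 64) != 0)
        return -1;
    ok = is_aligned(p.buf, p.ip_off, IP_WORD_ALIGN);
    rebuilt_pkt_free(&p);
    return ok;
}

int main(void)
{
    size_t twiddle = header_twiddle(ETHERNET_HEADER_LEN, IP_WORD_ALIGN);
    printf("twiddle=%zu  ip header aligned without pad: %d  with pad: %d\n",
           twiddle, ip_header_is_aligned(0), ip_header_is_aligned(twiddle));
    return 0;
}
```

On x86 the program reports the same alignment facts as on SPARC (offset 14 is not a word boundary, offset 16 is); the difference is only that x86 would tolerate the unaligned read in ip_saddr, which is why the bug Nick mentions could go unnoticed on Linux and only show up on Solaris.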
From: Adayadil T. <ada...@gm...> - 2005-06-09 20:36:39
Greetings.

Can anyone put some light on what SPARC_TWIDDLE means ?

When creating memory for stream_pkt this is used.

stream_pkt->pkth = calloc(sizeof(SnortPktHeader)+
                          ETHERNET_HEADER_LEN +
                          SPARC_TWIDDLE + IP_MAXPACKET,
                          sizeof(char));

Thanks for the help.

-Thomas
From: Bill W. <bw...@op...> - 2005-06-07 13:40:17
Thanks! That worked.

Will Metcalf wrote:

>In your oinkmaster.conf
>
>modifysid * "^alert" | "drop"
>
>then use disablesid to comment out your rules.
>
>disablesid 1201,485,620,2087,663
>
>Regards,
>
>Will
>
>On 6/6/05, Bill Warren <bw...@op...> wrote:
>
>>I am trying to use Oinkmaster to keep my inline box up with the latest
>>rules.
>>
>>So, I created a file and I put in it:
>>
>>  #! /bin/sh
>>
>>  oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/ \
>>    -u http://www.bleedingsnort.com/bleeding.rules.tar.gz
>>
>>  oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/
>>
>>  cd /etc/snort_inline/rules
>>  ./convert.sh
>>
>>The convert.sh is something I got from www.honeynet.org to make all the
>>rules turn into drop rules. Here is the main section:
>>
>>for x in `ls *.rules`
>>do
>>  echo "Converting rule $p in $x to use the DROP command for bidirectional Honeynets"
>>  cat $x | sed -e "s/EXTERNAL_NET/HONEYNET/g" -e "s/HOME_NET/EXTERNAL_NET/g" \
>>    -e "s/SMTP_SERVERS/EXTERNAL_NET/g" -e "s/HTTP_SERVERS/EXTERNAL_NET/g" \
>>    -e "s/SQL_SERVERS/EXTERNAL_NET/g" -e "s/DNS_SERVERS/EXTERNAL_NET/g" \
>>    -e "s/TELNET_SERVERS/EXTERNAL_NET/g" -e "s/alert /drop /g" \
>>    -e "s/ -/ </g" > $TMP
>>  cat $TMP > $x
>>done
>>
>>When I run oinkmaster again it sees all the rules as wrong and all the
>>rules that I have commented out are now uncommented. Does anybody have
>>a better way of updating the rules? I am running in bridged mode.
>>
>>Thanks,
>>Bill
From: Will M. <wil...@gm...> - 2005-06-06 21:08:42
In your oinkmaster.conf

modifysid * "^alert" | "drop"

then use disablesid to comment out your rules.

disablesid 1201,485,620,2087,663

Regards,

Will

On 6/6/05, Bill Warren <bw...@op...> wrote:
> I am trying to use Oinkmaster to keep my inline box up with the latest
> rules.
>
> So, I created a file and I put in it:
>
>   #! /bin/sh
>
>   oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/ \
>     -u http://www.bleedingsnort.com/bleeding.rules.tar.gz
>
>   oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/
>
>   cd /etc/snort_inline/rules
>   ./convert.sh
>
> The convert.sh is something I got from www.honeynet.org to make all the
> rules turn into drop rules. Here is the main section:
>
> for x in `ls *.rules`
> do
>   echo "Converting rule $p in $x to use the DROP command for bidirectional Honeynets"
>   cat $x | sed -e "s/EXTERNAL_NET/HONEYNET/g" -e "s/HOME_NET/EXTERNAL_NET/g" \
>     -e "s/SMTP_SERVERS/EXTERNAL_NET/g" -e "s/HTTP_SERVERS/EXTERNAL_NET/g" \
>     -e "s/SQL_SERVERS/EXTERNAL_NET/g" -e "s/DNS_SERVERS/EXTERNAL_NET/g" \
>     -e "s/TELNET_SERVERS/EXTERNAL_NET/g" -e "s/alert /drop /g" \
>     -e "s/ -/ </g" > $TMP
>   cat $TMP > $x
> done
>
> When I run oinkmaster again it sees all the rules as wrong and all the
> rules that I have commented out are now uncommented. Does anybody have
> a better way of updating the rules? I am running in bridged mode.
>
> Thanks,
> Bill
From: Bill W. <bw...@op...> - 2005-06-06 21:00:35
I am trying to use Oinkmaster to keep my inline box up with the latest rules.

So, I created a file and I put in it:

  #! /bin/sh

  oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/ \
    -u http://www.bleedingsnort.com/bleeding.rules.tar.gz

  oinkmaster -o /etc/snort_inline/rules -b /etc/snort_inline/rules/backup/

  cd /etc/snort_inline/rules
  ./convert.sh

The convert.sh is something I got from www.honeynet.org to make all the rules turn into drop rules. Here is the main section:

for x in `ls *.rules`
do
  echo "Converting rule $p in $x to use the DROP command for bidirectional Honeynets"
  cat $x | sed -e "s/EXTERNAL_NET/HONEYNET/g" -e "s/HOME_NET/EXTERNAL_NET/g" \
    -e "s/SMTP_SERVERS/EXTERNAL_NET/g" -e "s/HTTP_SERVERS/EXTERNAL_NET/g" \
    -e "s/SQL_SERVERS/EXTERNAL_NET/g" -e "s/DNS_SERVERS/EXTERNAL_NET/g" \
    -e "s/TELNET_SERVERS/EXTERNAL_NET/g" -e "s/alert /drop /g" \
    -e "s/ -/ </g" > $TMP
  cat $TMP > $x
done

When I run oinkmaster again it sees all the rules as wrong and all the rules that I have commented out are now uncommented. Does anybody have a better way of updating the rules? I am running in bridged mode.

Thanks,
Bill
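Bill's convert.sh rewrites the rule files after oinkmaster has run, so the next update sees every file as locally modified and replaces it, which is why his commented-out rules come back. Will's reply moves both transformations into oinkmaster.conf so they are reapplied on every update. The block below is an added example, not oinkmaster code and not part of the thread: it implements, in C, the effect of those two directives on a rules file held in memory, so the reader can see what the anchored "^alert" buys over an unanchored "s/alert /drop /g". The SAMPLE_RULES text and the DISABLED_SIDS list are constructed for the example; the sids are the ones from the reply.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sid of a rule line, or -1 when the line carries no "sid:" option. */
long rule_sid(const char *line)
{
    const char *p = strstr(line, "sid:");
    if (p == NULL)
        return -1;
    p += 4;
    while (*p == ' ')
        p++;
    return isdigit((unsigned char)*p) ? strtol(p, NULL, 10) : -1;
}

static int sid_listed(long sid, const long *list, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (list[i] == sid)
            return 1;
    return 0;
}

/* Rewrite one rule line with the effect of the two oinkmaster.conf directives:
 *   modifysid * "^alert" | "drop"   active alert rules become drop rules
 *   disablesid 1201,485,...         listed rules are commented out
 * The "^" anchor matters: a line that already starts with "#" is returned
 * untouched, so a rule disabled earlier is neither re-enabled nor rewritten
 * again on the next run. Returns 0 on success, -1 if out (outsz bytes) is too small. */
int convert_rule(const char *in, char *out, size_t outsz,
                 const long *disabled, size_t ndisabled)
{
    const char *s = in;
    const char *prefix;
    int n;

    while (*s == ' ' || *s == '\t')
        s++;
    if (*s == '#' || *s == '\0' || *s == '\n') {           /* comment or blank */
        n = snprintf(out, outsz, "%s", in);
    } else {
        prefix = sid_listed(rule_sid(in), disabled, ndisabled) ? "# " : "";
        if (strncmp(s, "alert ", 6) == 0)                    /* ^alert -> drop */
            n = snprintf(out, outsz, "%s%.*sdrop%s", prefix, (int)(s - in), in, s + 5);
        else
            n = snprintf(out, outsz, "%s%s", prefix, in);
    }
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Apply convert_rule to every line of a rules file held in memory.
 * Returns the number of lines written, or -1 if a line or the output overflows. */
int convert_rules(const char *text, char *out, size_t outsz,
                  const long *disabled, size_t ndisabled)
{
    char line[1024];
    size_t used = 0;
    int lines = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (convert_rule(line, out + used, outsz - used, disabled, ndisabled) != 0)
            return -1;
        used += strlen(out + used);
        if (used + 2 > outsz)
            return -1;
        out[used++] = '\n';
        out[used] = '\0';
        lines++;
        p = nl ? nl + 1 : p + len;
    }
    return lines;
}

/* Constructed sample ruleset (not bleeding.rules): two live alert rules,
 * one that was disabled by hand earlier, and one pass rule. */
const char SAMPLE_RULES[] =
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:\"WEB test\"; sid:2000; rev:1;)\n"
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:\"SMTP test\"; sid:1201; rev:2;)\n"
    "# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:\"DNS test\"; sid:485; rev:1;)\n"
    "pass tcp any any -> any 22 (msg:\"allow ssh\"; sid:3000; rev:1;)\n";

const long DISABLED_SIDS[] = { 1201, 485, 620, 2087, 663 };
```

Running convert_rules over SAMPLE_RULES turns sid 2000 into a drop rule, writes sid 1201 as a commented-out drop rule (so re-enabling it later yields a drop, not an alert), and leaves the hand-disabled sid 485 and the pass rule exactly as they were. Note that the variable renames in convert.sh (HOME_NET to EXTERNAL_NET and so on) are a honeynet-specific trick and are deliberately not reproduced here; on a production inline box you keep the variables and set them in snort_inline.conf.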
From: Will M. <wil...@gm...> - 2005-05-29 23:57:12
If you set -Q you don't need -i, so in other words don't use -i at all.

Regards,

Will

On 5/29/05, Florin Andrei <fl...@an...> wrote:
> On a system that's going to use snort-inline ONLY in inline mode, what's
> the recommended setting for the interface (-i)?
>
> "-i eth0" is a waste of CPU cycles, since I am only interested in the
> inline stuff.
> "-i none" is not accepted by snort.
> "-i lo" is not really the good idea that it seems at first sight, since
> this machine has significant traffic on lo.
>
> Other ideas?
>
> --
> Florin Andrei
>
> http://florin.myip.org/
From: Florin A. <fl...@an...> - 2005-05-29 23:13:07
On a system that's going to use snort-inline ONLY in inline mode, what's the recommended setting for the interface (-i)?

"-i eth0" is a waste of CPU cycles, since I am only interested in the inline stuff.
"-i none" is not accepted by snort.
"-i lo" is not really the good idea that it seems at first sight, since this machine has significant traffic on lo.

Other ideas?

--
Florin Andrei

http://florin.myip.org/
From: Florin A. <fl...@an...> - 2005-05-29 23:02:32
On Wed, 2005-05-04 at 03:25 +0700, Ken Hilliard wrote:
> BTW: do you have any recommendation about any open source HTTP
> proxy/virus scanner. I'm going to check out SquidSafe but would like to
> know what people in the Linux community are using.

I do not use it, therefore I cannot recommend it, but I just saw this project and it looks interesting:

http://www.server-side.de/

HAVP - HTTP AntiVirus proxy

--
Florin Andrei

http://florin.myip.org/
From: Nick R. <ni...@ro...> - 2005-05-29 04:38:26
Would any user of snort_inline be interested in using Route shunting to help alleviate attacks within your routed backbone? This would be an output(?) plugin within snort_inline. If anyone is interested, please let me know.

Thanks.

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips
From: Nick R. <ni...@ro...> - 2005-05-29 04:29:01
FYI, snort_inline(2.3.0-RC1) is officially in the FreeBSD ports collection. For you FreeBSD fans, you can now simply install snort_inline by:

shell# cd /usr/ports/security/snort_inline && make install

Cheers,

Nick Rogness <ni...@ro...>
- How many people here have telekinetic powers? Raise my hand. -Emo Philips

---------- Forwarded message ----------
Date: Sat, 28 May 2005 11:07:35 GMT
From: Pav Lucistnik <pa...@Fr...>
To: ni...@ro..., pa...@Fr..., fre...@Fr...
Subject: Re: ports/81378: New port: security/snort_inline

Synopsis: New port: security/snort_inline

State-Changed-From-To: open->closed
State-Changed-By: pav
State-Changed-When: Sat May 28 11:07:28 GMT 2005
State-Changed-Why:
New port added, thank you!

http://www.freebsd.org/cgi/query-pr.cgi?pr=81378
From: Roland T. (SourceForge) <raz...@co...> - 2005-05-26 12:12:30
Bert van Leeuwen said:
> The only alternative to the IPQ_COPY_PACKET mode is the IPQ_COPY_META
> mode, which allows the userspace program to only access the metadata
> of the packet (not very useful for content based filtering).
>
> It would be nice if there were an IPQ_MMAP_PACKET mode too, and, as you
> mentioned, a mode where several packets can be batched at once to also
> save thread context switches.

Urk! You are quite right, it is copying to a user-allocated buffer and, I agree, an MMAP option would offer some performance improvement.

- Raz
From: Bert v. L. <ber...@gm...> - 2005-05-26 10:12:52
On 5/26/05, Roland Turner (SourceForge) <raz...@co...> wrote:
>
> I'm not clear on what you mean by a "per-flow" rule. Snort's basic inline
> operation is to examine each datagram that arrives to see whether it
> matches any signatures ("rules") and pass it through if not. This is
> necessarily per-datagram; if it were to hold up traffic until all of a
> "flow" had passed, it would disrupt the very communication that it's
> trying to protect.

I didn't mean that it should hold up traffic, but by "per-flow" rules I meant things that maintain some sort of per flow state, e.g. the stream4 processor. However, I realise now that there are many rules/signatures that MUST operate on a per packet basis, since some attacks can also appear in datagrams that appear to be "mid-flow", so what I originally wanted to do is probably impossible. I guess the only viable alternative currently is to write the iptables rules in such a way that not all traffic goes to the QUEUE, but certain IPs or ports are considered "safe" (e.g. for intra-site backups or DB replication or whatever) and bypass the QUEUE (and thus snort too), but this could be dangerous (and security through obscurity is no security at all).

> > Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu
> > by not having to actually copy the packet from kernel to userspace?
>
> I suspect that IP_QUEUE already does exactly this. The major performance
> problem isn't data copying, it's the kernel-user-kernel roundtrip for
> _each_ datagram. There is apparently work in progress to extend libipq
> (and the corresponding kernel interface) to allow batches of datagrams to
> be passed across in a single kernel-user transition.

I'm not too sure about this, but from what I can see, the packets ARE actually physically copied from kernel memory to userspace memory, and this CAN have a measurable performance hit for a high speed network (e.g. gigE). Try writing a simple userspace program which simply copies 1500 bytes many times, you'll see what I mean.

If one looks at the libipq code in snort, it initialises the ipq by doing:

ipq_set_mode(ipqh, IPQ_COPY_PACKET, PKT_BUFSIZE);

and when it reads a packet, it needs to supply a user allocated buffer:

ipq_read(ipqh, buf, PKT_BUFSIZE, 0);

The packets are at least not copied back from userspace to kernel space though, unless the packet content has been modified, in which case ipq_set_verdict must be called with a non-null buf parameter.

The only alternative to the IPQ_COPY_PACKET mode is the IPQ_COPY_META mode, which allows the userspace program to only access the metadata of the packet (not very useful for content based filtering).

It would be nice if there were an IPQ_MMAP_PACKET mode too, and, as you mentioned, a mode where several packets can be batched at once to also save thread context switches.

--
BvL
From: Roland T. (SourceForge) <raz...@co...> - 2005-05-26 08:42:29
Bert van Leeuwen said:
> Perhaps it is not possible with snort-inline, that is what I am trying
> to determine. I was hoping the "per-flow" rules would somehow be able
> to turn off after a while, e.g. after n bytes of content had been seen
> etc., but I guess there will always be many "per packet" rules
> checking for things like illegal IP fragments and IP header weirdness
> etc.

I'm not clear on what you mean by a "per-flow" rule. Snort's basic inline operation is to examine each datagram that arrives to see whether it matches any signatures ("rules") and pass it through if not. This is necessarily per-datagram; if it were to hold up traffic until all of a "flow" had passed, it would disrupt the very communication that it's trying to protect.

> Is there perhaps a kind of IP_QUEUE mmap solution which will save cpu
> by not having to actually copy the packet from kernel to userspace?
> (e.g. similar to mmap pcap where ring buffers in the kernel are mapped
> to userspace directly)

I suspect that IP_QUEUE already does exactly this. The major performance problem isn't data copying, it's the kernel-user-kernel roundtrip for _each_ datagram. There is apparently work in progress to extend libipq (and the corresponding kernel interface) to allow batches of datagrams to be passed across in a single kernel-user transition.

- Raz
From: Ken G. <ken...@ro...> - 2005-05-25 21:25:54
I have Roo installed here, the 138 release had some problems but 139 is looking promising. The frontend is nice, but I'm still having some issues with it all.

Will Metcalf wrote:

>I was meaning to say something about that!!!!! Congrats to Lance,
>Rob, and the other Honeynet guys on their Roo release. Walleye looks
>very slick, I can't wait to play with the new release.
>
>Regards,
>
>Will
>
>On 5/25/05, Ken Garland <ken...@ro...> wrote:
>
>>Is this not what the Honeywall project aims to accomplish?
>>
>>http://honeynet.org/tools/cdrom/
>>
>>- Ken
>>
>>christiaan wrote:
>>
>>>Hi
>>>
>>>I have been researching Bridging firewalls with Intrusion Prevention
>>>Systems [url]http://www.linuxsecure.de/index.php?action=90.
>>>
>>>At present there are no easy to use GUI bridging firewall IPS Distros
>>>available. I am interested in collaborating with other volunteers on
>>>the development of a bridging IPS distro derived from IPCop as a
>>>sub-project.
>>>
>>>If anyone is interested on collaborating on this project can they
>>>please respond with their areas of expertise and interest?
>>>
>>>Chris
From: Will M. <wil...@gm...> - 2005-05-25 20:42:49
I was meaning to say something about that!!!!! Congrats to Lance, Rob, and the other Honeynet guys on their Roo release. Walleye looks very slick, I can't wait to play with the new release.

Regards,

Will

On 5/25/05, Ken Garland <ken...@ro...> wrote:
> Is this not what the Honeywall project aims to accomplish?
>
> http://honeynet.org/tools/cdrom/
>
> - Ken
>
> christiaan wrote:
>
> > Hi
> >
> > I have been researching Bridging firewalls with Intrusion Prevention
> > Systems [url]http://www.linuxsecure.de/index.php?action=90.
> >
> > At present there are no easy to use GUI bridging firewall IPS Distros
> > available. I am interested in collaborating with other volunteers on
> > the development of a bridging IPS distro derived from IPCop as a
> > sub-project.
> >
> > If anyone is interested on collaborating on this project can they
> > please respond with their areas of expertise and interest?
> >
> > Chris
From: Ken G. <ken...@ro...> - 2005-05-25 19:43:02
Is this not what the Honeywall project aims to accomplish?

http://honeynet.org/tools/cdrom/

- Ken

christiaan wrote:
> Hi
>
> I have been researching Bridging firewalls with Intrusion Prevention
> Systems [url]http://www.linuxsecure.de/index.php?action=90.
>
> At present there are no easy to use GUI bridging firewall IPS Distros
> available. I am interested in collaborating with other volunteers on
> the development of a bridging IPS distro derived from IPCop as a
> sub-project.
>
> If anyone is interested on collaborating on this project can they
> please respond with their areas of expertise and interest?
>
> Chris
From: Norwich U. - I. S. <in...@no...> - 2005-05-25 18:02:40
Yes. The BES rules work great for alerting but the two based on "User-Agent\: Ares" and the GET request do not block the connection or downloading. I have not tested the uploading signature, so I'm not sure how well that works.

Jason

Will Metcalf wrote:

>Did you try?
>
>http://www.bleedingsnort.com/bleeding-p2p.rules
>
>On 5/25/05, Norwich University - Information Security
><in...@no...> wrote:
>
>>Hi,
>>
>>I've been trying for about 4 days to write a rule to drop ares
>>connections/downloads, but I'm having no success.
>>Has anyone successfully written a rule to block ares?
>>
>>Thx,
>>Jason
From: christiaan <chr...@vi...> - 2005-05-25 18:02:03
Hi

I have been researching Bridging firewalls with Intrusion Prevention Systems [url]http://www.linuxsecure.de/index.php?action=90.

At present there are no easy to use GUI bridging firewall IPS Distros available. I am interested in collaborating with other volunteers on the development of a bridging IPS distro derived from IPCop as a sub-project.

If anyone is interested on collaborating on this project can they please respond with their areas of expertise and interest?

Chris
From: Will M. <wil...@gm...> - 2005-05-25 17:23:23
Did you try?

http://www.bleedingsnort.com/bleeding-p2p.rules

On 5/25/05, Norwich University - Information Security <in...@no...> wrote:
> Hi,
>
> I've been trying for about 4 days to write a rule to drop ares
> connections/downloads, but I'm having no success.
> Has anyone successfully written a rule to block ares?
>
> Thx,
> Jason