From: NC A. <NC_...@ku...> - 2003-06-20 13:20:31

Forescout (http://www.forescout.com/index.html) sells a product that works
with commercial firewall and IPS vendors. It detects all kinds of scans and
returns dummy server information. Then any traffic to these dummy servers can
be filtered. You can replace the dummy server addresses with your
honeypot(s).

I agree this would be a great feature to snort and I have copied the
snort-inline list.
Best regards
ray

On Friday 16 May 2003 02:48 pm, Jon Baer wrote:
> It would be nice to have an intelligent version of Snort to be able to do
> this :-) I'm also interested in an answer, if you get it please pass along.
> Thanks.
>
> - Jon
>
> ----- Original Message -----
> From: "Andrew Elmore" <and...@cy...>
> To: <sec...@se...>
> Sent: Friday, May 16, 2003 7:38 AM
> Subject: attack redirection
>
>
> Hey guys,
> I'm looking for some program to redirect an attack on my web server
> to a honeypot. Maybe triggered by number of hits in a given time or by
> certain requests. Does such a thing exist? Where can I get it? Or would I
> have to write some kind of script?
> Thanks for your help.
>
> Andy

From: NC A. <NC_...@ku...> - 2003-06-20 13:20:28

On Sun, 18 May 2003, Ray Stirbei wrote:
>
> Forescout (http://www.forescout.com/index.html) sells a product that works
> with commercial firewall and IPS vendors. It detects all kinds of scans and
> returns dummy server information. Then any traffic to these dummy servers can
> be filtered. You can replace the dummy server addresses with your
> honeypot(s).
>
> I agree this would be a great feature to snort and I have copied the
> snort-inline list.
> Best regards

> > I'm looking for some program to redirect an attack on my web server
> > to a honeypot. Maybe triggered by number of hits in a given time or by
> > certain requests. Does such a thing exist? Where can I get it? Or would I
> > have to write some kind of script?

There is already something similar to this, called Bait-n-Switch.
While very beta, you may want to check it out.

http://violating.us/projects/baitnswitch/

lance

From: Gordon M. <gor...@fa...> - 2003-06-20 13:01:26

Sorry should have mentioned I am running snort_inline-2.0.0-1, when you try
to start it, it always says starting in IDS mode, there does not appear to be
a switch for inline mode.

-----Original Message-----
From: Gordon McDowall [mailto:gor...@fa...]
Sent: 20 June 2003 13:55
To: 'sno...@li...'
Subject: [Snort-inline-users] rule load error

Hi

I need help with my snort_inline config, I have set up a server with snort
inline and I think I have done everything required in order to get it
working, when I try and run snort_inline with any drop rules I get the error

    Unknown rule type: drop

Does anyone have any clues as to what might be the problem here.

Thanks
Gordon McDowall

From: Gordon M. <gor...@fa...> - 2003-06-20 12:54:55

Hi

I need help with my snort_inline config, I have set up a server with snort
inline and I think I have done everything required in order to get it
working, when I try and run snort_inline with any drop rules I get the error

    Unknown rule type: drop

Does anyone have any clues as to what might be the problem here.

Thanks
Gordon McDowall

From: Christian K. <Chr...@ku...> - 2003-06-20 10:18:34

Snat and dnat rule keywords have been on my to do list for inline snort for
a long time. When used in a rule, snat or dnat would allow you to do source
or destination routing (via iptables) when a rule is triggered. This would
allow you to redirect interesting stuff to a honeypot.

Jed

On Sunday, May 18, 2003, at 06:42 PM, Lance Spitzner wrote:

> On Sun, 18 May 2003, Ray Stirbei wrote:
>
>> Forescout (http://www.forescout.com/index.html) sells a product that works
>> with commercial firewall and IPS vendors. It detects all kinds of scans and
>> returns dummy server information. Then any traffic to these dummy servers can
>> be filtered. You can replace the dummy server addresses with your
>> honeypot(s).
>>
>> I agree this would be a great feature to snort and I have copied the
>> snort-inline list.
>> Best regards
>
>>> I'm looking for some program to redirect an attack on my web server
>>> to a honeypot. Maybe triggered by number of hits in a given time or by
>>> certain requests. Does such a thing exist? Where can I get it? Or would I
>>> have to write some kind of script?
>
> There is already something similar to this, called Bait-n-Switch.
> While very beta, you may want to check it out.
>
> http://violating.us/projects/baitnswitch/
>
> lance

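An added example, not part of the thread and not code from snort_inline or Bait-n-Switch: one way to script the redirection asked about above, picking sources that exceed a hit threshold inside a time window and printing iptables DNAT rules for review. It uses plain iptables rather than the snat/dnat rule keywords, which the message above describes as still on the to-do list. The log format, the honeypot address 10.0.0.99 and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed log format, one request per line, in time order:
#   <epoch-seconds> <source-ip> <request-path>

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
1000 198.51.100.7 /index.html
1001 198.51.100.7 /cgi-bin/test
1002 192.0.2.10 /index.html
1003 198.51.100.7 /scripts/a
1004 198.51.100.7 /scripts/b
1005 198.51.100.7 /scripts/c
1050 192.0.2.10 /about.html
1120 192.0.2.10 /index.html
1121 192.0.2.10 /img.png
EOF
}

# offenders LIMIT WINDOW
# Reads the log on stdin and prints each source once, at the moment it
# reaches LIMIT hits inside any WINDOW-second span (sliding window).
offenders() {
    for n in "$1" "$2"; do
        case $n in ''|*[!0-9]*|0) return 2 ;; esac
    done
    awk -v limit="$1" -v window="$2" '
    NF >= 2 && $1 ~ /^[0-9]+$/ {
        src = $2
        n = ++count[src]                 # hits seen so far for this source
        ts[src, n] = $1
        if (!(src in head)) head[src] = 1
        # Slide the window: forget hits that are WINDOW or more seconds old.
        while (head[src] < n && $1 - ts[src, head[src]] >= window) {
            delete ts[src, head[src]]
            head[src]++
        }
        if (n - head[src] + 1 >= limit && !(src in flagged)) {
            flagged[src] = 1
            print src
        }
    }'
}

# is_ipv4 STRING: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# dnat_rules HONEYPOT PORT
# Reads source addresses on stdin and prints one DNAT rule per source.
# The nat table is consulted only for the first packet of a connection, so
# connections already established stay on the real server; only new ones
# from a listed source reach the honeypot.
dnat_rules() {
    honeypot=$1
    port=$2
    is_ipv4 "$honeypot" || return 2
    case $port in ''|*[!0-9]*) return 2 ;; esac
    while read -r src; do
        # Log fields are attacker-influenced: never pass them to a command
        # line without validating them first.
        is_ipv4 "$src" || continue
        printf 'iptables -t nat -I PREROUTING -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$src" "$port" "$honeypot" "$port"
    done
    return 0
}

# Print the rules for review instead of applying them.
sample_log | offenders 5 10 | dnat_rules 10.0.0.99 80
```

The script only prints rules; applying them needs root and a honeypot whose replies route back through the NAT box.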
From: Lia T. <ltr...@op...> - 2003-06-17 21:04:10

Hi,
I have been examining the honeynet.org and I have downloaded their Tool Kit
for snort_inline. I have IPTABLES and snort_inline running fine, but before I
can do anything with them together I know I need to customize the rc.firewall
script. I am having several problems doing this:

* I am planning to use a snort_inline box between our actual firewall and
  our LAN. Clearly then, we are not actually going to have a honeypot.
  Consequently, I do not know why I would still need to run rc.firewall in
  either bridge or in nat mode. Any thoughts?

* An offshoot of that issue is, if we don't need to run in nat or bridge
  mode, can I comment out those and other irrelevant things in the "not user
  editable" section of rc.firewall, i.e. sebek, nat mode, bridge mode stuff??

Any thoughts or suggestions are most appreciated!

Sincerely,
Lia Treffman
Optivel, Inc.

From: Thomas S. <ti...@ge...> - 2003-06-08 10:31:36

Greetings,

I am sitting with the following problem and I hope someone can assist me
with the following: (PS I am running RedHat 9.0 as OS)

I installed snort-2.0.0 from source, I created my own rule that looks as
follows and this is the only rule that I have active:

    alert tcp any any -> any any (content:"monkey"; logto:"monkey.log"; msg:"Monkey Alert";)

This works beautifully and it logs the packets in the file I am pointing it
to.

So what I did now is I took the binary from the inline snort_inline-2.0.0.1
and I copied it over the snort binary. (I hope this is right, I tried
compiling it from source and I was getting the same results)

Then I restarted my service, it starts up nicely. I do my test, it logs
perfectly, letting me know the binary works.

Next I add the

    #iptables -A OUTPUT -p tcp --dport 80 -j QUEUE

and I edit the init script and I changed the options to be -DQ .... and now
it does not log any more or drop it if I change the rules files alert to
drop.

Thank you
--
Warm Regards
Thomas I. Switala
GENOTRIBE - sensible complexity

From: Rob M. <rv...@ca...> - 2003-06-05 01:01:14

> When I tried to ./configure snort-inline, first it demanded that I have
> libpcap. Does that make sense?

Try:

    ./configure

libpcap is required for two reasons. One, it can still be used as snort
(which requires libpcap) and two, it uses pcap to dump to binary files if
binary output is selected

> Next, when I tried to ./configure snort-inline, it claimed that it could
> not find libnet:
> checking for "libnet.h Version 1.x.x" ... ./configure: libnet-config:
> command not found

make sure you are using version 1.0.x of libnet.

> Where am I supposed to put the Libnet-latest directory so that
> snort_inline can find it?

default location should be good. if not, use

    ./configure --with-libnet-includes=<libnet include directory> \
        --with-libnet-libraries=<libipq library directory>

Rob

From: Lia T. <ltr...@op...> - 2003-06-05 00:36:46

When I tried to ./configure snort-inline, first it demanded that I have
libpcap. Does that make sense?

Next, when I tried to ./configure snort-inline, it claimed that it could
not find libnet:

    checking for "libnet.h Version 1.x.x" ... ./configure: libnet-config: command not found

Where am I supposed to put the Libnet-latest directory so that snort_inline
can find it?

Thanks!
Lia

From: Rob M. <rv...@ca...> - 2003-06-03 00:14:10

Whoops... Seems the documentation has not caught up to the source :-). The
snort_inline package found at snort-inline.sf.net is configured to look for
everything it needs by default. Therefore, all you should have to do is:

    ./configure
    make
    make install

Let me know if you are still having problems.

Rob

On Mon, 2 Jun 2003, Lia Treffman wrote:

> Hi,
> In the configure script that comes with the snort_inline-2.0.0-1
> version, it has the line --disable-inline libipq should not be used
> with snort_inline.
>
> In the installation instructions I ran across and have been working
> from, I am instructed to run the line:
> ./configure --prefix=/usr/src/snort --enable-inline
>
> Help!! What do I do?
>
> Lia Treffman
> Optivel, Inc.

From: Lia T. <ltr...@op...> - 2003-06-02 23:26:42

Hi,
In the configure script that comes with the snort_inline-2.0.0-1 version, it
has the line --disable-inline libipq should not be used with snort_inline.

In the installation instructions I ran across and have been working from, I
am instructed to run the line:

    ./configure --prefix=/usr/src/snort --enable-inline

Help!! What do I do?

Lia Treffman
Optivel, Inc.

From: Rob M. <rv...@ca...> - 2003-05-28 00:45:25
|
Yes. This is telling you that snort_inline has not been able to establish a connection with the ip_queue kernel module. This is how snort_inline communicates with iptables. Simply do:

    insmod ip_queue

and try again.

Also, if you want to send packets to snort_inline use the iptables -j QUEUE target. For example, if I want to send all web traffic entering my box to snort_inline:

    iptables -A INPUT -p tcp --dport 80 -j QUEUE
    snort_inline -Qc /etc/snort_inline/snort_inline.conf

Hope this helps,
Rob

On Tue, 27 May 2003, Lia Treffman wrote:
> Hi,
> I'm trying to set up Snort_inline, and I am getting the error message:
> InitInline: : failed to send netlink message: unable to connect
> Has anybody else run into this?? Any ideas what it means?
> Thanks!
> Lia Treffman
> Optivel, Inc. |
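The answer above names two prerequisites for snort_inline to receive packets: the ip_queue module must be loaded, and an iptables rule must send traffic to the QUEUE target. As an added example (not part of the original thread and not snort_inline's own code), this shell script checks both from text input; the function names and the sample module and rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the ip_queue + QUEUE setup.
# Function names and sample data are constructed, not from snort_inline.

# module_loaded NAME TEXT: succeed if NAME is the first field of any
# line of TEXT (text in /proc/modules format).
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# queue_rules TEXT: print the rules in iptables-save output that jump
# to the QUEUE target.
queue_rules() {
    printf '%s\n' "$1" | grep -E -- '(^| )-j QUEUE( |$)' || true
}

# preflight MODULES RULES: print one status word.
#   no-module  ip_queue is not loaded, so snort_inline cannot connect to it
#   no-rule    ip_queue is loaded but no rule sends packets to QUEUE
#   ready      ip_queue is loaded and at least one QUEUE rule exists
preflight() {
    if ! module_loaded ip_queue "$1"; then
        echo no-module
    elif [ -z "$(queue_rules "$2")" ]; then
        echo no-rule
    else
        echo ready
    fi
}

# Constructed sample inputs (not captured from a real host).
MODULES_OK='ip_queue 7640 0 (unused)
ip_tables 13568 2 [iptable_filter]'
MODULES_MISSING='ip_tables 13568 1 [iptable_filter]'
RULES_QUEUE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j QUEUE
COMMIT'
RULES_EMPTY='*filter
:INPUT ACCEPT [0:0]
COMMIT'

preflight "$MODULES_MISSING" "$RULES_QUEUE"
preflight "$MODULES_OK" "$RULES_EMPTY"
preflight "$MODULES_OK" "$RULES_QUEUE"

# On a live host (as root): preflight "$(cat /proc/modules)" "$(iptables-save)"
```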
From: Lia T. <ltr...@op...> - 2003-05-27 21:29:53
|
Hi,
I'm trying to set up Snort_inline, and I am getting the error message:

    InitInline: : failed to send netlink message: unable to connect

Has anybody else run into this?? Any ideas what it means?
Thanks!
Lia Treffman
Optivel, Inc. |
From: <DAN...@ao...> - 2003-05-21 08:29:48
|
I think that this is possible by using the divert command. Here are some links to the ipfw pages.

http://www.freebsd.org/cgi/man.cgi?query=divert&sektion=4&apropos=0&manpath=FreeBSD+4.8-RELEASE
http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8

Danny |
From: Jed H. <jh...@ni...> - 2003-05-19 14:57:00
|
Snat and dnat rule keywords have been on my to do list for inline snort for a long time. When used in a rule, snat or dnat would allow you to do source or destination routing (via iptables) when a rule is triggered. This would allow you to redirect interesting stuff to a honeypot.

Jed

On Sunday, May 18, 2003, at 06:42 PM, Lance Spitzner wrote:
> On Sun, 18 May 2003, Ray Stirbei wrote:
>
>> Forescout (http://www.forescout.com/index.html) sells a product that works with commercial firewall and IPS vendors. It detects all kinds of scans and returns dummy server information. Then any traffic to these dummy servers can be filtered. You can replace the dummy server addresses with your honeypot(s).
>>
>> I agree this would be a great feature to snort and I have copied the snort-inline list.
>> Best regards
>
>>> I'm looking for some program to redirect an attack on my web server to a honeypot. Maybe triggered by number of hits in a given time or by certain requests. Does such a thing exist? Where can I get it? Or would I have to write some kind of script?
>
> There is already something similar to this, called Bait-n-Switch. While very beta, you may want to check it out.
>
> http://violating.us/projects/baitnswitch/
>
> lance |
From: Lance S. <la...@ho...> - 2003-05-19 00:42:16
|
On Sun, 18 May 2003, Ray Stirbei wrote:
> Forescout (http://www.forescout.com/index.html) sells a product that works with commercial firewall and IPS vendors. It detects all kinds of scans and returns dummy server information. Then any traffic to these dummy servers can be filtered. You can replace the dummy server addresses with your honeypot(s).
>
> I agree this would be a great feature to snort and I have copied the snort-inline list.
> Best regards

> > I'm looking for some program to redirect an attack on my web server to a honeypot. Maybe triggered by number of hits in a given time or by certain requests. Does such a thing exist? Where can I get it? Or would I have to write some kind of script?

There is already something similar to this, called Bait-n-Switch. While very beta, you may want to check it out.

http://violating.us/projects/baitnswitch/

lance |
From: Rob M. <rv...@ca...> - 2003-05-18 23:32:31
|
At this time the answer is no. snort_inline gets its packets from iptables via the ip_queue module. This module copies each packet from kernel space to userspace so snort_inline can make a routing decision. If ipfw has the ability of sending a packet from kernel space to userspace so an external application can make the accept or drop decision, let me know and I'll start working on it.

Thanks
Rob

On Sun, 18 May 2003 DAN...@ao... wrote:
> Hello,
>
> I am trying to find out if it is possible to run snort-inline on a freebsd box? And if so how would you configure ipfw to forward traffic to snort-inline?
>
> I have looked on some other mailing lists which seem to mention that it is possible, but not how to go about doing it.
>
> Thanks
>
> Danny |