From: ikami <ik...@ya...> - 2006-05-07 01:11:31

Hi guys,

Sorry for my English, but I'm good on it. I just know how to read in English, and thus very badly.

I have 2 weeks to finish a project and I don't know how to do one thing. I have a network with 3 machines: 1) router with snort and iptables, 2) web server, 3) honeypot.

My problem is: I want to redirect all the malicious traffic to the honeypot instead of the web server. Searching for a solution on Google I found the snort_inline project. My doubt now is: can snort_inline do this redirect? If yes, can anyone explain to me how?

Thanks

---------------------------------
Yahoo! Search
Income Tax 2006: the deadline is running out. File your return now on the Receita Federal site.
From: Will M. <wil...@gm...> - 2006-05-07 03:53:11

Download the tarball and look at doc/README.INLINE in the source file. It discusses how to use bait-and-switch to accomplish this.

Regards,

Will

On 5/6/06, ikami <ik...@ya...> wrote:
> [...]
From: ikami <ik...@ya...> - 2006-05-07 15:40:18

One question: does Bait and Switch HoneyPot only work with snort 1.9.1?

When I tried to install it (on step 3) it asks for the file bns.diff. I write the path of the bns.diff and an error occurs. Copy of the error:

    1) Set Up Routing Tables. (**RUN ONCE PER MACHINE**)
    2) Configuration
    3) Patch Snort (ONLY AFTER OPTION 2)
    4) Exit
    Your Choice: 3

    Path to bns.diff (ie: /root/bns/snort/bns.diff)
    /usr/local/ids/bns/snort/bns.diff
    patching file src/Makefile.in
    Hunk #1 FAILED at 170.
    1 out of 1 hunk FAILED -- saving rejects to file src/Makefile.in.rej
    patching file src/output-plugins/Makefile.am
    Hunk #1 FAILED at 9.
    1 out of 1 hunk FAILED -- saving rejects to file src/output-plugins/Makefile.am.rej
    patching file src/output-plugins/Makefile.in
    Hunk #1 FAILED at 90.
    Hunk #2 FAILED at 106.
    2 out of 2 hunks FAILED -- saving rejects to file src/output-plugins/Makefile.in.rej
    patching file src/output-plugins/spo_alert_bns.c
    patching file src/output-plugins/spo_alert_bns.h
    patching file src/plugbase.c
    Hunk #1 succeeded at 110 with fuzz 2 (offset 7 lines).
    Hunk #2 FAILED at 153.
    1 out of 2 hunks FAILED -- saving rejects to file src/plugbase.c.rej
    done patching...
    exit or menu [e/m]:

I am asking about the version of snort because there is a directory called 'snort' where the bns.diff is located. In that directory, snort, there is another directory called 'non-production' and inside of it are the following files:

    bns-snort-1.9.0.diff
    bns-snort.1.9.1.diff
    spo_alert_bns.c
    spo_alert_bns.h

I have snort-2.4.4.

Again, sorry for the errors of English.

Thanks

Will Metcalf <wil...@gm...> wrote:
> [...]

---------------------------------
Open your Yahoo! Mail account: 1GB of space, e-mail alerts on your mobile phone and really effective anti-spam.
From: Will M. <wil...@gm...> - 2006-05-07 16:05:34

You shouldn't have to patch anything, just look at the README.INLINE. This functionality is already built into the snort_inline source code. The patch you are talking about is for the bns project from the violating.us guys. You don't need to apply this patch; you only need to download snort-inline-2.4.4-final and see the README.INLINE and the snort_inline.conf to see how to use bait-and-switch.

Download the source from http://snort-inline.sourceforge.net/download.html

Regards,

Will

On 5/7/06, ikami <ik...@ya...> wrote:
> [...]
From: ikami <ik...@ya...> - 2006-05-09 17:07:45

Hi Will,

Thanks for the help. Now snort_inline is installed but it is not configured correctly yet. I'm still trying to configure it.

My doubts now are:

1) I installed ACID and saw it shows the packet payload. How can I write a rule that captures the payload and prints it on ACID?

2) I want to simulate attacks against the apache service. For this, first it is necessary to know what the payload for a normal query looks like. Does somebody know how I can do that? Can it be a rule on SNORT_INLINE?

3) I downloaded the rule package from www.snort.org but the rule file that interested me most was blank (web-attacks.rules). Do you know where I can get rules that look for attacks against the apache service?

4) Where can I get tools to do these attacks? (Attacks against the apache service)

Thanks a lot for the help!

Íkami

Will Metcalf <wil...@gm...> wrote:
> [...]
From: Will M. <wil...@gm...> - 2006-05-09 23:16:32

On 5/9/06, ikami <ik...@ya...> wrote:
> Hi Will,
> Thanks for the help. Now snort_inline is installed but it is not configured
> correctly yet. I'm still trying to configure it.
> My doubts now are:
> 1) I installed ACID and saw it shows the packet payload. How can I write a
> rule that captures the payload and prints it on ACID?

I'm not sure what you mean... if you are logging and seeing packet payloads on alerts it will dump the payload for all alerts... You should really use BASE though..

> 2) I want to simulate attacks against the apache service. For this, first it is
> necessary to know what the payload for a normal query looks like. Does somebody
> know how I can do that? Can it be a rule on SNORT_INLINE?

Use Ethereal or tcpdump or some other sniffer. You could do this with snort rules but why would you want to?

> 3) I downloaded the rule package from www.snort.org but the rule file
> that interested me most was blank (web-attacks.rules). Do you know where I can get
> rules that look for attacks against the apache service?

Shouldn't be blank?!?

> 4) Where can I get tools to do these attacks? (Attacks against the apache
> service)

Try metasploit or milw0rm.com

> Thanks a lot for the help!
>
> Íkami
>
> [...]