Type: Posts; User: kcore; Keyword(s):

Page 1 of 2


  1. Replies
    18
    Views
    32,767

    oookay

    That's kinda like using a sledgehammer to tap in a nail...

    Shutting off all the alerts isn't really the answer, proper tuning is. Your global line should be configured to reflect the majority of...
  2. Replies
    1
    Views
    8,865

    Snort should output traffic in unified format. Get Barnyard or FLOP to read the Unified files and work with it from there.
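    What that looks like in snort.conf, added here as an example (it is not from the original post and not a stock Snort file). The filenames and the rotation limit are placeholders; the commented-out lines show the alternative kcore is advising against, where the Snort process itself does the formatting and database work inline.

```conf
# Added example, not from the original post. Filenames/limits are placeholders.

# Heavier alternatives: the Snort process formats every alert itself and
# talks to the database in line with packet processing.
#   output alert_full: alert
#   output database: log, mysql, user=snort password=secret dbname=snort host=localhost

# Unified output: Snort writes compact binary records to spool files in its
# log directory (rotated every 128 MB) and a separate process, Barnyard or
# FLOP, reads those files and does the formatting/database work off the
# packet path.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

    The spool files land in the directory Snort was started with (-l); point Barnyard's spool directory and file prefix at the same place.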
  3. Replies
    18
    Views
    32,767

    I understand what you are saying. The reason you are getting the alerts is because you do not have your http_inspect_server lines set. Therefore the Snort process has to say "ALL traffic in OR out...
  4. Thread: Snort Variables

    by kcore
    Replies
    7
    Views
    10,237

    Adding the variables to your snort.conf actually makes the engine faster. Despite what is said here.

    If Snort is watching all traffic, but it only has to run SQL rules against those IPs set in...
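    A snort.conf fragment illustrating the point above, added here as an example (not kcore's configuration and not a stock Snort file). The addresses, server lists and the sample rule are made up; the syntax is Snort 2.x `var` syntax. The commented-out lines show the permissive defaults that make the engine evaluate service rules against every host.

```conf
# Added example, not from the original post. All addresses are made up.

# Networks Snort protects, and everything else.
var HOME_NET [10.1.0.0/16,192.168.10.0/24]
var EXTERNAL_NET !$HOME_NET

# Hosts that actually run each service. A rule whose header uses one of
# these variables is only evaluated for packets to/from these addresses.
var HTTP_SERVERS [10.1.1.10,10.1.1.11]
var SQL_SERVERS 10.1.2.20
var SMTP_SERVERS 10.1.1.25
var DNS_SERVERS 10.1.1.53

var HTTP_PORTS 80
var ORACLE_PORTS 1521

# The permissive defaults many installs ship with look like this instead:
#   var HOME_NET any
#   var SQL_SERVERS $HOME_NET
# With those, an SQL rule's header matches every packet to its port on any
# host, so the rule's content checks run on traffic that can never reach a
# SQL server.

# Sample rule (made-up sid and content) that benefits from the variables:
# the payload match only runs when the packet is bound for $SQL_SERVERS:1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"Example MSSQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:attempted-admin; sid:1000001; rev:1;)
```

    The trade-off is maintenance: a SQL server stood up on an address that is not in $SQL_SERVERS is invisible to those rules until the variable is updated, so keep the lists in step with the asset inventory.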
  5. Thread: Snortrules

    by kcore
    Replies
    2
    Views
    7,397

    They are still free, just don't sell them to anyone else. That's basically it.

    The VRT rules are the best set overall. Beware though, the "CURRENT" set are basically... CVS rules. If...
  6. Thread: Snort VRT Rules

    by kcore
    Replies
    4
    Views
    9,232

    By downloading the rules, you are subject to the license included with them.

    VRT rules, by far, are the most highly tested Snort rules out there. They are tested, created, and reviewed with the...
  7. Replies
    18
    Views
    32,767

    henry,

    What this means is that you need to make an entry for each of your HTTP servers in your http_inspect_server configuration and tune each line to the specific web server running at the IP....
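    The http_inspect layout kcore describes in posts 1, 3 and 7 above, written out as a snort.conf fragment. This is an added example, not kcore's own configuration: the server addresses are made up, and the options used (profile, ports, flow_depth, oversize_dir_length, no_alerts) are Snort 2.x http_inspect_server syntax. Quieting the default line with no_alerts is one tuning choice, not the only one.

```conf
# Added example, not from the original post. Addresses are made up.

# Global line: decoder-wide settings only (the IIS unicode map), not
# per-host tuning.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Catch-all line. Without named servers below, every HTTP flow in or out is
# normalized and alerted on with this one generic profile, which is where the
# flood of non-RFC-request alerts comes from. It should describe the bulk of
# the traffic (mostly clients browsing out) and, here, is kept quiet.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    oversize_dir_length 500 \
    no_alerts

# One line per real web server, tuned to the software actually running there.
preprocessor http_inspect_server: server 10.1.1.10 \
    profile iis ports { 80 } \
    flow_depth 300
preprocessor http_inspect_server: server 10.1.1.11 \
    profile apache ports { 80 8080 } \
    flow_depth 300
```

    Caveat: no_alerts on the default line means encoding evasions aimed at a web server you forgot to list produce no http_inspect alert, so the named-server list has to be kept complete; the alternative is to leave the default alerting and suppress the specific noisy SIDs with threshold/suppress entries instead.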
  8. Replies
    10
    Views
    16,043

    Also, in case you guys didn't know.

    In Linux only... you can send a USR1 sig to the snort process and it will dump its current stats to your logging mechanism (/var/log/system.log or...
  9. Replies
    3
    Views
    6,514

    I totally agree. I used to work for a gov't agency that had port security turned on at every port. Every time we'd rearrange the office, or even plug in a laptop to test something, the port would...
  10. Replies
    10
    Views
    11,431

    I know what a limited account is. I wanted someone to tell me what limited was in their own words. A limited account is really a bad description. I can do almost the same amount of things with a...
  11. Replies
    22
    Views
    13,595

    You want to know "EVERYTHING"? That's a large goal. Let me know when you get there.
  12. Replies
    15
    Views
    98,384

    You wrote a proxy scanner in vbs? ;)

    Crazy.
  13. Replies
    12
    Views
    13,418

    I've always been a fan of Checkpoint's firewall. It's not bad.

    Definitely place some sort of IDS/IPS on the interior side of your firewall (let the firewall do its job, sniff what is getting...
  14. Replies
    5
    Views
    9,267

    I usually recommend creating a directory named '/snort' on my drive, and placing everything in there. Snort, Oinkmaster, Barnyard, etc.

    Snort 2.6 does require a lot more memory than its...
  15. Replies
    10
    Views
    7,760

    Poll: you reimage your machine to refresh your demo...
  16. Thread: VPN Traffic ..

    by kcore
    Replies
    9
    Views
    6,857

    Is it my imagination (I haven't used Windows in about three years), but see these couple of lines?

    lsass.exe:824 UDP ULYSSES:4500 *:*
    lsass.exe:824 UDP ULYSSES:isakmp *:*

    Does the lsass.exe...
  17. Replies
    10
    Views
    11,431

    The obvious question... What do you mean by 'limited account'
  18. Replies
    8
    Views
    6,801

    "Back in the day"(tm)

    I used to do initial forensics and network security for some 'interesting' networks. One time I got a call from a network admin telling me they had a cracked machine but...
  19. Replies
    20
    Views
    10,827

    I know there are tools to be able to block/track/monitor USB device usage. IIRC, in the Windows registry, when a USB device is plugged in, it creates a key in the registry. (or elsewhere in the...
  20. Replies
    11
    Views
    10,615

    Ah. I must have misread. I was talking about sniffing, as opposed to tool discovery.

    Thanks
  21. Replies
    11
    Views
    10,615

    Before the first hop, yes. However, when your packet crosses a routing device (firewall/router) the MAC is rewritten every hop with the MAC of the routing device. So, if you were to sniff a...
  22. Replies
    4
    Views
    12,102

    Blade Software makes an IDS/IPS testing tool.

    However, the most important thing you can do for testing an IPS is full content. Just throwing a packet at the IPS with the exploit in it is...
  23. Replies
    11
    Views
    10,615

    Just remember that the layer 2 (MAC) address is re-written inside of a packet at every hop. Therefore you must be before the first hop to get the MAC address for the actual machine.
  24. Replies
    8
    Views
    12,648

    I've been writing Snort rules professionally for over 6 years now. I'm not going to say who I work for, but you can probably guess.

    Feel free to shoot any Snort questions my direction, or Check...
  25. Thread: Problem with IE6

    by kcore
    Replies
    14
    Views
    8,922

    lmhosts file.

    Look at your lmhosts file as well.

    It's like... in \Windows\drivers\etc\

    or something like that. (Can't remember the directory; I haven't used Windows in several years.)
Results 1 to 25 of 37