Type: Posts; User: kcore; Keyword(s):
January 5th, 2007, 04:52 PM
That's kinda like using a sledgehammer to tap in a nail...
Shutting off all the alerts isn't really the answer, proper tuning is. Your global line should be configured to reflect the majority of...
July 31st, 2006, 12:29 AM
Snort should output traffic in unified format. Get Barnyard or FLOP to read the Unified files and work with it from there.
July 31st, 2006, 12:27 AM
I understand what you are saying. The reason you are getting the alerts is because you do not have your http_inspect_server lines set. Therefore the Snort process has to say "ALL traffic in OR out...
July 31st, 2006, 12:23 AM
Adding the variables to your snort.conf actually makes the engine faster. Despite what is said here.
If Snort is watching all traffic, but it only has to run SQL rules against those IPs set in...
July 31st, 2006, 12:21 AM
They are still free, just don't sell them to anyone else. That's basically it.
The VRT rules are the best set over all the sets. Beware though, the "CURRENT" set are basically... cvs rules. If...
July 31st, 2006, 12:19 AM
By downloading the rules, you are subject to the license included with them.
VRT rules, by far, are the most highly tested Snort rules out there. They are tested, created, and reviewed with the...
July 31st, 2006, 12:15 AM
What this means is that you need to make an entry for each of your http servers in your http_inspect_server configuration and tune each line to the specific webserver running at the IP....
July 19th, 2006, 02:31 PM
Also, in case you guys didn't know.
In Linux only... you can send a USR1 sig to the snort process and it will dump its current stats to your logging mechanism (/var/log/system.log or...
July 19th, 2006, 05:51 AM
I totally agree. I used to work for a gov't agency that had port security turned on at every port. Every time we'd rearrange the office, or even plug in a laptop to test something, the port would...
June 23rd, 2006, 03:30 PM
I know what a limited account is. I wanted someone to tell me what limited was in their own words. A limited account is really a bad description. I can do almost the same amount of things with a...
June 23rd, 2006, 02:38 PM
You want to know "EVERYTHING"? That's a large goal. Let me know when you get there.
June 21st, 2006, 02:49 PM
You wrote a proxy scanner in vbs? ;)
June 21st, 2006, 02:46 PM
I've always been a fan of Checkpoint's firewall. It's not bad.
Definitely place some sort of IDS/IPS on the interior side of your firewall (let the firewall do its job, sniff what is getting...
June 21st, 2006, 02:43 PM
I usually recommend to create a directory named '/snort' on my drive, and place everything in there. Snort, Oinkmaster, barnyard, etc.
Snort 2.6 does require a lot more memory than its...
June 21st, 2006, 02:34 PM
You reimage your machine to refresh your demo software?
June 21st, 2006, 02:31 PM
Is it my imagination (I haven't used Windows in about three years), but see these couple of lines?
lsass.exe:824 UDP ULYSSES:4500 *:*
lsass.exe:824 UDP ULYSSES:isakmp *:*
Does the lsass.exe...
June 21st, 2006, 02:19 PM
The obvious question... What do you mean by 'limited account'
June 19th, 2006, 03:12 PM
"Back in the day"(tm)
I used to do initial forensics and network security for some 'interesting' networks. One time I got a call from a network admin telling me they had a cracked machine but...
June 19th, 2006, 03:07 PM
I know there are tools to be able to block/track/monitor USB device usage. IIRC, in the Windows registry, when a USB device is plugged in, it creates a key in the registry. (or elsewhere in the...
June 19th, 2006, 03:03 PM
Ah. I must have misread. I was talking about sniffing, as opposed to tool discovery.
June 18th, 2006, 03:56 PM
Before the first hop, yes. However, when your packet crosses a routing device (firewall/router...) the mac is rewritten every hop with the mac of the routing device. So, if you were to sniff a...
June 18th, 2006, 03:53 PM
Blade Software makes an IDS/IPS testing tool.
However, the most important thing you can do for testing an IPS is full content. Just throwing a packet at the IPS with the exploit in it is...
June 18th, 2006, 03:42 PM
Just remember that the layer 2 (mac) address is re-written inside of a packet at every hop. Therefore you must be before the first hop to get the mac address for the actual machine.
I've been writing Snort rules professionally for over 6 years now. I'm not going to say who I work for, but you can probably guess.
Feel free to shoot any Snort questions my direction, or Check...
January 25th, 2006, 01:32 AM
Look at your lmhosts file as well.
It's like... in \Windows\drivers\etc\
or something like that. (Can't remember the directory, I haven't used Windows in several years.)