Displaying 20 results from an estimated 700 matches similar to: "[louisk@bend.com: snort, postgres, bridge]"
2003 Apr 17
0
[kris@FreeBSD.org: cvs commit: ports/security/snort Makefile distinfo pkg-plist ports/security/snort/files patch-snort.c]
FYI
Kris
----- Forwarded message from Kris Kennaway <kris@FreeBSD.org> -----
X-Original-To: kkenn@localhost
Delivered-To: kkenn@localhost.obsecurity.org
Delivered-To: kris@freebsd.org
Delivered-To: ports-committers@freebsd.org
From: Kris Kennaway <kris@FreeBSD.org>
Date: Thu, 17 Apr 2003 14:45:03 -0700 (PDT)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org,
2003 Apr 17
1
[Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors]
I figured that someone reading this list might want to take a look at
the proceeding, considering that the version of Snort in FreeBSD ports
-is- affected.
-----Forwarded Message-----
> From: CERT Advisory <cert-advisory@cert.org>
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
> Date: 17 Apr 2003 11:30:47 -0400
2006 Dec 19
0
Bug#403758: Logcheck rules for Snort
Package: logcheck-database
Hey,
I created a logcheck ignore file for Snort with stuff I don't
particularly want to see every day. The one line with the warning in it is
questionable, so leave it in or out at your discretion. Also, my regex
skills are not as good as they could be, so there are probably mistakes, or
things that could be simplified more. Rules are below:
^\w{3} [
2003 Aug 28
1
snort, postgres, bridge
I've been prowling through the FreeBSD and Snort list archives in
search of information on setting up snort on a FreeBSD bridge(4)
that logs to a remote postgres box via a third interface (hme0)
Snort is being started with the following command:
/usr/local/bin/snort -A full -D -e -d -s -i fxp0 -c /usr/local/etc/snort.conf
Where fxp0 and fxp1 are in the bridge
output from sysctl:
2006 Mar 20
6
[OT maybe] netcafe firewall
Hi all,
I apologise in advance if this is a little OT, but I am building
a box that will serve as firewall and router for a small 'internet
cafe / netcafe' and am using CentOS...
So here it is:
What are the best tools to be used for keeping the potential
script kiddies from 'harming the Internet' :) ? I specifically want
to be able to detect and prevent
2005 Oct 09
1
Can't see Samba Server from Win2k
I've read other posts on this, but can't figure out what I'm doing wrong.
I have Suse 8.0, Samba 2.2.3a, and Win2k.
Win2k Setup:
workgroup = HOME_NET
Host Name = Copernicus
IP : 192.168.0.7
Subnet : 255.255.255.0
Def Gateway: 192.168.0.1
smb.conf (comments removed):
=======================================================
[global]
workgroup = HOME_NET
netbios name = gallileo
2004 Apr 17
7
Is log_in_vain really good or really bad?
Heya..
Yesterday someone "attacked" my box by connecting to several ports.. In
other words, a simple portscan.. yet, since my box has "log_in_vain"
enabled, so it tries to log everything to /var/log/messages, since the
logfile got full and the size went over 100K, it tried to rotate the log
to save diskspace.
(Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due
2004 Jun 07
1
freebsd-security Digest, Vol 61, Issue 3
On Sat, 29 May 2004 12:00:52 -0700 (PDT),
<freebsd-security-request@freebsd.org> wrote:
Hello !
Today I see in snort logs:
[**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/07-09:44:39.044590 127.0.0.1:80 -> 10.6.148.173:1566
TCP TTL:128 TOS:0x0 ID:577 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x75830001 Win: 0x0 TcpLen:
2010 Dec 07
1
dependency loops ???
I have a dependency loop reported but I can not see how this can be:
class monitor {
class pulledpork ( $master) {
exec {
"/home/snort/bin/pulledpork -nc conf/$master/pp.conf":
cwd => "/home/snort",
subscribe => [File["/home/snort/conf/$master/pp"], File[ "/home/snort/Rules/$master"] ],
notify =>
2010 Dec 13
1
monitoring contents of a directory
Hi
I am using puppet to mirror a directory of files, if any of these
change then processes need to be restarted.
class snort {
package {
["snort", "perl-Archive-Tar", "barnyard2", "perl-libwww-perl", "perl-Crypt-SSLeay"]:
ensure => present;
} # package
user{
"snort":
managehome => true,
2012 Aug 07
0
Snort: Problems configuring for init/start upon bootup rc.conf not working
Ladies/Gents,
/etc/init.d/snortd
more snortd
#!/bin/sh
# Description: start up script for snort
# chkconfig: 2345 40 60
#
# Source function library.
. /etc/rc.d/init.d/functions
#
case "$1" in
#
'start')
echo "Starting up Snort..."
/prod/snort/bin/snort -c /prod/snort/etc/snort.conf -D -g snort -u snort -i eth0 -l /var/log/snort
echo "Done."
;;
#
2006 Jan 03
3
ip_queue module issue
Hi All,
I am adding ip_queue module for snort inline IDS.
I am using snort2.4.0
And iptables-1.3.4.
Userspace Queuing(queue target) is enabled. It is built-in and not built as
a module.
The output of /proc/net/ip_queue is shown below:
cat /proc/net/ip_queue>
Peer PID : 0
Copy mode : 0
Copy range : 0
Queue length : 0
Queue max. length : 1024
IPTABLES 1.3.4 is
2005 Apr 28
2
portsentry+shorewall
Hello,
I use shorewall for a very long time (2 years or so) and I use it for nat and
as firewall....I now use portsentry to detect portscans but there is one
problem...I use the HOWTO from the shorewall mailing list to make portsentry
and shorewall work together....but there is one prob portscans get detected
and a drop rule is added to shorewall for example
shorewall drop 62.178.xxx.xx
2005 Mar 30
7
RE: Shorewall and an inline IDS (snort-inline or hogwash)
I made an attempt to run snort_inline and shorewall on the same system
but I could not get snort to see the packets.
Maybe someone with a little more iptables knowledge could tell me what
I'm doing wrong or if it's possible to have the systems setup so that it
places packets that the firewall would allow into QUEUE.
After setting up and starting shorewall I then issue the following
2006 Mar 31
0
ULOGD and Snort Inline
Hi All,
I am facing a problem when using ULOG daemon and SNORT (inline mode)
with iptables.
My set up is like this.
1. I need ULOG daemon to log firewall logs to MYSQL database.
2. I need SNORT in inline mode for intrusion prevention.
Both can work fine individually with iptables. But ULOG daemon cannot work
when SNORT is also running.
Probably the reason is that snort also hooks to
2005 Mar 28
1
logcheck errors after logrotate runs
Hello :)
After upgrading recently from Woody to Sarge (which went fairly well) I now
have trouble with logcheck. I have been unable to track down a solution.
Logcheck runs perfectly through the week until Sunday when logrotate does
2005 Mar 30
1
RE: Shorewall and an inline IDS (snort-inline or hogwash)
Plus I would like to let you know that it works like a charm.
Snort can now see those packets.
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of
Thibodeau, Jamie L.
Sent: Wednesday, March 30, 2005 9:25 AM
To: Mailing List for Shorewall Users
Subject: RE: [Shorewall-users] Shorewall and an inline
2005 Jun 15
1
shorewall and snort inline
hello list,
I've set up shorewall and snort inline on a linux box. It works, but
snort only sees traffic from new connections. And this is because
shorewall automatically generates rules to accept established and
related connections. How can I force shorewall to queue everything, so
that snort can scan the whole traffic like in IDS mode. The setup I have
now is really simple, just 2 zones
2013 Aug 29
2
shorewall and snort - recommendation
Dear all,
I'm setting up a new gateway for a small network (under 30 users). Gw will host the following services: shorewall, dns, proxy.
I'm considering installing snort. Can I do so on the same exact box? Is there any security risk of doing so?
box would have 4 ISPs and two internal interfaces.
Any recommendation about the optimal setup of snort and shorewall (or if you suggest
2003 Mar 23
0
Shorewall and snort-inline
Hi, I'm new to the list, but have been through the documentation,
archives, etc. looking for more info...
I've been using shorewall 1.3.14 for a few months now, has been working
well from day one. I'm also using it with dshield (submitting logs and
using the block list).
I'm thinking of adding snort-inline to the mix (I run apache and postfix
on the same box,