 Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
List Archives
Latest Posts
Bug in SSL preproc or doc update/clarification?
Will Metcalf (May 23)
I was trying to come up with sigs to hit on a C&C that uses malformed
SSLv3 client hello followed by server data that does not contain an
SSL fatal alert of some kind. For the sake of simplicity, below is a rule
I would expect to match on the fatal alert from the server in response
to a malformed client hello. Based on documentation in the snort
manual it seems this rule should fire with default snort.conf but it
doesn't on 2.9.2.3....
Re: Snort and real-time alerting
Jeremy Hoel (May 23)
Sguil can do auto email on some events only.. it can email by
category, priority or just sid..
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats....
Re: Snort and real-time alerting
Lay, James (May 23)
Have the watching app look for specific things...perhaps only certain
classifications ("A Network Trojan was Detected") or something of the
like.
James
Re: Snort and real-time alerting
Jeronimo L. Cabral (May 23)
Something else: suppose I use logsurfer/swatch/logwatch to alert in
real time the Snort events. Actually I have near 5 events per minute.
What is the criteria to take just a few number of critical events of
Snort ??? Because I have 20.000 signatures...
Re: Snort and real-time alerting
Lay, James (May 23)
Hehe...whatever works :)
James
Re: Snort and real-time alerting
Jeronimo L. Cabral (May 23)
What about Swatch ??? Is it more appropriate ???
Re: Snort and real-time alerting
Lay, James (May 23)
Log to fast alert then use wots/logsurfer/logwatch to tail/watch the
file and email out. Assuming linux/BSD/OSX.
James
Snort and real-time alerting
Jeronimo L. Cabral (May 23)
Dear, I have a Snort 2.9 with Base running OK, but I need a real time
alerting mechanism via email if possible.
How can I do that ??? Any extra module to use in that way ???
Special thanks
JeLo
Re: New snort install question
livio Ricciulli (May 22)
Good plan. Power supplies always go; it is not a question of if, it is a
question of when..
As a back of the envelope calculation: if you use PF_RING (to run 3-4
snort processes in parallel on your 3-4 hyperthreads), roughly, you will
be able to monitor 100-300 Mbps with ~6000 rules.
See www.snort.org/assets/186/PF_RING_Snort_Inline_Instructions.pdf
You are smart.. Internal monitoring can be challenging because of the
rule tuning...
Sourcefire VRT Certified Snort Rules Update 2012-05-22
Research (May 22)
Sourcefire VRT Certified Snort Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, botnet-cnc, chat, dos, exploit, file-identify, file-office,
file-other, file-pdf, indicator-compromise, indicator-obfuscation,
misc, oracle, policy-multimedia, policy-social, pua-p2p, pua-toolbars,
scada, server-mail, shellcode, specific-threats,...
Re: vendor list surfing
Joel Esler (May 22)
Agreed. I keep a tight restriction even on our sales dept about advertising via the lists or information from the
lists.
I am going to make the option available to Snort users who want to hear more about Sourcefire products. But it will
never be via the mailing lists.
Of course. Lots of companies use Snort and the VRT Integrator License to put our product on their hardware. It all
depends on how they are using it.
Safemedia contacted me...
Re: Snort Stream5 Support
Joel Esler (May 22)
Either call your test.rule from snort.conf with an include statement, or place the contents of your test.rule in the
bottom of snort.conf
I recommend the first option.
Re: Snort Stream5 Support
Turnbough, Bradley E. (May 22)
Ah.... That would make sense. So then I can't consider my rules to be additive to what's in snort.conf already.
Bummer.....
Any way around that? I'd rather not place any configs in snort.conf.
From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Tuesday, May 22, 2012 10:31 AM
To: Turnbough, Bradley E.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Stream5 Support
Looks like the conf you are...
Re: Snort Stream5 Support
Russ Combs (May 22)
Looks like the conf you are telling snort to use is /tmp/test.rule which,
per your cat output, does not include the stream5 config, etc.
subscribe
Lawrence R. Hughes, Sr. (May 22)
More Lists
Dozens of other network security lists are archived at
SecLists.Org.