[Dshield] Snort 1.8

Peter Borner peter at borner.org.uk
Fri Oct 12 10:33:25 GMT 2001


Johannes,

Thanks for the link. I've downloaded the tarball, installed and
configured it. However, it still seems to skip over lines in my log file
that appear to be of interest. Maybe I'm just being paranoid. I've run
it with debug switched on and here is a sample of the output...

PARSING: [**] [1:970:1] WEB-IIS multiple decode attempt [**]
SKIPPING: [**] [1:970:1] WEB-IIS multiple decode attempt [**]
PARSING: [Classification: Attempted User Privilege Gain] [Priority: 8]
SKIPPING: [Classification: Attempted User Privilege Gain] [Priority: 8]
PARSING: 10/12/01-06:26:03.276599 62.49.158.235:3592 -> 62.49.145.34:80
SKIPPING: 10/12/01-06:26:03.276599 62.49.158.235:3592 -> 62.49.145.34:80
PARSING: TCP TTL:126 TOS:0x0 ID:5441 IpLen:20 DgmLen:157 DF
SKIPPING: TCP TTL:126 TOS:0x0 ID:5441 IpLen:20 DgmLen:157 DF
PARSING: ***AP*** Seq: 0x9C9EB524  Ack: 0x5B237DE0  Win: 0x4470  TcpLen: 20
SKIPPING: ***AP*** Seq: 0x9C9EB524  Ack: 0x5B237DE0  Win: 0x4470  TcpLen: 20
PARSING: [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
SKIPPING: [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

Unfortunately my knowledge of Perl is non-existent so I can't look too
closely at the Perl script, but it seems to me that the line:
10/12/01-06:26:03.276599 62.49.158.235:3592 -> 62.49.145.34:80
should trigger the parser.

Any help you can give would be greatly appreciated.

TIA

Peter
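An added example, not part of the original message or of the DShield Perl client: a small Python parser for the Snort 1.8 full-format alert block quoted above (with the mail-wrapped lines rejoined), showing the fields a parser is expected to pull out of that timestamp line. The field names in the returned dict are my own choice, not the DShield client's.

```python
import re
from datetime import datetime

# Constructed sample: the alert block from the debug output above, one
# Snort 1.8 full-format alert, with the mail client's line wraps undone.
SAMPLE_ALERT = """\
[**] [1:970:1] WEB-IIS multiple decode attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
10/12/01-06:26:03.276599 62.49.158.235:3592 -> 62.49.145.34:80
TCP TTL:126 TOS:0x0 ID:5441 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9C9EB524  Ack: 0x5B237DE0  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# MM/DD/YY-HH:MM:SS.usec src[:port] -> dst[:port]; ports are absent for ICMP
PACKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")


def parse_alert(text):
    """Parse one full-format alert block into a dict of its fields."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            rec.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
        elif m := CLASS_RE.match(line):
            rec.update(classification=m[1], priority=int(m[2]))
        elif m := PACKET_RE.match(line):
            rec["timestamp"] = datetime.strptime(m[1], "%m/%d/%y-%H:%M:%S.%f")
            rec.update(src_ip=m[2], src_port=int(m[3]) if m[3] else None,
                       dst_ip=m[4], dst_port=int(m[5]) if m[5] else None)
        elif m := PROTO_RE.match(line):
            rec["proto"] = m[1]
    return rec


def parse_alerts(text):
    """Split an alert file on blank lines; keep blocks with a packet line."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [r for r in map(parse_alert, blocks) if "src_ip" in r]
```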

-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
Sent: 12 October 2001 03:12
To: dshield at dshield.org
Subject: [Dshield] Snort 1.8



Thanks to Eric for reminding me. I posted the snort 1.8 client.
To download it directly:
http://www.dshield.org/clients/snort_dshield_18.tgz

It is built around the newer Perl framework, which allows for source/target
IP filtering and a few other gadgets.



--
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

