[Dshield] For those that want to see what a Snort Sensor can see
areust at comcast.net
Thu Apr 8 15:04:50 GMT 2004
As I said, it is pretty much vanilla "out of the box", with the exception of chat.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
I have turned those on and find it interesting that overall it has been
I did see a round of let's "guess the user's password" in the security log
I have found it interesting in that it reports
[snort] (http_inspect) BARE BYTE UNICODE ENCODING
which is a keep alive connection to Yahoo
length = 35
000 : 59 4D 53 47 00 0B 00 00 00 0F 00 8A 00 00 00 00 YMSG............
010 : 6F 7E 0B 00 30 C0 80 6F 6E 6C 79 31 6D 61 6D 6D o~..0..only1mamm
020 : 61 C0 80 a..
At 09:24 AM 4/8/2004 -0400, you wrote:
>Dammit, no kickass-porn yet, although it did sniff an aim login...
>Are you suppressing a bunch of rules?
>Mark Tombaugh <mtombaugh at alliedcc.com>
>Allied Computer Corporation <http://www.alliedcc.com>
>USiHOST, iNC <http://www.usihost.com>
>PGP: EB6CD591 Mark Tombaugh (Allied Computer Corporation)
> 5B45 859C 26F9 C12F FBCC 0831 3136 C806 EB6C D591
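The hex dump above is a complete 35-byte Yahoo Messenger (YMSG) frame, and decoding it shows why http_inspect complains. The script below is an added example, not code from the original post or from Snort: it rebuilds the bytes from the Snort dump, splits the YMSG header and key/value body, and locates the C0 80 separators. The header layout (magic, version, vendor id, data length, service, status, session id, then key/value fields separated by C0 80) follows the framing used by open-source Yahoo Messenger clients, and the reading of service 0x8A as the keep-alive/ping service is this example's assumption, chosen because it matches what the sender describes. C0 80 is an overlong two-byte UTF-8 encoding of U+0000, which is the kind of non-ASCII byte http_inspect's bare-byte check reports when such traffic passes over an HTTP port; that it did so here is likewise an assumption.

```python
"""Decode the YMSG keep-alive frame from the Snort hex dump in the post.

Added example, not part of the original post. Field names and the
service-number meaning are assumptions taken from open-source Yahoo
Messenger client implementations.
"""
import struct

# Hex bytes copied from the Snort dump in the post (35 bytes in total).
SNORT_DUMP = """
000 : 59 4D 53 47 00 0B 00 00 00 0F 00 8A 00 00 00 00 YMSG............
010 : 6F 7E 0B 00 30 C0 80 6F 6E 6C 79 31 6D 61 6D 6D o~..0..only1mamm
020 : 61 C0 80 a..
"""

YMSG_MAGIC = b"YMSG"
YMSG_SEPARATOR = b"\xc0\x80"     # overlong UTF-8 encoding of U+0000 (NUL)
YMSG_SERVICE_PING = 0x8A         # assumed keep-alive/ping service number
HEADER_LEN = 20                  # 4 magic + 2+2+2+2 + 4 + 4

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_snort_dump(text):
    """Turn Snort's 'offset : hex bytes  ascii' dump back into raw bytes.

    Hex tokens are read until the first token that is not two hex digits,
    which is where the ASCII column starts. (A two-character ASCII column
    made only of hex digits would be misread; Snort's real output pads the
    columns so that does not happen, but the copied text here does not.)
    """
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, rest = line.partition(" : ")
        for tok in rest.split():
            if len(tok) == 2 and set(tok) <= HEX_DIGITS:
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def parse_ymsg(frame):
    """Split a YMSG frame into header fields and (key, value) pairs."""
    if len(frame) < HEADER_LEN or frame[:4] != YMSG_MAGIC:
        raise ValueError("not a YMSG frame")
    version, vendor, length, service, status, session = struct.unpack(
        ">HHHHII", frame[4:HEADER_LEN])
    body = frame[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated YMSG body")
    fields = body.split(YMSG_SEPARATOR)
    if fields and fields[-1] == b"":      # body ends with a separator
        fields.pop()
    if len(fields) % 2:
        raise ValueError("odd number of key/value fields")
    pairs = [(int(fields[i]), fields[i + 1].decode("ascii", "replace"))
             for i in range(0, len(fields), 2)]
    return {"version": version, "vendor_id": vendor, "length": length,
            "service": service, "status": status, "session_id": session,
            "keepalive": service == YMSG_SERVICE_PING, "fields": pairs}


def overlong_sequences(frame):
    """Offsets of every C0 80 pair: the non-ASCII bytes a bare-byte
    check would flag if this frame were inspected as HTTP."""
    offsets, i = [], frame.find(YMSG_SEPARATOR)
    while i != -1:
        offsets.append(i)
        i = frame.find(YMSG_SEPARATOR, i + 1)
    return offsets


if __name__ == "__main__":
    frame = parse_snort_dump(SNORT_DUMP)
    print(parse_ymsg(frame))
    print("overlong NUL separators at byte offsets", overlong_sequences(frame))
```

Run as-is and it prints the decoded header (version 11, 15-byte body, service 0x8A, session id 0x6F7E0B00), the single field key 0 carrying the user name, and the two offsets of the C0 80 separators. For triage this is the check that turns "BARE BYTE UNICODE ENCODING" from a mystery into a known messenger keep-alive, which is the usual basis for a targeted suppression or threshold rather than disabling the preprocessor.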