[Dshield] For those that want to see what a Snort Sensor can see

Al Reust areust at comcast.net
Thu Apr 8 15:04:50 GMT 2004


As I said, it is pretty much vanilla "out of the box", with the exception of chat.rules:

# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules

I have turned those on and find it interesting that overall it has been 
pretty quiet.

I did see a round of let's "guess the user's password" in the security log 
last night.

I have found it interesting that it reports

[snort] (http_inspect) BARE BYTE UNICODE ENCODING

which is a keep-alive connection to Yahoo:

length = 35
000 : 59 4D 53 47 00 0B 00 00 00 0F 00 8A 00 00 00 00 YMSG............
010 : 6F 7E 0B 00 30 C0 80 6F 6E 6C 79 31 6D 61 6D 6D o~..0..only1mamm
020 : 61 C0 80 a..



At 09:24 AM 4/8/2004 -0400, you wrote:
>Dammit, no kickass-porn yet, although it did sniff an aim login...
>Are you suppressing a bunch of rules?
>
>--
>Mark Tombaugh <mtombaugh at alliedcc.com>
>Allied Computer Corporation <http://www.alliedcc.com>
>USiHOST, iNC <http://www.usihost.com>
>
>PGP: EB6CD591 Mark Tombaugh (Allied Computer Corporation)
>       5B45 859C 26F9 C12F FBCC  0831 3136 C806 EB6C D591
>
>_______________________________________________
>list mailing list
>list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
