[Dshield] For those that want to see what a Snort Sensor can see

john beck jbeck80 at hotmail.com
Thu Apr 8 16:00:15 GMT 2004


Did you write the chat rule?  And are the rest of the rules from the 
snort.org site?

Thanks
John


>From: Al Reust <areust at comcast.net>
>Reply-To: General DShield Discussion List <list at lists.dshield.org>
>To: General DShield Discussion List <list at lists.dshield.org>
>Subject: Re: [Dshield] For those that want to see what a Snort Sensor can 
>see
>Date: Thu, 08 Apr 2004 08:04:50 -0700
>
>As I said, it's pretty much vanilla "out of the box" with the exception of 
>chat.rules
>
># include $RULE_PATH/shellcode.rules
># include $RULE_PATH/policy.rules
># include $RULE_PATH/porn.rules
># include $RULE_PATH/info.rules
># include $RULE_PATH/icmp-info.rules
># include $RULE_PATH/virus.rules
># include $RULE_PATH/chat.rules
># include $RULE_PATH/multimedia.rules
>
>I have turned those on and find it interesting that overall it has been 
>pretty quiet.
>
>I did see a round of let's "guess the user's password" in the security log 
>last night
>
>I have found it interesting in that it reports
>[snort] (http_inspect) BARE BYTE UNICODE ENCODING
>
>which is a keep alive connection to Yahoo
>
>length = 35
>000 : 59 4D 53 47 00 0B 00 00 00 0F 00 8A 00 00 00 00 YMSG............
>010 : 6F 7E 0B 00 30 C0 80 6F 6E 6C 79 31 6D 61 6D 6D o~..0..only1mamm
>020 : 61 C0 80 a..
>
>
>
>At 09:24 AM 4/8/2004 -0400, you wrote:
>>Dammit, no kickass-porn yet, although it did sniff an aim login...
>>Are you suppressing a bunch of rules?
>>
>>--
>>Mark Tombaugh <mtombaugh at alliedcc.com>
>>Allied Computer Corporation <http://www.alliedcc.com>
>>USiHOST, iNC <http://www.usihost.com>
>>
>>PGP: EB6CD591 Mark Tombaugh (Allied Computer Corporation)
>>       5B45 859C 26F9 C12F FBCC  0831 3136 C806 EB6C D591
>>
>>_______________________________________________
>>list mailing list
>>list at lists.dshield.org
>>To change your subscription options (or unsubscribe), see: 
>>http://www.dshield.org/mailman/listinfo/list
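The 35-byte YMSG keep-alive quoted in the thread above, decoded here as an added example (not code from anyone in the thread). It re-types the bytes from the hex dump as a constructed input, splits the frame into its 20-byte YMSG header and C0 80 delimited key/value fields, and lists the high-bit bytes, which is the kind of unencoded non-ASCII that http_inspect's bare-byte check reacts to when Yahoo Messenger traffic rides over an HTTP port. The field layout (magic, version, vendor, length, service, status, session id) is the documented YMSG header and is assumed here, not taken from the thread.

```python
import struct

# The 35-byte keep-alive from the hex dump above, re-typed as a constructed
# test input (byte values copied from the dump, not a live capture).
YMSG_FRAME = bytes.fromhex(
    "594d5347000b0000000f008a00000000"
    "6f7e0b0030c0806f6e6c79316d616d6d"
    "61c080"
)

# Assumed YMSG header layout: magic, version, vendor, payload length,
# service, status, session id (all big-endian).
HEADER = struct.Struct(">4sHHHHII")
SEP = b"\xc0\x80"   # YMSG field separator: the "bare bytes" Snort complains about


def parse_ymsg(frame: bytes) -> dict:
    """Decode one YMSG frame into header fields plus its key/value pairs."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the YMSG header")
    magic, version, vendor, length, service, status, session = HEADER.unpack_from(frame)
    if magic != b"YMSG":
        raise ValueError("not a YMSG frame")
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload: header says %d bytes, got %d" % (length, len(payload)))
    fields = payload.split(SEP)[:-1]   # trailing separator leaves an empty last element
    if len(fields) % 2:
        raise ValueError("odd number of key/value fields")
    pairs = {fields[i].decode("ascii", "replace"): fields[i + 1].decode("ascii", "replace")
             for i in range(0, len(fields), 2)}
    return {"version": version, "vendor": vendor, "length": length, "service": service,
            "status": status, "session": session, "pairs": pairs}


def high_byte_offsets(data: bytes) -> list:
    """Offsets of bytes >= 0x80: unencoded non-ASCII that an HTTP inspector
    treats as bare-byte encoding when it believes the stream is HTTP."""
    return [i for i, b in enumerate(data) if b >= 0x80]


if __name__ == "__main__":
    info = parse_ymsg(YMSG_FRAME)
    print("YMSG v%d service 0x%02x session 0x%08x pairs=%r"
          % (info["version"], info["service"], info["session"], info["pairs"]))
    print("high-bit bytes at offsets:", high_byte_offsets(YMSG_FRAME))
```

Running it shows the frame carries only key "0" with the Yahoo user id and that every high-bit byte is either the service code or a field separator, which is what lets an analyst file this alert as benign protocol framing rather than an encoding attack.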
