Domain: snort.org
Stories and comments across the archive that link to snort.org.
Comments · 165
-
Re:WRONG on all counts & eat your words
See my subject & this link: No denying it
https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785b [slashdot.org] & it's FAR from a complete list (even though it shows 100's of router security + inefficiency issues).
Your argument is so old and tired I get a /. 404 error, seriously I do. That said anyone who is using the factory provided firmware on a consumer router/firewall is dumb. OpenWRT or DDWRT are much better choices that offer better security and better options. Or if you prefer go and drop pfSense on some "powerful" but inexpensive hardware. As you will have a device like these between your computer and the internet I don't see how an argument about cost is an issue as you have your modem connected to the internet (DSL or Cable) and then either a router or firewall that your other gear sits behind. Depending on what hardware you have and layout your setup behind the router or firewall will vary greatly.
* LMAO - again, that's you "networking menials" (that can't program their OWN solutions because you're limited) to a tee
Not a millennial (I assume that is what you meant) by a long shot. I do actually program and have through my employer contributed to a number of open source projects. You may have heard of a few of them.
WRONG! I don't understand "layered-security"/"defense-in-depth"? I wrote guides on it that even GOT ME PAID https://www.google.com/search?... [google.com]
Guess what I have contributed to guides on securing systems and am paid by my employer to do so when new versions and updates are sought. The difference is that what I have contributed to are respected and well known.
Also it looks like you are a bit too copy/paste happy as I see you are getting frustrated and double posting (see above and below). You really should look into getting treatment for your ails as something does appear to be wrong.
-
Fun/Sad Facts
Did you know that, as well as openDNS, Cisco has acquired and virtually abandoned:
SpamCop.net - 2007
Snort - 2013
ClamAV - 2013
All great projects when Cisco bought them and now circling the drain.
-
Re:So?
https://snort.org/
...On the off chance that you were joking less than 50%. -
Re:Undetectable Heartbleed bug?
It's worth noting that the official Snort rules for detecting Heartbleed were broken for a while, until an update earlier *today*:
And many of the early widely circulated IDS rules failed to detect a Heartbleed exploit if the TLS heartbeat exploit was done AFTER the start of encryption (including the widely circulated EmergingThreats signatures):
Sometimes it's helpful to have those recorded packets sitting there on disk to rip over and analyze, in case you need to travel back in time a bit...
-
Re:Time to fork Snort
Looks like they are going to be keeping their open source products open (ClamAV, Snort, and others).
http://blog.sourcefire.com/Post/2013/07/23/1374581400-cisco--sourcefire--now-bigger-stronger-faster/
Also, it looks like Snort is dual-license: http://www.snort.org/snort/license
-
Snort
If you are looking for a free program to filter with... Snort does a good job. It is an IDS (Intrusion detection system), but it is flexible enough that it would work as a very good filter, allowing you to filter by keywords, domains, ports, have-at-you...
You can combine that with lists of questionable content and you'd have yourself a pretty effective and versatile system.
These kinds of rules are probably most relevant to your interests.
http://comments.gmane.org/gmane.comp.security.ids.snort.general/33780 -
Re:The Name
I work on a government healthcare account, a very large one. Our client nearly forced us to stop using Snort based on the name alone, an "unprofessional sounding" product.
-
SnortSam
-
Re:It's a blah
Yeah, I read the arstechnica article a few days ago, and the comments there were much better than the ones here. Among the sentiments I enjoyed:
- The media coverage of these handfuls of SWAT raids are mostly to scare everyone into securing their access points, because then it makes it easier for the feds to convict you when someone breaks into your wireless access point and downloads CP or something else they don't like. If you have an open access point, they can't really "prove" it was you. But if you have some kind of encryption going, then as far as the court is concerned it just *had* to be you doing the nasty, since you're the only one with the secret keys and there's no way anyone could possibly break into it, as trivial as we know it is to do.
- The police don't apologize for anything that might happen during a raid. As far as they're concerned, they can do no wrong. But they will get reprimanded by the courts for issuing too many "dynamic entry" warrants prematurely.
- For my part, I think that if enough of us continue running open APs, the police will eventually have to find better ways to cooperate with us in their investigations. I don't really want to live in a world with no open and shared wifi (even though I have a cell phone with tethering and pretty fast HSDPA service, so I don't even need open wifi most of the time)
To actually respond to the OP...
- Set up a separate wifi router. Maybe look into something that can support OLSRd or something so you can get some kind of community mesh network going... this will particularly become important to have lots of people with OLSRd nodes if the government ever decides to use their internet kill switch for some silly reason.
- Run that wifi through a spare wired computer with two NICs, so you can use wondershaper or something to limit the bandwidth going through it.
- Some other good monitoring tools:
  - NTOP (the web-based thing, though the other console ntop is also nice), to log and display traffic type and endpoints
  - SNORT, to help alert if bad things are happening
  - iftop is a good console thingy for showing you what is taking up bandwidth right now.
  - Wireshark, for the times you feel evil and want to do some packet inspection / logging, though you probably don't want to run this all the time.
Good luck and have fun, don't let the man keep you down!
:P -
Wire Shark
Disabling Error Reporting helps. Firing up wireshark shows up huge results checking in to Microsoft http://www.wireshark.org/ (formerly known as Ethereal). I have no need to tell Nix users about Snort and Acid http://www.snort.org/ or how microsoft has an epileptic fit if you run Cain and Abel http://www.oxid.it/ Most hackers are not 31337 but idiots. My old friends at the old place pulltheplug but now http://www.overthewire.org/ had root in less than 1 minute in a memorable war game. I really do not know what to say apart from do your own research, it is your own responsibility to protect yourself online but sadly some people are just not that smart. Be brave /.ers. I am not a hacker from Cult of the Cow.... Meow! :) -
Re:Snort's not dead...
Here's the difference, Marty.
When I go to SourceFire, I see plenty of ways for me to investimentise in my partneritude, but I can't for the life of me seem to find the source of your "open source" product.
When I go to Suricata, the source link is right there on the front page.
I know that using a brain is hard, so I am always willing to help.
So, here is what you do:
1) Go to http://www.snort.org/
2) Click on "Download Snort" icon
3) Download Snort
Yeah, I know, it was hard.
-
Re:Snort's not dead...
That's because you went to the commercial site. Try going to the Snort site, and click on the big "Download Snort" link. I'll even provide the URL here:
http://www.snort.org/snort-downloads
It's right under the "Source" heading. Not really hard.
-
Re:Snort's not dead...
Did you even look at the downloads page?:
http://www.snort.org/snort-downloads
Second link is "source".
If you want the 3.0 source go to:
http://www.snort.org/snort-downloads/snort-3-0/
Maybe these weren't the sources you were looking for?
-
Confusing Story Considering Snort's Activity
If you go to the page, 2.8.6-1 was released in April of this year. I guess that's a sign of recent life. Granted, 3.0 appears to be a year before that. I don't think competition between two open source projects is a bad thing. Hell, it's great for the end users. Roesch claims OISF's tool is way slower than SNORT. So let the two fight it out and reap the benefits.
I think the most serious claim against SNORT came at the end of the article: "Sourcefire controls the intellectual property and the update cycle for changes. They use the install base of Snort to market their commercial solutions," Stiennon says. "I am not saying that is a bad thing for Snort users but it is limiting to the overall development of threat mitigation technology from the open source community."
If that's true, that is not cool. I hate it so much when I'm just trying to install PDFCreator or some other GPL'd tool and part of the install process involves a default click box to also install Yahoo's toolbar in all my browsers. It's great to see companies back particular open source projects but I do not care for companies that take hold of the reins and/or use it to propagate their own proprietary tools. It's one of the reasons I'll consider Flex better than Silverlight but never will I consider it open source despite the SDK source being available. It's got vendor lockin associated with it.
-
Re:Malware detection software for Linux?
-
Block scripting in Adobe Acrobat Reader instead...
"Blocking scripts isn't guaranteed to protect you from this kind of attack - by Phroggy (441) on Tuesday February 24, @11:39PM (#26978685) Homepage
Correction: It is - but, it depends on WHERE (what app, specifically here) you blocking scripting @!
(AND, in this case? It's better to do in Adobe Acrobat Reader, itself, vs. your webbrowsers in this case)
SO... how to do that?
See here, 1st post @ the top of this page:
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (&, beyond):
----
SALIENT QUOTE/EXCERPT/DETAILS etc. et al:
(HOW TO TURN OFF JAVASCRIPT USAGE IN ADOBE ACROBAT READER)
1.) Use Adobe Acrobat's EDIT menu
2.) PREFERENCES submenu
3.) Javascript section (in left-hand side column of options)
4.) & uncheck "Enable Acrobat Javascript" in the right-hand side option for that.
----
THUS - By disabling scripting in Adobe Acrobat Reader, of most ANY (@ least recent) versions of it (&, I KNOW that versions 8 & 9 allow this, @ least)? You stall this type of attack, easily...
( &, no "chancing it" by ONLY using NoScript's DEFAULTS (which are NOT as "stringent" as it CAN be) or other means in a browser alone (though, layering those methods ontop of this one cannot hurt)).
----
IMPORTANT NOTE/EDITING MY ORIGINAL POST I INTENDED TO PUT UP W/ SAID "WORK-AROUND" METHOD I PUT UP ABOVE:
There IS a "home brewed patch" out there now, developed by a 3rd party via a HACKED DLL (filename -> AcroRdv9-Patch.zip -> http://www.snort.org/vrt/tools/AcroRdv9-Patch.zip ), for Adobe Acrobat 9 ONLY, but... he's also NOT guaranteeing it vs. other variants of THIS type of attack (run by Adobe's javascripting engines in Acrobat Reader), NOR, in earlier versions of Adobe Acrobat!
HOWEVER - the method I am extolling?
I, however/conversely, DO guarantee it works!
(AND, should even w/ Adobe Acrobat Reader Browser plugins/addons if any, assuming they too, utilize said .DLL/lib's function calls, & odds are in today's "Document Centric Model" & Object-Oriented designs? It does because MOST coders, myself included?? Don't "reinvent the wheel" generally to save time & effort - we USE these prebuilt lib/dll function calls when possible... & HOPE there are no bugs, like this lib/dll has)
Simply too, via the method noted above, & on THIS & other variants of this nature of attack (that exploit faults in Adobe Acrobat's native internal javascript parsing + processing methods) in this application, even in older models that support disabling of javascripting in Acrobat's .pdf extensioned (Windows) docs.
STILL, the "ideal" thing to HOPE & wait for? A patch from Adobe, of course... not workarounds like this.
APK
P.S.=> See, it's ONLY that I had the benefit/advantage of seeing this one coming a LONG time ago (more than a year ago @ least), as well as attacks being used via Adobe Acrobat Reader in the past (like many of you no doubt ALSO have) before this instance of it happening...
(& thus, I put up a SIMPLE method for anybody to utilize, in HOW to stall it @ THE SOURCE, above, more than 1 yr. ago wherever I posted that guide online in late 2007...)
AND, guys? IT WORKS, because "IF YOU CANNOT GO INTO THE scripted KITCHEN, YOU CANNOT GET BURNED" type thinking... apk
-
Re:Encryption?
All it does is compare the encoded hash value in the Bittorrent header against a list of known illegal hashes. Hashes you have to program manually.
That sounds exactly how Snort works.
I guess if you had a bunch of hashes, you could put these in a configuration and basically have the described functionality.
I've analyzed Snort more than 6 years ago and also remembered that it couldn't operate on more than 100Mbit. Might've been a change here and there, though.
-
Re:Apply bayesian spam filtering?
This is sort of how Intrusion Prevention System (IPS) automatic blocking currently works, but not exactly as you describe. If you have an Intrusion Dectection System (IDS) like Snort, you can add on an IPS solution to take care of this. For example, there are SSH brute force detection rules in both, the official Snort and community Bleeding Edge rule sets. You can configure snort-inline to alter iptables rules dynamically, or use third party software, such as SnortSAM to automatically block the traffic at your edge firewalls.
I personally prefer SnortSam to do the blocking. It is fairly easy, with SnortSAM, to set up a distributed network of trusted sensors and firewalls, which can alert one another to threats. The SnortSAM sensor-to-firewall messages are encrypted with TwoFish; it supports whitelisting to prevent Denial-of-Service attacks; you can specify the amount of time to block. You could also crank up threshold in Snort to prevent false positive blocking. However, the last time I used Snort I found that 5 failed SSH logins in 2 minutes, the default threshold for the SSH brute force rules, was dead on accurate.
-
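The threshold-and-block logic the comment above describes (5 failed SSH logins within 2 minutes, a whitelist so spoofed failures cannot turn the blocker into a denial-of-service tool, and a fixed block duration), written out as an added Python example; this is not SnortSAM's or Snort's own code. It assumes OpenSSH "Failed password" syslog lines and constructed sample addresses; the threshold, window, whitelist and block duration are all assumed values.

```python
"""Sliding-window SSH brute-force blocker (added example, not SnortSAM code).

Assumed (not from the original post): OpenSSH syslog format, a threshold of
5 failures within 120 seconds, a whitelist of never-blocked hosts, and a
30-minute block per offending source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

THRESHOLD = 5                    # failures that trigger a block
WINDOW = timedelta(minutes=2)    # counting window for those failures
BLOCK_FOR = timedelta(minutes=30)

# Hosts that are never blocked (trusted sensors/admins). Without this, a
# flood of spoofed failures could lock out the people who run the system.
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]

# OpenSSH failure line as forwarded by syslog (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_login(line, year=2024):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def is_whitelisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def plan_blocks(lines, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Return {source_ip: block_expiry} for sources that crossed the threshold.

    Each source keeps only the failures that fall inside `window`; once that
    count reaches `threshold`, a block is recorded and the counter is reset.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocks = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue              # successful logins and unrelated lines
        ts, ip = parsed
        if is_whitelisted(ip) or (ip in blocks and ts < blocks[ip]):
            continue              # trusted host, or block still active
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            blocks[ip] = ts + block_for
            q.clear()
    return blocks


# Constructed sample log (all addresses are documentation/test ranges):
#  - 203.0.113.7 fails five times within 40 seconds  -> blocked
#  - 198.51.100.4 fails five times, three minutes apart -> never 5 in a window
#  - 10.1.2.3 fails six times quickly but is whitelisted -> ignored
def _fail(ts, ip, user="root"):
    return f"{ts} bastion sshd[4242]: Failed password for {user} from {ip} port 51234 ssh2"

SAMPLE_LOG = [
    "Mar 13 09:59:50 bastion sshd[4200]: Accepted publickey for ops from 192.0.2.10 port 40000 ssh2",
    *[_fail(f"Mar 13 10:00:{s:02d}", "203.0.113.7") for s in (1, 10, 20, 30, 40)],
    *[_fail(f"Mar 13 10:{m:02d}:00", "198.51.100.4", "invalid user admin") for m in (0, 3, 6, 9, 12)],
    *[_fail(f"Mar 13 10:01:{s:02d}", "10.1.2.3") for s in range(0, 60, 10)],
]

if __name__ == "__main__":
    for ip, until in plan_blocks(SAMPLE_LOG).items():
        print(f"block {ip} until {until:%H:%M:%S}")
```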
Re:For a good time, read his testimony
Errr... that description makes the "solution" look strikingly like an appliance with bridged ethernet connections (so, it can't be addressed directly) running snort with a rule set that targets P2P-type traffic, no?
-
OSS Security - Too Little Too Late
Wow!!! http://www.snort.org/docs/advisory-2007-02-19.html
Hypocrites!!! -
Re:Remote, what about stealth installations
Good point. This is also another reason to implement a passive only tap for your snort box. In that situation the worst case scenario is your sensor sniffs some traffic that causes it to get compromised and it stops working or at least not correctly. Even if somehow a worm gets injected into the system from this passive sniffing it can't go anywhere. Unless you're dumb enough to have your IDS machines hooked up to your internal network via another NIC. Keep your IDS sensors passive and isolated!!!
-
Snort - The Year Of The Pig
Barely started reading article. Ain't finished yet but, I couldn't help think about what I saw over at Snort.Org I was looking up numbers today. Anyway, it's this funny graphic on the top left of the page. http://www.snort.org/images/home/snortorg_yearofthepig.jpg
Year of the Pig. Today is the Chinese year of the pig. Is this some kind of demented geek humor? Now stop hacking government servers China. Bad China. Bad. And dear government, your security will improve, once you throw out and lift the security clearances of all that corruption, and bush shills who don't even know how to do the job they're in. -
Re:Why wait? Get Snort today.
but snort does not run on windows, which is sorta their target OS....
Actually, Snort will run on Windows.
First, you need to install WinPcap, which is available at http://www.winpcap.org/.
Next, you will have to download the Snort Windows binary at http://snort.org/dl/binaries/win32/.
Finally, RTFSnortM and have fun.
It's not all that hard to get going... I had to do a Snort install on a Windows box in order to work on a project in my Network Security class at Loyola University Chicago. -
Re:Why wait? Get Snort today.
-
Why wait? Get Snort today.
Microsoft is re-inventing "intrusion detection" and "packet analysis". Save yourself some stress and deploy Snort today.
http://www.snort.org/ -
Re:And if you use those codecs with MPlayer on Lin
and there are no "automatic" tools to sweep it clean
meh...not sure I entirely agree with you here, although I will concede that many Linux users don't know what tools are available and even less use those that are available on a regular basis.
Tools that I use regularly to keep tabs on my boxen:
1) chkrootkit (http://www.chkrootkit.org/): can be run from cron to look for suspicious files and rootkit signatures;
2) netstat -ep: to show what processes are using network connections;
3) lsof: to show what files on your system are open, who opened them and with what process they were opened;
4) Tripwire (http://www.tripwire.com/) or Sentinel (http://www.gecko-ak.org/Sentinel/), my own, open-source, much less functional, still really in development Tripwire-like file system auditor: to check for changes in binaries, config files or anything else on your file system that you would like to keep tabs on;
5) nmap (http://www.insecure.org/): to remotely scan computers on your network for open ports, and to audit the services using these open ports;
6) nessus (http://www.nessus.org/): like nmap, only different;
7) tcpdump/ethereal/wireshark: to monitor packets in or out of your computer;
8) snort (http://www.snort.org/): okay, I haven't (yet) used this one, but it's the open-source standard for IDS;
9) bitdefender (http://www.bitdefender.com/): anti-virus for Linux--we had to use this once at work to remove a Windows virus that had infected our Samba shares (note: the Samba server wasn't infected, but the Windows machines that were mounting shares from the Samba server were--and they kept rewriting infected Windows executables to the server).
So, no most of these aren't automatic, and most of these won't clean your Linux PC's, but there are a host of tools that you can use to detect problems on your Linux computers. And, if you're really paranoid, there are several vendors that provide anti-virus software, just like what you find on your Windows machines. -
Re:How long did it take you?
(Offtopic, but oh well I couldn't resist)
You seem to have a lack of understanding about how the Internet works. I go through qwest to get to /.-- that doesn't mean qwest is "sniffing" my traffic. It simply means qwest is a provider who is peered with speakeasy (my ISP) and savvis (apparently Slashdot's provider).
Do you really think the NSA wouldn't use transparent ethernet taps anyways? And do you really think the NSA would have all that traffic dumped back to "nsa.gov"? -
Sounds like a traditional IDS
Dismissing the legality and morality of doing this...
Let's look how most Network Intrusion Detection Systems work today, including the OSS favorite Snort.
We start off with a bunch of signatures. These signatures are analyzed against incoming network traffic. A signature is matched, an alert is sent out (syslog, mysql, whatever) and my little console displays the alert. I analyze, determine it's a "false alert". I try to tune it out, maybe, depending on frequency and annoyance, and continue on to the next (false?) alert. If the alert is deemed true, I determine if we were hacked or if something more serious is going on. Usually, I get other people involved.
Sounds like the NSA's system is very similar to the job of our favorite IDS operator. In fact, it's exactly the same thing. Some software looks for patterns in telephone network traffic. Once these patterns are found, they do a quick check (basic analysis) to confirm the pattern has matched. Then, the alert is passed on to a different team to investigate whether there is a more serious event or not.
Are there false positives? Yes. Are there false negatives? Yes. Does this mean the method is ineffective? No. Does this mean it should be shut down? No. If it did, why am I, and thousands of others, getting paid every day? -
Teaching
Will someone teach the government what "open source" and "oss" mean. Not the meaning of the words or letters but the Ideals.
Don't let the government that ANYONE can "get this technology" by downloading the source code.
http://www.snort.org/dl/
Yikes.. looks like we're too busy listening to Suzie Q's phone calls to Julie. -
Where is Snort?
Snort?
http://www.snort.org/
I'm surprised that's not on the list. -
But it is freely available to anybody
But snort is freely available to anybody right now:
-
Re:Here are my top tools
And... Snort
http://www.snort.org/ -
Re:Misleading and ignorant?
Actually, you are wrong.
sourcefire was founded by Marty Roesch (who, is a user here on slashdot and prolly just cringed at you writing that), marty wrote Snort. Sourcefire USES Snort in their devices.
Look at it..
http://www.snort.org/ 0wned by sourcefire
http://www.sourcefire.com/ Powered by snort -
Re:IDS signatures
I work for the resnet of a public university with ~4000 on-campus students. I've been testing these rules for the past day, and they're appearing reliable enough to test them in conjunction with Snort's ability to tear down TCP connections by sending TCP reset packets. Snort does this by way of the flexresp post-detection option.
So far, this is proving very effective at blocking WMF exploit files in the wild. Even if they are renamed with .doc, .jpg, etc extensions, the transfer will be reset once the signature matches. -
Cheap = ethereal and a hub
what cheap or free monitoring options are there available ...
If the network is the issue, the cheapest and simplest is a good laptop running Ethereal or Snort. Also pick up (or scrounge up) a dumb hub and if possible a fiber tap, since you're probably running in a mixed-media switched infrastructure (or maybe you're not - hence the problems :) ). If you want to get fancy you can buy span or rspan capable switches which will let you mirror traffic from individual ports or Vlans to a single management station port (in which case you can just use a desktop).
This should go without saying, but those packet captures will be useless unless you know WHERE each mac address is on the network. That said:
1) maintain reliable L1/L2/L3 mappings
2) Tag both ends of long cables and make sure all wallports are numbered, and
3) beat the shit out of anyone who brings personal equipment in and plugs it in. It screws up your records and is probably less secure. -
Jaded article writer? Get a grip!
There's just one problem. This perception of the software-as-services model is a jaundiced misrepresentation of the way that on-demand applications actually work. No on-demand customer pays simply for the privilege of accessing the software. They pay because the software delivers business results. And that simple distinction exposes once and for all the clay feet, the emperor's new clothes, of the traditional applications software industry. Their products don't actually work until they've been tweaked and customized by customers or partners, and therefore the licence of itself has no out-of-the-box value to the end user. Asking people to pay for the privilege of using the software isn't offering a service, it's taking a liberty. It's as much of a nonsense as asking a punter to pay a performance fee for whistling a copyrighted tune. If I'm paying a fee to watch a movie, listen to a song, or use an application, I expect to experience a professional, finished execution.
True on-demand application vendors understand this. Conventional software vendors seem to think the world still owes them a living, just for bothering to write some software.
This article sounds as if the guy was jaded from the start. His complaints are similar to those people who first scoffed at the notion of leasing a car instead of buying it. Some may consider it foolish, but some also see the benefits. In my experience you can lease a car for 12 months, have the "owner" of the car (or software) continually maintain it when it needs it.
Don't read too deeply in on that analogy, please.
But BOTHERING to write some software? By us Bothering to write some software you have some of the best software out there that's been used to secure most of the IT infrastructure the world runs on. Apache, The Linux Kernel, The Various BSD's, SQL Databases, Iptables, SNORT IDS software, OpenSSL, and many many more!
This guy is just trolling. The article is slanted because he believes that once written, any bugs, flaws (as in it doesn't do this the _way_ it should for ME) should all be done for free simply because he or general consumers are greedy. To a point, bug fixes should be fixed like glaring security flaws that could be used to take over your computer (ala windows in general, yes I'm biased) or damage your information etc.
But get real. If you paid ONCE for your anti-virus software and expected it to work flawlessly and capture all viruses, worms etc without having to pay extra every year to maintain that reliability you're just out of your mind. There is no incentive to keep something up for free especially in an evolving industry. One that evolves at almost 2-5 times the normal rate of other industries.
Think of it this way. You pay a subscription service similar to that of an anti-virus vendor. Receive continual updates, bug fixes, serious flaws get fixed for an annual price. This ensures the developers can work and continue to live as well. Why not? If you don't pay for the next years license, you simply don't get major version upgrades (maybe a serious bug fix or service pack) or new "features".
I'm not keen on the idea of keeping your apps on a server/central location, unless it's on my home network and I have the option to install it centrally or on each workstation. It's just foolish to do it that way. But this guy's "it's mine, I want it all forever" after a simple purchase doesn't cut it. Want that new fender or tires? They're better quality than the current tires you have, then pay for them. Don't expect it for free buddy.
This guy really pissed me off. And I have a football game to watch. -
Open source network analysis tools
What tools and methods are the best practice when trying to use Linux and Open Source to analyze and fix a network?
These are some of the tools to consider, in no particular order:
- Nagios
- Snort
- ethereal
- dsniff (not updated in ages)
- ncat
- nmap
- nessus v 2 (or one of the forks of version 3)
- SARA
You'll have to read the descriptions to decide which ones to try. -
Snort is...
probably one of the best tools ever developed for open-source / security community. I've got a bad feeling from this whole Check Point acquisition, especially with the major revamp in http://snort.org/. Thankfully there's still http://nessus.org/....wait. Fuck!
-
What happens with the rule set development?
I have snort running with BASE, for a nice NID management setup. Without the rules, not much will happen.
There are currently three levels of access to rules, as seen at http://www.snort.org/rules/
1. Anyone can get the rule set that is released with the latest version.
2. People who pay the big bucks ($1,795/year) can get updated rule sets as soon as they are released.
3. A third level sits in the middle; where if you register with sourcefire you can get the updated rules five days after they are released to the premium members.
Martin, I am sure that "Check Point is very excited about continuing Sourcefire's involvement with the open source community!". I hope that doesn't mean that they are excited about getting fees for any and all rules from the open source community. -
Passive scanning?
If these are used solely for detecting, rather than taking action and blocking traffic, why on earth aren't they located passively? By that I mean a ethertap. rather than having a device sat on the line that responds to traffic.
That would essentially make the device invisible - all you'd then have to do is have your network of passive detectors inform you when odd traffic passes through. -
Re:How about making server side only apps?
Well put, but you forgot one important note: end users can turn off Javascript, rendering any error checking done client-side worthless.
Furthermore, malicious users can attack your site with handcrafted HTTP requests, so server-side security is of paramount importance. Here are a couple examples:
http://www.snort.org/pub-bin/sigs.cgi?sid=1080
http://www.securiteam.com/securitynews/6S00O1561M.html
Here's the google search:
http://www.google.com/search?hs=hNY&hl=en&lr=&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=%22handcrafted+HTTP%22+request&btnG=Search -
Monitoring is expensive
While actively monitoring is always preferred, not everybody has the luxury of time to sit in front of the server monitoring every minor detail. Especially on projects for humanitarian organisations you do on your spare time. To be honest, some automation SHOULD be implemented, because a human is simply not a robot and will tire over time. The purpose of computing is exactly that - to alleviate humans of doing boring tasks.
I set up my scripts so I am emailed ONLY on new activity not seen before. So I find ways to silence minor attacks/alerts which does not interest me in conjunction with finding automatic ways to react on attempts.
I can recommend this setup:
- Snort (Network packet sniffer)
Enough is said about this. Absolutely needed, but useless without intervention. Oinkmaster is nice to use for automatic downloading of new rules.
- Narc Firewall
Perl script for iptables/ipchains. Fast and easy to set up, however any decent firewall will do. Narc allows for user-customization/hacking, which is a plus for those who want to learn ipchains/iptables and do more advanced stuff than a GUI can offer. I like to fiddle with the rules myself for outgoing packets, which very few firewalls support. It's nice to know your computer is not sending out traffic you don't know about. By blocking everything outgoing by default, I will catch stuff in the logs and adjust the rules when I know what it is (not recommended while in production).
- BlockIt (Perl script for reactive firewalling)
Blocks hosts temporarily and permanently based on SSH logs, snort alerts and firewall logs. Nice and easy to extend even if you don't know Perl, but have patience to test a lot. The maintainer is cool about accepting patches. Yes, you need a list of hosts to never block, and yes a dedicated cracker can spoof IP addresses to DOS you. However, I'll deal with that when somebody does just that. It depends how important your service is I guess.
- Samhain (Rootkit and file change detection)
I set up Samhain to email me about EVERY change in the root filesystem. However, I run Samhain with the silent option just after every upgrade at night. So upgrades are done automatically and silently without alerting me (Debian Stable - Sarge).
- chkrootkit (Another rootkit checker)
It's in the Debian-tree. Can't hurt to use more than one checker. This one is less spammy than Samhain and checks for other kinds of signatures in the system.
This might seem much, but I consider it a bare minimum for an install I'm not going to watch over continuously. Running Linux doesn't make you secure, and even with all this, I know I'm still vulnerable to:
A) Crackers hacking over time. Little by little they may do a portscan and find out enough to do a:
B) Full-scale successful attack. Reactive firewalls just won't stop it, and then you're cracked.
C) DOS. Automatic blocking based on IP and DSL-connection is just not enough to stop DOS and DDOS.
However, with a hardware firewall in front, I feel a bit more secure.. ;*) All emails to root are forwarded to my email account, cron jobs and all, and believe me, with the pruning job done, hardly any email is sent. Days can go without any emails, oh wait, maybe..... *shiver*
One interesting project is a firewall based on snort: Hogwash. The project is in need of maintainers though. However the idea is cool: To block based on snort alerts in real time. This can actually be useful to block intrusions before they can do harm other than DDOSing. I for one will accept the increase in latency if it means my network is that much more secure. I really hope this one will take off one day.
-
Re:Snort-Inline+IPTables+Scripts = Decent IPS
As a followup, how does the port mirroring feature of smart switches compare to the passive Ethernet taps shown on snort.org?
-
Re:Preferentially?
An IDS (Intrusion Detection System) is not meant for inline functionality and dropping packets. It is merely meant to detect attacks and log them by seeing copies of all packets, such as using a mirror port of a switch. Some IDS applications (such as SNORT) also support plugins which can dynamically install firewall rules in a separate firewall (such as CISCO ACLs, iptables, etc) when an attack is detected.
An IPS (Intrusion Prevention System) is an IDS system built to be placed inline with the capabilities of blocking attacks itself. SNORT also has some IPS (inline) functionality.
Unless you install a firewall which contains application intelligence (such as Check Point), the firewall will not detect attacks such as zombies. The parent is right in stating that an IDS or IPS is best used for this functionality.
-DJBS -
Re:A cheap box
Although I would advocate Linux for most things, OpenBSD and MirBSD are probably the best two systems out there for firewalling. (MirBSD is a blend of OpenBSD and FreeBSD, if I recall correctly.)
You also want a Network Intrusion Detection System (NIDS). I suggest proactive, as you are under a known threat, rather than defending against potential attacks.
I don't know of any cheap truly proactive NIDS systems, but Snort has the ability to carry out limited countermeasures. (There are plenty of people who would argue that NIDS should not be linked to a firewall or be otherwise proactive, but I personally think that it is impossible to have a thorough defence if you don't provide the system doing the guarding with the ability to see what they are guarding against.)
Personally, I think the ideal is to have two firewalls with a proactive NIDS sitting between them. None of the three should trust the others. The reasoning for this is that you then only monitor inbound traffic that is potentially hostile, minus trivial threats. It is also easier on the NIDS, as the attempt to break the inner firewall will be "obviously" different from normal traffic. -
Net Squid
We use Net Squid to do that. Essentially it's a PC acting as a transparent bridge sitting in the middle of the fiber uplink from each dorm. It uses a combination of Snort, Squid, and IPTables. If a computer starts misbehaving, it'll get added to a block list for 15 minutes, which will allow access only to a web page that downloads our site-licensed copy of Sophos Antivirus.
-
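Added example, not code from any of the posts nor from the BlockIt or Net Squid projects: a Python sketch of the reactive blocking described in the "Monitoring is expensive" and "Net Squid" posts above. It reads constructed Snort fast-alert and sshd lines, honours a never-block list, quarantines an offender for 15 minutes (HTTP redirected to a local clean-up page) and makes the block permanent after repeated strikes; the log patterns, the 8080 port and the iptables rule strings are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]  # hosts never to block
TEMP_BAN = 15 * 60      # seconds: Net Squid-style temporary quarantine
PERMANENT_AFTER = 3     # strikes before the block becomes permanent
QUARANTINE_PORT = 8080  # hypothetical local port serving the clean-up page

# Snort "fast" alert lines and sshd "Failed password" lines; both regexes are assumptions.
SNORT_RE = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\].*?\{\w+\} ([\d.]+)(?::\d+)? -> ")
SSH_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from ([\d.]+)")

SAMPLE_LOGS = [  # constructed sample input; sid 1080 is the signature linked in the thread
    "05/12-03:14:15.123456  [**] [1:1080:13] WEB-MISC constructed alert [**] [Priority: 1] {TCP} 198.51.100.7:4321 -> 192.0.2.10:80",
    "May 12 03:14:20 host sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "05/12-03:14:21.000000  [**] [1:1080:13] WEB-MISC constructed alert [**] [Priority: 1] {TCP} 10.0.0.5:1111 -> 192.0.2.10:80",
]

def extract_offenders(lines):
    """Yield (source_ip, reason) for every Snort alert or failed SSH login in lines."""
    for line in lines:
        if m := SNORT_RE.search(line):
            yield m.group(3), f"snort sid {m.group(1)}: {m.group(2)}"
        elif m := SSH_RE.search(line):
            yield m.group(1), "sshd failed password"

class ReactiveBlocker:
    def __init__(self, now):
        self.now = now      # epoch seconds, e.g. time.time()
        self.strikes = {}   # ip -> alerts seen so far
        self.blocks = {}    # ip -> expiry time, or None for a permanent block

    def process(self, lines):
        """Record every offender; the n-th strike turns a temporary block permanent."""
        for ip, _reason in extract_offenders(lines):
            if any(ip_address(ip) in net for net in NEVER_BLOCK):
                continue  # the never-block list the post insists on, so you cannot lock yourself out
            self.strikes[ip] = self.strikes.get(ip, 0) + 1
            self.blocks[ip] = None if self.strikes[ip] >= PERMANENT_AFTER else self.now + TEMP_BAN

    def expire(self, now):  # lift temporary blocks whose time is up; permanent ones stay
        self.now = now
        self.blocks = {ip: e for ip, e in self.blocks.items() if e is None or e > now}

    def rules(self):  # iptables commands for a bridging box; generated, not executed here
        out = []
        for ip, expiry in sorted(self.blocks.items()):
            if expiry is not None:  # REDIRECT hands HTTP to the local clean-up page via INPUT, not FORWARD
                out.append(f"iptables -t nat -A PREROUTING -s {ip} -p tcp --dport 80 -j REDIRECT --to-ports {QUARANTINE_PORT}")
            out.append(f"iptables -A FORWARD -s {ip} -j DROP")
        return out
```

Spoofed source addresses can still drive this into blocking someone else, which is exactly the DOS trade-off the post accepts; the never-block list is what keeps your own management hosts reachable.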
Re:You are in control!
Amen to that! Or, it just may be that his post is only the ceremonial position of "official scapegoat" that takes the fall when the poop really hits the propeller blades... Short recipe for the cure (provided he IS the admin):
- Get an extra PC on the backbone of the network, so it can monitor all the traffic. Anything bigger than an x486 is good enough, say with 128MB or more of RAM.
- Install OpenBSD ( http://www.openbsd.org/ ) on it (most hardened free OS around, so the hackers can't take you down so easily).
- Install SNORT ( http://www.snort.org/ ) on it. Configure to work as a network IDS and keep it up to date with the latest vulnerability/virus plugins.
- Once SNORT gets wind of an infected machine, set it to do one of three things:
- If you have the tech skills to set it up, have SNORT block out the switch port where the offending PC is plugged in AND send you a message. When the owner cleans up their act, reactivate the port and restore connectivity.
- Else, have SNORT send you a message with all the details and YOU do the port blocking, if you can. The rest proceeds as above.
- Else, have SNORT send you a message so you can bitch whomever has the capability to block the port. The rest proceeds as above.
- If your authority is so puny that you cannot do any of these things, you could resort to sending out a mail to all the rest of the users of the network, and letting them know who the miscreant screwing up their connectivity is, and let peer pressure do its thing...