-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Michael, et. al,
Several reverse engineering and exploit development websites already
have discussions of details surrounding this vulnerability, a bit of
creating searching using Google will be helpful in your quest. Since
it's by no means a secret at this point, I'll mention that the
metasploit project has already developed some intelligence on the
vulnerability.
I'll remind the readers that this vulnerability is more similar to
the vulnerability leading to the Witty worm than the vulnerability
that lead to the Slammer worm. If a worm is developed to attack
vulnerable systems (i.e. if this vulnerability is 'wormable'), it
will likely be similar to Witty insofar as the Witty worm exploited a
protocol decoder bug.
Recall that the Witty worm exploited a vulnerability in the ICQ PAM
module of ISS's Black Ice sensor....
- -Jeff
P.S. Please don't hijack threads by replying to a message and
changing the subject. It confuses threading in some e-mail clients.
On Oct 20, 2005, at 7:39 AM, Michael Steele wrote:
I found this:
http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?
articleId=17230
2520
No mention on Snort.org or in the list.
Kindest regards,
Michael...
WINSNORT.com Management Team Member
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support@winsnort.com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Igor
Belikov
Sent: Thursday, October 20, 2005 12:18 AM
To: snort-users@lists.sourceforge.net
Subject: Re[2]: [Snort-users] need help configuring snort + barnyard
Hello Chris,
Wednesday, October 19, 2005, 7:31:05 PM, you wrote:
CE> | I configured snort to write both alert and log files in
unified
CE> | format. But I can't configure barnyard properly to store in DB
CE> | detailed info about alerts.
CE> |
CE> | Barnyard "watch" alert files and stores info about alerts,
but I
CE> | need also store whole packets caused alert.
CE> It seems you don't need to have snort write both unified
files. All the
CE> required info seems to be in the unified "log" file, so this is
what you
CE> want barnyard to read. It's not at all clear to us what info
is in the
CE> unified "alert" file that's not *also* in the unified "log"
file. So we
CE> don't write a unified "alert" file at all.
It's sounds good, but I still can't configure snort + barnyard.
Last configs:
- snort:
output log_unified: filename snort.log, limit 128
- barnyard:
output log_acid_db: mysql, sensor_id 1, database snort, server
x.x.x.x, user
xxxxx, password xxxxx, detail full
In /log directory I see "snort.log.<timestamp>", "barnyard.waldo"
(with correct link to snort.log) and "alert" (with alerts produced by
snort).
Watching log files I see that barnyard works (link in waldo file
follows growing snort.log), but I don't get any new alerts in DB.
Using previous variant of configs (using unified alert) barnyard put
all alerts in DB.
Please, point me where I make mistake.
--
Best regards,
Igor mailto:ivb@is.ua
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads,
discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads,
discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- --
Custom packets with little to no money down.
http://nemesis.sourceforge.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDV+lIEqr8+Gkj0/0RAr4TAJ4vvadnq5Dsa/W2n2CtKHquSVdZCQCgnIBY
zgJcaXK2rWTq0/mmq3kBMOQ=
=2/0G
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
