Network Security: Detailed info on Re: [Snort-users] snort and squid

Subject:	Re: [Snort-users] snort and squid
Date:	Fri, 18 Jan 2008 20:17:40 +0100

From: "Seth" <sethsec@gmail.com>

Did you also add 3128 to the http_inspect preprocessor?  ie:
http_inspect_server: server default profile all ports {80 3128}


Yes. Here are the alerts that are logged:

(ftp_telnet) FTP command
(ftp_telnet) FTP traffic
(ftp_telnet) Invalid FTP
(http_inspect) NON-RFC DEFINED
(http_inspect) OVERSIZE CHUNK
(http_inspect) OVERSIZE REQUEST-URI
(http_inspect) U ENCODING
ICMP Destination Unreachable
ICMP PING *NIX
ICMP PING BSDtype
ICMP PING Windows
ICMP PING [**]
SHELLCODE x86 NOOP
SHELLCODE x86 inc

Thats all. No BPF filter, no threshold.

[root@proxy ~]# cat /usr/local/etc/snort/snort.conf | grep ^include
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/voip.rules
[root@proxy ~]# 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] snort and squid, Helmut Schneider Re: [Snort-users] snort and squid, Paul Melson Re: [Snort-users] snort and squid, Helmut Schneider Re: [Snort-users] snort and squid, Joel Esler Re: [Snort-users] snort and squid, Helmut Schneider Re: [Snort-users] snort and squid, Joel Esler Re: [Snort-users] snort and squid, Helmut Schneider Re: [Snort-users] snort and squid, Seth Re: [Snort-users] snort and squid, Helmut Schneider <=

Previous by Date:	Re: [Snort-users] snort and squid, Seth
Next by Date:	[Snort-users] Pear Install Problem, Rachid Abdelkhalak
Previous by Thread:	Re: [Snort-users] snort and squid, Seth
Next by Thread:	[Snort-users] Using antivirus with snort 2.8.x, carlopmart
Indexes:	[Date] [Thread] [Top] [All Lists]