gamelib-devel@common-lisp.net
March 2007
1 participants
1 discussions
[gamelib-devel] update
by Karren Sulliver
04 Mar '07
Hello, I would like to include a rule when another is triggered, for example: if this rule is triggered:

drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5;)

I would like to also trigger this rule for n minutes/seconds:

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

I've looked at the tagging option for rules but I need to drop them, not just log them. Any ideas?
Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides realtime events from snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts. The sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32). Sguil version 0.6.0 contains two significant differences from previous versions. The first difference is the use of the mysql MRG_MyISAM (MERGE) engine for the sancp, event, *hdr, and data tables. With the MERGE engine, it is possible to keep hundreds of millions of rows of data active and online and still be functional (queries to the DB are reasonably responsive). The use of MERGE and the associated schema makes backing up and restoring data amazingly simple and quick. The UPGRADE text in the sguil-0.6.0/doc directory of the source contains more detail as well as upgrade instructions. The second major change was to the sguil output plugin for barnyard (op_sguil) and the communications structure between the sensors and sguild. Op_sguil now uses tcl libraries and sends data via localhost to the sensor's agent. All communications between the sensor and sguild now flow thru sensor_agent. This means the mysql libraries are no longer needed on the sensors. Since barnyard does not need to be compiled with mysql support, op_sguil (barnyard) and mysql 4+ may be used together without any license conflicts.
I have just patched snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't seem to work as advertised. I have the following preprocessor line:

preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir /var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200, file-descriptor-mode

I strace'd snort while downloading EICAR.COM and the klez virus from a remote HTTP server - the strace shows the daily.* files being loaded - which tells me ClamAV is being enabled - but nothing got detected. I even ran tcpdump on the same interface and can see the HTTP download - so it's definitely not a wiring issue either. I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created, opened, closed and unlinked - but no virus was detected. The summary that is output when snort exits shows zero alerts - and nothing shows up via the syslog or mysql output processors I use.