From frank at snortsam.net Mon Dec 15 19:48:45 2008
From: frank at snortsam.net (Frank Knobbe)
Date: Mon, 15 Dec 2008 18:48:45 -0600
Subject: [Snortsam-discussion] Snortsam updates
Message-ID: <1229388525.66265.39.camel@localhost>

Greetings,

A couple of updates have been committed to CVS which brings Snortsam to
version 2.57:

* Twofish: The fixes necessary to generate Twofish library code that is
compatible between 32 and 64 bit systems have finally been committed to
CVS. Initial tests are very positive. Anyone that is using Snortsam on a
64 bit system is encouraged to try this fix.

Likewise, if you are running Snort on a 64 bit system, copy the updated
twofish.c and twofish.h files to the proper place in the Snort source
after patching it.

* Cisco Null Route: An error was introduced in April that caused
Snortsam to log into the router, do its stuff, and log out, but not
remember that it logged out. On the next block requests it assumed it
was still logged in, and issued a block without logging in. That's been
fixed. Please report any remaining issues with the Cisco Null Route
plugin.

* Mutexes on Windows: Some code clean-up that would exclude the pthread
mutexes from a Windows compile.

* makesnortsam.sh: Fixed an error where a plugin got left out during
compilation under FreeBSD.


I also received an updated iptables plugin (Thanks Luis) and will commit
that shortly. Since I'm running out of time today, this will likely be
committed tomorrow or in a couple days, depending how busy the day gets.
I'll post a note when committed.


Matt, could you please compile binaries for the platforms you compile
for?

Thanks!
Frank


From jonkman at jonkmans.com Mon Dec 15 22:08:46 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 15 Dec 2008 22:08:46 -0500
Subject: [Snortsam-discussion] Snortsam updates
In-Reply-To: <1229388525.66265.39.camel@localhost>
References: <1229388525.66265.39.camel@localhost>
Message-ID: <49471BBE.7080804@jonkmans.com>

If you're committing more tomorrow why don't we leave a new tarball
until then? If you don't get to it tomorrow I'll make up a tarball.
Good by all?

If anyone's anxious you can grab direct from cvs:

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/?cvsroot=snortsam

Thanks Frank!!

Matt

Frank Knobbe wrote:
> Greetings,
>
> A couple of updates have been committed to CVS which brings Snortsam to
> version 2.57:
>
> * Twofish: The fixes necessary to generate Twofish library code that is
> compatible between 32 and 64 bit systems have finally been committed to
> CVS. Initial tests are very positive. Anyone that is using Snortsam on a
> 64 bit system is encouraged to try this fix.
>
> Likewise, if you are running Snort on a 64 bit system, copy the updated
> twofish.c and twofish.h files to the proper place in the Snort source
> after patching it.
>
> * Cisco Null Route: An error was introduced in April that caused
> Snortsam to log into the router, do its stuff, and log out, but not
> remember that it logged out. On the next block requests it assumed it
> was still logged in, and issued a block without logging in. That's been
> fixed. Please report any remaining issues with the Cisco Null Route
> plugin.
>
> * Mutexes on Windows: Some code clean-up that would exclude the pthread
> mutexes from a Windows compile.
>
> * makesnortsam.sh: Fixed an error where a plugin got left out during
> compilation under FreeBSD.
>
>
> I also received an updated iptables plugin (Thanks Luis) and will commit
> that shortly. Since I'm running out of time today, this will likely be
> committed tomorrow or in a couple days, depending how busy the day gets.
> I'll post a note when committed.
>
>
> Matt, could you please compile binaries for the platforms you compile
> for?
>
> Thanks!
> Frank
>
>
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From mark.clift at usitek.com Tue Dec 16 11:19:08 2008
From: mark.clift at usitek.com (Mark Clift)
Date: Tue, 16 Dec 2008 11:19:08 -0500
Subject: [Snortsam-discussion] ISA 2004/2006 Plugins
In-Reply-To:
References:
Message-ID: <93B6573C4C01834A94F836F35EBB65BF0319BB@exchange01.USitek.local>

The plugin does work, at least with 2.54. I have some additional
revisions that I have not had time to finalize due to my work schedule.
However I am vacationing through the holidays and beginning of next
year. I will finalize, test with 2.57 and send in during that time.

If you need some assistance in getting this working before early Jan
please feel free to contact me off list and I will see what I can do. I
do have a compiled working version in production both on ISA 2004 Std
and 2006 EE and a basic readme for installation.

Sorry for the lengthy delay in getting this done. Work has absorbed all
of my free time.

Thank you.

Best Regards,

Mark P. Clift, MCSE
Vice President
716.447.7000 office
716.332.0060 direct
716.447.0880 fax
mark.clift at usitek.com

US itek, inc.
1720 Military Road, Suite 200
Buffalo, NY 14217

From: snortsam-discussion-bounces at snortsam.net [mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Chris McLeod
Sent: Thursday, August 14, 2008 12:54 PM
To: snortsam-discussion at snortsam.net
Subject: [Snortsam-discussion] ISA 2004/2006 Plugins

All

I was perusing the archives of this list and found a post describing
success using the snort-sam plugin for ISA 2004/2006. I am interested
in getting any information I can about this (I believe .dll's and a
readme were mentioned). The poster was Mark Clift and the entire email
is listed below.

Thanks in advance,

Chris McLeod
Network Services Manager
City of Thornton
9500 Civic Center Drive
(303) 538-7633

Hello All,

It has been a long time since I have posted to this list but I have
been watching for any question regarding the ISA 2004/2006 plugin. I
have in the past worked on the ISA 2004 plug and wanted to give an
update on it.

The plugin I see is part of the current CVS 2.54 and I am happy to
report that it still compiles without issue and the code is compatible
with ISA 2006. All that is needed is to use the proper DLL when making.
I have several Snort 2.8.0.2 compiled and running on several
Windows-based IDSs (I know most probably cringe) communicating with
SnortSam on both ISA 2004 and 2006 firewalls utilizing the latest CVS
2.54 build.

Speaking of the public CVS the 2.54 version has a small typo in the
file supporting ISA 2000 - ssp_isa.cpp. The path to the contrib folder
has the path to the 2004 contrib subfolder path instead of the needed
2000 contrib folder path.

Line 47 reads -
#import "..\\contrib\\isa2004\\msfpccom.dll" no_namespace

Should read -
#import "..\\contrib\\isa2000\\msfpccom.dll" no_namespace

I have some DLLs and built binaries and more importantly a README for
the plugin I would like to share with the project. The current code
remains the same (except adding an additional line for the 2006 contrib
folder path) so no changes there.
If Matt or Frank could let me know more about how to get those to you
please let me know.

I will continue to watch the list in case someone is interested in
using the plugin and needs help.

Thank you.

Best Regards,

Mark P. Clift
716.447.7000 office
716.332.0060 direct
mark.clift at usitek.com

DISCLAIMER: This transmission may contain information that is
privileged, confidential and/or exempt from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified
that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is STRICTLY
PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its
entirety, whether in electronic or hard copy format. Internet
communications cannot be guaranteed to be timely, secure, error or
virus-free. The sender does not accept liability for any errors or
omissions.


From frank at snortsam.net Wed Dec 17 17:29:00 2008
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 17 Dec 2008 16:29:00 -0600
Subject: [Snortsam-discussion] Modifications to IPtables plugin
Message-ID: <1229552940.22227.19.camel@localhost>

Seasons Greetings!

I just committed the changes to the IPtables plugin that Luis Marichal
has provided, which now allow the IPtables plugin to block on direction
and specific connections. That brings the IPtables plugin to version
2.9.

Matt, if you could please roll new binaries and tarballs, and update
whatever download you provide, that would be great.

Regards,
Frank


From jonkman at jonkmans.com Thu Dec 18 13:25:03 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 18 Dec 2008 13:25:03 -0500
Subject: [Snortsam-discussion] Modifications to IPtables plugin
In-Reply-To: <1229552940.22227.19.camel@localhost>
References: <1229552940.22227.19.camel@localhost>
Message-ID: <494A957F.3040701@jonkmans.com>

A new tarball is available:

http://www.snortsam.net/files/snortsam/snortsam-src-2.57.tar.gz

Enjoy! Happy Holidays! Thanks for the updates Frank.

Matt

Frank Knobbe wrote:
> Seasons Greetings!
>
> I just committed the changes to the IPtables plugin that Luis Marichal
> has provided, which now allow the IPtables plugin to block on direction
> and specific connections. That brings the IPtables plugin to version
> 2.9.
>
> Matt, if you could please roll new binaries and tarballs, and update
> whatever download you provide, that would be great.
>
> Regards,
> Frank

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc