From luis.daniel.lucio at gmail.com  Thu Apr  2 19:31:45 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Thu, 2 Apr 2009 18:31:45 -0600
Subject: [Snortsam-discussion] Snort3
Message-ID: <200904021831.46026.luis.daniel.lucio@gmail.com>

Will SnortSAM support Snort3?


From frank at snortsam.net  Fri Apr  3 18:56:21 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 03 Apr 2009 18:56:21 -0500
Subject: [Snortsam-discussion] Snort3
In-Reply-To: <200904021831.46026.luis.daniel.lucio@gmail.com>
References: <200904021831.46026.luis.daniel.lucio@gmail.com>
Message-ID: <1238802981.4805.1.camel@localhost>

On Thu, 2009-04-02 at 18:31 -0600, Luis Daniel Lucio Quiroz wrote:
> Will SnortSAM support Snort3?

Not currently.


From mike-ward at utc.edu  Mon Apr 13 14:36:34 2009
From: mike-ward at utc.edu (Michael Ward)
Date: Mon, 13 Apr 2009 14:36:34 -0400
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
Message-ID: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>

Hello,

After downloading the latest snortsam plugin tarball, applying it to
the latest CVS of snort, and compiling (--with-mysql) I get the
following make error

spo_alert_fwsam.c:1295: warning: passing argument 2 of
'TwoFishDecrypt' from incompatible pointer type
make[3]: *** [spo_alert_fwsam.o] Error 1
make[3]: Leaving directory `/root/snort/snort/src/output-plugins'
make[2]: *** [all-recursive] Error 1

Searching Google told me to change

RegisterPlugin("fwsam", AlertFWsamOptionInit);

to

RegisterPlugin("fwsam", AlertFWsamOptionInit,OPT_TYPE_ACTION);

in spo_alert_fwsam.c...

still the same error...

Anybody have any ideas?

thanks

mjw


From cummingsj at gmail.com  Mon Apr 13 14:39:42 2009
From: cummingsj at gmail.com (JJ Cummings)
Date: Mon, 13 Apr 2009 12:39:42 -0600
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
Message-ID: <1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>

Might I suggest using a barnyard snortsam plugin rather than snort
directly... this way you can upgrade / modify your snort without having
to patch it each time.

Read more here: http://global-security.blogspot.com/search?q=snortsam

JJC

On Mon, Apr 13, 2009 at 12:36 PM, Michael Ward wrote:
> Hello,
>
> After downloading the latest snortsam plugin tarball, applying it to
> the latest CVS of snort, and compiling (--with-mysql) I get the
> following make error
>
> spo_alert_fwsam.c:1295: warning: passing argument 2 of
> 'TwoFishDecrypt' from incompatible pointer type
> make[3]: *** [spo_alert_fwsam.o] Error 1
> make[3]: Leaving directory `/root/snort/snort/src/output-plugins'
> make[2]: *** [all-recursive] Error 1
>
> Searching Google told me to change
>
> RegisterPlugin("fwsam", AlertFWsamOptionInit);
>
> to
>
> RegisterPlugin("fwsam", AlertFWsamOptionInit,OPT_TYPE_ACTION);
>
> in spo_alert_fwsam.c...
>
> still the same error...
>
> Anybody have any ideas?
>
> thanks
>
> mjw
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion


From frank at snortsam.net  Tue Apr 14 15:15:42 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 14 Apr 2009 14:15:42 -0500
Subject: [Snortsam-discussion] PF2 committed to CVS
Message-ID: <1239736542.87464.43.camel@localhost>

Greetings,

I can't believe I missed Olaf Schreck's PF2 submission. It has now been
committed to CVS, with the necessary tweaks to get it up-to-date with
the plugin structure changes that occurred since then. That brings
Snortsam to version 2.58.

Please let me know if the PF2 addition causes problems anywhere.

Thanks,
Frank


From frank at snortsam.net  Tue Apr 14 15:12:05 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 14 Apr 2009 14:12:05 -0500
Subject: [Snortsam-discussion] [snortsam-discussion] snortsam on FreeBSD 6.0
In-Reply-To: <20051110140851.GA19606@syscall.de>
References: <4371E65D.20004@asianetindia.com>
	<20051109151932.GA3187@syscall.de>
	<437234D9.3040609@asianetindia.com>
	<20051110140851.GA19606@syscall.de>
Message-ID: <1239736325.87464.39.camel@localhost>

Ahem.... The pf2 plugin submitted...uhm... 4 years ago, has now been
committed to CVS. (It underwent extensive testing!)

It compiles fine, but needs to be tested a bit.

Regards,
Frank

On Thu, 2005-11-10 at 15:08 +0100, Olaf Schreck wrote:
> > Pl send it along, I will test for FreeBSD.
>
> Please try the patch below. It is against stock snortsam 2.40, I run
> it successfully with snort 2.4.3 on OpenBSD 3.8.
>
> Configure like this in snortsam.conf, no options needed:
>
> # new pf plugin instead of old one
> #pf auto=0 log=0 [...]
> pf2
>
> The default anchorname is "snortsam", the default table names are
> "blockin" and "blockout". You need to create the anchor, tables and
> rules yourself, there is no "auto" functionality.
>
> Excerpt from my pf.conf:
>
> anchor snortsam
> load anchor snortsam from "/etc/pf.conf.snortsam"
>
> My /etc/pf.conf.snortsam:
>
> table <blockin> persist
> table <blockout> persist
> block in log quick from <blockin> to any
> block out log quick from any to <blockout>


From khurramjarral at gmail.com  Tue Apr 21 23:40:57 2009
From: khurramjarral at gmail.com (khurram murad)
Date: Wed, 22 Apr 2009 08:40:57 +0500
Subject: [Snortsam-discussion] snortsam with Cisco PIX 525
Message-ID: <unknown>

Hi,

I'm new to snortsam and snort also. I want to use snortsam for
intrusion prevention with a Cisco PIX 525 firewall. Any help will be
greatly appreciated. I patched snort 2.8.0 and it is running without
error. Can anyone guide me what I have to do on the firewall side to be
able to block attacker IPs?

regards
KM


From frank at snortsam.net  Wed Apr 22 18:35:03 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 22 Apr 2009 17:35:03 -0500
Subject: [Snortsam-discussion] snortsam with Cisco PIX 525
Message-ID: <1240439703.11435.10.camel@localhost>

On Wed, 2009-04-22 at 08:40 +0500, khurram murad wrote:
> Hi,
> I'm new to snortsam and snort also. I want to use snortsam for
> intrusion prevention with a Cisco PIX 525 firewall. Any help will be
> greatly appreciated. I patched snort 2.8.0 and it is running without
> error. Can anyone guide me what I have to do on the firewall side to be
> able to block attacker IPs?

Nothing special to do on the PIX. Just configure Snortsam with the PIX
plugin (see README.conf). Snortsam will log into the PIX and issue SHUN
commands to block an IP.

Regards,
Frank


From cunningpike at gmail.com  Fri Apr 24 14:46:48 2009
From: cunningpike at gmail.com (CunningPike)
Date: Fri, 24 Apr 2009 11:46:48 -0700
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
Message-ID: <1240598808.21623.1.camel@arodgers-panasonic>

I would concur, except that in our experience, BY craps out too often
for this to be a usable solution. YMMV.

CP

On Mon, 2009-04-13 at 12:39 -0600, JJ Cummings wrote:
> Might I suggest using a barnyard snortsam plugin rather than snort
> directly... this way you can upgrade / modify your snort without having
> to patch it each time.
>
> Read more here: http://global-security.blogspot.com/search?q=snortsam
>
> JJC
>
> On Mon, Apr 13, 2009 at 12:36 PM, Michael Ward wrote:
> > Hello,
> >
> > After downloading the latest snortsam plugin tarball, applying it to
> > the latest CVS of snort, and compiling (--with-mysql) I get the
> > following make error
> >
> > spo_alert_fwsam.c:1295: warning: passing argument 2 of
> > 'TwoFishDecrypt' from incompatible pointer type
> > make[3]: *** [spo_alert_fwsam.o] Error 1
> > make[3]: Leaving directory `/root/snort/snort/src/output-plugins'
> > make[2]: *** [all-recursive] Error 1
> >
> > Searching Google told me to change
> >
> > RegisterPlugin("fwsam", AlertFWsamOptionInit);
> >
> > to
> >
> > RegisterPlugin("fwsam", AlertFWsamOptionInit,OPT_TYPE_ACTION);
> >
> > in spo_alert_fwsam.c...
> >
> > still the same error...
> >
> > Anybody have any ideas?
> >
> > thanks
> >
> > mjw


From cunningpike at gmail.com  Fri Apr 24 14:48:15 2009
From: cunningpike at gmail.com (CunningPike)
Date: Fri, 24 Apr 2009 11:48:15 -0700
Subject: [Snortsam-discussion] snortsam with Cisco PIX 525
In-Reply-To: <1240439703.11435.10.camel@localhost>
References: <1240439703.11435.10.camel@localhost>
Message-ID: <1240598895.21623.2.camel@arodgers-panasonic>

Works great for us on the same setup - jump into #emerging-threats on
freenode if you have any problems.

CP

On Wed, 2009-04-22 at 17:35 -0500, Frank Knobbe wrote:
> On Wed, 2009-04-22 at 08:40 +0500, khurram murad wrote:
> > Hi,
> > I'm new to snortsam and snort also. I want to use snortsam for
> > intrusion prevention with a Cisco PIX 525 firewall. Any help will be
> > greatly appreciated. I patched snort 2.8.0 and it is running without
> > error. Can anyone guide me what I have to do on the firewall side to be
> > able to block attacker IPs?
>
> Nothing special to do on the PIX. Just configure Snortsam with the PIX
> plugin (see README.conf). Snortsam will log into the PIX and issue SHUN
> commands to block an IP.
>
> Regards,
> Frank


From cummingsj at gmail.com  Fri Apr 24 14:55:31 2009
From: cummingsj at gmail.com (JJ Cummings)
Date: Fri, 24 Apr 2009 12:55:31 -0600
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <1240598808.21623.1.camel@arodgers-panasonic>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
Message-ID: <45A70457-4907-4455-88AD-E1E50F67A85F@gmail.com>

Cough ** barnyard 2 ** cough

Sent from the iRoad

On Apr 24, 2009, at 12:46 PM, CunningPike wrote:
> I would concur, except that in our experience, BY craps out too often
> for this to be a usable solution. YMMV.
>
> CP
>
> On Mon, 2009-04-13 at 12:39 -0600, JJ Cummings wrote:
>> Might I suggest using a barnyard snortsam plugin rather than snort
>> directly... this way you can upgrade / modify your snort without having
>> to patch it each time.
>>
>> Read more here: http://global-security.blogspot.com/search?q=snortsam
>>
>> JJC
>>
>> On Mon, Apr 13, 2009 at 12:36 PM, Michael Ward wrote:
>>> Hello,
>>>
>>> After downloading the latest snortsam plugin tarball, applying it to
>>> the latest CVS of snort, and compiling (--with-mysql) I get the
>>> following make error
>>>
>>> spo_alert_fwsam.c:1295: warning: passing argument 2 of
>>> 'TwoFishDecrypt' from incompatible pointer type
>>> make[3]: *** [spo_alert_fwsam.o] Error 1
>>> make[3]: Leaving directory `/root/snort/snort/src/output-plugins'
>>> make[2]: *** [all-recursive] Error 1
>>>
>>> Searching Google told me to change
>>>
>>> RegisterPlugin("fwsam", AlertFWsamOptionInit);
>>>
>>> to
>>>
>>> RegisterPlugin("fwsam", AlertFWsamOptionInit,OPT_TYPE_ACTION);
>>>
>>> in spo_alert_fwsam.c...
>>>
>>> still the same error...
>>>
>>> Anybody have any ideas?
>>>
>>> thanks
>>>
>>> mjw


From cummingsj at gmail.com  Fri Apr 24 14:56:46 2009
From: cummingsj at gmail.com (JJ Cummings)
Date: Fri, 24 Apr 2009 12:56:46 -0600
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <1240598808.21623.1.camel@arodgers-panasonic>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
Message-ID: <537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>

Also, I have not had BY crap out when talking to snortsam, just
mysql... But that's a different issue!

Sent from the iRoad

On Apr 24, 2009, at 12:46 PM, CunningPike wrote:
> I would concur, except that in our experience, BY craps out too often
> for this to be a usable solution. YMMV.
>
> CP
>
> On Mon, 2009-04-13 at 12:39 -0600, JJ Cummings wrote:
>> Might I suggest using a barnyard snortsam plugin rather than snort
>> directly... this way you can upgrade / modify your snort without having
>> to patch it each time.
>>
>> Read more here: http://global-security.blogspot.com/search?q=snortsam
>>
>> JJC
>>
>> On Mon, Apr 13, 2009 at 12:36 PM, Michael Ward wrote:
>>> Hello,
>>>
>>> After downloading the latest snortsam plugin tarball, applying it to
>>> the latest CVS of snort, and compiling (--with-mysql) I get the
>>> following make error
>>>
>>> spo_alert_fwsam.c:1295: warning: passing argument 2 of
>>> 'TwoFishDecrypt' from incompatible pointer type
>>> make[3]: *** [spo_alert_fwsam.o] Error 1
>>> make[3]: Leaving directory `/root/snort/snort/src/output-plugins'
>>> make[2]: *** [all-recursive] Error 1
>>>
>>> Searching Google told me to change
>>>
>>> RegisterPlugin("fwsam", AlertFWsamOptionInit);
>>>
>>> to
>>>
>>> RegisterPlugin("fwsam", AlertFWsamOptionInit,OPT_TYPE_ACTION);
>>>
>>> in spo_alert_fwsam.c...
>>>
>>> still the same error...
>>>
>>> Anybody have any ideas?
>>>
>>> thanks
>>>
>>> mjw


From cunningpike at gmail.com  Fri Apr 24 15:03:52 2009
From: cunningpike at gmail.com (CunningPike)
Date: Fri, 24 Apr 2009 12:03:52 -0700
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
	<537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
Message-ID: <1240599832.21623.5.camel@arodgers-panasonic>

Yup - and one I have not yet been able to find a fix for. It made a
brief appearance on snort-users, but no concrete fix emerged.

CP

On Fri, 2009-04-24 at 12:56 -0600, JJ Cummings wrote:
> Also, I have not had BY crap out when talking to snortsam, just
> mysql... But that's a different issue!
>
> Sent from the iRoad
>
> On Apr 24, 2009, at 12:46 PM, CunningPike wrote:
> > I would concur, except that in our experience, BY craps out too often
> > for this to be a usable solution. YMMV.
> >
> > CP
> >
> > On Mon, 2009-04-13 at 12:39 -0600, JJ Cummings wrote:
> >> Might I suggest using a barnyard snortsam plugin rather than snort
> >> directly... this way you can upgrade / modify your snort without having
> >> to patch it each time.
> >>
> >> Read more here: http://global-security.blogspot.com/search?q=snortsam
> >>
> >> JJC
> >>
> >> On Mon, Apr 13, 2009 at 12:36 PM, Michael Ward wrote:
> >>> Hello,
> >>>
> >>> After downloading the latest snortsam plugin tarball, applying it to
> >>> the latest CVS of snort, and compiling (--with-mysql) I get the
> >>> following make error
> >>>
> >>> spo_alert_fwsam.c:1295: warning: passing argument 2 of
> >>> 'TwoFishDecrypt' from incompatible pointer type
> >>> make[3]: *** [spo_alert_fwsam.o] Error 1
> >>> make[3]: Leaving directory `/root/snort/snort/src/output-plugins'
> >>> make[2]: *** [all-recursive] Error 1
> >>>
> >>> Searching Google told me to change
> >>>
> >>> RegisterPlugin("fwsam", AlertFWsamOptionInit);
> >>>
> >>> to
> >>>
> >>> RegisterPlugin("fwsam", AlertFWsamOptionInit,OPT_TYPE_ACTION);
> >>>
> >>> in spo_alert_fwsam.c...
> >>>
> >>> still the same error...
> >>>
> >>> Anybody have any ideas?
> >>>
> >>> thanks
> >>>
> >>> mjw


From jeff-kell at utc.edu  Fri Apr 24 15:20:34 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Fri, 24 Apr 2009 15:20:34 -0400
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <1240599832.21623.5.camel@arodgers-panasonic>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
	<537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
	<1240599832.21623.5.camel@arodgers-panasonic>
Message-ID: <49F21102.2090004@utc.edu>

It would appear that getting a snortsam plugin for barnyard2, using
unified format, would have the longest-term stability here.

Has anyone tried integrating the old snortsam/barnyard plugin into
barnyard2 yet?

The snort 2.8.4 / rpc preprocessor / rules incompatibilities are
"forcing our hand" in upgrading from our old 2.6/2.8 snortsam-patched
model to something a little less manual-maintenance intensive on the
upgrade steps.

(Mike, my colleague, started this thread when we tried to get 2.8.4 to
work with the snortsam patch, which is still unsuccessful...)

Jeff


From jonkman at jonkmans.com  Fri Apr 24 15:39:00 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 24 Apr 2009 15:39:00 -0400
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <49F21102.2090004@utc.edu>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
	<537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
	<1240599832.21623.5.camel@arodgers-panasonic>
	<49F21102.2090004@utc.edu>
Message-ID: <49F21554.3020209@jonkmans.com>

I fully agree. We should concentrate efforts on a barnyard2 patch.
Possibly even get the original authors to integrate it. I'll try
reaching out to them.

Matt

Jeff Kell wrote:
> It would appear that getting a snortsam plugin for barnyard2, using
> unified format, would have the longest-term stability here.
>
> Has anyone tried integrating the old snortsam/barnyard plugin into
> barnyard2 yet?
>
> The snort 2.8.4 / rpc preprocessor / rules incompatibilities are
> "forcing our hand" in upgrading from our old 2.6/2.8 snortsam-patched
> model to something a little less manual-maintenance intensive on the
> upgrade steps.
>
> (Mike, my colleague, started this thread when we tried to get 2.8.4 to
> work with the snortsam patch, which is still unsuccessful...)
>
> Jeff

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From frank at snortsam.net  Fri Apr 24 17:37:10 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 24 Apr 2009 16:37:10 -0500
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <49F21554.3020209@jonkmans.com>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
	<537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
	<1240599832.21623.5.camel@arodgers-panasonic>
	<49F21102.2090004@utc.edu>
	<49F21554.3020209@jonkmans.com>
Message-ID: <1240609030.69823.44.camel@localhost>

On Fri, 2009-04-24 at 15:39 -0400, Matt Jonkman wrote:
> I fully agree. We should concentrate efforts on a barnyard2 patch.
> Possibly even get the original authors to integrate it. I'll try
> reaching out to them.

I already contacted firnsy () about that. He said:

"That would be great. You can obtain the codebase from
www.securixlive.com/barnyard2"

Go for it. But don't just use the BY1 plugin. You can use it as a
reference, but I would certainly implement the enhancements of
persistent connections. Should be too hard to rip that from the
forwarder plugin and update BY2 with that.

It would also be nice to update the Snort plugin with the newer packet
version (15). However, it takes a bit of work. Use the forwarder plugin
as an example.

It'll likely be another month before I can take a look at that, so give
it a shot yourself.

Regards,
Frank


From frank at snortsam.net  Fri Apr 24 18:35:58 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 24 Apr 2009 17:35:58 -0500
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <49F21554.3020209@jonkmans.com>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
	<537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
	<1240599832.21623.5.camel@arodgers-panasonic>
	<49F21102.2090004@utc.edu>
	<49F21554.3020209@jonkmans.com>
Message-ID: <1240612558.97735.0.camel@localhost>

On Fri, 2009-04-24 at 15:39 -0400, Matt Jonkman wrote:
> I fully agree. We should concentrate efforts on a barnyard2 patch.
> Possibly even get the original authors to integrate it.

Oh, and as far as the original author of the BY plugin is concerned,
that was me :)

-Frank


From jonkman at jonkmans.com  Fri Apr 24 19:17:26 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 24 Apr 2009 19:17:26 -0400
Subject: [Snortsam-discussion] Snortsam plugin compile problems w/Snort 2.8.4
In-Reply-To: <1240612558.97735.0.camel@localhost>
References: <660F086E-9D62-46B9-8925-96D47DB6F90E@utc.edu>
	<1c79c7b70904131139k6011591bpd8b4753b25765f85@mail.gmail.com>
	<1240598808.21623.1.camel@arodgers-panasonic>
	<537396B2-B408-4604-B4FD-375BCDFC2C8D@gmail.com>
	<1240599832.21623.5.camel@arodgers-panasonic>
	<49F21102.2090004@utc.edu>
	<49F21554.3020209@jonkmans.com>
	<1240612558.97735.0.camel@localhost>
Message-ID: <49F24886.4000809@jonkmans.com>

I meant the barnyard2 guys. :)

Frank Knobbe wrote:
> On Fri, 2009-04-24 at 15:39 -0400, Matt Jonkman wrote:
>> I fully agree. We should concentrate efforts on a barnyard2 patch.
>> Possibly even get the original authors to integrate it.
>
> Oh, and as far as the original author of the BY plugin is concerned,
> that was me :)
>
> -Frank

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From tiago at giovanaz.com.br  Wed Apr 29 16:23:45 2009
From: tiago at giovanaz.com.br (Tiago Giovanaz da Silva)
Date: Wed, 29 Apr 2009 17:23:45 -0300
Subject: [Snortsam-discussion] Snortsam with preprocessor
Message-ID: <1241036625.4005.84.camel@tgs-laptop>

Hello,

I'm new on the list. Can I use snortsam to block on alerts from a
preprocessor? I need to use the Conficker preprocessor
(http://mtc.sri.com/Conficker/contrib/plugin.html).

Thanks,
Tiago
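Editor's note, appended to the archive and not part of any message above or of the SnortSAM code: Olaf Schreck's pf2 notes (quoted in Frank Knobbe's "snortsam on FreeBSD 6.0" reply) leave the anchor, tables and rules to the operator, and say nothing about how to check that a block actually landed. The script below is an added example of the pfctl housekeeping that goes with that setup. The anchor name "snortsam" and the table names "blockin"/"blockout" are the plugin defaults from Olaf's post; the rule file path /etc/pf.conf.snortsam is his example. The PFCTL, ANCHOR and RULES variables and all function names are this example's own assumptions; setting PFCTL=echo lets it dry-run on a host without pf.

```shell
#!/bin/sh
# Added example (not SnortSAM project code): operator-side helpers for the
# pf anchor and tables that the pf2 plugin expects. Defaults below come from
# Olaf's post; variable and function names are assumptions of this example.
# PFCTL=echo turns every pfctl call into a printed command line (dry run).

PFCTL="${PFCTL:-pfctl}"
ANCHOR="${ANCHOR:-snortsam}"
RULES="${RULES:-/etc/pf.conf.snortsam}"

# The anchor ruleset from Olaf's excerpt. "persist" keeps the tables alive
# even when they are empty or the rules are reloaded, which SnortSAM needs
# because it only adds and removes addresses; it does not recreate tables.
pf2_ruleset() {
    cat <<'EOF'
table <blockin> persist
table <blockout> persist
block in log quick from <blockin> to any
block out log quick from any to <blockout>
EOF
}

# Write the ruleset and load it into the anchor. The main pf.conf must still
# carry "anchor snortsam" and "load anchor snortsam from <file>" as in his post.
pf2_install() {
    pf2_ruleset > "$RULES"
    $PFCTL -a "$ANCHOR" -f "$RULES"
}

# Map a direction (in/out) to the table SnortSAM fills for it; reject anything else
# so a typo cannot silently address a non-existent table.
pf2_table() {
    case "$1" in
        "in")  echo blockin ;;
        "out") echo blockout ;;
        *)     echo "pf2_table: direction must be in or out, got '$1'" >&2; return 1 ;;
    esac
}

# Add a block by hand, e.g. to prove the rules bite before trusting SnortSAM.
pf2_block() {
    _t=$(pf2_table "$2") || return 1
    $PFCTL -a "$ANCHOR" -t "$_t" -T add "$1"
}

# Remove one address (a false positive, or a block that SnortSAM failed to expire).
pf2_unblock() {
    _t=$(pf2_table "$2") || return 1
    $PFCTL -a "$ANCHOR" -t "$_t" -T delete "$1"
}

# List the table: entries SnortSAM added appear here alongside manual ones.
pf2_show() {
    _t=$(pf2_table "$1") || return 1
    $PFCTL -a "$ANCHOR" -t "$_t" -T show
}

# Empty one direction entirely, e.g. after a rule misfires on a busy network.
pf2_flush() {
    _t=$(pf2_table "$1") || return 1
    $PFCTL -a "$ANCHOR" -t "$_t" -T flush
}

# A table entry only affects packets that have to pass rule evaluation; pf
# states already established by the attacker keep flowing. Kill those too.
pf2_kill_states() {
    $PFCTL -k "$1"
}

# Stand-alone use: install the anchor, block and confirm, then clean up.
if [ "${1:-}" = "demo" ]; then
    pf2_install
    pf2_block 198.51.100.7 in        # 198.51.100.7 is a documentation address
    pf2_kill_states 198.51.100.7
    pf2_show in
    pf2_unblock 198.51.100.7 in
fi
```

Two things worth knowing when you run this for real: `pfctl -a snortsam -t blockin -T show` is the quickest way to tell whether a block SnortSAM reported actually reached the firewall, and a `block` rule on its own does not tear down connections the attacker already has open, which is why the example follows a block with `pfctl -k`.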