bsdjunkie
May 13th, 2003, 17:01
A new book is out on snort 2.0 and Syngress has a sample chapter up on using snort preprocessors like stream4 and frag2.

http://www.syngress.com/book_catalog/244_snort/sample.pdf


*edit* Just noticed, Syngress offers a downloadable PDF version of the book for half the cover price: $24.95.

Kernel_Killer
May 13th, 2003, 17:25
Very cool BSDjunkie!!!!!!! Everybody should have this IMO.

v902
May 13th, 2003, 20:58
Very cool BSDjunkie!!!!!!! Everybody should have this IMO.


Everyone who uses Snort that is ;)

Strog
May 13th, 2003, 23:35
Everyone who uses Snort that is

They make Snort for Windows too vlad. :twisted:

bsdjunkie
May 14th, 2003, 22:03
another decent security book. fictional stories on real life scenarios of hacking/social engineering... bought the pdf and read it today at work :P

http://www.syngress.com/catalog/sg_main.cfm?pid=2490

elmore
May 14th, 2003, 23:13
now that looks like a good book!

soup4you2
May 15th, 2003, 19:35
another decent security book. fictional stories on real life scenarios of hacking/social engineering... bought the pdf and read it today at work :P

http://www.syngress.com/catalog/sg_main.cfm?pid=2490

wanna share :D

by the way, most people slip up on updating their Snort rules, so it's nice to run a daily script that does something like this:

[code]
#!/bin/sh
# Fetch the current snort.org ruleset and replace the installed *.rules files.
# Stop on the first error so a failed download never wipes the rules directory.
set -e
cd /tmp
rm -rf rules snortrules.tar.gz
fetch http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
mv /tmp/rules/*.rules /usr/local/share/snort/
echo
echo "Snort rules have been updated"
[/code]

bsdjunkie
May 21st, 2003, 16:42
For those of you who have not picked this book up yet, and use Snort regularly, it's definitely worth a look. The more advanced chapters on rule creation and preprocessors are very nice. I also never knew about dynamic rules that could be triggered from activate ones.

One example the book gives is:

activate tcp any any -> any 23 (activates: 23; msg:"Potential Telnet Login";)
dynamic tcp any any -> any 23 (activated_by: 23; count: 20;)

This will look for any traffic going to port 23 (telnet), spawn the dynamic rule and capture the next 20 packets of the session.


Another example, which catches a user trying to su to root and logs 100 packets:

activate tcp any any -> any 23 (activates: 24; msg:"SU - Root Attempt"; content:"su - root";)
dynamic tcp any any -> any 23 (activated_by: 24; count: 100;)

BTW, i know the same type of thing can be done with TAG. Just wanted to point out kewl stuff...

alert tcp any any -> $HOME_NET 23 (tag: host, 100, packets; msg:"Tagging telnet packets to gain auth credentials and executed cmds";)


=)
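
An added example (not from the book or the post above): the activate/dynamic pairing only works when every activates: N has a dynamic rule with activated_by: N and the dynamic rule carries a count. A typo in either number silently leaves the dynamic rule dead, and Snort will not tell you. The checker below parses a small constructed ruleset (the two pairs from the post, the tag rule, and one deliberately orphaned dynamic rule) and reports mismatched pairs. The rule text and line numbers are constructed for the example; the option parser assumes standard key:value; syntax with quoted msg/content values.

```python
import re

# Constructed sample ruleset: the pairs from the post, a tag-based alert, and one
# dynamic rule (activated_by: 99) that no activate rule ever triggers.
SAMPLE_RULES = """
activate tcp any any -> any 23 (activates: 23; msg:"Potential Telnet Login";)
dynamic tcp any any -> any 23 (activated_by: 23; count: 20;)
activate tcp any any -> any 23 (activates: 24; msg:"SU - Root Attempt"; content:"su - root";)
dynamic tcp any any -> any 23 (activated_by: 24; count: 100;)
dynamic tcp any any -> any 22 (activated_by: 99; count: 10;)
# comments and blank lines are ignored
alert tcp any any -> $HOME_NET 23 (tag: host, 100, packets; msg:"Tagging telnet packets";)
"""

# action, header (proto/addrs/ports/direction), then the parenthesised option list
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<opts>.*)\)\s*$")


def parse_options(opts):
    """Split 'key:value; key2;' into a dict. Values keep their quotes; only the first
    occurrence of a repeated key is kept, which is enough for the options checked here."""
    result = {}
    # an option ends at a ';' that is outside double quotes (even number of quotes follow)
    for item in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', opts):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        result.setdefault(key.strip(), value.strip())
    return result


def parse_rules(text):
    """Parse every non-comment line into {line, action, header, opts}."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule: {line}")
        rules.append({"line": lineno, "action": m["action"],
                      "header": m["header"].strip(), "opts": parse_options(m["opts"])})
    return rules


def check_activation_pairs(rules):
    """Return a list of problems: each activates: N needs a dynamic rule with
    activated_by: N and vice versa, and every dynamic rule needs a numeric count."""
    problems, activators, dynamics = [], {}, {}
    for r in rules:
        o = r["opts"]
        if r["action"] == "activate":
            if "activates" not in o:
                problems.append(f"line {r['line']}: activate rule without activates:")
            else:
                activators.setdefault(o["activates"], []).append(r["line"])
        elif r["action"] == "dynamic":
            if "activated_by" not in o:
                problems.append(f"line {r['line']}: dynamic rule without activated_by:")
            else:
                dynamics.setdefault(o["activated_by"], []).append(r["line"])
            if not o.get("count", "").isdigit():
                problems.append(f"line {r['line']}: dynamic rule needs a numeric count:")
    for n, lines in activators.items():
        if n not in dynamics:
            problems.append(f"activates: {n} (line {lines[0]}) has no dynamic rule with activated_by: {n}")
    for n, lines in dynamics.items():
        if n not in activators:
            problems.append(f"activated_by: {n} (line {lines[0]}) has no activate rule with activates: {n}")
    return problems


if __name__ == "__main__":
    for p in check_activation_pairs(parse_rules(SAMPLE_RULES)):
        print(p)
```

Run against a real rules directory by reading the files instead of SAMPLE_RULES; the same check belongs in whatever script installs new rules, since a downloaded update can rename or drop an activate rule that your local dynamic rule depends on.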

elmore
May 21st, 2003, 17:43
by the way most people often slip up on the aspect of updating their snort rules.. so it's nice to run a daily script to do something like this:
[code:1:1386a8fba3]
cd /tmp
rm -rf rules
fetch http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
mv /tmp/rules/*.rules /usr/local/share/snort
echo
echo "Snort Rules Have been updated"
[/code:1:1386a8fba3]

Unless of course you've edited your nids rules to remove things you don't care about/want and/or have customized it by adding your own rules. I use a perl script that comes with snort. oinkmaster maybe. I had to hack it up a little but it seems to work well. newdupl.pl is another script. I've never really looked at it though. Just a thought :)
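
An added example illustrating the caveat above and the update script earlier in the thread (this is not oinkmaster or newdupl.pl, just a minimal version of the same idea): a blind mv of the downloaded *.rules files re-enables every rule you had commented out. The merge below reads the currently installed file, remembers which SIDs the admin disabled, and writes the downloaded file with those SIDs commented out again, reporting what is new. The two rule files are constructed sample input; real runs would read them from /usr/local/share/snort and /tmp/rules.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"(alert|log|pass|activate|dynamic)\s")

# Constructed sample: the installed file, where the admin commented out sid 1001 as too
# noisy, and a fresh download in which 1001 was revised (rev:3) and 1003 is new.
INSTALLED = """\
alert tcp any any -> $HOME_NET 23 (msg:"TELNET login"; sid:1000; rev:1;)
# alert tcp any any -> $HOME_NET 80 (msg:"WEB noisy"; sid:1001; rev:2;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH scan"; sid:1002; rev:1;)
"""

DOWNLOADED = """\
alert tcp any any -> $HOME_NET 23 (msg:"TELNET login"; sid:1000; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB noisy"; sid:1001; rev:3;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH scan"; sid:1002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS oddity"; sid:1003; rev:1;)
"""


def disabled_sids(text):
    """SIDs of rules the admin has commented out ('# alert ...'), ignoring plain comments."""
    sids = set()
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped.startswith("#"):
            continue
        body = stripped.lstrip("#").lstrip()
        m = SID_RE.search(body)
        if m and ACTION_RE.match(body):
            sids.add(int(m.group(1)))
    return sids


def merge(installed, downloaded):
    """Return (merged text, new SIDs, SIDs re-disabled). The downloaded rule text wins
    (so revisions are picked up), but locally disabled SIDs stay commented out."""
    keep_off = disabled_sids(installed)
    old_sids = {int(m.group(1)) for m in SID_RE.finditer(installed)}
    out, new_sids, re_disabled = [], [], []
    for line in downloaded.splitlines():
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        if sid in keep_off and not line.lstrip().startswith("#"):
            out.append("# " + line)
            re_disabled.append(sid)
        else:
            out.append(line)
        if sid is not None and sid not in old_sids:
            new_sids.append(sid)
    return "\n".join(out) + "\n", new_sids, re_disabled


if __name__ == "__main__":
    merged, new, off = merge(INSTALLED, DOWNLOADED)
    print(merged)
    print("new SIDs:", new, "kept disabled:", off)
```

Your own rules belong in a separate local.rules file that the update never touches; this merge only protects the disable decisions you made inside the vendor files, and the list of new SIDs is what you should review before the next daily run.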

soup4you2
May 22nd, 2003, 13:34
i'll take a look at that.... normally i've just been adding to the script to grep out the info i want into a different file.. kind of a tedious process, perhaps the perl script is worth a look..

i've been meaning to learn perl.. i've recently gotten many PDFs on it.. just need to find the time and energy to learn it. (or should i say attempt to learn it.)

v902
May 23rd, 2003, 01:09
Everyone who uses Snort that is

They make Snort for Windows too vlad. :twisted:

Oh man, now I gotta sign up your address for free AOL CDs for that.... :twisted:

Kernel_Killer
September 16th, 2003, 09:11
Did anyone else notice that the book has an upgrade policy? :D

bmk1st
September 25th, 2003, 09:11
Is this book pretty good for beginners too?

Kernel_Killer
September 25th, 2003, 21:11
Very good for anyone.