ZeuS Tracker
We are publishing the link to download the list of domains and IPs tied to the ZeuS botnets.
Download the rules created ad hoc from it here!
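An added example of how such ad hoc rules can be built from a tracker-style list of C2 IPs and domains (this is not the rule set the post links to, and the feed, SID range and rule text are assumptions for illustration). IPs get a plain `alert ip` rule; domains are encoded as DNS wire-format labels so the rule matches the name in queries to port 53.

```python
# Added example (not the rules the post links to): turn a ZeuS Tracker style
# list of C2 IPs and domains into Snort rules. Rule text, SID range and the
# blocklist below are assumptions for illustration.
import ipaddress
import re

# Constructed sample feed: one indicator per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# constructed sample, not real tracker data
203.0.113.45
198.51.100.7
zeus-c2.example.net
panel.example.org
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def parse_blocklist(text):
    """Split a feed into (ips, domains); anything else is an error rather than
    silently ending up inside a rule."""
    ips, domains = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.append(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(line):
            domains.append(line.lower())
        else:
            raise ValueError(f"unrecognised indicator: {line!r}")
    return ips, domains


def dns_name_content(domain):
    """DNS wire-format name as a Snort content: string, e.g.
    'www.example.com' -> '|03|www|07|example|03|com|00|'."""
    return "".join(f"|{len(label):02X}|{label}" for label in domain.split(".")) + "|00|"


def generate_rules(ips, domains, sid_base=1000000):
    """One alert rule per indicator. SIDs start at 1000000 (the range reserved
    for local rules) and are allocated sequentially."""
    rules = []
    sid = sid_base
    for ip in ips:
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any '
            f'(msg:"ZeuS Tracker C2 IP {ip}"; classtype:trojan-activity; '
            f'sid:{sid}; rev:1;)'
        )
        sid += 1
    for domain in domains:
        # Match the name in a DNS query to port 53. The first content pins
        # header bytes 2-5 to flags 0x0100 (standard query, RD) and QDCOUNT 1;
        # drop it if your resolvers set extra flag bits such as AD/CD.
        rules.append(
            f'alert udp $HOME_NET any -> any 53 '
            f'(msg:"ZeuS Tracker C2 domain {domain} DNS query"; '
            f'content:"|01 00 00 01|"; offset:2; depth:4; '
            f'content:"{dns_name_content(domain)}"; nocase; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    ips, domains = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(generate_rules(ips, domains)))
```

Feed the output into a local rules file and include it from snort.conf; regenerate whenever the list is refreshed, keeping the SID base stable so existing alert history keeps pointing at the same rule numbers.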
Most Effective Malware-Related Snort Signatures
Most effective malware infection detection Snort signatures as experienced by Malware Threat Center (mtc.sri.com)
http://mtc.sri.com/live_data/signatures/
-> Very interesting <-
Stay tuned!
fastlog
View Snort results with FastLog:
download the package http://www.snortattack.org/fastlog.tgz
# REQUIREMENTS :
#
# mysql > 5.0
# apache (any version)
# php > 4.0
# php modules: php-db, php-mysql
# perl (any version)
# linux kernel 2.6.x
# Snort with fast alerting enabled (e.g. snort -ieth0 -c /etc/snort/snort.conf -A fast -D)
#
# INSTALL :
#
# 1 - create the MySQL database and grant the permissions:
#
# mysql -uroot -p -h localhost
# CREATE DATABASE fastlog;
# GRANT ALL PRIVILEGES ON fastlog.* TO user@localhost IDENTIFIED BY 'password';
#
# import database
#
# mysql -uroot -p fastlog < snort_faster.sql
#
# 2 - give ParseMyLine.pl execute permission:
#
# chmod a+x ParseMyLine.pl
#
# 3 - edit ParseMyLine.pl :
#
# $database = "fastlog";
# $hostname = "127.0.0.1";
# $port = "3306";
# $username = "user";
# $password = "password";
# $FileName = "/var/log/snort/alert";
#
# 4 - edit conf.ini :
#
# db_host = "127.0.0.1"
# db_username = "user"
# db_password = "password"
# db_name = "fastlog"
#
# 5 - move ParseMyLine.pl to /usr/bin/ :
#
# mv ParseMyLine.pl /usr/bin/
#
# 6 - edit the crontab so it runs every 5 minutes:
#
# crontab -e
#
# */5 * * * * /usr/bin/ParseMyLine.pl
#
# 7 - php page :
#
# locate your Apache DocumentRoot or virtual host and create a directory for fastlog, e.g.:
#
# mkdir /var/www/html/fastlog
# mv .htaccess /var/www/html/fastlog/
# mv *.php /var/www/html/fastlog/
# mv conf.ini /var/www/html/fastlog/
# mv favicon.ico /var/www/html/fastlog/
# mv css /var/www/html/fastlog/
#
# set Apache permissions (depends on your configuration)
#
# chown apache: /var/www/html/fastlog/ -R
#
#
#
# 8 - htpasswd (optional but strongly recommended):
#
# You should protect your fastlog web page. For example, insert in .htaccess:
#
# AuthName "Fastlog Area"
# AuthType Basic
# AuthUserFile /var/www/fastlog.htpasswd
# Require user fastlog
#
# (the <Directory> block for that path in the Apache config needs AllowOverride AuthConfig,
# otherwise the .htaccess is ignored and the page stays open; keep the password file outside
# the DocumentRoot, as above, so it cannot be downloaded)
#
# and create the password file (-c creates it from scratch, overwriting an existing one):
#
# htpasswd -c /var/www/fastlog.htpasswd fastlog
#
# 9 - point to the page :
#
# http://127.0.0.1/fastlog/
#
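ParseMyLine.pl is the piece that turns the `-A fast` alert file into database rows every five minutes. The following is an added example of that import step, written here in Python rather than taken from the fastlog package, with the alert lines constructed for the demo and the `alerts` table and its columns assumed. It shows the two things a cron-driven importer has to get right: only consuming complete lines (Snort may be mid-write when cron fires) and passing alert fields to the database as parameters instead of splicing them into the SQL.

```python
# Added example: parser for Snort "-A fast" alert lines, the format that
# ParseMyLine.pl imports into MySQL. Python stands in for the Perl script;
# the table name `alerts` and its columns are assumptions.
import re

# Constructed sample alert file; SIDs and messages are illustrative only.
# The last line is deliberately cut off, as if Snort were still writing it.
SAMPLE_ALERT_LOG = (
    "05/09-11:03:33.116489  [**] [1:2003:8] MS-SQL Worm propagation attempt "
    "[**] [Classification: Misc Attack] [Priority: 2] {UDP} "
    "192.168.1.10:1434 -> 10.0.0.1:1434\n"
    "05/09-11:04:01.000123  [**] [1:1000001:1] LOCAL ping sweep [**] "
    "[Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.1\n"
    "05/09-11:05:17.5"
)

# Fast-format line: timestamp [**] [gid:sid:rev] msg [**] [Classification: x]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. IPv4 addresses only;
# Classification is optional (rules without classtype omit it), ports are
# absent for ICMP.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>[0-9.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+?)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"] or "",
        "priority": int(d["prio"]),
        "proto": d["proto"],
        "src_ip": d["src"], "src_port": int(d["sport"]) if d["sport"] else None,
        "dst_ip": d["dst"], "dst_port": int(d["dport"]) if d["dport"] else None,
    }


def read_complete_lines(text, offset):
    """Return the complete lines after `offset` and the new offset.

    Only newline-terminated lines are returned, so a line Snort is still
    writing when cron fires is picked up on the next run instead of being
    imported half-parsed. If the file shrank below the saved offset it was
    rotated, so start over. With a real file, seek() on the byte offset and
    persist it between runs."""
    if offset > len(text):
        offset = 0
    chunk = text[offset:]
    end = chunk.rfind("\n")
    if end == -1:
        return [], offset
    return chunk[: end + 1].splitlines(), offset + end + 1


def import_alerts(text, offset=0):
    """One cron run: (parsed records, unparseable lines, offset for next run)."""
    records, bad = [], []
    lines, new_offset = read_complete_lines(text, offset)
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            bad.append(line)
        else:
            records.append(rec)
    return records, bad, new_offset


INSERT_SQL = (
    "INSERT INTO alerts (timestamp, gid, sid, rev, msg, classification, "
    "priority, proto, src_ip, src_port, dst_ip, dst_port) "
    "VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)"
)


def insert_params(rec):
    """Parameter tuple for INSERT_SQL. Handing these to cursor.execute()
    separately keeps msg/classification out of the SQL text, so a rule message
    containing a quote cannot break (or alter) the statement."""
    return (rec["timestamp"], rec["gid"], rec["sid"], rec["rev"], rec["msg"],
            rec["classification"], rec["priority"], rec["proto"],
            rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"])


if __name__ == "__main__":
    recs, bad, off = import_alerts(SAMPLE_ALERT_LOG)
    for r in recs:
        print(INSERT_SQL, insert_params(r))
    print("next offset:", off, "unparsed:", bad)
```

In the real importer the loop would be `cursor.execute(INSERT_SQL, insert_params(rec))` per record, with the returned offset written to a small state file so consecutive cron runs do not re-import the same alerts.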
Bypass IDS
breakingpointsystems.com says: "the three-way handshake is a lie!"
Link:
http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three...
This is a simple and effective method to bypass the IDS.
Snort's answer came quickly: add "require_3whs" to the stream5 preprocessor. With that option stream5 only creates a TCP session after seeing the SYN / SYN-ACK / ACK exchange, instead of also picking up a session midstream from data segments alone. The trade-off is that connections already open when Snort starts (or restarts) are no longer tracked; the option accepts a number of seconds after startup during which midstream pickup is still allowed (e.g. require_3whs 30) to soften that.
vulnerable :
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
not vulnerable :
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, require_3whs
Stay Tuned!