Re: iptables with a linux bridge
On Wed, 28 Nov 2001, François Bayart wrote:

> I've installed a linux bridge with 2.4.14 kernel and the bridge-utils packages

Did you include the netfilter patch?
http://bridge.sourceforge.net/download.html
Remember to exclude the netfilter debug option.

> That correctly works but now I would like to create some filtering rules and I
> try with iptables and it doesn't work
> ex, just drop the icmp :

The three chains you are looking for are prerouting, forward and postrouting.
/usr/share/doc/bridge-utils/FIREWALL.IPTABLES

Hope this puts you on the right track.

With regards
Jigal

--
Trracer_: Of course you have to give something up for the privilege of continuing to work for dth. Getting fired at cistron is actually also a kind of promotion :)
Re: Which ssh should I have?
On Wed, 07 Nov 2001, jigal wrote:

> Here you find a reference to the vuln, fixed.
> http://www.debian.org/security/2001/dsa-027

I am sorry, I found by reading it again that it doesn't mention it.
But I found this in the archives of the security mailing list:
http://lists.debian.org/debian-security/2001/debian-security-200102/msg00138.html

The previous mail in the thread refers to:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
which is the vuln in question.

You could however grab the source of ssh from the unstable tree and compile it yourself.

Regards,
Jigal

--
In short, his argument is that Holland, Germany and France (the biggest critic of Echelon) are bigger buggers of their own citizens than the Anglo-Saxon nations they're so paranoid about.
Re: Which ssh should I have?
On Wed, 07 Nov 2001, Ville Uski wrote:

> The ssh package I currently have is ssh_1.2.3-9.3_i386.deb.
>
> I have understood that the crc32 bug was already found in February so I
> find it hard to believe that it's not already fixed on debian (I'm
> running woody on a laptop PC). I should have all the security fixes
> installed on my system (there is this security.debian.org line on my
> sources.list file).

Here you find a reference to the vuln, fixed.
http://www.debian.org/security/2001/dsa-027

greets
Jigal

--
Fortunately, things turned out well for the left-wing radicals. They are now aldermen, members of parliament, mayors.
Re: snort rules (Was: Attack alert from snort)
On Thu, 12 Jul 2001, Martin Domig wrote:

> Hello
>
> As I am using snort I keep getting many warnings in my logfiles which I
> don't know what they mean. For example the following entry:
>
> Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - SMTP Chameleon
> Overflow: xxx.xxx.xxx.xxx:44772 -> yyy.yyy.yyy.yyy:25

Again you might want to check out the rule itself and the stream/packet content. Some rules are prone to false positives.

> This tells me that someone is doing funny stuff to my mailserver (I keep
> getting those all the time), but I don't know what is causing this entry
> and how "dangerous" this "attack" is. Is there any resource where I can
> search for snort warnings (those IDSxxx codes) and look up more information
> about a single snort rule?

You can check out these IDS(\d+) at www.whitehats.com where you can also find new rules and updates to older ones.

greets
Jigal

--
I can run SETI@HOME with total impunity! FORTY-TWO ! - cerebro
Re: Attack alert from snort
On Fri, 06 Jul 2001, Philippe Clérié wrote:

> I got the following from snort :
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jul 6 07:48:19 canopus snort[3884]: spp_http_decode: IIS Unicode
> attack detected: 128.95.75.153:1647 -> 208.52.11.121:80
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jul 6 05:36:39 canopus snort[526]: spp_http_decode: IIS Unicode
> attack detected: 204.253.198.48:61383 -> 216.136.172.167:80
>
> The bottom one particularly worries me as that seems to come from my
> system. Should I worry? If so how do I go about getting out of
> trouble?

You might want to check the payload of the packets and verify whether this is a genuine positive. You might be dealing with a false positive here.

greets
Jigal

--
In short, his argument is that Holland, Germany and France (the biggest critic of Echelon) are bigger buggers of their own citizens than the Anglo-Saxon nations they're so paranoid about.
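
Added example, not part of the original posts: a triage pass over snort syslog alerts in the two formats quoted in the snort threads above. It pulls out the IDSxxx number and CAN id for lookup and tags direction, so alerts sourced from your own hosts stand out for payload review. The function names, the sample lines and the `192.0.2.0/24` local network are constructed for illustration.

```python
import ipaddress
import re

# Syslog form quoted in the threads:
#   "... snort[<pid>]: <message>: <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"snort\[\d+\]: (?P<msg>.+?): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)
IDS_RE = re.compile(r"\bIDS(\d+)\b")         # the IDSxxx rule number
CAN_RE = re.compile(r"\bCAN-\d{4}-\d{4}\b")  # CVE candidate id, if present

# Constructed sample lines (documentation addresses), modelled on the posts.
SAMPLE = [
    "Jul 11 01:17:46 keeper snort[6079]: IDS266 - CAN-1999-0261 - "
    "SMTP Chameleon Overflow: 198.51.100.7:44772 -> 192.0.2.25:25",
    "Jul  6 07:48:19 canopus snort[3884]: spp_http_decode: IIS Unicode "
    "attack detected: 203.0.113.9:1647 -> 192.0.2.80:80",
    "Jul  6 05:36:39 canopus snort[526]: spp_http_decode: IIS Unicode "
    "attack detected: 192.0.2.10:61383 -> 198.51.100.80:80",
    "Jul  6 05:40:00 canopus sshd[99]: unrelated line",
]

def parse_alert(line):
    """Return a dict for one alert line, or None if it is not a snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    ids, can = IDS_RE.search(m["msg"]), CAN_RE.search(m["msg"])
    return {
        "msg": m["msg"],
        "ids": ids.group(1) if ids else None,
        "can": can.group(0) if can else None,
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }

def triage(lines, local_nets):
    """Parse alerts and tag each as inbound, outbound or other."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    local = lambda ip: any(ip in n for n in nets)
    alerts = []
    for a in filter(None, map(parse_alert, lines)):
        s, d = local(a["src"]), local(a["dst"])
        a["direction"] = "outbound" if s and not d else "inbound" if d and not s else "other"
        alerts.append(a)
    return alerts

if __name__ == "__main__":
    for a in triage(SAMPLE, ["192.0.2.0/24"]):
        print(a["direction"], a["ids"], a["can"], a["src"], "->", a["dst"], a["dport"])
```

An "outbound" tag only says the source address is local; whether it is a genuine positive still depends on the packet payload, as the replies say.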