On Wed, Nov 14, 2012 at 04:46:53PM +0100, Quentin Poirier wrote:
> http://anonscm.debian.org/viewvc/secure-testing/data/CPE/list?view=markup
> So? Would you be interested by a file like this?
I am very interested. I think we (as in Debian-project) should start using
CPEs. We probably need some k
Hello,
I apologize for the mistakes I will make, I am not a native speaker.
Yesterday, I asked a question to the security team and they told me to
ask it here: (in short) Is there a file that bonds cpe ids to package
names?
I know this file exists:
http://anonscm.debian.org/viewvc/secure-testing
Hi!
john wrote:
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deliver really useful information t
that message you knew something was wrong).
>>
>> It required a bit of tuning to not report errors regularly, but once I
>> spent
>> that time it was fairly hands-off.
>
> One way to use Tripwire in conjunction with a slightly more modern and
> lightweight file-based ID
tuning to not report errors regularly, but once I
> > spent
> > that time it was fairly hands-off.
>
> One way to use Tripwire in conjunction with a slightly more modern and
> lightweight file-based IDS alongside it:
> http://linuxgazette.net/issue98/moen.html
>
>
On Wed, 2009-06-03 at 08:53 -0700, john wrote:
> On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha wrote:
> > I'm surprised more people aren't running tripwire or other IDS.
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Esp
On Wed, Jun 3, 2009 at 5:53 PM, john wrote:
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deli
but once I spent
> that time it was fairly hands-off.
One way to use Tripwire in conjunction with a slightly more modern and
lightweight file-based IDS alongside it:
http://linuxgazette.net/issue98/moen.html
(That article is not, however, a comparative review, which is apparently
what the origin
Remember that a HIDS (host IDS) is just a detective control on the
host. It shows that you have been hacked; you will probably want a
good NIDS (network IDS) to see what attacks are being attempted over
the wire.
HIDS is good to quickly detect a compromise...
http://sourceforge.net
In <2be970b50906030853t29dfb90atd60089611f98e...@mail.gmail.com>, john
wrote:
>On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha wrote:
>> I'm surprised more people aren't running tripwire or other IDS.
>
>I'd be interested to hear some recommendations for IDS to
On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha wrote:
> I'm surprised more people aren't running tripwire or other IDS.
I'd be interested to hear some recommendations for IDS to run on
internet facing servers. Especially from the point of view of ease of
installation, ease of ma
Yes, it's an IDS I am looking for because I need an alarm when somebody
is doing what he/she is not supposed to do to a set of machines.
The thing with Honeynet is that they just sit there and hope somebody
will hack it.
But thanks, I have started the work on Snort and will deve
--On April 10, 2006 10:39:18 AM +0200 Lezgin Bakircioglu
<[EMAIL PROTECTED]> wrote:
Greetings to everybody in the security scene.
I have a question around the area IDS.
I am in a difficult situation, I need an IDS that shall support a
non-well-known protocol, is there any tip on any go
Greetings to everybody in the security scene.
I have a question around the area IDS.
I am in a difficult situation, I need an IDS that shall support a
non-well-known protocol, is there any tip on any good IDS that is easy
to dev an understanding for this protocol?
Any good docs/howto or guides
In honor of CAN to CVE switchover day, I've written a program that will
notice changes in the testing security team's database of security
issues, and uses this to set/unset usertags (with
debian-security@lists.debian.org as the "user") in the BTS. So for any
CVE that we record as having a bug rep
mputer passwords are updated by the windows boxes
> regularly also applied when a user changes his password, so tell the IDS
> to ignore the ctime flag for that file.
If the passwords change, the contents of the file smbpasswd
changes. IIRC, that means the mtime changes. Now, even if
that
oxes
regularly also applied when a user changes his password, so tell the IDS
to ignore the ctime flag for that file.
>
> Thanks in advance,
> Albert
>
>
--
Regards,
Mirco 'meebey' Bauer
PGP-Key:
http://keyserver.noreply.org/pks/lookup?op=get&search=0xEEF946C8
Hello, all!
Looking at how samhain was recommended as a pain-free
IDS here, I decided to give it a try. I never had
enough time to configure an IDS properly in the past.
Now samhain seems to work fine and does not appear to
be too difficult at the first sight. Thanks for the
recommendation
On Sun, Jun 26, 2005 at 05:22:27PM +0200, Filippo Giunchedi wrote:
> [sorry for crossposting, but this is relevant to both ML, please cc]
>
> Hi,
> while searching bugtraq for not-yet-fixed security bugs, I found out that
> there
> is no reliable way (apart from testing yourself) if a package has
[sorry for crossposting, but this is relevant to both ML, please cc]
Hi,
while searching bugtraq for not-yet-fixed security bugs, I found out that there
is no reliable way (apart from testing yourself) if a package has been patched
for a specific security advisory.
It would be fine to include as b
On Wed, 2005-01-12 at 16:57 +1100, Andrew Pollock wrote:
> Hi,
>
> I've done some cursory apt-cache searching, and nothing's jumped out at
> me...
>
> Is there software in Debian that will do something along the lines of a tail
> -f of a given logfile, looking for supplied regexs and do custom ac
On Wed, Jan 12, 2005 at 04:57:41PM +1100, Andrew Pollock wrote:
> Hi,
>
> I've done some cursory apt-cache searching, and nothing's jumped out at
> me...
Have you read this?
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-log-alerts
Logcheck is more or less the standard way
On Wednesday, 2005-01-12 at 16:57:41 +1100, Andrew Pollock wrote:
> Is there software in Debian that will do something along the lines of a tail
> -f of a given logfile, looking for supplied regexs and do custom actions on
> matches?
I'm using swatch. But swatch can only limit the number of actio
Hi,
I've done some cursory apt-cache searching, and nothing's jumped out at
me...
Is there software in Debian that will do something along the lines of a tail
-f of a given logfile, looking for supplied regexs and do custom actions on
matches?
I want to tarpit excessive SSH login failures.
rega
- Original Message -
From: "Andreas Barth" <[EMAIL PROTECTED]>
To:
Sent: Sunday, September 07, 2003 12:41 AM
Subject: php with different user ids under apache?
> Hi,
>
> what is the recommended approach to allow the usage of different user
> ids for php
- Original Message -
From: "Andreas Barth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 07, 2003 12:41 AM
Subject: php with different user ids under apache?
> Hi,
>
> what is the recommended approach to allow the usage of different
Hi,
what is the recommended approach to allow the usage of different user
ids for php with apache?
- mod_php with apache means that the scripts are executed under
apache's uid, and suexec doesn't work.
- apache2 does not have php4 support (see
http://lists.debian.org/debian-devel/2003/d
All,
Thanks for the great response to this thread. I knew (at the time I
posted) such a tactic (if not properly implemented/configured) could lead
to a denial of service attack, but I appreciate those who took the time
to point that out for everyone.
--
Phillip Hofmeister
PGP/GPG Key:
http://www
are, of course, that you are re-inventing Prelude [1] right? (and
that is only one of the distributed IDS systems currently available with a
GPL license)
Friendly,
Javi
[1] http://prelude-ids.org
On Tue, 01 Jul 2003 at 15:13:00 -0400, Matt Zimmerman wrote:
> On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:
>
> > On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> > > Not really a good idea. Consider what happens when someone forges the IP
> > > addresses.
> >
>
On Tue, Jul 01, 2003 at 06:39:51PM +0200, Thomas Ritter wrote:
> If you want to start your own project, you'll have to guarantee _you_ can
> always login. Also, with dynamic IPs those rules should be outdated after
> some time.
That's one of the key issues. Many attacks come from dial up
blocks
On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:
> On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> > Not really a good idea. Consider what happens when someone forges the IP
> > addresses.
>
> One can predefine trusted or other very important IP addresses which
> ca
Another problem seems to be that script kiddies aren't always doing recon
before they do an attack, it seems to be fairly common lately to just run
a series of scripted attacks against a range of IPs (so if you are
vulnerable, you could be exploited at the same time the IDS detects the
attack, if
> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now. If not, is this
> a good idea? If it is who would be a person/group that would be
> qualified and have the time/interest to develop it.
Abacus Portsentry binds itself
Look snort 2.0.0 [1]
It's an Intrusion Detection System. There's a preprocessor for Snort called
'Guardian'[2] to do things like you want. But read the other answers in this
thread carefully!
Thomas Bechtold
[1] http://snort.org
[2] http://www.chaotic.org/guardian/
On Tuesday 01 July 2003 00:
On Tuesday, July 1, 2003 04:39, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device
> > (/dev) or an IPC which would originate from syslog-ng. This daemon
> > would then parse the
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
>
> > A daemon sits running in the background listening to a special device
> > (/dev) or an IPC which would originate from syslog-ng. This daemon
> > would then pars
Volker Tanger said:
> ...which is the official license to shoot yourself in the foot. What
> happens if I send you a forged, suspicious packet with source-IP equal
> to the IP address of your gateway router, your DNS server, your internal
> system(s), ...
This is not necessarily a serious problem. In case of using Snort as an
IDS you can make it send alerts only for established TCP sessions. You
are right when you assume that a single IP packet with a spoofed source
address makes your system go nuts. However running snort with opt
Check out psad, which is similar to what you want (and I use it)...
You can see psad at http://www.cipherdyne.com/psad/, which is somehow related to
Bastille Linux http://www.bastille-linux.org/. Or just apt-get install psad.
--jordan
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Philli
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device
> (/dev) or an IPC which would originate from syslog-ng. This daemon
> would then parse the log and look for suspicious things. If it found
> something suspi
Hi,
There is an Intrusion Detection System (IDS) named Snort (http://www.snort.org)
There you can log to syslog, database, tcpdump-file,...
And there are some preprocessors which can block 'bad' traffic.
Snort can do much more. Read the FAQ
http://www.snort.org/docs/FAQ.txt
Thomas Be
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device
> (/dev) or an IPC which would originate from syslog-ng. This daemon
> would then parse the log and look for suspicious things. If it found
> something susp
Greetings!
On Mon, 30 Jun 2003 18:38:33 -0400 Phillip Hofmeister
<[EMAIL PROTECTED]> wrote:
> This daemon
> would then parse the log and look for suspicious things. If it found
> something suspicious it would use regular expression to grab out
> pertinent parts of the log (say the IP address) an
Greets all,
A previous post spawned an idea of mine. I am not sure if there is a
project available for this or not. Here we go:
A daemon sits running in the background listening to a special device
(/dev) or an IPC which would originate from syslog-ng. This daemon
would then parse the log and
s capability and mandatory ACLs
support in a linux multi-user environment.
there are pre-configured signatures for a multi-user environment, but
not signatures for network based attacks.
get snort from http://www.snort.org and the arachnids patterns from
http://www.whitehats.com for a network IDS
Hi,
Try this: http://www.lids.org/
- Original Message -
From: "Osvaldo Mundim Junior" <[EMAIL PROTECTED]>
To:
Sent: Monday, November 05, 2001 6:45 PM
Subject: IDS
> Hi,
>
> can anybody tell me where I can get an Intrusion Detection System's
ba
Hi,
Try this: http://www.lids.org/
- Original Message -
From: "Osvaldo Mundim Junior" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 05, 2001 6:45 PM
Subject: IDS
> Hi,
>
> can anybody tell me where I can get an Intrusion Detect
On Mon, 5 Nov 2001, Osvaldo Mundim Junior wrote:
>Hi,
>
>can anybody tell me where I can get an Intrusion Detection System's base?
>I need the signatures of attack...
Whitehats.com has a wonderful list for snort, but the new regime for snort
has a lot of whitehats' content in the additional
Hi,
can anybody tell me where I can get an Intrusion Detection System's base?
I need the signatures of attack...
tks a lot...
--
___
Osvaldo
On Mon, 5 Nov 2001, Osvaldo Mundim Junior wrote:
>Hi,
>
>can anybody tell me where I can get an Intrusion Detection System's base?
>I need the signatures of attack...
Whitehats.com has a wonderful list for snort, but the new regime for snort
has a lot of whitehats' content in the additiona
On Fri, Feb 09, 2001 at 03:59:02PM +0100, NDSoftware wrote:
> Where can I find a good IDS for Debian?
I guess snort falls into this category and it's already packaged:
apt-cache show snort
Package: snort
Priority: optional
Section: net
Installed-Size: 656
Maintainer: Christian Hammers
On Fri, Feb 09, 2001 at 03:59:02 +0100, NDSoftware wrote:
> Where can I find a good IDS for Debian?
take a look at snort and the corresponding homepage. NFR isn't yet
packaged.
--
"Mine! Mine! It's all mine!"
-- Daffy Duck
Where can I find a good IDS for Debian?
Thanks
Nicolas DEFFAYET, NDSoftware
http://www.ndsoftware.net - [EMAIL PROTECTED]
France: Tel +33 671887502 - Fax N/A
UK: Tel +44 8453348750 - Fax +44 8453348751
USA: Tel N/A - Fax N/A
---
Note: All HTML email sent to me can be deleted for security reasons.
Where can I find a good IDS for Debian?
Thanks
Nicolas DEFFAYET, NDSoftware
http://www.ndsoftware.net - [EMAIL PROTECTED]
France: Tel +33 671887502 - Fax N/A
UK: Tel +44 8453348750 - Fax +44 8453348751
USA: Tel N/A - Fax N/A
---
Note: All HTML email sent to me can be deleted for security