* Steve Kemp
| (Essentially apt-get + apt-cache for snort rules. Clearly packaging a
| single rule file within one package is a gross misuse of resources but
| it might be sufficient if they were signed and hosted somewhere
| sensible..)
They could all be packaged into a single package
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
[Short version: see the patch below.]
(after a few days w/o answers from Snort's maintainer)
Sander, any comments wrt to this patch? Please at least say whether you are
going to forward this to Snort maintainers or use it in
On Tue, Aug 26, 2003 at 01:29:31AM +0200, Javier Fernández-Sanguino Peña wrote:
[Short version: see the patch below.]
(after a few days w/o answers from Snort's maintainer)
Sander, any comments wrt to this patch? Please at least say whether you are
going to forward this to Snort maintainers
On Wed, Aug 27, 2003 at 05:47:12AM +0200, Josip Rodin wrote:
Well, _something_ threw dpkg off, because it doesn't always prompt
erroneously. Trouble is, we are never able to locate the culprit... :(
http://bugs.debian.org/108587
lists some situations where this can happen.
--
- mdz
On Wed, Aug 27, 2003 at 12:06:15AM -0400, Matt Zimmerman wrote:
Well, _something_ threw dpkg off, because it doesn't always prompt
erroneously. Trouble is, we are never able to locate the culprit... :(
http://bugs.debian.org/108587
lists some situations where this can happen.
Ah, so I
On Mon, Aug 25, 2003 at 02:17:51AM +1000, Anthony Towns wrote:
That's for Martin Schulze (Joey - Stable Release Manager) and/or the security
team to decide; not ftpmaster.
A quick scan of those bugs doesn't reveal anything which looks like a
security vulnerability, so this would seem to be
On Sun, Aug 24, 2003 at 03:57:45PM +0200, Sander Smeenk wrote:
I'm about to close 95153, 133049, 158040, 16, 170580, 173331, 176223,
135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
and 189780
Quoting Matt Zimmerman ([EMAIL PROTECTED]):
That's for Martin Schulze (Joey - Stable Release Manager) and/or the security
team to decide; not ftpmaster.
A quick scan of those bugs doesn't reveal anything which looks like a
security vulnerability, so this would seem to be purely an
Quoting Matt Zimmerman ([EMAIL PROTECTED]):
I'm about to close 95153, 133049, 158040, 16, 170580, 173331, 176223,
135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
and 189780 with a nice
On Mon, 25 Aug 2003 09:24:41 +0200, Magnus Ekdahl [EMAIL PROTECTED]
wrote:
For users without an internet connection Marc Haber maintains the
clamav-data package which includes a static database. As well as the
clamav-getfiles package to update it from a computer with internet access.
And daily,
On Mon, Aug 25, 2003 at 09:04:08AM -0600, Jamin W. Collins wrote:
On Mon, Aug 25, 2003 at 10:19:55AM +0200, Sander Smeenk wrote:
We've been over this in debian-security before. I fixed the 1.8.4
package once, it got rejected, and I tried to have 2.0.x installed in
Stable, but of course, you
On Mon, Aug 25, 2003 at 10:28:18AM +0200, Sander Smeenk wrote:
Quoting Josip Rodin ([EMAIL PROTECTED]):
Oh and it didn't even want to start properly -- and the init script wasn't
even so kind to tell me, I had to learn from syslog that
Aug 24 16:57:23 hostname snort: FATAL ERROR: Unable
On Sun, Aug 24, 2003 at 08:59:06AM -0600, Jamin W. Collins wrote:
On Sun, Aug 24, 2003 at 03:57:45PM +0200, Sander Smeenk wrote:
Before you object to this rather 'rude' bughandling, please keep in
mind that version 1.8.4 of snort, which is in stable, has 3 severe
security exploits,
On Mon, Aug 25, 2003 at 12:11:07PM -0400, Noah L. Meyerhans wrote:
No. New attacks represent security threats. Old attacks represent
curiosities, at best (i.e. have you seen any Redhat 6.2 rpc.statd attacks
lately?)
An intrusion detection system that can not detect known intrusions is not
On Tue, Aug 26, 2003 at 12:24:11AM +0200, Sander Smeenk wrote:
This problem only exists for snort packages that aren't going to be
updated, like the ones that reach stable. The unstable package is up to
date enough to have all correct rules, imho.
The other thing is, snort.org's people
On Mon, Aug 25, 2003 at 10:29:30AM +0200, Sander Smeenk wrote:
Quoting Jamin W. Collins ([EMAIL PROTECTED]):
Before you object to this rather 'rude' bughandling, please keep in
mind that version 1.8.4 of snort, which is in stable, has 3 severe
security exploits,
So, why hasn't a
On Tue, Aug 26, 2003 at 12:46:45AM +0200, Sander Smeenk wrote:
Let's first start by telling that my backported packages never made it
to security updates that every good stable user should have in their apt
sources. The DSA just pointed users who actually read it to my p.d.o.
site.
Would you
On Tue, Aug 26, 2003 at 11:40:10AM +0200, Sander Smeenk wrote:
Quoting Matt Zimmerman ([EMAIL PROTECTED]):
What are these bugs exactly?
If I recall correctly, it was two memory allocation faults in the RPC
code, and one in the fragmented packet reassembly code.
I assumed that you were
On Tue, Aug 26, 2003 at 11:07:00AM -0400, Matt Zimmerman wrote:
On Mon, Aug 25, 2003 at 09:04:08AM -0600, Jamin W. Collins wrote:
Actually that's not true, as an example I refer you to SSH.
A stunning example of what a terrible idea it is to do this.
Never said it was a good idea, just
* Marc Haber ([EMAIL PROTECTED]) [030826 16:05]:
On Mon, 25 Aug 2003 09:24:41 +0200, Magnus Ekdahl [EMAIL PROTECTED]
wrote:
For users without an internet connection Marc Haber maintains the
clamav-data package which includes a static database. As well as the
clamav-getfiles package to
On Tue, 26 Aug 2003 16:10:36 +0200, Andreas Barth
[EMAIL PROTECTED] wrote:
* Marc Haber ([EMAIL PROTECTED]) [030826 16:05]:
And daily, untested packages are built automatically on gluck and are
aptable from
deb http://people.debian.org/~zugschlus/clamav-data/ /
Add a debconf-question about
Andreas Barth wrote:
* Marc Haber ([EMAIL PROTECTED]) [030826 16:05]:
deb http://people.debian.org/~zugschlus/clamav-data/ /
Add a debconf-question about adding this to sources.list?
Maybe README.Debian is better. In addition one might add a reference to
README.Debian to error messages
On Mon, Aug 25, 2003 at 11:00:06AM -0500, Adam Heath wrote:
I've upgraded to this version and it has required me to press y to replace
modified conffiles in /etc/snort/rules/ about two dozen times, while I'm
pretty sure I never touched any of them. That's a pretty impressive
On Monday 25 August 2003 04:02, Noah L. Meyerhans wrote:
I can think off-hand of at least one other security related tool that
needs frequent updating of a ruleset: nessus. It is an active probing
clamav needs to update its virus definitions - it's exactly the same case
again.
-- vbi
--
Adrian von Bidder wrote:
On Monday 25 August 2003 04:02, Noah L. Meyerhans wrote:
I can think off-hand of at least one other security related tool that
needs frequent updating of a ruleset: nessus. It is an active probing
clamav needs to update its virus definitions - it's exactly the same case
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
'semi up to date'. Still a lot of people use the outdated and utterly
broken 1.8.4 release and complain. Although these complaints are correct,
Maybe because they are not aware of your backporting efforts.
And they never will be,
Quoting Josip Rodin ([EMAIL PROTECTED]):
[2] deb http:///people.debian.org/~ssmeenk/snort-stable-i386/ ./
~ Typo.
Oops.
I've upgraded to this version and it has required me to press y to replace
modified conffiles in /etc/snort/rules/ about two dozen times, while I'm
pretty
Quoting Josip Rodin ([EMAIL PROTECTED]):
Oh and it didn't even want to start properly -- and the init script wasn't
even so kind to tell me, I had to learn from syslog that
Aug 24 16:57:23 hostname snort: FATAL ERROR: Unable to open rules file:
../rules/bad-traffic.rules or
On Mon, Aug 25, 2003 at 10:25:28AM +0200, Sander Smeenk wrote:
I've upgraded to this version and it has required me to press y to replace
modified conffiles in /etc/snort/rules/ about two dozen times, while I'm
pretty sure I never touched any of them. That's a pretty impressive amount
of
Quoting Jamin W. Collins ([EMAIL PROTECTED]):
Before you object to this rather 'rude' bughandling, please keep in
mind that version 1.8.4 of snort, which is in stable, has 3 severe
security exploits,
So, why hasn't a security update been released for it?
There has been a DSA about Snort.
Quoting Josip Rodin ([EMAIL PROTECTED]):
I've upgraded to this version and it has required me to press y to replace
modified conffiles in /etc/snort/rules/ about two dozen times, while I'm
pretty sure I never touched any of them. That's a pretty impressive amount
of annoyance you
On Sun, Aug 24, 2003 at 10:02:02PM -0400, Noah L. Meyerhans wrote:
I can think off-hand of at least one other security related tool that
needs frequent updating of a ruleset: nessus. It is an active probing
tool that scans a network for vulnerable systems. If it doesn't have a
current set of
Quoting Sander Smeenk ([EMAIL PROTECTED]):
Hi,
I'm about to close 95153, 133049, 158040, 16, 170580, 173331, 176223,
135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
and 189780 with a nice
On Mon, Aug 25, 2003 at 10:19:55AM +0200, Sander Smeenk wrote:
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
(...)
It's annoying now, to see what bugs really are bugs, and what are bugs
You mean are bugs related to the latest version instead of really are
bugs.
filed against
On Sun, Aug 24, 2003 at 10:02:02PM -0400, Noah L. Meyerhans wrote:
I can think off-hand of at least one other security related tool that
needs frequent updating of a ruleset: nessus. It is an active probing
tool that scans a network for vulnerable systems. If it doesn't have a
current set
On Sun, Aug 24, 2003 at 07:32:10PM -0400, Noah L. Meyerhans wrote:
Snort depends on a set of rules to detect potentially malicious traffic.
Obviously this set of rules needs to be updated on a regular basis in
order to keep up with new security issues. The problem is that the
version of
On Mon, Aug 25, 2003 at 01:37:03PM +0200, Javier Fernández-Sanguino Peña wrote:
On Mon, Aug 25, 2003 at 10:19:55AM +0200, Sander Smeenk wrote:
We've been over this in debian-security before. I fixed the 1.8.4
package once, it got rejected, and I tried to have 2.0.x installed in
Stable, but
On Mon, Aug 25, 2003 at 10:19:55AM +0200, Sander Smeenk wrote:
The problem is that the buglist I'm having on snort now, consists of
mainly bugs filed on the stable package of snort, which has been long
solved in the later releases of snort that didn't make it in the
release of Debian.
So,
Sander Smeenk wrote:
I'm about to close 95153, 133049, 158040, 16, 170580, 173331, 176223,
135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
and 189780 with a nice message telling that the bug was
On Mon, Aug 25, 2003 at 12:46:27PM +0100, Colin Watson wrote:
Considering the disaster that the openssh update to potato was, and the
bugs it caused, I'm not sure that that's a good example to bring up if
you're *advocating* upgrading a package to a new upstream version ...
Well, I was
On Mon, 25 Aug 2003, Josip Rodin wrote:
On Mon, Aug 25, 2003 at 10:25:28AM +0200, Sander Smeenk wrote:
I've upgraded to this version and it has required me to press y to replace
modified conffiles in /etc/snort/rules/ about two dozen times, while I'm
pretty sure I never touched any of
On Mon, Aug 25, 2003 at 01:56:40PM +0200, Javier Fernández-Sanguino Peña wrote:
That's not correct, it cannot detect _new_ potentially harmful traffic.
There's quite a lot of potentially harmful traffic (stable) snort can
detect. The fact that it's not up-to-date does not mean that it's
In response to several issues raised...
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=191105
Not having updated signatures is not an issue that should keep snort out
of stable as administrators may write their own signatures for snort.
Perhaps however a wishlist bug asking for a comment
On Tue, Aug 26, 2003 at 12:24:11AM +0200, Sander Smeenk wrote:
Really, the way to fix this package X needs data Y to be up-to-date is to:
a) separate data from the package (Nessus plugins are available in the
'nessus-plugins' package and can be updated separately, for example)
snort has
Quoting Javier Fernández-Sanguino Peña ([EMAIL PROTECTED]):
Thus, it can't detect potentially harmful traffic.
That's not correct, it cannot detect _new_ potentially harmful traffic.
There's quite a lot of potentially harmful traffic (stable) snort can
detect. The fact that it's not
Quoting Drew Scott Daniels ([EMAIL PROTECTED]):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719 and bug 189267
say:
DSA 297 closes these bugs. It may be worth noting that potato was not
affected.
What other security issues are there?
Let's first start by telling that my
On Tue, Aug 26, 2003 at 12:46:45AM +0200, Sander Smeenk wrote:
Quoting Drew Scott Daniels ([EMAIL PROTECTED]):
Imho it's ok to close non-rc bugs on stable (main Debian developers do).
My rationale is that we only fix RC bugs on stable.
It also has an 'archival' kind of function where people
Hi,
I'm about to close 95153, 133049, 158040, 16, 170580, 173331, 176223,
135603, 161659, 165107, 165135, 165351, 171190, 172529, 173663, 174506,
174508, 174509, 192401, 193544, 101725, 122689, 159575, 165126, 182280,
and 189780 with a nice message telling that the bug was reported on a
On Sun, Aug 24, 2003 at 03:57:45PM +0200, Sander Smeenk wrote:
Hi,
I'm about to close 95153, 133049, 158040, 16, 170580, 173331, 176223,
(...)
I object.
Instead I provide signed backported packages on p.d.o which I will keep
'semi up to date'. Still a lot of people use the outdated
Sander,
in principle, I agree that fixing those bugs by backporting patches is
not worth the effort, but let me suggest an alternative plan (which the
SRM will hate me for, so you should probably ask him before):
- Check which of those bugs are really fixed in the newest version
- Upload a
On Sun, Aug 24, 2003 at 03:57:45PM +0200, Sander Smeenk wrote:
Instead I provide signed backported packages on p.d.o which I will keep
'semi up to date'.
Before you object to this rather 'rude' bughandling, please keep in mind
that version 1.8.4 of snort, which is in stable, has 3 severe
On Sun, Aug 24, 2003 at 03:57:45PM +0200, Sander Smeenk wrote:
Before you object to this rather 'rude' bughandling, please keep in
mind that version 1.8.4 of snort, which is in stable, has 3 severe
security exploits,
So, why hasn't a security update been released for it?
--
Jamin W.
On Sun, Aug 24, 2003 at 04:51:08PM +0200, Josip Rodin wrote:
Instead I provide signed backported packages on p.d.o which I will keep
'semi up to date'.
Before you object to this rather 'rude' bughandling, please keep in mind
that version 1.8.4 of snort, which is in stable, has 3 severe
On Sun, Aug 24, 2003 at 04:39:58PM +0200, Javier Fernández-Sanguino Peña wrote:
Before you object to this rather 'rude' bughandling, please keep in mind
that version 1.8.4 of snort, which is in stable, has 3 severe security
exploits, and is completely outdated in catching crooks (rulefiles)
On Sun, Aug 24, 2003 at 08:59:06AM -0600, Jamin W. Collins wrote:
Before you object to this rather 'rude' bughandling, please keep in
mind that version 1.8.4 of snort, which is in stable, has 3 severe
security exploits,
So, why hasn't a security update been released for it?
Largely this
Noah L. Meyerhans [EMAIL PROTECTED] writes:
On Sun, Aug 24, 2003 at 08:59:06AM -0600, Jamin W. Collins wrote:
Before you object to this rather 'rude' bughandling, please keep in
mind that version 1.8.4 of snort, which is in stable, has 3 severe
security exploits,
So, why hasn't a
On Mon, Aug 25, 2003 at 01:33:37AM +0200, Goswin von Brederlow wrote:
Why don't you add an option to load newer rulesets and/or update
information to snort. Once a day/week/month snort you probe some url
for a signed ruleset or news file and report to the user about any
updates.
That way
On Mon, Aug 25, 2003 at 02:27:41AM +0100, Steve Kemp wrote:
(Essentially apt-get + apt-cache for snort rules. Clearly packaging a
single rule file within one package is a gross misuse of resources but
it might be sufficient if they were signed and hosted somewhere
sensible..)
Such a