TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hi there, yes I have enabled it, it was really quite simple... I found out how to do it from reading the knowledgebase at ISS.

1. You create a rule file and put that text file on your sensor somewhere.
2. You go into the properties of the sensor from the Workgroup Manager: locate the sensor in the managed assets window, right-click on it and select Properties. On one of the tabs you see all the properties you can set; scroll down till you see "trons enable" and set that to true, then point the trons rules to the .rules file that you placed on the sensor in question. Click OK.
3. That is it.

The only annoying thing that I found with creating Snort rules for RealSecure is that you cannot use the NOT (!) operator when specifying addresses, i.e. ![192.168.1.0], which is really handy when creating rules.

Richard

-----Original Message-----
From: Stephen Cooper [mailto:[EMAIL PROTECTED]]
Sent: Monday, 22 July 2002 5:33 PM
To: [EMAIL PROTECTED]
Subject: TRONS Module for NS 7.0

Hello,

Has anyone turned this on? Would you be willing to share your experience on how one enables a Snort ruleset to work with RealSecure?

Regards
Stephen
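As an added illustration of the restriction Richard mentions (this is not code from the post or from ISS): a small pre-deployment check over a Snort rules file that flags any rule using the "!" address negation before the file is copied to the sensor. The sample rules, the HEADER_RE parsing of the standard Snort rule header, and the decision to check only the address fields (the post mentions only addresses) are my own construction.

```python
import re

# Constructed sample rule file (not from the mailing list post): two rules
# use the "!" address negation that the post says RealSecure's TRONS rejects.
SAMPLE_RULES = """\
# comment lines and blank lines are ignored
alert tcp any any -> 192.168.1.0/24 80 (msg:"inbound http"; sid:1000001;)
alert tcp ![192.168.1.0/24] any -> 192.168.1.0/24 23 (msg:"telnet from outside"; sid:1000002;)
alert udp 10.0.0.0/8 any -> !10.0.0.0/8 53 (msg:"dns leaving"; sid:1000003;)
alert tcp any !80 -> any any (msg:"non-80 port"; sid:1000004;)
"""

# Standard Snort header: action proto src sport direction dst dport, then "(" options.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_header(line):
    """Return the header fields of one Snort rule line, or None if it is not a rule."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def find_negated_addresses(rules_text):
    """Return (line_no, field, value) for every rule whose source or destination
    address uses the '!' operator. Port negation is left alone: the post only
    reports the address form as unsupported (an assumption on my part)."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hdr = parse_header(stripped)
        if hdr is None:
            continue
        for field in ("src", "dst"):
            if hdr[field].startswith("!"):
                findings.append((no, field, hdr[field]))
    return findings


if __name__ == "__main__":
    for no, field, value in find_negated_addresses(SAMPLE_RULES):
        print(f"line {no}: {field} address {value!r} uses '!' - not accepted by TRONS")
```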
From: "Ledet, Latricia" <[EMAIL PROTECTED]>
To: "'Eric Ballantyne'" <[EMAIL PROTECTED]>, rajesh vasudevan <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Is it worth keeping Http Shell signature in network sensors?
Date: Tue, 9 Jul 2002 10:21:05 -0400

Has anyone had similar experiences with other HTTP signatures such as HTTP ActiveX and HTTP Java? These signatures flood our console; however, at present, based on source and destination IPs, they appear non-threatening. I would appreciate any input. Thanks!
Latricia Ledet
Systems Security & Practices
TBO Division - CitiStreet

> -----Original Message-----
> From: Eric Ballantyne [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, June 28, 2002 10:19 AM
> To: 'Paul Van Gurp'; '[EMAIL PROTECTED]'; rajesh vasudevan
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Is it worth keeping Http Shell signature in network sensors?
>
> I have to agree with all of the comments listed below. Even after trying several attempts at fine tuning both events, I have a 95%-99% false positive rate on both signatures. Even after several upgrades and XPUs I haven't seen any improvement.
>
> -----Original Message-----
> From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 27, 2002 6:26 AM
> To: '[EMAIL PROTECTED]'; rajesh vasudevan
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Is it worth keeping Http Shell signature in network sensors?
>
> I also agree. The HTTP_Shells and Cisco alert referred to below should be tuned or removed as they are false 99.99% of the time in my environment.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 1:42 PM
> To: rajesh vasudevan
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Is it worth keeping Http Shell signature in network sensors?
>
> We've seen almost completely false positives here as well, especially related to Yahoo! (evidently some of their graphics files have a directory called "sh" in the path), and the Java problem is even more egregious.
>
> We have similar problems with the HTTP_Cisco_Catalyst_Exec signature and Amazon.com, since the signature triggers on any URL where the object starts with "/exec". Both of these signatures are overly broad IMO and should be tightened to reduce the false positive rate.
>
> > From: "rajesh vasudevan" <rajeshvasudevan@hotmail.com>
> > Sent by: owner-issforum@iss.net
> > To: [EMAIL PROTECTED]
> > Subject: Is it worth keeping Http Shell signature in network sensors?
> > Date: 06/25/2002 02:13 AM
> >
> > Hi,
> >
> > This is about the HTTP_SHELL signature, which I feel is not doing its function.
> >
> > This signature is capturing the traffic with URLs which contain "sh" or "java". RealSecure gives an explanation to the event that this signature detects an attempt to get shells to execute commands.
> > But if the signature detects any URL with entries like "/docs/api/java/util/Date.html" as an attempt to invoke a shell interpreter, then it raises a serious concern about the reliability of that signature.
> > So far I couldn't find a single attempt related to this event which seems to be a genuine one.
> >
> > I had gone through the mailing list archives also; I could see the same queries were raised before, but nobody (even ISS Support) could give a clear explanation about this or any modification on this signature.
> > I request you to give your feedback / experience on this signature, so that if this signature proves to be useless, then I need to remove it from the policy file and hence I can save a good amount of hard disk space !!!
> >
> > Cheers
> >
> > Rajesh
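An added example, not part of the thread, illustrating the false-positive argument the posters make: the HTTP_Shell matching as they describe it (any URL containing "sh" or "java") is scored on a constructed, hand-labelled set of request paths, beside an assumed tighter variant that only fires when a whole path segment names a shell interpreter. Apart from the Date.html path quoted by Rajesh, the request paths, the SHELL_NAMES set and the segment rule are my assumptions; the Yahoo-style "sh" directory case shows why path-only tuning still leaves false positives, as the thread reports.

```python
from urllib.parse import urlsplit

# Constructed HTTP request paths, labelled by hand (not taken from the thread).
# True marks a request an analyst would actually want an alert on.
SAMPLE_REQUESTS = [
    ("/docs/api/java/util/Date.html", False),  # the example URL quoted in the thread
    ("/i/us/sh/logo.gif", False),              # graphics path with an "sh" directory
    ("/shopping/cart", False),
    ("/flash/intro.swf", False),
    ("/images/banner.jpg", False),
    ("/cgi-bin/sh", True),                     # direct request for a shell interpreter
]

# Assumption: interpreter names worth alerting on when they form a whole path segment.
SHELL_NAMES = {"sh", "bash", "ksh", "csh"}


def broad_http_shell(path):
    """The signature as the thread describes it: any URL containing 'sh' or 'java'."""
    return "sh" in path or "java" in path


def segment_http_shell(path):
    """Assumed tighter variant: a whole path segment must equal a shell interpreter name."""
    segments = urlsplit(path).path.split("/")
    return any(seg in SHELL_NAMES for seg in segments)


def false_positive_rate(detector, samples):
    """Share of alerts raised on benign requests, the sense the posters use
    when they quote 95%-99% false positives. Returns 0.0 if nothing fires."""
    alerts = [(path, bad) for path, bad in samples if detector(path)]
    if not alerts:
        return 0.0
    return sum(1 for _, bad in alerts if not bad) / len(alerts)


if __name__ == "__main__":
    for name, det in (("HTTP_Shell as described", broad_http_shell),
                      ("segment-exact variant", segment_http_shell)):
        rate = false_positive_rate(det, SAMPLE_REQUESTS)
        print(f"{name}: false positive rate {rate:.0%}")
```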
