[protege-discussion] update

Karren Sulliver karren.sulliver at
Sun Mar 4 05:12:56 PST 2007


I would like to include a rule when another is triggered, for example:

If this rule is triggered:
Malware Gator/Clarian Agent"; flow: to_server,established;
uricontent:"/gbsf/gd/ne/"; nocase; classtype:
policy-violation; reference:url,; sid: 2001306;

I would like to also trigger this rule for n minutes/seconds:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
connection initiated";)

I've looked at the tagging option for rules but I need to drop them, not
just log them.

Any ideas?
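The question above asks for a drop verdict that persists for a fixed window after a trigger alert, which the rule language's tagging keyword cannot express (tag logs follow-on packets, it does not change their action). The following Python is an added illustration and not part of the post or of Snort: it parses Snort's one-line "fast" alert format, starts a per-source-IP block when sid 2001306 fires, and answers "drop or not" for subsequent port-80 connections until the window lapses. The ten-minute window, the sample alert lines and the class name are constructed for the example; in a real deployment the verdict would be handed to the inline enforcement point (snort_inline or the firewall) rather than returned from a function.

```python
import re
import time

# Snort one-line ("-A fast") alert format. The alert lines further down are
# constructed for this example; they are not taken from the original post.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

TRIGGER_SID = 2001306      # sid of the Gator/Clarian rule quoted in the post
BLOCK_PORT = 80            # the follow-up rule drops new port-80 connections
BLOCK_SECONDS = 10 * 60    # hypothetical "n minutes": ten minutes


def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


class TimedBlocker:
    """Per-source-IP block that lapses `window` seconds after the trigger alert.

    The clock is injectable so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, window=BLOCK_SECONDS, port=BLOCK_PORT, now=time.time):
        self.window = window
        self.port = port
        self.now = now
        self.expires = {}   # src ip -> unix time at which its block lapses

    def feed_alert(self, line):
        """Start (or refresh) the block for the alert's source IP; returns the IP or None."""
        a = parse_fast_alert(line)
        if a is None or a["sid"] != TRIGGER_SID:
            return None
        self.expires[a["src"]] = self.now() + self.window
        return a["src"]

    def should_drop(self, src, dport):
        """Verdict for a new connection: drop only inside the window and only for the port."""
        if dport != self.port:
            return False
        exp = self.expires.get(src)
        if exp is None:
            return False
        if self.now() >= exp:
            del self.expires[src]    # window lapsed; forget the host
            return False
        return True


# Constructed sample alerts (not real traffic): one trigger, one unrelated alert.
SAMPLE_ALERTS = [
    "03/04-05:12:56.123456  [**] [1:2001306:5] Malware Gator/Clarian Agent [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 10.0.0.5:1034 -> 192.0.2.10:80",
    "03/04-05:13:01.000001  [**] [1:100001:1] Unrelated test alert [**] "
    "[Classification: Misc activity] [Priority: 3] "
    "{TCP} 10.0.0.9:2048 -> 192.0.2.11:80",
]

if __name__ == "__main__":
    b = TimedBlocker()
    for line in SAMPLE_ALERTS:
        ip = b.feed_alert(line)
        print("trigger ->", ip if ip else "ignored")
    print("10.0.0.5 -> :80 dropped?", b.should_drop("10.0.0.5", 80))
    print("10.0.0.5 -> :443 dropped?", b.should_drop("10.0.0.5", 443))
    print("10.0.0.9 -> :80 dropped?", b.should_drop("10.0.0.9", 80))
```

The block is keyed on the source address of the trigger alert, which is the only attribute the fast-alert line carries that identifies the infected host; a refresh on every new trigger keeps a still-active agent blocked, while the expiry check on the read path avoids a background timer.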

Sguil (pronounced "sgweel") is built by network security analysts for
network security analysts. Sguil's main component is an intuitive GUI
that provides real-time events from Snort/Barnyard. It also includes
other components which facilitate the practice of Network Security
Monitoring and event-driven analysis of IDS alerts. The Sguil client
is written in Tcl/Tk and can be run on any operating system that
supports Tcl/Tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Sguil version 0.6.0 contains two significant differences from previous
versions. The first is the use of the MySQL MRG_MyISAM (MERGE) storage
engine for the sancp, event, *hdr, and data tables. With the MERGE
engine it is possible to keep hundreds of millions of rows of data
active and online and still be functional (queries to the DB remain
reasonably responsive). The use of MERGE and the associated schema
makes backing up and restoring data simple and quick. The UPGRADE
text in the sguil-0.6.0/doc directory of the source contains more
detail as well as upgrade instructions.

The second major change was to the Sguil output plugin for Barnyard
(op_sguil) and the communications structure between the sensors and
sguild. op_sguil now uses Tcl libraries and sends data via localhost
to the sensor's agent. All communications between the sensor and
sguild now flow through sensor_agent. This means the MySQL libraries
are no longer needed on the sensors. Since Barnyard does not need to
be compiled with MySQL support, op_sguil (Barnyard) and MySQL 4+ may
be used together without any license conflicts.

I have just patched Snort 2.3.3 with ClamAV-2.3.3-1.diff and it doesn't
seem to work as advertised. I have the following preprocessor line:

preprocessor clamav: ports all !20 !22 !443, toclientonly, dbdir
/var/ftp/pub/tools/clamav-devel/share/clamav/, dbreload-time 43200,

I strace'd Snort while downloading EICAR.COM and the Klez virus from a
remote HTTP server. The strace shows the daily.* files being loaded,
which tells me ClamAV is being enabled, but nothing got detected. I
even ran tcpdump on the same interface and can see the HTTP download,
so it's definitely not a wiring issue either.

I can see tonnes of /tmp/snort_inline-clamav-XXXXXX files being created,
opened, closed and unlinked, but no virus was detected. The summary that
is output when Snort exits shows zero alerts, and nothing shows up
via the syslog or MySQL output processors I use.
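The post does not say how the HTTP server delivered the two files. Port 80 is not in the preprocessor's excluded list and a download is server-to-client traffic, so (assuming `toclientonly` means what its name suggests) the configuration line covers this case; the next thing to check is whether the test string was actually contiguous on the wire. The Python below is an added example, not part of the post or of the ClamAV patch: it decodes a raw HTTP response the way a client does (Content-Length, chunked framing, gzip/deflate) and shows two ordinary encodings under which the 68-byte EICAR string never appears as one byte run in the TCP payload that tcpdump displays. The three responses are constructed for the example.

```python
import gzip
import zlib

# The standard 68-byte EICAR test string (a public test signature, not malware).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def split_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (hex size lines, CRLF framed)."""
    out, pos = b"", 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                                 # data plus trailing CRLF
    return out


def extract_body(raw):
    """Return the entity body as the client sees it after transfer and content decoding."""
    headers, body = split_response(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    elif b"content-length" in headers:
        body = body[:int(headers[b"content-length"])]
    encoding = headers.get(b"content-encoding", b"").lower()
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding == b"deflate":
        body = zlib.decompress(body)
    return body


def chunked(payload, size):
    """Frame payload as chunked transfer encoding with chunks of `size` bytes."""
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


_gz = gzip.compress(EICAR)

# Constructed responses: the same test file delivered three ways.
SAMPLES = {
    "identity": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(EICAR) + EICAR,
    "chunked":  b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                + chunked(EICAR, 32),                  # 68 bytes split over 3 chunks
    "gzip":     b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
                b"Content-Length: %d\r\n\r\n" % len(_gz) + _gz,
}


def check(name):
    """(seen contiguously on the wire?, seen after client-side decoding?) for one sample."""
    raw = SAMPLES[name]
    return (EICAR in raw, EICAR in extract_body(raw))


if __name__ == "__main__":
    for name in SAMPLES:
        on_wire, decoded = check(name)
        print(f"{name:9s} on wire: {on_wire!s:5s} after decoding: {decoded}")
```

Run it and compare against a tcpdump of the real download: if the server used chunked framing or compression, a detector that only sees raw TCP payload has no contiguous EICAR string to match, and the next question becomes whether the preprocessor reassembles and decodes the HTTP body before handing it to libclamav.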