Honeypots

Nepenthes

Anti-Virus

Malware Research

Intrusion Detection

Snort

Dependencies on Ubuntu 8.04:

apt-get install libpcap0.8-dev libpcre3-dev flex bison
install http://code.google.com/p/libdnet/
install DAQ:  http://www.snort.org/downloads/801

Dependencies on Ubuntu 10.04:

apt-get install libpcap0.8-dev libpcre3-dev flex bison zlib1g-dev
install http://code.google.com/p/libdnet/
install DAQ:  http://www.snort.org/downloads/801

Configure snort with --enable-zlib

Splunk

Configuring filter extractions for Snort

Name                      Type     Extraction/Transform
syslog : EXTRACT-dip      Inline   \d+\.\d+\.\d+\.\d+(?:\:\d+)* -> (?<dip>\d+\.\d+\.\d+\.\d+)(?:\:\d+)*\s*$
syslog : EXTRACT-dport    Inline   -> \d+\.\d+\.\d+\.\d+\:(?<dport>\d+)\s*$
syslog : EXTRACT-gid      Inline   \[(?<gid>\d+)\:\d+\:\d+\]
syslog : EXTRACT-sid      Inline   \[\d+\:(?<sid>\d+)\:\d+\]
syslog : EXTRACT-signame  Inline   \[\d+\:\d+\:\d+\]\s*(?<signame>.+?)\s*\[Classification
syslog : EXTRACT-sip      Inline   (?<sip>\d+\.\d+\.\d+\.\d+)(?:\:\d+)* -> \d+\.\d+\.\d+\.\d+(?:\:\d+)*\s*$
syslog : EXTRACT-sport    Inline   \d+\.\d+\.\d+\.\d+\:(?<sport>\d+) ->
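The extractions above are ordinary PCRE patterns, so they can be checked offline before they go into Splunk. The following is an added example (not part of this page or of Splunk) that runs each pattern against two constructed Snort syslog alert lines; it rewrites the PCRE `(?<name>...)` group syntax to Python's `(?P<name>...)` and shows that an ICMP alert, which carries no ports, yields no sport/dport field rather than a bad match. The rule sids and hosts in the sample lines are constructed.

```python
import re

# The Splunk extractions from the table above, copied verbatim (PCRE syntax).
SNORT_EXTRACTIONS = {
    "gid":     r"\[(?<gid>\d+)\:\d+\:\d+\]",
    "sid":     r"\[\d+\:(?<sid>\d+)\:\d+\]",
    "signame": r"\[\d+\:\d+\:\d+\]\s*(?<signame>.+?)\s*\[Classification",
    "sip":     r"(?<sip>\d+\.\d+\.\d+\.\d+)(?:\:\d+)* -> \d+\.\d+\.\d+\.\d+(?:\:\d+)*\s*$",
    "sport":   r"\d+\.\d+\.\d+\.\d+\:(?<sport>\d+) ->",
    "dip":     r"\d+\.\d+\.\d+\.\d+(?:\:\d+)* -> (?<dip>\d+\.\d+\.\d+\.\d+)(?:\:\d+)*\s*$",
    "dport":   r"-> \d+\.\d+\.\d+\.\d+\:(?<dport>\d+)\s*$",
}


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are deliberately left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


COMPILED = {name: re.compile(pcre_to_python(p)) for name, p in SNORT_EXTRACTIONS.items()}


def extract_snort_fields(line: str) -> dict:
    """Apply every extraction to one syslog line. A field whose regex does not
    match (e.g. sport/dport on an ICMP alert) is simply absent, as in Splunk."""
    fields = {}
    for name, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            fields[name] = m.group(name)
    return fields


# Constructed sample lines in Snort's syslog alert format (sids in the local range,
# private addresses); they are not real alerts.
TCP_ALERT = ("Jun 23 16:24:01 sensor snort[1234]: [1:1000001:1] LOCAL example TCP rule "
             "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:80 -> 192.168.1.10:54321")
ICMP_ALERT = ("Jun 23 16:24:02 sensor snort[1234]: [1:1000002:1] LOCAL example ICMP rule "
              "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10")

if __name__ == "__main__":
    for line in (TCP_ALERT, ICMP_ALERT):
        print(extract_snort_fields(line))
```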
 
techdocs/security.txt · Last modified: 2011/06/23 16:24 by earnoth