
List:       snort-users
Subject:    Re: [Snort-users] Alert packet from Dark Web.
From:       Dave Osbourne <dave () osbourne ! uk ! eu ! org>
Date:       2020-03-23 15:20:27
Message-ID: c89e2fd8-38bc-596f-4161-5dc914b7e902 () osbourne ! uk ! eu ! org

Sorry, I know that this doesn't help, but I just read this and, in the 
moment of all that's going on in the world, had a little laugh...

Presumably, Michael, you meant

"... would make life so much easier if they would just be RFC 
3514-compliant (;"

in which case LOL!

D

On 2020-03-23 14:44, Michael Altizer (mialtize) via Snort-users wrote:
> It would make life so much easier if they would just be RFC 
> 3514-compliant.
>
> On 3/22/20 12:36 PM, Joel Esler (jesler) via Snort-users wrote:
>> Largely I would say what you’re trying to do is rather impossible. 
>>  You need to identify /what/ you want to look for with a content 
>> match.  Looking for things from the “dark web” is just as big as 
>> looking for things on the “non-dark” web.
>>
>> Sent from my  iPad
>>
>>> On Mar 21, 2020, at 11:28, Junting Lai via Snort-users 
>>> <snort-users@lists.snort.org> wrote:
>>>
>>> Hi,
>>>
>>> Can I just write a tcp snort rules to alert the dark net traffic 
>>> which may come from Dark web? What should I really need to write in 
>>> “content” in the rule.
>>>
>>> Thanks in advance.
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users@lists.snort.org
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>>    To unsubscribe, send an email to:
>>> snort-users-leave@lists.snort.org
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest 
>>> Snort news!
>>>
>>> Please follow these rules: 
>>> https://snort.org/faq/what-is-the-mailing-list-etiquette
>>
>

