Snort mailing list archives
Re: Problems with Snort and Postgresql
From: "Mario Alberto Soto Cordones" <mario_soto () compuall cl>
Date: Fri, 7 Feb 2003 13:09:03 -0300 (CLST)
Which version of PostgreSQL do you have? The problem is that the database does not exist in the catalog. Tell me which steps you followed and I will help you. Greetings from Chile. Mario
Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. IDScenter 1.1 RC1 released! (Ueli Kistler)
   2. Re: snort+mysql+acid (Dustin Decker)
   3. Question about IP range syntax (Schmehl, Paul L)
   4. Re: Handling of a 1 or 2 GB pipe? (Yaakov Yehudi)
   5. Snort-inline segfault (Katriel Traum)
   6. Problems with Snort and Postgresql (gbarreiro () equifax com br)
   7. Re: Linux & Pcap ... :-( (Paul B. Poh)
   8. Re: Linux & Pcap ... :-( (Lawrence Reed)
   9. Re: Problems with Snort and Postgresql (Bamm Visscher)
  10. WinPcap now supports Multiple Processors! (Erek Adams)
  11. OT: SQL Diff tool (Erek Adams)
  12. Re: Linux & Pcap ... :-( (Paul B. Poh)

--__--__--

Message: 1
Date: Wed, 05 Feb 2003 00:13:12 +0100
From: Ueli Kistler <iuk () gmx ch>
To: snort-users () lists sourceforge net, snort-announce () lists sourceforge net
Subject: [Snort-users] IDScenter 1.1 RC1 released!

Hello,

IDScenter 1.1 RC1 is finally out! Check www.packx.net for more information

What's new (short overview)?
The rule editor, the ruleset management, the autoblock system and plugins (extract IP, TCP, UDP and ICMP which can be blocked with the sample plugin BlackICEv2.dll), bug fixes, support for -w option, corrected Stream4 option... and much more.. see the changelog when you downloaded the file ;)

NOTE: I've released a 99% preconfigured IDS environment based on Snort and IDScenter. It uses Apache, MySQL, PHP, ACID (with jpgraph and adodb library preinstalled for PHP) and a little configuration tool (EagleXconfig). I will send out a separate announcement.
What is IDScenter?
==================
IDScenter is a configuration and management tool for Snort IDS on Windows platforms.

Download: www.packx.net

Features
========
* Snort 1.9 / 1.8 / 1.7 support
  o easy access to all settings
  o Interface listing using WinPCAP
* Snort service mode support
  o IDScenter takes over control of the Snort service
* Snort configuration wizard
  o Variables
  o Preprocessor plugins
  o Output plugins
  o Rulesets
* Ruleset editor: supports all Snort 1.9.1 rule options
  o Easily modify your rules
  o Import rules from files or websites into existent rulesets
* AutoBlock plugins: write your own plugins (DLL) for your firewall
  o ISS NetworkICE BlackICE Defender plugin included (possibility to block IP's, TCP and UDP ports, set block duration)
  o Delphi framework included for fast writing new plugins for other firewalls
  o Prevents problems in plugins to propagate to IDScenter
* Alert notification via e-mail, alarm sound or only visual notification
  o Possibility to send the last # lines of your Snort log
  o Notification of attack is also possible with Snort logging to MySQL
  o Add attachments (e.g. the current process list generated by another program)
* Test configuration feature: fast testing of your IDS configuration (Snort rule syntax checking etc.)
* Monitoring:
  o Alert file monitoring (up to 10 files)
  o MySQL alert detection: allows centralized monitoring of all Snort sensors (e.g. if you have a Notebook with WLAN adapter you can be alerted wherever you are)
* Log rotation (compressed archiving of log files)
  o Set log rotation period (day, week, month, interval)
  o Organisation of backup logs
* Integrated log viewer
  o Log file viewer
  o XML log file viewer
  o HTML/website viewer (support for ACID, SnortSnarf, etc.)
* Program execution possible if an attack was detected
* .. and more!
Regards,
Eclipse
eclipse () packx net

--__--__--

Message: 2
Date: Tue, 4 Feb 2003 20:38:03 -0600 (CST)
From: Dustin Decker <dustind () moon-lite com>
To: Snort Users List <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort+mysql+acid

On Tue, 4 Feb 2003, Alan McCarty wrote:

> I'd like to know if anyone has come up with a simple solution to centralized instant notification of alerts, other than logwatchers, etc.
[snip]
> I imagine this has been considered, but is there a good reason why it hasn't been implemented in any way? It seems like an elegant add-on to what is so far a very solid IDS solution.

One of the primary reasons might very well be the push vs. pull issue. Unless you have your signatures absolutely perfected, push based alerts such as you are describing here have an active life cycle of a couple of weeks. After that period of time, folks start to ignore them, particularly if a large percentage are turning out to be false positives. I've found that pull based solutions are more fruitful - although I concede that it's good to be notified of the _really serious_ alerts ASAP.

Just my $.02

Dustin

-- 
Dustin Decker                 dustind () moon-lite com
http://www.dustindecker.com   Moon-Lite Computing   913.579.7117
"He who knows nothing, knows nothing. But he who knows he knows nothing knows something. And he who knows someone whose friend's wife's brother knows nothing, he knows something. Or something like that."

--__--__--

Message: 3
Date: Tue, 4 Feb 2003 22:18:37 -0600
From: "Schmehl, Paul L" <pauls () utdallas edu>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Question about IP range syntax

With nmap, you can specify IP ranges like this: 111.1-43.0.1-220. When creating variables for snort, can you do the same thing?
I'm writing some custom rules using flexresp, and I want to know if snort has this kind of flexibility. I am seeing a range of IPs that are extremely "busy" on our network, but I only want to put parts of a class B in the rule. I'd like to do something like this:

    var RST_HOSTS [x.1-22.x.x/16,x.x.x.x/32,x.x.x.x/24]

Is this possible? I'm reading the rules section of the user guide, but I don't see where this specific issue is addressed, and I don't want to assume that it's not possible. (We all know what assumptions do for you.)

I understand how to use CIDR blocks, but that covers an entire network, and I only want to include parts of it. Rather than do this: [1.1.0.0/16,1.2.0.0/16] or this [1.1.1.0/24,1.1.2.0/24], I'd like to make one entry that covers several class B networks within a class A. I don't want to include the entire class A. Possible?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

--__--__--

Message: 4
Date: Wed, 05 Feb 2003 08:24:55 +0200
To: edin.dizdarevic () interActive-Systems de
From: Yaakov Yehudi <yehudi () tehila gov il>
Subject: Re: [Snort-users] Handling of a 1 or 2 GB pipe?
Cc: snort-users () lists sourceforge net, security () starfieldsw com

I believe that the Snortfire version of Snort is available in a configuration which will handle this amount of traffic.

At Friday 31/01/2003 15:00, Edin Dizdarevic wrote:
> Hi,
>
> Travis S. wrote:
> > Snort-Users,
> >
> > I am considering using Snort to monitor traffic on a 1 Gbps internet link, so the combined throughput of the monitored traffic would be 2 Gbps. The average load is 1 Gbps (combined) and it wouldn't be surprising to see constant levels of above 1.5 Gbps. The most likely implementation will involve mirroring a switch port to receive the data. The network is over 60 subnets, with 50,000+ hosts. How well would Snort handle reviewing packets of such a link?
> > I basically want to pick apart packets and examine a few key bytes to determine the application that is used to send the data. I'm not sure if it's possible to do this on-the-fly, or if it would be better to log the data and analyze from disk. Has anyone done similar things? Any comments on hardware requirements? Comments overall about the concept? Operating system suggestions (and version?)?
>
> We discussed such problems a few weeks ago. IMHO the problem should be to capture that amount of data. No illusions about realtime-analyzing so much traffic. You will need to buffer it, at least to back up the traffic peaks.
>
> Btw: No IDS available can probably provide the performance you need.

--__--__--

Message: 5
From: Katriel Traum <katriel () traum org il>
To: snort-users () lists sourceforge net
Date: Wed, 5 Feb 2003 08:48:26 +0000
Subject: [Snort-users] Snort-inline segfault

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello list,
I've been trying to use snort as a GIDS with snort-inline.
When trying to run snort in inline mode (-Q) along side with tcpdump logging (-b), I get a segfault (same goes when trying output log_tcpdump: /var/log/snort/tcpdump.log)
I've run it through "gdb", and found out that it segfaults at a function called pcap_dump_open(), which after checking is the function that opens the pcap dump file.
When running snort-inline with only -b or only -Q, nothing happens.
Has anyone seen or experienced something like this?
Thanks,
- -- 
+katriel כתריאל+
pgp key: traum.org.il/gpg.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+QM/dDWy+Hv/461sRAkKwAJ4+B0yqBmq8xGVD/6CPGPCh/HrHYwCgok7g
2+9FsDvalQ1GmvurcDBofYM=
=rknp
-----END PGP SIGNATURE-----

--__--__--

Message: 6
To: snort-users () lists sourceforge net
From: gbarreiro () equifax com br
Date: Wed, 5 Feb 2003 07:47:12 -0200
Subject: [Snort-users] Problems with Snort and Postgresql

Hi !!!
I am installing Postgre SQL to use with Snort, and there is a problem.

DB Postgresql Configuration:

    bahs-sh#: su - postgres                   (login with postgre user)
    bash-sh#: createuser snort --createdb     (creating snort user for db access)
    bahs-sh#: exit
    bash-sh#: psql template1 -U snort
    template1#: createdatabase snort          (creating database for snort)
    template1#: \q

Now, I will try to export the script with the next command:

    bash-sh#: psql - f create_postgresql snort

When I confirm this command, I receive the answer: DATABASE SNORT DOES NOT EXIST IN THE SYSTEM CATALOG

How can I resolve this problem ?

Thanks !!!!!!!!

Guilherme Antonio Barreiro
EQUIFAX DO BRASIL
+55 11 3016-6196
gbarreiro () equifax com br

*************************************************************
The confidentiality of this message is protected by law. If you've received it in error, please delete it and inform us by e-mail addressed to its sender.
*************************************************************

--__--__--

Message: 7
Date: Wed, 05 Feb 2003 08:00:56 -0500
From: "Paul B. Poh" <paul () paulpoh com>
To: Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Linux & Pcap ... :-(

I did run into this issue a few months ago. I believe that this is actually a linux kernel feature. For newer 2.4.x (I think) kernels, Libpcap for linux will getsockopt() for PACKET_STATISTICS. In the kernel code, when PACKET_STATISTICS is processed in af_packet.c:packet_getsockopt(), the packet->stats structure is reset.
If you want to hack the kernel, you can try commenting out the line:

    memset(&sk->protinfo.af_packet->stats, 0, sizeof(st))

in the function packet_getsockopt() in the file af_packet.c. I can't guarantee that this doesn't blow up anything or even work. Use at your own risk :-)

I use a slightly different method to track stats. I actually like the fact that the stats are reset. Because then I can get interval information. (ie packets processed per x time interval).

Kevin Peuhkurinen wrote:
> So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero. So, the next time I do a SIGUSR1, the 'breakdown by protocol' shows > 100% because Snort keeps track of the individual protocol stats but gets the percentage based on the numbers provided by libpcap.
>
> While this is clearly not necessarily a Snort problem since it only seems that the Linux version of libpcap behaves this way, it is equally obvious that this will not endear my choice of IDS to my bosses who are mickle suspicious of any software that does arrive with a license that grants the manufacturer exclusive access to the user's first born offspring while costing many thousands of dollars
>
> Does anyone have a solution for this - preferably a means to modify libpcap's behaviour and have it not reset the stats? If not, I'll just mess around with the Snort source and probably just take out the percentage displays.
>
> Thanks,
> Kevin
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 8
Date: Wed, 05 Feb 2003 13:38:21 +0000
From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
To: Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Linux & Pcap ... :-(

Kevin,

Compile snort with the libpcap from Phil Wood. This works for me and improves performance as well (ring buffer support).

http://public.lanl.gov/cpw/

Kevin Peuhkurinen wrote:
> So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero.
> [snip]
-- 
Larry Reed
Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772

--__--__--

Message: 9
Date: Wed, 5 Feb 2003 07:52:52 -0600
From: Bamm Visscher <bamm () satx rr com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problems with Snort and Postgresql
Reply-To: bamm () satx rr com

Can you validate that the snort DB does exist with the --list option or by issuing a '\l' from a psql prompt?

Bammkkkk

On Wed, Feb 05, 2003 at 07:47:12AM -0200, gbarreiro () equifax com br wrote:
> Hi !!!
>
> I am installing Postgre SQL to use with Snort, and there is a problem.
> [snip]
--__--__--

Message: 10
Date: Wed, 5 Feb 2003 09:15:07 -0500 (EST)
From: Erek Adams <erek () snort org>
To: Pig-A-Holics Anonymous <snort-users () lists sourceforge net>
Subject: [Snort-users] WinPcap now supports Multiple Processors!

I know there are a lot of folks using WinPcap on a MP box. Until now, they had to use the older 2.1 since the 2.3 version didn't support SMP. Check out this email!

------ Forwarded Message
From: Luca Deri <deri () ntop org>
Organization: ntop.org
Date: Fri, 24 Jan 2003 09:49:59 +0100
To: winpcap-users () winpcap polito it, ntop <ntop () ntop org>
Cc: mikem () tarix net, ethereal-users () ethereal com, snortadmin () sourcefire com, "Mike Schwarz" <ctek () ctek ch>
Subject: Announce: WinPcap MP Support

Dear all,
we (Michel Montague and me) have just released a patch for running Winpcap 3.X on multiprocessor (MP) machines. This patch allows users to run winpcap-based applications such as ntop, nProbe, Ethereal and snort on MP machines under Windows. For more information about this topic please visit http://www.ntop.org/winpcap.html. We have tested the patch on Win2K. Please report us about other Windows versions.
Have a lot of fun,
Luca & Michel

-- 
Luca Deri <deri () ntop org>            http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being clever about it - Richard Stallman

------ End of Forwarded Message

Hope that helps someone!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 11
Date: Wed, 5 Feb 2003 09:19:31 -0500 (EST)
From: Erek Adams <erek () snort org>
To: Pig-A-Holics Anonymous <snort-users () lists sourceforge net>
Subject: [Snort-users] OT: SQL Diff tool

Something that someone may find useful:

http://www.adeptsql.com/sql_compare_tool_overview.htm

MS SQL and Interbase (and Firebird) are the only supported DB's right now, but they are planning to extend it to support others.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

--__--__--

Message: 12
Date: Wed, 05 Feb 2003 09:47:40 -0500
From: "Paul B. Poh" <paul () paulpoh com>
To: Lawrence Reed <Lawrence.Reed () noaa gov>
CC: Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Linux & Pcap ... :-(

Hi Lawrence,

Did you happen to also install Phil's turbopacket patch? I was just looking at the patch and if I read the code properly, it looks like he replaces portions of packet_getsockopt() including the code that resets the packet stats structure. I'm guessing that it's probably the turbopacket patch as opposed to the modified libpcap that will cure Kevin's issue. :-)

Paul.

Lawrence Reed wrote:
> Kevin,
>
> Compile snort with the libpcap from Phil Wood. This works for me and improves performance as well (ring buffer support).
>
> http://public.lanl.gov/cpw/
>
> Kevin Peuhkurinen wrote:
> > So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero.
> > So, the next time I do a SIGUSR1, the 'breakdown by protocol' shows > 100% because Snort keeps track of the individual protocol stats but gets the percentage based on the numbers provided by libpcap.
> [snipped]

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
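Both Bamm and Mario point at the same check: confirm that the database is actually in the system catalog before loading the schema. The script below is an added example written for this archive page, not code from any of the posts or from the Snort or PostgreSQL projects. It parses the table that `psql -lqt` (or `\l` at the psql prompt) prints, creates the database with the `createdb` client tool only when it is missing, and then loads the schema file. The names psql, createdb and the `contrib/create_postgresql` path are assumptions about the reader's installation; the sample listing embedded in the script is constructed so the parser can be exercised without a running server.

```shell
#!/bin/sh
# Added example (not from the list posts): verify that a database is present in
# the PostgreSQL system catalog before loading the Snort schema into it.
# Assumptions: the standard client tools psql and createdb are on PATH, and
# create_postgresql is the schema file in the Snort source tree (path assumed).

# db_in_listing LISTING NAME
# Returns 0 when NAME is the first column of some row in LISTING, the
# pipe-separated table that `psql -lqt` prints. Whitespace is stripped and the
# name compared exactly, so "snort" matches neither "snort_old" nor the
# "List of databases" title that \l prints in interactive psql.
db_in_listing() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        { name = $1; gsub(/[ \t]/, "", name); if (name == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# db_exists NAME
# Same check against the live server. psql -l lists databases, -q suppresses
# informational output, -t prints rows only (no header or footer).
db_exists() {
    db_in_listing "$(psql -lqt 2>/dev/null)" "$1"
}

# setup_snort_db [DB] [OWNER] [SCHEMA]
# Creates DB owned by OWNER if it is missing, then loads SCHEMA into it.
# "createdatabase snort" typed at the psql prompt is not a command; the
# database is created with createdb (or the SQL statement CREATE DATABASE),
# which is what happens here. OWNER must have been created with --createdb.
setup_snort_db() {
    db=${1:-snort}
    owner=${2:-snort}
    schema=${3:-contrib/create_postgresql}   # assumed location in the Snort tree
    if ! db_exists "$db"; then
        createdb -U "$owner" -O "$owner" "$db" || return 1
    fi
    psql -U "$owner" -d "$db" -f "$schema"
}

# Constructed sample of `psql -lqt` output, used only to exercise the parser
# offline; a real listing carries more columns (encoding, collation, ACLs).
SAMPLE_LISTING=' snort     | snort    | SQL_ASCII
 template0 | postgres | SQL_ASCII
 template1 | postgres | SQL_ASCII'

if db_in_listing "$SAMPLE_LISTING" snort; then
    echo "sample listing: database snort is present in the catalog"
fi
```

Run `setup_snort_db snort snort /path/to/create_postgresql` as the same account that ran `createuser snort --createdb`; if `db_exists snort` already returns 0 and the schema load still reports the database as missing, the connection is reaching a different server than the one `psql -l` queried (check PGHOST, PGPORT and the socket directory), which is the case the catalog check is meant to separate out.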
Current thread:
- Problems with Snort and Postgresql gbarreiro (Feb 05)
- Re: Problems with Snort and Postgresql Bamm Visscher (Feb 05)
- <Possible follow-ups>
- Re: Problems with Snort and Postgresql gbarreiro (Feb 05)
- Re: Problems with Snort and Postgresql Bamm Visscher (Feb 05)
- Re: Problems with Snort and Postgresql Demetri Mouratis (Feb 05)
- Re: Problems with Snort and Postgresql gbarreiro (Feb 06)
- Re: Problems with Snort and Postgresql Mario Alberto Soto Cordones (Feb 07)
- Re: Problems with Snort and Postgresql Mario Alberto Soto Cordones (Feb 07)