Snort mailing list archives

RE: start using argus snort


From: חואן <juan () sarel co il>
Date: Tue, 22 Jul 2003 12:55:56 +0200


Hi !

I installed the Argus quick install of Snort. In the manual it is written
that in order to start
I need to issue the ./snort -v command, and I receive: -bash: ./snort: No such
file or directory

Why is that?

thanks

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, July 22, 2003 5:30 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3366 - 3 msgs


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Viewing ACID set's off P..O..R..N rules ... (Jason Whitson)
   2. RE: Viewing ACID set's off P..O..R..N rules ... (Scott Renna)
   3. Re: Problem with test script for Cisco vulnerability (Bennett Todd)

--__--__--

Message: 1
From: "Jason Whitson" <jason () visionxtreme net>
To: "Scott Renna" <srenna () d-a-s com>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
Date: Mon, 21 Jul 2003 16:12:41 -0500

So ...

/usr/local/bin/snort -U -d -D -c /etc/snort/snort.conf not \ 172.16.1.172:80
?

Because that didn't work. Do I surround my IP in ( ) ... ?


- Jason


----- Original Message -----
From: "Scott Renna" <srenna () d-a-s com>
To: "'Jason Whitson'" <jason () visionxtreme net>;
<snort-users () lists sourceforge net>
Sent: Monday, July 21, 2003 3:32 PM
Subject: RE: [Snort-users] Viewing ACID set's off P..O..R..N rules ...


Try this from 7/8:

Bryan Irvine <bryan.irvine () kingcountyjournal com> writes:

Is there a way to get snort to skip over IPs?  I keep tripping the
porno alerts whenever I view someone else's porno log in ACID.  I'd
like for it to not log my IP.

The easiest way is to use a BPF filter on the snort command line:

snort <args> not \( host <ip> and port 80 \)
--
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx



***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

***************************

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason
Whitson
Sent: Monday, July 21, 2003 4:24 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Viewing ACID set's off P..O..R..N rules ...


Well today I decided to turn on the P..O..R..N ruleset to see if anyone
here wasn't working on ... work.

Much to my surprise, ACID "blew up" with Rule violations. This is great
and all but when I view the rule violations in the ACID console and
refresh to see the latest, all the rules that were listed get relisted
because I was viewing them!

Is there a way to exclude the machine I use to view the ACID console
from the rules? I would hate to have to explain the rule violations from
my workstation. Even though the source IP is the box running snort ...

- Jason



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







--__--__--

Message: 2
From: "Scott Renna" <srenna () d-a-s com>
To: "'Jason Whitson'" <jason () visionxtreme net>,
   <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
Date: Mon, 21 Jul 2003 17:13:06 -0400

you forgot to add the word "host" before your IP


***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

*************************** 





--__--__--
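Building the filter from Chris Green's tip and Scott Renna's correction, as an added example that is not code from this thread or from Snort: a small Python helper that turns "IP" or "IP:port" input into the form libpcap actually accepts (host IP and port N), validates the address, and quotes the expression for the shell so the parentheses no longer need backslashes. The snort path and options are the ones Jason posted; the ACID server address 172.16.1.10 and the second workstation address in the test values are constructed sample values, not taken from the thread.

```python
"""Build a BPF exclusion filter for the snort command line.

Added example, not code from the thread or from Snort.  It turns
"IP" or "IP:port" input into the pcap-filter syntax libpcap accepts
("host IP and port N"), validates the address, and quotes the result
for the shell so the parentheses reach snort unchanged.
"""
import ipaddress
import re
import shlex

# "a.b.c.d:port" convenience form; BPF itself does not understand it.
_IP_PORT = re.compile(r"^([0-9.]+):([0-9]+)$")


def parse_endpoint(text):
    """Return (ip, port) from "a.b.c.d" or "a.b.c.d:port"; port is None
    when absent.  Raises ValueError for a malformed address or port."""
    m = _IP_PORT.match(text)
    if m:
        ip_text, port = m.group(1), int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
    else:
        ip_text, port = text, None
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on junk
    return str(ip), port


def exclusion_term(ip, port=None, peer=None):
    """One parenthesised term: (host IP [and host PEER] [and port N]).
    'host' is the keyword Jason's first attempt was missing."""
    parts = [f"host {ip}"]
    if peer is not None:
        parts.append(f"host {peer}")
    if port is not None:
        parts.append(f"port {port}")
    return "(" + " and ".join(parts) + ")"


def build_filter(endpoints, peer=None):
    """BPF expression that drops packets matching any endpoint.

    endpoints: "ip" or "ip:port" strings (the ACID viewer workstations).
    peer: optional IP of the ACID web server; when given, only traffic
    between the workstation and that server is dropped, which leaves a
    much smaller blind spot than excluding the workstation's port-80
    traffic to everywhere.
    """
    terms = [exclusion_term(*parse_endpoint(ep), peer=peer) for ep in endpoints]
    if not terms:
        return ""
    if len(terms) == 1:
        return "not " + terms[0]
    return "not (" + " or ".join(terms) + ")"


def snort_command(conf, endpoints, peer=None, snort="/usr/local/bin/snort"):
    """Full command line; the filter travels as a single quoted argument,
    which is what the backslashes in Chris Green's escaped form achieve."""
    argv = [snort, "-U", "-d", "-D", "-c", conf]
    bpf = build_filter(endpoints, peer)
    if bpf:
        argv.append(bpf)
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample values: Jason's workstation from the thread and
    # an assumed ACID server address (172.16.1.10 is not from the thread).
    print(snort_command("/etc/snort/snort.conf", ["172.16.1.172:80"]))
    print(snort_command("/etc/snort/snort.conf", ["172.16.1.172:80"],
                        peer="172.16.1.10"))
```

Passing the expression as one quoted argument is equivalent to the backslash-escaped form Chris posted; snort hands its remaining non-option arguments to libpcap as the filter either way. The peer parameter is the defender's caveat: excluding host plus port 80 alone hides every port-80 conversation of that workstation from every rule, while restricting the exclusion to the ACID server keeps the rest of the workstation's web traffic visible to the sensor.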

Message: 3
Date: Mon, 21 Jul 2003 17:43:41 -0400
From: Bennett Todd <bet () rahul net>
To: CMartin () infosol com
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with test script for Cisco vulnerability



2003-07-21T14:26:30 CMartin () infosol com:
I tried to implement this script to test my snort rules; however, it
appears that I don't have hping in my /usr/local/sbin directory, nor in my
/sbin directory.  I am running Red Hat v9.

As others have mentioned, download from <URL:http://www.hping.com/>
and build yourself. If you want an rpm install, I have a spec file
I'll be glad to pass you. It's trivial.

Also I get the following error when I try to run the script (sh exploit.sh).

exploit.sh: line 8: syntax error near unexpected token `('
exploit.sh: line 8: `foreach protocol (53 55 77 103)'

The exploit script as posted was in tcsh, which has a different
syntax from sh.

But also an interesting note, my whole /usr/local/sbin is empty.

/usr/local is reserved for non-packaged software. RPMs are normally
properly written to install into /usr/sbin, /usr/bin, and so forth.

-Bennett




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



