Re: flexresp and mysql

["Craig Mueller" <cmueller () alebra com>]

If you are installing on a FreeBSD 6.1X or later system - then you need 
libnet10-1.0.2a_1.  Get this from the BSD ports collection, or also 
installing snort_inline from sysinstall works.

Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com


snort-users-request () lists sourceforge net wrote:
> Send Snort-users mailing list submissions to
>         snort-users () lists sourceforge net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request () lists sourceforge net
>
> You can reach the person managing the list at
>         snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. flexresp and mysql (Jes?s G?lvez)
>    2. Re: flexresp and mysql (Todd Wease)
>    3. (portscan) Open Port: (Mark Rohrbeck)
>    4. Re: (portscan) Open Port: (Bamm Visscher)
>    5. snort v2.6 Win32 flex? (Rich Adamson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 7 Sep 2006 13:06:10 +0200 (CEST)
> From: Jes?s G?lvez <jesuxgalvez () yahoo es>
> Subject: [Snort-users] flexresp and mysql
> To: snort-users () lists sourceforge net
> Message-ID: <20060907110610.53088.qmail () web27107 mail ukl yahoo com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi, when I run configure  with flexresp and mysql options, configure give me error. 
>
> Then, I tried with flexresp2 and libdnet, but again i got the same result.
>
> checking for compress in -lz... yes
> checking dnet.h usability... yes
> checking dnet.h presence... yes
> checking for dnet.h... yes
> checking for eth_set in -ldnet... no
>
>    ERROR!  Libdnet header not found, go get it from
>    http://libdnet.sourceforge.net or use the --with-dnet-*
>    options, if you have it installed in an unusual place
>
>
> I run:
>
>
> ./configure  --prefix=/usr/local/snort \
>              --with-dnet-libraries=/usr/lib \
>              --with-dnet-includes=/usr/lib/include \
>              --with-mysql=/usr/local/mysql \
>              --enable-flexresp2
>
> all is in the correct directories.
>
> Any can help me? thanks.
>
>
>                 
> ---------------------------------
>
> LLama Gratis a cualquier PC del Mundo.
> Llamadas a fijos y m?viles desde 1 c?ntimo por minuto.
> http://es.voice.yahoo.com
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://sourceforge.net/mailarchive/forum.php?forum=snort-users/attachments/20060907/e1dbd317/attachment.html 
>
> ------------------------------
>
> Message: 2
> Date: Thu, 07 Sep 2006 10:27:27 -0400
> From: Todd Wease <twease () sourcefire com>
> Subject: Re: [Snort-users] flexresp and mysql
> To: snort-users () lists sourceforge net
> Message-ID: <1157639247.2569.15.camel () dhcp10-12 sfeng sourcefire com>
> Content-Type: text/plain
>
>   
> >              --with-dnet-includes=/usr/lib/include \
> >     
>
>
> Try --with-dnet-includes=/usr/include
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 7 Sep 2006 11:32:36 -0400
> From: Mark Rohrbeck <mark.rohrbeck () gmail com>
> Subject: [Snort-users] (portscan) Open Port:
> To: <Snort-users () lists sourceforge net>
> Message-ID: <000001c6d292$da790420$a029a8c0 () cuinterface com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
>  
>
> I am getting thousands of these portscans (Below are 3 examples) They are
> basically all from my exchange server to different IP addresses mainly on
> port 25 I have noticed a few of 53 too.  They are all going to addresses on
> the internet and I am not sure if I should be concerned or not, they are
> happening continuously all through the day. 
>
>  
>
> If I can offer any more information please let me know, I would really like
> to get to the bottom of this, I have googled away and find similar posts but
> no answers.
>
>  
>
> When I click on the link to Snort it says 
>
>
> GEN:SID 
>
> 1:27 
>
>
> Message 
>
> Sorry, no such sid-gen (1:27) 
>
>  
>
>  
>
> Any help greatly appreciated.
>
>  
>
>  
>
>
>  #624-(3-21094)
> <http://localhost/base/base_qry_alert.php?submit=%23624-%283-21094%29&sort_o
> rder=time_d>  
>
> [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
> Port: 25
>
> 2006-09-06 06:08:36 
>
> 192.168.41.129
> <http://localhost/base/base_stat_ipaddr.php?ip=192.168.41.129&netmask=32>  
>
> 67.15.52.7
> <http://localhost/base/base_stat_ipaddr.php?ip=67.15.52.7&netmask32>  
>
> Raw IP 
>
>
>
>
> #625-(3-21091)
> <http://localhost/base/base_qry_alert.php?submit=%23625-%283-21091%29&sort_o
> rder=time_d>  
>
> [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
> Port: 25
>
> 2006-09-06 06:08:35 
>
> 192.168.41.129
> <http://localhost/base/base_stat_ipaddr.php?ip=192.168.41.129&netmask=32>  
>
> 70.84.128.20
> <http://localhost/base/base_stat_ipaddr.php?ip=70.84.128.20&netmask32>  
>
> Raw IP 
>
>
>
>
> #626-(3-21092)
> <http://localhost/base/base_qry_alert.php?submit=%23626-%283-21092%29&sort_o
> rder=time_d>  
>
> [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
> Port: 25
>
> 2006-09-06 06:08:35 
>
> 192.168.41.129
> <http://localhost/base/base_stat_ipaddr.php?ip=192.168.41.129&netmask=32>  
>
> 67.15.143.14
> <http://localhost/base/base_stat_ipaddr.php?ip=67.15.143.14&netmask32>  
>
> Raw IP 
>
>  
>
>  
>
> Thanks
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://sourceforge.net/mailarchive/forum.php?forum=snort-users/attachments/20060907/83c72c27/attachment.html 
>
> ------------------------------
>
> Message: 4
> Date: Thu, 7 Sep 2006 09:40:36 -0600
> From: "Bamm Visscher" <bamm.visscher () gmail com>
> Subject: Re: [Snort-users] (portscan) Open Port:
> To: "Mark Rohrbeck" <mark.rohrbeck () gmail com>
> Cc: Snort-users () lists sourceforge net
> Message-ID:
>         <27492850609070840p33d39e47wb636b1cc5d4a74fb () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> That's the sfportscan preprocessor [0]
>
> Bammkkkk
>
> [0] http://www.snort.org/docs/snort_htmanuals/htmanual_260/node11.html#SECTION00317000000000000000
>
>
>
> On 9/7/06, Mark Rohrbeck <mark.rohrbeck () gmail com> wrote:
>   
> > Hi all,
> >
> >
> >
> > I am getting thousands of these portscans (Below are 3 examples) They are basically all from my exchange server to 
> > different IP addresses mainly on port 25 I have noticed a few of 53 too.  They are all going to addresses on the 
> > internet and I am not sure if I should be concerned or not, they are happening continuously all through the day.
> >
> >
> >
> > If I can offer any more information please let me know, I would really like to get to the bottom of this, I have 
> > googled away and find similar posts but no answers.
> >
> >
> >
> > When I click on the link to Snort it says
> >
> >
> > GEN:SID
> >
> > 1:27
> >
> >
> > Message
> >
> > Sorry, no such   sid-gen (1:27)
> >
> >
> >
> >
> >
> > Any help greatly appreciated.
> > Thanks
> >     
>
>   

--
Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com
612-436-8204

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users