Re: Snort-users Digest, Vol 28, Issue 4

[Viswanathan R <viswa_jang () yahoo com>]

Team

I am supposed to give a presentation about Lastes Snort, to my team.  Is there any Powerpoint presentation readymade 
for this, which covers all the aspect of Snort. 

Thanks in advance for pointing me to right place/giving presentation
Regards
Viswanathan R



--- On Mon, 9/15/08, snort-users-request () lists sourceforge net <snort-users-request () lists sourceforge net> wrote:

> From: snort-users-request () lists sourceforge net <snort-users-request () lists sourceforge net>
> Subject: Snort-users Digest, Vol 28, Issue 4
> To: snort-users () lists sourceforge net
> Date: Monday, September 15, 2008, 7:10 PM
> Send Snort-users mailing list submissions to
>       snort-users () lists sourceforge net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>       https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body
> 'help' to
>       snort-users-request () lists sourceforge net
>
> You can reach the person managing the list at
>       snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more
> specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Deploying snorts on Mac OS 10.4 (Joel Esler)
>    2. Anybody know how to fix this error? (Tommy Cansanay)
>    3. Re: Anybody know how to fix this error? (Tommy
> Cansanay)
>    4. Snort on Leopard 10.5.4...getting there (James Lay)
>    5. Re: Snort on Leopard 10.5.4...getting there (James
> Lay)
>    6. Snort generates alerts when I use rsync to
> download      files
>       (carlopmart)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 10 Sep 2008 20:36:01 -0400
> From: Joel Esler <eslerj () gmail com>
> Subject: Re: [Snort-users] Deploying snorts on Mac OS 10.4
> To: Nix Hanwei <wannab78 () yahoo com sg>
> Cc: snort-users () lists sourceforge net
> Message-ID:
> <52B45494-7F98-4123-A926-5C7793B65387 () gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> Did you check out the readme that came with the Snort
> tarball, it has  
> some special compile instructions for OSX.  Check those
> out.
>
> Joel
>
> On Sep 10, 2008, at 8:24 PM, Nix Hanwei wrote:
>
> > Hi Gurus,
> >
> > I'm new to here.  I had encounter the following
> > problem while installing snorts.  Please assist me
> > here.
> >
> > When I hit ./configure on snort-2.8.3
> > I get the following error.
> >
> >   ERROR!  Libpcre header not found.
> >   Get it from http://www.pcre.org
> >
> > I went on to download pcre-7.8
> > When I hit ./configure on pcre-7.8, attached is the
> > config.log.  Please assist me here to install
> > snort-2.8.3.
> >
> > Thanks & Regards,
> > wannabe
> >
> >
> >
> >      New Email addresses available on Yahoo!
> > Get the Email name you&#39;ve always wanted on the
> new @ymail and  
> > @rocketmail.
> > Hurry before someone else does!
> > http://mail.promotions.yahoo.com/newdomains/sg/ 
> > < 
> > config 
> > .log 
> > >
> -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move
> Developer's  
> > challenge
> > Build the coolest Linux based applications with Moblin
> SDK & win  
> > great prizes
> > Grand prize is a trip for two to an Open Source event
> anywhere in  
> > the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --
> Joel Esler
> ?  http://blog.joelesler.net
> ?  http://www.dearcupertino.com
> [m]
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 2
> Date: Fri, 12 Sep 2008 15:39:18 -0400
> From: "Tommy Cansanay" <toortog () gmail com>
> Subject: [Snort-users] Anybody know how to fix this error?
> To: snort-users () lists sourceforge net
> Message-ID:
>       <f0bee75f0809121239g79303734w13ccd9f444557e1b () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I was updating rules, restarted and got this...
>
> FATAL ERROR: ***Rule--PortVar Parse error: (pos=4,error=not
> a number) >>ANY
> > >   ^
>
>
> Anybody run into this? Better yet, how to fix it?
>
> thanks
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 3
> Date: Fri, 12 Sep 2008 16:44:07 -0400
> From: "Tommy Cansanay" <toortog () gmail com>
> Subject: Re: [Snort-users] Anybody know how to fix this
> error?
> To: "Paul Schmehl"
> <pschmehl_lists_nada () tx rr com>
> Cc: snort-users () lists sourceforge net
> Message-ID:
>       <f0bee75f0809121344l23b25554t1168b6db59f5364c () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> John,
>   Thank you for the suggestion. cat -v * (on the rules dir)
> didn't really
> help me much since it gave me a slew of entries that looked
> normal.
>
> Paul,
>    Obviously.. IT IS NOT OBVIOUS since I'm asking for
> help. I did not assign
> the PORTVAR variable with/to "ANY". I do the
> normal routine of pushing VRT
> rules that has worked before and I did not do anything
> special this time
> other than review and uncomment a few rules that the VRT
> team commented. I
> also did NOT modify the snort.conf, which I may add... the
> same snort.conf
> file (that's been working) that I've been using for
> a while now!
>
> Magic fix... removed previously tar'd dirs, untarred it
> again, and somehow
> it's good to go. Somehow something got corrupted and
> since doing an egrep
> for PORTVAR didn't show squat and I need the stuff to
> be up, I had to just
> redo the procedure and push each categorized rule[s] one at
> a time (hoping
> it will at least point me to a rule that was syntactically
> incorrect) --
> which fortunately it didn't.
>
> Thanks
>  Tom
>
> On Fri, Sep 12, 2008 at 4:09 PM, Paul Schmehl
> <pschmehl_lists () tx rr com>wrote:
>
> > --On Friday, September 12, 2008 3:39 PM -0400 Tommy
> Cansanay <
> > toortog () gmail com> wrote:
> >
> >
> > > I was updating rules, restarted and got this...
> > >
> > > FATAL ERROR: ***Rule--PortVar Parse error:
> (pos=4,error=not a number)
> > > > > ANY >>   ^
> > >
> > >
> > > Anybody run into this? Better yet, how to fix it?
> > It's pretty obvious, isn't it?  You can't
> use "ANY" as the value of
> > PORTVAR.  It must be a number or number, comma or dash
> separated.
> > Somewhere in the snort.conf file there is a line with
> the following:
> > PORTVAR = ANY
> >
> > That line is invalid.
> >
> > Paul Schmehl
> > As if it wasn't already obvious,
> > my opinions are my own and not
> > those of my employer.
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 4
> Date: Sat, 13 Sep 2008 07:56:04 -0600
> From: James Lay <jlay () slave-tothe-box net>
> Subject: [Snort-users] Snort on Leopard 10.5.4...getting
> there
> To: Snort <snort-users () lists sourceforge net>
> Message-ID: <C4F12294.39A48%jlay () slave-tothe-box net>
> Content-Type: text/plain; charset="iso-8859-1"
>
> So I?ve got snort 2.8.3 running right now on Leo 10.5.4
> (YaY).  Dynamic
> preprocessors tank with a Bus Error however.  Who do I send
> the crash log
> to?  Also, does anyone have a good plist startup file for
> snort on OS X?
> Everything works but the filter option (example:  ?ip and
> not host bleh?)
> doesn?t seem to get passed correctly to snort:
>
> Sep  9 19:51:30 slave-tothe-box snort[346]: FATAL ERROR:
> OpenPcap() FSM
> compilation failed: \n        illegal token:
> "\nPCAP command: "ip and not
> port 21746"
>
> Of course, running command line it works just fine (have I
> mentioned how
> much I loathe launchd?).
>
> Danke folks
>
> James
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 5
> Date: Sat, 13 Sep 2008 12:26:07 -0600
> From: James Lay <jlay () slave-tothe-box net>
> Subject: Re: [Snort-users] Snort on Leopard
> 10.5.4...getting there
> To: Martin Roesch <mroesch () sourcefire com>
> Message-ID: <E1Keapb-00007a-4B () mail sourceforge net>
> Content-Type: text/plain;     charset="US-ASCII"
>
>
>
>
> On 9/13/08 10:59 AM, "Martin Roesch"
> <mroesch () sourcefire com> wrote:
>
> > What's the command line and snort.conf file
> you're using with Snort
> > when it errors out?  If you look in the BUGS file that
> comes with the
> > source distro you'll see all the info we need and
> where to send it to
> > diagnose your problem.
> >
> > Marty
> >
> > On Sat, Sep 13, 2008 at 9:56 AM, James Lay
> <jlay () slave-tothe-box net> wrote:
> > > So I've got snort 2.8.3 running right now on
> Leo 10.5.4 (YaY).  Dynamic
> > > preprocessors tank with a Bus Error however.  Who
> do I send the crash log
> > > to?  Also, does anyone have a good plist startup
> file for snort on OS X?
> > >  Everything works but the filter option (example: 
> "ip and not host bleh")
> > > doesn't seem to get passed correctly to snort:
> > >
> > > Sep  9 19:51:30 slave-tothe-box snort[346]: FATAL
> ERROR: OpenPcap() FSM
> > > compilation failed: \n        illegal token:
> "\nPCAP command: "ip and not
> > > port 21746"
> > >
> > > Of course, running command line it works just fine
> (have I mentioned how
> > > much I loathe launchd?).
> > >
> > > Danke folks
> > >
> > > James
>
> The command line is:
>
> /usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody  -o -c
> /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log 
> "ip and not port
> 21746"
>
> I used Lingon to create a .plist file and after removing
> the ""'s from the
> filter it works now.  This changed from:
>
>          <string>/usr/snort/var/log</string>
>         <string>"ip</string>
>         <string>and</string>
>         <string>not</string>
>         <string>port</string>
>         <string>21746"</string>
>     </array>
>
> To
>
>         <string>ip and not port 21746</string>
>     </array>
>
> This works fine now.
>
> As for the snort.conf, I had to comment out all the dynamic
> preprocessor
> jazz to get it to run without a Bus Error:
>
> #dynamicpreprocessor directory
> /usr/snort/lib/snort_dynamicpreprocessor/
> #dynamicengine
> /usr/snort/lib/snort_dynamicengine/libsf_engine.dylib
> #dynamicdetection directory
> /usr/snort/lib/snort_dynamicrule/
>
> and the dns, smtp, dce, and telnet/ftp dynamic
> preprocessors.  Once that was
> done it came up with no error.  I'll look through the
> BUGS and send along,
> but here's some of the info from the crash file:
>
> Process:         snort [72780]
> Path:            /usr/snort/bin/snort
> Identifier:      snort
> Version:         ??? (???)
> Code Type:       PPC (Native)
> Parent Process:  bash [71934]
>
> Exception Type:  EXC_BAD_ACCESS (SIGBUS)
> Exception Codes: KERN_PROTECTION_FAILURE at
> 0x0000000000000000
> Crashed Thread:  0
>
> Thread 0 Crashed:
> 0   ???                               0000000000 0 + 0
> 1   libsf_ssl_preproc.0.0.0.dylib     0x022c27d0
> InitializePreprocessor +
> 432
> 2   snort                             0x0004d194
> InitDynamicPreprocessorPlugins + 84
> 3   snort                             0x0004d50c
> InitDynamicPreprocessors +
> 588
> 4   snort                             0x0001da84 SnortMain
> + 2276
> 5   snort                             0x000024b4 start + 68
> 6   ???                               0000000000 0 + 0
>
> Thanks Marty,
>
> James
>
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 15 Sep 2008 15:41:10 +0200
> From: carlopmart <carlopmart () gmail com>
> Subject: [Snort-users] Snort generates alerts when I use
> rsync to
>       download        files
> To: Snort Users <Snort-users () lists sourceforge net>
> Message-ID: <48CE65F6.8020309 () gmail com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi all,
>
>   I am using snort on my laptop as a test lab. When I try
> to download files from 
> Internet, Snort displays this alert:
>
> 09/15-14:44:36.373001  [Drop] [**] [1:1390:6] SHELLCODE x86
> inc ebx NOOP [**] 
> [Classification: Executable code was detected] [Priority:
> 1] {TCP} 
> 193.109.191.9:873 -> 10.38.55.4:53662
>
> Why is this alert genereated?? I am downloading .rpm, .xml,
> and .gz files ...
>
>
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>
>
> ------------------------------
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move
> Developer's challenge
> Build the coolest Linux based applications with Moblin SDK
> & win great prizes
> Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 28, Issue 4
> ******************************************


      

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users