Snort mailing list archives
Re: Snort-users Digest, Vol 86, Issue 13
From: anagha b <banagha3 () gmail com>
Date: Thu, 11 Jul 2013 14:26:13 +0530
Hi all, I solved the root access problem by changing barnyard.conf, but I am still not getting one point: I configured snort with user anagha, and I have to run snort as root? Can anybody give a solution for it?

On Mon, Jul 8, 2013 at 7:40 PM, <snort-users-request () lists sourceforge net> wrote:
Today's Topics:

   1. Re: @snort startup (waldo kitty)
   2. Re: @snort log (waldo kitty)
   3. Re: Snort on WindowsXP (Michael Steele)
   4. Re: Snort on WindowsXP (waldo kitty)
   5. Re: a few questions... (Russ Combs)

----------------------------------------------------------------------

Message: 1
Date: Sat, 06 Jul 2013 09:25:37 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] @snort startup
To: snort-users () lists sourceforge net
Message-ID: <51D81AD1.6060104 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 7/6/2013 04:11, anagha b wrote:
> I am using snort on ubuntu12.04 and configured one interface eth0 in barnyard.

i don't think that barnyard is going to be part of this problem...

> I have only one interface eth0 so using it for acquiring packet I am getting following error.
> command: snort -c /snort-2.9.4.6/etc/snort.conf -i eth0

1. is this a fully self built snort installation?
2. please provide the complete snort output instead of just the tail of it...
3. please provide your snort.conf...

-- 
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

------------------------------

Message: 2
Date: Sat, 06 Jul 2013 09:36:15 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] @snort log
To: snort-users () lists sourceforge net
Message-ID: <51D81D4F.9030401 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 7/6/2013 07:52, anagha b wrote:
> Hi all
> Got snort running but everytime i start snort i have to set library path for libdnet.1
> I am getting file snort.u2.1373105384 format in /var/log/snort. how to read these files?

U2 files are a combination log format... you must use a tool like barnyard to break them apart and place them into a database... then you use tools to read the database for correlation of the events...

> I searched on net but not getting. I want to see snort log should i go for snorby for viewing it? Plz provide link to use gui with snort.

[pedantic] you are not looking for a GUI strictly for snort. that implies a GUI that only controls snort, snort's configs and possibly the rules files...[/pedantic]

it sounds like you are instead looking for a GUI to interface to the alert database... snorby is one of numerous such tools... you might want to look at security onion which contains several GUI interfaces so you can choose which one(s) you want or need to use... each has its good points and bad points... some are hard to configure but offer a huge range of capabilities while others are easy to configure but offer a limited set of abilities...

http://securityonion.blogspot.com/

NOTE: i have not looked at security onion and do not use it at this time...

-- 
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

------------------------------

Message: 3
Date: Sat, 6 Jul 2013 16:37:26 -0400
From: "Michael Steele" <michaels () winsnort com>
Subject: Re: [Snort-users] Snort on WindowsXP
To: "'waldo kitty'" <wkitty42 () windstream net>, <snort-users () lists sourceforge net>
Message-ID: <000801ce7a88$a0c24430$e246cc90$@winsnort.com>
Content-Type: text/plain; charset="iso-8859-1"

You might want to explain to him how this converts to Windows :)

---------\
grep -i -E "shellcode" /path/to/your/rules/*.rules
---------/

Best regards,
Michael...
WINSNORT.com Management

-- 
******************  Established ~ 2001  *******************
*          Visit Us @ http://www.winsnort.com             *
*      ~~ FREE WinIDS Snort installation guides ~~        *
*               ~~ FREE support forums ~~                 *
* Snort: Open Source Network IDS - http://www.snort.org   *
***********************************************************

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Saturday, July 06, 2013 9:21 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on WindowsXP

On 7/6/2013 02:19, MCLEOD, DONNIE wrote:
> Hi Snort users,
> can someone help with code alert for Snort to detect shell code on the above conf
> Snort is run in IDS mode using the following command line;
> snort -c C:\snort\etc\snort.conf -l C:\snort\log -i 1
> I am trying to get the IDS to trigger an alert on detection, thanks.

is this a school assignment?

there are already (139) existing shellcode related rules available... do they not fit your needs?

grep -i -E "shellcode" /path/to/your/rules/*.rules

-- 
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------

Message: 4
Date: Sun, 07 Jul 2013 13:01:08 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort on WindowsXP
To: snort-users () lists sourceforge net
Message-ID: <51D99ED4.7030203 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 7/6/2013 16:37, Michael Steele wrote:
> You might want to explain to him how this converts to Windows :)
>
> ---------\
> grep -i -E "shellcode" /path/to/your/rules/*.rules
> ---------/

ooohh... yeah! i totally skipped out on the c:\ stuff in their post... but then again, i have windows flavors of most *nix tools like grep, sed and awk ;)

i suppose one might use the file search function to search for *.rules files that contain the phrase "shellcode"... then they can look at them with whatever file viewer or editor they desire...

-- 
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.

------------------------------

Message: 5
Date: Mon, 8 Jul 2013 10:10:34 -0400
From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] a few questions...
To: waldo kitty <wkitty42 () windstream net>
Cc: snort-users () lists sourceforge net
Message-ID: <CAN8FaB87GWRNPGpgo+PDN7q0P0s7FTCcwChn9szzJugu=YKngw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

On Fri, Jul 5, 2013 at 7:53 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 7/5/2013 18:35, Russ Combs wrote:
>> On Fri, Jul 5, 2013 at 5:56 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>> [trim]
>>> 1. i do have 14 compiled so dynamic rules files in my lib directory. snort does recognize them and appears to load them as can be seen in the execution output attached below. the question is why does snort report "0 Dynamic rules" when it is initializing the rule chains? there /are/ 72 rules stubs in the so_rules directory and they were created from the compiled rules by snort's --dump-dynamic-rules option... did i miss a change in the so_rules/src/Makefile other than changing the SNORT_VERSION entry?
>>
>> Those are dynamically activated rules as opposed to dynamically loaded rules. Check here:
>> http://manual.snort.org/node29.html#SECTION00421000000000000000
>> http://manual.snort.org/node29.html#SECTION00426000000000000000
>
> ahh! ok... perhaps that header can be changed to say "Dynamically Activated rules" to clarify this? it might also be a nice idea to place an additional category in the "XXX Snort rules read" section that states how many "Dynamically loaded rules" there are in that total of rules read (and processed)??
>
>>> 2. when i terminate snort, the "Packet I/O Totals" count of processed doesn't make sense. it says 4054 received and analyzed but the "Breakdown by protocol" says there were 4057. where did the extra three packets come from? it also reports 125 "Other" packets. how can i find out what they are or were?
>>
>> They are certain rebuilt packets counted here: S5 G 2: 3 ( 0.074%)
>
> ya know? i don't recall if i even saw that entry... sometimes it is kinda of hard to break out the counts properly... one would normally think that they can add up that whole column to come up with the same total but that's definitely not the proper thing to do... can you provide a hint on what is considered as "Other" packets that my short run turned up? 125 of them makes me curious as to what is going on on that box that i'm not aware of ;)

They are cases where the decoding stopped due to an unsupported protocol, eg an ethertype for which there is no decoder. It could also be that available decoders weren't built (./configure --enable-non-ether-decoders may help here).

>> Check here: http://manual.snort.org/node9.html#SECTION00273000000000000000
>>
>> I guess that should also state that packets flushed at shutdown are counted there as well.
>
> that would be a good idea, as well ;)
>
> -- 
> NOTE: No off-list assistance is given without prior approval.
>       Please keep mailing list traffic on the list unless
>       private contact is specifically requested and granted.

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

End of Snort-users Digest, Vol 86, Issue 13
*******************************************
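Message 2 above says the snort.u2.<epoch> files in /var/log/snort are a combined binary format that barnyard2 breaks apart before the alerts go anywhere else. To show what is actually inside one of those files, here is an added example (not code from this thread, from Snort or from barnyard2): a small Python reader for the two record types that make up the bulk of a Snort 2.9 spool, the IDS event record (type 7, the 52-byte legacy IPv4 layout) and the packet record (type 2, a 28-byte header plus the raw frame). The record layouts follow Snort's unified2 definitions: every record starts with a big-endian type and length, which is also what lets the reader skip record types it does not decode (the IPv6 and VLAN event variants and extra-data records) and stop cleanly at a half-written record when snort is still appending to the file. The sample spool bytes, the read_file helper and the field names in the returned dicts are this example's own; barnyard2 is still the right tool for production.

```python
"""Minimal reader for Snort unified2 spool files (snort.u2.<epoch> in /var/log/snort).
Added example: not code from the thread, Snort or barnyard2. Record layouts follow
Snort's unified2 definitions (big-endian type/length header; type 7 = 52-byte
Unified2IDSEvent_legacy; type 2 = 28-byte Unified2Packet header + packet_length
bytes). The sample spool below is constructed here, not captured from a sensor."""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

REC_HDR = struct.Struct(">II")         # record type, record length (network byte order)
IDS_EVENT = struct.Struct(">11IHH4B")  # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
PACKET_HDR = struct.Struct(">7I")      # 7 x uint32 = 28 bytes, then the frame
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) per record; stop at a partial record, which is normal
    for a spool file that snort is still writing to."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            break
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(body: bytes) -> dict:
    """Decode a type 7 body. ip_source/ip_destination are at byte offsets 36 and 40
    in network order, so the raw slices go straight into inet_ntoa."""
    f = IDS_EVENT.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "ts": f[2] + f[3] / 1e6,
            "sid": f[4], "gid": f[5], "rev": f[6], "class": f[7], "priority": f[8],
            "src": socket.inet_ntoa(body[36:40]), "dst": socket.inet_ntoa(body[40:44]),
            "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16],
            "packets": []}


def parse_packet(body: bytes) -> dict:
    """Decode a type 2 record; data is the raw frame, linktype says which kind."""
    f = PACKET_HDR.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "linktype": f[5],
            "data": body[PACKET_HDR.size:PACKET_HDR.size + f[6]]}


def read_unified2(data: bytes) -> List[dict]:
    """One dict per IDS event in file order, packets joined on (sensor_id, event_id).
    Record types not decoded here are skipped by the length in their header."""
    events: Dict[Tuple[int, int], dict] = {}
    order: List[Tuple[int, int]] = []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            ev = parse_event(body)
            key = (ev["sensor_id"], ev["event_id"])
            events[key] = ev
            order.append(key)
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            pk = parse_packet(body)
            key = (pk["sensor_id"], pk["event_id"])
            if key in events:  # a packet for an event we never saw is dropped
                events[key]["packets"].append(pk)
    return [events[k] for k in order]


def read_file(path: str) -> List[dict]:
    """Wrapper for a real spool file, e.g. /var/log/snort/snort.u2.1373105384."""
    with open(path, "rb") as fh:
        return read_unified2(fh.read())


def _event_record(sensor, event_id, sec, usec, gid, sid, rev, cls, pri,
                  src, dst, sport, dport, proto, blocked=0) -> bytes:
    """Build a type 7 record (only used to construct the sample spool)."""
    body = IDS_EVENT.pack(sensor, event_id, sec, usec, sid, gid, rev, cls, pri,
                          int.from_bytes(socket.inet_aton(src), "big"),
                          int.from_bytes(socket.inet_aton(dst), "big"),
                          sport, dport, proto, 0, 0, blocked)
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def _packet_record(sensor, event_id, sec, usec, linktype, frame: bytes) -> bytes:
    """Build a type 2 record (only used to construct the sample spool)."""
    body = PACKET_HDR.pack(sensor, event_id, sec, sec, usec, linktype, len(frame)) + frame
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample spool: two alerts (one with its packet), an extra-data record
# (type 110) the reader skips, then a half-written event at the tail.
SAMPLE_U2 = (
    _event_record(0, 1, 1373105384, 512, 1, 1000001, 3, 29, 2,
                  "192.168.1.10", "10.0.0.5", 44321, 80, 6)
    + _packet_record(0, 1, 1373105384, 512, 1, b"\x00" * 14 + b"GET / HTTP/1.0\r\n")
    + _event_record(0, 2, 1373105390, 0, 1, 1000002, 1, 29, 1,
                    "10.0.0.5", "192.168.1.10", 80, 44321, 6, blocked=1)
    + REC_HDR.pack(110, 4) + b"\x00" * 4
    + REC_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10
)


def format_alert(ev: dict) -> str:
    """Summarise an event the way a console alert line would."""
    flag = " [blocked]" if ev["blocked"] else ""
    return (f"[{ev['gid']}:{ev['sid']}:{ev['rev']}] pri={ev['priority']} "
            f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} "
            f"proto={ev['proto']} packets={len(ev['packets'])}{flag}")


if __name__ == "__main__":
    for alert in read_unified2(SAMPLE_U2):
        print(format_alert(alert))
```

Run it as-is to see the two constructed alerts; point read_file at a real spool to dump a sensor's events. The join on (sensor_id, event_id) is the same key barnyard2 uses to attach packets to events, and stopping at the first short record rather than raising is what lets a reader tail a file that snort has not finished writing.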
Current thread:
- Re: Snort-users Digest, Vol 86, Issue 13 anagha b (Jul 11)
- Re: Snort-users Digest, Vol 86, Issue 13 waldo kitty (Jul 11)