Snort mailing list archives

Re: Snort-users Digest, Vol 93, Issue 13


From: Aditya Prakash <adipra90 () gmail com>
Date: Wed, 12 Feb 2014 09:36:49 +0530

Please, can anybody tell me how to trim the Snort alert timestamp? I do
not want the microsecond field; I just want the date and time in hr:min:sec
format.


On Wed, Feb 12, 2014 at 4:11 AM,
<snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim
your response.

Today's Topics:

   1. Re: sudo snort -Tc snort.conf failure (Nicholas Mavis (nmavis))
   2. sfportscan not writing to BASE (Richard Smollett)
   3. Getting Incorrect URL Error Message for a working URL
      (MMartin () jwpepper com)
   4. Re: Getting Incorrect URL Error Message for a working URL
      (MMartin () jwpepper com)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Feb 2014 15:20:51 +0000
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Subject: Re: [Snort-users] sudo snort -Tc snort.conf failure
To: David Montgomery <davidmontgomery () gmail com>,
        "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <CF1FA8D1.E4D9%nmavis () cisco com>
Content-Type: text/plain; charset="us-ascii"

David,

As Y M mentioned, if you are installing snort via the Ubuntu repositories
it is going to be outdated. I would recommend downloading an updated
release (2.9.6) from snort.org. The errors you are seeing are fairly
straightforward.

 Initializing rule chains...
WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated;
use detection_filter instead.

ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed:
!$DNS_SERVERS

As seen in the error above, you have $DNS_SERVERS variable set to "!any"
within your snort.conf which is not allowed.

From: David Montgomery <davidmontgomery () gmail com>
Date: Tuesday, February 11, 2014 8:03 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] sudo snort -Tc snort.conf failure

Initializing rule chains...
WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated;
use detection_filter instead.

ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed:
!$DNS_SERVERS
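An added pre-flight lint for the error above (example code written for this archive page; it is not part of Snort and not from either poster). Snort's own `-T` run is authoritative; this script only resolves `var`/`ipvar` chains in a snort.conf and reports any variable definition or rule token that negates a value which ends up as `any`, which is the `!$DNS_SERVERS` case when DNS_SERVERS falls through to a HOME_NET of `any`. The config and rule lines are constructed for the example, not copied from the post.

```python
import re

# Constructed snort.conf fragment (not from the original post). DNS_SERVERS
# inherits HOME_NET, and HOME_NET is still the default "any".
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS 10.0.0.25
"""

# Same fragment with both problems fixed: explicit DNS servers, EXTERNAL_NET any.
SAMPLE_CONF_FIXED = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS [10.0.0.53,10.0.0.54]
ipvar SMTP_SERVERS 10.0.0.25
"""

# Constructed rule lines; the first negates $DNS_SERVERS the way the failing
# community-virus.rules line in the post does.
SAMPLE_RULES = """\
alert udp $EXTERNAL_NET any -> !$DNS_SERVERS 53 (msg:"constructed rule 1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"constructed rule 2"; sid:1000002; rev:1;)
"""

VAR_RE = re.compile(r'^\s*(?:ipvar|var)\s+(\w+)\s+(\S+)')
# A "!$NAME" or "!any" token that is not glued to a larger word or list item.
NEG_RE = re.compile(r'(?<![\w$\]])!(?:\$(\w+)|any)(?!\w)')


def parse_vars(conf_text):
    """Map variable name -> raw value for every var/ipvar line."""
    variables = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolves_to_any(value, variables, depth=0):
    """True if value is 'any' directly or through a chain of $REFERENCES."""
    if depth > 16:            # bail out on a self-referential config
        return False
    value = value.strip()
    if value.lower() == 'any':
        return True
    if value.startswith('$'):
        return resolves_to_any(variables.get(value[1:], ''), variables, depth + 1)
    return False


def scan_text(text, variables, label):
    """Return (label, line_no, token) for each token that negates 'any'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in NEG_RE.finditer(line):
            name = m.group(1)
            if name is None or resolves_to_any(variables.get(name, ''), variables):
                findings.append((label, lineno, m.group(0)))
    return findings


def find_negated_any(conf_text, rules_text):
    """Lint a config plus its rules; an empty list means no '!any' is produced."""
    variables = parse_vars(conf_text)
    return (scan_text(conf_text, variables, 'snort.conf')
            + scan_text(rules_text, variables, 'rules'))


if __name__ == '__main__':
    for finding in find_negated_any(SAMPLE_CONF, SAMPLE_RULES):
        print('%s line %d: %s negates a variable that resolves to any' % finding)
    print('fixed config findings:', find_negated_any(SAMPLE_CONF_FIXED, SAMPLE_RULES))
```

Run it before `snort -T`. The fix it points at is on the config side: give DNS_SERVERS (or HOME_NET) a concrete address list rather than editing the rule that negates it, since the rule is correct once the variable no longer expands to `any`.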

------------------------------

Message: 2
Date: Tue, 11 Feb 2014 15:59:14 -0500
From: Richard Smollett <yawningdogge () gmail com>
Subject: [Snort-users] sfportscan not writing to BASE
To: snort-users () lists sourceforge net
Message-ID: <CAC=Gbs6VQwRNGoOC2F1PR-CfQaXNFZKjZU5+7tmRsnAVfDHojg () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

After a portscan, my log file contains the following.

Time: 02/11-14:49:22.006688
event_ref: 0
172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 172.28.61.88:172.28.61.88
Port/Proto Count: 5
Port/Proto Range: 23:993

So it looks like the preprocessor is working. But in the BASE interface,
portscan traffic remains 0%. My rules are reporting to BASE just fine.
Preprocessor config looks like this.

preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { low } logfile { /etc/snort/sfportscan.log }
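An added parser for the sfportscan logfile layout shown above (example code for this archive page, not Snort's and not from the poster). It does not address why BASE shows 0%; it only turns the blank-line-delimited records into dicts so the same data can be counted or shipped somewhere else. The two records are constructed for the example; the first mirrors the shape of the one quoted above.

```python
import re

# Constructed sfportscan logfile excerpt in the layout quoted in the post
# (two records; addresses, times and counts are made up for the example).
SAMPLE_LOG = """\
Time: 02/11-14:49:22.006688
event_ref: 0
172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 172.28.61.88:172.28.61.88
Port/Proto Count: 5
Port/Proto Range: 23:993

Time: 02/11-14:51:03.112233
event_ref: 0
10.0.0.7 -> 172.28.61.39 (portscan) UDP Portsweep
Priority Count: 4
Connection Count: 8
IP Count: 3
Scanner IP Range: 10.0.0.7:10.0.0.7
Port/Proto Count: 8
Port/Proto Range: 53:161
"""

# "<src> -> <dst> (<preprocessor>) <event name>"
HEAD_RE = re.compile(r'^(\S+) -> (\S+) \((\w+)\) (.+)$')
# "Key: value"; the value may itself contain ':' (IP ranges, port ranges).
KV_RE = re.compile(r'^([^:]+): (.+)$')


def parse_sfportscan_log(text):
    """Split the blank-line-delimited records into a list of dicts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = HEAD_RE.match(line)
        if m:
            current.update(src=m.group(1), dst=m.group(2),
                           preproc=m.group(3), event=m.group(4))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            current[key] = int(value) if value.isdigit() else value
    if current:
        records.append(current)
    return records


def port_range(record):
    """Return (low, high) from the 'Port/Proto Range' field as integers."""
    low, high = record['Port/Proto Range'].split(':')
    return int(low), int(high)


def events_by_scanner(records):
    """Count events per source address, the figure a dashboard would chart."""
    counts = {}
    for rec in records:
        counts[rec['src']] = counts.get(rec['src'], 0) + 1
    return counts


if __name__ == '__main__':
    recs = parse_sfportscan_log(SAMPLE_LOG)
    for rec in recs:
        print(rec['Time'], rec['src'], '->', rec['dst'], rec['event'], port_range(rec))
    print(events_by_scanner(recs))
```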

------------------------------

Message: 3
Date: Tue, 11 Feb 2014 16:54:28 -0500
From: MMartin () jwpepper com
Subject: [Snort-users] Getting Incorrect URL Error Message for a
        working URL
To: snort-users () lists sourceforge net
Message-ID: <OF5E480AC0.AF542C41-ON85257C7C.00745DD7-85257C7C.00785867 () jwpepper com>

Content-Type: text/plain; charset="us-ascii"

Hello All,

Installed Version: Snort v2.9.6.0  --and--  Oinkmaster v2.0

Let me start by saying I am new to Snort, but I have it configured and
running in IDS mode. The issue I'm having is with Oinkmaster.pl, which is
telling me the URL I am giving is incorrect. Sorry if this was asked
before, but I tried checking the mail-list's archive for a similar
situation, and without a search function it was impossible to find a
similar case...

But anyway, I am a registered User on snort.org and I generated an
"Oinkcode" from My Account page in order to get a URL configured for
oinkmaster to update my rules.

I added the following URL from my "My Oinkcode" page, under "Registered
User Release", which was generated using the specific code that was given
to me, to my "/etc/oinkmaster.conf" file (FYI, I hid my OinkCode with
'xxx....' below):


http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

This link was the default one given as an example, so I tried
".../snortrules-snapshot-2960.tar.gz/..." because that is the Snort
version I currently have installed, and when I open that in a browser I
get the error below:

Snort.org Rule Pack Download Error:
      --------------------------
      Subscription: false
      --------------------------
      No rule pack with this filename is available to you.
      --------------------------

I assume since this is the newest version of Snort available, the rules
are not yet ready for download...?
So I tried the next newest release, which was -->
"snortrules-snapshot-2956.tar.gz"


http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I entered that URL above into a browser, and when the page loads I'm
prompted with a download dialog to download the snortrules-snapshot.
Since I got a download prompt I assume this is the correct URL for me to
use. So I entered the following line in my oinkmaster.conf file:

url = http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Now, when I run the oinkmaster command to update/download the newest
rules file I get an error about the URL, see below:

# oinkmaster -o /etc/snort/rules
Loading /etc/oinkmaster.conf

/usr/local/bin/oinkmaster: Error: incorrect URL: "http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Oink, oink. Exiting...

Since the URL works in a browser I'm not sure why it wouldn't work from
the oinkmaster.pl command.
Does anyone know why this would be happening? Any thoughts or suggestions
would be much appreciated.


Thanks in Advance,
Matt



------------------------------

Message: 4
Date: Tue, 11 Feb 2014 17:41:22 -0500
From: MMartin () jwpepper com
Subject: Re: [Snort-users] Getting Incorrect URL Error Message for a
        working URL
To: snort-users () lists sourceforge net
Message-ID: <OF92E3AC43.8A1FF157-ON85257C7C.007B4451-85257C7C.007CA3E1 () jwpepper com>

Content-Type: text/plain; charset="us-ascii"

Hey Guys,

Sorry to double post, but I think I may have found the problem...

Looking at the Perl code for oinkmaster.pl I found the section that checks
the URL by comparing it to a REGEX... You can see in the snippet of code
below, that the regex wants the URL to end with ".tar.gz" --or-- ".tgz"...
Which is why my URL wouldn't work...

        Here is the REGEX from the snippet below ==> /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/

__________________________                      __________________________
                                    CODE SNIPPET
# Make sure all urls look ok, and untaint them.
my @urls = @{$config{url}};
$#{$config{url}} = -1;
foreach my $url (@urls) {
    clean_exit("incorrect URL: \"$url\"")
      unless ($url =~ /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/
              || $url =~ /^(dir:\/\/.+)/);

    my $ok_url = $1;
    :.....MORE CODE.....
}
________________________END CODE SNIPPET________________________


The problem is my URL actually ends with my Oinkcode and  NOT the file
name...

I think I'll try to adjust the REGEX to match MY url and give it another
try in the morning... I'll let you guys know what happens just in case
anyone else has or had this issue and isn't familiar with Perl and/or
REGEXs. Although, I could probably just remove the '$' at the end of the
REGEX and it should probably work just fine since that matches the end of
the line, and by including "^" at the start, and '$' at the end, it's
basically saying it has to start and end exactly like this..... And
removing the '$' will basically just make it want to see that ".tar.gz" or
".tgz" is included somewhere in the URL...

I'll post back shortly. Again, sorry about double posting...

Thanks Again,
Matt





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
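An added demonstration of the check quoted in the snippet above (example code for this archive page, with the Perl regex transcribed into Python; it is not Oinkmaster's code and not from the poster). It shows what `$1`, and therefore `$ok_url`, would hold under the original pattern, under the post's idea of dropping the trailing `$`, and under an assumed alternative of mine that keeps both anchors and permits one trailing path segment for the oinkcode. The URLs are constructed: the registered-user one has the shape quoted in the post with a placeholder oinkcode, and the plain one uses a made-up host.

```python
import re

# The check quoted from oinkmaster.pl, transcribed with the same meaning: the
# URL must end in .tar.gz or .tgz, and group 1 ($1) becomes the untainted URL.
ORIGINAL_RE = re.compile(r'^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz))$')
DIR_RE = re.compile(r'^(dir://.+)')

# The post's proposal: drop the trailing "$".
NO_ANCHOR_RE = re.compile(r'^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz))')

# Assumed alternative (mine, not oinkmaster's): keep both anchors and allow one
# trailing path segment after the archive name, which is where the oinkcode sits.
SUFFIX_RE = re.compile(
    r'^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz)(?:/[A-Za-z0-9]+)?)$')


def untaint_url(url, pattern=ORIGINAL_RE):
    """Mirror the snippet: return what $1 would hold, or None if clean_exit would fire."""
    m = pattern.match(url) or DIR_RE.match(url)
    return m.group(1) if m else None


# Constructed URLs: the registered-user form from the post with a placeholder
# oinkcode, and a plain archive URL on a made-up host.
OINKCODE = 'x' * 40
REG_URL = 'http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/' + OINKCODE
PLAIN_URL = 'http://rules.example.com/snortrules-snapshot.tar.gz'


if __name__ == '__main__':
    for name, pat in [('original', ORIGINAL_RE),
                      ('no $ anchor', NO_ANCHOR_RE),
                      ('with suffix', SUFFIX_RE)]:
        print('%-12s %s' % (name, untaint_url(REG_URL, pat)))
```

With the `$` removed the pattern does match, but the greedy `.+` backtracks only as far as the last `.tar.gz`, so the capture ends there and the oinkcode is no longer in `$ok_url`. Since the comment in the snippet says this regex is also what untaints the URL, any widening should stay anchored and as narrow as the URL shape actually needs.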

------------------------------



------------------------------



End of Snort-users Digest, Vol 93, Issue 13
*******************************************




-- 
Aditya prakash(SDDE)
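As an added example for the question at the top of this message (code written for this archive page, not from the poster and not a Snort feature), a Python filter that rewrites Snort's text alert timestamps to whole seconds. It handles the default `MM/DD-HH:MM:SS.uuuuuu` form and the form with the year that snort writes when run with `-y`. The sample lines are constructed.

```python
import re

# Snort text timestamps look like MM/DD-HH:MM:SS.uuuuuu, or MM/DD/YY-HH:MM:SS.uuuuuu
# when snort runs with -y. Group 1 keeps the date and time; the fraction is dropped.
TS_RE = re.compile(r'(\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2})\.\d+')


def trim_microseconds(line):
    """Cut every Snort timestamp in the line down to whole seconds."""
    return TS_RE.sub(r'\1', line)


def trim_lines(lines):
    """Trim a sequence of alert lines; return (trimmed_lines, number_changed)."""
    out, changed = [], 0
    for line in lines:
        new = trim_microseconds(line)
        changed += new != line
        out.append(new)
    return out, changed


def trim_file(src_path, dst_path):
    """Write a trimmed copy; never overwrite the raw alert file Snort writes."""
    with open(src_path) as src:
        trimmed, changed = trim_lines(src.read().splitlines(keepends=True))
    with open(dst_path, 'w') as dst:
        dst.writelines(trimmed)
    return changed


# Constructed sample lines (not from the original post): an alert_fast line,
# an sfportscan "Time:" line, a -y style line, and a line with no timestamp.
SAMPLE_LINES = [
    '02/11-14:49:22.006688  [**] [1:1000001:1] constructed test alert [**] '
    '[Priority: 3] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80',
    'Time: 02/11-14:49:22.006688',
    '02/11/14-14:49:22.006688  [**] [1:1000002:1] constructed test alert 2 [**] '
    '[Priority: 3] {UDP} 10.0.0.5:5353 -> 10.0.0.9:53',
    'Priority Count: 5',
]


if __name__ == '__main__':
    for line in trim_lines(SAMPLE_LINES)[0]:
        print(line)
```

Keep the original file: the microsecond field is what lets you line an alert up with a pcap or a unified2 record, so trim a copy for reading and reporting rather than the file Snort is writing to.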