Snort mailing list archives

Re: Snort-users Digest, Vol 105, Issue 49


From: Ikenna Chiadikaobi <reniykec () yahoo com>
Date: Wed, 18 Feb 2015 02:44:11 +0000 (UTC)

Hi everyone, please, how can I get the false negative and false positive rates after I evaluate Snort with the DARPA dataset?
Thanks
 

On Wednesday, February 18, 2015 5:02 AM, "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net> wrote:
   

 Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

  1. Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? (James Lay)
  2. Re: $eth1_ADDRESS still a valid variable in 2.9.7.0? (Starner, Mark)


----------------------------------------------------------------------

Message: 1
Date: Tue, 17 Feb 2015 13:51:58 -0700
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in
    2.9.7.0?
To: <snort-users () lists sourceforge net>
Message-ID: <51b1cadb56b0ced49e0c4debe71ac9e5@localhost>
Content-Type: text/plain; charset="utf-8"

 

On 2015-02-17 01:32 PM, Al Lewis (allewi) wrote:

Can you send us the conf file you are using? Or how you are defining the variables?


Thanks!

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

FROM: Starner, Mark [mailto:mark.starner () unisys com]
SENT: Tuesday, February 17, 2015 12:54 PM
TO: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?


Ok.. I get that... So I come back to my original question.

How do I get $ethX_ADDRESS variables assigned if --enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?

Here is the section of code from parser.c

#ifndef SOURCEFIRE
    /* If snort is not run with root privileges, no interfaces will be defined,
     * so user beware if an iface_ADDRESS variable is used in snort.conf and
     * snort is not run as root (even if just in read mode) */
    DefineAllIfaceVars(sc);
#endif

Is there another way to enable that?

Curious what the thinking is here?

Thanks

Mark

FROM: Joel Esler (jesler) [mailto:jesler () cisco com]
SENT: Tuesday, February 17, 2015 12:21 PM
TO: Starner, Mark
CC: snort-users () lists sourceforge net
SUBJECT: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

Unfortunately that disables everything that we test against with the ruleset. I suggest you not do that.

On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner () unisys com> wrote:

I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.

Maybe this will help anyone else who comes across this.

Mark


FROM: Starner, Mark [mailto:mark.starner () unisys com]
SENT: Tuesday, February 17, 2015 11:33 AM
TO: snort-users () lists sourceforge net
SUBJECT: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

I think I encountered this with a previous upgrade, but I don't recall how I resolved it.

So

1) Is this still valid with 2.9.7.0?

2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined).

Thanks

Mark


------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Define it at the start of local.rules:

    ipvar eth1_ADDRESS <ip.address>

James


------------------------------

Message: 2
Date: Tue, 17 Feb 2015 20:38:38 +0000
From: "Starner, Mark" <mark.starner () unisys com>
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in
    2.9.7.0?
To: "Al Lewis (allewi)" <allewi () cisco com>,
    "snort-users () lists sourceforge net"
    <snort-users () lists sourceforge net>
Message-ID:
    <b232f59324364cddb16c26ebbf2dfc65 () US-EXCH13-2 na uis unisys com>
Content-Type: text/plain; charset="utf-8"

I am not defining the variable. In the past (and without --enable-sourcefire) Snort always defined the variable for me. And it still does if I don't use the "--enable-sourcefire" config directive.

I'd prefer not to send my conf file in the clear to the mailing list.

I am just using that Snort defined variable in one of my rules to generate an alert for specific packets directed to the Management Interface of my Snort Sensor.

My questions at this point are:

1) Is it safe to run Snort as root in order to get Snort to define the interface variables? (since that seems to be the only way to get those variables assigned if you --enable-sourcefire)

2) Why does "--enable-sourcefire" disable the creation/assignment of the interface variables? Is there a risk using those variables in rules?

From: Al Lewis (allewi) [mailto:allewi () cisco com] 
Sent: Tuesday, February 17, 2015 3:33 PM
To: Starner, Mark; snort-users () lists sourceforge net
Subject: RE: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

Can you send us the conf file you are using? Or how you are defining the variables?

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

 

From: Starner, Mark [mailto:mark.starner () unisys com] 
Sent: Tuesday, February 17, 2015 12:54 PM
To: snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net> 
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

Ok.. I get that... So I come back to my original question.

How do I get $ethX_ADDRESS variables assigned if --enable-sourcefire is configured and I am not running snort as root? I thought running as root was a bad idea?

 

Here is the section of code from parser.c

#ifndef SOURCEFIRE
    /* If snort is not run with root privileges, no interfaces will be defined,
     * so user beware if an iface_ADDRESS variable is used in snort.conf and
     * snort is not run as root (even if just in read mode) */
    DefineAllIfaceVars(sc);
#endif

 

Is there another way to enable that?

Curious what the thinking is here?

Thanks

Mark

 

 

From: Joel Esler (jesler) [mailto:jesler () cisco com] 
Sent: Tuesday, February 17, 2015 12:21 PM
To: Starner, Mark
Cc: snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net> 
Subject: Re: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

Unfortunately that disables everything that we test against with the ruleset.  I suggest you not do that. 

 

 

On Feb 17, 2015, at 12:03 PM, Starner, Mark <mark.starner () unisys com <mailto:mark.starner () unisys com> > wrote:

 

I retract my question. I configured "--enable-sourcefire" for the first time and found the comment in parser.c that said the $IF_ADDRESS variables are not defined if Sourcefire is enabled and snort is not running as root. So I recompiled without "--enable-sourcefire" and all is well.

Maybe this will help anyone else who comes across this.

Mark

 

 

From: Starner, Mark [mailto:mark.starner () unisys com] 
Sent: Tuesday, February 17, 2015 11:33 AM
To: snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net> 
Subject: [Snort-users] $eth1_ADDRESS still a valid variable in 2.9.7.0?

 

I use $eth1_ADDRESS in one of my local rules, and when snort 2.9.7.0 starts, it says:

ERROR: rules/local.rules(8) Undefined variable in the string: $eth1_ADDRESS.

I think I encountered this with a previous upgrade, but I don't recall how I resolved it.

So

1) Is this still valid with 2.9.7.0?

2) If Yes, then what would cause this NOT to be defined (yes, I verified I have an eth1 and it has an IP address defined).

Thanks

Mark

 


------------------------------


------------------------------


End of Snort-users Digest, Vol 105, Issue 49
********************************************
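For the question at the top of this message (false negative and false positive rates after an evaluation run), here is an added example, not from the original thread, of scoring Snort alert_fast output against a labelled attack list. The alert lines and attack windows are constructed, and the label layout (attacker IP plus time window) is an assumption rather than the DARPA files' own format.

```python
import re
from datetime import datetime

# Constructed sample of Snort alert_fast output (not real DARPA run results).
ALERTS = """\
02/18-10:00:05.123456  [**] [1:1000001:1] LOCAL scan to mgmt iface [**] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.1:22
02/18-10:00:07.000001  [**] [1:1000001:1] LOCAL scan to mgmt iface [**] [Priority: 2] {TCP} 10.0.0.5:4445 -> 10.0.0.1:23
02/18-10:30:00.500000  [**] [1:2000002:1] LOCAL odd DNS reply [**] [Priority: 3] {UDP} 10.0.0.9:53 -> 10.0.0.1:53
02/18-12:00:00.000000  [**] [1:3000003:1] LOCAL web attack [**] [Priority: 1] {TCP} 172.16.1.7:5000 -> 10.0.0.1:80
"""
# Constructed ground truth: (attacker IP, window start, window end). The real
# DARPA label files use their own layout; only this list needs adapting.
ATTACKS = [
    ("10.0.0.5",    "02/18-10:00:00", "02/18-10:00:10"),  # covered by two alerts
    ("172.16.1.7",  "02/18-12:00:00", "02/18-12:00:30"),  # covered by one alert
    ("192.168.3.3", "02/18-11:00:00", "02/18-11:05:00"),  # no alert: false negative
]
TS_FMT = "%m/%d-%H:%M:%S"
# Timestamp, then anything up to the {PROTO} tag, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ .*\{\w+\} ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?$")

def parse_alerts(text):
    """Return (timestamp, src_ip, dst_ip) for each alert_fast line that parses."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return out

def score(alerts, attacks):
    """An attack counts as detected if any alert matches its source IP inside
    its window; an alert matching no attack is a false positive. A true FP
    *rate* needs the benign-session count (TN), which alert logs lack, so
    fp_fraction is the share of alerts that were false, not FP/(FP+TN)."""
    windows = [(src, datetime.strptime(s, TS_FMT), datetime.strptime(e, TS_FMT))
               for src, s, e in attacks]
    detected, true_alerts = set(), 0
    for ts, src, _dst in alerts:
        hits = [i for i, (asrc, s, e) in enumerate(windows) if src == asrc and s <= ts <= e]
        detected.update(hits)
        if hits:
            true_alerts += 1
    fp = len(alerts) - true_alerts
    fn = len(attacks) - len(detected)
    return {"tp_attacks": len(detected), "fn": fn, "fp": fp,
            "fnr": fn / len(attacks), "fp_fraction": fp / len(alerts)}
```

Run `score(parse_alerts(ALERTS), ATTACKS)` on the constructed data to get one missed attack (fnr 1/3) and one false alert out of four (fp_fraction 0.25).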


   