Snort mailing list archives
Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)
From: Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
Date: Sun, 12 Jun 2022 15:58:29 +0000
Dear Russ,

Here is the documentation README.dump.md:

'''
Dump Module
===========

A wrapper DAQ module that presents the configuration stack as inline-interface- and injection-capable. All packet messages that are finalized with a passing verdict (PASS, REPLACE, WHITELIST, IGNORE) or injected will be written to a PCAP savefile.

By default, the packet capture file will be named 'inline-out.pcap' in the current directory. The default filename can be overridden with the 'file' variable. For historical reasons, the 'output' variable also exists and accepts only one valid argument in 'none' to disable writing out a PCAP file altogether.

The Dump DAQ module also supports capturing received packets to a separate PCAP savefile. This is disabled by default, but can be enabled with the 'dump-rx' variable. The 'dump-rx' variable takes an optional argument for the filename to dump received packets to; it defaults to 'inline-in.pcap' if no argument is given.

When running with multiple instances, both the TX and RX output filenames will be mangled to start with the instance ID followed by an underscore. For example, the default TX output filename would be '2_inline-out.pcap' for the second instance. Both the TX and RX output filenames must be bare (no directory structure, relative nor absolute) in such a configuration.

Requirements
------------

* libpcap >= 1.0.0
  (LibPCAP 1.9.0 is available at the time of writing and is recommended.)
'''

As you see, it is missing the command line! Thus I repeat my question and I ask another question: where is the command line with the dump, and how do I repair my problem?!

Thank you in advance for your answer, and finally, thank you in advance for not answering aside,

Regards.

Dorian ROSSE.
________________________________
From: Russ Combs (rucombs) <rucombs () cisco com>
Sent: Tuesday, June 7, 2022 16:36
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

I recommend them all, including dump, depending on use case. You need to read up on the modules available in the libdaq and snort3 repos to find out which apply to your case and how to use them:

libdaq:
./README.md
./modules/dump/README.dump.md
./modules/divert/README.divert.md
./modules/trace/README.trace.md
./modules/savefile/README.savefile.md
./modules/bpf/README.bpf.md
./modules/gwlb/README.gwlb.md
./modules/pcap/README.pcap.md
./modules/fst/README.fst.md
./modules/nfq/README.nfq.md
./modules/afpacket/README.afpacket.md
./modules/netmap/README.netmap.md

snort3:
./doc/user/daq.txt (or the user manual)

________________________________
From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Tuesday, June 7, 2022 9:33 AM
To: Russ Combs (rucombs) <rucombs () cisco com>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

Hello,

What module do you advise aside from dump?

Thank you in advance for your answer,

Regards.

Dorian Rosse.
________________________________
From: Russ Combs (rucombs) <rucombs () cisco com>
Sent: Tuesday, June 7, 2022 3:15:08 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

You got the error because the dump DAQ module does not support these DAQ variables you are setting on the command line. They look like afpacket variables. Check the DAQ READMEs to select and configure an appropriate module for your needs.

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Akshay Prabhakar via Snort-users <snort-users () lists snort org>
Sent: Monday, June 6, 2022 6:20 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

I fall on this error since I have installed the rules for the next last snort 2.3.30:

'''
~/snort_src/snort3-3.1.21.0$ sudo snort -c /usr/local/etc/snort/snort.lua --daq-dir ../libdaq-3.0.7 --daq pcap --daq dump --daq-var lb_total=4 --daq-var fanout_type=hash -s 65535 -k all -l /var/log/snort -i enp0s25 --daq-var lb_id=1 -i wlp3s0 --daq-var lb_id=2 -z 2 -m 0x1b
--------------------------------------------------
o")~ Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading inline.lua:
Finished inline.lua:
Loading talos.lua:
Finished talos.lua:
trace output alert_json ips dnp3 binder wizard detection reputation
Processing blocklist file /usr/local/etc/snort/../lists/default.blocklist
Reputation entries loaded: 801, invalid: 0, re-defined: 0 (from file /usr/local/etc/snort/../lists/default.blocklist)
appid file_policy file_id http2_inspect dce_tcp active dns references classifications arp_spoof snort
ERROR: /usr/local/etc/snort/snort.lua: snort.--daq-var is invalid
stream_user stream_tcp stream_icmp stream_ip profiler alert_talos stream stream_udp stream_file back_orifice imap iec104 modbus netflow normalizer pop rpc_decode sip ssh ssl telnet dce_smb dce_udp dce_http_proxy dce_http_server gtp_inspect port_scan smtp ftp_server ftp_client ftp_data http_inspect alerts daq decode host_cache host_tracker hosts network packets process search_engine so_proxy
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
rule counts
total rules loaded: 600
builtin rules: 600
option chains: 600
chain headers: 1
--------------------------------------------------
port rule counts
          tcp  udp  icmp  ip
any       600    0     0   0
total     600    0     0   0
--------------------------------------------------
ips policies rule stats
id  loaded  shared  enabled  file
0   600     0       600      /usr/local/etc/snort/snort.lua
--------------------------------------------------
dump:pcap DAQ configured to inline.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..

On Wed, May 25, 2022 at 12:23 AM Dorian ROSSE via Snort-users <snort-users () lists snort org> wrote:

Hello,

I fall on this error since I have installed the rules for the next last snort 2.3.30:

'''
~/snort_src/snort3-3.1.21.0$ sudo snort -c /usr/local/etc/snort/snort.lua --daq-dir ../libdaq-3.0.7 --daq pcap --daq dump --daq-var lb_total=4 --daq-var fanout_type=hash -s 65535 -k all -l /var/log/snort -i enp0s25 --daq-var lb_id=1 -i wlp3s0 --daq-var lb_id=2 -z 2 -m 0x1b
--------------------------------------------------
o")~ Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading inline.lua:
Finished inline.lua:
Loading talos.lua:
Finished talos.lua:
trace output alert_json ips dnp3 binder wizard detection reputation
Processing blocklist file /usr/local/etc/snort/../lists/default.blocklist
Reputation entries loaded: 801, invalid: 0, re-defined: 0 (from file /usr/local/etc/snort/../lists/default.blocklist)
appid file_policy file_id http2_inspect dce_tcp active dns references classifications arp_spoof snort
ERROR: /usr/local/etc/snort/snort.lua: snort.--daq-var is invalid
stream_user stream_tcp stream_icmp stream_ip profiler alert_talos stream stream_udp stream_file back_orifice imap iec104 modbus netflow normalizer pop rpc_decode sip ssh ssl telnet dce_smb dce_udp dce_http_proxy dce_http_server gtp_inspect port_scan smtp ftp_server ftp_client ftp_data http_inspect alerts daq decode host_cache host_tracker hosts network packets process search_engine so_proxy
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
rule counts
total rules loaded: 600
builtin rules: 600
option chains: 600
chain headers: 1
--------------------------------------------------
port rule counts
          tcp  udp  icmp  ip
any       600    0     0   0
total     600    0     0   0
--------------------------------------------------
ips policies rule stats
id  loaded  shared  enabled  file
0   600     0       600      /usr/local/etc/snort/snort.lua
--------------------------------------------------
dump:pcap DAQ configured to inline.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..
'''

I don't understand the error. Thank you in advance for helping me fully repair this snort or since the other e-mail for snort 2.3.30,

Regards.

Dorian ROSSE.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

--
WITH REGARDS
AKSHAY.K.PRABHAKAR
akshayk.prabhakar () gmail com
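
Added example (not part of any message in this thread and not Snort project code): a shell check that pairs each --daq-var on the command line quoted above with the --daq module it follows, and flags names that the dump README quoted in this thread does not document ('file', 'output', 'dump-rx'). It assumes a --daq-var applies to the most recent --daq before it; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project.
# Variables documented in README.dump.md as quoted in this thread.
DUMP_VARS="file output dump-rx"

# Print "<module> <variable> <status>" for every --daq-var in the arguments.
# Assumption: a --daq-var belongs to the most recent --daq before it.
audit_daq_vars() {
    local module="(none)" name status
    while [ $# -gt 0 ]; do
        case "$1" in
            --daq)
                [ $# -ge 2 ] || break      # option given without its argument
                module="$2"; shift ;;
            --daq-var)
                [ $# -ge 2 ] || break
                name="${2%%=*}"            # drop "=value", keep the name
                status="unchecked"         # no variable list for this module here
                if [ "$module" = "dump" ]; then
                    case " $DUMP_VARS " in
                        *" $name "*) status="ok" ;;
                        *)           status="unsupported" ;;
                    esac
                fi
                echo "$module $name $status"
                shift ;;
        esac
        shift
    done
}

# Space-separated, de-duplicated names that the dump README does not document.
unsupported_dump_vars() {
    audit_daq_vars "$@" | awk '$3 == "unsupported" { print $2 }' | sort -u | xargs
}

# Call a checker with the snort arguments copied from the thread.
with_thread_args() {
    "$@" -c /usr/local/etc/snort/snort.lua --daq-dir ../libdaq-3.0.7 \
        --daq pcap --daq dump --daq-var lb_total=4 --daq-var fanout_type=hash \
        -s 65535 -k all -l /var/log/snort -i enp0s25 --daq-var lb_id=1 \
        -i wlp3s0 --daq-var lb_id=2 -z 2 -m 0x1b
}

with_thread_args audit_daq_vars
```

Variables for modules other than dump are reported as "unchecked" because this thread does not list them; the module READMEs named in the reply above are the reference for those.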