Snort mailing list archives
unsubscribe
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
Date: Fri, 11 May 2001 08:20:08 -0600
I unsubscribed from this list this morning. Please STOP SENDING ME EMAILS!

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Friday, May 11, 2001 7:46 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #635 - 7 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit http://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Slightly OT - Re: [Snort-users] My apologies (Avleen Vig)
2. Broadscan Smurf Scanner (Jones, Benny)
3. RE: Rules vs performance (Robinson, Ken)
4. NetFlow output plugin? (Mayers, Philip J)
5. FW: [Snort-users] NetFlow output plugin? (Mayers, Philip J)
6. snort 1.7+mysql+acid == headaches. pass the aspirin? (long) (Jason Costomiris)
7. unsubscribe (Ryan McClure (Systems Admin) - United Shipping)

--__--__--

Message: 1
From: "Avleen Vig" <avleen () ivision co uk>
To: <Kevin.Brown () asu edu>, <snort-users () lists sourceforge net>
Subject: Slightly OT - Re: [Snort-users] My apologies
Date: Fri, 11 May 2001 09:58:44 +0100
I don't know what happened but the mail I send from outlook gets turned into html garbage when I send to this list. I verified my options in both outlook and with sourceforge, so somewhere between the two (maybe the damn exchange server) is converting my plain text messages into htmlized junk.
Indeed, it IS your server:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =5.5.2653.12">
<TITLE>RE: [Snort-users] Rules vs performance</TITLE>
</HEAD>
<BODY>

Recommend you hit your mail admin over the head with a large banana, especially in days of HTML-transferred viruses - if things like this pass, how long until someone finds a way to infect the Exchange Server's HTML generator? Hmmmmmmmm, possibly time to create a rule that servers are adding this? I dunno <shrug>

--__--__--

Message: 2
Date: Fri, 11 May 2001 07:39:38 -0400
From: "Jones, Benny" <Ben () wcom net>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: [Snort-users] Broadscan Smurf Scanner

What's the significance of the ICMP Broadscan Smurf Scanner alert? I've read about Smurf attacks; is this one, or a precursor to one?

Thanks.
Benny

--__--__--

Message: 3
From: "Robinson, Ken" <ken.robinson () ccra-adrc gc ca>
To: "'Jean-Francois Zwobada'" <zwobada () fluxus net>, Kevin Brown <Kevin.M.Brown () asu edu>, "Snort List (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Rules vs performance
Date: Fri, 11 May 2001 08:18:27 -0400

I want to handle full duplex, 100Mbit. We're using Ether Taps, so each direction is actually a different NIC.

-----Original Message-----
From: Jean-Francois Zwobada [mailto:zwobada () fluxus net]
Sent: May 11, 2001 2:55 AM
To: Kevin Brown; 'Robinson, Ken'; Snort List (E-mail)
Subject: RE: [Snort-users] Rules vs performance

Hi guys

What's the average and peak bandwidth you're trying to analyse?

Regards
JF

At 12:53 10/05/01 -0700, Kevin Brown wrote:
I know on the Intel box I was testing out (PII 450, 256MB) on a 100Mb/s link the snort was clocking 40% of the CPU with absolutely no rules or plugins. I don't remember the specifics, but I was removing rules from the list till snort dropped to 80% or less, and of the ruleset of 400 rules I had to drop all but 50, I believe, to get it down. I'm currently using a Sparc 500 and it is clocking 50% of the CPU (same link) with the full ruleset in place (snort 1.8b5 build 20). I downloaded top and compiled it and just watch the processes, and notice that with just the database and spp plugins snort is slowly eating up my 1GB of memory. I don't know if that is a memory leak or just a lot of memory caching going on within snort.
-----Original Message-----
From: Robinson, Ken [mailto:ken.robinson () ccra-adrc gc ca]
Sent: Thursday, May 10, 2001 12:42
To: Snort List (E-mail)
Subject: [Snort-users] Rules vs performance

Hello,

Are there any rules of thumb, or such, on how the number of Snort rules affects the performance? In doing some lab tests, we found that as the amount of traffic went up, we detected fewer and fewer test attacks. CPU usage was high, but not peaked right out. The lab boxes were PIII 800MHz systems with 100Mbit NICs and 256Meg RAM. I don't know if the misses were due to an issue with the hardware (NIC missing packets?), or if there were too many rules to sort through for the Snort software, or too much logging?

We've looked through the snort rules from Whitehats and found many cases where we could reduce the rules by either dropping them (i.e. don't care), reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping instead of detecting which OS), or making groups of them as activate rules (i.e. the DeepThroat backdoor rules). We could also use the Activate rules to log the next 50 packets and then run a full set of rules on those logged packets.

So, any advice for us? Should we use Activate rules as much as possible? Should we generalize rules? Or is all of this not going to make much of a difference?

Thanks.

----
Ken Robinson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.44.97.70.00 - Fax : +33.1.44.97.70.14
30, rue du Chateau des Rentiers - 75013 PARIS

--__--__--

Message: 4
From: "Mayers, Philip J" <p.mayers () ic ac uk>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Fri, 11 May 2001 13:30:44 +0100
Subject: [Snort-users] NetFlow output plugin?

All,

We're successfully sniffing our 100Mb connection (and getting good data too) with Snort 1.7 - congratulations to all for a great product. In case anyone's interested, we're sniffing 7k packets/sec (30Mbits) on a 256Mb PIII800 (Compaq DL380) at about 15-20% CPU usage. We're going to try a 64-bit PCI gigabit card at some point, hopefully before we move to a Gigabit connection (eek!).

Anyway, my managers like pretty graphs so I've been investigating the possibility of writing a preprocessor that will do things like top-N hosts and bucket-sorting based on packet size/subnet/port number/etc. The thought occurred to me that the best way to do this would be to have Snort generate Cisco NetFlow stats and use some of the many tools available to pull that data out. Has anyone thought about that, or should I give it a look?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

--__--__--

Message: 5
From: "Mayers, Philip J" <p.mayers () ic ac uk>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: FW: [Snort-users] NetFlow output plugin?
Date: Fri, 11 May 2001 14:09:59 +0100

Here's a list (no particular order) of the tools I've been looking at:

EHNT: http://sourceforge.net/projects/ehnt/
The Caida tools are good: http://www.caida.org/tools/measurement/cflowd/
Netramet: http://www2.auckland.ac.nz/net/Accounting/ntm.Release.note.html
Flowc: http://www.univ.kiev.ua/~roman/soft/flowc/
Cisco have some stuff: http://www.cisco.com/warp/public/732/netflow/
Flowscan: http://net.doit.wisc.edu/~plonka/FlowScan/
Freesite is a total billing system: http://www.sisd.com/freeside/
Some random stuff:
http://www.tsh.or.id/netflow.shtml
http://www.switch.ch/tf-tant/floma/software.html

For those of you with Extreme switches in your network, I've been hearing rumbles that the next release of the firmware will support flow-export (like Cisco's).

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Chris Schuler [mailto:cschuler () mindleaders com]
Sent: 11 May 2001 13:54
To: 'p.mayers () ic ac uk'
Subject: [Snort-users] NetFlow output plugin?

My managers are the same way, but I'm getting ready to start my research on what tools analyze the data. Your email sounded like you knew of a few tools that worked w/ netflow data... could you take a min and list a few for me to look into?

--__--__--

Message: 6
Date: Fri, 11 May 2001 09:24:52 -0400
From: Jason Costomiris <jcostom () jasons org>
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort 1.7+mysql+acid == headaches. pass the aspirin? (long)

Yesterday, I brought up a shiny new RH 7.1 box specifically for testing snort. It's got two NICs installed: eth0 sits on my private net, behind the firewall; eth1 is connected to the external network, is up, but has no IP configured on it - so-called stealth mode. The external net is @home's network in my home area. The whole deal looks like this:

    @home----cablemodem----hub-----....

Both my firewall and the eth1 i/f from the snort box are connected to that hub. Pretty normal configuration, based on my previous IDS experience, mostly deploying RealSecure.

I started by building my own RPMs for libpcap-0.6.2, so I could dump the RH 0.4 version. Then I built snort from the RPM provided on snort.org, with a few subtle changes (--enable-smbalerts --with-mysql --with-openssl). Everything installed just swimmingly and SEEMS to be in working order. Seems indeed.

I'm using the vision rules from whitehats, so this config is not exactly the "stock" configuration.
However, I see no reason for it not to work:

    var INTERNAL 24.a.b.c/32
    var EXTERNAL !$INTERNAL
    preprocessor defrag
    preprocessor http_decode: 80
    preprocessor portscan: $INTERNAL 5 5 /var/log/snort/portscan.log
    preprocessor stream: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
    output database: alert, mysql, dbname=snort host=localhost user=snort
    output log_tcpdump: log.tcpdump
    include /etc/snort/vision.rules

Currently, my init scripts invoke snort as:

    /usr/sbin/snort -u snort -g snort -d -D -i eth1 -l /var/log/snort \
        -c /etc/snort/vision.conf

Having read elsewhere that -D suppresses errors, I invoked it myself without the -D and get the following:

    --== Initializing Snort ==--
    Initializing Network Interface eth1
    WARNING: OpenPcap() device eth1 network lookup: eth1: no IPv4 address assigned
    Decoding Ethernet on interface eth1
    Initializing Preprocessors!
    Initializing Plug-ins!
    Initializating Output Plugins!
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    database: compiled support for ( mysql postgresql )
    database: configured to use mysql
    database: database name = snort
    database: host = localhost
    database: user = snort
    database: sensor name = <sensor-name-removed>
    database: sensor id = 1
    database: using the "alert" facility
    533 Snort rules read...
    533 Option Chains linked into 199 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Rule application order: ->activation->dynamic->alert->log->pass
    --== Initialization Complete ==--

This seems to indicate that snort's cool with logging to the database. However, it never logs anything. I created the database using the create_mysql script that came as a part of snort-1.7.tar.gz; I also added the snortdb-extra stuff as well. Bottom line is that nothing gets logged to the database, nor do I get anything in the tcpdump logs either.
On another note, I also installed ACID 0.9.6b8, which seemed to go in without any trouble, but also confirms no alerts are in the db. ACID is also complaining about snort signatures not being in the database:

    Database ERROR:Table 'snort.signature' doesn't exist

Thoughts?

--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.

--__--__--

Message: 7
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
To: snort-users () lists sourceforge net
Date: Fri, 11 May 2001 07:45:36 -0600
Subject: [Snort-users] unsubscribe

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 4:12 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #633 - 6 msgs

Today's Topics:
1. RE: DNS Query Logging? (Steve Frank)
2. Re: Snort + Acid w/ MySQL question(s) (alexus)
3. Re: Snort + Acid w/ MySQL question(s) (Koaps)
4. Snort won't run (alexus)
5. RE: Snort won't run (Kevin Brown)
6. Re: Snort won't run (alexus)

-- __--__--

Message: 1
From: Steve Frank <sfrank () midcom-inc com>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] DNS Query Logging?
Date: Thu, 10 May 2001 16:22:05 -0500

Isn't that logged in most default DNS installations anyway?
My NSTATS are configured to pop into my syslog all the time -- you should be able to see all your query types there -- or are you looking for something more specific than that, Jeff?

Steve Frank
Network Manager
Midcom, Inc.

-----Original Message-----
From: Richard, Jeff [mailto:Jeff-Richard () forum-financial com]
Sent: Thursday, May 10, 2001 3:48 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] DNS Query Logging?

I hope someone can give a hand on this. I need to get a count of how many DNS queries my DNS servers are receiving. What should a rule for DNS queries look like? I'm not familiar with DNS traffic, but realize that UDP 53 is the protocol/port, just not sure of any signature(s).

-Jeff

-- __--__--

Message: 2
From: "alexus" <ml () db nexgen com>
To: <roman () danyliw com>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 17:26:25 -0400

mysql> select * from user where user='alexus';

    Host            : localhost
    User            : alexus
    Password        : 34484ed463a66850
    Select_priv     : Y
    Insert_priv     : Y
    Update_priv     : N
    Delete_priv     : Y
    Create_priv     : N
    Drop_priv       : N
    Reload_priv     : N
    Shutdown_priv   : N
    Process_priv    : N
    File_priv       : N
    Grant_priv      : N
    References_priv : N
    Index_priv      : N
    Alter_priv      : N

1 row in set (0.00 sec)

mysql>

i copy and paste mysql output to show you that i do have all right privileges

i also upgraded acid to 0.9.6b9 (which is latest beta for today)

it still doesn't work

----- Original Message -----
From: <roman () danyliw com>
To: "alexus" <ml () db nexgen com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
One observation:

- ACID 0.9.5 does not use ADODB. This DB abstraction was introduced in 0.9.6b2 (Jan 2001). Hence, this addition into acid_conf.php will be ignored.

Two recommendations:

- are you sure that you have CREATE permissions on the DB user set in acid_conf.php? If all else fails, try using the "create_acid_tbls_mysql.sql" to manually create the ACID tables.
- upgrade to a more recent version of ACID => 0.9.6b9. There are significant feature improvements as well as bug fixes. If you prefer an older version, upgrade to at least 0.9.6b1 for it has a number of important bug fixes.

cheers,
Roman

I'm using the following:

FreeBSD 4.3 - RELEASE (STABLE)
ACID-0.9.5 - RELEASE (STABLE)
ADODB v1.0.1 - RELEASE (STABLE)
PHP - 4.0.5 - RELEASE (STABLE)
APACHE - 1.3.19 - RELEASE (STABLE)
SNORT - 1.7 - RELEASE (STABLE)

to compile snort i used following line:

    ../configure --with-mysql=/usr/local/mysql; make; make install

i did change acid_conf.php
i put path to adodb in adodb
i put local path in adodb.inc.php

when i go to http://localhost/acid it redirects me to acid_main.php and when it gets there i get this:

    The underlying database alexus@localhost appears to be invalid.
    The database version is valid, but the ACID DB structure (table: acid_ag) is not present.
    Use the Setup page to configure and optimize the DB

when i click on "Setup page" in status window i get "DONE" for "Search Indexes" and i have "Create ACID AG" for "ACID tables". i'm assuming i need to click on "Create ACID AG"; when I do that nothing happens, it won't disappear or it won't change status to "DONE".. what am i missing?

---------------------------------------------
This message was sent using Voicenet WebMail.
http://www.voicenet.com/webmail/
-- __--__--

Message: 3
From: "Koaps" <koaps () 2nutz com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 14:48:04 -0700

I am having problems with Snort logging to mysql too.

Originally I had Snort and MySQL on the same OpenBSD box; this caused MySQL to crash, a lot...

So I installed MySQL on a windows box, which also runs Snort locally. Amazingly the windows based Snort/MySQL/ACID works perfectly, and the OpenBSD snort trying to log to MySQL on windows is failing to write alerts...

just my two cents worth of crap....

L8rZ,

 )\_/(
< o,0 >
 ~ \ /
KoAps

----- Original Message -----
From: "alexus" <ml () db nexgen com>
To: <roman () danyliw com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 2:26 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
-- __--__--

Message: 4
From: "alexus" <ml () db nexgen com>
To: <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 17:49:38 -0400
Subject: [Snort-users] Snort won't run

i'm using snort 1.7 with latest set of rules

for some reason it won't run, any ideas?

    su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf

            --== Initializing Snort ==--

    Initializing Network Interface fxp0
    Decoding Ethernet on interface fxp0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Initializating Output Plugins!
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    *WARNING*: unknown preprocessor "stream2", ignoring!
    *WARNING*: unknown preprocessor "rpc_decode", ignoring!
    *WARNING*: unknown preprocessor "bo", ignoring!
    *WARNING*: unknown preprocessor "telnet_decode", ignoring!
    database: compiled support for ( mysql )
    database: configured to use mysql
    database: user = alexus
    database: database name = alexus
    database: password is set
    database: host = localhost
    database: sensor name = 64.81.208.245
    database: sensor id = 1
    database: using the "log" facility
    Error: Unknown config: classification
    su-2.04#

what am i doin wrong now?

-- __--__--

Message: 5
Date: Thu, 10 May 2001 14:56:12 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] Snort won't run
To: 'alexus' <ml () db nexgen com>, snort-users () lists sourceforge net

looks like you are missing a file. do you have a classification.config file in the directory with your .rules files? If yes, then do you have it included in snort.conf along with the rules?

-----Original Message-----
From: alexus [mailto:ml () db nexgen com]
Sent: Thursday, May 10, 2001 14:50
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort won't run

-- __--__--

Message: 6
From: "alexus" <ml () db nexgen com>
To: "Kevin Brown" <Kevin.M.Brown () asu edu>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 18:10:38 -0400

yes I do, I believe it came with snortrules.tgz file

    su-2.04# ls -al /usr/local/bin/rules/classification.config
    -rw-r--r--  1 root  users  1899 Apr 20 08:11 /usr/local/bin/rules/classification.config
    su-2.04#

just in case, in snort.conf i changed the following line from this

    include classification.config

to this

    include /usr/local/bin/rules/classification.config

still same error

----- Original Message -----
From: Kevin Brown
To: 'alexus' ; snort-users () lists sourceforge net
Sent: Thursday, May 10, 2001 5:56 PM
Subject: RE: [Snort-users] Snort won't run
name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT size=3D2>yes I do, I belive it came with snortrules.tgz=20 file</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>su-2.04# ls -al = /usr/local/bin/rules/classification.config=20 <BR>-rw-r--r-- 1 root users 1899 Apr 20 08:11=20 /usr/local/bin/rules/classification.config<BR>su-2.04# </FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>just in case in snort.conf i change</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>following line from this </FONT></DIV> <DIV><FONT size=3D2>include classification.config</FONT></DIV> <DIV><FONT size=3D2>to this</FONT></DIV> <DIV><FONT size=3D2>include=20 /usr/local/bin/rules/classification.config</FONT></DIV> <DIV><FONT size=3D2>still same error</FONT></DIV> <BLOCKQUOTE dir=3Dltr=20 style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; = BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px"> <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV> <DIV=20 style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: = black"><B>From:</B>=20 <A title=3DKevin.M.Brown () asu edu = href=3D"mailto:Kevin.M.Brown () asu edu">Kevin=20 Brown</A> </DIV> <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A title=3Dml () db nexgen com = href=3D"mailto:ml () db nexgen com">'alexus'</A> ; <A=20 title=3Dsnort-users () lists sourceforge net=20 = href=3D"mailto:snort-users () lists sourceforge net">snort-users@lists.sourc= eforge.net</A>=20 </DIV> <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Thursday, May 10, 2001 = 5:56=20 PM</DIV> <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> RE: [Snort-users] = Snort won't=20 run</DIV> <DIV><BR></DIV> <P><FONT size=3D2>looks like you are missing a file. do you have = a=20 classification.config file in the directory with your .rules = files. 
If=20 yes, then do you have it included in snort.conf along with the=20 rules?</FONT></P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 alexus [<A = href=3D"mailto:ml () db nexgen com">mailto:ml () db nexgen com</A>]</FONT>=20 <BR><FONT size=3D2>Sent: Thursday, May 10, 2001 14:50</FONT> <BR><FONT = size=3D2>To: <A=20 = href=3D"mailto:snort-users () lists sourceforge net">snort-users@lists.sourc= eforge.net</A></FONT>=20 <BR><FONT size=3D2>Subject: [Snort-users] Snort won't run</FONT> = </P><BR> <P><FONT size=3D2>i'm using snort 1.7 with latest set of rules</FONT> = </P> <P><FONT size=3D2>for some reason it won't run, any ideas?</FONT> </P> <P><FONT size=3D2>su-2.04# /usr/local/bin/snort -c=20 /usr/local/bin/rules/snort.conf</FONT> </P> <P><FONT size=3D2> --=3D=3D = Initializing=20 Snort =3D=3D--</FONT> </P> <P><FONT size=3D2>Initializing Network Interface fxp0</FONT> <BR><FONT = size=3D2>Decoding Ethernet on interface fxp0</FONT> <BR><FONT=20 size=3D2>Initializing Preprocessors!</FONT> <BR><FONT = size=3D2>Initializing=20 Plug-ins!</FONT> <BR><FONT size=3D2>Initializating Output = Plugins!</FONT> </P> <P><FONT = size=3D2>+++++++++++++++++++++++++++++++++++++++++++++++++++</FONT>=20 <BR><FONT size=3D2>Initializing rule chains...</FONT> </P> <P><FONT size=3D2>*WARNING*: unknown preprocessor "stream2", = ignoring!</FONT>=20 </P><BR> <P><FONT size=3D2>*WARNING*: unknown preprocessor "rpc_decode", = ignoring!</FONT>=20 </P><BR> <P><FONT size=3D2>*WARNING*: unknown preprocessor "bo", = ignoring!</FONT>=20 </P><BR> <P><FONT size=3D2>*WARNING*: unknown preprocessor "telnet_decode",=20 ignoring!</FONT> </P> <P><FONT size=3D2>database: compiled support for ( mysql )</FONT> = <BR><FONT=20 size=3D2>database: configured to use mysql</FONT> <BR><FONT=20 = size=3D2>database: = user =3D=20 alexus</FONT> <BR><FONT size=3D2>database: database name =3D = alexus</FONT>=20 <BR><FONT size=3D2>database: password is set</FONT> <BR><FONT=20 = 
size=3D2>database: = host =3D=20 localhost</FONT> <BR><FONT size=3D2>database: sensor name = =3D=20 64.81.208.245</FONT> <BR><FONT = size=3D2>database: sensor=20 id =3D 1</FONT> <BR><FONT size=3D2>database: using the "log" = facility</FONT>=20 <BR><FONT size=3D2>Error: Unknown config: classification</FONT> = <BR><FONT=20 size=3D2>su-2.04# </FONT></P> <P><FONT size=3D2>what am i doin wrong now?</FONT> </P><BR> <P><FONT = size=3D2>_______________________________________________</FONT>=20 <BR><FONT size=3D2>Snort-users mailing list</FONT> <BR><FONT=20 size=3D2>Snort-users () lists sourceforge net</FONT> <BR><FONT = size=3D2>Go to this=20 URL to change user options or unsubscribe:</FONT> <BR><FONT = size=3D2><A=20 target=3D_blank=20 = href=3D"http://lists.sourceforge.net/lists/listinfo/snort-users">http://l= ists.sourceforge.net/lists/listinfo/snort-users</A></FONT>=20 <BR><FONT size=3D2>Snort-users list archive:</FONT> <BR><FONT = size=3D2><A=20 target=3D_blank=20 = href=3D"http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users">http:= //www.geocrawler.com/redir-sf.php3?list=3Dsnort-users</A></FONT>=20 </P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0035_01C0D97C.84409150-- -- __--__-- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net http://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest --__--__-- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net http://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
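The "Error: Unknown config: classification" message in the thread above names only the rejected key, not the file or line it was read from, which is why switching the include to an absolute path changed nothing. The script below is an added example, not code from the thread or from the Snort project: it walks a snort.conf, follows its include lines, and reports every "config <key>:" directive whose key the target build does not accept, together with the file and line that carries it, plus any include that does not resolve. KNOWN_CONFIG_KEYS is an assumed, hypothetical list used for the demonstration (not the key table of any real Snort release), the relative-include rule (resolve against the top-level config's directory) is an assumption that may differ from a given Snort version, and the two sample files are constructed in a temporary directory.

```python
"""Pre-flight check for a Snort-style config: follow `include` lines and
report each `config <key>:` directive the target build would reject, with
the file and line it came from.  Added example, not Snort's own code."""
import os
import re
import tempfile

# Hypothetical set of keys the target build accepts (assumption for the demo).
KNOWN_CONFIG_KEYS = {"order", "alertfile", "logdir", "umask", "interface"}

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")
CONFIG_RE = re.compile(r"^\s*config\s+([A-Za-z_]+)\s*(?::.*)?$")


def walk_config(path, base_dir=None, seen=None):
    """Yield ("config", file, line, key) for every config directive and
    ("missing_include", file, line, target) for includes that do not exist.
    A relative include is resolved against base_dir, which defaults to the
    directory of the top-level config (assumed rule; check your version)."""
    if seen is None:
        seen = set()
    path = os.path.abspath(path)
    if base_dir is None:
        base_dir = os.path.dirname(path)
    if path in seen:          # guard against include loops
        return
    seen.add(path)
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0]          # drop trailing comments
            m = INCLUDE_RE.match(line)
            if m:
                target = m.group(1)
                if not os.path.isabs(target):
                    target = os.path.join(base_dir, target)
                if not os.path.exists(target):
                    yield ("missing_include", path, no, m.group(1))
                    continue
                yield from walk_config(target, base_dir, seen)
                continue
            m = CONFIG_RE.match(line)
            if m:
                yield ("config", path, no, m.group(1))


def find_unknown_configs(path, known=KNOWN_CONFIG_KEYS):
    """Return a list of 'file:line: ...' problem strings, in file order."""
    problems = []
    for kind, f, no, value in walk_config(path):
        if kind == "missing_include":
            problems.append("%s:%d: missing include %s" % (f, no, value))
        elif value not in known:
            problems.append("%s:%d: Unknown config: %s" % (f, no, value))
    return problems


def build_sample_tree():
    """Write a constructed snort.conf and classification.config pair to a
    temporary directory and return the path of the snort.conf."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "classification.config"), "w") as fh:
        fh.write("# constructed sample, same shape as a shipped classification.config\n"
                 "config classification: not-suspicious,Not Suspicious Traffic,3\n"
                 "config classification: unknown,Unknown Traffic,3\n")
    with open(os.path.join(d, "snort.conf"), "w") as fh:
        fh.write("config logdir: /var/log/snort\n"   # accepted by the demo key set
                 "include classification.config\n"   # carries the rejected key
                 "include local.rules\n")            # deliberately absent file
    return os.path.join(d, "snort.conf")


if __name__ == "__main__":
    for problem in find_unknown_configs(build_sample_tree()):
        print(problem)
```

Run against the constructed tree it prints two "Unknown config: classification" lines pointing at classification.config lines 2 and 3, and one "missing include local.rules" line for snort.conf line 3; pointed at a real snort.conf it tells you which included file introduced a directive the running build rejects before Snort aborts on it.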
Current thread:
- unsubscribe Ryan McClure (Systems Admin) - United Shipping (May 10)
- <Possible follow-ups>
- unsubscribe Ryan McClure (Systems Admin) - United Shipping (May 11)
- unsubscribe Ryan McClure (Systems Admin) - United Shipping (May 11)
- unsubscribe Ryan McClure (Systems Admin) - United Shipping (May 11)
- unsubscribe Ryan McClure (Systems Admin) - United Shipping (May 11)
- Re: unsubscribe Andy Lowton (May 11)
- unsubscribe per.thorsheim (May 13)