Snort mailing list archives

Re: Snort-users digest, Vol 1 #785 - 13 msgs


From: "ORA" <LSMITH147 () nc rr com>
Date: Mon, 9 Jul 2001 00:23:06 -0400

kdb is the biggest bug of all. He loves to snort people that are not even
interested in his tech knowledge, whatever that is. He must be in love and
can't get over it.
----- Original Message -----
From: <snort-users-request () lists sourceforge net>
To: <snort-users () lists sourceforge net>
Sent: Sunday, July 08, 2001 3:05 PM
Subject: Snort-users digest, Vol 1 #785 - 13 msgs


Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: >2Gb capture files (Shriman Gurung)
   2. Re: Bug Roundup--Chroot Broken? (Erek Adams)
   3. OT:  Tool to Decode shellcode? (Erek Adams)
   4. react (Ramin Alidousti)
   5. Re: react (Martin Roesch)
   6. Re: react (Dragos Ruiu)
   7. Re: OT: Tool to Decode shellcode? (Dragos Ruiu)
   8. Re: react (Ramin Alidousti)
   9. Beta 10/Build 38 available (Martin Roesch)
  10. Re: OT: Tool to Decode shellcode? (Erek Adams)
  11. Re: OT: Tool to Decode shellcode? (Fyodor)
  12. Re: OT: Tool to Decode shellcode? (Steve Shockley)
  13. Connection lost (Luca Mauri)

--__--__--

Message: 1
From: Shriman Gurung <sg () dataconnection com>
To: 'Martin Roesch' <roesch () sourcefire com>,
"Clausing, James A (Jim), SOBUS" <jac () att com>
Cc: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Subject: RE: [Snort-users] >2Gb capture files
Date: Sat, 7 Jul 2001 20:08:56 +0100

Doh! I didn't think of that.  (Sound of hand hitting head.)

shriman

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 06 July 2001 19:46
To: Clausing, James A (Jim), SOBUS
Cc: Shriman Gurung; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] >2Gb capture files


Ding ding ding!!!  Give that man a cigar.

    -Marty

"Clausing, James A (Jim), SOBUS" wrote:

        Am I missing something?  More than one snort process can listen on a
given interface, so start the new one first, then kill the old one.  There
should be an overlap of a few seconds, but nothing will be lost.

---Jim


--__--__--

Message: 2
Date: Sat, 7 Jul 2001 15:38:23 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Chris Green <cmg () uab edu>
cc: Snorters Anonymous <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Bug Roundup--Chroot Broken?

On 6 Jul 2001, Chris Green wrote:

You understand it.  The problem is that HUP basically tells snort to
restart itself by exec() and it reparses its own command line and
config file.

Ok, then should it continue to 'recurse down the tree'?  Each time you HUP it,
it goes down deeper into the tree, forcing you to have HUGE trees if you want
to be able to HUP it.

Nope. It's been done by a few other nuts :>  You just have to live
with a full restart rather than a HUP.

Full restart is fine.  I just don't want to have to create directories every
time I want to HUP it.

Chris, what OS are you using?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



--__--__--

Message: 3
Date: Sat, 7 Jul 2001 15:54:48 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Snorters Anonymous <snort-users () lists sourceforge net>
Subject: [Snort-users] OT:  Tool to Decode shellcode?


Since folks here tend to have seen the nifty things, has anyone a tool that
will parse shellcode and spit out the ascii characters?

Thanks!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



--__--__--

Message: 4
Date: Sat, 7 Jul 2001 21:31:49 -0400
From: Ramin Alidousti <ramin () cannon eng us uu net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] react

Hi,

# cat tt
alert udp any any <> any 53 (react: block, msg;)
# snort -c tt

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth1
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file tt

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

ERROR: tt (1) => Unknown keyword "react" in rule!
Fatal Error, Quitting..


Can someone explain what I'm doing wrong and why snort says Unknown
keyword "react"?

Ramin


--__--__--

Message: 5
Date: Sat, 07 Jul 2001 21:50:50 -0400
From: Martin Roesch <roesch () sourcefire com>
To: Ramin Alidousti <ramin () cannon eng us uu net>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] react

make distclean && ./configure --enable-flexresp && make

then try again.

   -Marty

Ramin Alidousti wrote:

Hi,

# cat tt
alert udp any any <> any 53 (react: block, msg;)
# snort -c tt

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth1
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file tt

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

ERROR: tt (1) => Unknown keyword "react" in rule!
Fatal Error, Quitting..

Can someone explain what I'm doing wrong and why snort says Unknown
keyword "react"?

Ramin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org


--__--__--

Message: 6
From: Dragos Ruiu <dr () kyx net>
Organization: kyx.net
To: Ramin Alidousti <ramin () cannon eng us uu net>,
snort-users () lists sourceforge net
Subject: Re: [Snort-users] react
Date: Sat, 7 Jul 2001 18:53:16 -0700

rerun ./configure with --enable-flexresp
recompile and reinstall.

cheers,
--dr

On Sat, 07 Jul 2001, Ramin Alidousti wrote:
Hi,

# cat tt
alert udp any any <> any 53 (react: block, msg;)
# snort -c tt

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth1
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file tt

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

ERROR: tt (1) => Unknown keyword "react" in rule!
Fatal Error, Quitting..


Can someone explain what I'm doing wrong and why snort says Unknown
keyword "react"?

Ramin

--
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc


--__--__--

Message: 7
From: Dragos Ruiu <dr () kyx net>
Organization: kyx.net
To: Erek Adams <erek () theadamsfamily net>,
Snorters Anonymous <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] OT: Tool to Decode shellcode?
Date: Sat, 7 Jul 2001 19:21:46 -0700

On Sat, 07 Jul 2001, Erek Adams wrote:
Since folks here tend to have seen the nifty things, has anyone a tool that
will parse shellcode and spit out the ascii characters?

Do you mean the disassembled shellcode instructions or ascii as in snort -d
hexdumps?

--dr


--__--__--

Message: 8
Date: Sun, 8 Jul 2001 01:01:58 -0400
From: Ramin Alidousti <ramin () cannon eng us uu net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] react

Thanks. I compiled it the way you said and changed my test to tcp instead
of udp (as with udp it'll not be a connection). What I expect is that it
blocks my tcp connections to port 53. However, it doesn't block the connection
but generates lots of "Critical: SendTCP: libnet_write_ip". I'm sure that
I'm still doing something wrong.

Ramin

On Sat, Jul 07, 2001 at 09:50:50PM -0400, Martin Roesch wrote:

make distclean && ./configure --enable-flexresp && make

then try again.

   -Marty

Ramin Alidousti wrote:

Hi,

# cat tt
alert udp any any <> any 53 (react: block, msg;)
# snort -c tt

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth1
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file tt

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

ERROR: tt (1) => Unknown keyword "react" in rule!
Fatal Error, Quitting..

Can someone explain what I'm doing wrong and why snort says Unknown
keyword "react"?

Ramin


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org


--__--__--

Message: 9
Date: Sun, 08 Jul 2001 08:43:22 -0400
From: Martin Roesch <roesch () sourcefire com>
To: snort-users <snort-users () lists sourceforge net>,
   snort-dev <snort-devel () lists sourceforge net>
Subject: [Snort-users] Beta 10/Build 38 available

Morning everyone,
     Beta 10/build 38 is now available in CVS, everyone testing please
download it and have a look.  I've addressed all the bug reports people
have sent in as of yesterday afternoon.  If there are no show stoppers
this code will be the release version of 1.8.

     -Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org


--__--__--

Message: 10
Date: Sun, 8 Jul 2001 06:08:32 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: Dragos Ruiu <dr () kyx net>
cc: Snorters Anonymous <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] OT: Tool to Decode shellcode?

On Sat, 7 Jul 2001, Dragos Ruiu wrote:

Do you mean the disassembled shellcode instructions or ascii as in snort -d
hexdumps?

Shellcode.  I'm looking for something that I can cut-n-paste the shellcode
from various exploits into and have it spit out what it will do.

Does that make sense or am I smokin crack?

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



--__--__--

Message: 11
Date: Sun, 8 Jul 2001 20:34:43 +0700
From: Fyodor <fygrave () tigerteam net>
To: Erek Adams <erek () theadamsfamily net>
Cc: Dragos Ruiu <dr () kyx net>,
   Snorters Anonymous <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] OT: Tool to Decode shellcode?

On Sun, Jul 08, 2001 at 06:08:32AM -0700, Erek Adams wrote:
On Sat, 7 Jul 2001, Dragos Ruiu wrote:

Do you mean the disassembled shellcode instructions or ascii as in snort -d
hexdumps?

Shellcode.  I'm looking for something that I can cut-n-paste the shellcode
from various exploits into and have it spit out what it will do.

Does that make sense or am I smokin crack?



Very likely smoking crack ;-D. The most you can do is dump the binary of the
shellcode into a file and use objdump to disasm it... then read the asm
output ;)

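Fyodor's suggestion above, as an added example that is not part of the original thread: a small bash helper that turns a shellcode byte string, either in the `\x31\xc0` escape form found in exploit sources or as space-separated hex pairs copied from the hex columns of a hexdump, into a raw binary file, then hands it to objdump for 32-bit x86 disassembly. The sample bytes are constructed for illustration; the helper names are my own.

```bash
#!/bin/bash
# Added example (not from the original thread): write a shellcode string to a
# raw binary file and disassemble it with objdump, as Fyodor describes.

# Normalise either "\x31\xc0" escapes or "31 C0" hexdump text into one
# string of lowercase hex digits (backslash-x prefixes and whitespace dropped).
hex_normalise() {
    printf '%s' "$1" | sed 's/\\x//g' | tr -d ' \n\t' | tr 'A-F' 'a-f'
}

# Write the normalised hex string as raw bytes to the file named in $2.
# Returns 1 on an odd digit count, which means a truncated or mangled dump.
hex_to_bin() {
    local hex out i
    hex=$(hex_normalise "$1")
    out=$2
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "odd number of hex digits, refusing to write" >&2
        return 1
    fi
    : > "$out"
    for (( i = 0; i < ${#hex}; i += 2 )); do
        # Convert each byte to an octal escape so bash's printf emits it raw.
        printf "\\$(printf '%03o' "0x${hex:i:2}")" >> "$out"
    done
}

# Disassemble the raw file as a flat 32-bit x86 binary (no file headers),
# which is how shellcode of this thread's era would be read.
disasm_bin() {
    if ! command -v objdump >/dev/null 2>&1; then
        echo "objdump not installed; install binutils to disassemble" >&2
        return 2
    fi
    objdump -D -b binary -m i386 "$1"
}

# Constructed sample: "xor eax,eax; push eax; ret" as it might be pasted from
# an exploit source. Real payloads would come from the alert's packet dump.
SAMPLE='\x31\xc0\x50\xc3'
```

Run `hex_to_bin "$SAMPLE" sc.bin && disasm_bin sc.bin` to see the listing; objdump decodes whatever bytes follow, so a dump cut mid-instruction will show garbage at the end.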

--__--__--

Message: 12
From: "Steve Shockley" <steve.shockley () shockley net>
To: "Snorters Anonymous" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] OT: Tool to Decode shellcode?
Date: Sun, 8 Jul 2001 13:41:24 -0400

Shellcode.  I'm looking for something that I can cut-n-paste the shellcode
from various exploits into and have it spit out what it will do.

They call that a microprocessor.  Seriously, aside from signature matching,
that'd be one heck of a coding achievement.





--__--__--

Message: 13
Reply-To: "Luca Mauri" <luca.mauri () libero it>
From: "Luca Mauri" <luca.mauri () libero it>
To: "snort-users" <snort-users () lists sourceforge net>
Date: Sun, 8 Jul 2001 20:13:56 +0200
Subject: [Snort-users] Connection lost

Hi there!
I am an absolute beginner with Snort and I am just exploring this program
for more extensive use.

I am testing the software on a stand-alone machine with a 56K dial-up
internet connection.
After setting the main parameters in the configuration file as in the
snort.conf example, I have started Snort.
Immediately after Snort starts, all traffic to the internet is reduced to
zero: no data is transmitted or received at all.
If I stop Snort, the internet traffic resumes as normal.

I have no explanation for this strange behaviour; please try to help me.

Thank you for your cooperation.



--------------------------------------
Luca Mauri
luca.mauri () libero it

Administrator and Webmaster of
www.lucamauri.net - Luca Mauri Network
www.lucamauri.com - Innovation in ICT




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




