Snort mailing list archives
RE: Snort-users digest, Vol 1 #2641 - 15 msgs
From: חואן <juan () sarel co il>
Date: Tue, 7 Jan 2003 09:18:58 +0200
I did what you told me and now I receive almost the same error:

/etc/init.d/snortd start :no such file or directorybin/sh :command not found :no such file or direcory.d/init.d/function :command not found :command not found 'etc/rc.d/init.d/snortd: line 24:syntax error near unexpected token 'in
'etc/rc.d/init.d/snortd: line 24:'case "$1" in

Do you have any other idea? Thanks

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Monday, January 06, 2003 5:02 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2641 - 15 msgs

Today's Topics:

 1. Re: Bad Protocol? (J Irving)
 2. Re: Deprecated Plugin API (Andrew R. Baker)
 3. RE: Deprecated Plugin API (Frank Reid)
 4. Snort+Postgresql (Laurent Mesuré)
 5. Re: Snort+Postgresql (Nicholas Bachmann)
 6. problems starting snort (Greg)
 7. Re: problems starting snort (Alberto Gonzalez)
 8. Re: Syntax question (Papa Mike)
 9. Disable Snort logging to /var/log/snort (Sam Ng)
 10. help! can't start snort (חואן)
 11. Re: Disable Snort logging to /var/log/snort (Dirk Geschke)
 12. Csv not logging (Sh J)
 13. Re: help! can't start snort (Erek Adams)
 14. Re: Disable Snort logging to /var/log/snort (Andrew R. Baker)
 15. Re: db question (Martin Roesch)

--__--__--

Message: 1
Date: Sun, 5 Jan 2003 14:01:32 -0800
From: J Irving <j () erf sh>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Bad Protocol?

Hi Mike

Could you post a tcpdump -x of the packet in question? Many anomalous IP tweaks can evade interpretation by tools that...uh ...interpret.

tcpdump -x should give you the actual content of the packet (well, the headers and a bit of payload (probably)), which you could then compare to RFCs, Richard Stevens, or whichever authority you prefer.

cheers
j

* Mike Koponick <mike () redhawk info> [2003.01.05 09:30 -0800]:
> From: "Mike Koponick" <mike () redhawk info>
> To: <snort-users () lists sourceforge net>
> Subject: [Snort-users] Bad Protocol?
> Date: Sun, 5 Jan 2003 09:30:20 -0800
>
> Now that I have decent logging working, I'm getting some messages that appear to be normal packets, but SNORT seems to think that something is wrong with them. I think it might be a rule problem.. has anyone else seen this?
>
> 01/05-17:33:24.184929 [**] [118:1:1] (spp_conversation) Bad IP protocol! [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
>
> Obviously, this is a SYSLOG message, which we do have a node on the network logging to the snort box for syslog parsing. This is what the packet looks like:
>
> [**] (spp_conversation) Bad IP protocol! [**]
> 01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
> UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
>
> Thanks in advance for your help.
>
> Mike
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
https://erf.sh/chao.html

--__--__--

Message: 2
Date: Sun, 05 Jan 2003 17:33:56 -0500
From: "Andrew R. Baker" <andrewb () snort org>
To: Frank Reid <fcreid () ourcorner org>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Deprecated Plugin API

Frank Reid wrote:
> When I test my configuration with Snort -T, I get a "WARNING: Deprecated Plugin API..." message. My snort.conf only has enabled those active plugins in the distribution etc/snort.conf, with the exception of the MySQL database logging facility. Is that the deprecated plugin?
Those are mine. I updated the CVS code to not print the messages (for now). They went in while I was working on revising the plugin system API. Of course, other tasks have caused me not to finish the changes, so *all* of the output plugins use the "deprecated" API.

-A

--__--__--

Message: 3
From: "Frank Reid" <fcreid () ourcorner org>
To: "'Andrew R. Baker'" <andrewb () snort org>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Deprecated Plugin API
Date: Sun, 5 Jan 2003 17:55:52 -0500

Thanks, Andrew. You had me going there removing one after the other attempting to locate it! :) Thanks. I can live with the warning, as long as I know why.

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Andrew R. Baker
Sent: Sunday, January 05, 2003 5:34 PM
To: Frank Reid
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Deprecated Plugin API

Frank Reid wrote:

> When I test my configuration with Snort -T, I get a "WARNING: Deprecated Plugin API..." message. My snort.conf only has enabled those active plugins in the distribution etc/snort.conf, with the exception of the MySQL database logging facility. Is that the deprecated plugin?

Those are mine. I updated the CVS code to not print the messages (for now). They went in while I was working on revising the plugin system API. Of course, other tasks have caused me not to finish the changes, so *all* of the output plugins use the "deprecated" API.

-A

--__--__--

Message: 4
Date: Mon, 06 Jan 2003 00:33:21 +0100
From: Laurent Mesuré <lmesure () nerim net>
To: Snort Users <snort-users () lists sourceforge net>
Subject: [Snort-users] Snort+Postgresql

Hi, I'm a new subscriber to this list. I'm trying to get Snort working with PostgreSQL, but I have a problem with the libpq.so library. Snort+postgresql needs libpq.so.2, but I'm using postgresql 7.3, which needs libpq.so.3. How can I use Snort with libpq.so.3?

Regards
Laurent

--__--__--

Message: 5
Date: Sun, 05 Jan 2003 20:45:24 -0500
From: Nicholas Bachmann <nbachmann () mail davison k12 mi us>
To: Laurent Mesuré <lmesure () nerim net>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort+Postgresql

Laurent Mesuré wrote:
> Hi, I'm a new subscriber to this list. I'm trying to get Snort working with PostgreSQL, but I have a problem with the libpq.so library. Snort+postgresql needs libpq.so.2, but I'm using postgresql 7.3, which needs libpq.so.3. How can I use Snort with libpq.so.3?

Compile Snort yourself... see http://www.snort.org/docs/ for help.

--
Regards,
Nick

Nicholas Bachmann, SSCP
Tech Department
Davison Community Schools

--__--__--

Message: 6
Date: Sun, 5 Jan 2003 21:06:35 -0500
From: Greg <snort () petrasfamily com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] problems starting snort

I am attempting to get snort running on an OpenBSD 3.2 system. I compiled snort 1.9.0 with no problems, and am attempting to start snort using:

snort -c /data/snort/conf/rules/snort.conf -u snort -g snort -dev -l /data/snort/log -i fxp1 -D

I have created the user and group 'snort'. fxp1 is an interface running at autosense, both on the switch and on my server. When I run the above command to start snort, I don't see anything running when I do a 'ps -ax'. Does anyone have any idea what I could be doing wrong? Any help would be greatly appreciated. I should also mention I have a couple of other systems running an identical configuration and everything is fine with those systems.

Thanks in advance,
Greg

--__--__--

Message: 7
Date: Sun, 05 Jan 2003 21:30:12 -0800
From: Alberto Gonzalez <albertg () cerebro wwjh net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] problems starting snort

Did you give user 'snort' the ability to write to /data/snort/log? Also, try running it without '-D' (remove daemon mode) and see what types of errors you get, or you can just tail /var/log/daemon to see what the errors were. I'm currently running it on an OpenBSD 3.2 system myself without any problems as the user/group snort. You probably just missed a simple step.

Bye!

Cheers,
Alberto Gonzalez.

Greg wrote:
> I am attempting to get snort running on an OpenBSD 3.2 system. I compiled snort 1.9.0 with no problems, and am attempting to start snort using:
>
> snort -c /data/snort/conf/rules/snort.conf -u snort -g snort -dev -l /data/snort/log -i fxp1 -D
>
> I have created the user and group 'snort'. fxp1 is an interface running at autosense, both on the switch and on my server. When I run the above command to start snort, I don't see anything running when I do a 'ps -ax'. Does anyone have any idea what I could be doing wrong? Any help would be greatly appreciated. I should also mention I have a couple of other systems running an identical configuration and everything is fine with those systems.
>
> Thanks in advance,
> Greg
--
The secret to success is to start from scratch and keep on scratching.

--__--__--

Message: 8
Date: Sun, 5 Jan 2003 23:07:12 -0500 (EST)
From: Papa Mike <online_puppy () yahoo ca>
Subject: Re: [Snort-users] Syntax question
To: snort-users () lists sourceforge net

--- Dustin Decker <dustind () moon-lite com> wrote:
> Hello all,
>
> I'm new to the list, and using Snort 1.9.0 (Build 209). I'm logging to a binary file in /var/log/snort_dumps, and later replaying them into my DB by hand using the -r flag. I'm getting ready to make this somewhat automated, and have hit a minor snag. I use the -L flag with snort to indicate I wish the binary file be named based on the cheezy variable you see displayed below:
>
> [snippet from my shell script]
> STAMP=`/bin/date +%m%d%y-%H`
> /usr/sbin/snort -b -L /var/log/snort_dumps/$STAMP -i eth0 -c \
>   /etc/snort/snort.conf
>
> This is suiting my purposes quite well, with one exception. I get file names such as this:
>
> 010403-09.1041693435
>
> Any recommendations on getting rid of the additional ".1041693435" portion of the file name?

Funny. I'm running 1.8.6 and my default tracefile naming convention is "snort-MMdd@hhmm.log". That's without using the '-L' switch. When you do, you should just specify the filename, not the path. Give the path with the '-l' switch.

--__--__--

Message: 9
From: "Sam Ng" <sng () drasecurity com>
To: <snort-users () lists sourceforge net>
Date: Mon, 6 Jan 2003 16:47:59 +0800
Subject: [Snort-users] Disable Snort logging to /var/log/snort

Snort keeps logging to /var/log/snort even though I have enabled the DB output plugin. How can I stop snort from logging to this directory?
Sam NG
Doctor A Security Systems (HK) Ltd.
708 Millennium City 2
378 Kwuntong Road
Kowloon
HONG KONG
Tel: +852 2342-4355
Fax: +852 2342-4310
Email: sng () drasecurity com

--__--__--

Message: 10
From: חואן <juan () sarel co il>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Mon, 6 Jan 2003 11:08:56 +0200
Subject: [Snort-users] help! can't start snort

When I try to start snort I receive the following errors:

/etc/rc.d/init.d/snortd start :no such file or directorybin/sh :command not foundortd :no such file or direcorytc/rc.d/init.d/function :command not foundortd :command not foundortd 'etc/rc.d/init.d/snortd: line 24:syntax error near unexpected token 'in
'etc/rc.d/init.d/snortd: line 24:'case "$1" in

Of course the program doesn't start. Can someone help please?

--__--__--

Message: 11
From: Dirk Geschke <Dirk_Geschke () genua de>
Subject: Re: [Snort-users] Disable Snort logging to /var/log/snort
To: sng () drasecurity com (Sam Ng)
Date: Mon, 6 Jan 2003 10:43:38 +0100 (CET)
Cc: snort-users () lists sourceforge net

Hi,
> Snort keeps logging to /var/log/snort even though I have enabled the DB output plugin. How can I stop snort from logging to this directory?
use the command line option -N:

  -N   Turn off packet logging. The program still generates alerts normally.

Best regards

Dirk

+--------------------------------------------------------------+
| Dr. Dirk Geschke               | E-mail: geschke () genua de |
| Gesellschaft fuer Netzwerk     | Tel. : +49-(0)-89-991950-31 |
| und Unix Administration mbH    | Fax  : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany      | Raeter Stra/3e 26           |
+--------------------------------------------------------------+

--__--__--

Message: 12
Date: Mon, 6 Jan 2003 04:11:30 -0800 (PST)
From: Sh J <shay_work () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Csv not logging

Hello friends,

I'm running snort 1.9 on win2000 and trying to log alerts to a csv file. My line is:

output alert_CSV: c:\snort\log\csv.txt default

I get alerts but nothing shows in the file. Any ideas?

--__--__--

Message: 13
Date: Mon, 6 Jan 2003 07:45:17 -0500 (EST)
From: Erek Adams <erek () snort org>
To: חואן <juan () sarel co il>
cc: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] help! can't start snort

On Mon, 6 Jan 2003, חואן wrote:
> When I try to start snort I receive the following errors:
>
> /etc/rc.d/init.d/snortd start :no such file or directorybin/sh :command not foundortd :no such file or direcorytc/rc.d/init.d/function :command not foundortd :command not foundortd 'etc/rc.d/init.d/snortd: line 24:syntax error near unexpected token 'in
> 'etc/rc.d/init.d/snortd: line 24:'case "$1" in
>
> Of course the program doesn't start. Can someone help please?
Your problem is nothing to do with Snort. It's just simply with the shell script that starts it. I'm going to guess and say you don't have the first line as:

	#!/bin/sh

See if that's it.

Cheers!

-----
Erek Adams

"When things get tough, the weird get going." H.S. Thompson

--__--__--

Message: 14
Date: Mon, 06 Jan 2003 08:17:23 -0500
From: "Andrew R. Baker" <andrewb () snort org>
To: Sam Ng <sng () drasecurity com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Disable Snort logging to /var/log/snort

Dirk Geschke wrote:
> Hi,
>
> > Snort keeps logging to /var/log/snort even though I have enabled the DB output plugin. How can I stop snort from logging to this directory?
>
> use the command line option -N:
>
>   -N   Turn off packet logging. The program still generates alerts normally.
A bit of qualification on this: this will work if you are using "output database: alert ...". However, if you are using "output database: log ...", you will want to add "-A none" to the command line instead. "-N" turns off packet logging output plugins, "-A none" turns off alerting plugins. The database plugin can act as either alerting or logging. Also, alert information is available to the packet logging output plugins, so you can still get alerts with "-A none" (depending on which output plugins you use).

-A

--__--__--

Message: 15
Date: Mon, 06 Jan 2003 10:00:30 -0500
Subject: Re: [Snort-users] db question
From: Martin Roesch <roesch () sourcefire com>
To: William Bradd <wbradd () comcast net>, snort-users () lists sourceforge net

You could write a simple Perl translator (using DBI) to copy from one DB to the other, or you can just dump the MySQL DB out to a flat (CSV) file and bulk load it into Oracle using sqlldr. Check out this thread on PHP-DB:

http://www.phpbuilder.com/mail/php-db/2000111/0250.php

-Marty

On 1/3/03 10:04 PM, "William Bradd" <wbradd () comcast net> wrote:
> Hi, my client wants to move from mysql to oracle. I know snort will work, but has anyone tried re-writing ACID for Oracle? I have searched for a reference, but have not found one. Any pointers would be greatly appreciated. Right now, I am one deep trying to do the work of 5 with no relief in sight.
>
> Thanks
> w. Bradd
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest
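The init-script failure behind messages 10 and 13 (and the reply at the top of this thread) is diagnosed by Erek as a missing #!/bin/sh first line. The checker below is an added example written for this archive page; it is not code from the thread or from the Snort project. It tests a SysV-style init script for that missing shebang, for a non-executable mode, and also for carriage-return (CRLF) line endings, a second cause of the same kind of ':command not found' and 'syntax error near unexpected token' output that the thread itself does not mention (editor's addition). The sample scripts it writes to a temporary directory are constructed for the demonstration and are not the real snortd script.

```python
import os
import stat
import tempfile


def check_init_script(path):
    """Return a list of problem codes for a SysV-style init script.

    An empty list means nothing obviously wrong was found. Codes:
      missing-shebang         first line does not start with '#!'
      unexpected-interpreter  shebang names something other than /bin/sh or /bin/bash
      carriage-returns        file contains '\\r' (CRLF line endings): the shell then sees
                              '/bin/sh\\r', 'functions\\r', 'in\\r' and fails with output
                              much like the thread's (editor's addition, not from the thread)
      not-executable          owner execute bit missing, so '/etc/rc.d/init.d/snortd start'
                              cannot be run directly
    """
    problems = []
    with open(path, "rb") as f:
        data = f.read()
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not first_line.startswith(b"#!"):
        problems.append("missing-shebang")
    elif first_line.split()[0] not in (b"#!/bin/sh", b"#!/bin/bash"):
        problems.append("unexpected-interpreter")
    if b"\r" in data:
        problems.append("carriage-returns")
    if not os.stat(path).st_mode & stat.S_IXUSR:
        problems.append("not-executable")
    return problems


def strip_carriage_returns(src, dst):
    """Write a copy of src with CRLF line endings converted to LF, keeping its mode bits."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(data.replace(b"\r\n", b"\n"))
    os.chmod(dst, stat.S_IMODE(os.stat(src).st_mode))
    return dst


# Constructed sample body (hypothetical; the thread's real script is not reproduced).
SAMPLE_BODY = (b'case "$1" in\n'
               b'  start) echo "starting snort" ;;\n'
               b'  stop)  echo "stopping snort" ;;\n'
               b'esac\n')


def make_samples():
    """Create three init-script variants in a fresh temp dir and return name -> path."""
    d = tempfile.mkdtemp(prefix="snortd-check-")
    variants = {
        "good": b"#!/bin/sh\n" + SAMPLE_BODY,
        "no_shebang": SAMPLE_BODY,
        "crlf": (b"#!/bin/sh\n" + SAMPLE_BODY).replace(b"\n", b"\r\n"),
    }
    paths = {}
    for name, content in variants.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        os.chmod(p, 0o755)
        paths[name] = p
    return paths


if __name__ == "__main__":
    samples = make_samples()
    for name, path in samples.items():
        print(f"{name:12s} {check_init_script(path) or 'ok'}")
    fixed = strip_carriage_returns(samples["crlf"], samples["crlf"] + ".fixed")
    print(f"{'crlf.fixed':12s} {check_init_script(fixed) or 'ok'}")
```

To use it on a real system, call check_init_script("/etc/rc.d/init.d/snortd") and, if it reports carriage-returns, write the converted copy to a new path with strip_carriage_returns before replacing the original.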
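Message 1 suggests getting a tcpdump -x dump of the packet behind the "Bad IP protocol!" alert and checking it against the RFCs. The decoder below is an added example for this page, not code from the thread or from Snort (it does not reproduce the spp_conversation preprocessor's logic). It reads a tcpdump -x style hex dump, pulls out the IPv4 and UDP header fields that the Snort alert prints (TTL, TOS, ID, IpLen, DgmLen, protocol, ports), verifies the IP header checksum and flags values that would be worth a closer look. The hex dump is constructed to match the fields in Mike's alert (TTL 255, TOS 0, ID 46088, IpLen 20, DgmLen 171, UDP 514 -> 514); the 192.168.1.x addresses, the short protocol table and the anomaly codes are the example's own assumptions.

```python
import struct
import ipaddress

# Short subset of IANA-assigned IP protocol numbers (assumption for this example; the
# full registry is much longer). Anything outside it is reported as 'unusual-protocol'.
KNOWN_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
                   50: "ESP", 51: "AH", 89: "OSPF"}

# Constructed tcpdump -x style dump of an IPv4/UDP syslog datagram with the field values
# from the alert in the thread: TTL 255, TOS 0, ID 46088, IpLen 20, DgmLen 171, 514 -> 514.
# Only the headers plus four payload bytes are shown, as tcpdump's default snaplen would.
SAMPLE_DUMP = """\
4500 00ab b408 0000 ff11 83ca c0a8 010a
c0a8 0114 0202 0202 0097 0000 3c31 333e
"""


def parse_hex_dump(text):
    """Convert tcpdump -x output to bytes. Accepts the old bare '4500 00ab ...' layout
    and the newer one with an offset column ('0x0000:  4500 00ab ...')."""
    out = bytearray()
    for token in text.split():
        if token.endswith(":"):          # offset column such as '0x0010:'
            continue
        if len(token) % 2 or any(c not in "0123456789abcdefABCDEF" for c in token):
            raise ValueError(f"not a hex word: {token!r}")
        out += bytes.fromhex(token)
    return bytes(out)


def ip_checksum(data):
    """RFC 791 one's-complement checksum; returns 0 when run over a header whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(packet):
    """Decode the IPv4 header (and the UDP header if present) and list anomaly codes."""
    if len(packet) < 20:
        raise ValueError("fewer than 20 bytes captured; cannot decode an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "protocol_name": KNOWN_PROTOCOLS.get(proto, "?"),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "captured": len(packet),
        # tcpdump normally truncates the payload, so a short capture is not an anomaly
        "payload_truncated": len(packet) < total_len,
    }
    anomalies = []
    if fields["version"] != 4:
        anomalies.append("bad-version")
    if ihl < 20:
        anomalies.append("bad-ihl")
    if ihl > len(packet):
        anomalies.append("header-truncated")
    elif ihl >= 20 and ip_checksum(packet[:ihl]) != 0:
        anomalies.append("checksum-mismatch")
    if total_len < ihl:
        anomalies.append("length-mismatch")
    if proto not in KNOWN_PROTOCOLS:
        anomalies.append("unusual-protocol")
    result = {"fields": fields, "anomalies": anomalies}
    if proto == 17 and ihl >= 20 and ihl + 8 <= len(packet):
        sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
        result["udp"] = {"sport": sport, "dport": dport,
                         "length": udp_len, "checksum": udp_csum}
        # RFC 768: the UDP length covers header plus data, so it must equal the IP payload
        if udp_len != total_len - ihl:
            anomalies.append("udp-length-mismatch")
    return result


if __name__ == "__main__":
    report = decode_ipv4(parse_hex_dump(SAMPLE_DUMP))
    for key, value in report["fields"].items():
        print(f"{key:18s} {value}")
    print(f"{'udp':18s} {report.get('udp')}")
    print(f"{'anomalies':18s} {report['anomalies'] or 'none'}")
```

Paste the hex lines of a real tcpdump -x capture into SAMPLE_DUMP (or read them from a file) and compare the decoded fields with what the Snort alert printed; a capture that decodes cleanly here but still trips the preprocessor points at the sensor's own state rather than at the packet.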