Snort mailing list archives
RE: RE: start using argus snort
From: "Scott Renna" <srenna () d-a-s com>
Date: Tue, 22 Jul 2003 08:33:25 -0400
Check your path
Switch to the directory that snort is in (/usr/local/bin ?)

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500
***************************

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of ????
Sent: Tuesday, July 22, 2003 6:56 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] RE: start using argus snort

Hi!

I installed the argus quick install of snort. In the manual it is written that in order to start I need to issue the ./snort -v command. I receive:

-bash: ./snort: No such file or directory

Why is that?

Thanks

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, July 22, 2003 5:30 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3366 - 3 msgs

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: Viewing ACID set's off P..O..R..N rules ... (Jason Whitson)
   2. RE: Viewing ACID set's off P..O..R..N rules ... (Scott Renna)
   3. Re: Problem with test script for Cisco vulnerability (Bennett Todd)

--__--__--

Message: 1
From: "Jason Whitson" <jason () visionxtreme net>
To: "Scott Renna" <srenna () d-a-s com>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
Date: Mon, 21 Jul 2003 16:12:41 -0500

So ...

/usr/local/bin/snort -U -d -D -c /etc/snort/snort.conf not \ 172.16.1.172:80 ?

Because that didn't work. Do I surround my IP in ( ) ... ?

- Jason

----- Original Message -----
From: "Scott Renna" <srenna () d-a-s com>
To: "'Jason Whitson'" <jason () visionxtreme net>; <snort-users () lists sourceforge net>
Sent: Monday, July 21, 2003 3:32 PM
Subject: RE: [Snort-users] Viewing ACID set's off P..O..R..N rules ...

Try this from 7/8:

Bryan Irvine <bryan.irvine () kingcountyjournal com> writes:

> Is there a way to get snort to skip over ip's? I keep tripping the porno alerts whenever I view someone else's porno log in acid. I'd like for it to not log my ip.

The easiest way is to do a bpf filter on the snort command line

snort <args> not \( host <ip> and port 80 \)

--
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500
***************************

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Whitson
Sent: Monday, July 21, 2003 4:24 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Viewing ACID set's off P..O..R..N rules ...

Well today I decided to turn on the P..O..R..N ruleset to see if anyone here wasn't working on ... work. Much to my surprise, ACID "blew up" with Rule violations. This is great and all but when I view the rule violations in the ACID console and refresh to see the latest, all the rules that were listed get relisted because I was viewing them!

Is there a way to exclude the machine I use to view the ACID console from the rules? I would hate to have to explain the rule violations from my workstation. Even though the source IP is the box running snort ...

- Jason

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
From: "Scott Renna" <srenna () d-a-s com>
To: "'Jason Whitson'" <jason () visionxtreme net>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
Date: Mon, 21 Jul 2003 17:13:06 -0400

You forgot to add the word "host" before your IP.

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500
***************************

-----Original Message-----
From: Jason Whitson [mailto:jason () visionxtreme net]
Sent: Monday, July 21, 2003 5:13 PM
To: Scott Renna; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Viewing ACID set's off P..O..R..N rules ...

So ...

/usr/local/bin/snort -U -d -D -c /etc/snort/snort.conf not \ 172.16.1.172:80 ?

Because that didn't work. Do I surround my IP in ( ) ... ?

- Jason

--__--__--

Message: 3
Date: Mon, 21 Jul 2003 17:43:41 -0400
From: Bennett Todd <bet () rahul net>
To: CMartin () infosol com
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with test script for Cisco vulnerability

2003-07-21T14:26:30 CMartin () infosol com:
> I tried to implement this script to test my snort rules; however, it appears
> that I don't have hping in my /usr/local/sbin directory or not in my /sbin
> directory. I am running redhat v9.

As others have mentioned, download from <URL:http://www.hping.com/> and build yourself. If you want an rpm install, I have a spec file I'll be glad to pass you. It's trivial.

> Also I get the following error when I try to run the script (sh exploit.sh).
> exploit.sh: line 8: syntax error near unexpected token `('
> exploit.sh: line 8: `foreach protocol (53 55 77 103)'

The exploit script as posted was in tcsh, which has a different syntax from sh.

> But also an interesting note, my whole /usr/local/sbin is empty.

/usr/local is reserved for non-packaged software. rpms are normally properly written to install into /usr/sbin, /usr/bin, and so forth.

-Bennett

--__--__--

End of Snort-users Digest

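What the filter suggested in the quoted thread, `not \( host <ip> and port 80 \)`, actually excludes, as an added example that is not part of the original messages: a small Python model of BPF's either-direction `host`/`port` matching that converts the `ip:port` form from the thread into a filter and lists the packets Snort would no longer inspect. The ACID server and outside addresses, the packet list and the narrower two-host variant are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

WORKSTATION = "172.16.1.172"   # the address used in the thread's command line
ACID_SERVER = "172.16.1.10"    # constructed: box running Snort and ACID
OUTSIDE_WEB = "192.0.2.80"     # constructed: any other web server

def exclusion(hostport, peer=None):
    """Turn 'ip:port' (the form that did not work) into a BPF exclusion.
    With peer set, only traffic between the two hosts is excluded
    (narrower variant, an assumption added by this example)."""
    ip, _, port = hostport.rpartition(":")
    ipaddress.IPv4Address(ip)              # ValueError on a malformed address
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range: " + port)
    terms = ["host " + ip]
    if peer is not None:
        ipaddress.IPv4Address(peer)
        terms.append("host " + peer)
    terms.append("port " + port)
    return "not ( " + " and ".join(terms) + " )"

def inspected(pkt, hostport, peer=None):
    """Evaluate the same expression as BPF does: 'host' and 'port'
    each match the source or the destination side of a packet."""
    ip, _, port = hostport.rpartition(":")
    hit = ip in (pkt.src, pkt.dst) and int(port) in (pkt.sport, pkt.dport)
    if peer is not None:
        hit = hit and peer in (pkt.src, pkt.dst)
    return not hit

# Constructed sample traffic.
PACKETS = [
    Packet(ACID_SERVER, 80, WORKSTATION, 40001),   # ACID page sent to the analyst
    Packet(WORKSTATION, 40002, OUTSIDE_WEB, 80),   # analyst browsing elsewhere
    Packet(OUTSIDE_WEB, 80, WORKSTATION, 40002),   # and the reply to that request
    Packet(WORKSTATION, 40003, ACID_SERVER, 22),   # non-HTTP traffic
]

def blind_spot(hostport, peer=None):
    """Packets Snort never sees under the given exclusion."""
    return [p for p in PACKETS if not inspected(p, hostport, peer)]

if __name__ == "__main__":
    target = WORKSTATION + ":80"
    for peer in (None, ACID_SERVER):
        print(exclusion(target, peer), "hides", len(blind_spot(target, peer)), "packets")
```

On a shell command line the parentheses have to be escaped or the whole expression quoted, as the `\( ... \)` in the thread shows.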
Current thread:
- RE: start using argus snort חואן (Jul 22)
- Re: RE: start using argus snort Dani?l Haslinger (Jul 22)
- RE: RE: start using argus snort Scott Renna (Jul 22)