Snort mailing list archives

Re: help


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 2 Oct 2009 10:09:59 -0400

Thank you for posting the Snort-Users Digest in its entirety.  Did you have
a question about something in it?
J

On Fri, Oct 2, 2009 at 9:09 AM, Mordecai Kraushar <mk125 () nyu edu> wrote:



----- Original Message -----
From: snort-users-request () lists sourceforge net
Date: Monday, September 28, 2009 2:20 pm
Subject: Snort-users Digest, Vol 40, Issue 30
To: snort-users () lists sourceforge net


Send Snort-users mailing list submissions to
      snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
      https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
      snort-users-request () lists sourceforge net

You can reach the person managing the list at
      snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. supression part 2- gen_id and sid_id? from "base" (Ron Kaye Jr)
   2. Re: 2.8.4 to 2.8.5 wild ride (John York)
   3. Re: 2.8.4 to 2.8.5 wild ride (John York)
   4. Re: 2.8.4 to 2.8.5 wild ride (Joel Esler)


----------------------------------------------------------------------

Message: 1
Date: Mon, 28 Sep 2009 11:32:06 -0500 (CDT)
From: Ron Kaye Jr    <rekaye1005 () verizon net>
Subject: [Snort-users] supression part 2- gen_id and sid_id? from
      "base"
To: snort-users () lists sourceforge net, ny-sug () lists snort org
Message-ID:
      <26988130.110393.1254155526870.JavaMail.root () vms076 mailsrvcs net>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Mon, 28 Sep 2009 13:20:11 -0400
From: "John York" <YorkJ () brcc edu>
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride
To: "John York" <YorkJ () brcc edu>
Cc: snort-users () lists sourceforge net
Message-ID:
      <49DF20DF84F8D84AAC5B8ED6D41D2C7606D88979 () bramail br vccs edu>
Content-Type: text/plain;     charset="US-ASCII"

Found it!!  The PulledPork subroutine copysorules is coded to use this
path:

$temp_path/tha_rules/so_rules/precompiled/$Distro/i386/$Snort/

For Ubuntu 8.04, there is only an x86-64 version and i386 doesn't exist.
It looks like RHEL-5.0 is the same way.  CentOS-5.0 and FC-9 have both.

I've just changed the i386 to x86-64 in mine.  The next version of
PulledPork is going to need a processor variable that gets set in the
.conf file.

Thanks
John

-----Original Message-----
From: John York
Sent: Monday, September 28, 2009 11:52 AM
To: Ryan Jordan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride

Thanks Ryan.

Changing the detection line to this worked:
"config detection: search-method ac-bnfa max_queue_events 5"

The seg fault problem appears to be related to my use of pulledpork. The
.so rules were never making it to /usr/local/lib/snortdynamicrules.
What I had in there dated back to 6/16/09.  I manually copied the new
precompiled rules, and everything ran.  I'm looking for my problem with
pulledpork at the moment, and will send an update when I find it.

Thanks
John


-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
Sent: Monday, September 28, 2009 10:09 AM
To: John York
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride

Allow me to explain a couple things... comments inline.


On Fri, Sep 25, 2009 at 4:06 PM, John York <YorkJ () brcc edu> wrote:

      Hi

      I'm running on Ubuntu 8.04LTS, Snort compiled from source, with
      pulledpork fixing up the SO rules for me.  Snort 2.8.4 with CURRENT
      rules was working fine.  I know you're only supposed to run CURRENT
      if you use the CVS current version of Snort, but what the hey?  It
      was working.

      After the upgrade to 2.8.5, PulledPork ran Snort to set up the so
      rules and got this error:
      ERROR: /usr/local/etc/snort/snort.conf(190) Config option "detection" can only be configured once.
      Fatal Error, Quitting..

      @$%#@!!!  Busted.  Guess I'll have to go to the 2.8 rules.

      (It turned out the error was caused by these lines from my old 2.8.4
      snort.conf.  Went back to 2.8 rules anyway.)
      config detection: search-method ac-bnfa
      config detection: max_queue_events 5

It would have sufficed to just combine those two into one "detection" line:
"config detection: search-method ac-bnfa max_queue_events 5".

Like they say, hindsight is 20/20.

      So, changed PulledPork to point to 2.8 rules, took the 2.8.5 snort.conf
      and moved all my stuff into it.  I was amazed at how much difference
      there was between the current and 2.8.5 snort.conf files--lots more
      stuff in the current version.

      The next time Snort ran, it had segmentation faults.  That turned out
      to happen any time any one of these lines appeared in snort.conf (moved
      over from the CURRENT config, thinking they were necessary for the SO
      rules):

      dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
      dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
      dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
      dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
      dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
      dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

      OK, "Do not meddle in the affairs of wizards, for they are subtle and
      quick to anger."  Comment all those out, hope the so rules still run.

Snort ships with .so files that contain the dynamic preprocessors. When
you install a new version of Snort, you need to make sure you install
the new versions of these files! Running a new Snort with old .so files
will cause segmentation faults.

Typically, this is handled by "make install", but if you used a new
directory for 2.8.5 then you need to make sure your snort.conf contains
the correct path.

I'm surprised that Snort ran after you commented out those lines. I
guess you didn't try to configure any of the dynamic preprocessors, or
else you would have been met with another error message.

      Woohoo!  Snort runs!

      After 3 hours, Ruh Roh.  Snort's been pretty busy:
      Rule            Hits
      3:13287:3       2,861,181
      3:8092:3        1,191,487
      3:13307:1       993,864
      3:8351:4        521,964
      3:15450:2       226,397
      3:13825:2       1,626
      3:13827:2       1,626
      SO rules are running all right--never saw anything near this number of
      hits, though.  Ouch.  At the moment I'm trying to decide whether to
      comment out those rules, give CURRENT another try with the 2.8.5 CURRENT
      config file, or punt.

      John York
      Network Engineer
      Blue Ridge Community College
      1 College Lane, Weyers Cave, VA

------------------------------------------------------------------------------
      Come build with us! The BlackBerry® Developer Conference in SF, CA
      is the only developer event you need to attend this year. Jumpstart your
      developing skills, take BlackBerry mobile applications to market and stay
      ahead of the curve. Join us from November 9-12, 2009. Register now!
      http://p.sf.net/sfu/devconf
      _______________________________________________
      Snort-users mailing list
      Snort-users () lists sourceforge net
      Go to this URL to change user options or unsubscribe:
      https://lists.sourceforge.net/lists/listinfo/snort-users
      Snort-users list archive:
      http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------

Message: 3
Date: Mon, 28 Sep 2009 14:04:33 -0400
From: "John York" <YorkJ () brcc edu>
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride
To: <snort-users () lists sourceforge net>
Message-ID:
      <49DF20DF84F8D84AAC5B8ED6D41D2C7606D8897B () bramail br vccs edu>
Content-Type: text/plain;     charset="US-ASCII"

Oops, just found that this problem is fixed in the latest version of
PulledPork.  CentOS-5.0 and FC-9 will still have to do something if they
want x86.

------------------------------

Message: 4
Date: Mon, 28 Sep 2009 14:19:35 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride
To: John York <YorkJ () brcc edu>
Cc: snort-users () lists sourceforge net
Message-ID:
      <314cf0830909281119y4f124306wc11c3ce5873daec8 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I am sure the author of Pulled-Pork would appreciate a bug to fix these
issues.
J

------------------------------



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest, Vol 40, Issue 30
*******************************************



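The two breakages Ryan Jordan diagnoses in the quoted thread, a `config detection:` directive given twice (which Snort 2.8.5 rejects with "can only be configured once") and `dynamicpreprocessor file` lines that point at .so files left over from the previous release (which segfault the new binary), are both things a sensor operator can catch before restarting Snort. The preflight linter below is an added example written for this page; it is not code from the thread, from Snort or from PulledPork. The `snort.conf` sample is constructed to mirror John York's 2.8.4 leftovers, the `/usr/local/bin/snort` binary path is an assumption, and the `exists`/`mtime` hooks are there so the checks can be exercised against constructed data instead of a real filesystem. The "older than the snort binary" test is a heuristic for the stale-.so case, not something Snort itself reports.

```python
"""Preflight checks for a Snort 2.x snort.conf before restarting the sensor.

Added example for this page; not code from the thread, Snort or PulledPork.
It covers the two failures described in the quoted thread:
  1. a 'config <option>:' directive that appears more than once (Snort 2.8.5
     aborts with "Config option ... can only be configured once"), with the
     single merged line Snort does accept;
  2. 'dynamicpreprocessor' / 'dynamicengine' / 'dynamicdetection' paths that
     are missing, or whose .so files are older than the snort binary they are
     loaded into (a heuristic for "old .so files with a new Snort").
The 'exists' and 'mtime' hooks are assumptions that let the checks run
against constructed data instead of a real filesystem.
"""
import os
import re

# 'config option: value'; Snort allows each option once per configuration
CONFIG_RE = re.compile(r'^\s*config\s+([A-Za-z_]+)\s*:\s*(.*?)\s*$')
# dynamic module directives; the 'file'/'directory' keyword is optional
DYNAMIC_RE = re.compile(
    r'^\s*(dynamicpreprocessor|dynamicengine|dynamicdetection)\s+'
    r'(?:(?:file|directory)\s+)?(\S+)')


def strip_comment(line):
    """Drop a trailing '#' comment; snort.conf has no quoting to worry about."""
    return line.split('#', 1)[0]


def find_duplicate_configs(conf_text):
    """Return {option: [value, ...]} for every config option given more than once."""
    seen = {}
    for raw in conf_text.splitlines():
        m = CONFIG_RE.match(strip_comment(raw))
        if m:
            seen.setdefault(m.group(1), []).append(m.group(2))
    return {opt: vals for opt, vals in seen.items() if len(vals) > 1}


def merged_config_line(option, values):
    """Fold several 'config option: ...' values into the one line Snort accepts."""
    return 'config %s: %s' % (option, ' '.join(v for v in values if v))


def dynamic_paths(conf_text):
    """All paths referenced by dynamic* directives, in file order."""
    paths = []
    for raw in conf_text.splitlines():
        m = DYNAMIC_RE.match(strip_comment(raw))
        if m:
            paths.append(m.group(2))
    return paths


def missing_dynamic_paths(conf_text, exists=os.path.exists):
    """Paths from dynamic* directives that 'exists' reports absent."""
    return [p for p in dynamic_paths(conf_text) if not exists(p)]


def stale_dynamic_paths(conf_text, snort_binary, exists=os.path.exists,
                        mtime=os.path.getmtime):
    """Existing .so paths older than the snort binary: likely left over from
    the previous release, which is the segfault case described in the thread."""
    if not exists(snort_binary):
        return []
    binary_time = mtime(snort_binary)
    return [p for p in dynamic_paths(conf_text)
            if exists(p) and p.endswith('.so') and mtime(p) < binary_time]


def lint(conf_text, snort_binary, exists=os.path.exists, mtime=os.path.getmtime):
    """Return human-readable findings; an empty list means the conf passed."""
    findings = []
    for opt, vals in find_duplicate_configs(conf_text).items():
        findings.append("config '%s' given %d times; Snort accepts it once. Use: %s"
                        % (opt, len(vals), merged_config_line(opt, vals)))
    for p in missing_dynamic_paths(conf_text, exists):
        findings.append('dynamic module path not found: %s' % p)
    for p in stale_dynamic_paths(conf_text, snort_binary, exists, mtime):
        findings.append('dynamic module older than %s (reinstall it): %s'
                        % (snort_binary, p))
    return findings


# Constructed sample mirroring the 2.8.4 leftovers described in the thread.
SAMPLE_CONF = """\
# detection engine settings carried over from the 2.8.4 snort.conf
config detection: search-method ac-bnfa
config detection: max_queue_events 5
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
"""

if __name__ == '__main__':
    # Run against the real filesystem; adjust the binary path to your install.
    for finding in lint(SAMPLE_CONF, '/usr/local/bin/snort'):
        print(finding)
```

Running `lint()` on the sample reports the duplicated `config detection:` and proposes the merged `config detection: search-method ac-bnfa max_queue_events 5` line from the thread; on a live box it also flags any referenced module that is absent or predates the binary. The mtime comparison is deliberately conservative: a .so newer than the binary can still be the wrong build, so after a version change the reliable fix remains re-running `make install` (or pointing `snort.conf` at the new install directory), as Ryan's reply says.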
