Snort mailing list archives
Re: Lets talk about ....
From: AllowOverride <allowoverride () gmail com>
Date: Tue, 09 Oct 2012 11:55:52 -0700
hello jeremy, thanks for your input, ill consider your thoughts. i installed seconion and yes it has configs and such to review. not really my point of what im complaining about. it's the howtos. have you been following all what i said, or just the last few emails. in any event, you will notice a reoccurring them. see if you can find it ;) i find it funny how you and others write a lot of stuff, like you think i dont know anything, how about rather, jump in and help. it's called community. my mentors always helped, im always looking for more. i found a few here, so.. if you dont mind a few emails with valid complaints, then everything is cool. if not, what can i say dude, nothing is quite clear, heck you are even pointing me to seconion, thats not a howto, and no new user will be able to find out all the stuff required for all the pieces of the puzzling looking at a config server. you kidding? lolol actually responding this email is a waste of time... ill try not to from this point forward. if you feel you know it all just say, pointing people to a man page or google, well, thats not community in my book, nor is it friendly. I NEVER SAY TO ANYONE, RTFM, LMGTFY, thats evil... are you evil? ps. Mr. Bates is community :) pss. who are you? dont bother me, im busy....
--- Begin Message --- From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 9 Oct 2012 15:51:57 +0000
Honestly.. instead of going back and forth over and over and saying that the tools don't work, when everyone else here knows they do you should probably install security onion, see hows it works, including the settings, options, integration's with databases and all that, see that it does work, and then use it to figure out why your system isn't working. Plus they you can try changes on a known good working system and see how they effect things and then integrate them into whatever scripts you keep talking about using. The tools work and it's not nearly as hard as you are making it. And BTW - criticizing the people that write the tools, that's probably not going to help your case. On Tue, Oct 9, 2012 at 3:43 PM, AllowOverride <allowoverride () gmail com> wrote:reply, ok pcap got it. thanks. makes sense now. mine however does not say decoding when i start snort... like i have been saying something is not working... lots of little things are not working.... thanks for hanging in there. ---------- Forwarded message ---------- From: Peter Bates <peter.bates () ucl ac uk> To: Cc: <snort-users () lists sourceforge net> Date: Tue, 9 Oct 2012 09:10:54 +0100 Subject: Re: [Snort-users] Lets talk about .... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all On 08/10/2012 23:28, AllowOverride wrote:next topic, revisited: u2spewfoo snort.log.1349734894 get_record: (2) Failed to read all of record data. Read 14476 of 33555456 bytes why? i run snort/barnyard2 this way: should i change? /usr/local/bin/snort -A fast -c /etc/snort/etc/snort.conf -i eth0 &I should have made it clearer in my previous email, but you should drop the -A fast. # snort -A fast -c /etc/snort/snort.conf -i eth1 <snip> Commencing packet processing (pid=7855) Decoding Ethernet # ls -hl total 12K - -rw-r--r-- 1 root snort 448 Oct 9 09:05 alert - -rw------- 1 snort snort 480 Oct 9 09:05 snort.log.1349769868 # file snort.log.1349769868 snort.log.1349769868: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514) Again, Snort is creating a pcap file and not a unified2 log. # snort -c /etc/snort/snort.conf -i eth1 <snip> Commencing packet processing (pid=7882) Decoding Ethernet # ls -hl total 8.0K - -rw------- 1 snort snort 1.2K Oct 9 09:07 snort.log.1349770017 # file snort.log.1349770017 snort.log.1349770017: data # u2spewfoo snort.log.1349770017 |grep sig sig id: 10000001 gen id: 1 revision: 0 classification: 0 Obviously when all is running fine you can daemonize with -D. Using & you're backgrounding any startup errors you might see. After this I suspect barnyard2 will work fine as it will have the unified2 input it is expecting. - -- Peter Bates Senior Information Security Officer Phone: +44(0)2076792049 Information Services Division Internal Ext: 32049 University College London London WC1E 6BT -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQc9wOAAoJELhVoVpEMS6RjaQH/3da/us0zZr+Pvn5fqZRN8lX NVncLkQxX4KviNd/WgedSksIkNEtUCDROK6e5dWqHuX6mq2udEPTCmv0/nDOxY2a wePhaGsdkgPkNEdn3OWBUQzpuolOf/QYfqVM3WgyS/jMIbyNkLKK251Sln3epvwX 7MHTgNJTe02wsmLeteMbSAZPtkpMoQskqyhuBaI3ecAw5IuMDIjMWZIwXnlx+MZf dZ+qjVOsR5P7n53WBSji5IuHSALjWZv/M+i8DnkwMSXiIepeajnhMN20BxJilWQL 3g3dNn8XneM43sMsX6ZI5KLY9TDIzk5ZxrA6j9cJbYjmjPs6PV2GaE3X5lDrJIM= =ABRW -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
--- End Message ---
------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Lets talk about ...., (continued)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 08)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... Jeremy Hoel (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Message not available
- Re: Lets talk about .... Peter Bates (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 09)
- Re: Lets talk about .... AllowOverride (Oct 08)
- Re: Lets talk about .... Peter Bates (Oct 07)
- Re: Lets talk about .... AllowOverride (Oct 07)