Snort mailing list archives
Re: Snort-users Digest, Vol 85, Issue 24
From: soukaina mzerda <soukaina.mz () gmail com>
Date: Fri, 7 Jun 2013 11:25:17 +0200
Yes, I rebuilt with --enable-debug and I got the same error, segmentation fault.

NB: first I had configured snort2.9.1 and snort rules 2940 without libdnet and daq, but at least I was able to run snort -v successfully. But once I changed the version of snort and snort rules and installed daq and libdnet, I started getting the error in question.

On Fri, Jun 7, 2013 at 6:08 AM, <snort-users-request () lists sourceforge net> wrote:
Today's Topics:

   1. Re: troubleshooting snort (waldo kitty)
   2. Snort.org Blog: Snort FAQ is open for community involvement! (Joel Esler)
   3. segmentation fault (soukaina mzerda)
   4. Re: segmentation fault (Russ Combs)
   5. Snort with IPtables (Steven McLaughlin)
   6. Re: Snort with IPtables (Jeremy Hoel)

----------------------------------------------------------------------

Message: 1
Date: Thu, 06 Jun 2013 14:08:15 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] troubleshooting snort
To: snort-users () lists sourceforge net
Message-ID: <51B0D00F.9070505 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 6/6/2013 08:34, soukaina mzerda wrote:
> Hi, I configured snort-2.9.4.6 with snortrule 2941, libdnet-1.12 and daq
> and all the packages needed but I just can't run snort. I did snort -v and
> I get segmentation default, at least plz tell me what it is coming from plz

you are not using the SO rules from that 2.9.4.1 rules package, are you??

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

------------------------------

Message: 2
Date: Thu, 6 Jun 2013 15:59:58 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: [Snort-users] Snort.org Blog: Snort FAQ is open for community involvement!
To: "snort-users () lists sourceforge net mailinglist" <snort-users () lists sourceforge net>, "snort-sigs () lists sourceforge net list" <snort-sigs () lists sourceforge net>, Snort Developpers support <snort-devel () lists sourceforge net>
Message-ID: <45C4F2F5-95EE-4DF8-952C-53A269F847BF () sourcefire com>
Content-Type: text/plain; charset=us-ascii

http://blog.snort.org/2013/06/snort-faq-is-open-for-community.html

Snort FAQ is open for community involvement!

Following the success of our ClamAV FAQ being placed on Github, we decided to do the same thing to the Snort FAQ in hopes that it will make the content available to community users to submit content to and make it easily manageable.

So, now available: https://github.com/vrtadmin/snort-faq/blob/master/README.md

The reason we put it on Github is it makes it simple to edit (in Markdown format), it's easy to audit, it's easy to clone and import, etc. When we did this with the ClamAV FAQ, we found it made the content super easy to keep up to date, allows for several users to work on it and allows for community involvement.

So this is what we are hoping you will do. I took the old FAQ that was on http://www.snort.org, made it into Markdown and moved it to Github. Now we can add things like "Having a problem capturing TCP traffic? Have you tried "-k none" in your testing?"

So, have at it. We'll review all content and approve it as it comes in through your pull requests.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------

Message: 3
Date: Thu, 6 Jun 2013 23:46:18 +0200
From: soukaina mzerda <soukaina.mz () gmail com>
Subject: [Snort-users] segmentation fault
To: snort-users () lists sourceforge net
Message-ID: <CABCqq+4E0SM+Jboiqm3BOiak9Wqvye3wujmvOuSyJ= j1CG7RAw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I reconfigured snort-2946, snort rules-2946, libdnet-1.12 and daq-2.0.0 very successfully. I run snort -v and I get a horrible error, segmentation fault, knowing that my ldd does not show any missing file, so any idea about where this comes from?

plllllllllllllllllllllllllllllllllllllllllllllllllz I need your help :/

------------------------------

Message: 4
Date: Thu, 6 Jun 2013 18:09:51 -0400
From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] segmentation fault
To: soukaina mzerda <soukaina.mz () gmail com>
Cc: snort-users () lists sourceforge net
Message-ID: < CAN8FaB_cWd4pUMirXZhF-Zi9+NENVQmy7ArKN3HGp5sEKWcAUw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

On Thu, Jun 6, 2013 at 5:46 PM, soukaina mzerda <soukaina.mz () gmail com> wrote:
> I reconfigured snort-2946, snort rules-2946, libdnet-1.12 and daq-2.0.0
> very successfully. I run snort -v and I get a horrible error, segmentation
> fault, knowing that my ldd does not show any missing file, so any idea
> about where this comes from?
>
> plllllllllllllllllllllllllllllllllllllllllllllllllz I need your help :/

What does snort -V give you?

Can you rebuild with --enable-debug and send a back trace?

We will also need, at least, `head config.log`.

------------------------------

Message: 5
Date: Fri, 7 Jun 2013 14:03:07 +1000
From: Steven McLaughlin <steve () Lan com au>
Subject: [Snort-users] Snort with IPtables
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <CAC06-HV2tn_hgFgJzh+oyEg8=_ sL+WFmAABSBoCQuOiUSTecFg () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

What's the take on running a snort sensor with IPtables running. In first instance I would think this interferes with sensor detection capability. Is anyone running IPtables on the same host as their Snort sensor? If so, what is the best way to nail this?

The reason I ask is that I have two interfaces. One is the management interface which will have an IP address. This interface will deny all incoming traffic except for tcp/22 and tcp/443 inbound connections.

The other interface is the snort sensor on eth1. The sensor is listening only.

So is a rule allowing all incoming like so sufficient for Snort sniffing:

    -A INPUT -i eth1 -j ACCEPT

Or should I also allow all outbound as follows:

    -A INPUT -i eth1 -j ACCEPT
    -A OUTPUT -i eth1 -j ACCEPT

Alternatively, is there a best practice IPtables configuration for snort sensors?

thanks,
Steve

------------------------------

Message: 6
Date: Thu, 6 Jun 2013 22:08:16 -0600
From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] Snort with IPtables
To: Steven McLaughlin <steve () lan com au>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <CAH_p-VNt2BgmPhARNYP8_fP0mJ3ckq5-tOW= wfukbRRx_dibeg () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

we run iptables on all our sensors, but we don't give the sniffing port an ip and have no iptables entries for it. It works like a champ.

On Thu, Jun 6, 2013 at 10:03 PM, Steven McLaughlin <steve () lan com au> wrote:
> Hi All,
>
> What's the take on running a snort sensor with IPtables running. In first
> instance I would think this interferes with sensor detection capability.
> Is anyone running IPtables on the same host as their Snort sensor? If so,
> what is the best way to nail this?
>
> The reason I ask is that I have two interfaces. One is the management
> interface which will have an IP address. This interface will deny all
> incoming traffic except for tcp/22 and tcp/443 inbound connections.
>
> The other interface is the snort sensor on eth1. The sensor is listening
> only.
>
> So is a rule allowing all incoming like so sufficient for Snort sniffing:
>
>     -A INPUT -i eth1 -j ACCEPT
>
> Or should I also allow all outbound as follows:
>
>     -A INPUT -i eth1 -j ACCEPT
>     -A OUTPUT -i eth1 -j ACCEPT
>
> Alternatively, is there a best practice IPtables configuration for snort
> sensors?
>
> thanks,
> Steve

------------------------------

End of Snort-users Digest, Vol 85, Issue 24
*******************************************
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
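
Editor's added example for the "Snort with IPtables" exchange in the quoted digest (messages 5 and 6); it is not code from any poster or from the Snort project. It sketches the layout Jeremy Hoel describes, with the management policy Steven McLaughlin states, assuming the management interface is named eth0 (the thread does not name it) and adding loopback and established-connection rules as further assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 is the management
# interface (its name is not given on the page); eth1 is the sniffing port;
# the loopback and ESTABLISHED,RELATED rules are additions for a usable host.
#
# Passive capture (libpcap/AF_PACKET) taps frames before netfilter's INPUT
# hook, so Snort on eth1 needs no ACCEPT rule. This does not hold for inline
# (NFQ) mode, where netfilter hands packets to Snort.

# Print an iptables-restore ruleset that filters the management interface only:
# default-deny inbound, tcp/22 and tcp/443 allowed, no entry for the sniff port.
sensor_ruleset() {
    mgmt_if=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $mgmt_if -p tcp --dport 22 -j ACCEPT
-A INPUT -i $mgmt_if -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Succeed only if the text from `ip -o addr show dev IFACE` lists no IPv4 or
# IPv6 address (an "up" interface usually gains an fe80:: link-local address).
iface_unnumbered() {
    ! printf '%s\n' "$1" | grep -Eq ' inet6? '
}

# Typical use, as root:
#   sysctl -w net.ipv6.conf.eth1.disable_ipv6=1
#   ip addr flush dev eth1 && ip link set dev eth1 up promisc on
#   iface_unnumbered "$(ip -o addr show dev eth1)" || echo "eth1 has an address" >&2
#   sensor_ruleset eth0 | iptables-restore
```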
Current thread:
- Re: Snort-users Digest, Vol 85, Issue 24 soukaina mzerda (Jun 07)