Snort mailing list archives
Re: Snort-users Digest, Vol 93, Issue 13
From: Aditya Prakash <adipra90 () gmail com>
Date: Wed, 12 Feb 2014 09:36:49 +0530
Please, can anybody tell me how to trim the Snort alert timestamp? I do not want the microsecond field; I just want the date and time in hr:min:sec format.

On Wed, Feb 12, 2014 at 4:11 AM, <snort-users-request () lists sourceforge net> wrote:
Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

   1. Re: sudo snort -Tc snort.conf failure (Nicholas Mavis (nmavis))
   2. sfportscan not writing to BASE (Richard Smollett)
   3. Getting Incorrect URL Error Message for a working URL (MMartin () jwpepper com)
   4. Re: Getting Incorrect URL Error Message for a working URL (MMartin () jwpepper com)

----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Feb 2014 15:20:51 +0000
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Subject: Re: [Snort-users] sudo snort -Tc snort.conf failure
To: David Montgomery <davidmontgomery () gmail com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <CF1FA8D1.E4D9%nmavis () cisco com>
Content-Type: text/plain; charset="us-ascii"

David,

As Y M mentioned, if you are installing snort via the Ubuntu repositories it is going to be outdated. I would recommend downloading an updated release (2.9.6) from snort.org.

The errors you are seeing are fairly straightforward.

Initializing rule chains...
WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS

As seen in the error above, you have the $DNS_SERVERS variable set to "!any" within your snort.conf, which is not allowed.
From: David Montgomery <davidmontgomery () gmail com>
Date: Tuesday, February 11, 2014 8:03 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] sudo snort -Tc snort.conf failure

Initializing rule chains...
WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed: !$DNS_SERVERS

------------------------------

Message: 2
Date: Tue, 11 Feb 2014 15:59:14 -0500
From: Richard Smollett <yawningdogge () gmail com>
Subject: [Snort-users] sfportscan not writing to BASE
To: snort-users () lists sourceforge net
Message-ID: <CAC=Gbs6VQwRNGoOC2F1PR-CfQaXNFZKjZU5+7tmRsnAVfDHojg () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

After a portscan, my log file contains the following.

Time: 02/11-14:49:22.006688
event_ref: 0
172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 172.28.61.88:172.28.61.88
Port/Proto Count: 5
Port/Proto Range: 23:993

So it looks like the preprocessor is working. But in the BASE interface, portscan traffic remains 0%. My rules are reporting to BASE just fine.

Preprocessor config looks like this.

preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } sense_level { low } logfile { /etc/snort/sfportscan.log }
------------------------------

Message: 3
Date: Tue, 11 Feb 2014 16:54:28 -0500
From: MMartin () jwpepper com
Subject: [Snort-users] Getting Incorrect URL Error Message for a working URL
To: snort-users () lists sourceforge net
Message-ID: <OF5E480AC0.AF542C41-ON85257C7C.00745DD7-85257C7C.00785867 () jwpepper com>
Content-Type: text/plain; charset="us-ascii"

Hello All,

Installed Version: Snort v2.9.6.0 --and-- Oinkmaster v2.0

Let me start by saying I am new to Snort, but I have it configured and running in IDS mode. The issue I'm having is with Oinkmaster.pl, which is telling me the URL I am giving is incorrect. Sorry if this was asked before, but I tried checking the mailing list's archive for a similar situation, and without a search function it was impossible to find a similar case...

But anyway, I am a registered user on snort.org and I generated an "Oinkcode" from the My Account page in order to get a URL configured for oinkmaster to update my rules. I added the following URL from my "My Oinkcode" page, under "Registered User Release", which was generated using the specific code that was given to me, to my "/etc/oinkmaster.conf" file: (*FYI, I hid my Oinkcode with 'xxx....' below)

http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

This link was the default one given as an example, so I tried ".../snortrules-snapshot-2960.tar.gz/..." because that is the Snort version I currently have installed, and when I open that in a browser I get the error below:

Snort.org Rule Pack Download Error:
--------------------------
Subscription: false
--------------------------
No rule pack with this filename is available to you.
--------------------------

I assume since this is the newest version of Snort available, the rules are not yet ready for download...?

So I tried the next newest release, which was --> "snortrules-snapshot-2956.tar.gz"

http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I entered that URL above into a browser, and when the page loads I'm prompted with a download dialog to download the snortrules-snapshot. Since I got a download prompt I assume this is the correct URL for me to use. So I entered the following line in my oinkmaster.conf file:

url = http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Now, when I run the oinkmaster command to update/download the newest rules file I get an error about the URL, see below:

# oinkmaster -o /etc/snort/rules
Loading /etc/oinkmaster.conf
/usr/local/bin/oinkmaster: Error: incorrect URL: "http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Oink, oink. Exiting...

Since the URL works in a browser I'm not sure why it wouldn't work from the oinkmaster.pl command..? Does anyone know why this would be happening? Any thoughts or suggestions would be much appreciated.

Thanks in Advance,
Matt

------------------------------

Message: 4
Date: Tue, 11 Feb 2014 17:41:22 -0500
From: MMartin () jwpepper com
Subject: Re: [Snort-users] Getting Incorrect URL Error Message for a working URL
To: snort-users () lists sourceforge net
Message-ID: <OF92E3AC43.8A1FF157-ON85257C7C.007B4451-85257C7C.007CA3E1 () jwpepper com>
Content-Type: text/plain; charset="us-ascii"

Hey Guys,

Sorry to double post, but I think I may have found the problem... Looking at the Perl code for oinkmaster.pl I found the section that checks the URL by comparing it to a REGEX... You can see in the snippet of code below that the regex wants the URL to end with ".tar.gz" --or-- ".tgz"... Which is why my URL wouldn't work...
Here is the REGEX from the snippet below ==> /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/

__________________________ CODE SNIPPET __________________________

# Make sure all urls look ok, and untaint them.
my @urls = @{$config{url}};
$#{$config{url}} = -1;
foreach my $url (@urls) {
    clean_exit("incorrect URL: \"$url\"")
      unless ($url =~ /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/
              || $url =~ /^(dir:\/\/.+)/);
    my $ok_url = $1;
    :.....MORE CODE.....
}

________________________ END CODE SNIPPET ________________________

The problem is my URL actually ends with my Oinkcode and NOT the file name... I think I'll try to adjust the REGEX to match MY url and give it another try in the morning... I'll let you guys know what happens just in case anyone else has or had this issue and isn't familiar with Perl and/or REGEXs.

Although, I could probably just remove the '$' at the end of the REGEX and it should probably work just fine, since that matches the end of the line, and by including "^" at the start and '$' at the end, it's basically saying it has to start and end exactly like this..... And removing the '$' will basically just make it want to see that ".tar.gz" or ".tgz" is included somewhere in the URL...

I'll post back shortly. Again, sorry about double posting...

Thanks Again,
Matt

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

End of Snort-users Digest, Vol 93, Issue 13
*******************************************
-- 
Aditya Prakash (SDDE)
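Matt's diagnosis of the oinkmaster URL check (Message 4 in the quoted digest), worked through in a short script. This is an added example, not code from the thread or from oinkmaster itself. It reproduces the quoted Perl check in Python's re (the regex syntax is the same for this pattern), with the sample URLs constructed to match the shape of the ones Matt posted and a placeholder standing in for a real oinkcode. SUFFIX_RE is an assumed alternative pattern, not something oinkmaster ships. The thing to look at is what group 1 contains, because that is the value the Perl snippet stores in $ok_url: under the original pattern, under Matt's suggestion of dropping the trailing '$', and under a pattern that accepts the trailing code explicitly.

```python
import re

# Constructed sample URLs, modelled on the ones quoted in the thread.
# OINKCODE is a placeholder of the same shape Matt used, not a real code.
OINKCODE = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
PLAIN_URL = "http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz"
OINKCODE_URL = PLAIN_URL + "/" + OINKCODE

# 1. The check as quoted from oinkmaster.pl:
#    /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/
ORIGINAL_RE = re.compile(r"^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz))$")

# 2. Matt's proposed change: the same pattern with the trailing '$' removed.
UNANCHORED_RE = re.compile(r"^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz))")

# 3. An assumed alternative (not oinkmaster's): accept an optional trailing
#    "/<code>" segment, but keep the entire URL inside group 1.
SUFFIX_RE = re.compile(
    r"^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz)(?:/[A-Za-z0-9]+)?)$"
)

# The second alternative in the quoted snippet: a local directory source.
DIR_RE = re.compile(r"^(dir://.+)")

PATTERNS = {
    "original": ORIGINAL_RE,
    "no-dollar": UNANCHORED_RE,
    "with-suffix": SUFFIX_RE,
}


def untaint_url(url, pattern):
    """Mirror the quoted Perl logic: the URL is rejected unless it matches
    `pattern` or the dir:// pattern; on success return group 1, which is
    what the Perl snippet keeps as $ok_url.  None stands for
    clean_exit("incorrect URL: ...")."""
    m = pattern.match(url) or DIR_RE.match(url)
    return m.group(1) if m else None


def compare(url):
    """Run one URL through all three patterns and report what each keeps."""
    return {name: untaint_url(url, pat) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for url in (PLAIN_URL, OINKCODE_URL, "dir:///var/lib/snort/rules",
                "http://example.invalid/rules.zip"):
        print(url)
        for name, kept in compare(url).items():
            print(f"  {name:12s} -> {kept!r}")
```

Running it shows the point worth checking before editing the regex: with the '$' removed, the oinkcode URL is no longer rejected, but the greedy `.+` backtracks to the last ".tar.gz", so group 1 (the value the snippet stores in $ok_url) is the URL without the code. A pattern that keeps the whole URL inside group 1, as SUFFIX_RE does, passes the complete URL through the untainting step instead of silently shortening it.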