Snort mailing list archives
Cannot install Snort with RPM file.
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Tue, 30 Sep 2014 15:07:05 +0700
Hello, I tried to install Snort with the RPM file that is on snort.org, but I got this error:

    error: Failed dependencies:
        libdnet.1()(64bit) is needed by snort-1:2.9.6.2-1.x86_64
        libpcre.so.0()(64bit) is needed by snort-1:2.9.6.2-1.x86_64

It's strange, because in CentOS 7 the following are already in the system:

1. libdnet 1.12, including its devel package
2. pcre 8.32, including its devel package

?

2014-09-29 21:56 GMT+07:00 <snort-users-request () lists sourceforge net>:
Today's Topics:

   1. Re: http_header not working (NIDS TEAM)
   2. Re: http_header not working (Mitesh Jadia)
   3. Unsubscribe (Dilan Loboa)
   4. Re: http_header not working (waldo kitty)

---------- Forwarded message ----------
From: NIDS TEAM <nidsteam () gmail com>
To: "Joel Esler (jesler)" <jesler () cisco com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 29 Sep 2014 13:52:20 +0200
Subject: Re: [Snort-users] http_header not working

So I just compiled Snort with --enable-sourcefire.

Snort runs with the following rule:

    alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google"; http_uri; gid:1; sid:99999; rev:2;)

I then do one single request to www.google.com/mail

The following request is visible with Snort (I do not copy all the SYN/ACK packets):

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    09/29-09:03:51.706262 213.156.231.85:38364 -> 173.194.32.210:80
    TCP TTL:64 TOS:0x0 ID:60575 IpLen:20 DgmLen:170 DF
    ***AP*** Seq: 0xE1581B62  Ack: 0x746B8DA  Win: 0x73  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1809643521 4126477955
    47 45 54 20 2F 6D 61 69 6C 20 48 54 54 50 2F 31  GET /mail HTTP/1
    2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent:
    57 67 65 74 2F 31 2E 31 33 2E 34 20 28 6C 69 6E  Wget/1.13.4 (lin
    75 78 2D 67 6E 75 29 0D 0A 41 63 63 65 70 74 3A  ux-gnu)..Accept:
    20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E   */*..Host: www.
    67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E  google.com..Conn
    65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
    76 65 0D 0A 0D 0A                                ve....
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The Preprocessor Profile Statistics shows:

    3  httpinspect  0  2  2  4  2.11  0.60  0.60

    ===============================================================================
    HTTP Inspect - encodings (Note: stream-reassembled packets included):
        POST methods:                          0
        GET methods:                           0
        HTTP Request Headers extracted:        0
        HTTP Request Cookies extracted:        0
        Post parameters extracted:             0
        HTTP response Headers extracted:       0
        HTTP Response Cookies extracted:       0
        Unicode:                               0
        Double unicode:                        0
        Non-ASCII representable:               0
        Directory traversals:                  0
        Extra slashes ("//"):                  0
        Self-referencing paths ("./"):         0
        HTTP Response Gzip packets extracted:  0
        Gzip Compressed Data Processed:        n/a
        Gzip Decompressed Data Processed:      n/a
        Total packets processed:               2

It looks like the http_inspect preprocessor doesn't do anything here, besides passing the packet.

The http_inspect configuration is identical to: http://labs.snort.org/snort/2962/snort.conf

On Fri, Sep 26, 2014 at 5:50 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
> I suggest you compile with --enable-sourcefire. That turns on all the things we usually troubleshoot with.
>
> On Sep 26, 2014, at 11:46 AM, NIDS TEAM <nidsteam () gmail com> wrote:
>> No, but is there any dependency? These are the compile flags:
>>
>>     ./configure \
>>       --quiet \
>>       --prefix=/opt/snort \
>>       --enable-static=no \
>>       --with-libpcap-includes=/opt/snort/include \
>>       --with-libpcap-libraries=/opt/snort/lib \
>>       --with-dnet-includes=/opt/snort/include \
>>       --with-dnet-libraries=/opt/snort/lib \
>>       --with-daq-includes=/opt/snort/include \
>>       --with-daq-libraries=/opt/snort/lib \
>>       --enable-reload \
>>       --enable-reload-error-restart \
>>       --enable-normalizer

---------- Forwarded message ----------
From: Mitesh Jadia <mitesh.jadia () gmail com>
To: NIDS TEAM <nidsteam () gmail com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 29 Sep 2014 19:10:55 +0530
Subject: Re: [Snort-users] http_header not working

Hello,

As per my understanding, the following signature

    alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);

will not trigger, because the content "test" in your GET request will not be part of the http_header field. http_uri and http_raw_uri are the proper keywords to match this content:

    alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);

Logically you should use 'alert tcp' for this signature. However, with alert ip this signature is working for me here.

On Fri, Sep 26, 2014 at 5:59 PM, NIDS TEAM <nidsteam () gmail com> wrote:
> Hi
>
> I just encountered a problem with the http_* keywords in Snort rules.
> There is a GET request to www.anywebsite.com/test
>
> The following signature triggers:
>
>     alert ip any any -> any any (content:"test"; msg:"Test Signature"; sid:"9999999"; rev:1);
>
> The following signatures do not:
>
>     alert ip any any -> any any (content:"test"; http_header; msg:"Test Signature"; sid:"9999998"; rev:1);
>     alert ip any any -> any any (content:"test"; http_uri; msg:"Test Signature"; sid:"9999997"; rev:1);
>
> Does anyone have an idea why?
>
> I tested the behaviour with:
> - Security Onion - Snort 2.9.5.6
>   Default shipped configuration plus the above rules
> - Ubuntu Snort download off the shelf - Snort 2.9.6.0
> - Latest and greatest compiled - Snort 2.9.6.2
>
> There is always the same behaviour.
>
> Thanks already
> guido
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

---------- Forwarded message ----------
From: Dilan Loboa <dilan1396 () gmail com>
To: snort-users-request () lists sourceforge net, snort-users-owner () lists sourceforge net, snort-users () lists sourceforge net
Cc:
Date: Mon, 29 Sep 2014 08:53:45 -0500
Subject: [Snort-users] Unsubscribe

I wish to unsubscribe.

---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Cc:
Date: Mon, 29 Sep 2014 10:56:20 -0400
Subject: Re: [Snort-users] http_header not working

On 9/29/2014 7:52 AM, NIDS TEAM wrote:
> So I just compiled Snort with --enable-sourcefire.
>
> Snort runs with the following rule:
>
>     alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google"; http_uri; gid:1; sid:99999; rev:2;)

are you saying that you have no other rules at all? only this one rule plus the built-in ones in the internal functions?

> I then do one single request to www.google.com/mail
>
> The following request is visible with Snort (I do not copy all the SYN/ACK packets):

[trim]

> It looks like the http_inspect preprocessor doesn't do anything here, besides passing the packet.
>
> The http_inspect configuration is identical to: http://labs.snort.org/snort/2962/snort.conf

what do you expect to see from the http_inspect preprocessor? where do you expect to see it emitted?

--
NOTE: No off-list assistance is given without prior approval.
      Please *keep mailing list traffic on the list* unless
      private contact is specifically requested and granted.
Current thread:
- Cannot install Snort with RPM file. Jutichai Thongkrachai (Sep 30)
- Re: Cannot install Snort with RPM file. Kurzawa, Kevin (Sep 30)
- Re: Cannot install Snort with RPM file. Bill Bernsen (Sep 30)
- Re: Cannot install Snort with RPM file. Kurzawa, Kevin (Sep 30)