Snort mailing list archives
Re: Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Tue, 19 Aug 2014 11:29:01 +0700
To Waldo kitty: I installed from .tar.gz (source, not binary).

2014-08-19 0:52 GMT+07:00 <snort-users-request () lists sourceforge net>:

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

1. Re: May be wrong error msg (waldo kitty)
2. Re: May be wrong error msg (Balasubramaniam Natarajan)
3. Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode (Jutichai Thongkrachai)
4. Tcp session hijacking (Meysam Farazmand)
5. Re: Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode (waldo kitty)
6. Re: Tcp session hijacking (waldo kitty)
7. Snort Blog: Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules (Joel Esler (jesler))

---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Date: Sat, 16 Aug 2014 13:23:59 -0400
Subject: Re: [Snort-users] May be wrong error msg

On 8/16/2014 2:54 AM, Balasubramaniam Natarajan wrote:
> Hi
> While installing snort, I included a particular rule in its conf file. Later, when I ran snort against a pcap, I found that snort's error message was not completely correct (or my understanding about it is wrong) about pointing to the absolute RULE_PATH. Attached is a screenshot for your reference.

snort automatically adds etc/ to paths when it cannot access the specified file... are your permissions correct for the file in question so that snort can load it??

-- 
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

---------- Forwarded message ----------
From: Balasubramaniam Natarajan <bala150985 () gmail com>
To: waldo kitty <wkitty42 () windstream net>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Sat, 16 Aug 2014 23:31:13 +0530
Subject: Re: [Snort-users] May be wrong error msg

On Sat, Aug 16, 2014 at 10:53 PM, waldo kitty <wkitty42 () windstream net> wrote:
> snort automatically adds etc/ to paths when it cannot access the specified file... are your permissions correct for the file in question so that snort can load it??

Well, I figured out that there was no file with that name in the rules directory, and I had removed that rule line from the snort.conf file. However, why would snort add */sec/snort/etc/* to the path, without which I could have spotted the error more easily? Does it signify the place from where my conf file is getting loaded? If yes, I would not understand the reason for that.

-- 
Regards,
Balasubramaniam Natarajan
http://blog.etutorshop.com

---------- Forwarded message ----------
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
To: snort-users () lists sourceforge net
Date: Sun, 17 Aug 2014 14:10:49 +0700
Subject: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode

Hello

I would like to turn on Sniffer mode of Snort 2.9.6 on Centos 7, but I got the error below:

------------------------------------------------
./snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "nflog".
ERROR: Cannot decode data link type 239
Fatal Error, Quitting..
-------------------------------------------------

Please help.

---------- Forwarded message ----------
From: Meysam Farazmand <farazmand.meisam () gmail com>
To: snort-users () lists sourceforge net
Date: Sun, 17 Aug 2014 14:07:51 +0430
Subject: [Snort-users] Tcp session hijacking

Hi all,

I used "check_session_hijacking" in the stream5 preprocessor for session hijacking attack detection and launched a mitm attack. But snort did not detect it. I also checked the preprocessor rules for detecting this type of attack, and there were some rules in my ruleset. Does anyone know how to configure snort to detect session hijacking and mitm attacks?

---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Date: Sun, 17 Aug 2014 12:52:55 -0400
Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode

On 8/17/2014 3:10 AM, Jutichai Thongkrachai wrote:
> ------------------------------------------------
> ./snort -v
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> pcap DAQ configured to passive.
> Acquiring network traffic from "nflog".
> ERROR: Cannot decode data link type 239
> Fatal Error, Quitting..
> -------------------------------------------------

is this self compiled or a binary you downloaded from somewhere?

-- 
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Date: Sun, 17 Aug 2014 12:55:48 -0400
Subject: Re: [Snort-users] Tcp session hijacking

On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
> Hi all,
> I used "check_session_hijacking" in the stream5 preprocessor for session hijacking attack detection and launched a mitm attack. But snort did not detect it.

session hijacking and mitm are not the same...

session hijacking is where you take over or continue with someone's existing or previous session... mitm is where you are in the middle and have valid sessions with both parties and pass their traffic across while doing what you want with it in the middle...

-- 
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: snort-sigs <snort-sigs () lists sourceforge net>, snort-devel mailinglist <snort-devel () lists sourceforge net>, snort-users <snort-users () lists sourceforge net>, "snort-openappid () lists sourceforge net" <snort-openappid () lists sourceforge net>
Date: Mon, 18 Aug 2014 17:52:30 +0000
Subject: [Snort-users] Snort Blog: Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules

Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules

In 2012, the VRT (now Talos) performed a massive restructuring of the plaintext ruleset from the old category structure to a new category structure. Since then we've received overwhelmingly positive feedback about them, so we will continue the effort by moving the Shared Object Rules into a similar category structure.

Read more here: http://blog.snort.org/2014/08/snort-subscriber-ruleset-re.html

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users