Snort mailing list archives

Re: Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode


From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Tue, 19 Aug 2014 11:29:01 +0700

To Waldo kitty

I installed from .tar.gz (source, not binary).



2014-08-19 0:52 GMT+07:00 <snort-users-request () lists sourceforge net>:

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest.  Please trim
your response.

Today's Topics:

   1. Re: May be wrong error msg (waldo kitty)
   2. Re: May be wrong error msg (Balasubramaniam Natarajan)
   3. Got the "ERROR: Cannot decode data link type 239" message
      when turn on sniffer mode (Jutichai Thongkrachai)
   4. Tcp session hijacking (Meysam Farazmand)
   5. Re: Got the "ERROR: Cannot decode data link type 239" message
      when turn on sniffer mode (waldo kitty)
   6. Re: Tcp session hijacking (waldo kitty)
   7. Snort Blog: Snort Subscriber Ruleset: Re-categorization of
      the Shared Object Rules (Joel Esler (jesler))


---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Cc:
Date: Sat, 16 Aug 2014 13:23:59 -0400
Subject: Re: [Snort-users] May be wrong error msg
On 8/16/2014 2:54 AM, Balasubramaniam Natarajan wrote:

Hi

While installing snort, I included a particular rule in its conf file.  Later
when I ran snort against a pcap I found that snort's error message was not
completely correct (Or my understanding about it is wrong) about pointing the
absolute RULE_PATH.  Attached is a screenshot for your reference.


snort automatically adds etc/ to paths when it cannot access the specified
file... are your permissions correct for the file in question so that snort
can load it??

--
 NOTE: No off-list assistance is given without prior approval.
       Please *keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.




---------- Forwarded message ----------
From: Balasubramaniam Natarajan <bala150985 () gmail com>
To: waldo kitty <wkitty42 () windstream net>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Sat, 16 Aug 2014 23:31:13 +0530
Subject: Re: [Snort-users] May be wrong error msg



On Sat, Aug 16, 2014 at 10:53 PM, waldo kitty <wkitty42 () windstream net>
wrote:


snort automatically adds etc/ to paths when it cannot access the specified
file... are your permissions correct for the file in question so that snort
can load it??


Well I figured out that there was no file with that name in the rules
directory and I had removed that rule line from the snort.conf file.
However why would snort add */sec/snort/etc/* to the path without which I
could have spotted the error more easily.  Does it signify the place from
where my conf file is getting loaded ?  If yes, I would not understand the
reason for that.

--
Regards,
Balasubramaniam Natarajan
http://blog.etutorshop.com
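
As an added check, not code from this thread or from the Snort project: a small sh script that resolves each `include $RULE_PATH/...` line in a snort.conf and flags rule files that are missing or unreadable, which is what turned out to be the problem above (the file named in the include no longer existed). It assumes the conventional `var RULE_PATH <dir>` declaration and treats relative paths as relative to the conf file; both are assumptions, as is the constructed sample conf the demo builds in a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Resolves every "include $RULE_PATH/..." line in a snort.conf and reports
# rule files that are missing or unreadable, so a removed or misspelled
# rule file is caught before Snort itself complains about the path.
# Assumption: the conf declares the rule directory as "var RULE_PATH <dir>"
# (the conventional form); relative paths are taken relative to the conf file.

# check_snort_includes <snort.conf>
# Prints one line per include that does not resolve to a readable file and
# returns the number of such includes (0 means every include is readable).
check_snort_includes() {
    conf="$1"
    confdir=$(dirname "$conf")
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}RULE_PATH[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    case "$rule_path" in
        /*) ;;                                   # already absolute
        *)  rule_path="$confdir/$rule_path" ;;   # relative to the conf file
    esac
    includes=$(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$conf")
    failures=0
    for target in $includes; do
        case "$target" in
            \$RULE_PATH/*) resolved="$rule_path/${target#\$RULE_PATH/}" ;;
            /*)            resolved="$target" ;;
            *)             resolved="$confdir/$target" ;;
        esac
        if [ ! -r "$resolved" ]; then
            printf 'missing or unreadable: %s (from "include %s")\n' "$resolved" "$target"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# make_sample_conf
# Builds a constructed snort.conf in a temporary directory with one include
# that resolves and one whose rule file was never created; prints the directory.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    printf '# constructed placeholder rule file\n' > "$dir/rules/local.rules"
    cat > "$dir/snort.conf" <<EOF
var RULE_PATH rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/nonexistent.rules
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report the unresolvable include in the sample conf.
sample_dir=$(make_sample_conf)
check_snort_includes "$sample_dir/snort.conf" || echo "$? include(s) could not be resolved"
```

Run it against the real conf with `check_snort_includes /etc/snort/snort.conf` (or whatever path is passed to `-c`); a non-zero return is the count of includes Snort will not be able to load, and the message names the resolved path so a wrong RULE_PATH and a plain missing file are told apart.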


---------- Forwarded message ----------
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
To: snort-users () lists sourceforge net
Cc:
Date: Sun, 17 Aug 2014 14:10:49 +0700
Subject: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode
Hello

I would like to turn on Sniffer mode of Snort 2.9.6 on Centos 7 but I got
the error below:

------------------------------------------------
./snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "nflog".
ERROR: Cannot decode data link type 239
Fatal Error, Quitting..
-------------------------------------------------

Please help.


---------- Forwarded message ----------
From: Meysam Farazmand <farazmand.meisam () gmail com>
To: snort-users () lists sourceforge net
Cc:
Date: Sun, 17 Aug 2014 14:07:51 +0430
Subject: [Snort-users] Tcp session hijacking

Hi all,

I used "check_session_hijacking" in stream5 preprocessor for session
hijacking attacks detection and launched a mitm attack. But snort did not
detect it. I also checked preprocessor rules for detecting this type of
attack and there were some rules in my ruleset.

Does anyone know how to configure snort to detect session hijacking and
mitm attacks?


---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Cc:
Date: Sun, 17 Aug 2014 12:52:55 -0400
Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode
On 8/17/2014 3:10 AM, Jutichai Thongkrachai wrote:

------------------------------------------------
./snort -v
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "nflog".
ERROR: Cannot decode data link type 239
Fatal Error, Quitting..
-------------------------------------------------


is this self compiled or a binary you downloaded from somewhere?


--
 NOTE: No off-list assistance is given without prior approval.
       Please *keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.




---------- Forwarded message ----------
From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net
Cc:
Date: Sun, 17 Aug 2014 12:55:48 -0400
Subject: Re: [Snort-users] Tcp session hijacking
On 8/17/2014 5:37 AM, Meysam Farazmand wrote:

Hi all,

I used "check_session_hijacking" in stream5 preprocessor for session hijacking
attacks detection and launched a mitm attack. But snort did not detect it.


session hijacking and mitm are not the same...

session hijacking is where you take over or continue with someone's
existing or previous session...

mitm is where you are in the middle and have valid sessions with both
parties and pass their traffic across while doing what you want with it in
the middle...


--
 NOTE: No off-list assistance is given without prior approval.
       Please *keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.




---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: snort-sigs <snort-sigs () lists sourceforge net>, snort-devel
mailinglist <snort-devel () lists sourceforge net>, snort-users <
snort-users () lists sourceforge net>, "snort-openappid () lists sourceforge net"
<snort-openappid () lists sourceforge net>
Cc:
Date: Mon, 18 Aug 2014 17:52:30 +0000
Subject: [Snort-users] Snort Blog: Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules

 Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules

In 2012, the VRT (now Talos) performed a massive restructuring of the
plaintext ruleset from the old category structure to a new category
structure.  Since then we've received overwhelmingly positive feedback
about them, so we will continue the effort by moving the Shared Object
Rules into a similar category structure.


Read more here:

http://blog.snort.org/2014/08/snort-subscriber-ruleset-re.html


 --
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
