Snort mailing list archives
Re: Snort-users Digest, Vol 132, Issue 20
From: Nicholas Vigneur <nvigneur () gmail com>
Date: Thu, 18 May 2017 21:13:25 -0400
Specifying the policy with a "null" state is not necessary unless you add a preprocessor. Policy needs to be # if not needed to stop the Error. Policies can be pre-defined by the user or from a known "list".

Very Respectfully,
Nicholas E. Vigneur
210-862-8678
A+(CE), SEC+(CE), CASP, CEH, CISSP
nvigneur () gmail com
On May 18, 2017, at 4:20 PM, snort-users-request () lists sourceforge net wrote:

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

   1. what is snort policy? ( ???? )
   2. How to get the previous black_list.rules (Asad, Hafiz ul)
   3. Re: How to get the previous black_list.rules (Joel Esler (jesler))
   4. Help! Newbie Needs Help (Dionne Queen)
   5. Re: Help! Newbie Needs Help (wkitty42 () windstream net)
   6. (no subject) (?moon sun? ?)

----------------------------------------------------------------------

Message: 1
Date: Tue, 16 May 2017 11:11:33 +0800
From: " ???? " <85358830 () qq com>
Subject: [Snort-users] what is snort policy?
To: " Snort-users " <snort-users () lists sourceforge net>
Message-ID: <tencent_6BC60F73387DBA540ED6326B () qq com>
Content-Type: text/plain; charset="gb18030"

Hello everyone.
I tried to read the snort source code, I'm reading the snort/src/dynamic_preprocessor/reputation/spp_reputation.c
I can't understand the meaning of policy in the source code.
In the init function ReputationInit (line 447):

    static void ReputationInit(struct _SnortConfig *sc, char *argp)
    {
        tSfPolicyId policy_id = _dpd.getParserPolicy(sc);
    ?????What is tSfPolicyId? Why should we use it?
        ReputationConfig *pDefaultPolicyConfig = NULL;
    ?????what is the policy?
        ReputationConfig *pPolicyConfig = NULL;
    ?????what is the policy?

        if (reputation_config == NULL)
        {
            /*create a context*/
            reputation_config = sfPolicyConfigCreate();
            if (reputation_config == NULL)
            {
                DynamicPreprocessorFatalMessage("Failed to allocate memory "
                                                "for Reputation config.\n");
            }

            _dpd.addPreprocConfCheck(sc, ReputationCheckConfig);
            _dpd.registerPreprocStats(REPUTATION_NAME, ReputationPrintStats);
            _dpd.addPreprocExit(ReputationCleanExit, NULL, PRIORITY_LAST, PP_REPUTATION);

    #ifdef PERF_PROFILING
            _dpd.addPreprocProfileFunc("reputation", (void *)&reputationPerfStats, 0, _dpd.totalPerfStats, NULL);
    #endif
        }

        sfPolicyUserPolicySet (reputation_config, policy_id);
    ?????what is the policy?
        pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config);
    ?????what is the policy?
        pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_config);
    ?????what is the policy?

        if ((policy_id != 0) && (pDefaultPolicyConfig == NULL))
        {
            DynamicPreprocessorFatalMessage("%s(%d) => Reputation configuration may only"
                                            " be enabled in default configuration\n",
                                            *_dpd.config_file, *_dpd.config_line);
        }

        if (pPolicyConfig != NULL)
        {
            DynamicPreprocessorFatalMessage("%s(%d) => Reputation preprocessor can only be "
                                            "configured once.\n",
                                            *_dpd.config_file, *_dpd.config_line);
        }

        pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig));
        if (!pPolicyConfig)
        {
            DynamicPreprocessorFatalMessage("Could not allocate memory for "
                                            "Reputation preprocessor configuration.\n");
        }

        sfPolicyUserDataSetCurrent(reputation_config, pPolicyConfig);

        ParseReputationArgs(pPolicyConfig, (u_char *)argp);

        if ((0 == pPolicyConfig->numEntries)&&(!pPolicyConfig->sharedMem.path))
    ?????what is the policy?
        {
            return;
        }

        if (policy_id != 0)
            pPolicyConfig->memcap = pDefaultPolicyConfig->memcap;
    ?????what is the policy?

        if (!pPolicyConfig->sharedMem.path && pPolicyConfig->localSegment)
            IPtables = &pPolicyConfig->localSegment;

    #ifdef SHARED_REP
        if (pPolicyConfig->sharedMem.path && (!_dpd.isTestMode()))
    ?????what is the policy?
            _dpd.addPostConfigFunc(sc, initShareMemory, pPolicyConfig);
    #endif
    }

There are a lot of policy, but I can't understand what they mean.
Who can explain their meaning?
Thanks in advance.

minggang

------------------------------

Message: 2
Date: Wed, 17 May 2017 11:54:09 +0000
From: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Subject: [Snort-users] How to get the previous black_list.rules
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <HE1PR0302MB265213DF0752CC584311D78F90E70 () HE1PR0302MB2652 eurprd03 prod outlook com>
Content-Type: text/plain; charset="iso-8859-1"

Snort Users,

The "black_list.rules" is updated every day by the pulledpork. I am interested to monitor its evaluation and for that reason I need these rules, let's say, for the last one week. I can start saving them now, but I wonder, is there a way or place where all previous "black_list.rules" are stored and I can instantly access it for the last one week?

Asad

------------------------------

Message: 3
Date: Wed, 17 May 2017 13:09:38 +0000
From: "Joel Esler (jesler)" <jesler () cisco com>
Subject: Re: [Snort-users] How to get the previous black_list.rules
To: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <836359F1-89E6-4607-90E5-FC5CE8946FE6 () cisco com>
Content-Type: text/plain; charset="utf-8"

There is not. This list is updated every 15 minutes, and we don't keep around old copies.

--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>

On May 17, 2017, at 7:54 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk<mailto:Hafiz-ul.Asad () city ac uk>> wrote:

> Snort Users,
>
> The "black_list.rules" is updated every day by the pulledpork. I am interested to monitor its evaluation and for that reason I need these rules, let's say, for the last one week. I can start saving them now, but I wonder, is there a way or place where all previous "black_list.rules" are stored and I can instantly access it for the last one week?
>
> Asad
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org<http://Slashdot.org>! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------

Message: 4
Date: Thu, 18 May 2017 03:09:32 +0000 (UTC)
From: Dionne Queen <ddd1236 () yahoo com>
Subject: [Snort-users] Help! Newbie Needs Help
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <1376333049.334726.1495076972805 () mail yahoo com>
Content-Type: text/plain; charset="utf-8"

I installed Snort and used the following to create alert:

c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf - A console

However, I keep getting the above Error message displaying no such file or directory - log/snort.log.1495074784

This is what is on my C: Drive -

I am using the following alert:

alert icmp any any -> any any (msg: "icmp testing rule"; sid: 1000001;)

Snort won't allow any alerts due to the Error Message. Please Help. I am a "newbie". Thanks.

Dionne
ddd1235 () yahoo com

------------------------------

Message: 5
Date: Thu, 18 May 2017 02:34:35 -0400
From: wkitty42 () windstream net
Subject: Re: [Snort-users] Help! Newbie Needs Help
To: snort-users () lists sourceforge net
Message-ID: <1853816d-b3af-f39a-8372-737791764aea () windstream net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 05/17/2017 11:09 PM, Dionne Queen wrote:
> I installed Snort and used the following to create alert:
> c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf - A console
> However, I keep getting the above Error message displaying no such file or directory - log/snort.log.1495074784
> This is what is on my C: Drive -

hunh?? above error??? there's not even one below...

> I am using the following alert:
> alert icmp any any -> any any (msg: "icmp testing rule"; sid: 1000001;)
> Snort won't allow any alerts due to the Error Message. Please Help. I am a "newbie".

but i believe you might be better served by using a more rounded testing suite of rules instead of shoving everything into the ICMP protocol...

--
NOTE: No off-list assistance is given without prior approval.
      *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------

Message: 6
Date: Thu, 18 May 2017 20:17:51 +0000 (UTC)
From: ?moon sun? ? <msun489 () yahoo com>
Subject: [Snort-users] (no subject)
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <180624959.1549981.1495138671909 () mail yahoo com>
Content-Type: text/plain; charset=UTF-8

Hello,

I'm trying to use a linux shell script to perform multiple snort commands, i put them in a vi editor and save it and then make this file executable:

$ cd ~/snort5_src
$ cd snort-2.9.9.0
$ snort -dev -n 20 -l /home/hduser/log7 -b -c /etc/snort5/snort.conf
$ chmod a+rwx /home/hduser/log7/snort.log.*
$ tcpdump -n -tttt -r /home/hduser/log7/snort.log.* > /home/hduser/log7/bigfile2.txt

when i execute this file in terminal it gives me this message:

./snort-command: line 1: $: command not found
./snort-command: line 2: $: command not found
./snort-command: line 3: $: command not found
./snort-command: line 4: $: command not found
./snort-command: line 5: $: command not found

Is this the right way to use snort commands in a shell script? or is there something else to do in snort?

------------------------------

End of Snort-users Digest, Vol 132, Issue 20
********************************************
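The errors in message 6 ("line 1: $: command not found", one per line) are what a shell prints when the terminal prompt was copied into the script file along with the commands: each line then begins with a word "$", which the shell looks up as a command name. The script below is an added example, not code from the original post or from the Snort project. It contains the poster's five commands as a script body without prompts, plus a small check that reports any line still starting with "$ " so the problem is caught before the script is run. The paths (/home/hduser/log7, /etc/snort5/snort.conf) are taken from the post; the function names, the per-file tcpdump loop and the sample transcript written by write_sample_transcript are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the poster's or Snort's code): the pipeline from the post
# written as a runnable script, with a pre-flight check for pasted prompts.

LOGDIR=/home/hduser/log7          # log directory from the post
CONF=/etc/snort5/snort.conf       # snort.conf path from the post

# Print, with line numbers, every line that begins with a copied "$ " prompt.
# Exit status is grep's: 0 when such lines exist, 1 when the file is clean.
find_prompt_lines() {
    grep -n -E '^[[:space:]]*\$[[:space:]]+' "$1"
}

# Boolean wrapper for use in if/while.
has_prompt_lines() {
    find_prompt_lines "$1" >/dev/null 2>&1
}

# Remove the leading "$ " from each line, turning a copied terminal
# transcript into something the shell can execute.
strip_prompts() {
    sed 's/^[[:space:]]*\$[[:space:]]*//' "$1"
}

# Write the poster's transcript (constructed sample input, copied from the
# post with its prompts) to the given path.
write_sample_transcript() {
    cat > "$1" <<'EOF'
$ cd ~/snort5_src
$ cd snort-2.9.9.0
$ snort -dev -n 20 -l /home/hduser/log7 -b -c /etc/snort5/snort.conf
$ chmod a+rwx /home/hduser/log7/snort.log.*
$ tcpdump -n -tttt -r /home/hduser/log7/snort.log.* > /home/hduser/log7/bigfile2.txt
EOF
}

# The same commands as a script body: no prompts, stop on the first error,
# and one tcpdump run per capture file, because tcpdump -r reads a single
# file and the glob in the post expands to every snort.log.* present.
capture_and_dump() {
    set -eu
    mkdir -p "$LOGDIR"
    snort -dev -n 20 -l "$LOGDIR" -b -c "$CONF"
    : > "$LOGDIR/bigfile2.txt"
    for f in "$LOGDIR"/snort.log.*; do
        [ -f "$f" ] || continue
        chmod a+r "$f"      # post used a+rwx; read access is all tcpdump -r needs
        tcpdump -n -tttt -r "$f" >> "$LOGDIR/bigfile2.txt"
    done
}

# Usage:  ./snort-command check FILE   (report pasted prompts in FILE)
#         ./snort-command run          (run the capture and dump pipeline)
case "${1:-}" in
    check) if has_prompt_lines "$2"; then
               echo "pasted prompts found, remove the leading '\$ ':" >&2
               find_prompt_lines "$2" >&2
               exit 1
           fi ;;
    run)   capture_and_dump ;;
esac
```

Running the check against a file that still contains the copied prompts lists all five lines and exits non-zero; after strip_prompts the same file passes the check and can be executed as a normal script.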