Snort mailing list archives

Re: Snort-users Digest, Vol 132, Issue 20


From: Nicholas Vigneur <nvigneur () gmail com>
Date: Thu, 18 May 2017 21:13:25 -0400

Specifying the policy with a "null" state is not necessary unless you add a preprocessor. Policy needs to be # if not needed, to stop the Error. Policies can be pre-defined by the user or from a known "list".

Very Respectfully,

Nicholas E. Vigneur
210-862-8678
A+(CE), SEC+(CE), CASP, CEH, CISSP
nvigneur () gmail com



On May 18, 2017, at 4:20 PM, snort-users-request () lists sourceforge net wrote:

Send Snort-users mailing list submissions to
   snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
   https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
   snort-users-request () lists sourceforge net

You can reach the person managing the list at
   snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

  1. what is snort policy? ( ???? )
  2. How to get the previous black_list.rules (Asad, Hafiz ul)
  3. Re: How to get the previous black_list.rules (Joel Esler (jesler))
  4. Help! Newbie Needs Help (Dionne Queen)
  5. Re: Help! Newbie Needs Help (wkitty42 () windstream net)
  6. (no subject) (?moon sun? ?)


----------------------------------------------------------------------

Message: 1
Date: Tue, 16 May 2017 11:11:33 +0800
From: " ???? " <85358830 () qq com>
Subject: [Snort-users] what is snort policy?
To: " Snort-users " <snort-users () lists sourceforge net>
Message-ID: <tencent_6BC60F73387DBA540ED6326B () qq com>
Content-Type: text/plain;    charset="gb18030"

Hello everyone.
I tried to read the snort source code. I'm reading snort/src/dynamic_preprocessor/reputation/spp_reputation.c and I can't understand the meaning of "policy" in the source code.
In the init function ReputationInit (line 447):


static void ReputationInit(struct _SnortConfig *sc, char *argp)
{
    tSfPolicyId policy_id = _dpd.getParserPolicy(sc);   /* ????? What is tSfPolicyId? Why should we use it? */
    ReputationConfig *pDefaultPolicyConfig = NULL;      /* ????? what is the policy? */
    ReputationConfig *pPolicyConfig = NULL;             /* ????? what is the policy? */

    if (reputation_config == NULL)
    {
        /*create a context*/
        reputation_config = sfPolicyConfigCreate();
        if (reputation_config == NULL)
        {
            DynamicPreprocessorFatalMessage("Failed to allocate memory "
                    "for Reputation config.\n");
        }

        _dpd.addPreprocConfCheck(sc, ReputationCheckConfig);
        _dpd.registerPreprocStats(REPUTATION_NAME, ReputationPrintStats);
        _dpd.addPreprocExit(ReputationCleanExit, NULL, PRIORITY_LAST, PP_REPUTATION);

#ifdef PERF_PROFILING
        _dpd.addPreprocProfileFunc("reputation", (void *)&reputationPerfStats, 0, _dpd.totalPerfStats, NULL);
#endif
    }

    sfPolicyUserPolicySet (reputation_config, policy_id);                                     /* ????? what is the policy? */
    pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config); /* ????? what is the policy? */
    pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_config);        /* ????? what is the policy? */

    if ((policy_id != 0) && (pDefaultPolicyConfig == NULL))
    {
        DynamicPreprocessorFatalMessage("%s(%d) => Reputation configuration may only"
                " be enabled in default configuration\n",
                *_dpd.config_file, *_dpd.config_line);
    }

    if (pPolicyConfig != NULL)
    {
        DynamicPreprocessorFatalMessage("%s(%d) => Reputation preprocessor can only be "
                "configured once.\n",  *_dpd.config_file, *_dpd.config_line);
    }

    pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig));
    if (!pPolicyConfig)
    {
        DynamicPreprocessorFatalMessage("Could not allocate memory for "
                "Reputation preprocessor configuration.\n");
    }

    sfPolicyUserDataSetCurrent(reputation_config, pPolicyConfig);

    ParseReputationArgs(pPolicyConfig, (u_char *)argp);

    if ((0 == pPolicyConfig->numEntries)&&(!pPolicyConfig->sharedMem.path))   /* ????? what is the policy? */
    {
        return;
    }

    if (policy_id != 0)
        pPolicyConfig->memcap = pDefaultPolicyConfig->memcap;                  /* ????? what is the policy? */

    if (!pPolicyConfig->sharedMem.path && pPolicyConfig->localSegment)
        IPtables = &pPolicyConfig->localSegment;

#ifdef SHARED_REP
    if (pPolicyConfig->sharedMem.path && (!_dpd.isTestMode()))                /* ????? what is the policy? */
        _dpd.addPostConfigFunc(sc, initShareMemory, pPolicyConfig);
#endif
}



There are a lot of "policies", but I can't understand what they mean.


Who can explain their meaning?


Thanks in advance.






minggang

------------------------------

Message: 2
Date: Wed, 17 May 2017 11:54:09 +0000
From: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Subject: [Snort-users] How to get the previous black_list.rules
To: "snort-users () lists sourceforge net"
   <snort-users () lists sourceforge net>
Message-ID:
   <HE1PR0302MB265213DF0752CC584311D78F90E70 () HE1PR0302MB2652 eurprd03 prod outlook com>
   
Content-Type: text/plain; charset="iso-8859-1"

Snort Users,


The "black_list.rules" is updated every day by pulledpork. I am interested in monitoring its evaluation, and for
that reason I need these rules, let's say, for the last one week. I can start saving them now, but I wonder: is there a
way or place where all previous "black_list.rules" are stored, so that I can instantly access them for the last one week?


Asad




------------------------------

Message: 3
Date: Wed, 17 May 2017 13:09:38 +0000
From: "Joel Esler (jesler)" <jesler () cisco com>
Subject: Re: [Snort-users] How to get the previous black_list.rules
To: "Asad, Hafiz ul" <Hafiz-ul.Asad () city ac uk>
Cc: "snort-users () lists sourceforge net"
   <snort-users () lists sourceforge net>
Message-ID: <836359F1-89E6-4607-90E5-FC5CE8946FE6 () cisco com>
Content-Type: text/plain; charset="utf-8"

There is not.  This list is updated every 15 minutes, and we don't keep around old copies.

--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On May 17, 2017, at 7:54 AM, Asad, Hafiz ul <Hafiz-ul.Asad () city ac uk<mailto:Hafiz-ul.Asad () city ac uk>> wrote:

Snort Users,


The "black_list.rules" is updated every day by pulledpork. I am interested in monitoring its evaluation, and for
that reason I need these rules, let's say, for the last one week. I can start saving them now, but I wonder: is there a
way or place where all previous "black_list.rules" are stored, so that I can instantly access them for the last one week?


Asad


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org<http://Slashdot.org>! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------

Message: 4
Date: Thu, 18 May 2017 03:09:32 +0000 (UTC)
From: Dionne Queen <ddd1236 () yahoo com>
Subject: [Snort-users] Help! Newbie Needs Help
To: "snort-users () lists sourceforge net"
   <snort-users () lists sourceforge net>
Message-ID: <1376333049.334726.1495076972805 () mail yahoo com>
Content-Type: text/plain; charset="utf-8"

I installed Snort and used the following to create alert:
c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf - A console

However, I keep getting the above Error message displaying no such file or directory - log/snort.log.1495074784
This is what is on my C: Drive -


I am using the following alert:
alert icmp any any -> any any (msg: "icmp testing rule"; sid: 1000001;)
Snort won't allow any alerts due to the Error Message. Please Help.
I am a "newbie".

Thanks.
Dionne
ddd1235 () yahoo com



------------------------------

Message: 5
Date: Thu, 18 May 2017 02:34:35 -0400
From: wkitty42 () windstream net
Subject: Re: [Snort-users] Help! Newbie Needs Help
To: snort-users () lists sourceforge net
Message-ID: <1853816d-b3af-f39a-8372-737791764aea () windstream net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 05/17/2017 11:09 PM, Dionne Queen wrote:
I installed Snort and used the following to create alert:
c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf - A console

However, I keep getting the above Error message displaying no such file or directory - log/snort.log.1495074784
This is what is on my C: Drive -

hunh?? above error??? there's not even one below...

I am using the following alert:
alert icmp any any -> any any (msg: "icmp testing rule"; sid: 1000001;)
Snort won't allow any alerts due to the Error Message. Please Help.
I am a "newbie".

but i believe you might be better served by using a more rounded testing suite of 
rules instead of shoving everything into the ICMP protocol...

-- 
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list* unless
       private contact is specifically requested and granted.



------------------------------

Message: 6
Date: Thu, 18 May 2017 20:17:51 +0000 (UTC)
From: ?moon sun? ? <msun489 () yahoo com>
Subject: [Snort-users] (no subject)
To: "snort-users () lists sourceforge net"
   <snort-users () lists sourceforge net>
Message-ID: <180624959.1549981.1495138671909 () mail yahoo com>
Content-Type: text/plain; charset=UTF-8

Hello,
I'm trying to use a Linux shell script to perform multiple snort commands. I put them in a vi editor, save it, and 
then make this file executable:


$ cd ~/snort5_src
$ cd snort-2.9.9.0
$ snort -dev -n 20 -l /home/hduser/log7 -b -c /etc/snort5/snort.conf
$ chmod a+rwx /home/hduser/log7/snort.log.*
$ tcpdump -n -tttt -r /home/hduser/log7/snort.log.* > /home/hduser/log7/bigfile2.txt
When I execute this file in the terminal it gives me this message:
./snort-command: line 1: $: command not found
./snort-command: line 2: $: command not found
./snort-command: line 3: $: command not found
./snort-command: line 4: $: command not found
./snort-command: line 5: $: command not found

Is this the right way to use snort commands in a shell script? Or is there something else to do in snort?


------------------------------


------------------------------



End of Snort-users Digest, Vol 132, Issue 20
********************************************

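Message 2 above asks where past copies of black_list.rules can be found, and Message 3 answers that no old copies are kept upstream. What follows is an added example, not code from the thread, from pulledpork or from Snort: a POSIX shell snippet that keeps a local, timestamped history of the file (a new snapshot only when the content changed, so a cron entry run after pulledpork gives a week of versions without duplicates) and lists which entries were added or removed between two snapshots. The archive layout, the function names and the sample entries are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep your own history of
# black_list.rules because old copies are not kept upstream.
# Paths are arguments; nothing here talks to pulledpork or Snort.

# archive_rules RULES_FILE ARCHIVE_DIR [STAMP]
# Copies RULES_FILE into ARCHIVE_DIR as black_list.rules.STAMP and prints
# that path, unless the newest snapshot already has identical content
# (then nothing is written or printed). STAMP defaults to the current
# UTC time; it is a parameter so a caller can pin the name.
archive_rules() {
    rules=$1
    dir=$2
    stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    mkdir -p "$dir"
    # Timestamps sort lexically, so the last name is the newest snapshot.
    latest=$(ls "$dir"/black_list.rules.* 2>/dev/null | sort | tail -n 1)
    if [ -n "$latest" ] && cmp -s "$rules" "$latest"; then
        return 0
    fi
    cp "$rules" "$dir/black_list.rules.$stamp"
    printf '%s\n' "$dir/black_list.rules.$stamp"
}

# diff_snapshots ARCHIVE_DIR OLD_STAMP NEW_STAMP
# Prints entries present only in the newer snapshot prefixed "+ " and
# entries present only in the older one prefixed "- ". Comment and blank
# lines are dropped first so only real list changes show up.
diff_snapshots() {
    dir=$1
    old="$dir/black_list.rules.$2"
    new="$dir/black_list.rules.$3"
    grep -v '^#' "$old" | grep -v '^$' | sort > "$dir/.old.$$"
    grep -v '^#' "$new" | grep -v '^$' | sort > "$dir/.new.$$"
    comm -13 "$dir/.old.$$" "$dir/.new.$$" | sed 's/^/+ /'
    comm -23 "$dir/.old.$$" "$dir/.new.$$" | sed 's/^/- /'
    rm -f "$dir/.old.$$" "$dir/.new.$$"
}

# count_snapshots ARCHIVE_DIR
# Number of versions currently kept.
count_snapshots() {
    ls "$1"/black_list.rules.* 2>/dev/null | wc -l | tr -d ' '
}

# Usage (assumed paths): run after each pulledpork update, e.g. from cron:
#   archive_rules /etc/snort/rules/black_list.rules /var/lib/snort/blacklist-history
# then compare two days with:
#   diff_snapshots /var/lib/snort/blacklist-history 20170516T000000Z 20170518T000000Z
```

The content comparison (cmp against the newest snapshot) matters because the upstream list is refreshed every 15 minutes while pulledpork typically runs once a day: a snapshot taken after every run would otherwise store many identical files. Pruning snapshots older than a week is left to the caller (for example a `find -mtime` job).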


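Message 6's script fails because the interactive prompt (`$ `) was pasted into the file together with each command, so the shell looks for a command literally named `$`. The following is an added example, not code from the thread: a POSIX shell helper that strips the prompt from a pasted transcript and writes a runnable script with a shebang and `set -eu`, so that a failing snort run stops the script before `chmod` and `tcpdump` act on a log that was never written. The TRANSCRIPT variable is constructed from the poster's lines (with `-n 20`), the function names are this example's own, and snort itself is not run here.

```shell
#!/bin/sh
# Added example (not from the thread): turn a pasted terminal transcript
# into a runnable script by dropping the "$ " prompt prefix.

# strip_prompts
# Reads lines on stdin and drops a leading "$" plus following spaces
# (the shell prompt copied from the terminal); other lines pass unchanged.
strip_prompts() {
    sed -e 's/^\$[[:space:]]*//'
}

# build_script OUT_PATH
# Writes a runnable script to OUT_PATH from the transcript on stdin.
# A shebang and 'set -eu' are prepended so the script aborts at the
# first failing command instead of running chmod/tcpdump on a missing log.
build_script() {
    out=$1
    {
        printf '%s\n' '#!/bin/sh' 'set -eu'
        strip_prompts
    } > "$out"
    chmod u+x "$out"
}

# first_command SCRIPT
# The first command line of a generated script (line 3, after the two
# header lines), used to confirm the prompt was removed.
first_command() {
    sed -n '3p' "$1"
}

# count_prompt_lines SCRIPT
# How many lines still begin with "$" after conversion; 0 when clean.
count_prompt_lines() {
    grep -c '^\$' "$1" || true
}

# Constructed transcript in the same shape as the poster's file.
TRANSCRIPT='$ cd ~/snort5_src
$ cd snort-2.9.9.0
$ snort -dev -n 20 -l /home/hduser/log7 -b -c /etc/snort5/snort.conf
$ chmod a+rwx /home/hduser/log7/snort.log.*
$ tcpdump -n -tttt -r /home/hduser/log7/snort.log.* > /home/hduser/log7/bigfile2.txt'

# Usage: printf '%s\n' "$TRANSCRIPT" | build_script ./snort-command
#        ./snort-command
```

Two further things a practitioner would change in the generated script before relying on it: `cd` into a fixed directory is unnecessary when every path is absolute, and `a+rwx` on the capture files is broader than needed for a `tcpdump -r` read (read permission for the reading user is enough).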