Re: Snort-users Digest, Vol 4, Issue 18

[Pharel's foussom via Snort-users <snort-users () lists snort org>]

slt I can not create an account on snort and receive my usernames
normally nor a good confirmation code.
Please help me


2017-09-20 5:36 GMT+01:00 <snort-users-request () lists snort org>:

> Send Snort-users mailing list submissions to
>         snort-users () lists snort org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.snort.org/mailman/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request () lists snort org
>
> You can reach the person managing the list at
>         snort-users-owner () lists snort org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
>
> Today's Topics:
>
>    1. BASE is showing "Snort Alert" and sid instead of the message
>       field. (William Pearson)
>    2. Re: BASE is showing "Snort Alert" and sid instead of the
>       message field. (Al Lewis (allewi))
>    3. Re: Snort is using a lot of memory (Joel Esler (jesler))
>    4. Snort alerts and extra information (Kanan Alkanan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 19 Sep 2017 10:43:10 -0600
> From: William Pearson <william () cnsp net>
> To: Snort-users () lists snort org
> Subject: [Snort-users] BASE is showing "Snort Alert" and sid instead
>         of the message field.
> Message-ID:
>         <CAJEJux2_Fo+4sgeX9GK9PsSJh8dp3XFRRnagK1w3n
> E9-JqzsXg () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> [snort <http://www.snort.org/search/sid/120-3>] Snort Alert [120:3:1]
>
>
> Any help in having it show the message field instead would be helpful. Not
> sure why it's doing that.
>
> Will
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-users/
> attachments/20170919/363cc590/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 19 Sep 2017 16:50:23 +0000
> From: "Al Lewis (allewi)" <allewi () cisco com>
> To: William Pearson <william () cnsp net>, "Snort-users () lists snort org"
>         <Snort-users () lists snort org>
> Subject: Re: [Snort-users] BASE is showing "Snort Alert" and sid
>         instead of the message field.
> Message-ID: <DB14773E-D6A4-4DC3-8C63-1CEA3855BFFD () cisco com>
> Content-Type: text/plain; charset="utf-8"
>
> Its a preprocessor rule:
>
> ALLEWI-M-8257:~ allewi$ less /var/tmp/snort-2.9.9.0-
> released/preproc_rules/preprocessor.rules | grep 120 | grep "sid: 3"
> alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata:
> rule-type preproc ; classtype:unknown; )
> ALLEWI-M-8257:~ allewi$
>
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com<mailto:allewi () cisco com>
>
> From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-
> bounces () lists snort org>> on behalf of William Pearson <william () cnsp net
> <mailto:william () cnsp net>>
> Date: Tuesday, September 19, 2017 at 12:43 PM
> To: "Snort-users () lists snort org<mailto:Snort-users () lists snort org>" <
> Snort-users () lists snort org<mailto:Snort-users () lists snort org>>
> Subject: [Snort-users] BASE is showing "Snort Alert" and sid instead of
> the message field.
>
>
> [snort<http://www.snort.org/search/sid/120-3>] Snort Alert [120:3:1]
>
>
> Any help in having it show the message field instead would be helpful. Not
> sure why it's doing that.
>
> Will
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-users/
> attachments/20170919/1ea1335d/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 19 Sep 2017 16:55:46 +0000
> From: "Joel Esler (jesler)" <jesler () cisco com>
> To: Anna <Anna () sonru com>
> Cc: "snort-users () lists snort org" <snort-users () lists snort org>
> Subject: Re: [Snort-users] Snort is using a lot of memory
> Message-ID: <9E19E9C2-23A8-4FAD-807C-BECAA21B95D0 () cisco com>
> Content-Type: text/plain; charset="utf-8"
>
> Are you sure that you are referring to the correct snort.conf?
>
> We need more information.
>
> --
> Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>
>
>
>
>
>
>
> On Sep 19, 2017, at 9:25 AM, Anna <Anna () sonru com<mailto:Anna () sonru com>>
> wrote:
>
>
>
> Hi,
>
> Snort: 2.9.9.0
> OS: Centos 7
>
> Recently Snort started to use a lot of memory, and it is constantly on
> 29-30% of usage, it did not happen before (even when Snort was using more
> memory at the beginning - it went down after an hour or two), the only
> change to the server was a Centos upgrade
>
> I put the memcap in the snort.conf ?> stream5: global and restarted snort,
> but the memory usage did not go down. It is as Snort is ignoring the config
>
> Any help with this?
>
>
> <Screen Shot 2017-09-19 at 14.15.49.png>
>
> Thank you
>
> Anna
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org<mailto:Snort-users () lists snort org>
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-users/
> attachments/20170919/7bc99100/attachment-0001.html>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 20 Sep 2017 04:36:00 +0000
> From: Kanan Alkanan <kanan_SD () hotmail com>
> To: "snort-users () lists snort org" <snort-users () lists snort org>
> Subject: [Snort-users] Snort alerts and extra information
> Message-ID:
>         <CY4PR01MB3301B66E22BC1E2ABA881580EC610 () CY4PR01MB3301 prod.
> exchangelabs.com>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I am using snort to detect some bad traffic in our system, however, I need
> to add more information to the logged alerts such as to which tenant the
> attacker's ip address belongs, the network id? Assuming I have multiple
> tenant however all private ips are duplicated over tenants, so it is not
> possible to tell which node cause the attack, so I am thinking to include
> the tenant id, network id which are unique to each tenant and then attach
> the private ip of attacker to the proper tenant. Current snort alerts will
> not provide these information, any help will be appreciated!
>
>
> Can I modify snort.conf for this
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.snort.org/pipermail/snort-users/
> attachments/20170920/3f87d083/attachment.html>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-users
>
>
> ------------------------------
>
> End of Snort-users Digest, Vol 4, Issue 18
> ******************************************
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!