Snort mailing list archives
Re: Snort-users Digest, Vol 4, Issue 18
From: Pharel's foussom via Snort-users <snort-users () lists snort org>
Date: Wed, 20 Sep 2017 08:20:07 +0100
Hi, I cannot create an account on Snort and receive my usernames normally, nor a good confirmation code. Please help me.

2017-09-20 5:36 GMT+01:00 <snort-users-request () lists snort org>:

Send Snort-users mailing list submissions to snort-users () lists snort org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.snort.org/mailman/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists snort org
You can reach the person managing the list at snort-users-owner () lists snort org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:
1. BASE is showing "Snort Alert" and sid instead of the message field. (William Pearson)
2. Re: BASE is showing "Snort Alert" and sid instead of the message field. (Al Lewis (allewi))
3. Re: Snort is using a lot of memory (Joel Esler (jesler))
4. Snort alerts and extra information (Kanan Alkanan)

----------------------------------------------------------------------

Message: 1
Date: Tue, 19 Sep 2017 10:43:10 -0600
From: William Pearson <william () cnsp net>
To: Snort-users () lists snort org
Subject: [Snort-users] BASE is showing "Snort Alert" and sid instead of the message field.
Message-ID: <CAJEJux2_Fo+4sgeX9GK9PsSJh8dp3XFRRnagK1w3nE9-JqzsXg () mail gmail com>
Content-Type: text/plain; charset="utf-8"

[snort <http://www.snort.org/search/sid/120-3>] Snort Alert [120:3:1]

Any help in having it show the message field instead would be helpful. Not sure why it's doing that.

Will

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170919/363cc590/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 19 Sep 2017 16:50:23 +0000
From: "Al Lewis (allewi)" <allewi () cisco com>
To: William Pearson <william () cnsp net>, "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] BASE is showing "Snort Alert" and sid instead of the message field.
Message-ID: <DB14773E-D6A4-4DC3-8C63-1CEA3855BFFD () cisco com>
Content-Type: text/plain; charset="utf-8"

It's a preprocessor rule:

ALLEWI-M-8257:~ allewi$ less /var/tmp/snort-2.9.9.0-released/preproc_rules/preprocessor.rules | grep 120 | grep "sid: 3"
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
ALLEWI-M-8257:~ allewi$

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of William Pearson <william () cnsp net>
Date: Tuesday, September 19, 2017 at 12:43 PM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] BASE is showing "Snort Alert" and sid instead of the message field.

[snort <http://www.snort.org/search/sid/120-3>] Snort Alert [120:3:1]

Any help in having it show the message field instead would be helpful. Not sure why it's doing that.

Will

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170919/1ea1335d/attachment-0001.html>

------------------------------

Message: 3
Date: Tue, 19 Sep 2017 16:55:46 +0000
From: "Joel Esler (jesler)" <jesler () cisco com>
To: Anna <Anna () sonru com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Snort is using a lot of memory
Message-ID: <9E19E9C2-23A8-4FAD-807C-BECAA21B95D0 () cisco com>
Content-Type: text/plain; charset="utf-8"

Are you sure that you are referring to the correct snort.conf? We need more information.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Sep 19, 2017, at 9:25 AM, Anna <Anna () sonru com> wrote:

Hi,

Snort: 2.9.9.0
OS: Centos 7

Recently Snort started to use a lot of memory, and it is constantly at 29-30% usage; it did not happen before (even when Snort was using more memory at the beginning, it went down after an hour or two). The only change to the server was a Centos upgrade. I put the memcap in the snort.conf -> stream5: global and restarted Snort, but the memory usage did not go down. It is as if Snort is ignoring the config.

Any help with this?

<Screen Shot 2017-09-19 at 14.15.49.png>

Thank you
Anna

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170919/7bc99100/attachment-0001.html>

------------------------------

Message: 4
Date: Wed, 20 Sep 2017 04:36:00 +0000
From: Kanan Alkanan <kanan_SD () hotmail com>
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort alerts and extra information
Message-ID: <CY4PR01MB3301B66E22BC1E2ABA881580EC610 () CY4PR01MB3301 prod.exchangelabs.com>
Content-Type: text/plain; charset="iso-8859-1"

I am using Snort to detect some bad traffic in our system; however, I need to add more information to the logged alerts, such as which tenant the attacker's IP address belongs to, the network ID?

Assuming I have multiple tenants; however, all private IPs are duplicated across tenants, so it is not possible to tell which node caused the attack, so I am thinking of including the tenant ID and network ID, which are unique to each tenant, and then attaching the private IP of the attacker to the proper tenant. Current Snort alerts will not provide this information; any help will be appreciated!

Can I modify snort.conf for this?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170920/3f87d083/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
https://lists.snort.org/mailman/listinfo/snort-users

------------------------------

End of Snort-users Digest, Vol 4, Issue 18
******************************************
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
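The reply in Message 2 of the quoted digest shows that the "Snort Alert [120:3:1]" seen in BASE is gid 120, sid 3, rev 1, and that its rule text lives in preproc_rules/preprocessor.rules rather than in the ordinary text rules. As an added example (not code from this thread or from the Snort project), the following Python parses rule lines in the format shown in that reply, plus ordinary text rules that carry no gid (treated as gid 1, as Snort does), into a (gid, sid) -> msg table and resolves an alert id string to its msg. The embedded rule lines are constructed for the example; only the 120:3 line is taken from the thread. Function names and the sample file contents are this example's own assumptions.

```python
"""Resolve a Snort alert id such as [120:3:1] to the rule's msg text.

Added example, not code from the Snort project or the mailing-list thread.
Handles preprocessor-rule lines of the form shown in the thread:
    alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; ... )
and ordinary text rules, where a missing gid means gid 1.
"""
import re

# Constructed sample rules (same layout as the thread's grep output).
# Only the 120:3 line comes from the thread; the others are made up.
SAMPLE_RULES = """\
# preprocessor rules, constructed for this example
alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
alert tcp any any -> any 80 (msg:"EXAMPLE web rule"; sid:1000001; rev:2;)
"""

# One rule option: name, optional spaces, ':', then either a quoted string
# (quotes may contain escaped characters) or bare text up to the next ';'.
_OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
# Alert id as printed by Snort front ends: [gid:sid:rev]
_ALERT_ID_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')


def parse_rule_options(line):
    """Return {option name: value} for the parenthesised part of one rule line."""
    start = line.find('(')
    end = line.rfind(')')
    if start == -1 or end == -1 or end < start:
        return {}
    opts = {}
    for name, value in _OPT_RE.findall(line[start + 1:end]):
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        opts.setdefault(name, value)  # keep the first occurrence of a repeated option
    return opts


def build_sid_map(rules_text):
    """Map (gid, sid) -> msg for every rule line that has both msg and sid."""
    sid_map = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        opts = parse_rule_options(line)
        if 'msg' not in opts or 'sid' not in opts:
            continue  # not a complete rule line
        gid = int(opts.get('gid', '1'))  # text rules omit gid; Snort uses gid 1 for them
        sid_map[(gid, int(opts['sid']))] = opts['msg']
    return sid_map


def parse_alert_id(text):
    """Return (gid, sid, rev) for the first [g:s:r] id in text, or None."""
    m = _ALERT_ID_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def resolve_alert(text, sid_map):
    """Return the msg for the alert id embedded in text, or None if unknown."""
    ids = parse_alert_id(text)
    if ids is None:
        return None
    gid, sid, _rev = ids  # rev is not part of the lookup key
    return sid_map.get((gid, sid))


if __name__ == "__main__":
    table = build_sid_map(SAMPLE_RULES)
    for event in ("Snort Alert [120:3:1]", "Snort Alert [1:1000001:2]", "Snort Alert [120:99:1]"):
        print(event, "->", resolve_alert(event, table))
```

To use it against a real installation, read preproc_rules/preprocessor.rules (and any text rule files) into the string passed to build_sid_map. Snort also ships a separate gen-msg.map listing preprocessor event ids and messages in a different, delimiter-separated layout; this parser is written for rule syntax only and does not read that file.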