Snort mailing list archives
Re: Snort-devel Digest, Vol 65, Issue 3
From: Parbat Bhatiya via Snort-devel <snort-devel () lists snort org>
Date: Fri, 11 Nov 2022 03:01:19 +0530
Hello, here are the attached screenshots:

[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Alerts.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Global-Settings.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Interface-Settings-WAN-Rules.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Interface-Settings-WAN-Categories.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-WAN-Interface-Settings.png]
[image: munabhaimbbs-munabhaimbbs-com-Services-Snort-Interfaces.png]

On Fri, Nov 11, 2022 at 1:11 AM <snort-devel-request () lists snort org> wrote:
Today's Topics:

   1. Re: Snort-devel Digest, Vol 65, Issue 1 (Adrian Mamolea (admamole))

----------------------------------------------------------------------

Message: 1
Date: Wed, 9 Nov 2022 18:39:07 +0000
From: "Adrian Mamolea (admamole)" <admamole () cisco com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 65, Issue 1

Hello Parbat,

What version of Snort is pfsense using?

Could you:
- describe what you are trying to do,
- provide a copy of the snort configuration including policy files
- provide a log extract for the issue.

Thanks,
Adrian

From: Snort-devel <snort-devel-bounces () lists snort org> On Behalf Of Parbat Bhatiya via Snort-devel
Sent: Monday, November 7, 2022 4:15 PM
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort-devel Digest, Vol 65, Issue 1

Hello, can anybody help me or guide me? I have pfSense installed with a public IP. If I transfer one VM to another VM, or from another network to a VM (an SSH copy or some similar activity), even my own IP gets blocked, with alerts like:

   T SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infec
   (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
   ET SCAN Potential SSH Scan
   misc activity
   misc unknown traffic
   detection of network scan
   ET POLICY RDP connection confirm

and more like these. Can anyone guide me, or is there something I can do so that normal behaviour is allowed and only critical or risky operations are blocked? Is that possible?

On Tue, Nov 8, 2022 at 12:22 AM <snort-devel-request () lists snort org> wrote:

Today's Topics:

   1. Snort 3 output to linux journal is buffered? (Neville, Andrew)

----------------------------------------------------------------------

Message: 1
Date: Mon, 7 Nov 2022 15:08:59 +0000
From: "Neville, Andrew" <Andrew.Neville () fujitsu co uk>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 output to linux journal is buffered?

Hi,

I'm looking for some help with a slightly odd behaviour we see when running Snort 3 as a systemd service.

When Snort 3 is started from a simple systemd service definition it does not immediately show its normal full startup information in the journal. I'm expecting approximately 300 lines ending with "Commencing packet processing" and then the list of interfaces it's monitoring, but I don't get all the lines, only around 230-ish. The only way to get the remaining output seems to be to make Snort write something else to the journal, like sending it a USR1 signal. And actually, in response to the USR1 signal, again we see only some of the USR1 runtime information written to the journal. We have to send the USR1 signal twice in order to make sure we immediately get all the output from the first signal.

When running Snort in the foreground, all the expected output is displayed on the terminal immediately. Similarly, starting Snort 3 at the command line but putting it into the background still allows all the startup and USR1 information to display fully.

The most recent test I've tried is with Snort 3 compiled on a basic CentOS 8 Stream VM, following the guide from snort.org, with a really vanilla configuration as far as I can tell (registered rules were loaded).

snort -V

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.43.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.9
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1k  FIPS 25 Mar 2021
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.42 2018-03-20
           Using ZLIB version 1.2.11
           Using Hyperscan version 5.3.0 2020-08-10
           Using LZMA version 5.2.4

As far as I know this behaviour is not a result of any journald configuration (I just have the default) and we have seen the same behaviour with Alma and Ubuntu too.

Does anyone have any pointers, please?

Thanks,
Andrew.

Andrew Neville
Defence & National Security
Fujitsu
Jays Close, Viables Industrial Estate, Basingstoke, Hampshire, RG22 4BY
Email: andrew.neville () fujitsu co uk

------------------------------

End of Snort-devel Digest, Vol 65, Issue 1
******************************************

------------------------------

End of Snort-devel Digest, Vol 65, Issue 3
******************************************
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
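The symptom Andrew describes in the quoted digest (roughly 230 of about 300 start-up lines reach the journal, the rest appears only after the process writes something else, and a USR1 dump has to be triggered twice to arrive completely) is what C stdio full buffering looks like when a program's stdout is a pipe rather than a terminal, which is the case under systemd with the default journal output. The following is an added example written for this archive page; it is not code from the thread or from Snort, and it only assumes that stdio buffering is the cause, which the thread itself does not confirm. The fake daemon, the 300/100 line counts, the "startup"/"stats" text and the 250 ms quiet timeout are all constructed for the demonstration. The parent plays the journal's end of the pipe and counts how many complete lines it can see after start-up and after each of two SIGUSR1 signals, once with the pipe default (`_IOFBF`) and once with line buffering (`_IOLBF`).

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define STARTUP_LINES 300   /* constructed: roughly what Andrew expects at start-up */
#define STATS_LINES   100   /* constructed stand-in for the USR1 runtime statistics dump */
#define QUIET_MS      250   /* constructed: how long the reader waits for more output */

static void on_usr1(int sig) { (void)sig; }   /* handler exists so SIGUSR1 does not kill the child */

/* Child side: play the daemon. Write the start-up banner, then sleep until
   SIGUSR1, dump "statistics", and sleep again, like a service that only ever
   writes at start-up or on request. `mode` is _IOFBF or _IOLBF. */
static void fake_daemon(int fd, int mode) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_usr1;
    sigaction(SIGUSR1, &sa, NULL);

    sigset_t block, wait_mask;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    sigprocmask(SIG_BLOCK, &block, NULL);   /* keep SIGUSR1 pending until sigsuspend */
    sigemptyset(&wait_mask);

    FILE *out = fdopen(fd, "w");
    /* _IOFBF is what stdio picks on its own when fd is a pipe (the journal's end of
       StandardOutput=journal); _IOLBF is the fix a program can apply to itself. */
    setvbuf(out, NULL, mode, 0);

    for (int i = 1; i <= STARTUP_LINES; i++)
        fprintf(out, "startup line %3d: initialising subsystem %d\n", i, i);
    for (;;) {
        sigsuspend(&wait_mask);              /* idle: nothing flushes a partly filled buffer */
        for (int i = 1; i <= STATS_LINES; i++)
            fprintf(out, "stats line %3d: packets received %d\n", i, i);
    }
}

/* Count complete lines arriving on fd until it has been quiet for QUIET_MS. */
static int drain(int fd) {
    struct pollfd pfd = { fd, POLLIN, 0 };
    char buf[4096];
    int lines = 0;
    while (poll(&pfd, 1, QUIET_MS) > 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;
        for (ssize_t i = 0; i < n; i++)
            lines += (buf[i] == '\n');
    }
    return lines;
}

/* Parent side: play journald. out[0] = lines seen after start-up, out[1] = after
   the first SIGUSR1, out[2] = after the second. Returns 0 on success. */
int observe(int mode, int out[3]) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    fflush(stdout);                          /* don't let the child inherit unflushed output */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(fds[0]); fake_daemon(fds[1], mode); }
    close(fds[1]);
    out[0] = drain(fds[0]);
    for (int k = 1; k < 3; k++) {
        kill(pid, SIGUSR1);
        out[k] = drain(fds[0]);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(fds[0]);
    return 0;
}

/* Single-value helpers: lines visible in one phase, and over all three phases. */
int lines_in_phase(int mode, int phase) {
    int out[3];
    return observe(mode, out) == 0 ? out[phase] : -1;
}
int total_lines(int mode) {
    int out[3];
    return observe(mode, out) == 0 ? out[0] + out[1] + out[2] : -1;
}

int main(void) {
    int full[3], line[3];
    observe(_IOFBF, full);
    observe(_IOLBF, line);
    printf("fully buffered (pipe default):   %d of %d start-up lines, then %d and %d after USR1\n",
           full[0], STARTUP_LINES, full[1], full[2]);
    printf("line buffered  (setvbuf _IOLBF): %d of %d start-up lines, then %d and %d after USR1\n",
           line[0], STARTUP_LINES, line[1], line[2]);
    return 0;
}
```

With full buffering, the reader sees only the whole multiples of the stdio buffer size (typically the pipe's 4096-byte block size on glibc), so the tail of the start-up banner sits in the process until later output pushes the buffer over the edge; the first USR1 dump then releases that tail but strands the end of its own output, which is why a second USR1 is needed to see the first one completely. With line buffering every line is delivered as soon as it is written. For an operator who needs the start-up banner and the USR1 statistics complete in the journal while investigating, the generic remedies are for the program to select line buffering or flush explicitly when stdout is not a TTY, or to prefix the unit's command with coreutils `stdbuf -oL`, which only helps programs that use stdio buffering without configuring it themselves; whether either applies to Snort 3 is exactly what Andrew's question leaves open.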
Current thread:
- Re: Snort-devel Digest, Vol 65, Issue 3 Parbat Bhatiya via Snort-devel (Nov 14)