Snort mailing list archives

Snort-users digest, Vol 1 #794 - 9 msgs


From: snort-users () lists sourceforge net
Date: Tue, 10 Jul 2001 12:33:26 +0200

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. On the road... (Martin Roesch)
   2. Re: spp_arpspoof core - solaris 2.6 (after adding -lresolv to LIBS var) (Fyodor)
   3. Re: Re: Snort-users digest, Vol 1 #791 - 5 msgs (Fyodor)
   4. UNSUBSCRIBE... (ORA)
   5. More spp_arpspoof crashing on solaris 2.6 (Bill Marquette)
   6. Re: UNSUBSCRIBE... (Ramin Alidousti)
   7. Re: More spp_arpspoof crashing on solaris 2.6 (Fyodor)
   8. error message with snort (Darrin Powell)
   9. RE: error message with snort (Kevin Brown)

--__--__--

Message: 1
Date: Tue, 10 Jul 2001 11:48:26 -0400
From: Martin Roesch <roesch () sourcefire com>
To: snort-users <snort-users () lists sourceforge net>,
   snort-dev <snort-devel () lists sourceforge net>
Subject: [Snort-users] On the road...

I'll be out of town at BlackHat until Saturday, so if anyone has any
urgent problems, please use the lists to get help.  For those of you
going to BH/DC, I'll see you there!

     -Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org


--__--__--

Message: 2
Date: Tue, 10 Jul 2001 22:57:11 +0700
From: Fyodor <fygrave () tigerteam net>
To: Bill Marquette <wlmarque () hewitt com>
Cc: snort-users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] spp_arpspoof core - solaris 2.6 (after adding -lresolv to LIBS var)

On Tue, Jul 10, 2001 at 09:48:15AM -0500, Bill Marquette wrote:


From snort.conf...I shouldn't need any arguments to the arpspoof plugin unless
I'm misunderstanding the below.  FWIW, I don't believe I had an output plugin
defined either, but that shouldn't have caused this crash.


CVS up the sourcetree. :) I guess both issues (inet_aton() and empty
args from arpspoof) should be fixed by now.


--__--__--

Message: 3
Date: Tue, 10 Jul 2001 23:08:53 +0700
From: Fyodor <fygrave () tigerteam net>
To: ORA <LSMITH147 () nc rr com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Re: Snort-users digest, Vol 1 #791 - 5 msgs

On Tue, Jul 10, 2001 at 11:38:40AM -0400, ORA wrote:
ke stop wasting my time. your information is garbage you POOFPOOFPOOFPOOFare
a selfrighteous idiot and your messages are a joke!!!!FAKE ASS COMPUTER
PROGRAMER
FJKKLWWJKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
KKKKKKKKKKKKKKKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBB
jfkslaffffffffjwiiiiiiiiqoooooojjjjjjjjj'aaaaaaaieeeeeeeqooooodjjjjjjnvvvvvv
vjffsllllllkddddddddpwwwwwwwmwbbbbbbkdddddddwoooooooojffffffflssskbbbkkkkkkk
kkbkbkbkbbkbkbkbkbkbkbkbasssssssssssssssssssssaassssssssssssssssssssssssssss
ssdkdkDKDJFHDIEFLSLDKFJDKDLFJFJDKFLDNKFLD;D'DJJDLLKDKDKDKKBKBKBKBKBKBKBKBKBK
BKBKBKBKBKBKBKBKBKBKBKBKBKBKBKBKBKIBKIBKIKJOKEUR A

Hey mate, suffering from outrageous drugs abuse? Junkies are not welcome here..


--__--__--

Message: 4
From: "ORA" <LSMITH147 () nc rr com>
To: <snort-users () lists sourceforge net>
Date: Tue, 10 Jul 2001 12:49:46 -0400
Subject: [Snort-users] UNSUBSCRIBE...

please remove my email from your snort list. lsmith147 () nc rr com. I no
longer want to be a part of this chat.
I thank you for your immediate attention.

LSmith.




--__--__--

Message: 5
From: "Bill Marquette" <wlmarque () hewitt com>
To: snort-users () lists sourceforge net, snort-devel () lists sourceforge net
Date: Tue, 10 Jul 2001 12:45:21 -0500
Subject: [Snort-users] More spp_arpspoof crashing on solaris 2.6




I've seen this before on Solaris...mac addresses don't seem to be byte aligned
properly.  Attached is a diff that appears to fix the core I had (it's been
running for over 2 minutes now where it died in under 5 seconds previously).

--Bill

*** spp_arpspoof.c      Tue Jul 10 12:54:51 2001
--- spp_arpspoof.c.orig Tue Jul 10 12:54:02 2001
***************
*** 195,201 ****
      Event event;
      char logMessage[180];
      IPMacEntry *ipme;
!       u_int8_t addr[6];

      if(p && (p->eh !=3D NULL && p->ah !=3D NULL))
      {
--- 195,201 ----
      Event event;
      char logMessage[180];
      IPMacEntry *ipme;
!       u_int32_t *addr;

      if(p && (p->eh !=3D NULL && p->ah !=3D NULL))
      {
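Review bot: the replacement declaration on the `***` side (the edited spp_arpspoof.c), `u_int8_t addr[6];`, is sized for a 6-byte hardware address, but the field that gets copied into it and then passed to LookupIPMacEntryByIP() in the next hunk is arp_spa, the sender's 4-byte protocol address (the gdb dump below shows ar_pln = 4), and `*addr` on a u_int8_t array yields only its first octet. Declare an aligned 32-bit scalar instead, `u_int32_t addr;`, and fill it with a 4-byte copy; that keeps the lookup receiving the whole address while still avoiding the misaligned load that the original `u_int32_t *addr` produced.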
***************
*** 249,255 ****
                  break;
          }
                /* LookupIPMacEntryByIP() is too slow, will be fixed la=
ter */
!               bcopy((void *)&p->ah->arp_spa, (void *)addr, sizeof(u_i=
nt8_t) *
6);
          if ((ipme =3D LookupIPMacEntryByIP(ipmel, *addr)) =3D=3D NULL=
)
            {((ipme
                #ifdef DEBUG
--- 249,255 ----
                  break;
          }
                /* LookupIPMacEntryByIP() is too slow, will be fixed la=
ter */
!               addr =3D (u_int32_t *)&p->ah->arp_spa;
          if ((ipme =3D LookupIPMacEntryByIP(ipmel, *addr)) =3D=3D NULL=
)
            {((ipme
                #ifdef DEBUG
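Review bot: `bcopy(... sizeof(u_int8_t) * 6)` copies 6 bytes out of the 4-byte arp_spa field, so it reads two bytes of arp_tha as well, and the unchanged call `LookupIPMacEntryByIP(ipmel, *addr)` now dereferences a u_int8_t, passing only the first octet of the sender IP (10 instead of 10.20.15.254 for the packet in the dump below), so every lookup runs on a truncated key. With a `u_int32_t addr` local, copy exactly `sizeof(addr)` bytes, `bcopy((void *)&p->ah->arp_spa, (void *)&addr, sizeof(addr));`, and pass `addr` (not `*addr`) to the lookup. Copying into an aligned local is the right fix for the SIGBUS: the original `addr = (u_int32_t *)&p->ah->arp_spa;` points 30 bytes past a buffer that is only 2-byte aligned (pkt = 0xc379e, ah = 0xc37ac in the dump), and the 32-bit load through it traps on SPARC.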


------------------------
Core was generated by `/apps/snort/current/bin/snort -o -c
/apps/snort/current/etc/snort.conf -i le0'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/lib/libm.so.1...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
253             if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
(gdb) bt
#0  0x526e8 in ARPspoofPreprocFunction (p=0xeffff3c8) at spp_arpspoof.c:253
#1  0x2be18 in Preprocess (p=0xeffff3c8) at rules.c:3427
#2  0x1fee8 in ProcessPacket (user=0x0, pkthdr=0xbc800, pkt=0xc379e "\377\377\377\377\377\377") at snort.c:512
#3  0x52ba8 in pcap_read ()
#4  0x537a8 in pcap_loop ()
#5  0x214f4 in InterfaceThread (arg=0xbc838) at snort.c:1441
#6  0x1fd84 in main (argc=772152, argv=0xeffffac4) at snort.c:445
(gdb) p ipme
$1 = (IPMacEntry *) 0x82c00
(gdb) p ipmel
$2 = (IPMacEntryList *) 0xf2540
(gdb) p p
$3 = (Packet *) 0xeffff3c8
(gdb) p *p
$4 = {pkth = 0xeffff8b8, pkt = 0xc379e "\377\377\377\377\377\377", fddihdr = 0x0, fddisaps = 0x0, fddisna = 0x0,
  fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, trhmr = 0x0, sllh = 0x0, eh = 0xc379e, vh = 0x0,
  ehllc = 0x0, ehllcother = 0x0, ah = 0xc37ac, iph = 0x0, orig_iph = 0x0, ip_options_len = 0,
  ip_options_data = 0x0, tcph = 0x0, orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0,
  udph = 0x0, orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, data = 0x0, dsize = 0,
  frag_flag = 0 '\000', frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 0, dp = 0,
  orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, length = 0}, ssnptr = 0x0, ip_options = {{
      code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>}, ip_option_count = 0,
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, data = 0x0} <repeats 40 times>},
  tcp_option_count = 0, tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 0,
  wire_packet = 0 '\000'}
(gdb) p *p->ah
$5 = {ea_hdr = {ar_hrd = 1, ar_pro = 2048, ar_hln = 6 '\006', ar_pln = 4 '\004', ar_op = 1},
  arp_sha = "\000\000\242\313)\331", arp_spa = "\n\024\017\376", arp_tha = "\377\377\377\377\377\377", arp_tpa = "\n\024\013O"}




--__--__--

Message: 6
Date: Tue, 10 Jul 2001 14:50:17 -0400
From: Ramin Alidousti <ramin () cannon eng us uu net>
To: ORA <LSMITH147 () nc rr com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] UNSUBSCRIBE...

Mr LSmith,

If you take a good look at the email header, you'll see:

List-Unsubscribe: <http://lists.sourceforge.net/lists/listinfo/snort-users>,
        <mailto:snort-users-request () lists sourceforge net?subject=unsubscribe>

There you can unsubscribe yourself from the list, at least if you
still know your password.

Ramin

On Tue, Jul 10, 2001 at 12:49:46PM -0400, ORA wrote:

please remove my email from your snort list. lsmith147 () nc rr com. I no longer want to be a part of this
chat.
I thank you for your immediate attention.

LSmith.


--__--__--

Message: 7
Date: Wed, 11 Jul 2001 01:58:58 +0700
From: Fyodor <fygrave () tigerteam net>
To: Bill Marquette <wlmarque () hewitt com>
Cc: snort-users () lists sourceforge net, snort-devel () lists sourceforge net
Subject: Re: [Snort-users] More spp_arpspoof crashing on solaris 2.6

On Tue, Jul 10, 2001 at 12:45:21PM -0500, Bill Marquette wrote:



I've seen this before on Solaris...mac addresses don't seem to be byte aligned
properly.  Attached is a diff that appears to fix the core I had (it's been
running for over 2 minutes now where it died in under 5 seconds previously).



yup, type declaration and alignment problem. Committed the fix, thanks a lot :)
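
The alignment fault Bill and Fyodor are discussing, as an added C example that is not code from Snort or from either poster: it places a constructed ARP request (built from the addresses gdb printed in the core dump above) two bytes past a 4-byte aligned address, the same layout the Solaris core shows (pkt = 0xc379e), and then contrasts three ways of reading arp_spa: the original in-place u_int32_t cast, the six-byte u_int8_t copy from the posted patch, and a memcpy into an aligned 32-bit local. The offsets assume a 14-byte Ethernet header followed by a 28-byte Ethernet/IPv4 ARP header (ar_hln = 6, ar_pln = 4); the function names (arp_sender_ip, is_aligned and the rest) and the struct capture layout are this example's own, not Snort's.

```c
#include <arpa/inet.h>   /* ntohl(), for a host-order value to print */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of an Ethernet frame carrying an Ethernet/IPv4 ARP message
 * (ar_hln = 6, ar_pln = 4). Offsets are from the start of the frame,
 * i.e. from what Snort calls Packet->pkt. Assumed layout, not Snort's headers. */
#define ETH_HLEN    14
#define ARP_SPA_OFF (ETH_HLEN + 8 + 6)      /* 28: after ar_hrd..ar_op and arp_sha */
#define ARP_TPA_OFF (ARP_SPA_OFF + 4 + 6)   /* 38: after arp_spa and arp_tha */
#define FRAME_LEN   (ETH_HLEN + 28)         /* 42 */

/* Constructed ARP request using the addresses from the gdb dump in the thread:
 * sha 00:00:a2:cb:29:d9, spa 10.20.15.254, tha ff:ff:ff:ff:ff:ff, tpa 10.20.11.79. */
static const uint8_t arp_request[FRAME_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff,               /* Ethernet dst: broadcast */
    0x00,0x00,0xa2,0xcb,0x29,0xd9,               /* Ethernet src */
    0x08,0x06,                                   /* ethertype ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01, /* hrd, pro, hln, pln, op = request */
    0x00,0x00,0xa2,0xcb,0x29,0xd9,               /* arp_sha */
    0x0a,0x14,0x0f,0xfe,                         /* arp_spa = 10.20.15.254 */
    0xff,0xff,0xff,0xff,0xff,0xff,               /* arp_tha */
    0x0a,0x14,0x0b,0x4f,                         /* arp_tpa = 10.20.11.79 */
};

/* Capture buffer that starts the frame 2 bytes past a 4-byte aligned address,
 * reproducing the layout in the core: arp_spa then sits at offset 30 from an
 * aligned base, which is not 4-byte aligned. */
struct capture {
    uint32_t align_me;            /* gives the struct 4-byte alignment */
    uint8_t  raw[2 + FRAME_LEN];  /* raw + 2 is 2 (mod 4) */
};
static struct capture cap;

static const uint8_t *misaligned_frame(void)
{
    memcpy(cap.raw + 2, arp_request, FRAME_LEN);
    return cap.raw + 2;
}

/* True when p can be loaded as an 'align'-byte scalar without faulting on a
 * strict-alignment CPU such as SPARC. */
static int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* The pattern the original spp_arpspoof.c used: reinterpret the field in place
 * as a 32-bit integer. Undefined behaviour in C when the pointer is not 4-byte
 * aligned; on SPARC the load raises SIGBUS. Only call after is_aligned(). */
static uint32_t arp_sender_ip_cast(const uint8_t *frame)
{
    return *(const uint32_t *)(frame + ARP_SPA_OFF);
}

/* What the posted patch computes: six bytes land in a u_int8_t array and
 * '*addr' is passed on, which is just the first octet (10). */
static unsigned arp_sender_ip_first_octet_only(const uint8_t *frame)
{
    uint8_t addr[6];
    memcpy(addr, frame + ARP_SPA_OFF, sizeof addr);
    return *addr;
}

/* Portable fix: copy the four octets into an aligned local. The value keeps the
 * byte order the cast would have produced (network order in memory), so a
 * caller such as an IP-to-MAC table lookup sees the same key as before. */
static uint32_t arp_sender_ip(const uint8_t *frame)
{
    uint32_t spa;
    memcpy(&spa, frame + ARP_SPA_OFF, sizeof spa);
    return spa;
}

/* Dotted-quad rendering of the 4 octets at 'off'; byte reads need no alignment. */
static const char *ipv4_at(const uint8_t *frame, size_t off)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%u.%u.%u.%u",
             frame[off], frame[off + 1], frame[off + 2], frame[off + 3]);
    return buf;
}

int main(void)
{
    const uint8_t *frame = misaligned_frame();
    const uint8_t *spa = frame + ARP_SPA_OFF;

    printf("arp_spa at %p, 4-byte aligned: %s\n",
           (const void *)spa, is_aligned(spa, 4) ? "yes" : "no");
    if (is_aligned(spa, 4))
        printf("cast read:     0x%08x\n", ntohl(arp_sender_ip_cast(frame)));
    else
        printf("cast read:     skipped (would SIGBUS on a strict-alignment CPU)\n");
    printf("memcpy read:   0x%08x = %s\n",
           ntohl(arp_sender_ip(frame)), ipv4_at(frame, ARP_SPA_OFF));
    printf("u_int8_t read: %u (first octet only)\n",
           arp_sender_ip_first_octet_only(frame));
    printf("target:        %s\n", ipv4_at(frame, ARP_TPA_OFF));
    return 0;
}
```

On x86 the cast read would silently succeed even at the misaligned address, which is why the bug only surfaced on SPARC; is_aligned() is the runtime check to reach for when a field pointer into a packet buffer has to be dereferenced as a wider type, and memcpy into a local is the form that needs no such check at all.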



--__--__--

Message: 8
From: Darrin Powell <dpowell () lssi net>
Reply-To: dpowell () lssi net
Organization: lssi.net
To: snort-users <snort-users () lists sourceforge net>
Date: Tue, 10 Jul 2001 15:16:25 -0400
Subject: [Snort-users] error message with snort


 I tried to run snort and get this error message

ERROR /etc/snort/snort.conf (8) => Rule IP addr ("2xx.xx.xxx.xxx") didn't 
x-late, WTF?


  Any help would be greatly appreciated..


Thanks in advance
Darrin


--__--__--

Message: 9
Date: Tue, 10 Jul 2001 12:23:16 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] error message with snort
To: "'dpowell () lssi net'" <dpowell () lssi net>,
 snort-users <snort-users () lists sourceforge net>

Did you set the HOME_NET and EXTERNAL variables in the snort.conf file?
That seems to be the most common culprit for this error.

 I tried to run snort and get this error message

ERROR /etc/snort/snort.conf (8) => Rule IP addr 
("2xx.xx.xxx.xxx") didn't 
x-late, WTF?


  Any help would be greatly appreciated..



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

