RE: Snort-users digest, Vol 1 #1531 - 12 msgs

["Jessup, Justin" <Justin.Jessup () usdoj gov>]

hey to all almost forgot to mention
if you are creating the databases for snort in mysql you need to do this
get the tar.gz version of snort
unzip and untar it
cd to the snort dir
then type
mysql -u "your user name" -p"password" -h 192.168.0.99 snort < ./contrib/create_mysql
THIS WILL EXECUTE a sql script in the tared up version of snort
that will create the tables and fields in your snort database on your mysql server
example
mysql -u root -phappyone -h 192.168.0.99 snort < ./contrib/create_mysql
any questions email me via this usenet
good luck
check out
ACID
and 
snortreport

justin
:-)

-----Original Message-----
From:
/DDV=snort-users-request () lists sourceforge net/DDT=RFC-822/O=INETGW/P=GO
V+DOJ/A=TELEMAIL/C=US/
[mailto:/DDV=snort-users-request () lists sourceforge net/DDT=RFC-822/O=INE
TGW/P=GOV+DOJ/A=TELEMAIL/C=US/]
Sent: Tuesday, January 29, 2002 3:59 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1531 - 12 msgs
Importance: Low


Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: detection and preprocessor plugins (Steve Halligan)
   2. Running Snort Daemon Problem (Bill)
   3. Re: FW: ISS Alert: Remote Denial of Service Vulnera
       bility in Snort ID S (Chris Green)
   4. Re: Help getting Snort working with mysql (Roman Danyliw)
   5. =?iso-8859-1?Q?CPU_usage_grow_to_max?= (=?iso-8859-1?Q?Alessandro_Fiorenzi?=)
   6. Re: Running Snort Daemon Problem (Chris Green)
   7. Re: Barnyard Solaris 2.6 make issue (Roelof JT Jonkman)
   8. Snort for RH 7.0 (Paulo Henrique Baptista de Oliveira)
   9. Re: Help getting Snort working with mysql (Phil Wood)
  10. Re: libpcap 0.7.1 (Phil Wood)
  11. RE: Help getting Snort working with mysql (Patrick S. Harper)

--__--__--

Message: 1
From: Steve Halligan <agent33 () geeksquad com>
To: "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] detection and preprocessor plugins
Date: Tue, 29 Jan 2002 09:34:28 -0600

Please allow me to answer my own question.  When frag2 is determines that it
has a complete packet rebuilt, it dumps the packet back into
ProcessPacket(), which will give all the preprocessors (even frag2 itself
actually) another shot at the new rebuilt packet.

-steve

 
> > > 3)  If one have multiple preprocessors, what determines the 
> > order they run
> > > in?  Can the defrag run first, then others, allowing them 
> > to see the packet
> > > in its defragged form?
> >
> > The order is determined by the way that they're loaded in the 
> > snort.conf
> > file.  The default order has spp_frag2 loaded first.
> So if frag2 is loaded first, will other preprocessors see a 
> packet in its
> defragged state?
> Or is the defragged packet only available to detection plugins and the
> signature engine?
>
> -steve


--__--__--

Message: 2
From: "Bill" <wkuhn () adelphia net>
To: <snort-users () lists sourceforge net>
Date: Tue, 29 Jan 2002 11:00:34 -0800
Subject: [Snort-users] Running Snort Daemon Problem

Hello,
I am trying to get Snort 1.7 installed on a Linux Server... I installed the
snort rpm and the tarball... I had to do that because the RPM doesn't have
the ability to log to postgresql database... I try to start the snortd
daemon and it gives me an error:

snortd: /etc/snort/snort.conf: Permission Denied

Here is the Start Section of the snortd (located in /etc/rc.d/init.d):
start)
echo -n "Starting snort: "
daemon /usr/local/bin/snort -u snort -dev -D \
-i $INTERFACE -l /var/log/snort -u snort -g snort -c
/etc/snort/snort.conf -b
touch /var/lock/subsys/snort
echo
;;

The Snort binary is owned by root and the group is snort (was root but same
error).

The /etc/snort directory is owned by root and group of root, the permissions
are 755 (rwxr_xr_x).
The files in the /etc/snort directory are owned by root and the group is
snort (this includes snort.conf)
The snort.conf is in mode 640....

I checked the /var/log/snort permissions:
the snort directory is snort.snort (owner.group) all files inside are
snort.snort.

Some things I tried were:
chmoding the content of /etc/snort to 777 but I get errors of none of the
commands in the snort.conf can be found....
/etc/snort/snort.conf: var: command not found [ OK ]
/etc/snort/snort.conf: var: command not found
/etc/snort/snort.conf: var: command not found
/etc/snort/snort.conf: preprocessor: command not found
/etc/snort/snort.conf: preprocessor: command not found

I would try running it from a command prompt:
/usr/local/bin/snort -u snort -dev -D -i eth0 -l /var/log/snort -u snort -g
snort -c /etc/snort/snort.conf -b

It says it started but running "ps aux / grep snort" shows nothing....

I am at a loss for this one...

Any ideas????



--__--__--

Message: 3
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: ISS Alert: Remote Denial of Service Vulnera
 bility in Snort ID S
From: Chris Green <cmg () uab edu>
Reply-To: snort-users () lists sourceforge net
Date: Tue, 29 Jan 2002 10:05:51 -0600

Andreas Hasenack <andreas () conectiva com br> writes:

> But there is no 1.8.4 release in sight. So far, I think two important
> bugs are fixed in CVS:
> - that DoS one
> - the ICMP packet dumps having traces of snort.conf inside them
>
> There is no mention of these bugs at www.snort.org (at least at the
> download page and the main page), people going straight there to 
> download the package won't be aware of this.


Brian added
http://www.snort.org/downloads/snort-stable-snapshot.tar.gz and a news
item on the front page today.

Hopefully that will be good enough until 1.8.4 can be released.
-- 
Chris Green <cmg () uab edu>
"Yeah, but you're taking the universe out of context."


--__--__--

Message: 4
Date: Tue, 29 Jan 2002 11:44:10 -0500 (EST)
From: "Roman Danyliw" <roman () danyliw com>
To: "Graham, Randy \(RAW\) " <RAW () y12 doe gov>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help getting Snort working with mysql

How far did you get through the README.database instructions?  

The following URL from the MySQL manual should get you through the database
installation process (Step 1-2).

http://www.mysql.com/documentation/mysql/bychapter/manual_Installing.html

What issues are you having applying the DDL script (contrib/create_mysql)?

cheers,
Roman

On Tue, 29 Jan 2002 10:15:39 -0500, "Graham, Randy \(RAW\) " <RAW () y12 doe gov>
wrote :

> OK, I must be totally brain damaged, because there is absolutely no way I
> can figure out how to get snort working with mysql.  I don't know if I'm
> setting up mysql wrong, or snort wrong, or what, but I can't get it working,
> and I'm not sure how to perform some of the steps listed in the
> README.database file.  Would anyone be willing to help me on or off list
> with this?
>
> I'd be glad to just post my problems here if there is a need, but since I
> don't imagine this is of use to most readers of the list, I thought I'd wait
> and see if someone wanted to help me off list before filling up the list
> with personal support questions.
>
> Thanks,
>
> Randy Graham
> -- 
> The Internet?  Bah!  Is that thing still around?  -- Homer Simpson
> http://www.securitynewbie.com/ - for people like me
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 5
Date: Tue, 29 Jan 2002 18:11:38 +0100
From: "=?iso-8859-1?Q?Alessandro_Fiorenzi?=" <a.iorenzi () libero it>
To: snort-users () lists sourceforge net
Subject: [Snort-users] =?iso-8859-1?Q?CPU_usage_grow_to_max?=

ICBIaSwgSSBoYXZlIGluc3RhbGxlZCBhIHNub3J0IHNlbnNvciBvbiBhIFBlbnRpdW0gSUlJ
IDczM01IeiB0byBtb25pdG9yIDMNCkMgY2xhc3MgdHJhZmZpYywgYnV0IEkgc2VlIGV2ZXJ5
dGltZSBjcHUgdXNhZ2UgMTAwJSBpcyBpdCBwb3NzaWJsZT8gDQpPbiB0aGlzIG1hY2hpbmUg
SSBoYXZlIHR3byBwcm9jZXNzb3IgYnV0IHNub3J0IHVzZSBvbmx5IG9uZSBwcm9jZXNzb3Is
DQppcyB0aGVyZSBhbnkgd2F5IHRvIHVzZSB0d28gcHJvY2Vzc29yPyANCg==




--__--__--

Message: 6
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Running Snort Daemon Problem
From: Chris Green <cmg () uab edu>
Reply-To: snort-users () lists sourceforge net
Date: Tue, 29 Jan 2002 12:33:38 -0600

"Bill" <wkuhn () adelphia net> writes:

> Hello,
> I am trying to get Snort 1.7 installed on a Linux Server

Ancient snort alert.  Upgrade to stable CVS.

> ... I installed the snort rpm and the tarball... I had to do that
> because the RPM doesn't have the ability to log to postgresql
> database... I try to start the snortd daemon and it gives me an
> error:
>
> snortd: /etc/snort/snort.conf: Permission Denied
>
> Here is the Start Section of the snortd (located in /etc/rc.d/init.d):
> start)
> echo -n "Starting snort: "
> daemon /usr/local/bin/snort -u snort -dev -D \
> -i $INTERFACE -l /var/log/snort -u snort -g snort -c
> /etc/snort/snort.conf -b
> touch /var/lock/subsys/snort
> echo
> ;;

That looks like the old chroot daemon script.   Where is this RPM from?

> The Snort binary is owned by root and the group is snort (was root
> but same error).
>
> The /etc/snort directory is owned by root and group of root, the permissions
> are 755 (rwxr_xr_x).
> The files in the /etc/snort directory are owned by root and the group is
> snort (this includes snort.conf)
> The snort.conf is in mode 640....

There is a missing \ at the end of your '-c' line

daemon /usr/local/bin/snort -u snort -dev -D \
       -i $INTERFACE -l /var/log/snort -u snort -g snort -c  \
       /etc/snort/snort.conf -b

-v shouldn't be used in daemon mode

If you're feeling brave, remove all the RPMs and bits of snort you
currently have installed and try some testing RPMS of the current
stable snapshot:

ftp://helium.tucc.uab.edu/pub/snort-rpm (compiled on rh7.2)
-- 
Chris Green <cmg () uab edu>
"I'm beginning to think that my router may be confused."  


--__--__--

Message: 7
From: Roelof JT Jonkman <roel () SiliconDefense com>
Subject: Re: [Snort-users] Barnyard Solaris 2.6 make issue 
To: Steve Rudolph <srudolph () iocenter net>
Cc: snort-users () lists sourceforge net
Date: Tue, 29 Jan 2002 10:44:24 -0800

Steve,

Add the following to your LDFLAGS: '-lnsl'

Or the quick and dirty way:

gcc  -g -O2 -Wall  -o barnyard  barnyard.o configparse.o mstring.o
strlcatu.o strlcpyu.o util.o spool.o sid.o debug.o classification.o
output-plugins/libop.a input-plugins/libdp.a -lsocket -lnsl

Barnyard works on solaris, there are a few caveats, but it works.

roel
http://www.SiliconDefense.com




--__--__--

Message: 8
Date: Tue, 29 Jan 2002 17:21:16 -0200
From: Paulo Henrique Baptista de Oliveira <baptista () linuxsolutions com br>
To: snort-users () lists sourceforge net
Organization: Linux Solutions
Subject: [Snort-users] Snort for RH 7.0


        Hi all,
        I have to install snort in a RH 7.0 system and can only find snort for RH 7.1 and 7.2 at rpmfind.net that 
generates a lot of dependencies.
        I dont use to manage RedHat (my background is Debian) so I'm asking for someone to send me a snort binary for 
RH 7.0.
        TIA,            Paulo Henrique


-- 
Paulo Henrique B de Oliveira
Gerente de Operações - Linux Solutions - http://www.linuxsolutions.com.br
O maior conteúdo de Linux em língua portuguesa - OLinux - http://www.olinux.com.br
(21) 2526-7262 ramal 31

        


--__--__--

Message: 9
From: Phil Wood <cpw () lanl gov>
Date: Tue, 29 Jan 2002 12:27:59 -0700
To: "Graham, Randy (RAW) " <RAW () y12 doe gov>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help getting Snort working with mysql


--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Jan 29, 2002 at 10:15:39AM -0500, Graham, Randy (RAW)  wrote:
> OK, I must be totally brain damaged, because there is absolutely no way I
> can figure out how to get snort working with mysql.  I don't know if I'm
> setting up mysql wrong, or snort wrong, or what, but I can't get it working,
> and I'm not sure how to perform some of the steps listed in the
> README.database file.  Would anyone be willing to help me on or off list
> with this?
>
> I'd be glad to just post my problems here if there is a need, but since I
> don't imagine this is of use to most readers of the list, I thought I'd wait
> and see if someone wanted to help me off list before filling up the list
> with personal support questions.

I've attached a set of utilities which I use to keep me blissfully unaware.
( not that I need a lot of help with that ;)  Let me know if they help.

> Thanks,
>
> Randy Graham
> -- 
> The Internet?  Bah!  Is that thing still around?  -- Homer Simpson
> http://www.securitynewbie.com/ - for people like me
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


--Dxnq1zWXvFF0Q93v
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="acid_init-0.3.tar.gz"
Content-Transfer-Encoding: base64

H4sIADb3VjwAA+0ca3PbuDFfw1+xZ3sqO6O3LKuxo1xlW7m4Ez8qKc1k0jSmSEhiQ5E8krLi
NP3v3V0AfEg++27GcZKWO4lNgsBiF/sGQZuWY39wPCeu1Kut2qOvAvX6br3TbuPven2v0+Tf
9dae/C3hUb2z22y3O63dPWxvNHbbzUfQ/jrk5GERxWYI8MgKlrf2s53gIch5aDBz8v97fzA8
OT+75znqDZT77u4t8sdnndZes77baLfxutHc7bQfQf2e6bgR/s/lj1I3vjUNBXw7yNv/i5NX
/eG9z3GX/bdbLbT/ZqdTbzfb9RbZP0Jh/w8BlXBZCSv0DxAagMsADMgvJIBu+SmcmtcAf4ZG
fb/5FKYiJtWpRjPjd6JoNFoSxVNo7O03W2CFwozF78cA7c7TLIYm2CKKQ//6D6Bo1vcYRaOB
PO3X/wyRE4uK5XuTaizmgYsE/W5Uu+0sqqdgjyvWZJri+dai/V2Qt/9T86OYOK643znusH8M
+x2d/zU6Hcr/WpgBFvb/ELC5CVroYODNkR9ch850FsP20Q6aS72BTaEn4hje+L5NfajbaOZE
EIT+NDTngJeTUAiI/Em8NENxANf+AizTg1DYDpqoM17EApwYTM+u+SHMfduZXBMebFt4tggh
ngmIRTiPwJ/wzS9nr+EX4YnQdOFiMXYdC145lvAiASZOTS3RTNgwZjw04gXRMFQ0wAsfEZux
43sHIBx8HsKVCCO8h2YZkIhtMyY6Q/AD6rVDaEzvGsh2k77V3+A3ZcsGx+PpZ36ALMwQKzK1
dFwXxgIWkZgs3DKhwM7w5mT08vz1CHpnb+FNbzDonY3eHmDneObjU3ElJCoHPYiDmJGR0PTi
a1wTwnDaHxy9xCG9w5NXJ6O3xMSLk9FZfziEF+cD6MFFbzA6OXr9qjeAi9eDi/NhvwowFESW
IAS3rOmExYLrZqNjd9woYdxHIVrCuUJyTLBQO+4WUBmWIbpViH098W+JpgwnnlUtw16HfGkU
Qe8KRx+Z83Ho2FO8PO1BvdloPS3D62GvahgXg/O/9o9G3cRtGQbnLF1VuQDfpSo96PeOT/tp
qMmEjEwIg38Y0qevR4NVrw6mWaUOhqFm7F5aKHJ1c2kcnwy6W9uKzJ3K1rZ6smMYM+EG+8Zj
XmVJl2Gg79mHrW2mesd4/A4qNt4ikh14D1++wPyj7YSqxXgczqEyUXe1J8bjbXJdSB5UEhw7
8AW2LY3kgDt8wg44mq8/WxpBFe+r088aueYHKRTWzId6tQ7PNV8/Riwr4I9DPv5LtbzvOe6I
/3ud3ZaO/81Gg+J/s9WqF/H/IQCds/KRRfQvov93Hv1ZDvivh04Ljjimw7EM6CxU07KR5ZOY
+ixJFickAqJEJgCkgYbKACDy/DCG6FcXkBpzbEYiosEwM68EeH4MrjBR9W0U7ZJQmFa8MF33
Guam4+EqeQaNvRYxjjo0bcwdph5ens9gKVwXrwzj7HzU30ftEaQ8lrAXoYgAdVGg0tg+T4Kq
ZC2QdTWJ46E7QuWZXxNyZMn1CTWRqlIUUhf5uKoneGaPn6OcAsQuvDhCSWmOwDPnAlzno4AN
8vQx8r5RVZieBcuVYQEKYemHNrb+unBCti+WNhETiRDNgvQd859/LTyLRJglamVaPc27Z5E/
F/HM8abP32fnS5pRVo41S6yG1yqKcHafDULhsfz5HOWH3HiCVka4EfedB2SGqMG4Hi9xbYGU
jIgOhSuu0ICAMkFUaSOT8NGSGYyYdcr2BfGPGZpLCm7issdAnGgaQHxCmzc9S2gDoFSRM0FW
Kl5PxFnFXFHNx4qImuxNCf9Sopn7UcwmhWRZV+zuBj6yVcLpkTTGQ0wqPSA1JpYcz3YwzUwF
cmWGjjnGadBiJ44n/VBCUoJGk1SVvKY0zzHsSZ64H7aRRiurwQVBRVjMESuqJEqElp7WwZeI
wVvMx6gKSDx68gkSiNwEfoy/HHQH0rBSozLyqyMJpuVeeM6vC6VcuTFgTsgLR+ifLVHCFcxT
rzC+xTAToet0bbbyG3J3Ym0tf6eZKeZLgyLPx3EgWSpgryFNXdIqDUwuBS0+G5VWg8Q0E+JR
EuTtMQ5QEBwTGdes51XSNjNGWY+FZbJnIgwx6YjUSMKDq0+OYRFJoVJQ0nNZoROg4Sw8FHxE
E8zMIECfyx7OdzzUIMG2qOSktSSrJIQop6nVrJ/yxKcY4qWfzIV+kxZiabofgRyTTz6AFyzr
OZkzcc2+U5mr7+GwsaCYhk6HwlnquDAs+WV8SPEAp0+rM17od+SY3meskys59g4x1nXMATPk
kAeKiKmEIZJ4quVKYZXz144s1TKPNYccR6Ys/Do06KhzGxGpGCa+6/pLUgt2Zkp3I+UoldLL
BMOWGj1dkOxRDyKhIsUiyHtBosaZLkIOvVryNxiNZPo1a6dmnPULXVK4sGLGupEwuCFRAZyh
Ayiv+CAcv2YwlBus03KQQxkF6ImRtVJUKjOiklMqQymmH6KE7lSykwR7MhhTOZEb+Vzdm72L
x5xLUMJnT8zaoe2asaByRb7HZkZ8lkkXAnQvjrVwsbIgN6DFRfyT0PV60CyM403/8MNhb9hP
LJZyikVc1rwl8ZidEPKjNzhWYphXiimxiH0fPbw1U76Mk28cOSfNNYHqHSUMrRzSFVLYYn38
KERA7kNlzNLdEzImGeJrzHX/RRGkRChLOuWVir6YB3JVVV2h1OM8LCeFASPgsURMSYYgNlLp
uCwbq9Fnavrn1Xj6GVlONl6oy5EOWExGTs8xCoUOMnKdhoeA3LEnhbrBWiL1LGGbVifxx1nr
ZIqZMuXAqIc5Ri+oPaReYxmi5uQjm2DNzBDzRYph6J4xxKBxYnCcOMgSbJdMs8SBR3wyUR/F
DsksiaSOXoaxiJdC1QSkF/4iUuginHLOZRonq64/nZKvkBk3RKRdiWc2bt+7ydf/iSe+1xrz
jvq/1em0k/p/t96k/f/mbqeo/x8CNn+qjR2vhqoyo1ItDcXFdkCxHfCdbwc4E3gHW5tQcWOo
w/sDmoAqUt6/3jilyBAtgsCVWZfOC4T0+Gmdig68hAKiIMH9MODH5hQT2OoGPP9TkxB+Qik2
jIkjp/yJd+EbnBqszvpG1muRev7zOoqLN90tajFkeaM6GqPTi24tnge1rX8P//aqf/bLyVn/
P1tbisvKZ9jYwvbjw421KblZbibINH99Tonk08bWxZsN+KkLnzJIkJ6NSkWX/l3qwkM2c3lz
vj7b5rCLGRdXzKQunr/cMbKkm/YcbQGxaTSSfGPzJsSUAMv4GmEYtyhaYwsWlaFzhcKaisiQ
vFKQzs6CrMIWLl3V9S3TNYiSGdkg386o2KZph/3B3/uDAwyzBr2sefYM+ucv4Hlu6MkZ9hrB
ydnoXJID2zS+TNdlvTplSd4HoqssaZTXNrbHQl5L7uT1IrD19Y6ROTyAAd1diGi7tDUrlUtE
42ucvpRMhA8uesPhm/PBcWmnXHpbWv2/c2AgD4bte5gDJmxf8ioRupfnwxF8AaoPKphrRbVy
DWrT0iUvAmvDhu7GGrGRrlNWw77+ct3PsqjlQL3lFZE2E2UITngijjLNX3Lq9BsajLmlb9qE
nbSXiz7TdT7fZBpST1lNpV1+4TWs4O3Z+WA0HBzVaLMFw4VKtj5kp1wl57ex9Y5OjhmZRMJp
XDx2oxy6KuWyqyg3w7lcgCeUGebzv7QMvs8c467zH+12I83/mpz/0THgIv97ANjMpX+ZbZAi
/yvyvx8k/8Pw1fhh0j+V//0PZn/kPiisy83RXDzkB7RFoZv3dTp4c8C1Qz9IEsYs2jRdXEFM
kY6aJWLKGnKpHkc8YzV7NI77r/qjPrwYnJ+qHJTlx5ddSBMQmV3o1OEPJQ0q2n6vJ2jy8T99
Q3afc9wR/3dbe+n+T3uvzvG/Xnz/8SCg9n9k+M8c6i6ifxH9v+/ovyk+BRQMEt/b5ZeL2fbj
w+7Mn6YtqgLr1mb+XNTkq1v9UBVU6pkZmNZM1Gax7VtRTUaiGr+hz6Cn0JCfQBbUXSxBq3Kn
vmr583K89DO3SW9dyXZdZyIqTlRpVqIZkfRjJja42FuNNK85PuTExtCvtrqXthPyiy9du14a
dNG9TN6IpQ+MYBHNbKCMiAJoJZzI4xF0ZKJi7wfyLMq+6fne9dxfRH/BB1Xq4ZrjqqQAtXgq
quit9mv4MPT9uKY60PsSx5O4PrfuAZ/lS+oCP7ANQx7ZrWD+ollX3KT3Ur4/Q0X8mtu4ZBHY
ch3k+V/FPLdgB3UcWN1ZdnoZYD9eL6ZK/nhnVj6/fwJV+ZwjPb81DWYrd1Uf/Ty9WKPtomc3
PMMEKj9cHpjmnaXNf/5jy3Rpa8cekxjfweP3T7rVJ5v5ZsynNko6iy1tHGyWbkZCu0hrKHgn
L0GgtqluQUL2tYaEjS5BcoG+4DYUlAOuoVCJoUJB9n8rFSqrXqdEn7OSqLQjuBnX8aHrjHFI
PGMM6a0a3Ts+Pz78cNEbvbx5/NHMDONXWRS5Fk3Dy4tX56Nb0Bwf0ltbRQK/wE3WQbpfOcyg
Y1mJ11iKMah0Xyt/WR62ooKFzx/9tO5J2I5m3UuSOqnOpRGJGKuWS7mhO7uUuT9lFnyOybRt
9nCZzVYKOFpEf9lqUmBONed7zcW/BeTz//XjIPcxx137f41OJ/P9P33/3cYRRf7/EIAZWeas
UnIGqEj/i/T/O0//5UmyJR17S0/DTuQpcIP1KT0nFwl3govKp3DkGVckJ+KjwjdWEsEUK4nH
j9VLqU19WPuj5y/BmcjjTUtGjmH8o3FzJZIZr88VCW9K50kpe8cBvG/FRYiuQZJQ3q1RbK7F
fs20fXvMSDwhbHkCOJeL6cGZCJ6Oxud0lPnOwUls7JIh0HujKgVbqldwsNwVS0M96X248Dw6
mZsioIyq22rV9x6vcM4dMqPRXmM6tep7RST+1rDy/i9/TPKe5rgr/jdbjTT+tzAXaOy2ir//
8DBAL/3GXPEXwb8I/j9Q8M+e0o0CYTkTnDmKF5OJPi0dZTIEfoDDkv2p9Jw6vWAar+QRhpHb
RNSfTgEYa1uJOtLKN1P5iC+/MJMT2kiRFfvhtbG64ZhEepylghVzJTCnQodO17T00XN6DlFo
keKp74OEbaxvPdJ+I6zAJuhiOpLKqTXTtOhbK341NzZWtjZTtldw6Zdt9JmQbznp6egUR7K5
mex1rODIfG0mkzZNB789HBeZwcNAPv6rM/b3PMedf/+prr//3mur77/3ivM/DwObyR+02Ew/
objpQxr9WQUbq/6sgRyKDfQ9g7FpoPeE48Oz3mkftOdQbVQZAFUG6p68y1ofchjHiVNQrXyM
ca0k4YfD/tkQw51p4tQYNuk1R3q6gPdZy/JzszLIHejulqKOHBTdMFnkx+iGaUrPQSQESU4/
SARqTqKDuhB1d3xfUUABBRRQQAEFFFBAAQUUUEABBRRQQAEFFFBAAQUUUEABBRRQQAEFFFBA
AQUU8LXgv1WJS2UAeAAA

--Dxnq1zWXvFF0Q93v--


--__--__--

Message: 10
From: Phil Wood <cpw () lanl gov>
Date: Tue, 29 Jan 2002 13:44:22 -0700
To: "Crow, Owen" <Owen_Crow () bmc com>
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] Re: libpcap 0.7.1

Looks correct.  My netscape, shift key, reload just didn't hack it
today.  Cleared my cache and things started to work again.

One caveat, the current snort.c incorrectly adds ps_drop to ps_recv to create
a total packets received by the filter.  This is actually MY fault, and I have
notified Marty.  It's actually worse than that.  In particular, here is the
skinny on how libpcap manages the "pcap_stat" structure:

        filter  
OS      applied ps_recv                   ps_drop

linux   before  all packets that passed   packets that passed the filter
                the filter including      but dropped due to lack of buffer
                those that were dropped.  space. 

bsd     after   ALL packets that hit      (Same as linux)
                the network interface     
                before being filtered    
                including packets that
                passed the filter and
                packets that were dropped.

The above synopsis is based on my read of the two files pcap-linux.c and
pcap-bpf.c.

I would very much like to change the way pcap_stats works, but the old
hands are tied due to the "api".  

-- 
Phil Wood, cpw () lanl gov



--__--__--

Message: 11
From: "Patrick S. Harper" <lists () internetsecurityguru com>
To: "'Graham, Randy \(RAW\) '" <RAW () y12 doe gov>,
   <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Help getting Snort working with mysql
Date: Tue, 29 Jan 2002 14:57:50 -0600

What platform are you on?  Are you using RPM's or source?  I have had
better luck using source on Linux.  The first link is a pretty good
tutorial.  I got all these from google when I first did this.

Good luck.

http://www.sfhn.net/whites/snortacid.html

http://www.andrew.cmu.edu/~rdanyliw/snort/acid_config.html

http://www.incident.org/snortdb/

http://www.sfhn.net/whites/snortacid.html

http://rr.sans.org/intrusion/snortsnarf.php

http://rr.sans.org/intrusion/ACID.php


Patrick S. Harper | MCSE ISS
mailto:patrick () internetsecurityguru com 
http://www.internetsecurityguru.com

How do I set a laser printer to stun?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Graham,
Randy (RAW) 
Sent: Tuesday, January 29, 2002 9:16 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help getting Snort working with mysql


OK, I must be totally brain damaged, because there is absolutely no way
I can figure out how to get snort working with mysql.  I don't know if
I'm setting up mysql wrong, or snort wrong, or what, but I can't get it
working, and I'm not sure how to perform some of the steps listed in the
README.database file.  Would anyone be willing to help me on or off list
with this?

I'd be glad to just post my problems here if there is a need, but since
I don't imagine this is of use to most readers of the list, I thought
I'd wait and see if someone wanted to help me off list before filling up
the list with personal support questions.

Thanks,

Randy Graham
-- 
The Internet?  Bah!  Is that thing still around?  -- Homer Simpson
http://www.securitynewbie.com/ - for people like me

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users