Snort mailing list archives

Re: Snort-users digest, Vol 1 #1914 - 6 msgs


From: john () dndlabs net
Date: Sun, 26 May 2002 14:32:12 -0400

Sounds like you're trying to install SNORT for MSSQL support.  The file normally is found with the MSSQL Client Tools off the MSSQL server CD.  Other than that you can get it from the Windows binary distribution of PHP-4.2.1.  This will be a zipped distro and the dll can be found in the "dlls" directory.  Hope this helps.

-John




snort-users-request () lists sourceforge net
Sent by: snort-users-admin () lists sourceforge net
05/25/2002 03:10 PM
Please respond to snort-users

 
        To:     snort-users () lists sourceforge net
        cc: 
        Subject:        Snort-users digest, Vol 1 #1914 - 6 msgs



Send Snort-users mailing list submissions to
                 snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
                 https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
                 snort-users-request () lists sourceforge net

You can reach the person managing the list at
                 snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Same question again.. (C Boss)
   2. where can I find Ntwdblib.dll (y q)
   3. No UDP by nmap scan (tino.brandt () t-online de)
   4. Re: Same question again.. (John Sage)
   5. Re: Same question again.. (Bamm Visscher)
   6. Re: Same question again.. (Erek Adams)

--__--__--

Message: 1
From: "C Boss" <cboss99 () hotmail com>
To: snort-users () lists sourceforge net
Date: Thu, 23 May 2002 15:36:46 -0400
Subject: [Snort-users] Same question again..

Guys, help me out here please. This is the second time I have put out this question. Is the question plain stupid or do you need more information? Please let me know.

"I want to log in a binary format and thus am using the -b option. I am also logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS in the snort.conf file.

The problem is that if I use the -b option with Snort, I don't see any alerts in the syslog.

Do the two not work together?"

Thanks.



--__--__--

Message: 2
Date: Thu, 23 May 2002 20:08:38 -0700 (PDT)
From: y q <guodj69 () yahoo com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] where can I find Ntwdblib.dll

Hi:
  I download  snort-stable-snapshot.tar. When it runs
it says cannot find ntwdblib.dll. Where can I find
this file?

            yq



--__--__--

Message: 3
Date: Fri, 24 May 2002 19:56:48 +0200
From: tino.brandt () t-online de
Subject: [Snort-users] No UDP by nmap scan 
To: snort-users () lists sourceforge net
Cc: 


Hello,

I am running snort-1.8.6 (with mysql and openssl support) on a SuSE 7.3, libpcap 0.7.1, tcpdump-3.7.1 with ACID and MySQL. eth1 is on a public side (hooked up to a cisco switch).
command used:

/usr/local/bin/snort -i eth1 -c /usr/local/snort/snort.conf -D -l /var/log/snort

eth1 is brought up by:
ifconfig eth1 promisc up
with no IP assigned.

I can see alerts (spp_portscan) coming from the TCP and (ICMP) side, but no UDP packets (nmap -sU ..).

What is the problem?


Thanks in advance,
Tino



--__--__--

Message: 4
Date: Sat, 25 May 2002 10:36:36 -0700
From: John Sage <jsage () finchhaven com>
To: C Boss <cboss99 () hotmail com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Same question again..

On Linux 2.2.14, snort 1.8.4 build 99, I'm doing this:

Command line:

/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf

Relevant snort.conf:

<snip>
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT 

output alert_syslog: LOG_DAEMON LOG_ALERT
# keep as from 1.8.2 - this is FACILITY-LEVEL, I believe.. 
# -------------------------------------------------
# output alert_full

output alert_full: /var/log/snort/alert184.full
# keep as from 1.8.2 # attempted in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
# attempted in snort18REL.conf for snort 1.8.1-RELEASE
# hasn't been shown in snort.conf for several releases: works as from 1.7
<snip>


This binary logs to this sort of a file, for example:

4678983 May 20 15:19 snort-0520@0722.log


and alerts go to this sort of a file:

11226 May 20 15:14 alert184.full-0520@0722.log


and syslog gets alerts, and logcheck picks them up, thus:

<snip>
Security Violations
=-=-=-=-=-=-=-=-=-=
May 20 15:14:35 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
+211.202.3.249:2986 -> 12.82.133.65:1433
<snip>


So this works for me...

YMMV..


- John
-- 
You simply can never have too many shells

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 



On Thu, May 23, 2002 at 03:36:46PM -0400, C Boss wrote:
Guys, help me out here please. This is the second time I have put out this question. Is the question plain stupid or do you need more information? Please let me know.

"I want to log in a binary format and thus am using the -b option. I am also logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS in the snort.conf file.

The problem is that if I use the -b option with Snort, I don't see any alerts in the syslog.

Do the two not work together?"

Thanks.


--__--__--

Message: 5
Subject: Re: [Snort-users] Same question again..
From: Bamm Visscher <bamm () satx rr com>
To: C Boss <cboss99 () hotmail com>
Cc: snort-users () lists sourceforge net
Date: 25 May 2002 13:24:25 -0500

You are not really giving us enough info to diagnose the exact problem (i.e. relevant info from snort.conf and what command line switches you are using to start snort), which is probably why no one is replying.

The -b option will only affect "log" output. If you are in fact using "LOG_ALERTS" as the priority for syslog output, then that may be the problem. LOG_ALERTS is not a valid priority for syslog. Try LOG_ALERT (no "S") and make sure syslogd is set up correctly to handle that facility/priority combination (man syslog.conf).

Bammkkkk

On Thu, 2002-05-23 at 14:36, C Boss wrote:
Guys, help me out here please. This is the second time I have put out this question. Is the question plain stupid or do you need more information? Please let me know.

"I want to log in a binary format and thus am using the -b option. I am also logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS in the snort.conf file.

The problem is that if I use the -b option with Snort, I don't see any alerts in the syslog.

Do the two not work together?"

Thanks.





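An added example, not from this thread: a small Python checker for the `output alert_syslog: FACILITY PRIORITY [OPTIONS]` syntax Bamm points at, which flags tokens such as LOG_ALERTS that are not syslog.h names and suggests the nearest valid one. The accepted facility, priority and option sets are assumed from syslog.h and the Snort manual, and the snort.conf fragment is constructed.

```python
import re
import difflib

# syslog.h names (assumed to be the set Snort's alert_syslog plugin accepts;
# check the manual for the Snort version you run).
FACILITIES = {"LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_USER",
              *{f"LOG_LOCAL{i}" for i in range(8)}}
PRIORITIES = {"LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"}
OPTIONS = {"LOG_CONS", "LOG_NDELAY", "LOG_PERROR", "LOG_PID"}
KNOWN = FACILITIES | PRIORITIES | OPTIONS

# Only uncommented "output alert_syslog:" lines match; "# output ..." is skipped.
ALERT_SYSLOG_RE = re.compile(r"^\s*output\s+alert_syslog\s*:\s*(.*?)\s*$")


def check_alert_syslog(conf_text):
    """Return (line_no, message) findings for every alert_syslog line:
    unknown tokens (with a did-you-mean hint) and a missing facility."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = ALERT_SYSLOG_RE.match(line)
        if not m:
            continue
        args = m.group(1).split()
        for arg in args:
            if arg not in KNOWN:
                close = difflib.get_close_matches(arg, KNOWN, n=1)
                hint = f" (did you mean {close[0]}?)" if close else ""
                findings.append((no, f"unknown token {arg}{hint}"))
        if not any(a in FACILITIES for a in args):
            findings.append((no, "no syslog facility given"))
    return findings


# Constructed snort.conf fragment: line 3 carries the digest's LOG_ALERTS typo,
# line 4 is John Sage's working line, line 5 names a priority but no facility.
SAMPLE_CONF = """\
# constructed snort.conf fragment
# output alert_syslog: LOG_AUTH LOG_ALERT
output alert_syslog: LOG_LOCAL7 LOG_ALERTS
output alert_syslog: LOG_DAEMON LOG_ALERT
output alert_syslog: LOG_ALERT
"""

if __name__ == "__main__":
    for line_no, msg in check_alert_syslog(SAMPLE_CONF):
        print(f"snort.conf:{line_no}: {msg}")
```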
--__--__--

Message: 6
Date: Sat, 25 May 2002 11:53:57 -0700 (PDT)
From: Erek Adams <erek () theadamsfamily net>
To: C Boss <cboss99 () hotmail com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Same question again..

On Thu, 23 May 2002, C Boss wrote:

Guys, help me out here please. This is the second time I have put out this question. Is the question plain stupid or do you need more information? Please let me know.

"I want to log in a binary format and thus am using the -b option. I am also logging all alerts to syslog. So I have something like LOG_LOCAL7 LOG_ALERTS in the snort.conf file.

The problem is that if I use the -b option with Snort, I don't see any alerts in the syslog.

Do the two not work together?"


Actually, you can answer your own question.

Ever see the phrase "Command line options override....."?  Snort is telling you that if you put something in the .conf file it's overridden by using a command line option.

Use John Sage's suggestions and move it all into the .conf file.  It'll work.
:)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest
