Snort mailing list archives
snort tsnmp trap
From: "naganandas" <naganandas () indiatimes com>
Date: Fri, 13 Feb 2004 14:30:49 +0530
Hi, I installed snort-2.0.1 on one machine and also installed OpenNMS on another machine. In Snort I enabled the snmptrap plugin and included the Snort MIB file in the NMS, but Snort is not sending any alerts like portscan, stealth scan, etc. Please help regarding this.

snort-users () lists sourceforge net wrote:

Today's Topics:

1. RE: Updating Rules? (Vines Scott D 2d Lt AFFTC/IT)
2. Re: Updating Rules? (Andy Richter)
3. RE: Updating Rules? (John Creegan)
4. Re: Updating Rules? (Andreas Östling)
5. Re: Updating Rules? (Dusty Hall)
6. Re: snort-2.2.1-RC1 compile error (Ken Bergquist)
7. RE: Email (Michael Steele)
8. RE: Updating Rules? (Paul Schmehl)
9. RE: ACID (DeBerry, Casey)
10. Re: Updating Rules? (Paul Schmehl)
11. RE: ACID (Michael Steele)
12. Re: SNORT (Linux) / MySQL (Win32) (JP Vossen)

--__--__--

Message: 1
From: Vines Scott D 2d Lt AFFTC/IT <Scott.Vines () edwards af mil>
To: Dusty Hall <halljer () auburn edu>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Updating Rules?
Date: Thu, 12 Feb 2004 13:04:11 -0800

While we're on the subject of updating rules: I have customized my own rule files by disabling certain alerts within the files (but not turning off the entire rule set)... is there a graceful way to update rules without having to turn these off again?

-----Original Message-----
From: Dusty Hall [mailto:halljer () auburn edu]
Sent: Thursday, February 12, 2004 12:17 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Updating Rules?
I'm curious about the process of updating Snort 2.1.0 (NOT 2.1.1 RC1) rules. Snort.org lists the following for rule packages:

CURRENT - development is done here. Be careful if you use CURRENT
2_1 - the "stable" branch, where we do bug fixes for the currently "shipping" snort. probably ok for production, might not be release quality yet
2_0 - the "deprecated" branch, most definitely release quality, but not really worked on, except for rule updates

Which should I use for 2.1.0? Is 2.1.1 RC1 the "currently "shipping" snort"? Should I update? Thank goodness I don't use oinkmaster to autoupdate...

Thanks,
-Dusty

-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
Cc: Dusty Hall <halljer () auburn edu>, snort-users () lists sourceforge net
From: Andy Richter <jarichte () syr edu>
Subject: Re: [Snort-users] Updating Rules?
Date: Thu, 12 Feb 2004 16:32:08 -0500
To: Vines Scott D 2d Lt AFFTC/IT <Scott.Vines () edwards af mil>

oinkmaster
http://oinkmaster.sourceforge.net/

--andy richter

On Feb 12, 2004, at 4:04 PM, Vines Scott D 2d Lt AFFTC/IT wrote:
--__--__--

Message: 3
Date: Thu, 12 Feb 2004 15:31:40 -0600
From: "John Creegan" <jcreegan () questarweb com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Updating Rules?

When you say 'your own rule files', do you mean that you created your own rules files, and that you are updating with oinkmaster? If you are updating with oinkmaster, you can specify files to skip (not update) by adding "skipfile" lines to your oinkmaster.conf file.
--__--__--

Message: 4
Date: Thu, 12 Feb 2004 22:39:33 +0100 (CET)
From: Andreas Östling <andreaso () it su se>
To: Dusty Hall <halljer () auburn edu>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Updating Rules?

On Thu, 12 Feb 2004, Dusty Hall wrote:
> Which should I use for 2.1.0? Is 2.1.1 RC1 the "currently "shipping" snort"? Should I update?
Because of the alert mixup bug in Snort 2.1.0, I think it should be avoided. Snort 2.1.1 RC1 works fine from what I can tell, so I think you should use 2.1.1 RC1 and the 2_1 rules (or 2.0.6 and the 2_0 rules until 2.1.1 is released). Another reason to avoid 2.1.0 is that it doesn't have the flowbits feature which the 2_1 rules currently require (which I guess they really shouldn't, but that's a known issue that has already been mentioned on the lists, and it doesn't really matter as 2.1.1 RC1 is the way to go anyway).
> Thank goodness I don't use oinkmaster to autoupdate...
Can you please explain what you mean by this? Autoupdate is of course always a risk, especially if you for some mysterious reason do it without using snort -T on the new rules before loading them. I haven't had any problems with Oinkmaster or the update process.

Btw, for those who actually use Oinkmaster and Snort 2.1.1 and want to use the 2_1 rules, a simple workaround to disable all the 'flowbits' rules (temporary, until you use a Snort that can handle them) can be (assuming Oinkmaster >= 0.9):

    modifysid * "(.*\bflowbits:.*)" | "#$1"

Or simply "disablesid 2192,2350,2348,2349,2352", or use some modifysid statement or sed command or whatever to remove only the 'flowbits' parts if that is what you want.

/Andreas

--__--__--

Message: 5
Date: Thu, 12 Feb 2004 15:59:53 -0600
From: "Dusty Hall" <halljer () auburn edu>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Updating Rules?

I guess I'll update as soon as possible... I think this needs to be changed though: http://www.snort.org/dl/rules/ reads:

-> If you are using 2.1.*, please use snortrules-snapshot-2_1 rules. <-

Because snortrules-snapshot-2_1 rules.tar.gz BREAKS 2.1.0. If I was using autoupdate with Oinkmaster and used that info I would have had problems due to the flowbits addition. Luckily I manually update my rules using Oinkmaster and inspect the results :).

-Dusty
--__--__--

Message: 6
Date: Thu, 12 Feb 2004 16:53:47 -0500
Subject: Re: [Snort-users] snort-2.2.1-RC1 compile error
From: Ken Bergquist <kbergquist () wka com>
To: snort-users () lists sourceforge net

Will do. Thanks for the heads-up.

This is being compiled on an Apple B&W G3 - OS X 10.1.5 (Darwin), by hand.

    ./configure --with-mysql=/usr/local/mysql
    make
    <break>

No fink, I think. I'd rather use my thinker, lest it rot and stink. Though I may have it installed on this box. Why do you ask? Could it have an impact on this? Some library substitution perhaps?
> > I hope someone can shed some light on this. While making on OS X 10.1 (Darwin) the following error occurs first in the output:
>
> Could you check out HEAD (or get snort-current from snort.org) and try that? The libintsnort stuff was removed, as it was causing problems for a couple people. I've only seen this problem, in the case of Solaris, where people were compiling/linking snort using third party tools, and not the system tools. Out of curiosity, is this the same situation for you... are you using anything out of fink? In either case, check out HEAD and the problem should be fixed. Let me know if it isn't.
--
Ken Bergquist
Director Internet Systems
Walt Klein & Associates
http://www.wka.com

--__--__--

Message: 7
From: "Michael Steele" <michaels () winsnort com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Email
Date: Thu, 12 Feb 2004 13:56:19 -0800

Check out Swatch for UNIX
Check out EventWatchNT for Windows

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Syed Ali
Sent: Thursday, February 12, 2004 12:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Email

Hi, can someone tell me how to set up email alerts in Snort? The Snort box will be behind the firewall. I want to get an alert if someone has a successful attack on our web server so I get email notification. I am using Acid.

Thanks,
Syed
--__--__--

Message: 8
Date: Thu, 12 Feb 2004 15:59:37 -0600
From: Paul Schmehl <pauls () utdallas edu>
To: "Vines Scott D 2d Lt AFFTC/IT" <Scott.Vines () edwards af mil>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Updating Rules?

--On Thursday, February 12, 2004 01:04:11 PM -0800 "Vines Scott D 2d Lt AFFTC/IT" <Scott.Vines () edwards af mil> wrote:
> While we're on the subject of updating rules: I have customized my own rule files by disabling certain alerts within the files (but not turning off the entire rule set)... is there a graceful way to update rules without having to turn these off again?
Yes. Oinkmaster.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

--__--__--

Message: 9
From: "DeBerry, Casey" <Casey.DeBerry () trizetto com>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ACID
Date: Thu, 12 Feb 2004 15:41:44 -0700

What OS are you running things on? Are you showing any events in your database? Are you logging any events locally?

-----Original Message-----
From: Oliver [mailto:quemit () yahoo com]
Sent: Monday, February 09, 2004 4:58 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID

Installed ACID on Linux9. It looks as if my Snort is functioning properly. My ACID web view is not displaying any events happening. I've performed a couple of scans inside my network, still nothing is showing up on ACID. I've checked my snort.conf, it looks correct to me. Oh, by the way I'm new at this. Any suggestion? Thx

--__--__--

Message: 10
Date: Thu, 12 Feb 2004 17:36:28 -0600
From: Paul Schmehl <pauls () utdallas edu>
To: Dusty Hall <halljer () auburn edu>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Updating Rules?
--On Thursday, February 12, 2004 03:59:53 PM -0600 Dusty Hall <halljer () auburn edu> wrote:
> I guess I'll update as soon as possible... I think this needs to be changed though: http://www.snort.org/dl/rules/ reads:
>
> -> If you are using 2.1.*, please use snortrules-snapshot-2_1 rules. <-
>
> Because snortrules-snapshot-2_1 rules.tar.gz BREAKS 2.1.0. If I was using autoupdate with Oinkmaster and used that info I would have had problems due to the flowbits addition. Luckily I manually update my rules using Oinkmaster and inspect the results :).
I updated mine with oinkmaster. All I had to do was grep the rules files for "flowbits" and add the rules returned to the "disablesid" list in oinkmaster.conf. End of problem. When the flowbits "problem" gets fixed, I'll re-enable them. Piece of cake. Oinkmaster rules.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

--__--__--

Message: 11
From: "Michael Steele" <michaels () winsnort com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] ACID
Date: Thu, 12 Feb 2004 17:58:54 -0800

Create a file called test.rules and insert the 3 rules below in that file and save it to your /rules folder. Now in your snort.conf add a new include line at the bottom for "test.rules". Now restart Snort and generate some browser traffic and you should see all kinds of alerts in ACID being generated. Be sure to hash (#) out the new include line after the test is successful or you will fill your database up. Be sure to restart Snort after you hash the line out.

Test Rules:

    alert tcp any any -> any any (msg:"Alert: Got a TCP Packet";)
    alert udp any any -> any any (msg:"Alert: Got a UDP Packet";)
    alert icmp any any -> any any (msg:"Alert: Got a ICMP Packet";)

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
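The two flowbits workarounds in this digest, Andreas Östling's modifysid/disablesid lines in message 4 and Paul Schmehl's grep-the-rules-then-disablesid procedure in message 10, as a single added shell example. This is not code from any of the posters, nor from Oinkmaster or Snort. It assumes a POSIX shell with cat, grep, sed, sort, uniq and tr; the four sample rules, their sids 1000001 to 1000004 and the /tmp path are constructed for this example and are not the sids Andreas quoted.

```sh
#!/bin/sh
# Added example for the flowbits workarounds discussed in this digest; this is
# not code from any poster nor from the Oinkmaster or Snort projects. It assumes
# a POSIX shell with cat, grep, sed, sort, uniq and tr. The sample rules, their
# sids (1000001..1000004) and the /tmp path are constructed for the example.

# List, comma-separated and sorted, the sid of every *active* rule in the given
# files that uses the flowbits keyword. Rules already commented out are skipped,
# so running this again after a comment-out pass yields nothing new.
flowbits_sids() {
    cat "$@" \
      | grep 'flowbits:' \
      | grep -v '^[[:space:]]*#' \
      | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
      | sort -n | uniq \
      | tr '\n' ',' | sed 's/,$//'
}

# Paul's procedure, mechanised: the line to append to oinkmaster.conf so that
# Oinkmaster keeps those rules disabled on every update. Prints nothing when
# no active flowbits rule was found.
disablesid_line() {
    sids=$(flowbits_sids "$@")
    if [ -n "$sids" ]; then
        printf 'disablesid %s\n' "$sids"
    fi
}

# Andreas's modifysid workaround expressed as plain sed: prefix every active
# rule line containing "flowbits:" with "#". Output goes to stdout; lines that
# already start with "#" (or with whitespace) are left untouched.
comment_out_flowbits() {
    sed 's/^\([^#[:space:]].*flowbits:.*\)$/#\1/' "$@"
}

# Constructed four-rule sample (one rule already commented out), written to the
# given path; the path is printed so callers can reuse it.
make_sample_rules() {
    f=${1:-/tmp/flowbits-sample.rules}
    cat > "$f" <<'EOF'
alert tcp any any -> any 80 (msg:"SAMPLE set bit"; flow:to_server; content:"abc"; flowbits:set,sample.abc; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE plain rule"; flow:to_server; content:"def"; sid:1000002; rev:1;)
#alert tcp any 80 -> any any (msg:"SAMPLE already disabled"; flowbits:isset,sample.abc; sid:1000003; rev:1;)
alert tcp any 80 -> any any (msg:"SAMPLE check bit"; flow:to_client; flowbits:isset,sample.abc; content:"ghi"; sid:1000004; rev:1;)
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: "sh flowbits-workaround.sh --demo". Whichever workaround
# you pick, validate the regenerated rule set with "snort -T -c <snort.conf>"
# before loading it, as Andreas advises in message 4.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_rules)
    disablesid_line "$f"         # -> disablesid 1000001,1000004
    comment_out_flowbits "$f"    # two more lines now start with "#"
fi
```

Append the printed disablesid line to oinkmaster.conf (or redirect comment_out_flowbits over a copy of the rules file) and run snort -T against the result before it goes live; the sid list is recomputed from whatever the current snapshot contains, which is why it ignores rules that are already commented out.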
--__--__--

Message: 12
Date: Fri, 13 Feb 2004 02:01:04 -0500 (EST)
From: JP Vossen <vossenjp () netaxs com>
To: "M. Salman Farisi" <msalmanf () students ee itb ac id>
cc: Snort Users List <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] SNORT (Linux) / MySQL (Win32)

On Wed, 11 Feb 2004, M. Salman Farisi wrote:
> I've tried the rpms of snort but there were problems: when i tried to restart snortd
>
>     /etc/init.d/snortd restart
>     [FAILED]
>
> when i test snort:
>
>     snort -T -c /etc/snort/snort.conf
>
> it said:
>
>     ERROR : /etc/snort/snort.conf(285) =>invalid file name for IIS Unicode Map file, Fatal Error, Quitting..
That's a known issue. What RPMs are you using and where did you get them from? Try the more recent RPMs at: http://www.starken.com/snort OR, grab the Snort.org tarball, extract unicode.map and copy it to your /etc/snort directory.
> Do the rpms packages create database automatically?
No, you must do that yourself when you install ACID. ACID is NOT included in any of the RPMs.
> what should i do then? I have checked mysql database for user snort but no database created after the installation
Read any of the Snort/ACID config guides mentioned in the list archives [1] for details. I'd love to have an ACID RPM but don't have the time to build one...

HTH,
JP

[1] http://www.snort.org/lists.html

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days because it would crash. Now you have to reboot Windows 200x or XP every couple of days because of a patch. How is that better or more stable?

--__--__--

End of Snort-users Digest