Snort mailing list archives

Re: Snort-users Digest, Vol 26, Issue 2


From: "Dilnawaz Ahmed" <dilnawaza () gmail com>
Date: Wed, 2 Jul 2008 16:46:02 +0400

Dear All,

I am new to snort. I installed snort, but while installing BASE I am getting this
error:


D:\win-ids\php>pear install http://download.pear.php.net/package/Image_Graph-0.7.2.tgz
downloading Image_Graph-0.7.2.tgz ...
Starting to download Image_Graph-0.7.2.tgz (368,056 bytes)
....done: 368,056 bytes
Did not download dependencies: pear/Image_Canvas, pear/Numbers_Words, use --alldeps or --onlyreqdeps to download automatically
pear/Image_Graph requires package "pear/Image_Canvas" (version >= 0.3.0)
pear/Image_Graph can optionally use package "pear/Numbers_Words"
No valid packages found
install failed

Please help me out.

Thanks & Regards,

Dilnawaz Ahmed


On 7/2/08, snort-users-request () lists sourceforge net <snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
       snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
       https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
       snort-users-request () lists sourceforge net

You can reach the person managing the list at
       snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

  1. Re: dynamic (so) rules (Nerijus Krukauskas)
  2. Updated Snort Security Platform 3.0 Beta Available
     (Snort Releases)
  3. Opportunity with Enterprise-size Company (Burke, Leonard)
  4. oversize_chunk_encoding (Sascha Hintz)
  5. Re: dynamic (so) rules (Nerijus Krukauskas)
  6. Re: dynamic (so) rules (chris ryan)
  7. Re: oversize_chunk_encoding (chris ryan)
  8. Re: dynamic (so) rules (chris ryan)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Jul 2008 20:32:58 +0300
From: "Nerijus Krukauskas" <nkrukauskas () gmail com>
Subject: Re: [Snort-users] dynamic (so) rules
To: "chris ryan" <chris.ryan () gmx de>
Cc: snort-users () lists sourceforge net
Message-ID:
       <951e50da0807011032x57ca03f1l941e594e2961ccdb () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On 01/07/2008, chris ryan <chris.ryan () gmx de> wrote:
> chris ryan wrote:
> > Just for curiosity, can anybody explain that to me?
>
> Another related question is why the loaded(!) dynamic rules are not
> shown as active, while the corresponding libraries are (the path to the
> merged dynamic rules file is totally correct, and there is no error
> message at all):
> <snip_error_blurb>

Take a look at the article by Richard Bejtlich:

http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html
.
And then suit yourself with some drinks
(http://blog.joelesler.net/2008/02/snort-drinking-game-by-erek-adams.html)
as so_rules were already discussed in [snort-users]. Cheers! ;)

--
http://nk99.org/



------------------------------

Message: 2
Date: Tue, 01 Jul 2008 15:14:13 -0400
From: Snort Releases <snortreleases () snort org>
Subject: [Snort-users] Updated Snort Security Platform 3.0 Beta
       Available
To: snort-users () lists sourceforge net
Message-ID: <486A8205.10406 () snort org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi everybody,

We made a few minor modifications to the SnortSP 3.0 beta, available at
http://www.snort.org/dl/snortsp/

* Fixed building on Debian

* Added sspiffy.sh file referenced in README.bridge

As always, send any beta feedback to sspbeta () sourcefire com.

The Snort Release Team





------------------------------

Message: 3
Date: Tue, 1 Jul 2008 17:53:07 -0400
From: "Burke, Leonard" <lburke () teksystems com>
Subject: [Snort-users] Opportunity with Enterprise-size Company
To: <snort-users () lists sourceforge net>
Message-ID:
       <
609F9AF91E02A94ABBF303F206F8DCC5A6C42E () AG00-EXMBX03 allegisgroup com>
Content-Type: text/plain; charset="us-ascii"

Good Evening,
My name is Leonard and I am a Technical Recruiter for TEK Systems. I am
contacting you from our Connecticut office. Currently, we are working
with one of our major clients out in the Hartford, CT area and they are
looking for a Senior Information Security Specialist. This opportunity
will allow the ideal candidate to work for an enterprise-sized company,
which would be a great opportunity for growth in your career. The ideal
candidate will have experience with IDS (Intrusion Detection Systems) as
well as SNORT software. This position is a full-time one. It is an
excellent opportunity that I feel would fit your skill set. If this is
of any interest to you, please contact me at your earliest convenience;
on the other hand, if you know of anyone with similar skill sets,
please let them know of this opportunity and contact me as well. I look
forward to hearing from you. Take care.


Leonard Burke Jr. Recruiter
20 Stanford Drive, 1st Floor, Farmington, CT  06032
Direct Line 860-255-5085
F 860-255-5110
www.teksystems.com






------------------------------

Message: 4
Date: Wed, 02 Jul 2008 09:53:09 +0200
From: "Sascha Hintz" <sascha.hintz () gmx net>
Subject: [Snort-users] oversize_chunk_encoding
To: snort-users () lists sourceforge net
Message-ID: <20080702075309.70680 () gmx net>
Content-Type: text/plain; charset="iso-8859-1"

Hey guys,

I have two problems with my http_inspect configuration.

The first problem is that the preprocessor only accepts the default server
configuration. I have added a special individual server configuration
because it is the firewall, but with no effect.

The second problem is: how can I deactivate oversize_chunk_encoding?

preprocessor http_inspect: global \
               iis_unicode_map unicode.map 1250
#
preprocessor http_inspect_server: server default \
               profile apache \
               ports { 80 8080 } \
               no_alerts
#               flow_depth 300 \
#               ascii no \
#               multi_slash no \
#               chunk_length {50000 alert no } \
#               apache_whitespace no \
#               utf_8 no \
#               non_strict \
#               webroot no \
#               no_alerts

preprocessor http_inspect_server: server xx.xx.xx.xx \
               profile all \
               ports { 80 8080 } \
               oversize_dir_length 500 \
               no_alerts
#               ports { 80 8080 } \
#               oversize_dir_length 500 \
#               no_alerts
#               no_alerts
#               flow_depth 300 \
#               ascii no \
#               multi_slash no \
#               chunk_length 1000000000000 \
#               apache_whitespace yes \
#               utf_8 no \
#               non_strict  \
#               directory no

Greetings
Sascha

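An added example, not part of this thread and not Sascha's configuration, of a snort.conf layout that silences only the oversize-chunk check for one server while leaving the rest of http_inspect intact. 192.0.2.10 is a placeholder address; the port list and the 300/500 values are carried over from the posted config. It relies on two points from the 2.8-era http_inspect README: no_alerts turns off every HttpInspect alert for that server block, so it is the wrong tool for switching off a single check, and profile may only be combined with ports, iis_unicode_map, allow_proxy_use, flow_depth, no_alerts, inspect_uri_only and oversize_dir_length, so a server entry that needs chunk_length has to be written without a profile.

```snort
# Added example (not the original poster's config). 192.0.2.10 is a
# placeholder for the host that legitimately sends large chunks.

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1250

# Default server: profile kept, alerting left ON so the other HttpInspect
# checks still fire for hosts that have no dedicated entry below.
# (The posted config had no_alerts here, which silences everything.)
preprocessor http_inspect_server: server default \
    profile apache \
    ports { 80 8080 }

# Per-host entry written WITHOUT a profile, because chunk_length is not
# one of the options that may accompany "profile". The options that the
# apache profile would have set are spelled out by hand instead.
# chunk_length is the largest chunk size (bytes) accepted before the
# oversize chunk encoding alert fires; raise it for this host rather than
# blanket-disabling alerts with no_alerts.
preprocessor http_inspect_server: server 192.0.2.10 \
    ports { 80 8080 } \
    flow_depth 300 \
    oversize_dir_length 500 \
    chunk_length 500000 \
    apache_whitespace yes \
    non_strict
```

If the alert still fires after this, the traffic is most likely being matched by the default server block rather than the per-host one (the first problem in the post): the http_inspect configuration summary Snort prints at startup lists every server entry it actually loaded, and an entry keyed on an address the sensor never sees as the destination silently falls through to default. The other way to drop exactly one alert is a suppression in threshold.conf, for example "suppress gen_id 119, sig_id 16, track by_dst, ip 192.0.2.10", where 119:16 is the HttpInspect OVERSIZE CHUNK ENCODING entry in preprocessor.rules; confirm the SID against the preprocessor.rules shipped with your build before relying on it.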



------------------------------

Message: 5
Date: Wed, 2 Jul 2008 11:51:15 +0300
From: "Nerijus Krukauskas" <nkrukauskas () gmail com>
Subject: Re: [Snort-users] dynamic (so) rules
To: "chris ryan" <chris.ryan () gmx de>
Cc: snort-users () lists sourceforge net
Message-ID:
       <951e50da0807020151n26addb48tffa9cb3fcbae0095 () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On 02/07/2008, chris ryan <chris.ryan () gmx de> wrote:
> The rules in the tarball are about 75, after compiling and stub'ing 'em,
> there are only 22 left. I just wanted to know on what exactly that
> resulting number depends (platform-, systemspecific?). The precompiled
> libraries are crashing, so switching to them and all the 75 rules is no
> option.

I've got 71. Can you explain the '22' thing? I'm not getting idea of
your counting...

--
http://nk99.org/



------------------------------

Message: 6
Date: Wed, 02 Jul 2008 11:16:49 +0200
From: chris ryan <chris.ryan () gmx de>
Subject: Re: [Snort-users] dynamic (so) rules
To: snort-users () lists sourceforge net
Message-ID: <486B4781.7050708 () gmx de>
Content-Type: text/plain; charset=UTF-8

Nerijus Krukauskas wrote:
> On 01/07/2008, chris ryan <chris.ryan () gmx de> wrote:
> > Just for curiosity, can anybody explain that to me?
>
> Take a look at the article by Richard Bejtlich:
Thanks for that link. It answers my second question:
"Don't be confused by the line "0 Dynamic rules." Dynamic in this case
refers to Dynamic/Activate rules, which are being phased out in favor
of a combination of tagging and flowbits."

> And then suit yourself with some drinks as so_rules were already
> discussed in [snort-users]. Cheers! ;)
Hmmm....beer. But - not yet. I still am curious about the rule count
before and after the compilation. I hope I'm not annoying.

The rules in the tarball are about 75, after compiling and stub'ing 'em,
there are only 22 left. I just wanted to know on what exactly that
resulting number depends (platform-, systemspecific?). The precompiled
libraries are crashing, so switching to them and all the 75 rules is no
option.


Thanks in advance, Chris.






------------------------------

Message: 7
Date: Wed, 02 Jul 2008 11:18:37 +0200
From: chris ryan <chris.ryan () gmx de>
Subject: Re: [Snort-users] oversize_chunk_encoding
To: snort-users () lists sourceforge net
Message-ID: <486B47ED.7050607 () gmx de>
Content-Type: text/plain; charset=ISO-8859-1

Sascha Hintz wrote:

> the first problem is that the preprocessor only accepts the
> default server configuration.
>
> I have added a special individual server configuration because it is
> the firewall, but with no effect.

What is the snort/httpinspect startup output about that?
I suggest you read the manual or README for the http-inspect, as
this preproc with its profiles can be confusing sometimes.

> the second problem is how can I deactivate oversize_chunk_encoding?
In the corresponding server profile or in the new preproc.rules
(HI-CLIENT*), I guess.


bye, Chris.







------------------------------

Message: 8
Date: Wed, 02 Jul 2008 11:32:15 +0200
From: chris ryan <chris.ryan () gmx de>
Subject: Re: [Snort-users] dynamic (so) rules
To: Nerijus Krukauskas <nkrukauskas () gmail com>
Cc: snort-users () lists sourceforge net
Message-ID: <486B4B1F.8020108 () gmx de>
Content-Type: text/plain; charset=UTF-8

Nerijus Krukauskas wrote:
> On 02/07/2008, chris ryan <chris.ryan () gmx de> wrote:
> > The rules in the tarball are about 75, after compiling and stub'ing 'em,
> > there are only 22 left. I just wanted to know on what exactly that
> > resulting number depends (platform-, systemspecific?). The precompiled
> > libraries are crashing, so switching to them and all the 75 rules is no
> > option.
>
> I've got 71. Can you explain the '22' thing? I'm not getting idea of
> your counting...


The unchanged *.rules in the snortrules-snapshot-current tarball:
(I guess these are to be used with the precompiled libraries)

/etc/snort/rules/src/so_rules# cat *.rules | grep -v skeleton | wc -l
75


After the make, which generates the libraries and stub rule files in
./src, I've only 22 rules in the usable stub files:

/etc/snort/rules/src/so_rules# cat ./src/*.rules | grep -v skeleton | wc -l
22

So, I think I can only use a subset of 22 rules out of 75...



------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest, Vol 26, Issue 2
******************************************
