Snort mailing list archives
Re: Snort-users Digest, Vol 26, Issue 2
From: "Michael Steele" <michaels () winsnort com>
Date: Wed, 2 Jul 2008 09:35:22 -0400
Unless the other several previous packages have been installed successfully the package in question will not install. Go back to the guide and start over by removing the php folder and reinstall php again. If the php.ini file has been modified, save it somewhere, then move it back to the new php folder.

Make SURE the guide is followed and install the packages in the order shown. Also, make SURE the guide being used is from our site, as there are a bunch of sites out there with outdated guides.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com                    *
* ~~ FREE WinIDS Snort installation guides ~~           *
* ~~ FREE support forums ~~                             *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Dilnawaz Ahmed
Sent: Wednesday, July 02, 2008 8:46 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-users Digest, Vol 26, Issue 2

Dear All,

I am new to snort, Installed snort but while installing BASE getting this error

D:\win-ids\php>pear install http://download.pear.php.net/package/Image_Graph-0.7.2.tgz
downloading Image_Graph-0.7.2.tgz ...
Starting to download Image_Graph-0.7.2.tgz (368,056 bytes)
....done: 368,056 bytes
Did not download dependencies: pear/Image_Canvas, pear/Numbers_Words, use --alldeps or --onlyreqdeps to download automatically
pear/Image_Graph requires package "pear/Image_Canvas" (version >= 0.3.0)
pear/Image_Graph can optionally use package "pear/Numbers_Words"
No valid packages found
install failed

Please help me out.
Thanks & Regards,
Dilnawaz Ahmed

On 7/2/08, snort-users-request () lists sourceforge net <snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Re: dynamic (so) rules (Nerijus Krukauskas)
   2. Updated Snort Security Platform 3.0 Beta Available (Snort Releases)
   3. Opportunity with Enterprise-size Company (Burke, Leonard)
   4. oversize_chunk_encoding (Sascha Hintz)
   5. Re: dynamic (so) rules (Nerijus Krukauskas)
   6. Re: dynamic (so) rules (chris ryan)
   7. Re: oversize_chunk_encoding (chris ryan)
   8. Re: dynamic (so) rules (chris ryan)

----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Jul 2008 20:32:58 +0300
From: "Nerijus Krukauskas" <nkrukauskas () gmail com>
Subject: Re: [Snort-users] dynamic (so) rules
To: "chris ryan" <chris.ryan () gmx de>
Cc: snort-users () lists sourceforge net
Message-ID: <951e50da0807011032x57ca03f1l941e594e2961ccdb () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On 01/07/2008, chris ryan <chris.ryan () gmx de> wrote:
chris ryan wrote:
Just for curiosity, can anybody explain that to me?
Another related question is why the loaded(!) dynamic rules are not shown as active, while the corresponding libraries are (the path to the merged dynamic rules file is totally correct, and there is no error message at all):
<snip_error_blurb>

Take a look at the article by Richard Bejtlich: http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1299181,00.html. And then suit yourself with some drinks (http://blog.joelesler.net/2008/02/snort-drinking-game-by-erek-adams.html) as so_rules were already discussed in [snort-users]. Cheers! ;)

--
http://nk99.org/

------------------------------

Message: 2
Date: Tue, 01 Jul 2008 15:14:13 -0400
From: Snort Releases <snortreleases () snort org>
Subject: [Snort-users] Updated Snort Security Platform 3.0 Beta Available
To: snort-users () lists sourceforge net
Message-ID: <486A8205.10406 () snort org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi everybody,

We made a few minor modifications to the SnortSP 3.0 beta, available at http://www.snort.org/dl/snortsp/

* Fixed building on Debian
* Added sspiffy.sh file referenced in README.bridge

As always, send any beta feedback to sspbeta () sourcefire com.

The Snort Release Team

------------------------------

Message: 3
Date: Tue, 1 Jul 2008 17:53:07 -0400
From: "Burke, Leonard" <lburke () teksystems com>
Subject: [Snort-users] Opportunity with Enterprise-size Company
To: <snort-users () lists sourceforge net>
Message-ID: <609F9AF91E02A94ABBF303F206F8DCC5A6C42E () AG00-EXMBX03 allegisgroup com>
Content-Type: text/plain; charset="us-ascii"

Good Evening,

My name is Leonard and I am a Technical Recruiter for TEK Systems. I am contacting you from our Connecticut office. Currently, we are working with one of our major clients out in the Hartford, Ct area and they are looking for a Senior Information Security Specialist. This opportunity will allow the ideal candidate to work for an enterprise-sized company, which would be a great opportunity for growth in your careers. The ideal candidate will have experience with IDS, Intrusion Detection System, as well as SNORT software. This position is a fulltime one. It is an excellent opportunity that I feel would fit your skill set.
If this is of any interest to you please contact me at your earliest convenience, and on the other hand if you may know of anyone with similar skill sets please let them know of this opportunity and contact me as well. I look forward to hearing from you.

Take care

Leonard Burke Jr.
Recruiter
20 Stanford Drive, 1st Floor, Farmington, CT 06032
Direct Line 860-255-5085
F 860-255-5110
www.teksystems.com

____________________________________________________________________________

This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply email so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 4
Date: Wed, 02 Jul 2008 09:53:09 +0200
From: "Sascha Hintz" <sascha.hintz () gmx net>
Subject: [Snort-users] oversize_chunk_encoding
To: snort-users () lists sourceforge net
Message-ID: <20080702075309.70680 () gmx net>
Content-Type: text/plain; charset="iso-8859-1"

Hey guys,

I have two problems with my http_inspect configuration.

The first problem is that the preprocessor only accepts the default server configuration. I have added a special individual server configuration because is the firewall but with no effect.

The second problem is how can I deactivate oversize_chunk_encoding?
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1250
#
preprocessor http_inspect_server: server default \
    profile apache \
    ports { 80 8080 } \
    no_alerts
#    flow_depth 300 \
#    ascii no \
#    multi_slash no \
#    chunk_length {50000 alert no } \
#    apache_whitespace no \
#    utf_8 no \
#    non_strict \
#    webroot no \
#    no_alerts
preprocessor http_inspect_server: server xx.xx.xx.xx profile all ports { 80 8080 } oversize_dir_length 500 no_alerts
#    ports { 80 8080 } \
#    oversize_dir_length 500 \
#    no_alerts
#    no_alerts
#    flow_depth 300 \
#    ascii no \
#    multi_slash no \
#    chunk_length 1000000000000 \
#    apache_whitespace yes \
#    utf_8 no \
#    non_strict \
#    directory no

Greetings
Sascha

--
The GMX SmartSurfer helps save up to 70% of your online costs! Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer

------------------------------

Message: 5
Date: Wed, 2 Jul 2008 11:51:15 +0300
From: "Nerijus Krukauskas" <nkrukauskas () gmail com>
Subject: Re: [Snort-users] dynamic (so) rules
To: "chris ryan" <chris.ryan () gmx de>
Cc: snort-users () lists sourceforge net
Message-ID: <951e50da0807020151n26addb48tffa9cb3fcbae0095 () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On 02/07/2008, chris ryan <chris.ryan () gmx de> wrote:
The rules in the tarball are about 75, after compiling and stub'ing 'em, there are only 22 left. I just wanted to know on what exactly that resulting number depends (platform-, systemspecific?). The precompiled libraries are crashing, so switching to them and all the 75 rules is no option.
I've got 71. Can you explain the '22' thing? I'm not getting idea of your counting...

--
http://nk99.org/

------------------------------

Message: 6
Date: Wed, 02 Jul 2008 11:16:49 +0200
From: chris ryan <chris.ryan () gmx de>
Subject: Re: [Snort-users] dynamic (so) rules
To: snort-users () lists sourceforge net
Message-ID: <486B4781.7050708 () gmx de>
Content-Type: text/plain; charset=UTF-8

Nerijus Krukauskas wrote:
On 01/07/2008, chris ryan <chris.ryan () gmx de> wrote: Just for curiosity, can anybody explain that to me?
Take a look at the article by Richard Bejtlich:
Thanks for that link. It answers my second question: "Don't be confused by the line "0 Dynamic rules." Dynamic in this case refers to Dynamic/Activate rules, which are being phased out in favor of a combination of tagging and flowbits."
And then suit yourself with some drinks as so_rules were already discussed in [snort-users]. Cheers! ;)
Hmmm....beer. But - not yet. I still am curious about the rule count before and after the compilation. I hope I'm not annoying.

The rules in the tarball are about 75, after compiling and stub'ing 'em, there are only 22 left. I just wanted to know on what exactly that resulting number depends (platform-, systemspecific?). The precompiled libraries are crashing, so switching to them and all the 75 rules is no option.

Thanks in advance,
Chris.

------------------------------

Message: 7
Date: Wed, 02 Jul 2008 11:18:37 +0200
From: chris ryan <chris.ryan () gmx de>
Subject: Re: [Snort-users] oversize_chunk_encoding
To: snort-users () lists sourceforge net
Message-ID: <486B47ED.7050607 () gmx de>
Content-Type: text/plain; charset=ISO-8859-1

Sascha Hintz wrote:
the first problem is that the preprocessor only accepts the default server configuration.
I have added a special individual server configuration because is the firewall but with no effect.
What is the snort/httpinspect startup output about that? I suggest you read the manual or README for the http-inspect, as this preproc with its profiles can be confusing sometimes.
the second problem is how can I deactivate oversize_chunk_encoding?
In the corresponding server profile or in the new preproc.rules (HI-CLIENT*), I guess.

bye,
Chris.

------------------------------

Message: 8
Date: Wed, 02 Jul 2008 11:32:15 +0200
From: chris ryan <chris.ryan () gmx de>
Subject: Re: [Snort-users] dynamic (so) rules
To: Nerijus Krukauskas <nkrukauskas () gmail com>
Cc: snort-users () lists sourceforge net
Message-ID: <486B4B1F.8020108 () gmx de>
Content-Type: text/plain; charset=UTF-8

Nerijus Krukauskas wrote:
On 02/07/2008, chris ryan <chris.ryan () gmx de> wrote:
The rules in the tarball are about 75, after compiling and stub'ing 'em, there are only 22 left. I just wanted to know on what exactly that resulting number depends (platform-, systemspecific?). The precompiled libraries are crashing, so switching to them and all the 75 rules is no option.
I've got 71. Can you explain the '22' thing? I'm not getting idea of your counting...
The unchanged *.rules in the snortrules-snapshot-current tarball:
(I guess these are to be used with the precompiled libraries)

/etc/snort/rules/src/so_rules# cat *.rules | grep -v skeleton | wc -l
75

After the make, which generates the libraries and stub rule files in ./src, I've only 22 rules in the usable stub files:

/etc/snort/rules/src/so_rules# cat ./src/*.rules | grep -v skeleton | wc -l
22

So, I think I can only use a subset of 22 rules out of 75...

------------------------------

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest, Vol 26, Issue 2
******************************************
Current thread:
- Re: Snort-users Digest, Vol 26, Issue 2 Dilnawaz Ahmed (Jul 02)
- Re: Snort-users Digest, Vol 26, Issue 2 Joel Esler (Jul 02)
- Re: Snort-users Digest, Vol 26, Issue 2 Michael Steele (Jul 02)