Snort mailing list archives
Re: help
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 15 Jul 2009 23:08:13 -0400
I got these emails too. I am looking for a question in this email...

2009/7/15 jiangzhw2008 <jiangzhw2008 () yeah net>
On 2009-07-16 02:41:56, snort-users-request () lists sourceforge net wrote:

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Joel Esler Speaking in Augusta Georgia - Tonight (Mike Guiterman)
   2. Speaking tonight at the CSRA Snort Users Group (Joel Esler)
   3. Re: Web UI (JJ Cummings)
   4. Re: Web UI (Russell Fulton)
   5. Re: Web UI (Joel Esler)
   6. Re: New netbios rules? (craig bowser)

----------------------------------------------------------------------

Message: 1
Date: Tue, 14 Jul 2009 16:28:46 -0400
From: Mike Guiterman <mguiterman () sourcefire com>
Subject: [Snort-users] Joel Esler Speaking in Augusta Georgia - Tonight
To: Snort Users List <snort-users () lists sourceforge net>, emerging-sigs () emergingthreats net
Message-ID: <9ff4f37d0907141328v23c4727exa49e70fc8212ff63 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

Sorry for the late notice: Sourcefire's Joel Esler is speaking tonight at the CSRA Snort Users group in Augusta, Georgia at 6:30pm. If you are in the area and would like to attend, the meeting will be held in downtown Augusta; please contact Joel Esler @ joel.esler [at] sourcefire.com for directions.

Regards,
Mike

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Tue, 14 Jul 2009 16:35:56 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: [Snort-users] Speaking tonight at the CSRA Snort Users Group
To: Snort Users <snort-users () lists sourceforge net>
Message-ID: <314cf0830907141335t612d134exf68ba9e300910fd7 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Wanted to let you all know, and sorry that it's on short notice, but I will be speaking tonight at the CSRA (Augusta, Georgia and surrounding area) Snort Users Group. The meeting is being held in downtown Augusta, Georgia, so if you are in the area and would like to attend, I plan to start around 6:30-6:45; several of us will probably go to dinner afterwards. All are invited. If you are interested in coming, like I said, I know it's short notice, email me for directions. (The location has asked that their address isn't posted.)

Thanks!

Joel Esler
SOURCEfire

------------------------------

Message: 3
Date: Tue, 14 Jul 2009 14:50:00 -0600
From: JJ Cummings <cummingsj () gmail com>
Subject: Re: [Snort-users] Web UI
To: "Burks, Doug" <doug.burks () morris com>
Cc: SElgram () verifpoint com, Snort Users List <snort-users () lists sourceforge net>
Message-ID: <1c79c7b70907141350x58e1a01fn723f8fbaa66bf49d () mail gmail com>
Content-Type: text/plain; charset="windows-1252"

There is also Snorby (google will help you there); I have been playing with it a bit lately.. it's still BETA / brand new.. you can also always go the route of syslog etc...

On Tue, Jul 14, 2009 at 1:57 PM, Burks, Doug <doug.burks () morris com> wrote:

Hi Scott,

ACID should not be used anymore. BASE is definitely more current. A brand new web front-end called Snorby (http://www.snorby.org/) just appeared. It's still in Beta and may not be ready for production use.

If you don't require a web front-end, I would recommend looking at Sguil (http://sguil.sourceforge.net/). It can be installed very quickly and easily using NSMnow (http://www.securixlive.com/nsmnow/index.php). If you'd like to try Sguil from a LiveCD environment, please take a look at my Security Onion LiveCD (http://securityonion.blogspot.com/).

Thanks,
Doug Burks

------------------------------
From: Scott Elgram [mailto:SElgram () VerifPoint com]
Sent: Tuesday, July 14, 2009 2:38 PM
To: 'Snort Users List'
Subject: [Snort-users] Web UI

Hello,

I am looking to set up a new SNORT IDS. I set one up a while back with ACID as my UI, and I liked it very much, but now I'm looking to build a brand new one and it would seem that many things have changed since I did this last. Most notably, it looks like the ACID project has been dropped. Is ACID still a good web-based UI for SNORT or is there a better one these days? I'd also appreciate your opinion on BASE, which looks pretty much like ACID but seems to be more current.

-Scott

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------

Message: 4
Date: Wed, 15 Jul 2009 14:42:13 +1200
From: Russell Fulton <r.fulton () auckland ac nz>
Subject: Re: [Snort-users] Web UI
To: Joel Esler <jesler () sourcefire com>
Cc: "SElgram () verifpoint com" <SElgram () verifpoint com>, Snort Users List <snort-users () lists sourceforge net>
Message-ID: <ED79CCB0-B556-4B7F-A1F8-9E6F40580B3A () auckland ac nz>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On 15/07/2009, at 8:01 AM, Joel Esler wrote:

It's much better than ACID ever was. It's the biggest web gui there is for Snort. With over 20k users.

Anyone have a feeling for how many events it will handle in the database? Last time I looked (a long time ago) it would go very soggy if I tried to keep more than a week's worth of alerts in the DB. My current (Placid *) system works fine with about 6 million events, but has very limited functionality.

R

* Phil (Denault) Loathes ACID :)

------------------------------

Message: 5
Date: Wed, 15 Jul 2009 01:27:02 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] Web UI
To: Russell Fulton <r.fulton () auckland ac nz>
Cc: "SElgram () verifpoint com" <SElgram () verifpoint com>, Snort Users List <snort-users () lists sourceforge net>
Message-ID: <F210085A-80AF-4F90-9096-F33CCCF984D6 () sourcefire com>
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes

I've seen systems with 14 million events on a very powerful machine.

--
Sent from my iPhone

On Jul 14, 2009, at 10:42 PM, Russell Fulton <r.fulton () auckland ac nz> wrote:

On 15/07/2009, at 8:01 AM, Joel Esler wrote:

It's much better than ACID ever was. It's the biggest web gui there is for Snort. With over 20k users.

Anyone have a feeling for how many events it will handle in the database? Last time I looked (a long time ago) it would go very soggy if I tried to keep more than a week's worth of alerts in the DB. My current (Placid *) system works fine with about 6 million events, but has very limited functionality.

R

* Phil (Denault) Loathes ACID :)

------------------------------

Message: 6
Date: Wed, 15 Jul 2009 14:41:48 -0400
From: craig bowser <reswob10 () gmail com>
Subject: Re: [Snort-users] New netbios rules?
To: Snort <snort-users () lists sourceforge net>
Message-ID: <cfec1a3a0907151141y17abe160i642cbabeb16c31d5 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I just got the same problem as jlay <jlay () slave-tothe-box net>. I've had v2.8.4.1 running just fine for a while, but today I updated the rules (both from Snort and from Emerging Threats) and performed an 'apt-get upgrade', and suddenly I'm getting this error.

I don't have either "preprocessor dcerpc2" or "preprocessor dcerpc_server: default" in my snort.conf, and the entry for dce/rpc is as follows:

    # Per Step #2, set the following to load the dcerpc preprocessor
    # dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
    # or use commandline option
    # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
    preprocessor dcerpc: \
        autodetect \
        max_frag_size 3000 \
        memcap 100000

So it appears to be enabled. However, I looked for libsf_dcerpc_preproc.so, but that file is not present. Do I need to create one? The README.dcerpc file does not say how to format such a file.

OTOH, did I screw up something updating the rules?

Thanks.

Craig Bowser

On Tue, Jun 16, 2009 at 10:45 AM, Griffin, Chris Andrew (Chris) <cg58 () alcatel-lucent com> wrote:

I'm having the same problem

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Warning: /etc/snort/rules/netbios.rules(24) => Unknown keyword ' dce_iface' in rule!
Fatal Error, Quitting..

and I found this post:
https://forums.snort.org/forums/snort-newbies/topics/snort-error-when-starting-snort-unknown-keyword-dce_iface

I can't find "preprocessor dcerpc_server: default" in snort.conf to disable, but I think it's because my snort.conf is old. I'm going to try and upgrade my snort.conf to the latest version (v2.8.4.1). If you haven't upgraded your snort.conf in a while I may suggest you try the same.

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, June 16, 2009 10:31 AM
To: jlay () slave-tothe-box net
Cc: Snort
Subject: Re: [Snort-users] New netbios rules?

On Jun 16, 2009, at 10:17 AM, jlay () slave-tothe-box net wrote:

After updating this morning I see:

Jun 16 08:12:25 10.21.10.2 snort[7899]: FATAL ERROR: Warning: /usr/local/etc/snort/rules/netbios.rules(24) => Unknown keyword ' dce_iface' in rule!

Version is:
Version 2.8.4.1 (Build 38)

Do I need to update snort?

Thanks.

No, but you do need to enable the dce/rpc2 preprocessor in your snort.conf

--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 [m]

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects

------------------------------

End of Snort-users Digest, Vol 38, Issue 13
*******************************************
-- joel esler | Sourcefire | AIM: eslerjoel | Google Voice: 302-223-5974
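As an added example (not code from the thread or from the Snort project), here is a small Python check that reproduces the diagnosis Joel gives in Message 6 of the quoted digest: rules that use the dce_iface option need the dcerpc2 preprocessor enabled in snort.conf, and a configuration that loads only the older dcerpc preprocessor, as in Craig's snippet, fails at rule load with "Unknown keyword". The check goes slightly beyond the thread by also looking for dce_opnum and dce_stub_data, the other two rule options that README.dcerpc2 documents alongside dce_iface. The snort.conf and rule-file contents are constructed samples modelled on the thread; the dcerpc2/dcerpc2_server lines follow the stock snort.conf syntax of the 2.8.x series and are an assumption, not copied from any real configuration.

```python
import re

# Rule options that the dcerpc2 preprocessor provides (Snort 2.8.3 and later).
# dce_iface is the keyword from the thread; dce_opnum and dce_stub_data are the
# other two options documented alongside it in README.dcerpc2.
DCERPC2_RULE_OPTIONS = ("dce_iface", "dce_opnum", "dce_stub_data")


def logical_lines(conf_text):
    """Return snort.conf statements with backslash continuations joined and
    comments/blank lines dropped, so multi-line preprocessor blocks are seen whole."""
    statements = []
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            statements.append(buf.strip())
        buf = ""
    if buf.strip() and not buf.lstrip().startswith("#"):
        statements.append(buf.strip())
    return statements


def enabled_preprocessors(conf_text):
    """Names of every 'preprocessor <name>' statement that is not commented out."""
    names = set()
    for stmt in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+([A-Za-z0-9_]+)", stmt)
        if m:
            names.add(m.group(1))
    return names


def rule_options_used(rules_text, options=DCERPC2_RULE_OPTIONS):
    """Map each dcerpc2 rule option to the 1-based rule-file lines that use it."""
    hits = {}
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for opt in options:
            # An option appears inside the rule body as "; opt:" or "(opt:".
            if re.search(r"[;(]\s*" + opt + r"\s*:", stripped):
                hits.setdefault(opt, []).append(lineno)
    return hits


def check(conf_text, rules_text):
    """Return findings explaining why Snort would refuse to load the rules; an
    empty list means any dcerpc2 keywords in use have a preprocessor behind them."""
    preprocs = enabled_preprocessors(conf_text)
    used = rule_options_used(rules_text)
    findings = []
    if used and "dcerpc2" not in preprocs:
        lines = sorted({n for ns in used.values() for n in ns})
        opts = ", ".join(sorted(used))
        if "dcerpc" in preprocs:
            cause = "only the old 'dcerpc' preprocessor is loaded and it does not provide these keywords"
        else:
            cause = "no DCE/RPC preprocessor is loaded"
        findings.append(
            f"rule line(s) {lines} use {opts} but 'preprocessor dcerpc2' is not enabled: {cause}"
        )
    return findings


# Constructed samples modelled on the thread (not copied from any real snort.conf).
OLD_CONF = """\
# Per Step #2, set the following to load the dcerpc preprocessor
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
preprocessor dcerpc: \\
    autodetect \\
    max_frag_size 3000 \\
    memcap 100000
"""

NEW_CONF = """\
# dcerpc2 enabled, as the reply in the thread asks for (constructed sample)
preprocessor dcerpc2: memcap 102400
preprocessor dcerpc2_server: default
"""

RULES = """\
# constructed rules in the style of netbios.rules; the UUID is the srvsvc interface
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS session setup"; flow:established,to_server; content:"|FF|SMB|73|"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS DCERPC srvsvc bind attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    for label, conf in (("old dcerpc conf", OLD_CONF), ("dcerpc2 conf", NEW_CONF)):
        print(f"{label}: {check(conf, RULES) or ['ok: rules will load']}")
```

Run it against a real deployment by reading snort.conf and the rules directory into the two strings; the useful property is that the check is silent when the rules do not use any dce_ options, so the old dcerpc preprocessor is only flagged once a rule update (like the netbios.rules refresh in the thread) actually starts depending on dcerpc2.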
Current thread:
- ****SPAM(5.3)**** help jiangzhw2008 (Jul 15)
- Re: help Joel Esler (Jul 15)