Snort mailing list archives

Re: help


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 15 Jul 2009 23:08:13 -0400

I got these emails too.    I am looking for a question in this email...

2009/7/15 jiangzhw2008 <jiangzhw2008 () yeah net>

On 2009-07-16 02:41:56, snort-users-request () lists sourceforge net wrote:
Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

  1. Joel Esler Speaking in Augusta Georgia - Tonight (Mike Guiterman)
  2. Speaking tonight at the CSRA Snort Users Group (Joel Esler)
  3. Re: Web UI (JJ Cummings)
  4. Re: Web UI (Russell Fulton)
  5. Re: Web UI (Joel Esler)
  6. Re: New netbios rules? (craig bowser)


----------------------------------------------------------------------

Message: 1
Date: Tue, 14 Jul 2009 16:28:46 -0400
From: Mike Guiterman <mguiterman () sourcefire com>
Subject: [Snort-users] Joel Esler Speaking in Augusta Georgia -
    Tonight
To: Snort Users List <snort-users () lists sourceforge net>,
    emerging-sigs () emergingthreats net
Message-ID:
    <9ff4f37d0907141328v23c4727exa49e70fc8212ff63 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

Sorry for the late notice, Sourcefire's Joel Esler speaking tonight at the
CSRA Snort Users group in Augusta, Georgia at 6:30pm.  If you are in the
area, and would like to attend, the meeting will be held in downtown
Augusta, please contact Joel Esler @ joel.esler [at] sourcefire.com for
directions.

Regards,

Mike

------------------------------

Message: 2
Date: Tue, 14 Jul 2009 16:35:56 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: [Snort-users] Speaking tonight at the CSRA Snort Users Group
To: Snort Users <snort-users () lists sourceforge net>
Message-ID:
    <314cf0830907141335t612d134exf68ba9e300910fd7 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Wanted to let you all know, and sorry that it's on short notice, but I will
be speaking tonight at the CSRA (Augusta, Georgia and surrounding area)
Snort Users Group.

The meeting is being held in downtown Augusta, Georgia, so if you are the
area and would like to attend, I plan to start around 6:30-6:45, several of
us will probably go to dinner afterwards.  All are invited.

If you are interested in coming, like I said, I know it's short notice,
email me for directions.  (The location has asked that their address isn't
posted.)  Thanks!

Joel Esler
SOURCEfire

------------------------------

Message: 3
Date: Tue, 14 Jul 2009 14:50:00 -0600
From: JJ Cummings <cummingsj () gmail com>
Subject: Re: [Snort-users] Web UI
To: "Burks, Doug" <doug.burks () morris com>
Cc: SElgram () verifpoint com,       Snort Users List
    <snort-users () lists sourceforge net>
Message-ID:
    <1c79c7b70907141350x58e1a01fn723f8fbaa66bf49d () mail gmail com>
Content-Type: text/plain; charset="windows-1252"

There is also Snorby (google will help you there), I have been playing with
it a bit lately.. it's still BETA / Brand new..

you can also always go the route of syslog etc...

On Tue, Jul 14, 2009 at 1:57 PM, Burks, Doug <doug.burks () morris com> wrote:

 Hi Scott,

ACID should not be used anymore.  BASE is definitely more current.

A brand new web front-end called Snorby (http://www.snorby.org/) just
appeared.  It's still in Beta and may not be ready for production use.

If you don't require a web front-end, I would recommend looking at Sguil (
http://sguil.sourceforge.net/).  It can be installed very quickly and
easily using NSMnow (http://www.securixlive.com/nsmnow/index.php).  If
you'd like to try Sguil from a LiveCD environment, please take a look at my
Security Onion LiveCD (http://securityonion.blogspot.com/).

Thanks,
Doug Burks

------------------------------
From: Scott Elgram [mailto:SElgram () VerifPoint com]
Sent: Tuesday, July 14, 2009 2:38 PM
To: 'Snort Users List'
Subject: [Snort-users] Web UI

Hello,

I am looking to set up a new SNORT IDS.  I set one up a while
back with ACID as my UI, I liked it very much but now I'm looking to build a
brand new one and it would seem that many things have changed since I did
this last.  Most notably, it looks like the ACID project has been dropped.
Is ACID still a good web-based UI for SNORT or is there a better one these
days?  I'd also appreciate your opinion on BASE which looks pretty much like
ACID but seems to be more current.



-Scott




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------

Message: 4
Date: Wed, 15 Jul 2009 14:42:13 +1200
From: Russell Fulton <r.fulton () auckland ac nz>
Subject: Re: [Snort-users] Web UI
To: Joel Esler <jesler () sourcefire com>
Cc: "SElgram () verifpoint com" <SElgram () verifpoint com>, Snort Users
    List <snort-users () lists sourceforge net>
Message-ID: <ED79CCB0-B556-4B7F-A1F8-9E6F40580B3A () auckland ac nz>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On 15/07/2009, at 8:01 AM, Joel Esler wrote:

It's much better than ACID ever was.

It's the biggest web gui there is for Snort. With over 20k users.

Anyone have a feeling for how many events it will handle in the
database?  Last time I looked (a long time ago) it would go very soggy
if I tried to keep more than a week's worth of alerts in the DB.   My
current (Placid *) system works fine with about 6 million events.  But
has very limited functionality.

R

* Phil (Denault) Loathes ACID  :)



------------------------------

Message: 5
Date: Wed, 15 Jul 2009 01:27:02 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] Web UI
To: Russell Fulton <r.fulton () auckland ac nz>
Cc: "SElgram () verifpoint com" <SElgram () verifpoint com>, Snort Users
    List <snort-users () lists sourceforge net>
Message-ID: <F210085A-80AF-4F90-9096-F33CCCF984D6 () sourcefire com>
Content-Type: text/plain;    charset=us-ascii;       format=flowed;  delsp=yes

I've seen systems with 14 million events on a very powerful machine.

--
Sent from my iPhone

On Jul 14, 2009, at 10:42 PM, Russell Fulton <r.fulton () auckland ac nz>
wrote:


On 15/07/2009, at 8:01 AM, Joel Esler wrote:

It's much better than ACID ever was.

It's the biggest web gui there is for Snort. With over 20k users.

Anyone have a feeling for how many events it will handle in the
database?  Last time I looked (a long time ago) it would go very
soggy if I tried to keep more than a week's worth of alerts in the
DB.   My current (Placid *) system works fine with about 6 million
events.  But has very limited functionality.

R

* Phil (Denault) Loathes ACID  :)



------------------------------

Message: 6
Date: Wed, 15 Jul 2009 14:41:48 -0400
From: craig bowser <reswob10 () gmail com>
Subject: Re: [Snort-users] New netbios rules?
To: Snort <snort-users () lists sourceforge net>
Message-ID:
    <cfec1a3a0907151141y17abe160i642cbabeb16c31d5 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I just got the same problem as jlay <jlay () slave-tothe-box net>.  I've had
v2.8.4.1 running just fine for a while, but today I updated the rules (both
from Snort and from Emerging threats) and performed an 'apt-get upgrade' and
suddenly I'm getting this error.  I don't have either "preprocessor dcerpc2"
or " preprocessor dcerpc_server: default" in my snort.conf and the entry for
dce/rpc is as follows:

# Per Step #2, set the following to load the dcerpc preprocessor
# dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

preprocessor dcerpc: \
   autodetect \
   max_frag_size 3000 \
   memcap 100000

So it appears to be enabled.

However, I looked for libsf_dcerpc_preproc.so, but that file is not
present.  Do I need to create one?  The README.dcerpc file does not say how
to format such a file.

OTOH, did I screw up something updating the rules?

Thanks.

Craig Bowser



On Tue, Jun 16, 2009 at 10:45 AM, Griffin, Chris Andrew (Chris) <
cg58 () alcatel-lucent com> wrote:

I'm having the same problem

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Warning: /etc/snort/rules/netbios.rules(24) => Unknown keyword '
dce_iface' in rule!
Fatal Error, Quitting..

and I found this post:


https://forums.snort.org/forums/snort-newbies/topics/snort-error-when-starting-snort-unknown-keyword-dce_iface

I can't find "preprocessor dcerpc_server: default" in snort.conf to
disable, but I think it's because my snort.conf is old.  I'm going to try
and upgrade my snort.conf to the latest version (v2.8.4.1).  If you haven't
upgraded your snort.conf in a while I may suggest you try the same.




________________________________

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, June 16, 2009 10:31 AM
To: jlay () slave-tothe-box net
Cc: Snort
Subject: Re: [Snort-users] New netbios rules?



On Jun 16, 2009, at 10:17 AM, jlay () slave-tothe-box net wrote:


       After updating this morning I see:

       Jun 16 08:12:25 10.21.10.2 snort[7899]: FATAL ERROR: Warning:
       /usr/local/etc/snort/rules/netbios.rules(24) => Unknown keyword '
       dce_iface' in rule!

       Version is:

       Version 2.8.4.1 (Build 38)

       Do I need to update snort?  Thanks.


No, but you do need to enable the dce/rpc2 preprocessor in your snort.conf


--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
[m]


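A check for the mismatch Craig and Chris hit above (rules that use dce_iface while snort.conf only loads the legacy dcerpc preprocessor, with dcerpc2 commented out or absent), as an added example that is not from the list or the Snort project. The snort.conf fragment and the rule it scans are constructed here; dce_iface, dce_opnum and dce_stub_data are the rule options that the dcerpc2 preprocessor provides.

```python
import re

# Constructed inputs modelled on the thread: a snort.conf that loads only the
# legacy "dcerpc" preprocessor, and a rule using dce_iface (needs dcerpc2).
SAMPLE_CONF = """\
# preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc: \\
   autodetect \\
   max_frag_size 3000 \\
   memcap 100000
"""
SAMPLE_RULES = """\
alert tcp any any -> any 445 (msg:"constructed dce test"; \\
  dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; sid:1000001; rev:1;)
"""
DCE2_OPTIONS = ("dce_iface", "dce_opnum", "dce_stub_data")

def logical_lines(text):
    """Yield (first_physical_line, text), joining backslash continuations."""
    start, buf = None, ""
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        start, buf = None, ""
    if buf:
        yield start, buf

def enabled_preprocessors(conf_text):
    """Preprocessor names on uncommented 'preprocessor <name>' lines."""
    return {m.group(1) for _, line in logical_lines(conf_text)
            for m in [re.match(r"\s*preprocessor\s+(\w+)", line)] if m}

def rules_needing_dce2(rules_text):
    """(line, option) for active rules that use dcerpc2-only rule options."""
    return [(n, opt) for n, line in logical_lines(rules_text)
            if not line.lstrip().startswith("#")
            for opt in DCE2_OPTIONS if re.search(r"\b%s\s*:" % opt, line)]

def check(conf_text, rules_text):
    """Explain the thread's fatal error: dce_* options with dcerpc2 disabled."""
    if "dcerpc2" in enabled_preprocessors(conf_text):
        return []
    return ["rule at line %d uses %s but 'preprocessor dcerpc2' is not enabled"
            % (n, opt) for n, opt in rules_needing_dce2(rules_text)]
```

Run check() over the real snort.conf and each rules file before restarting Snort; an empty list means the rule set and preprocessor configuration agree.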


------------------------------


------------------------------


End of Snort-users Digest, Vol 38, Issue 13
*******************************************




-- joel esler | Sourcefire | AIM: eslerjoel | Google Voice: 302-223-5974