Snort mailing list archives
Re: Snort-users Digest, Vol 72, Issue 37
From: Dennis Circolone <djcircolone () gmail com>
Date: Fri, 18 May 2012 14:48:47 -0500
Thanks for the information but it didn't really address the error I was getting. I added screen shots with the errors to my original email , were you able to see the error or are you telling me not to use base because there is no fix? On Fri, May 18, 2012 at 1:10 PM, <snort-users-request () lists sourceforge net>wrote:
Send Snort-users mailing list submissions to snort-users () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net You can reach the person managing the list at snort-users-owner () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." When responding, please don't respond with the entire Digest. Please trim your response. Today's Topics: 1. Re: php, base issue (Greg Williams) ---------------------------------------------------------------------- Message: 1 Date: Fri, 18 May 2012 12:10:47 -0600 From: Greg Williams <alphawebfx () gmail com> Subject: Re: [Snort-users] php, base issue To: Doug Burks <doug.burks () gmail com> Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>, Dennis Circolone <djcircolone () gmail com> Message-ID: <CAH1YzBQFPVKCOpUkwYkfaZUzjFrX78v5fw2j3dda1i58aC+iLQ () mail gmail comContent-Type: text/plain; charset="iso-8859-1" Thanks Doug. I'll probably try it again after you guys rebuild it with 12.04. I could have also been my hard drives. They died about a month after I tested Security Onion. I would like to test further at some point. Thanks for the link though. I'll remember it when I go through testing again. On Fri, May 18, 2012 at 12:05 PM, Doug Burks <doug.burks () gmail com> wrote:Hi Greg, We'd be glad to help you troubleshoot any performance issues you'rehavingwith Security Onion over on our mailing list: http://groups.google.com/group/security-onion Thanks, Doug On Fri, May 18, 2012 at 1:56 PM, Greg Williams <alphawebfx () gmail com wrote:I tried it and was a little disappointed in how slow it was running for me. I only gave it about 15 minutes, but I was definitely losing more packets than my custom install. Maybe it's better now. ~400-500 MBps sustained. On Fri, May 18, 2012 at 11:53 AM, Rick Chisholm <chavez243 () gmail comwrote:FWIW - you can always take a look at Security Onion - it has a bunch of Snort front-ends you can play with. First we had ACID and it went ker-splat, then BASE, which is dying on the vine. Not sure what the next move is, all I know is that I need a functional front-end and for right now that's Snorby. On Fri, May 18, 2012 at 1:46 PM, Greg Williams <alphawebfx () gmail comwrote:Well said! I 100% agree. Even though I have alerts forwarding via syslog to other destinations like Splunk, there is just somethingaboutBASE that trumps everything else. I've tried many other apps as well including Snorby and Sguil. On May 18, 2012, at 11:36 AM, Ron Sinclair <unixfool () gmail com>wrote:I hear such statements all the time. Would be nice if someone took BASE and revamped (but not whole-hog) it. I've been using BASE for almost 10 years, even after using both Sguil and Snorby. There's something about BASE that Snorby just can't match...just my opinion. I do check Snorby from time to time toassess anynew features. Last I checked, it still had a long way to go, so Ikeptusing BASE. Sguil...I don't know, since I never force myself to spend enough time to better utilize it. I usually just get frustrated andwipeit out. BASE seems less maintenance intensive than either Sguil and Snorby. I don't want to have to learn Ruby/Rails to use Snorby. I didn'treally haveto understand all that much about PHP to begin using BASE, and Ialreadyhad a good knowledge of MySQL, Snort, and Apache (and a multitude ofotherthings). I'll be using BASE for another 10 years, or until somethingelse(that isn't Sguil or Snorby) is released. If that doesn't happen,I'll gostraight to the raw logs and begin using correlation scripts andtools.On Fri, May 18, 2012 at 1:06 PM, Rick Chisholm <chavez243 () gmail comwrote:Hi Dennis: BASE is getting pretty long in the tooth, does not appear to be actively developed and as PHP advances, is slowly breaking. It isadvisableto switch to something like Snorby, Sguil etc. On Fri, May 18, 2012 at 12:37 PM, Dennis Circolone < djcircolone () gmail com> wrote:Hello, I have configured snort-2.9.2.2 on an opensuse 12.1 box, everything is working great except for the portscan traffic stays at 0% afteran NMAPtest and when I select source ports link or dest ports link Irecieve anerror.Does anyone know how I can resolve this issue? Basic Analysis and Security Engine (BASE) - Today's alerts: unique<http://10.2.7.170/base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+listing<http://10.2.7.170/base/base_qry_main.php?new=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=Query+DB&num_result_rows=-1&time_cnt=1> SourceIP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+> DestinationIP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=18&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+> -Last 24 Hours alerts: unique<http://10.2.7.170/base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+listing<http://10.2.7.170/base/base_qry_main.php?new=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=Query+DB&num_result_rows=-1&time_cnt=1> SourceIP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+> DestinationIP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=17&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+> -Last 72 Hours alerts: unique<http://10.2.7.170/base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+listing<http://10.2.7.170/base/base_qry_main.php?new=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=Query+DB&num_result_rows=-1&time_cnt=1> SourceIP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+> DestinationIP<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=15&time%5B0%5D%5B4%5D=2012&time%5B0%5D%5B5%5D=16&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+> -Most recent 15 Alerts: any protocol<http://10.2.7.170/base/base_qry_main.php?new=1&caller=last_any&num_result_rows=-1&submit=Last%20AnyTCP<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=TCP&caller=last_tcp&num_result_rows=-1&submit=Last%20TCPUDP<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=UDP&caller=last_udp&num_result_rows=-1&submit=Last%20UDPICMP<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=ICMP&caller=last_icmp&num_result_rows=-1&submit=Last%20ICMP> -Last Source Ports: any protocol<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=1&proto=-1&sort_order=last_dTCP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=1&proto=6&sort_order=last_dUDP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=1&proto=17&sort_order=last_d> -Last Destination Ports: any protocol<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=2&proto=-1&sort_order=last_dTCP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=2&proto=6&sort_order=last_dUDP<http://10.2.7.170/base/base_stat_ports.php?caller=last_ports&port_type=2&proto=17&sort_order=last_d> -Most Frequent Source Ports: any protocol<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=1&proto=-1&sort_order=occur_dTCP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=1&proto=6&sort_order=occur_dUDP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=1&proto=17&sort_order=occur_d> -Most Frequent Destination Ports: any protocol<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=2&proto=-1&sort_order=occur_dTCP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=2&proto=6&sort_order=occur_dUDP<http://10.2.7.170/base/base_stat_ports.php?caller=most_frequent&port_type=2&proto=17&sort_order=occur_d> -Most frequent 15 Addresses: Source<http://10.2.7.170/base/base_stat_uaddr.php?caller=most_frequent&addr_type=1&sort_order=occur_dDestination<http://10.2.7.170/base/base_stat_uaddr.php?caller=most_frequent&addr_type=2&sort_order=occur_d> -Most recent 15 Unique Alerts<http://10.2.7.170/base/base_stat_alerts.php?caller=last_alerts&sort_order=last_d> -Most frequent 5 Unique Alerts<http://10.2.7.170/base/base_stat_alerts.php?caller=most_frequent&sort_order=occur_d*Queried on *: Fri May 18, 2012 16:34:43 *Database:* snort@localhost (*Schema Version:* 107) *Time Window:* [2012-05-18 11:05:19] - [2012-05-18 11:06:55] *Search <http://10.2.7.170/base/base_qry_main.php?new=1>* *Graph Alert Data <http://10.2.7.170/base/base_graph_main.php>* Graph Alert Detection Time<http://10.2.7.170/base/base_stat_time.php>------------------------------ *Sensors/Total:* 1 <http://10.2.7.170/base/base_stat_sensor.php>/2 *Unique Alerts:* 1 <http://10.2.7.170/base/base_stat_alerts.php> *Categories: *1<http://10.2.7.170/base/base_stat_class.php?sort_order=class_a>*Total Number of Alerts:* 48<http://10.2.7.170/base/base_qry_main.php?&num_result_rows=-1&submit=Query+DB¤t_view=-1- Src IP addrs: 13<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=1>- Dest. IP addrs: 1<http://10.2.7.170/base/base_stat_uaddr.php?addr_type=2>- Unique IP links 13 <http://10.2.7.170/base/base_stat_iplink.php>- Source Ports: 2<http://10.2.7.170/base/base_stat_ports.php?port_type=1&proto=-1>- - TCP ( 0<http://10.2.7.170/base/base_stat_ports.php?port_type=1&proto=6>) UDP( 2<http://10.2.7.170/base/base_stat_ports.php?port_type=1&proto=17>) - Dest Ports: 2<http://10.2.7.170/base/base_stat_ports.php?port_type=2&proto=-1>- - TCP ( 0<http://10.2.7.170/base/base_stat_ports.php?port_type=2&proto=6>) UDP( 2<http://10.2.7.170/base/base_stat_ports.php?port_type=2&proto=17>) *Traffic Profile by Protocol* TCP (0%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=TCP&num_result_rows=-1&sort_order=time_d&submit=Query+DBUDP (100%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=UDP&num_result_rows=-1&sort_order=time_d&submit=Query+DBICMP (0%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=ICMP&num_result_rows=-1&sort_order=time_d&submit=Query+DB------------------------------ Portscan Traffic (0%)<http://10.2.7.170/base/base_qry_main.php?new=1&layer4=RawIP&num_result_rows=-1&sort_order=time_d&submit=Query+DBBasic Analysis and Security Engine (BASE) Home <http://10.2.7.170/base/base_main.php> | Search<http://10.2.7.170/base/base_qry_main.php?new=1>[ Back <http://10.2.7.170/base/base_main.php?back=1&> ] /srv/www/htdocs/base/includes/base_cache.inc.php:556: ERROR: $number_sensors_array is NOT an array! /srv/www/htdocs/base/includes/base_cache.inc.php:564: ERROR: $number_sensors_array is either NULL or empty! *Queried on* : Fri May 18, 2012 16:36:23 Meta Criteria * any * IP Criteria * any * Layer 4 Criteria * none * Payload Criteria * any * *No Alerts were found.* <<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=port_aPort ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=port_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sensor_aSensor ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sensor_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=occur_aOccurrences ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=occur_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=alerts_aUnique Alerts ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=alerts_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sip_aSrc. Addr. ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=sip_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=dip_aDest. Addr. ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=dip_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=first_aFirst ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=first_d<<http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=last_aLast ><http://10.2.7.170/base/base_stat_ports.php?caller=&sort_order=&port_type=1&proto=1&sort_order=last_dACTION { action }ADD to AG (by ID)ADD to AG (by Name)Create AG (byName)Deletealert(s)Email alert(s) (full)Email alert(s) (summary)Email alert(s) (csv)Archive alert(s) (copy)Archive alert(s) (move)------------------------------------------------------------------------------Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all thelatestSnort news!-- Rick Chisholm http://parallel42.ca http://appliedusers.ca ========================= "There is no faith which has never yet been broken, except that of a truly faithful dog." - Konrad Lorenz------------------------------------------------------------------------------Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Rick Chisholm http://parallel42.ca http://appliedusers.ca ========================= "There is no faith which has never yet been broken, except that of a truly faithful dog." - Konrad Lorenz------------------------------------------------------------------------------Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond.Discussionswill include endpoint security, mobile security and the latest inmalwarethreats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Doug Burks | http://securityonion.blogspot.com Don't miss SANS SEC503 Intrusion Detection In-Depth in Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members! http://augusta.issa.org/drupal/SANS-Augusta-2012-------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ ------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest, Vol 72, Issue 37 *******************************************
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort-users Digest, Vol 72, Issue 37 Dennis Circolone (May 18)