Snort mailing list archives
Re: typical errors when trying pulledpork
From: PR <oly562 () gmail com>
Date: Sat, 08 Sep 2012 23:57:29 -0700
i followed the snortinstallguide293.pdf...for ubuntu 12.04 LTS however i noticed a typo stating 10.04, whatever, i moved along, i did this when i installed:

created a barnyard2.waldo file following instructions from snort manual howto whatever for ubuntu 10.04. im on 12.04 but no matter. linux is linux to me.

    sudo tar zxvf barnyard2-1.9.tar.gz
    cd firnsy-barnyard2*
    sudo autoreconf -fvi -I ./m4
    sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
    sudo make
    sudo make install
    sudo cp etc/barnyard2.conf /usr/local/snort/etc
    sudo mkdir /var/log/barnyard2
    sudo chmod 666 /var/log/barnyard2
    sudo touch /var/log/snort/barnyard2.waldo
    sudo chown snort.snort /var/log/snort/barnyard2.waldo

also:

    echo "create database snort;" | mysql -u root -p
    mysql -u root -p -D snort < ./schemas/create_mysql
    echo "grant create, insert, select, delete, update on snort.* to snort@localhost \
    identified by 'XXXXXXX'" | mysql -u root -p

also:

    sudo vi /usr/local/snort/etc/barnyard2.conf

    config reference_file: /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/gen-msg.map
    config sid_file: /etc/snort/sid-msg.map
    #config hostname: thor
    #config interface: eth0
    #output database: log, mysql, user=root password=test dbname=db host=localhost;

    reference_file: /usr/local/snort/etc/reference.config
    classification_file: /usr/local/snort/etc/classification.config
    gen_file: /usr/local/snort/etc/gen-msg.map
    sid_file: /usr/local/snort/etc/sid-msg.map
    config hostname: localhost
    config interface: eth1
    output database: log, mysql, user=snort password=XXXXXX dbname=snort \
    host=localhost

i of course modified the location of directories...

here is the command and stdout when starting snort.... **(note the dir tree)**

    /usr/local/etc/snort/bin/snort -u snort -g snort -c /usr/local/etc/snort/etc/snort.conf -i eth0

Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins! Parsing Rules file "/usr/local/etc/snort/etc/snort.conf" PortVar 'HTTP_PORTS' defined : [ 80:81 311 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180:8181 8243 8280 8800 8888 8899 9000 9080 9090:9091 9443 9999 11371 55555 ] PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ] PortVar 'SSH_PORTS' defined : [ 22 ] PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ] PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ] PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180:8181 8243 8280 8800 8888 8899 9000 9080 9090:9091 9443 9999 11371 55555 ] PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ] Detection: Search-Method = AC-Full-Q Split Any/Any group = enabled Search-Method-Optimizations = enabled Maximum pattern length = 20 Tagged Packet Limit: 256 Loading dynamic engine /usr/local/etc/snort/lib/snort_dynamicengine/libsf_engine.so... done Loading all dynamic detection libs from /usr/local/etc/snort/lib/snort_dynamicrules... Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/web-client.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/exploit.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/smtp.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/web-activex.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/icmp.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/specific-threats.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/snmp.so... 
done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/multimedia.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/bad-traffic.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/misc.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/chat.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/netbios.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/web-iis.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/p2p.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/dos.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/web-misc.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/imap.so... done Loading dynamic detection library /usr/local/etc/snort/lib/snort_dynamicrules/nntp.so... done Finished Loading all dynamic detection libs from /usr/local/etc/snort/lib/snort_dynamicrules Loading all dynamic preprocessor libs from /usr/local/etc/snort/lib/snort_dynamicpreprocessor/... Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... 
done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done Loading dynamic preprocessor library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done Finished Loading all dynamic preprocessor libs from /usr/local/etc/snort/lib/snort_dynamicpreprocessor/ Log directory = /var/log/snort WARNING: ip4 normalizations disabled because not inline. WARNING: tcp normalizations disabled because not inline. WARNING: icmp4 normalizations disabled because not inline. WARNING: ip6 normalizations disabled because not inline. WARNING: icmp6 normalizations disabled because not inline. 
Frag3 global config: Max frags: 65536 Fragment memory cap: 4194304 bytes Frag3 engine config: Bound Address: default Target-based policy: WINDOWS Fragment timeout: 180 seconds Fragment min_ttl: 1 Fragment Anomalies: Alert Overlap Limit: 10 Min fragment Length: 100 Stream5 global config: Track TCP sessions: ACTIVE Max TCP sessions: 262144 Memcap (for reassembly packet storage): 8388608 Track UDP sessions: ACTIVE Max UDP sessions: 131072 Track ICMP sessions: INACTIVE Track IP sessions: INACTIVE Log info if session memory consumption exceeds 1048576 Send up to 2 active responses Wait at least 5 seconds between responses Protocol Aware Flushing: ACTIVE Maximum Flush Point: 16000 Stream5 TCP Policy config: Bound Address: default Reassembly Policy: WINDOWS Timeout: 180 seconds Limit on TCP Overlaps: 10 Maximum number of bytes to queue per session: 1048576 Maximum number of segs to queue per session: 2621 Options: Require 3-Way Handshake: YES 3-Way Handshake Timeout: 180 Detect Anomalies: YES Reassembly Ports: 21 client (Footprint) 22 client (Footprint) 23 client (Footprint) 25 client (Footprint) 42 client (Footprint) 53 client (Footprint) 79 client (Footprint) 80 client (Footprint) server (Footprint) 81 client (Footprint) server (Footprint) 109 client (Footprint) 110 client (Footprint) 111 client (Footprint) 113 client (Footprint) 119 client (Footprint) 135 client (Footprint) 136 client (Footprint) 137 client (Footprint) 139 client (Footprint) 143 client (Footprint) 161 client (Footprint) additional ports configured but not printed. 
Stream5 UDP Policy config: Timeout: 180 seconds HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /usr/local/etc/snort/etc/unicode.map IIS Unicode Map Codepage: 1252 Memcap used for logging URI and Hostname: 150994944 Max Gzip Memory: 838860 Max Gzip Sessions: 9532 Gzip Compress Depth: 65535 Gzip Decompress Depth: 65535 DEFAULT SERVER CONFIG: Server profile: All Ports (PAF): 80 81 311 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8800 8888 8899 9000 9080 9090 9091 9443 9999 11371 55555 Server Flow Depth: 0 Client Flow Depth: 0 Max Chunk Length: 500000 Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times Max Header Field Length: 750 Max Number Header Fields: 100 Max Number of WhiteSpaces allowed with header folding: 200 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Normalize HTTP Headers: NO Inspect HTTP Cookies: YES Inspect HTTP Responses: YES Extract Gzip from responses: YES Unlimited decompression of gzip data from responses: YES Normalize Javascripts in HTTP Responses: YES Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200 Normalize HTTP Cookies: NO Enable XFF and True Client IP: NO Log HTTP URI data: NO Log HTTP Hostname data: NO Extended ASCII code support in URI: NO Ascii: YES alert: NO Double Decoding: YES alert: NO %U Encoding: YES alert: YES Bare Byte: YES alert: NO UTF 8: YES alert: NO IIS Unicode: YES alert: NO Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: NO Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 
0x07 Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode arguments: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 alert_fragments: INACTIVE alert_large_fragments: INACTIVE alert_incomplete: INACTIVE alert_multiple_requests: INACTIVE FTPTelnet Config: GLOBAL CONFIG Inspection Type: stateful Check for Encrypted Traffic: YES alert: NO Continue to check encrypted data: YES TELNET CONFIG: Ports: 23 Are You There Threshold: 20 Normalize: YES Detect Anomalies: YES FTP CONFIG: FTP Server: default Ports (PAF): 21 2100 3535 Check for Telnet Cmds: YES alert: YES Ignore Telnet Cmd Operations: YES alert: YES Identify open data channels: NO FTP Client: default Check for Bounce Attacks: YES alert: YES Check for Telnet Cmds: YES alert: YES Ignore Telnet Cmd Operations: YES alert: YES Max Response Length: 256 SMTP Config: Ports: 25 465 587 691 Inspection Type: Stateful Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50 Ignore Data: No Ignore TLS Data: No Ignore SMTP Alerts: No Max Command Line Length: 512 Max Specific Command Line Length: ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246 XUSR:246 Max Header Line Length: 1000 Max Response Line Length: 512 X-Link2State Alert: Yes Drop on X-Link2State Alert: No Alert on commands: None Alert on unknown commands: No SMTP Memcap: 838860 MIME Max Mem: 838860 Base64 Decoding: 
Enabled Base64 Decoding Depth: Unlimited Quoted-Printable Decoding: Enabled Quoted-Printable Decoding Depth: Unlimited Unix-to-Unix Decoding: Enabled Unix-to-Unix Decoding Depth: Unlimited Non-Encoded MIME attachment Extraction: Enabled Non-Encoded MIME attachment Extraction Depth: Unlimited Log Attachment filename: Enabled Log MAIL FROM Address: Enabled Log RCPT TO Addresses: Enabled Log Email Headers: Enabled Email Hdrs Log Depth: 1464 SSH config: Autodetection: ENABLED Challenge-Response Overflow Alert: ENABLED SSH1 CRC32 Alert: ENABLED Server Version String Overflow Alert: ENABLED Protocol Mismatch Alert: ENABLED Bad Message Direction Alert: DISABLED Bad Payload Size Alert: DISABLED Unrecognized Version Alert: DISABLED Max Encrypted Packets: 20 Max Server Version String Length: 100 MaxClientBytes: 19600 (Default) Ports: 22 DCE/RPC 2 Preprocessor Configuration Global Configuration DCE/RPC Defragmentation: Enabled Memcap: 102400 KB Events: co SMB Fingerprint policy: Disabled Server Default Configuration Policy: WinXP Detect ports (PAF) SMB: 139 445 TCP: 135 UDP: 135 RPC over HTTP server: 593 RPC over HTTP proxy: None Autodetect ports (PAF) SMB: None TCP: 1025-65535 UDP: 1025-65535 RPC over HTTP server: 1025-65535 RPC over HTTP proxy: None Invalid SMB shares: C$ D$ ADMIN$ Maximum SMB command chaining: 3 commands DNS config: DNS Client rdata txt Overflow Alert: ACTIVE Obsolete DNS RR Types Alert: INACTIVE Experimental DNS RR Types Alert: INACTIVE Ports: 53 SSLPP config: Encrypted packets: not inspected Ports: 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 Server side data is trusted Sensitive Data preprocessor config: Global Alert Threshold: 25 Masked Output: DISABLED SIP config: Max number of sessions: 40000 Max number of dialogs in a session: 4 (Default) Status: ENABLED Ignore media channel: DISABLED Max URI length: 512 Max Call ID length: 80 Max Request name 
length: 20 (Default) Max From length: 256 (Default) Max To length: 256 (Default) Max Via length: 1024 (Default) Max Contact length: 512 Max Content length: 2048 Ports: 5060 5061 5600 Methods: invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack IMAP Config: Ports: 143 IMAP Memcap: 838860 Base64 Decoding: Enabled Base64 Decoding Depth: Unlimited Quoted-Printable Decoding: Enabled Quoted-Printable Decoding Depth: Unlimited Unix-to-Unix Decoding: Enabled Unix-to-Unix Decoding Depth: Unlimited Non-Encoded MIME attachment Extraction: Enabled Non-Encoded MIME attachment Extraction Depth: Unlimited POP Config: Ports: 110 POP Memcap: 838860 Base64 Decoding: Enabled Base64 Decoding Depth: Unlimited Quoted-Printable Decoding: Enabled Quoted-Printable Decoding Depth: Unlimited Unix-to-Unix Decoding: Enabled Unix-to-Unix Decoding Depth: Unlimited Non-Encoded MIME attachment Extraction: Enabled Non-Encoded MIME attachment Extraction Depth: Unlimited Modbus config: Ports: 502 DNP3 config: Memcap: 262144 Check Link-Layer CRCs: ENABLED Ports: 20000 Reputation config: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled. +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 
3029 Snort rules read 3029 detection rules 0 decoder rules 0 preprocessor rules 3029 Option Chains linked into 179 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 1361 4 0 0 | dst 1459 64 0 0 | any 118 47 28 27 | nc 51 12 1 0 | s+d 0 1 0 0 +---------------------------------------------------------------------------- +-----------------------[detection-filter-config]------------------------------ | memory-cap : 1048576 bytes +-----------------------[detection-filter-rules]------------------------------- ------------------------------------------------------------------------------- +-----------------------[rate-filter-config]----------------------------------- | memory-cap : 1048576 bytes +-----------------------[rate-filter-rules]------------------------------------ | none ------------------------------------------------------------------------------- +-----------------------[event-filter-config]---------------------------------- | memory-cap : 1048576 bytes +-----------------------[event-filter-global]---------------------------------- +-----------------------[event-filter-local]----------------------------------- | none +-----------------------[suppression]------------------------------------------ | none ------------------------------------------------------------------------------- Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log Verifying Preprocessor Configurations! WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option. ICMP tracking disabled, no ICMP sessions allocated IP tracking disabled, no IP sessions allocated WARNING: flowbits key 'file.hta' is set but not ever checked. WARNING: flowbits key 'backdoor.donalddick.1.5.b.3.conn' is checked but not ever set. WARNING: flowbits key 'file.plf' is set but not ever checked. 
WARNING: flowbits key 'file.mid' is set but not ever checked. WARNING: flowbits key 'file.wrf' is set but not ever checked. WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set. WARNING: flowbits key 'file.application' is set but not ever checked. WARNING: flowbits key 'waprox.init' is set but not ever checked. WARNING: flowbits key 'file.autodesk_max' is set but not ever checked. WARNING: flowbits key 'file.autodesk_ma' is set but not ever checked. WARNING: flowbits key 'file.cnt' is set but not ever checked. WARNING: flowbits key 'file.ffmpeg' is set but not ever checked. WARNING: flowbits key 'file.aom' is set but not ever checked. WARNING: flowbits key 'file.esignal' is set but not ever checked. WARNING: flowbits key 'file.rt' is set but not ever checked. WARNING: flowbits key 'file.msproducer' is set but not ever checked. WARNING: flowbits key 'file.3gp' is set but not ever checked. WARNING: flowbits key 'file.rss' is set but not ever checked. WARNING: flowbits key 'file.docx' is set but not ever checked. WARNING: flowbits key 'file.machobe' is set but not ever checked. WARNING: flowbits key 'file.addin' is set but not ever checked. WARNING: flowbits key 'file.arj' is set but not ever checked. WARNING: flowbits key 'file.mppl' is set but not ever checked. WARNING: flowbits key 'file.dat' is set but not ever checked. WARNING: flowbits key 'file.m4p' is set but not ever checked. WARNING: flowbits key 'file.job' is set but not ever checked. WARNING: flowbits key 'file.lzh' is set but not ever checked. WARNING: flowbits key 'file.mime' is set but not ever checked. WARNING: flowbits key 'file.rat' is set but not ever checked. WARNING: flowbits key 'file.flac' is set but not ever checked. WARNING: flowbits key 'file.oless.v3' is set but not ever checked. WARNING: flowbits key 'backdoor.asylum.connect' is checked but not ever set. WARNING: flowbits key 'file.xm' is set but not ever checked. 
WARNING: flowbits key 'file.bat' is set but not ever checked. WARNING: flowbits key 'file.m4r' is set but not ever checked. WARNING: flowbits key 'file.plp' is set but not ever checked. WARNING: flowbits key 'file.wk4' is set but not ever checked. WARNING: flowbits key 'file.fon' is set but not ever checked. WARNING: flowbits key 'file.screnc' is set but not ever checked. WARNING: flowbits key 'file.symantec' is set but not ever checked. WARNING: flowbits key 'file.bmp' is set but not ever checked. WARNING: flowbits key 'asteriskmi' is set but not ever checked. WARNING: flowbits key 'file.mp4' is set but not ever checked. WARNING: flowbits key 'file.rdp' is set but not ever checked. WARNING: flowbits key 'soliddb' is set but not ever checked. WARNING: flowbits key 'file.s3m' is set but not ever checked. WARNING: flowbits key 'file.wma' is set but not ever checked. WARNING: flowbits key 'file.pkp' is set but not ever checked. WARNING: flowbits key 'file.postscript' is set but not ever checked. WARNING: flowbits key 'file.cab' is set but not ever checked. WARNING: flowbits key 'file.bzip' is set but not ever checked. WARNING: flowbits key 'file.rmp' is set but not ever checked. WARNING: flowbits key 'file.realplayer' is set but not ever checked. WARNING: flowbits key 'dorkbot.ircinit' is set but not ever checked. WARNING: flowbits key 'file.cue' is set but not ever checked. WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked. WARNING: flowbits key 'ipp.application' is checked but not ever set. WARNING: flowbits key 'file.jar.agent_helper' is set but not ever checked. WARNING: flowbits key 'file.k3g' is set but not ever checked. WARNING: flowbits key 'oracle.connect' is checked but not ever set. WARNING: flowbits key 'file.skm' is set but not ever checked. WARNING: flowbits key 'file.bak' is set but not ever checked. WARNING: flowbits key 'file.pecompact' is set but not ever checked. WARNING: flowbits key 'file.mkv' is set but not ever checked. 
WARNING: flowbits key 'file.m4v' is set but not ever checked. WARNING: flowbits key 'file.binhex' is set but not ever checked. WARNING: flowbits key 'trojan.nervos' is set but not ever checked. WARNING: flowbits key 'file.macho64le' is set but not ever checked. WARNING: flowbits key 'file.ram' is set but not ever checked. WARNING: flowbits key 'file.ht3' is set but not ever checked. WARNING: flowbits key 'file.svg' is set but not ever checked. WARNING: flowbits key 'file.sln' is set but not ever checked. WARNING: flowbits key 'file.ivr' is set but not ever checked. WARNING: flowbits key 'file.cws' is set but not ever checked. WARNING: flowbits key 'file.sis' is set but not ever checked. WARNING: flowbits key 'file.tiff.big' is set but not ever checked. WARNING: flowbits key 'file.cov' is set but not ever checked. WARNING: flowbits key 'vnc.auth' is checked but not ever set. WARNING: flowbits key 'file.emf' is set but not ever checked. WARNING: flowbits key 'file.rar' is set but not ever checked. WARNING: flowbits key 'smtp.contenttype.attachment' is checked but not ever set. WARNING: flowbits key 'file.fli' is set but not ever checked. WARNING: flowbits key 'file.csv' is set but not ever checked. WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set. WARNING: flowbits key 'file.vmd' is set but not ever checked. WARNING: flowbits key 'file.m4a' is set but not ever checked. WARNING: flowbits key 'file.cyb' is set but not ever checked. WARNING: flowbits key 'RTMP.sysMemCall' is set but not ever checked. WARNING: flowbits key 'file.7zip' is set but not ever checked. WARNING: flowbits key 'file.gzip' is set but not ever checked. WARNING: flowbits key 'file.vqf' is set but not ever checked. WARNING: flowbits key 'file.collada' is set but not ever checked. WARNING: flowbits key 'file.m4b' is set but not ever checked. WARNING: flowbits key 'file.siplog' is set but not ever checked. 
WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked. WARNING: flowbits key 'file.3g2' is set but not ever checked. WARNING: flowbits key 'file.cur' is set but not ever checked. WARNING: flowbits key 'file.maki' is set but not ever checked. WARNING: flowbits key 'file.oless.v4' is set but not ever checked. WARNING: flowbits key 'file.vwr' is set but not ever checked. WARNING: flowbits key 'file.pptx' is set but not ever checked. WARNING: flowbits key 'file.cy3' is set but not ever checked. WARNING: flowbits key 'file.cryptff' is set but not ever checked. WARNING: flowbits key 'dce.spoolss.4.call' is checked but not ever set. WARNING: flowbits key 'file.dvr-ms' is set but not ever checked. WARNING: flowbits key 'file.mht' is set but not ever checked. WARNING: flowbits key 'file.nab' is set but not ever checked. WARNING: flowbits key 'file.webm' is set but not ever checked. WARNING: flowbits key 'file.mov' is set but not ever checked. WARNING: flowbits key 'file.dbp' is set but not ever checked. WARNING: flowbits key 'file.qt' is set but not ever checked. WARNING: flowbits key 'file.tnef' is set but not ever checked. WARNING: flowbits key 'file.hlp' is set but not ever checked. WARNING: flowbits key 'smb.neoteris' is checked but not ever set. WARNING: flowbits key 'file.daz_ds' is set but not ever checked. WARNING: flowbits key 'file.eml' is set but not ever checked. WARNING: flowbits key 'file.rp' is set but not ever checked. WARNING: flowbits key 'file.machole' is set but not ever checked. WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked but not ever set. WARNING: flowbits key 'file.file.tar' is set but not ever checked. WARNING: flowbits key 'file.macho64be' is set but not ever checked. WARNING: flowbits key 'file.htm' is set but not ever checked. WARNING: flowbits key 'file.search-ms' is set but not ever checked. WARNING: flowbits key 'file.rmf' is set but not ever checked. 
WARNING: flowbits key 'file.amf' is set but not ever checked. WARNING: flowbits key 'file.mpeg' is set but not ever checked. WARNING: flowbits key 'file.wps' is set but not ever checked. WARNING: flowbits key 'file.crx' is set but not ever checked. 214 out of 1024 flowbits in use. [ Port Based Pattern Matching Memory ] +- [ Aho-Corasick Summary ] ------------------------------------- | Storage Format : Full-Q | Finite Automaton : DFA | Alphabet Size : 256 Chars | Sizeof State : Variable (1,2,4 bytes) | Instances : 147 | 1 byte states : 136 | 2 byte states : 11 | 4 byte states : 0 | Characters : 46772 | States : 36133 | Transitions : 3332808 | State Density : 36.0% | Patterns : 3136 | Match States : 3021 | Memory (MB) : 17.90 | Patterns : 0.23 | Match Lists : 0.34 | DFA | 1 byte states : 0.74 | 2 byte states : 16.45 | 4 byte states : 0.00 +---------------------------------------------------------------- [ Number of patterns truncated to 20 bytes: 466 ] pcap DAQ configured to passive. Acquiring network traffic from "eth0". Reload thread starting... Reload thread started, thread 0xa6725b40 (2256) Decoding Ethernet Set gid to 116 Set uid to 107 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.3.1 IPv6 GRE (Build 40) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2012 Sourcefire, Inc., et al. 
    Using libpcap version 1.1.1
    Using PCRE version: 8.12 2011-01-15
    Using ZLIB version: 1.2.3.4

    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.16 <Build 18>
    Rules Object: nntp Version 1.0 <Build 1>
    Rules Object: imap Version 1.0 <Build 1>
    Rules Object: web-misc Version 1.0 <Build 1>
    Rules Object: dos Version 1.0 <Build 1>
    Rules Object: p2p Version 1.0 <Build 1>
    Rules Object: web-iis Version 1.0 <Build 1>
    Rules Object: netbios Version 1.0 <Build 1>
    Rules Object: chat Version 1.0 <Build 1>
    Rules Object: misc Version 1.0 <Build 1>
    Rules Object: bad-traffic Version 1.0 <Build 1>
    Rules Object: multimedia Version 1.0 <Build 1>
    Rules Object: snmp Version 1.0 <Build 1>
    Rules Object: specific-threats Version 1.0 <Build 1>
    Rules Object: icmp Version 1.0 <Build 1>
    Rules Object: web-activex Version 1.0 <Build 1>
    Rules Object: smtp Version 1.0 <Build 1>
    Rules Object: exploit Version 1.0 <Build 1>
    Rules Object: web-client Version 1.0 <Build 1>
    Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
    Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
    Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
    Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
    Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
    Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
    Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
    Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
    Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
    Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
    Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
    Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
    Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
    Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Commencing packet processing (pid=2256)

Looks good so far... however, mysql isn't taking any input yet, i haven't started barnyard2, and what is the ./m4 for? that autoreconf didn't error out but it looks like it didn't do anything either.. should have showed a little stdout. lol

more on barnyard2 to follow

On Sat, 2012-09-08 at 07:56 -0400, Joel Esler wrote:
Are you outputting in binary (tcpdump) format, or are you outputting in unified2?

--
Joel Esler
Sent from my iPad

On Sep 8, 2012, at 2:15 AM, PR <oly562 () gmail com> wrote:

snort wont start up... trying to view the logs - of course they are not viewable with less/more.

example:

    less /var/log/snort/snort.log.1346948607
    "/var/log/snort/snort.log.1346948607" may be a binary file. See it anyway?

here is the latest set of warnings:

    # ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
    They Match
    Done!
Prepping rules from snortrules-snapshot-2920.tar.gz for work....
    Done!
Reading rules...
Generating Stub Rules....
    An error occurred: !! WARNING: The database output plugins are considered deprecated as
    An error occurred: WARNING: ip4 normalizations disabled because not inline.
    An error occurred: WARNING: tcp normalizations disabled because not inline.
    An error occurred: WARNING: icmp4 normalizations disabled because not inline.
    An error occurred: WARNING: ip6 normalizations disabled because not inline.
    An error occurred: WARNING: icmp6 normalizations disabled because not inline.
    Done
Reading rules...
Reading rules...
Reading rules...
Activating Security rulesets....
    Done
Setting Flowbit State....
    Enabled 637 flowbits
    Enabled 47 flowbits
    Enabled 4 flowbits
    Enabled 2 flowbits
    Done
Writing /etc/snort/rules/snort.rules....
    Done
Writing /usr/local/etc/snort/rules/so_rules.rules....
    Done
Generating sid-msg.map....
    Done
Writing /usr/local/etc/snort/sid-msg.map....
    Done
Writing /var/log/sid_changes.log....
    Done
Rule Stats....
    New:-------0
    Deleted:---0
    Enabled Rules:----6129
    Dropped Rules:----0
    Disabled Rules:---6875
    Total Rules:------13004
    Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly/crash....!

more to follow.. sighs...

On Fri, 2012-09-07 at 20:25 -0700, PR wrote:

ha ha you funny dr jones... said like shorty ;)

On Fri, 2012-09-07 at 22:16 -0400, Joel Esler wrote:

I don't have a template for that question. Others, yes.

--
Joel Esler
Sent from my iPad

On Sep 7, 2012, at 9:30 PM, PR <oly562 () gmail com> wrote:

yep thanks for the templated noobish user response. ;)

On Fri, 2012-09-07 at 18:17 -0400, Joel Esler wrote:

If you are not a subscriber, yes. You'll need to wait your 15 minutes. But no, 2.9.2 is no longer supported. Please see the bottom of http://www.snort.org/vrt/rules/eol_policy for currently supported versions and when they will expire.

--
Joel Esler

On Sep 7, 2012, at 4:17 PM, PR <oly562 () gmail com> wrote:

i guess i should wait 15 mins? i dont think i can grab another since i dont pay for rules... what do you think? should i just go for it?

On Fri, 2012-09-07 at 13:15 -0700, PR wrote:

next error... i mv'd this file, guess i should put it back...

    ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
Rules tarball download of snortrules-snapshot-2920.tar.gz....
    They Match
    Done!
Prepping rules from snortrules-snapshot-2920.tar.gz for work....
    Done!
Reading rules...
Generating Stub Rules....
    An error occurred: ERROR: Unable to open rules file "/usr/local/etc/snort/database.conf": No such file or directory.
    An error occurred: Fatal Error, Quitting..
more to follow....

On Fri, 2012-09-07 at 12:30 -0700, PR wrote:

oops, i figured out my mistake lolol... ok but now i run into the same prob as before. versioning!

here is what i get when i do the cmd properly at tail of stdout:

The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the pulledpork.conf!
 at ./pulledpork.pl line 1736.

i will goto pulledpork.pl line 1736 now. brb.......

ok, i thought, no i swear it says on snort.org page, pulledpork will automajically decide which version to download/upgrade rules to.

           -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:

so...... let me guess 2.9.2 isnt "supported"

here is what i think, i think it's too hard for anyone to simply update rules unless you always update your snort program to the same version, thats just ludicrous! yes im running acidbase, yes it was loaded with apt-get install snort-mysql snort acidbase, so what... i can move files and confs to point in right direction, not the issue, its the updating of the snort program and ONLY allowing automation to those who either

1. pay
2. pay to have you guys install
3. pay to stay current
4. pay pay pay, rather than providing a script that keeps the snort program updated no matter what version you have in reason like 2.9.x
5. How about fixing that perl script on the server side to allow us to download the files automajically as it claims

i used snort since the beginning, it always was easy to update so forth, but now, it's getting silly.

ok, there im done ranting, however, i still need FREE input, like community input. if not, as usual i will just figure it out, may take a while but i'll get it, i have before, and can do again. im complaining becuz its not simple anymore. or as simple as it can be to download some rules automatically.

sighs.... you can comment if you like, but i know each of you have been here before at some point in your snorting career...
On Fri, 2012-09-07 at 12:13 -0700, PR wrote:

hi all,

1. modified and created dirs for what pulledpork.conf requires as root user.

2. ran this cmd:

root@myserverhere:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security

3. got this error:

root@myserverhere:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX: command not found
./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not found

4. here is the conf in entirety:

# more pulledpork.conf
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######

# The rule_url value replaces the old base_url and rule_file configuration
# options. You can now specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
##*** ( here is line 21 )***
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data

# Define your Oinkcode - DEPRICATED, SEE RULE_URL
# oinkcode=replacethiswithyouroinkcode

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

#######
####### The below section is for rule processing. This section is
####### required if you are not specifying the configuration using
####### runtime switches. Note that runtime switches do SUPERSEED
####### any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/usr/local/etc/snort/rules/snort.rules

# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
###(created all the dirs and pointed to currently snort.conf )
# out_path=/usr/local/etc/snort/rules/

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
###(yadda)
local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map

# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional

#######
####### The below section is for so_rule processing only. If you don't
####### need to use them.. then comment this section out!
####### Alternately, if you are not using pulledpork to process
####### so_rules, you can specify -T at runtime to bypass this altogether
#######

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
#snort_path=/usr/local/bin/snort
(modified current path)
snort_path=/usr/sbin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
# OpenSUSE-11-3
distro=FreeBSD-8.0

####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!

# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completeion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable

# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# Defining this value will set the Textonly flag, and thus will NOT allow
# you to use shared object rules. This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.6.0

5. your thoughts? your suggestions?

thanks,
pete
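
Two of the failures in this thread, the config file being run as if it were pulledpork.pl and a snort_path that points at no binary, can be caught before a run. The following POSIX sh preflight is an added example, not part of the thread or of PulledPork; the names pp_get and pp_preflight and the wording of the messages are assumptions made here, and it only reads the rule_url, snort_path and config_path keys shown in the posted conf.

```shell
#!/bin/sh
# Added example: preflight for a pulledpork.conf (function names chosen here).
# Prints one line per problem and returns the number of problems found.

# Value of the last uncommented "key=value" line for a key.
pp_get() {  # $1 = conf file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

pp_preflight() {  # $1 = path to pulledpork.conf
    conf=$1
    problems=0
    note() { echo "pp_preflight: $*"; problems=$((problems + 1)); }

    [ -r "$conf" ] || { echo "pp_preflight: cannot read $conf"; return 1; }

    # The conf could only run as a script because it carried the execute bit;
    # the shell then read each | in rule_url as a pipeline separator.
    [ -x "$conf" ] && note "$conf is executable; run pulledpork.pl -c $conf"

    # The file holds the oinkcode, so other users should not be able to read it.
    [ -n "$(find "$conf" -prune -perm -004)" ] && note "$conf is world-readable"

    # Every rule_url entry must be url|tarball|oinkcode (comma-separated list).
    # A value broken by a stray space splits here and fails the field count.
    for entry in $(sed -n 's/^rule_url=//p' "$conf" | tr ',' ' '); do
        fields=$(printf '%s\n' "$entry" | awk -F'[|]' '{ print NF }')
        [ "$fields" -eq 3 ] || note "rule_url entry has $fields fields, want 3"
    done

    # Guards against "The specified Snort binary does not exist!"
    snort_path=$(pp_get "$conf" snort_path)
    [ -n "$snort_path" ] && [ ! -x "$snort_path" ] &&
        note "snort_path=$snort_path is not an executable file"

    # Stub generation loads snort.conf, so it has to be readable.
    config_path=$(pp_get "$conf" config_path)
    [ -n "$config_path" ] && [ ! -r "$config_path" ] &&
        note "config_path=$config_path is not readable"

    return "$problems"
}
```

Call it as pp_preflight /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf and run pulledpork.pl only when it returns 0.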