Snort mailing list archives

Re: Snort-users Digest, Vol 85, Issue 25


From: soukaina mzerda <soukaina.mz () gmail com>
Date: Fri, 7 Jun 2013 16:18:02 +0200

here's my debug:

(gdb) set args -v
(gdb) r
Starting program: /usr/local/snort-2.9.4.6/src/snort -v

Program received signal SIGSEGV, Segmentation fault.
0x00000002 in ?? ()
(gdb) bt
#0  0x00000002 in ?? ()
(gdb)




On Fri, Jun 7, 2013 at 11:25 AM, <snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim
your response.

Today's Topics:

   1. Re: Snort with IPtables (Steven McLaughlin)
   2. Re: Snort with IPtables (Jeremy Hoel)
   3. Re: Snort with IPtables (waldo kitty)
   4. Re: Snort-users Digest, Vol 85, Issue 24 (soukaina mzerda)


----------------------------------------------------------------------

Message: 1
Date: Fri, 7 Jun 2013 14:13:58 +1000
From: Steven McLaughlin <steve () Lan com au>
Subject: Re: [Snort-users] Snort with IPtables
To: Jeremy Hoel <jthoel () gmail com>
Cc: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <CAC06-HX2GmkRTJvTCmWL_0pLj9P7UTX=NKEob8GsULPtrboF-g () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

That sort of makes sense since it is only listening in promisc mode, but
not actually allowing traffic in destined for its interface. I guess
IPtables works at L3 and without an IP it doesn't really matter if IPtables
is on or off then. Would this be a true statement? (I am only running as a
sniffer and not switching inline)

I'm interested to hear more feedback on this.





------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort
news!




--
Best Regards,
Steven McLaughlin
steve () Lan com au
0459 351 266

------------------------------

Message: 2
Date: Thu, 6 Jun 2013 22:32:21 -0600
From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] Snort with IPtables
To: Steven McLaughlin <steve () lan com au>
Cc: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <CAH_p-VPs5prKh5OkkER9J_dYtAD94hDZELZFtFADbPs+h2ZdBQ () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Well, I can tell you it works for me. I imagine that yes, iptables
would require an IP to be effective on that interface. So yes, I
would say that iptables only works on L3 and not L2.

When I get to work I can paste a quick copy of the iptables we use so
you can see an example.




------------------------------

Message: 3
Date: Fri, 07 Jun 2013 04:07:54 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] Snort with IPtables
To: snort-users () lists sourceforge net
Message-ID: <51B194DA.80704 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 6/7/2013 00:08, Jeremy Hoel wrote:
we run iptables on all our sensors, but we don't give the sniffing
port an ip and have no iptables entries for it.

It works like a champ.

i can confirm that there's no conflict... our devices also use iptables and
snort listens "outside" of them... it sees the traffic before iptables gets a
chance to twiddle with it...

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
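A ruleset that puts the thread's answer into practice, added here as an example and not code from any poster or from the Snort project: the management interface admits only the listed TCP ports (tcp/22 and tcp/443 in Steve's case) while the sniffing interface, which has no IP, gets a DROP rule that does not affect capture because Snort reads frames below the netfilter hooks. Interface names and ports are parameters; eth0 as the management interface is an assumption. Steve's "-A OUTPUT -i eth1" form is rejected by iptables, which matches outbound traffic on the egress interface with -o, so the script emits -o there.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a two-interface Snort sensor:
# a management interface with an IP (assumed eth0) and a listen-only
# sniffing interface with no IP (eth1 in the thread).
# Usage: sensor_ruleset MGMT_IF SNIFF_IF "TCP PORTS" [SNIFF_POLICY]

sensor_ruleset() {
    mgmt=$1
    sniff=$2
    ports=$3            # space-separated, e.g. "22 443"
    policy=${4:-DROP}   # DROP is the hardened choice; ACCEPT is what Steve proposed

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Management side: replies to sessions we opened, plus the admitted services.
    printf '%s\n' "-A INPUT -i $mgmt -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        printf '%s\n' "-A INPUT -i $mgmt -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Sniffing side: libpcap (AF_PACKET) hands Snort a copy of every frame at
    # the link layer, before the netfilter INPUT hook runs, so this rule does
    # not change what the sensor captures. With no IP on the interface it only
    # decides what the kernel does with frames addressed to the host itself,
    # and a listen-only port has no reason to accept those.
    printf '%s\n' "-A INPUT -i $sniff -j $policy"
    # Outbound rules match the egress interface with -o; -i is rejected in OUTPUT.
    printf '%s\n' "-A OUTPUT -o $sniff -j $policy"
    printf '%s\n' 'COMMIT'
}

# Parse the ruleset without loading it (iptables-restore --test).
check_ruleset() {
    sensor_ruleset "$@" | iptables-restore --test
}

# Load it atomically on the sensor (needs root).
apply_ruleset() {
    sensor_ruleset "$@" | iptables-restore
}
```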



------------------------------

Message: 4
Date: Fri, 7 Jun 2013 11:25:17 +0200
From: soukaina mzerda <soukaina.mz () gmail com>
Subject: Re: [Snort-users] Snort-users Digest, Vol 85, Issue 24
To: snort-users () lists sourceforge net
Message-ID: <CABCqq+7wmsYwtPm7aQg-Y=ieyWSo5iPaaPMmy3n3Sd2G1=6Gvw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Yes, I rebuilt with --enable-debug and I got the same error:
segmentation fault.
NB: first I had configured snort2.9.1 and snort rules 2940 without
libdnet and daq, but at least I was able to run snort -v successfully;
but once I changed the version of snort and snort rules and installed daq and
libdnet, I started getting the error in question.


On Fri, Jun 7, 2013 at 6:08 AM, <snort-users-request () lists sourceforge net> wrote:

Today's Topics:

   1. Re: troubleshooting snort (waldo kitty)
   2. Snort.org Blog: Snort FAQ is open for community   involvement!
      (Joel Esler)
   3. segmentation fault (soukaina mzerda)
   4. Re: segmentation fault (Russ Combs)
   5. Snort with IPtables (Steven McLaughlin)
   6. Re: Snort with IPtables (Jeremy Hoel)


----------------------------------------------------------------------

Message: 1
Date: Thu, 06 Jun 2013 14:08:15 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] troubleshooting snort
To: snort-users () lists sourceforge net
Message-ID: <51B0D00F.9070505 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 6/6/2013 08:34, soukaina mzerda wrote:
Hi,
I configured snort-2.9.4.6 with snortrule 2941, libdnet-1.12 and daq and all
the packages needed, but I just can't run snort.
I did snort -v and I get segmentation fault; at least plz tell me where
it is coming from plz

you are not using the SO rules from that 2.9.4.1 rules package, are you??

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.



------------------------------

Message: 2
Date: Thu, 6 Jun 2013 15:59:58 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: [Snort-users] Snort.org Blog: Snort FAQ is open for community
        involvement!
To: "snort-users () lists sourceforge net mailinglist" <snort-users () lists sourceforge net>,
        "snort-sigs () lists sourceforge net list" <snort-sigs () lists sourceforge net>,
        Snort Developpers support <snort-devel () lists sourceforge net>
Message-ID: <45C4F2F5-95EE-4DF8-952C-53A269F847BF () sourcefire com>
Content-Type: text/plain; charset=us-ascii


http://blog.snort.org/2013/06/snort-faq-is-open-for-community.html

Snort FAQ is open for community involvement!

Following the success of our ClamAV FAQ being placed on Github, we decided
to do the same thing to the Snort FAQ in hopes that it will make the
content available to community users to submit content to and make it
easily manageable.

So, now available:
https://github.com/vrtadmin/snort-faq/blob/master/README.md

The reason we put it on Github is it makes it simple to edit (in Markdown
format), it's easy to audit, it's easy to clone and import, etc.  When we
did this with the ClamAV FAQ, we found it made the content super easy to
keep up to date, allows for several users to work on it and allows for
community involvement.

So this is what we are hoping you will do.  I took the old FAQ that was on
http://www.snort.org, made it into Markdown and moved it to Github.

Now we can add things like "Having a problem capturing TCP traffic?  Have
you tried "-k none" in your testing?"

So, have at it.  We'll review all content and approve it as it comes in
through your pull requests.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


------------------------------

Message: 3
Date: Thu, 6 Jun 2013 23:46:18 +0200
From: soukaina mzerda <soukaina.mz () gmail com>
Subject: [Snort-users] segmentation fault
To: snort-users () lists sourceforge net
Message-ID: <CABCqq+4E0SM+Jboiqm3BOiak9Wqvye3wujmvOuSyJ=j1CG7RAw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I reconfigured snort-2946, snort rules-2946, libdnet-1.12 and daq-2.0.0
very successfully.
I run snort -v and I get a horrible error:
segmentation fault
knowing that my ldd does not show any missing file, so any idea about where
does this come from?
plz I need your help :/

------------------------------

Message: 4
Date: Thu, 6 Jun 2013 18:09:51 -0400
From: Russ Combs <rcombs () sourcefire com>
Subject: Re: [Snort-users] segmentation fault
To: soukaina mzerda <soukaina.mz () gmail com>
Cc: snort-users () lists sourceforge net
Message-ID: <CAN8FaB_cWd4pUMirXZhF-Zi9+NENVQmy7ArKN3HGp5sEKWcAUw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"



What does snort -V give you?

Can you rebuild with --enable-debug and send a back trace?  We will also
need, at least, `head config.log`.





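A script, added here as an example and not code from the thread or from the Snort project, that gathers what Russ asks for above (snort -V, head config.log, a backtrace from a --enable-debug build) plus an ldd check, and triages the resulting backtrace, including the single-frame "0x00000002 in ?? ()" case shown at the top of this page. It assumes the source tree is passed as the first argument with the binary at src/snort beneath it (the path in that gdb session); the CFLAGS setting in rebuild_debug is an added assumption.

```shell
#!/bin/sh
# Collect the diagnostics requested above (snort -V, head config.log, ldd,
# a gdb backtrace) and triage the backtrace. Assumes the Snort source tree
# is $1 and the binary is $1/src/snort, as in the gdb session on this page.

# Rebuild with --enable-debug as asked; the CFLAGS are an added assumption
# so that gdb can name every frame.
rebuild_debug() {
    (cd "$1" && ./configure --enable-debug CFLAGS="-g -O0" && make)
}

# Count backtrace frames gdb could not attribute to any function (stdin).
unresolved_frames() {
    grep -c '^#[0-9][0-9]* *0x[0-9a-fA-F]* in ?? ()' || true
}

# One-line triage of a gdb session read from stdin. A lone frame such as
# "#0  0x00000002 in ?? ()" means execution jumped to an invalid address
# (a corrupted function pointer or return address): there is no code at the
# PC to unwind from, so only a symbol build with "bt full" and
# "info sharedlibrary" will reveal the caller that made the jump.
summarize_backtrace() {
    out=$(cat)
    frames=$(printf '%s\n' "$out" | grep -c '^#[0-9]' || true)
    unres=$(printf '%s\n' "$out" | unresolved_frames)
    named=$(printf '%s\n' "$out" | grep '^#[0-9]' | grep -v ' in ?? ()' | head -n 1 \
        | sed 's/^#[0-9]* *\(0x[0-9a-fA-F]* in \)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\) (.*/\2/')
    printf 'frames=%s unresolved=%s first_named=%s\n' "$frames" "$unres" "${named:-none}"
}

crash_report() {
    bin=$1/src/snort
    echo "== snort -V =="; "$bin" -V 2>&1 || true
    echo "== head config.log =="; head "$1/config.log"
    echo "== ldd (a 'not found' entry is a missing library) =="; ldd "$bin"
    echo "== gdb (full log in gdb.log) =="
    # -batch runs snort -v non-interactively and executes the remaining
    # commands once it stops; if it does not crash, stop it with Ctrl-C.
    gdb -q -batch -ex run -ex 'bt full' -ex 'info sharedlibrary' \
        --args "$bin" -v 2>&1 | tee gdb.log | summarize_backtrace
}

if [ -n "${1:-}" ]; then crash_report "$1"; fi
```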

------------------------------

Message: 5
Date: Fri, 7 Jun 2013 14:03:07 +1000
From: Steven McLaughlin <steve () Lan com au>
Subject: [Snort-users] Snort with IPtables
To: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <CAC06-HV2tn_hgFgJzh+oyEg8=_sL+WFmAABSBoCQuOiUSTecFg () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,

What's the take on running a snort sensor with IPtables running. In first
instance I would think this interferes with sensor detection capability.

Is anyone running IPtables on the same host as their Snort sensor? If so,
what is the best way to nail this? The reason I ask is that I have two
interfaces. One is the management interface which will have an IP address.
This interface will deny all incoming traffic except for tcp/22 and tcp/443
inbound connections.

The other interface is the snort sensor on eth1. The sensor is listening
only. So is a rule allowing all incoming like so sufficient for Snort
sniffing:

-A INPUT -i eth1 -j ACCEPT

Or should I also allow all outbound as follows:

-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -i eth1 -j ACCEPT

Alternatively, is there a best practice IPtables configuration for snort
sensors?

thanks,

Steve

------------------------------

Message: 6
Date: Thu, 6 Jun 2013 22:08:16 -0600
From: Jeremy Hoel <jthoel () gmail com>
Subject: Re: [Snort-users] Snort with IPtables
To: Steven McLaughlin <steve () lan com au>
Cc: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <CAH_p-VNt2BgmPhARNYP8_fP0mJ3ckq5-tOW=wfukbRRx_dibeg () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

we run iptables on all our sensors, but we don't give the sniffing
port an ip and have no iptables entries for it.

It works like a champ.




------------------------------





End of Snort-users Digest, Vol 85, Issue 24
*******************************************


------------------------------




End of Snort-users Digest, Vol 85, Issue 25
*******************************************
