Snort mailing list archives

Re: Snort-users Digest, Vol 87, Issue 67


From: anagha b <banagha3 () gmail com>
Date: Sat, 24 Aug 2013 13:14:27 +0530

I tried to make uninstall of snort using root

and performed rm -rf on snort and snort-2.9.5 directory.

Using synaptic package manager removed all snort packages.


plz help


On Sat, Aug 24, 2013 at 12:32 PM, <snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim
your response.

Today's Topics:

   1. Re: Snort-users Digest, Vol 87, Issue 65 (anagha b)


----------------------------------------------------------------------

Message: 1
Date: Sat, 24 Aug 2013 12:31:52 +0530
From: anagha b <banagha3 () gmail com>
Subject: Re: [Snort-users] Snort-users Digest, Vol 87, Issue 65
To: snort-users () lists sourceforge net
Message-ID: <CACCbNds=SoKTguy51Y7fhLWe6ZCWXxAWcTM8ytOR-AROL3ofHw () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I tried to uninstall snort using

oneadmin@a:~/snort-2.9.5$ make uninstall

and checked snort version

oneadmin@a:~/snort-2.9.5$ snort -V

     -*> Snort! <*-

o" )~ Version 2.9.4.6 GRE (Build 73)


how to remove this snort2.9.4.6 ?




On Sat, Aug 24, 2013 at 10:40 AM, anagha b <banagha3 () gmail com> wrote:

 @dynamic preprocessor error

here is the information you asked

1] I removed all the files from snort_dynamicpreprocessor dir
2] In snort.conf I set them to snort_dynamicpreprocessor dir as per the
installation guide.
3] o/p of snort -v

If I go to snort dir I get following error

snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Failed to lookup interface: no suitable device found. Please
specify one with -i switch
Fatal Error, Quitting..


If I go to snort-2.9.5 dir then I get following o/p

oneadmin@a:~/snort-2.9.5$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.6 GRE (Build 73)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

I think I am using 2.9.5 rules with 2.9.4.6 snort but I used 2.9.5 .tar.gz
for installation.





On Fri, Aug 23, 2013 at 7:22 PM, <
snort-users-request () lists sourceforge net> wrote:


Today's Topics:

   1. community-rules.tar.gz.md5 empty? (Jeremy Hoel)
   2. Re: community-rules.tar.gz.md5 empty? (Joel Esler)
   3. Last (short) chance to submit papers for PacSec in Tokyo Nov
      13-14. Deadline FRIDAY. (Dragos Ruiu)
   4. Query for fast_pattern override (Arvind Kumar)
   5. @dynamic preprocessor error (anagha b)
   6. Re: @dynamic preprocessor error (waldo kitty)


----------------------------------------------------------------------

Message: 1
Date: Thu, 22 Aug 2013 23:42:23 +0000
From: Jeremy Hoel <jthoel () gmail com>
Subject: [Snort-users] community-rules.tar.gz.md5 empty?
To: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <CAH_p-VPD88XeU9gmpU73jeJ-3Y4-b+itog7w9Zm+ppEb_KSkhQ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I was testing the svn of Pulledpork and noticed that it was looping on
community rules and the md5sum check..


Checking latest MD5 for snortrules-snapshot-2950.tar.gz....
 They Match
Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
 No Match
Done
Rules tarball download of community-rules.tar.gz....
No Match
 Done
Rules tarball download of community-rules.tar.gz....
No Match
Done


checking the community-rules.tar.gz.md5 shows that it's an empty file.
I tried downloading it myself in another directory and it's also empty.

Is this a recent problem or a known issue?

------------------------------

Message: 2
Date: Thu, 22 Aug 2013 19:48:07 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] community-rules.tar.gz.md5 empty?
To: Jeremy Hoel <jthoel () gmail com>
Cc: "snort-users () lists sourceforge net"
        <snort-users () lists sourceforge net>
Message-ID: <A1F35D53-E447-4CE5-B5B4-5A7C8A941D48 () sourcefire com>
Content-Type: text/plain;       charset=us-ascii

Let me check into this.

--
Joel Esler

On Aug 22, 2013, at 7:42 PM, Jeremy Hoel <jthoel () gmail com> wrote:

I was testing the svn of Pulledpork and noticed that it was looping on
community rules and the md5sum check..


Checking latest MD5 for snortrules-snapshot-2950.tar.gz....
      They Match
      Done!
Checking latest MD5 for community-rules.tar.gz....
Rules tarball download of community-rules.tar.gz....
      No Match
      Done
Rules tarball download of community-rules.tar.gz....
      No Match
      Done
Rules tarball download of community-rules.tar.gz....
      No Match
      Done


checking the community-rules.tar.gz.md5 shows that it's an empty file.
 I tried downloading it myself in another directory and it's also empty.

Is this a recent problem or a known issue?


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!



------------------------------

Message: 3
Date: Thu, 22 Aug 2013 18:42:45 -0700
From: Dragos Ruiu <dr () kyx net>
Subject: [Snort-users] Last (short) chance to submit papers for PacSec in Tokyo Nov 13-14. Deadline FRIDAY.
To: snort-users () lists sourceforge net
Message-ID: <2C1076F2-6EEC-40E9-9AA5-DF5AF1AC67B7 () kyx net>
Content-Type: text/plain; charset="us-ascii"

Since we didn't mail out to the traditional mailing lists for PacSec
this year, this note is being sent out, and
we are allowing submissions to secwest13 () pacsec jp up until this
Friday, August 23.

After more than ten years, you know the drill, and if you don't CFP
details are on the website.

thanks,
--dr

--
Dragos Ruiu (dr () kyx net)
PacSec - Technology Enhancement  - 2013 Tokyo November 13-14 -
https://pacsec.jp
PGP: https://cansecwest.com/kyxpgp2013-2.asc - E471 9B0E E774 EB21 18C8
8C95 37D1 C250 5D2B 20D0








------------------------------

Message: 4
Date: Fri, 23 Aug 2013 14:10:16 +0530
From: Arvind Kumar <arvind.kumar12 () gmail com>
Subject: [Snort-users] Query for fast_pattern override
To: snort-users () lists sourceforge net
Message-ID: <CANOpJwVaTXY+Nivdy+6HVJm-wRN2uYLp9455HGWNUSCMVwaEeQ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Guys,

I have following query on fast_pattern; our snort.conf file has
*max-pattern-len 20* for fast_pattern. I have only used the *fast_pattern*
keyword (here I have not used *fast_pattern:only;* or *fast_pattern:x,y;*)
in the rule for the content which is more than 20 bytes, to change the
default snort behavior of longest content as fast_pattern candidate.

My question: will the "*fast_pattern*" keyword with a content size greater
than 20 bytes override snort's default longest content as fast_pattern
candidate and also override the max-pattern-len 20, or should I use
fast_pattern:only; to override the max-pattern-len and snort default
longest content as fast_pattern?

Warm Regards

Arvind Kumar

------------------------------

Message: 5
Date: Fri, 23 Aug 2013 18:56:43 +0530
From: anagha b <banagha3 () gmail com>
Subject: [Snort-users] @dynamic preprocessor error
To: snort-users () lists sourceforge net
Message-ID: <CACCbNdsvsB4+H15iYE+98LZ5QdEcmFp27wPWt4_o8oyztxoYsQ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi all


Using snort-2.9.5 and configured it with --enable sourcefire

when tried to run snort got following error

ERROR size 448 != 456
ERROR: Failed to initialize dynamic preprocessor: SF_IMAP version 1.0.1
(-2)
Fatal Error, Quitting..


Tried solutions
1]removed dynamic preprocessor and done make install again
2] tried to run snort with -T

snort -c /snort.conf -T instead of snort -c /snort.conf -i eth0

still same error persists I am using daq-2.0.0 and libdne-1.12.


plz help .

------------------------------

Message: 6
Date: Fri, 23 Aug 2013 09:52:43 -0400
From: waldo kitty <wkitty42 () windstream net>
Subject: Re: [Snort-users] @dynamic preprocessor error
To: snort-users () lists sourceforge net
Message-ID: <5217692B.9080804 () windstream net>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 8/23/2013 09:26, anagha b wrote:
> ERROR size 448 != 456
> ERROR: Failed to initialize dynamic preprocessor: SF_IMAP version 1.0.1 (-2)
> Fatal Error, Quitting..
>
> Tried solutions
> 1]removed dynamic preprocessor and done make install again

1. where did you remove the preprocessors from?
2. where is the snort.conf pointing to for them?
3. what does "snort -V" return?

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.



------------------------------




End of Snort-users Digest, Vol 87, Issue 65
*******************************************





End of Snort-users Digest, Vol 87, Issue 67
*******************************************
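
The empty community-rules.tar.gz.md5 reported in the quoted Issue 65 digest shows up in the tool output only as repeated "No Match" downloads. The following is an added example, not PulledPork's code and not from any poster in this thread: a shell check that reports an empty or malformed checksum file as its own condition, separate from a real mismatch. The function name `verify_md5` and its exit codes are assumptions of this sketch, and it assumes `md5sum` is installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not PulledPork code).
# Exit codes assumed here: 0 match, 1 mismatch, 2 unusable .md5, 3 no tarball.

verify_md5() {
    tarball=$1
    md5file=$2

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 3; }

    # An empty or absent checksum file can never match, and downloading the
    # tarball again will not change that, so report it separately.
    if [ ! -s "$md5file" ]; then
        echo "checksum file empty or missing: $md5file" >&2
        return 2
    fi

    # First whitespace-delimited token of the first line, lower-cased.
    expected=$(awk 'NR==1 {print tolower($1); exit}' "$md5file")

    # A usable MD5 digest is exactly 32 hex digits.
    case $expected in
        *[!0-9a-f]*) echo "malformed checksum in $md5file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed checksum in $md5file" >&2; return 2; }

    actual=$(md5sum "$tarball" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $tarball" >&2
    return 1
}

# Constructed demo: a stand-in tarball with an empty .md5 beside it.
demo=$(mktemp -d)
printf 'constructed sample data\n' > "$demo/community-rules.tar.gz"
: > "$demo/community-rules.tar.gz.md5"
verify_md5 "$demo/community-rules.tar.gz" "$demo/community-rules.tar.gz.md5"
echo "exit status: $?"
rm -rf "$demo"
```

A caller that retries downloads only on exit status 1 and stops on 2 avoids looping when the published checksum file itself is the problem.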
