Re: Snort-users Digest, Vol 86, Issue 13

[anagha b <banagha3 () gmail com>]

Hi all,


I solved the root access problem by changing barnyard.conf but I am still
not getting one point that I configured snort with user anagha and I have
to run snort as root ?

Can anybody give solution for it .


On Mon, Jul 8, 2013 at 7:40 PM,
<snort-users-request () lists sourceforge net>wrote:

> Send Snort-users mailing list submissions to
>         snort-users () lists sourceforge net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request () lists sourceforge net
>
> You can reach the person managing the list at
>         snort-users-owner () lists sourceforge net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. Re: @snort startup (waldo kitty)
>    2. Re: @snort log (waldo kitty)
>    3. Re: Snort on WindowsXP (Michael Steele)
>    4. Re: Snort on WindowsXP (waldo kitty)
>    5. Re: a few questions... (Russ Combs)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 06 Jul 2013 09:25:37 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] @snort startup
> To: snort-users () lists sourceforge net
> Message-ID: <51D81AD1.6060104 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 7/6/2013 04:11, anagha b wrote:
> > I am using snort on ubuntu12.04 and configured one interface eth0 in
> barnyard .
>
> i don't think that barnyard is going to be part of this problem...
>
> > I have only one interface eth0 so using it for acquiring packet I am
> getting
> > following error.
> >
> > command  :snort -c /snort-2.9.4.6/etc/snort.conf -i eth0
>
> 1. is this a fully self built snort installation?
> 2. please provide the complete snort output instead of just the tail of
> it...
> 3. please provide your snort.conf...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 06 Jul 2013 09:36:15 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] @snort log
> To: snort-users () lists sourceforge net
> Message-ID: <51D81D4F.9030401 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 7/6/2013 07:52, anagha b wrote:
> > Hi all
> >
> > Got snort running  but everytime i start snort i have to set library
> path for
> > libdnet.1
> >
> > I am getting file  snort.u2.1373105384  format in /var/log/snort.
> >
> > how to read these files?
>
> U2 files are a combination log format... you must use a tool like barnyard
> to
> break them apart and place them into a database... then you use tools to
> read
> the database for correlation of the events...
>
> > I searched on net but not getting .
> >
> > I want to see snort log should i go for snorby for viewing it?
> >
> > Plz provide link to use gui with snort.
>
> [pedantic] you are not looking for a GUI strictly for snort. that implies
> a GUI
> that only controls snort, snort's configs and possibly the rules
> files...[/pedantic]
>
> it sounds like you are instead looking for a GUI to interface to the alert
> database... snorby is one of numerous such tools... you might want to look
> at
> security onion which contains several GUI interfaces so you can choose
> which
> one(s) you want or need to use... each has its good points and bad
> points...
> some are hard to configure but offer a huge range of capabilities while
> others
> are easy to configure but offer a limited set of abilities...
>
>    http://securityonion.blogspot.com/
>
> NOTE: i have not looked at security onion and do not use it at this time...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 6 Jul 2013 16:37:26 -0400
> From: "Michael Steele" <michaels () winsnort com>
> Subject: Re: [Snort-users] Snort on WindowsXP
> To: "'waldo kitty'" <wkitty42 () windstream net>,
>         <snort-users () lists sourceforge net>
> Message-ID: <000801ce7a88$a0c24430$e246cc90$@winsnort.com>
> Content-Type: text/plain;       charset="iso-8859-1"
>
> You might want to explain to him how this converts to Windows :)
>
> ---------\
> grep -i -E "shellcode" /path/to/your/rules/*.rules
> ---------/
> B
> est regards,
> Michael...
>
> WINSNORT.com Management?
> --
> ****************** Established ~ 2001 *******************
> *????????? Visit Us @ http://www.winsnort.com?????????? *
> *????? ~~ FREE WinIDS Snort installation guides ~~????? *
> *?????????????? ~~ FREE support forums ~~?????????????? *
> * Snort: Open Source Network IDS - http://www.snort.org *
> *********************************************************
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 () windstream net]
> Sent: Saturday, July 06, 2013 9:21 AM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort on WindowsXP
>
> On 7/6/2013 02:19, MCLEOD, DONNIE wrote:
> > Hi Snort users,can someone help with code alert for Snort to detect
> > shell code on the above conf Snort is run in IDS mode using the
> > following command line; snort -c C:\snort\etc\snort.conf -l
> > C:\snort\log -i 1
> >
> > Iam trying to get the IDS to trigger an alert on detection,thanks.
>
> is this a school assignment?
>
> there are already (139) existing shellcode related rules available... do
> they not fit your needs?
>
> grep -i -E "shellcode" /path/to/your/rules/*.rules
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
> ----------------------------------------------------------------------------
> --
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 07 Jul 2013 13:01:08 -0400
> From: waldo kitty <wkitty42 () windstream net>
> Subject: Re: [Snort-users] Snort on WindowsXP
> To: snort-users () lists sourceforge net
> Message-ID: <51D99ED4.7030203 () windstream net>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 7/6/2013 16:37, Michael Steele wrote:
> > You might want to explain to him how this converts to Windows :)
> >
> > ---------\
> > grep -i -E "shellcode" /path/to/your/rules/*.rules
> > ---------/
>
> ooohh... yeah! i totally skipped out on the c:\ stuff in their post... but
> then
> again, i have windows flavors of most *nix tools like grep, sed and awk ;)
>
> i suppose one might use the file search function to search for *.rules
> files
> that contain the phrase "shellcode"... then they can look at them with
> whatever
> file viewer or editor they desire...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 8 Jul 2013 10:10:34 -0400
> From: Russ Combs <rcombs () sourcefire com>
> Subject: Re: [Snort-users] a few questions...
> To: waldo kitty <wkitty42 () windstream net>
> Cc: snort-users () lists sourceforge net
> Message-ID:
>         <CAN8FaB87GWRNPGpgo+PDN7q0P0s7FTCcwChn9szzJugu=
> YKngw () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Fri, Jul 5, 2013 at 7:53 PM, waldo kitty <wkitty42 () windstream net>
> wrote:
>
> > On 7/5/2013 18:35, Russ Combs wrote:
> > > On Fri, Jul 5, 2013 at 5:56 PM, waldo kitty <wkitty42 () windstream net>
> > wrote:
> > [trim]
> > >     1. i do have 14 compiled so dynamic rules files in my lib
> directory.
> > snort
> > >     does recognize them and appears to load them as can be seen in the
> > execution
> > >     output attached below. the question is why does snort report "0
> > Dynamic
> > >     rules" when it is initializing the rule chains? there /are/ 72
> rules
> > stubs
> > >     in the so_rules directory and they were created from the compiled
> > rules by
> > >     snort's --dump-dynamic-rules option... did i miss a change in the
> > >     so_rules/src/Makefile other than changing the SNORT_VERSION entry?
> > >
> > >
> > > Those are dynamically activated rules as opposed to dynamically loaded
> > rules.
> > > Check here:
> > >
> > > http://manual.snort.org/node29.html#SECTION00421000000000000000
> > > http://manual.snort.org/node29.html#SECTION00426000000000000000
> >
> > ahh! ok... perhaps that header can be changed to say "Dynamically
> Activated
> > rules" to clarify this? it might also be a nice idea to place an
> additional
> > category in the "XXX Snort rules read" section that states how many
> > "Dynamically
> > loaded rules" there are in that total of rules read (and processed)??
> >
> > >     2. when i terminate snort, the "Packet I/O Totals" count of
> processed
> > >     doesn't make sense. it says 4054 received and analyzed but the
> > "Breakdown by
> > >     protocol" says there were 4057. where did the extra three packets
> > come from?
> > >     it also reports 125 "Other" packets. how can i find out what they
> > are or were?
> > > They are certain rebuilt packets counted here:
> > >
> > >       S5 G 2:            3 (  0.074%)
> >
> > ya know? i don't recall if i even saw that entry... sometimes it is kinda
> > of
> > hard to break out the counts properly... one would normally think that
> > they can
> > add up that whole column to come up with the same total but that's
> > definitely
> > not the proper thing to do...
> >
> > can you provide a hint on what is considered as "Other" packets that my
> > short
> > run turned up? 125 of them makes me curious as to what is going on on
> that
> > box
> > that i'm not aware of ;)
>
> They are cases where the decoding stopped due to an unsupported protocol,
> eg an ethertype for which there is no decoder.  It could also be that
> available decoders weren't built (./configure --enable-non-ether-decoders
> may help here).
>
> > > Check here:
> > >
> > > http://manual.snort.org/node9.html#SECTION00273000000000000000
> > >
> > > I guess that should also state that packets flushed at shutdown are
> > counted
> > > there as well.
> >
> > that would be a good idea, as well ;)
> >
> > --
> > NOTE: No off-list assistance is given without prior approval.
> >        Please keep mailing list traffic on the list unless
> >        private contact is specifically requested and granted.
> ------------------------------------------------------------------------------
> > This SF.net email is sponsored by Windows:
> >
> > Build for Windows Store.
> >
> > http://p.sf.net/sfu/windows-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 86, Issue 13
> *******************************************
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!