Snort mailing list archives
Re: FW: AW: Libovar Man info.
From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Thu, 10 Apr 2014 17:45:01 +0100
I have commented out the # for the white & black list rules to run through the config document to see any other errors and have another error as follows:

ERROR: ../rules/blacklist.rules(22) Unknown ClassType: trojan-activity
Fatal Error, Quitting..

I have seen it relates to the classification and reference.config files which are in the config file as follows:

include classification.config
include reference.config

When I add rule paths to them I get the following error:

ERROR: ./../rules/usr/src/reference.config(0) Unable to open rules file "./../rules/usr/src/reference.config": No such file or directory.
Fatal Error, Quitting..

I have attached my snort.conf which is unfinished as I started from scratch again

Thanks
Rameez

From: rameez_q () hotmail co uk
Date: Thu, 10 Apr 2014 16:37:33 +0100
To: snort () outlook com
CC: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

I'm not quite sure what you mean in relation to touch them. Would I be changing the following for example

Whitelist $WHITE_LIST/white_list.rules

To the following

touch /path/to/directory/black_list.rules

I don't seem to have any white or black list rules?

Thanks
Rameez

Sent from my iPhone

On 10 Apr 2014, at 04:32 PM, "Y M" <snort () outlook com> wrote:

I was about to reply, but you figured it out. For the list files, you will need to "touch" them in the respective directory as configured in your snort.conf file

touch /path/to/directory/black_list.rules

YM

Sent from Mobile

From: Rameez Qureshi
Sent: 4/10/2014 6:27 PM
To: Y M
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

Hello

Please ignore my last email. I have now made a directory for the dynamic rules and copied all the required files into that directory. I now have a new error which is error:507 unable to open address file which is the white_list.rule and also I suspect the black_list.rule file will throw up the same error

Sent from my iPhone

On 10 Apr 2014, at 04:25 PM, "Rameez Qureshi" <rameez_q () hotmail co uk> wrote:

Hello

I've started my snort.conf from scratch and have an error 249 snort couldn't start dynamic module path dynamic rules. I've taken the rules out and #'d them and that still produces the error. Where may I find this file? I have downloaded snort and the ruleset again and can't find the dynamic rules

Thanks
Rameez

Sent from my iPhone

On 10 Apr 2014, at 05:20 AM, "Y M" <snort () outlook com> wrote:

line 540 from your snort.conf file says:

include $RULE_PATH/usr/src/rulesfile-identify.rules

It is missing the "/" after the "rules", compared to the other include statements. Another note is that since your RULE_PATH variable is defined at the beginning of your snort.conf file, you just simply append the rule name to that variable, for example:

RULE_PATH /path/to/rules/

then your include statement would look something like:

include $RULE_PATH/local.rules

From: rameez_q () hotmail co uk
To: wkitty42 () windstream net
Date: Thu, 10 Apr 2014 01:59:04 +0100
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

the error I get is as follows:

root@kali:/usr/src# snort -dev -l ./log -h 192.168.0.10/24 -c snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
ERROR: snort.conf(540) Undefined variable name: RULE_PATH.
Fatal Error, Quitting..

When I add in # before the rule path in line 540 of the snort.conf then it does not throw up any error but it reads 0 rules when initializing as follows:

root@kali:/usr/src# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Tagged Packet Limit: 256
Log directory = ./log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Verifying Preprocessor Configurations!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0xb6cb8b70 (4388)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=4383)

I have attached my snort.conf

Thanks
Rameez
Date: Wed, 9 Apr 2014 20:42:35 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.
On 4/9/2014 6:19 PM, Rameez Qureshi wrote:
for my snort.conf file when taking the # out of the rule paths for rules and
for including individual rules it throws up an error and this led me to taking
out the # where snort seemed to fire correctly but did not load any rules
what error???
So I'm still stuck on how to load rules without getting any errors
I have attached my snort.conf
Thanks
Rameez
Date: Wed, 9 Apr 2014 14:16:35 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.
On 4/9/2014 1:35 PM, Rameez Qureshi wrote:
Hello
There is only one config file, am I correct in saying that the # comments
the files out and therefore I should take these out for part 7, 8 & 9
YES! '#' are comment indicators... lines starting with them are commented out...
i was wondering why you had so many lines starting with '#' characters... in
effect you barely have a working config with it in its current state...
--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment:
snort.conf
Description:
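Every error traded in this thread (the undefined RULE_PATH at line 540, the include that resolves to "./../rules/usr/src/reference.config", the list files that were never created) is an include line whose path does not resolve to a file, and that can be checked before Snort's parser aborts. The script below is an added example, not code from any poster or from the Snort project; it assumes that "var NAME VALUE" defines a variable, that a commented-out line ("#var ...") defines nothing, and that a relative include is resolved against the directory holding snort.conf (the "./" prefix in the thread's error messages shows that behaviour). The function names resolve_include, check_includes and demo are made up for this example.

```shell
# Added example, not code from the thread or from Snort: a pre-flight
# check of the include lines in a snort.conf. Assumed: "var NAME VALUE"
# defines a variable, "#var ..." defines nothing, and a relative include
# is resolved against the directory that holds snort.conf.

# Expand every $NAME in an include path from the var definitions in CONF.
# Prints the resolved path; returns 1 and prints nothing if NAME is undefined.
resolve_include() {
  conf=$1; path=$2
  while printf '%s' "$path" | grep -q '\$[A-Za-z_][A-Za-z0-9_]*'; do
    name=$(printf '%s' "$path" | sed 's/.*\$\([A-Za-z_][A-Za-z0-9_]*\).*/\1/')
    val=$(awk -v n="$name" '$1 == "var" && $2 == n { print $3; exit }' "$conf")
    [ -n "$val" ] || return 1
    path=$(printf '%s' "$path" | sed "s|\\\$$name|$val|")
  done
  printf '%s\n' "$path"
}

# Report each include of CONF as ok / MISSING / UNDEFINED and return the
# number of problems (include paths are assumed to contain no spaces).
check_includes() {
  conf=$1; dir=$(dirname "$conf"); bad=0
  for inc in $(awk '$1 == "include" { print $2 }' "$conf"); do
    if ! path=$(resolve_include "$conf" "$inc"); then
      echo "UNDEFINED VARIABLE  $inc"; bad=$((bad + 1)); continue
    fi
    case $path in /*) ;; *) path="$dir/$path" ;; esac
    if [ -f "$path" ]; then echo "ok       $path"
    else echo "MISSING  $path"; bad=$((bad + 1)); fi
  done
  return $bad
}

# Constructed demo tree: one good rules include, the thread's mistyped
# reference.config path, and a list file whose variable is commented out.
demo() {
  d=$(mktemp -d); mkdir -p "$d/etc" "$d/rules"
  touch "$d/rules/local.rules" "$d/etc/classification.config"
  cat > "$d/etc/snort.conf" <<'EOF'
var RULE_PATH ../rules
#var WHITE_LIST ../rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/usr/src/reference.config
include $WHITE_LIST/white_list.rules
EOF
  n=0; check_includes "$d/etc/snort.conf" || n=$?
  rm -rf "$d"; return $n   # 2 problems: one MISSING, one UNDEFINED
}
```

Run demo (or check_includes on a real snort.conf) and fix every MISSING or UNDEFINED line before trying "snort -c snort.conf" again; the classification.config and reference.config includes must also resolve, since the rules' classtype keywords are defined there.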