Snort mailing list archives
Snort doesn't generate unified2 alert log
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
Date: Wed, 8 Oct 2014 11:27:23 +0700
Hello,

My Snort doesn't generate a unified2 alert log. It just generates:
1. normal alert log
2. tcpdump.log
3. u2_log.log (unified2 log)

These are the log files in my /var/log/snort:

-rw-r--r--. 1 root  root  3248466 Oct 8 10:23 alert
-rw-------. 1 snort snort  458058 Oct 7 09:37 tcpdump.log.1412584211
-rw-------. 1 snort snort   24353 Oct 7 09:41 tcpdump.log.1412649469
-rw-------. 1 snort snort  646404 Oct 8 09:54 tcpdump.log.1412649720
-rw-------. 1 snort snort   67633 Oct 8 09:59 tcpdump.log.1412736874
-rw-------. 1 snort snort  494560 Oct 8 10:23 tcpdump.log.1412737189
-rw-------. 1 snort snort  546396 Oct 8 10:23 u2_log.log

and here is the output configuration in the snort.conf of my Snort:

# unified2
# Recommended for most installs
output unified2: filename u2.log, limit 128, nostamp

# Additional configuration for specific types of installs
output alert_unified2: filename u2.alert, limit 128, nostamp
output log_unified2: filename u2_log.log, limit 128, nostamp

# syslog
output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID

# pcap
output log_tcpdump: tcpdump.log

2014-10-08 10:23 GMT+07:00 <snort-users-request () lists sourceforge net>:
Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-owner () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:
1. Re: Snort.org confirmation email (Jeremy Hoel)
2. Re: Snort.org confirmation email (Stuart Wyatt)
3. Re: Get Invalid Configuration in blacklist.rules when restart Snort (Jutichai Thongkrachai)

---------- Forwarded message ----------
From: Jeremy Hoel <jthoel () gmail com>
To: Stuart Wyatt <stuart () wyatt pops net>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Tue, 7 Oct 2014 22:18:09 +0000
Subject: Re: [Snort-users] Snort.org confirmation email

Did you check your spam folders? This email from you was in my spam folder... maybe your signups went there.

On Tue, Oct 7, 2014 at 9:01 PM, Stuart Wyatt <stuart () wyatt pops net> wrote:
I’ve tried signing up on Snort.org for a few days now, but can’t get a confirmation email. I’ve tried two email addresses on very different systems and tried the resend confirmation email process several times with no success. If I try to sign up again it says my email address has been used, so the initial sign up did work to some extent. Is the system having issues?
Stuart

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

---------- Forwarded message ----------
From: Stuart Wyatt <stuart () wyatt pops net>
To: Jeremy Hoel <jthoel () gmail com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Wed, 8 Oct 2014 00:12:02 +0000
Subject: Re: [Snort-users] Snort.org confirmation email

I found the server was rejecting sendgrid.info as the sender. I disabled and re-enabled the sender filter and it started letting the email come through. No idea why it denied it, and I can’t reproduce it.

---------- Forwarded message ----------
From: Jutichai Thongkrachai <thsecmaniac () gmail com>
To: snort-users () lists sourceforge net
Cc:
Date: Wed, 8 Oct 2014 10:23:40 +0700
Subject: Re: [Snort-users] Get Invalid Configuration in blacklist.rules when restart Snort

To Dr. Stephen,
I corrected my pulledpork.pl and tried to run this script again, including restarting snort. There is no invalid configuration any more. Thank you so much!

2014-10-06 21:27 GMT+07:00 <snort-users-request () lists sourceforge net>:
Today's Topics:
1. Re: 93.184.215.200 black listed IP address (Joel Esler (jesler))
2. Re: Get Invalid Configuration in blacklist.rules when restart Snort (Joel Esler (jesler))

---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: Ceejay Cervantes <ceejay.cervantes () gmail com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 6 Oct 2014 14:22:24 +0000
Subject: Re: [Snort-users] 93.184.215.200 black listed IP address

We have it listed as an “Attacker” from an outside source. It’s a private IP out registered through RIPE’s server. Allegedly registered to a private address in Santa Monica, CA. Don’t think that’s Microsoft.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Oct 6, 2014, at 10:07 AM, Ceejay Cervantes <ceejay.cervantes () gmail com> wrote:
Hello, Good day. Any idea on why the 93.184.215.200 IP address was included on the black_list.rules? It seems to be a false positive. Am seeing microsoft.com domains on tcpdump.
regards,
Ceejay

---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: Stephen Gantz <stephen.gantz () faculty umuc edu>
Cc: Jutichai Thongkrachai <thsecmaniac () gmail com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Date: Mon, 6 Oct 2014 14:26:55 +0000
Subject: Re: [Snort-users] Get Invalid Configuration in blacklist.rules when restart Snort

Good call Stephen… I’m sure I have the power to fix this issue… J

On Oct 6, 2014, at 10:21 AM, Stephen Gantz <stephen.gantz () faculty umuc edu> wrote:
Don't confuse blacklist.rules (one of the VRT rules files) with the blacklist of IP addresses referenced in your reputation preprocessor. It looks like you may have edited blacklist.rules instead of the black_list.rules file referenced by default by the preprocessor in snort.conf. Bear in mind that black_list.rules does not exist when you install Snort - you have to create it (and the white_list.rules file too if you are using a whitelist). I tell my students to choose a different name for the blacklist file (the one with the IP addresses) to try to avoid exactly this confusion.

Dr. Stephen D. Gantz CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Oct 6, 2014, at 8:56 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
On Oct 6, 2014, at 1:38 AM, Jutichai Thongkrachai <thsecmaniac () gmail com> wrote:
Hello, before I had this problem, I installed pulledpork to get the latest rules from snort. After that I restarted snort but got this error:

Oct 06 12:25:55 snort[25714]: Detection:
Oct 06 12:25:55 snort[25714]: Search-Method = AC-Full-Q
Oct 06 12:25:55 snort[25714]: Split Any/Any group = enabled
Oct 06 12:25:55 snort[25714]: Search-Method-Optimizations = enabled
Oct 06 12:25:55 snort[25714]: Maximum pattern length = 20
Oct 06 12:25:55 snort[25714]: FATAL ERROR: /etc/snort/rules/blacklist.rules(1) Invalid configuration line: 1.122.106.236
Oct 06 12:25:55 snort[25709]: [33B blob data]
Oct 06 12:25:55 systemd[1]: snort.service: control process exited, code=exited status=1
Oct 06 12:25:55 systemd[1]: Failed to start LSB: Start up the SNORT Intrusion Detection System daemon.

but in blacklist.rules there is just one IP address per line.
<trim digest>

Looks like you aren’t loading the blacklist as a blacklist inside the preprocessor. It appears Snort is trying to load the Blacklist as a configuration option or something. Can you attach your snort.conf?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
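As an added example (not from the original post or from the Snort project), a small Python check that parses the output lines quoted in the post and reports which of the configured log files actually exist in the log directory, so an output plugin that never wrote anything (here unified2 and alert_unified2) stands out. It assumes Snort 2.9 "output <plugin>: ..." syntax and that files written without nostamp carry a ".<unix seconds>" suffix, as the tcpdump.log files in the listing do.

```python
import re

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+):\s*(.*?)\s*$")  # "output <plugin>: <args>"
STAMP_RE = re.compile(r"\.\d{10}$")  # files written without nostamp get ".<unix seconds>"

# Constructed copy of the output section quoted in the post.
SNORT_CONF = """
output unified2: filename u2.log, limit 128, nostamp
output alert_unified2: filename u2.alert, limit 128, nostamp
output log_unified2: filename u2_log.log, limit 128, nostamp
output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output log_tcpdump: tcpdump.log
"""
# Constructed from the /var/log/snort listing in the post (file names only).
LOG_DIR_LISTING = ["alert", "tcpdump.log.1412584211", "tcpdump.log.1412649469",
                   "tcpdump.log.1412649720", "tcpdump.log.1412736874",
                   "tcpdump.log.1412737189", "u2_log.log"]

def parse_outputs(conf_text):
    """Map each output plugin to the file it should write and its nostamp flag."""
    outputs = {}
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, parts = m.group(1), [p.strip() for p in m.group(2).split(",")]
        filename = None
        if plugin == "log_tcpdump":  # takes the file name as its first argument
            filename = parts[0] or None
        else:  # unified2 family: "filename <name>" somewhere in the argument list
            for p in parts:
                if p.startswith("filename "):
                    filename = p.split(None, 1)[1]
        outputs[plugin] = {"filename": filename, "nostamp": "nostamp" in parts}
    return outputs

def check_outputs(outputs, listing):
    """Return {plugin: present?} for every output that is supposed to write a file."""
    result = {}
    for plugin, cfg in outputs.items():
        name = cfg["filename"]
        if name is None:  # alert_syslog and friends write no file at all
            continue
        if cfg["nostamp"]:
            result[plugin] = name in listing
        else:
            result[plugin] = any(f.startswith(name + ".") and STAMP_RE.search(f) for f in listing)
    return result
```

Run `check_outputs(parse_outputs(SNORT_CONF), LOG_DIR_LISTING)` against a real snort.conf and `os.listdir` of the `-l` directory to get the same present/missing table for your own sensor.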
Current thread:
- Snort doesn't generate unified2 alert log Jutichai Thongkrachai (Oct 07)