Snort mailing list archives
Re: Snort-users Digest, Vol 105, Issue 9
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 3 Feb 2015 16:29:44 +0000
Your path listed in your snort.conf file to your rules location is incorrect. Taken from the snort.conf file:

    # Path to your rules files (this can be a relative path)
    # Note for Windows users: You are advised to make this an absolute path,
    # such as: c:\snort\rules
    var RULE_PATH ../rules

The variable "RULE_PATH" should be changed so that your rules can be found.

More info can be found in the manual here:
http://manual.snort.org/node16.html#SECTION00312000000000000000

Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Ikenna Chiadikaobi [mailto:reniykec () yahoo com]
Sent: Tuesday, February 03, 2015 10:58 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-users Digest, Vol 105, Issue 9

I have installed the pulledpork and it was okay, but when I run

    sudo snort -T -c /etc/snort/snort.conf

I get the below error:

    ERROR: /etc/snort//etc/snort/rules/snort.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/snort.rules": No such file or directory.

CHIADIGHIKAOBI IKENNA RENE
UNIVERSITI MALAYSIA SARAWAK
FACULTY OF COMPUTER SEC & INFORMATION TECH
COMPUTER NETWORK.
BY THE GRACE OF GOD WE CAN DO ALL THINGS.
On Tuesday, February 3, 2015 7:13 AM, "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net> wrote:

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net

You can reach the person managing the list at
    snort-users-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

   1. Re: Upgraded to 2.9.7.0, then down graded to 2.9.6.2 and snort will not start (Avery Rozar)
   2. Re: Welcome to the "Snort-users" mailing list (Digest mode) (Ikenna Chiadikaobi)

----------------------------------------------------------------------

Message: 1
Date: Tue, 3 Feb 2015 13:36:06 +0000
From: Avery Rozar <Avery.Rozar () i-techsupport com>
Subject: Re: [Snort-users] Upgraded to 2.9.7.0, then down graded to 2.9.6.2 and snort will not start
To: Juan Jesus Prieto <jjprieto () redborder org>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <DAE5B6F6CCE5954BAEF5DEC144735FF7CE2E3439 () iTechDAG1 i-techsupport com>
Content-Type: text/plain; charset="iso-8859-1"

Sorry, I did get the uninstall working. I was not in the correct src directory, and it did fix the issue. Since 2.9.7 was not uninstalled it was trying to load OpenAppID with 2.9.6.2, but it's working now.

Thanks!

________________________________________
From: Juan Jesus Prieto [jjprieto () redborder org]
Sent: Monday, February 02, 2015 7:42 AM
To: Avery Rozar; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Upgraded to 2.9.7.0, then down graded to 2.9.6.2 and snort will not start

Hi Avery,

What is your 'make uninstall' output?

On 02/02/15 13:18, Avery Rozar wrote:
Thank you Juan, I think I may have found the issue. Not sure how to fix it though.

"sudo snort -i dna0 -u snort -g snort" works fine... If I change the snort00.conf to use afpacket and not pfring_dna when running with the normal "sudo snort -Q -i dna0:dna1 -u snort -g snort -c /etc/snort/snort00.conf -l /var/log/snort/Z0" I get the following error:

    "ERROR: Failed to initialize dynamic preprocessor: APPID version 1.1.4 (-1)"

AppID is not in 2.9.6.2, so it seems my installing of 2.9.6.2 is sort of mixed... It is definitely trying to use 2.9.6.2.

    sudo snort --version

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.6.2 GRE (Build 77)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.1.1
               Using PCRE version: 7.8 2008-09-05
               Using ZLIB version: 1.2.3

Is there a proper "uninstall" method when using source? "make uninstall" does not seem to work.

________________________________________
From: Juan Jesus Prieto [jjprieto () redborder org]
Sent: Sunday, February 01, 2015 2:23 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Upgraded to 2.9.7.0, then down graded to 2.9.6.2 and snort will not start

Hi Avery,

Try executing snort (without -q and -D) in the foreground; rsyslogd is dropping messages due to rate-limiting, and maybe you are discarding important messages.

On the other hand, the barnyard2 messages are the known "lonely packet" effect. Are the rules set to 'log' instead of 'alert'? These messages appear when snort registers a packet in the unified2 file and sets the event to null due to the nonexistence of it (only log instead of alert/drop), or because the snort.log files have been rotated and the related event information has been lost from the barnyard2 cache due to a service restart.

Regards.
On 01/02/15 19:30, Avery Rozar wrote:

I'm tailing /var/log/messages and all I get is "ERROR version 7 < 11". After upgrading to 2.9.7.0 I was getting "WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x1e6fcc0], information has not been outputed." I did not realize it until I did not see any alerts for a few days. Thinking this may just be a Barnyard2 and Snort 2.9.7.0 compatibility issue I just decided to downgrade to 2.9.6.2, and now snort will not start. I made sure the "/usr/local/lib/snort_dynamicrules/" has the proper so rules, and pulledpork is set for "2.9.6.2". Pulledpork pulls sigs just fine. Below is the output from "messages" when starting snort. Any ideas what I've done wrong?

Starting snort:
Feb 1 13:20:54 vs-101 snort[3091]: Enabling inline operation
Feb 1 13:20:54 vs-101 snort[3091]: Running in IDS mode
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: --== Initializing Snort ==--
Feb 1 13:20:54 vs-101 snort[3091]: Initializing Output Plugins!
Feb 1 13:20:54 vs-101 snort[3091]: Initializing Preprocessors!
Feb 1 13:20:54 vs-101 snort[3091]: Initializing Plug-ins!
Feb 1 13:20:54 vs-101 snort[3091]: Parsing Rules file "/etc/snort/snort00.conf"
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'HTTP_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'SHELLCODE_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 0:79 81:65535 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'ORACLE_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 1024:65535 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'SSH_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 22 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'FTP_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 21 2100 3535 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'SIP_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 5060:5061 5600 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'FILE_DATA_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: PortVar 'GTP_PORTS' defined :
Feb 1 13:20:54 vs-101 snort[3091]: [ 2123 2152 3386 ]
Feb 1 13:20:54 vs-101 snort[3091]:
Feb 1 13:20:54 vs-101 snort[3091]: Detection:
Feb 1 13:20:54 vs-101 snort[3091]: Search-Method = AC-Full-Q
Feb 1 13:20:54 vs-101 snort[3091]: Split Any/Any group = enabled
Feb 1 13:20:54 vs-101 snort[3091]: Search-Method-Optimizations = enabled
Feb 1 13:20:54 vs-101 snort[3091]: Maximum pattern length = 20
Feb 1 13:20:55 vs-101 snort[3091]: Tagged Packet Limit: 256
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-apache.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-other.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/exploit-kit.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-linux.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-windows.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-other.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-dns.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/policy-social.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-icmp.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-iis.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-other.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-pdf.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-other.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/pua-p2p.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-office.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-plugins.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-flash.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-image.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-multimedia.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/netbios.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-webapp.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-cnc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-voip.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/indicator-shellcode.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-other.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mail.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-oracle.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-nntp.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mysql.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-java.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-snmp.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Feb 1 13:20:55 vs-101 snort[3091]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Feb 1 13:20:55 vs-101 snort[3091]: done
Feb 1 13:20:55 vs-101 snort[3091]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Feb 1 13:20:55 vs-101 snort[3091]: Log directory = /var/log/snort/Z0
Feb 1 13:20:55 vs-101 snort[3091]: Normalizer config:
Feb 1 13:20:55 vs-101 snort[3091]: ip4: on
Feb 1 13:20:55 vs-101 snort[3091]: ip4::df: off
Feb 1 13:20:55 vs-101 snort[3091]: ip4::rf: off
Feb 1 13:20:55 vs-101 snort[3091]: ip4::tos: off
Feb 1 13:20:55 vs-101 snort[3091]: ip4::trim: off
Feb 1 13:20:55 vs-101 snort[3091]: ip4::ttl: on (min=1, new=5)
Feb 1 13:20:55 vs-101 snort[3091]: Normalizer config:
Feb 1 13:20:55 vs-101 snort[3091]: tcp: on
Feb 1 13:20:55 vs-101 snort[3091]: tcp::ecn: stream
Feb 1 13:20:55 vs-101 snort[3091]: tcp::urp: on
Feb 1 13:20:55 vs-101 snort[3091]: tcp::opt: off
Feb 1 13:20:55 vs-101 snort[3091]: tcp::ips: on
Feb 1 13:20:55 vs-101 snort[3091]: Normalizer config:
Feb 1 13:20:55 vs-101 snort[3091]: icmp4: on
Feb 1 13:20:55 vs-101 snort[3091]: Normalizer config:
Feb 1 13:20:55 vs-101 snort[3091]: ip6: on
Feb 1 13:20:55 vs-101 snort[3091]: ip6::hops: on (min=1, new=5)
Feb 1 13:20:55 vs-101 snort[3091]: Normalizer config:
Feb 1 13:20:55 vs-101 snort[3091]: icmp6: on
Feb 1 13:20:55 vs-101 snort[3091]: Frag3 global config:
Feb 1 13:20:55 vs-101 snort[3091]: Max frags: 65536
Feb 1 13:20:55 vs-101 snort[3091]: Fragment memory cap: 4194304 bytes
Feb 1 13:20:55 vs-101 snort[3091]: Frag3 engine config:
Feb 1 13:20:55 vs-101 snort[3091]: Bound Address: default
Feb 1 13:20:55 vs-101 snort[3091]: Target-based policy: WINDOWS
Feb 1 13:20:55 vs-101 snort[3091]: Fragment timeout: 180 seconds
Feb 1 13:20:55 vs-101 snort[3091]: Fragment min_ttl: 1
Feb 1 13:20:55 vs-101 snort[3091]: Fragment Anomalies: Alert
Feb 1 13:20:55 vs-101 snort[3091]: Overlap Limit: 10
Feb 1 13:20:55 vs-101 snort[3091]: Min fragment Length: 100
Feb 1 13:20:55 vs-101 snort[3091]: Stream5 global config:
Feb 1 13:20:55 vs-101 snort[3091]: Track TCP sessions: ACTIVE
Feb 1 13:20:55 vs-101 snort[3091]: Max TCP sessions: 262144
Feb 1 13:20:55 vs-101 snort[3091]: TCP cache pruning timeout: 30 seconds
Feb 1 13:20:55 vs-101 snort[3091]: TCP cache nominal timeout: 3600 seconds
Feb 1 13:20:55 vs-101 snort[3091]: Memcap (for reassembly packet storage): 8388608
Feb 1 13:20:55 vs-101 snort[3091]: Track UDP sessions: ACTIVE
Feb 1 13:20:55 vs-101 snort[3091]: Max UDP sessions: 131072
Feb 1 13:20:55 vs-101 snort[3091]: UDP cache pruning timeout: 30 seconds
Feb 1 13:20:55 vs-101 snort[3091]: UDP cache nominal timeout: 180 seconds
Feb 1 13:20:55 vs-101 snort[3091]: Track ICMP sessions: INACTIVE
Feb 1 13:20:55 vs-101 snort[3091]: Track IP sessions: INACTIVE
Feb 1 13:20:55 vs-101 snort[3091]: Log info if session memory consumption exceeds 1048576
Feb 1 13:20:55 vs-101 snort[3091]: Send up to 2 active responses
Feb 1 13:20:55 vs-101 snort[3091]: Wait at least 5 seconds between responses
Feb 1 13:20:55 vs-101 snort[3091]: Protocol Aware Flushing: ACTIVE
Feb 1 13:20:55 vs-101 snort[3091]: Maximum Flush Point: 16000
Feb 1 13:20:55 vs-101 snort[3091]: Max Expected Streams: 768
Feb 1 13:20:55 vs-101 snort[3091]: Stream5 TCP Policy config:
Feb 1 13:20:55 vs-101 snort[3091]: Bound Address: default
Feb 1 13:20:55 vs-101 snort[3091]: Reassembly Policy: WINDOWS
Feb 1 13:20:55 vs-101 snort[3091]: Timeout: 180 seconds
Feb 1 13:20:55 vs-101 snort[3091]: Limit on TCP Overlaps: 10
Feb 1 13:20:55 vs-101 snort[3091]: Maximum number of bytes to queue per session: 1048576
Feb 1 13:20:55 vs-101 snort[3091]: Maximum number of segs to queue per session: 2621
Feb 1 13:20:55 vs-101 snort[3091]: Options:
Feb 1 13:20:55 vs-101 rsyslogd-2177: imuxsock begins to drop messages from pid 3091 due to rate-limiting
ERROR version 7 < 11
[FAILED]

------------------------------------------------------------------------------
Dive into the World of Parallel Programming.
The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------

Message: 2
Date: Tue, 3 Feb 2015 15:01:51 +0000 (UTC)
From: Ikenna Chiadikaobi <reniykec () yahoo com>
Subject: Re: [Snort-users] Welcome to the "Snort-users" mailing list (Digest mode)
To: "Al Lewis (allewi)" <allewi () cisco com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Message-ID: <382797135.927129.1422975712040.JavaMail.yahoo () mail yahoo com>
Content-Type: text/plain; charset="utf-8"

Hi, thanks for the reply. Attached is my snort.conf file and pulledpork file. These are the errors I get for pulledpork when I run

    sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

    Checking latest MD5 for etpro.rules.tar.gz....
        A 404 error occurred, please verify your filenames and urls for your tarball!
        Error 404 when fetching https://rules.emergingthreatspro.com/et oinkcode/snort-2.9.7/etpro.rules.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463.
        main::md5file('et oinkcode', 'etpro.rules.tar.gz', '/tmp/', 'https://rules.emergingthreatspro.com/et oinkcode/snort-2.9.7/') called at /usr/local/bin/pulledpork.pl line 1847

Thanks.

CHIADIGHIKAOBI IKENNA RENE
UNIVERSITI MALAYSIA SARAWAK
FACULTY OF COMPUTER SEC & INFORMATION TECH
COMPUTER NETWORK.
BY THE GRACE OF GOD WE CAN DO ALL THINGS.

On Tuesday, February 3, 2015 3:31 AM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Both of your errors point to missing files.

This error:

    ERROR: /etc/snort//etc/snort/rules/snort.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/snort.rules": No such file or directory.
Looks like your snort.conf rule location is set up incorrectly.

The other error:

    Couldn't read /tmp/468.389031567739-black_list.rules - No such file or directory

Looks like you are trying to pull down a file that doesn't exist.

Please provide a snort.conf file if possible.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Ikenna Chiadikaobi [mailto:reniykec () yahoo com]
Sent: Tuesday, February 03, 2015 1:54 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Welcome to the "Snort-users" mailing list (Digest mode)

Hi, I am Rene. Please, I am facing this problem when configuring snort in Ubuntu 14.04:

    Detection:
       Search-Method = AC-Full-Q
        Split Any/Any group = enabled
        Search-Method-Optimizations = enabled
        Maximum pattern length = 20
    ERROR: /etc/snort//etc/snort/rules/snort.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/snort.rules": No such file or directory.
    Fatal Error, Quitting..

And also, after using pulledpork following the guide PDF provided on the snort website, I get this problem:

    IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
    Reading IP List...
    Couldn't read /tmp/468.389031567739-black_list.rules - No such file or directory at /usr/local/bin/pulledpork.pl line 487.
        main::read_iplist('HASH(0x9717abc)', '/tmp/468.389031567739-black_list.rules') called at /usr/local/bin/pulledpork.pl line 378
        main::rulefetch('open', 'IPBLACKLIST0', '/tmp/', 'http://labs.snort.org/feeds/ip-filter.blf') called at /usr/local/bin/pulledpork.pl line 1856

I will appreciate your help.

Thanks.
CHIADIGHIKAOBI IKENNA RENE
UNIVERSITI MALAYSIA SARAWAK
FACULTY OF COMPUTER SEC & INFORMATION TECH
COMPUTER NETWORK.
BY THE GRACE OF GOD WE CAN DO ALL THINGS.

On Tuesday, February 3, 2015 2:15 PM, "snort-users-request () lists sourceforge net" <snort-users-request () lists sourceforge net> wrote:

Welcome to the Snort-users () lists sourceforge net mailing list!

This list is for general discussion of Snort usage, problems, design, etc. Do not use this list, or the members of this list, to market your or any other products to. We value our Community's privacy and their right not to receive unsolicited email. Any attempts to do so will result in your being banned from the lists indefinitely.

To post to this list, send your email to:
    snort-users () lists sourceforge net

General information about the mailing list is at:
    https://lists.sourceforge.net/lists/listinfo/snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pulledpork.conf
Type: application/octet-stream
Size: 10290 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 26888 bytes
Desc: not available

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest, Vol 105, Issue 9
*******************************************
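Checking include paths the way Snort resolves them. The doubled path in the error quoted in this thread, /etc/snort//etc/snort/rules/snort.rules, is a product of Snort 2.9's include handling: the parser expands $RULE_PATH, stats the resulting path as written, and if that fails retries with the directory of the -c config file prepended; the retried path is the one printed in "Unable to open rules file". So a missing absolute path is reported with the config directory glued onto the front, and the thing to verify is whether the file the include names exists at all (here, the snort.rules that pulledpork writes). The script below is an added example, not code from this thread, from Snort or from pulledpork; it reproduces that lookup order over a constructed snort.conf in a temporary directory so the failing includes can be listed before running snort -T. The function names (check_includes, resolve_include, expand_vars, demo) and the temporary layout are my own.

```python
"""Added example: resolve every `include` in a Snort 2.9 snort.conf the way
Snort does and report which ones cannot be opened (not part of Snort)."""
import os
import re
import shutil
import sys
import tempfile

# `var NAME value` lines define path variables such as RULE_PATH.
# ipvar/portvar define address and port sets and never appear in include paths.
_VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
_INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
_TOKEN_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def expand_vars(path, variables):
    """Replace $NAME and ${NAME} with values collected from `var` lines;
    unknown names are left untouched so the failure stays visible."""
    def repl(match):
        name = match.group(1) or match.group(2)
        return variables.get(name, match.group(0))
    return _TOKEN_RE.sub(repl, path)


def resolve_include(path, conf_dir):
    """Mimic Snort 2.9's ParseInclude: stat the path as written; if that fails,
    retry with the directory of the top-level config prepended.  The retried
    path is the one Snort prints in "Unable to open rules file", so a missing
    absolute path shows up doubled, e.g. /etc/snort//etc/snort/rules/snort.rules.
    Returns (path_tried_last, exists)."""
    if os.path.exists(path):
        return path, True
    fallback = conf_dir + path
    return fallback, os.path.exists(fallback)


def check_includes(conf_path):
    """Return [(include_line, path_tried_last, exists), ...] for conf_path."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path)) + os.sep
    variables = {}
    results = []
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments
            m = _VAR_RE.match(line)
            if m:
                variables[m.group(1)] = expand_vars(m.group(2), variables)
                continue
            m = _INCLUDE_RE.match(line)
            if m:
                target = expand_vars(m.group(1), variables)
                tried, ok = resolve_include(target, conf_dir)
                results.append((line, tried, ok))
    return results


def demo():
    """Constructed scenario (temporary files, removed afterwards): RULE_PATH is
    absolute and correct, local.rules exists, but snort.rules was never written,
    which is what happens when pulledpork aborts before generating it."""
    root = tempfile.mkdtemp()
    try:
        rules_dir = os.path.join(root, "etc", "snort", "rules")
        os.makedirs(rules_dir)
        open(os.path.join(rules_dir, "local.rules"), "w").close()
        conf = os.path.join(root, "etc", "snort", "snort.conf")
        with open(conf, "w") as fh:
            fh.write("var RULE_PATH %s\n" % rules_dir)
            fh.write("include $RULE_PATH/local.rules\n")
            fh.write("include $RULE_PATH/snort.rules  # pulledpork output, missing\n")
        return check_includes(conf)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # With a path argument the real config is checked; without one the demo runs.
    report = check_includes(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for line, tried, ok in report:
        print("%s  %-40s -> %s" % ("OK     " if ok else "MISSING", line, tried))
```

Run it as `python3 check_includes.py /etc/snort/snort.conf` from the same working directory you start Snort from, since the first lookup is relative to the current directory exactly as Snort's is. A MISSING line whose reported path contains the config directory twice means the include named an absolute path that does not exist, which points at the rules file, not at RULE_PATH, as the thing to fix.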
Current thread:
- Re: Snort-users Digest, Vol 105, Issue 9 Al Lewis (allewi) (Feb 03)