Snort mailing list archives
Re: Snort-users Digest, Vol 17, Issue 10
From: Divyanshu Banerjee via Snort-users <snort-users () lists snort org>
Date: Sun, 14 Oct 2018 15:12:21 +0530
Is there any way of collecting multiple snort sensor logs to a centralized location?

On Fri, Oct 12, 2018 at 9:35 PM <snort-users-request () lists snort org> wrote:
Send Snort-users mailing list submissions to snort-users () lists snort org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.snort.org/mailman/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists snort org
You can reach the person managing the list at snort-users-owner () lists snort org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:
1. Snort Blog: Snort 2.9.12.0 has been released (Joel Esler (jesler))
2. Re: Snort Blog: Snort 2.9.12.0 has been released (Ian)
3. Re: Monitor progress and ETA while running snort (Assaf)

---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
To: "Thomas McCourt (tmccourt) via Snort-users" <snort-users () lists snort org>, "snort-devel () lists snort org" <snort-devel () lists snort org>, "snort-sigs () lists snort org" <snort-sigs () lists snort org>, "Joel Esler (jesler) via Snort-openappid" <snort-openappid () lists snort org>
Date: Thu, 11 Oct 2018 19:55:53 +0000
Subject: [Snort-users] Snort Blog: Snort 2.9.12.0 has been released

https://blog.snort.org/2018/10/snort-29120-has-been-released.html

Snort 2.9.12.0 has been released

Please join us as we welcome SNORTⓇ 2.9.12.0 to the family! Some release notes on this latest version:

New Additions
- Parsing HTTP CONNECT to extract the tunnel IP and port information.
- Alerting and dechunking for chunked encoding in HTTP1.0 request and response.

Improvements
- Fixed an issue where, if we have a junk line before HTTP response header, the header was wrongly parsed.
- Fixed GZIP evasions where an HTTP response with content-encoding:gzip contains a body that has a GZIP-related anomaly.
- Fixed an issue in certain scenarios where a BitTorrent pattern is seen only on the third packet of the session, causing us to miss our client detection.
- SMB improvements for file detection and processing.

We'd like to thank the following members of the Snort community for reporting issues and submitting code to the project:
- Elof
- Anuj Patel
- Markus
- David Binderman
- Stephan Zeisbarg

As always, we welcome feedback and community participation in Snort on the snort-users mailing list <https://snort.org/community>.

---------- Forwarded message ----------
From: Ian <snort_list () fishnet co uk>
To: snort-users () lists snort org
Date: Fri, 12 Oct 2018 09:52:45 +0100
Subject: Re: [Snort-users] Snort Blog: Snort 2.9.12.0 has been released

Hi,

I've just built from the source RPM on a CentOS 6 system on which I previously built 2.9.11.0, using the command:

    rpmbuild --rebuild snort-2.9.12-1.src.rpm

The rpms created are:

    snort-openappid-2.9.12-1.x86_64.rpm
    snort-openappid-debuginfo-2.9.12-1.x86_64.rpm

Is this version with openappid a drop-in replacement for the previous one? Will any reconfiguring need doing?

Thanks
Ian

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

---------- Forwarded message ----------
From: Assaf <assaf.morami () gmail com>
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Cc: snort-users () lists snort org
Date: Fri, 12 Oct 2018 16:49:10 +0300
Subject: Re: [Snort-users] Monitor progress and ETA while running snort

Thanks! I didn't know about the USR1 trick.

On Thu, Oct 11, 2018, 15:51 Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:

kill -USR1 (snort pid) and snort will dump stats to stdout. See "Packet I/O Totals" for packets read so far.

--pcap-list will run a batch of pcaps, but be aware that Snort resets between each pcap so you would probably still need to do your merge.

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Assaf via Snort-users <snort-users () lists snort org>
Reply-To: Assaf <assaf.morami () gmail com>
Date: Thursday, October 11, 2018 at 12:56 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Monitor progress and ETA while running snort

Hi, I just wanted to share how I monitor progress and ETA while running snort from a pcap file.
If I have only one pcap I use pipe viewer (the pv command) like this:

    pv x.pcap | snort -r -

If I have more than one pcap, e.g. from a big tcpdump run, I merge all of them on the fly using joincap (https://github.com/assafmo/joincap) like this:

    joincap *.pcap | pv -s $(du -bc *.pcap | awk '/total/{print $1}') | snort -r -

This way pv prints progress and ETA information while snort is running. :-)

Shameless plug - I wrote joincap specifically for this kind of situation, because mergecap and tcpslice do not handle errors very well.
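A reusable wrapper around the pipeline Assaf describes, added here as an example and not code from the thread or from joincap: it sums the pcap sizes with wc -c (works on both GNU and BSD userland, unlike the GNU-only du -b) so pv gets an exact -s total, refuses to start if a file is missing, and falls back to plain pv for a single file. It assumes pv, joincap and snort are on PATH; SNORT_OPTS is a hypothetical variable for extra snort arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes pv, joincap and snort are on
# PATH; SNORT_OPTS is a hypothetical env var for extra snort arguments.

# Sum the byte sizes of the given pcap files so pv -s gets an exact total.
# wc -c is used instead of du -b because du -b is GNU-specific.
pcap_total_bytes() {
    total=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "pcap_total_bytes: no such file: $f" >&2
            return 1
        fi
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# Run snort over one or more pcaps with a progress bar and ETA.
# usage: snort_with_progress file1.pcap [file2.pcap ...]
snort_with_progress() {
    [ "$#" -ge 1 ] || { echo "usage: snort_with_progress pcap..." >&2; return 2; }
    # Fail before starting snort if any input is missing.
    bytes=$(pcap_total_bytes "$@") || return 1
    if [ "$#" -eq 1 ]; then
        # pv reads the file itself and knows its size, so -s is not needed.
        pv "$1" | snort -r - ${SNORT_OPTS-}
    else
        # joincap merges on the fly; pv needs -s because a pipe has no size.
        joincap "$@" | pv -s "$bytes" | snort -r - ${SNORT_OPTS-}
    fi
}
```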
Current thread:
- Re: Snort-users Digest, Vol 17, Issue 10 Divyanshu Banerjee via Snort-users (Oct 15)