Snort mailing list archives

Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)


From: Dorian ROSSE via Snort-devel <snort-devel () lists snort org>
Date: Sun, 12 Jun 2022 15:58:29 +0000

Dear Russ,


Here is the documentation README.dump.md:

'''Dump Module
===========

A wrapper DAQ module that presents the configuration stack as inline-interface-
and injection-capable.  All packet messages that are finalized with a passing
verdict (PASS, REPLACE, WHITELIST, IGNORE) or injected will be written to a PCAP
savefile.  By default, the packet capture file will be named 'inline-out.pcap'
in the current directory.  The default filename can be overridden with the
'file' variable.  For historical reasons, the 'output' variable also exists and
accepts only one valid argument in 'none' to disable writing out a PCAP file
altogether.

The Dump DAQ module also supports capturing received packets to a separate PCAP
savefile.  This is disabled by default, but can be enabled with the 'dump-rx'
variable.  The 'dump-rx' variable takes an optional argument for the filename
to dump received packets to; it defaults to 'inline-in.pcap' if no argument is
given.

When running with multiple instances, both the TX and RX output filenames
will be mangled to start with the instance ID followed by an underscore.  For
example, the default TX output filename would be '2_inline-out.pcap' for the
second instance.  Both the TX and RX output filenames must be bare (no directory
structure, relative nor absolute) in such a configuration.

Requirements
------------
* libpcap >= 1.0.0
    (LibPCAP 1.9.0 is available at the time of writing and is recommended.)
'''

As you see, it misses the command line!

Thus I repeat my question and ask another question:

Where is the command line with the dump, and how do I repair my problem?!?

thank you in advance for your answer,

and finally, thank you in advance for not answering aside,

Regards.


Dorian ROSSE.
________________________________
De : Russ Combs (rucombs) <rucombs () cisco com>
Envoyé : mardi 7 juin 2022 16:36
À : Dorian ROSSE <dorianbrice () hotmail fr>
Cc : Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Objet : Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

I recommend them all, including dump, depending on use case. You need to read up on the modules available in the libdaq 
and snort3 repos to find out which apply to your case and how to use them:

libdaq:

./README.md
./modules/dump/README.dump.md
./modules/divert/README.divert.md
./modules/trace/README.trace.md
./modules/savefile/README.savefile.md
./modules/bpf/README.bpf.md
./modules/gwlb/README.gwlb.md
./modules/pcap/README.pcap.md
./modules/fst/README.fst.md
./modules/nfq/README.nfq.md
./modules/afpacket/README.afpacket.md
./modules/netmap/README.netmap.md

snort3:

./doc/user/daq.txt (or the user manual)

________________________________
From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Tuesday, June 7, 2022 9:33 AM
To: Russ Combs (rucombs) <rucombs () cisco com>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

Hello,


What module do you advise aside from dump?

Thank you in advance for your answer,

Regards.


Dorian Rosse.
________________________________
From: Russ Combs (rucombs) <rucombs () cisco com>
Sent: Tuesday, June 7, 2022 3:15:08 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

You got the error because the dump DAQ module does not support these DAQ variables you are setting on the command line. 
They look like afpacket variables. Check the DAQ READMEs to select and configure an appropriate module for your needs.
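As an added illustration of Russ's point (example code, not from the thread or from libdaq): a small Python pre-flight check that attributes each --daq-var to the --daq module named before it and tests the dump module's variables against the README.dump.md text quoted earlier in this thread (only 'file', 'output' with the sole value 'none', and 'dump-rx', which must be bare filenames when more than one instance is used). The binding of a variable to the most recent --daq is my assumption; the command line is reconstructed from the one posted in the thread.

```python
import shlex

# Variables documented for the dump DAQ module in README.dump.md (quoted
# earlier in this thread). 'output' accepts only 'none'; 'dump-rx' takes an
# optional filename. Other modules are not documented on this page, so the
# check leaves their variables alone.
DUMP_VARS = {"file", "output", "dump-rx"}

def parse_daq_args(cmdline):
    """Return (module_stack, {module: [(name, value), ...]}, instances).

    Assumption: a --daq-var belongs to the most recent --daq module given
    before it, which is how the thread's command line reads.
    """
    argv = shlex.split(cmdline)
    stack, vars_by_module, instances, current = [], {}, 1, None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--daq":
            current = argv[i + 1]; stack.append(current); i += 2
        elif arg == "--daq-var":
            name, _, value = argv[i + 1].partition("=")
            vars_by_module.setdefault(current, []).append((name, value)); i += 2
        elif arg == "-z":
            instances = int(argv[i + 1]); i += 2
        else:
            i += 1  # every other option is irrelevant to this check
    return stack, vars_by_module, instances

def check_dump_vars(cmdline):
    """List the problems the dump README would raise for this command line."""
    _stack, vars_by_module, instances = parse_daq_args(cmdline)
    problems = []
    for name, value in vars_by_module.get("dump", []):
        if name not in DUMP_VARS:
            problems.append(f"dump does not support --daq-var {name}")
        elif name == "output" and value != "none":
            problems.append("output accepts only 'none'")
        elif name in ("file", "dump-rx") and instances > 1 and "/" in value:
            problems.append(f"{name} must be a bare filename with -z {instances}")
    return problems

# Constructed from the command line posted in the thread (unrelated options dropped).
THREAD_CMD = ("snort -c /usr/local/etc/snort/snort.lua --daq pcap --daq dump "
              "--daq-var lb_total=4 --daq-var fanout_type=hash -i enp0s25 "
              "--daq-var lb_id=1 -i wlp3s0 --daq-var lb_id=2 -z 2")

if __name__ == "__main__":
    for problem in check_dump_vars(THREAD_CMD):
        print(problem)
```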


________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Akshay Prabhakar via Snort-users <snort-users () lists snort org>
Sent: Monday, June 6, 2022 6:20 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

On Wed, May 25, 2022 at 12:23 AM Dorian ROSSE via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>> wrote:
hello,


I fall on this error since I have installed the rules for the next last snort 2.3.30:

'''~/snort_src/snort3-3.1.21.0$ sudo snort -c /usr/local/etc/snort/snort.lua --daq-dir ../libdaq-3.0.7 --daq pcap --daq dump --daq-var lb_total=4 --daq-var fanout_type=hash -s 65535 -k all -l /var/log/snort -i enp0s25 --daq-var lb_id=1 -i wlp3s0 --daq-var lb_id=2 -z 2 -m 0x1b
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading inline.lua:
Finished inline.lua:
Loading talos.lua:
Finished talos.lua:
trace
output
alert_json
ips
dnp3
binder
wizard
detection
reputation
    Processing blocklist file /usr/local/etc/snort/../lists/default.blocklist
    Reputation entries loaded: 801, invalid: 0, re-defined: 0 (from file /usr/local/etc/snort/../lists/default.blocklist)
appid
file_policy
file_id
http2_inspect
dce_tcp
active
dns
references
classifications
arp_spoof
snort
ERROR: /usr/local/etc/snort/snort.lua: snort.--daq-var is invalid
stream_user
stream_tcp
stream_icmp
stream_ip
profiler
alert_talos
stream
stream_udp
stream_file
back_orifice
imap
iec104
modbus
netflow
normalizer
pop
rpc_decode
sip
ssh
ssl
telnet
dce_smb
dce_udp
dce_http_proxy
dce_http_server
gtp_inspect
port_scan
smtp
ftp_server
ftp_client
ftp_data
http_inspect
alerts
daq
decode
host_cache
host_tracker
hosts
network
packets
process
search_engine
so_proxy
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
rule counts
       total rules loaded: 600
            builtin rules: 600
            option chains: 600
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     600       0       0       0
   total     600       0       0       0
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0     600       0     600    /usr/local/etc/snort/snort.lua
--------------------------------------------------
dump:pcap DAQ configured to inline.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..
'''

I don't understand the error.

Thank you in advance for helping me fully repair this snort, or for the other e-mail about snort 2.3.30,

Regards.


Dorian ROSSE.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


--
WITH REGARDS
AKSHAY.K.PRABHAKAR
akshayk.prabhakar () gmail com<mailto:akshayk.prabhakar () gmail com>

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread: