[Snort-users] unsubscribe

Ryan McClure (Systems Admin) - United Shipping rmcclure at ...2011...
Fri May 11 09:45:36 EDT 2001


-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 4:12 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #633 - 6 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: DNS Query Logging? (Steve Frank)
   2. Re: Snort + Acid w/ MySQL question(s) (alexus)
   3. Re: Snort + Acid w/ MySQL question(s) (Koaps)
   4. Snort won't run (alexus)
   5. RE: Snort won't run (Kevin Brown)
   6. Re: Snort won't run (alexus)

--__--__--

Message: 1
From: Steve Frank <sfrank at ...2014...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] DNS Query Logging?
Date: Thu, 10 May 2001 16:22:05 -0500

Isn't that logged in most default DNS installations anyway?  My NSTATS are
configured to pop into my syslog all the time--you should be able to see all
your query types there--or are you looking for something more specific than
that, Jeff?

Steve Frank
Network Manager
Midcom, Inc.


-----Original Message-----
From: Richard, Jeff [mailto:Jeff-Richard at ...562...]
Sent: Thursday, May 10, 2001 3:48 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] DNS Query Logging?


I hope someone can give a hand on this.  I need to get a count of how many
DNS queries my DNS servers are receiving.  What should a rule for DNS
queries look like?  I'm not familiar with DNS traffic, but realize that UDP
53 is the protocol/port, just not sure of any signature(s).

-Jeff

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--__--__--

Message: 2
From: "alexus" <ml at ...1718...>
To: <roman at ...438...>
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 17:26:25 -0400

mysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
| localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
+-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
1 row in set (0.00 sec)

mysql>


i copy and paste mysql output to show you that i do have all right
privileges

i also upgrade acid to 0.9.6b9 (which is latest beta for today)

it still doesn't work

----- Original Message -----
From: <roman at ...438...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


> One observation:
>
> - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> acid_conf.php will be ignored.
>
> Two recommendations:
>
> - are you sure that you have CREATE permissions on the DB
> user set in acid_conf.php?  If all else fails, try using the
> "create_acid_tbls_mysql.sql" to manually create the ACID
> tables.
>
> - upgrade to a more recent version of ACID => 0.9.6b9.  There
> are significant feature improvements as well as bug fixes.  If you
> prefer an older version, upgrade to at least 0.9.6b1 for it has
> a number of important bug fixes
>
> cheers,
> Roman
>
> > I'm using the following:
> >
> > FreeBSD 4.3 - RELEASE (STABLE)
> > ACID-0.9.5 - RELEASE (STABLE)
> > ADODB v1.0.1 - RELEASE (STABLE)
> > PHP - 4.0.5 - RELEASE (STABLE)
> > APACHE - 1.3.19 - RELEASE (STABLE)
> > SNORT - 1.7 - RELEASE (STABLE)
> >
> > to compile snort i used following line:
> > ../configure --with-mysql=/usr/local/mysql;make;make install
> >
> > i did change acid_conf.php i put path to adodb
> >
> > in adodb
> >
> > i put local path in adodb.inc.php
> >
> > when i go to http://localhost/acid it redirects me to acid_main.php and when
> > it gets there i get this:
> >
> > The underlying database alexus at ...274... apears to be invalid.
> >
> > The database version is valid, but the ACID DB structure (table: acid_ag) is
> > not present. Use the Setup page to configure and optimize the DB
> >
> > when i click on "Setup page"
> >
> > in status window i get "DONE" for "Search Indexes" and i have "Create ACID
> > AG" for "ACID tables" i'm assuming i need to click on "Create ACID AG", when
> > I do that nothing happens, it won't disappear or it won't change status to
> > "DONE".. what am i missing?



--__--__--

Message: 3
From: "Koaps" <koaps at ...1804...>
To: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 14:48:04 -0700

I am having problems with Snort Logging to mysql too

Originally I had Snort and MySQL on the same OpenBSD box, this caused MySQL
to crash, a lot...

So I installed MySQL on a windows box, which also runs Snort Locally,


Amazingly the windows based Snort/MySQL/ACID works perfectly, and the
OpenBSD snort trying to log to MySQL on windows is failing to write
alerts...

just my two cents worth of crap....


L8rZ,

  )\_/(
 < o,0 >
    ~
   \ /

KoAps







--__--__--

Message: 4
From: "alexus" <ml at ...1718...>
To: <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 17:49:38 -0400
Subject: [Snort-users] Snort won't run

i'm using snort 1.7 with latest set of rules

for some reason it won't run, any ideas?

su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf

        --== Initializing Snort ==--

Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

*WARNING*: unknown preprocessor "stream2", ignoring!


*WARNING*: unknown preprocessor "rpc_decode", ignoring!


*WARNING*: unknown preprocessor "bo", ignoring!


*WARNING*: unknown preprocessor "telnet_decode", ignoring!

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = alexus
database: database name = alexus
database: password is set
database:          host = localhost
database:   sensor name = 64.81.208.245
database:     sensor id = 1
database: using the "log" facility
Error: Unknown config: classification
su-2.04# 

what am i doin wrong now?



--__--__--

Message: 5
Date: Thu, 10 May 2001 14:56:12 -0700
From: Kevin Brown <Kevin.M.Brown at ...1022...>
Subject: RE: [Snort-users] Snort won't run
To: 'alexus' <ml at ...1718...>, snort-users at lists.sourceforge.net

looks like you are missing a file.  do you have a classification.config file
in the directory with your .rules files?  If yes, then do you have it
included in snort.conf along with the rules?



--__--__--

Message: 6
From: "alexus" <ml at ...1718...>
To: "Kevin Brown" <Kevin.M.Brown at ...1022...>,
	<snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 18:10:38 -0400

yes I do, I believe it came with snortrules.tgz file

su-2.04# ls -al /usr/local/bin/rules/classification.config
-rw-r--r--  1 root  users  1899 Apr 20 08:11 /usr/local/bin/rules/classification.config
su-2.04#

just in case in snort.conf i change

following line from this
include classification.config
to this
include /usr/local/bin/rules/classification.config
still same error




--__--__--



End of Snort-users Digest



