[Snort-users] unsubscribe

Ryan McClure (Systems Admin) - United Shipping rmcclure at ...2011...
Fri May 11 10:20:08 EDT 2001


I unsubscribed from this list this morning.  Please STOP SENDING ME EMAILS!

-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Friday, May 11, 2001 7:46 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #635 - 7 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Slightly OT - Re: [Snort-users] My apologies (Avleen Vig)
   2. Broadscan Smurf Scanner (Jones, Benny)
   3. RE: Rules vs performance (Robinson, Ken)
   4. NetFlow output plugin? (Mayers, Philip J)
   5. FW: [Snort-users] NetFlow output plugin? (Mayers, Philip J)
   6. snort 1.7+mysql+acid == headaches.  pass the aspirin? (long) (Jason
Costomiris)
   7. unsubscribe (Ryan McClure (Systems Admin) - United Shipping)

--__--__--

Message: 1
From: "Avleen Vig" <avleen at ...396...>
To: <Kevin.Brown at ...1022...>,
	<snort-users at lists.sourceforge.net>
Subject: Slightly OT - Re: [Snort-users] My apologies
Date: Fri, 11 May 2001 09:58:44 +0100

> I don't know what happened but the mail I send from outlook gets turned
into
> html garbage when I send to this list.  I verified my options in both
outlook
> and with sourceforge, so somewhere between the two (maybe the damn
exchange
> server) is converting my plain text messages into htmlized junk.

Indeed, it IS your server:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html;
=charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version
=5.5.2653.12">
<TITLE>RE: [Snort-users] Rules vs performance</TITLE>
</HEAD>
<BODY>

Recommend you hit your mail admin over the head with a large banana,
especially in days of HTML
transfered viruses - if things like this pass, how long until someone finds
a way to infect the Exchange
Server's HTML generator?

Hmmmmmmmm possibly time to create a rule that servers are adding this? I
dunno <shrug>



--__--__--

Message: 2
Date: Fri, 11 May 2001 07:39:38 -0400
From: "Jones, Benny" <Ben at ...32...>
To: "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>
Subject: [Snort-users] Broadscan Smurf Scanner

What's the significance of the ICMP Broadscan
Smurf Scanner alert?  I've read about Smurf
attacks; is this one, or a precursor to one?

Thanks.

Benny


--__--__--

Message: 3
From: "Robinson, Ken" <ken.robinson at ...1563...>
To: "'Jean-Francois Zwobada'" <zwobada at ...1938...>,
   Kevin Brown
	 <Kevin.M.Brown at ...1022...>,
   "Snort List (E-mail)"
	 <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Rules vs performance
Date: Fri, 11 May 2001 08:18:27 -0400


I want to handle full duplex, 100Mbit.    We're using Ether Taps, so each
direction is actually a different NIC.  



-----Original Message-----
From: Jean-Francois Zwobada [mailto:zwobada at ...1938...]
Sent: May 11, 2001 2:55 AM
To: Kevin Brown; 'Robinson, Ken'; Snort List (E-mail)
Subject: RE: [Snort-users] Rules vs performance



Hi guys

What's the average and peak bandwidth you're trying to analyse ?

Regards

JF

At 12:53 10/05/01 -0700, Kevin Brown wrote:

>I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s 
>link the snort was clocking 40% of the cpu with absolutely no rules or 
>plugins.  I don't remember the specifics, but I was removing rules from 
>the list till snort dropped to 80% or less and of the ruleset of 400 rules 
>I had to drop all but 50 I believe to get it down.  I'm currently using a 
>Sparc 500 and it is clocking 50% of the CPU (same link) with the full 
>ruleset in place (snort1.8b5 build 20).  I downloaded top and compiled it 
>and just watch the processes and notice that with just the database and 
>spp plugins snort is slowing eating up my 1GB of memory.  I don't know if 
>that is a memory leak or just a lot of memory caching going on within
snort.
>
>-----Original Message-----
>From: Robinson, Ken 
>[<mailto:ken.robinson at ...1563...>mailto:ken.robinson at ...1563...]
>Sent: Thursday, May 10, 2001 12:42
>To: Snort List (E-mail)
>Subject: [Snort-users] Rules vs performance
>
>Hello,
>
>Are there any rule-of-thumb, or such on how the number of Snort rules
>affects the performance?
>
>In doing some lab tests, we found that has the amount of traffic went up,
we
>detected fewer and fewer test attacks.     CPU usage was high, but not
>peaked right out.     The lab boxes were PIII 800Mhz systems with 100Mbit
>NICs and 256Meg RAM.
>
>I don't know of the misses were due to an issue with the hardware (NIC
>missing packets?), or if there were too many rules to sort through for the
>Snort software, or too much logging?
>
>We've looked through the snort rules from Whitehats and found many cases
>were we could reduce the rules by either dropping them (i.e. don't care),
>reducing them (i.e. all the ICMP Itype 8 could just be recorded as ping
>instead of detecting which OS),  or making groups of them as activate rules
>(i.e. the DeepThroat backdoor rules).    We could also use the Activate
>rules to log the next 50 packets and then run a full set or rules on those
>logged packets.
>
>So, any advise for us?   Should we use Activate rules as much as possible?
>Should we generalize rules?   Or is all of this not going to make much of a
>difference?
>
>Thanks.
>
>----
>Ken Robinson
>
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
><http://lists.sourceforge.net/lists/listinfo/snort-users>http://lists.sourc
eforge.net/lists/listinfo/snort-users 
>
>Snort-users list archive:
><http://www.geocrawler.com/redir-sf.php3?list=snort-users>http://www.geocra
wler.com/redir-sf.php3?list=snort-users 
>

Jean-Francois Zwobada
Cellule Securite - Fluxus
Phone : +33.1.44.97.70.00 - Fax : +33.1.44.97.70.14
30, rue du Chateau des Rentiers - 75013 PARIS


--__--__--

Message: 4
From: "Mayers, Philip J" <p.mayers at ...1913...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Date: Fri, 11 May 2001 13:30:44 +0100
Subject: [Snort-users] NetFlow output plugin?

All,

We're successfully sniffing out 100Mb connection (and getting good data too)
with Snort 1.7 - congratulations to all for a great product. In case
anyone's interested, we're sniffing 7k packets/sec (30Mbits) on a 256Mb
PIII800 (Compaq DL380) at about 15-20% CPU usage. We're going to try a
64-bit PCI gigabit card at some point, hopefully before we move to a Gigabit
connection (eek!).

Anyway, my managers like pretty graphs so I've been investigating the
possibility of writing a preprocessor that will do things like top-N hosts
and bucket-sorting based on packet size/subnet/port number/etc. The thought
occurred to me that the best way to do this would be to have Snort generate
Cisco NetFlow stats and use some of the many tools available to pull that
data out. Has anyone thought about that, or should I give it a look?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  


--__--__--

Message: 5
From: "Mayers, Philip J" <p.mayers at ...1913...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Subject: FW: [Snort-users] NetFlow output plugin?
Date: Fri, 11 May 2001 14:09:59 +0100


Here's a list (no particular order) of the tools I've been looking at:

EHNT: http://sourceforge.net/projects/ehnt/

The Caida tools are good: http://www.caida.org/tools/measurement/cflowd/

Netramet: http://www2.auckland.ac.nz/net/Accounting/ntm.Release.note.html

Flowc: http://www.univ.kiev.ua/~roman/soft/flowc/

Cisco have some stuff: http://www.cisco.com/warp/public/732/netflow/

Flowscan: http://net.doit.wisc.edu/~plonka/FlowScan/

Freesite is a total billing system: http://www.sisd.com/freeside/

Some random stuff:

http://www.tsh.or.id/netflow.shtml
http://www.switch.ch/tf-tant/floma/software.html

For those of you with Extreme switches in your network, I've been hearing
rumbles that the next release of the firmware will support flow-export (like
Cisco's).

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  

-----Original Message-----
From: Chris Schuler [mailto:cschuler at ...1139...]
Sent: 11 May 2001 13:54
To: 'p.mayers at ...1913...'
Subject: [Snort-users] NetFlow output plugin?


My managers are the same way, but Im getting ready to start my research on
what tools analyze the data.  Your email soudned like you knew of a few
tools that worked w/ netflow data... could you take a min and list a few for
me to look into?  

All,

We're successfully sniffing out 100Mb connection (and getting good data too)
with Snort 1.7 - congratulations to all for a great product. In case
anyone's interested, we're sniffing 7k packets/sec (30Mbits) on a 256Mb
PIII800 (Compaq DL380) at about 15-20% CPU usage. We're going to try a
64-bit PCI gigabit card at some point, hopefully before we move to a Gigabit
connection (eek!).

Anyway, my managers like pretty graphs so I've been investigating the
possibility of writing a preprocessor that will do things like top-N hosts
and bucket-sorting based on packet size/subnet/port number/etc. The thought
occurred to me that the best way to do this would be to have Snort generate
Cisco NetFlow stats and use some of the many tools available to pull that
data out. Has anyone thought about that, or should I give it a look?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support |
| Centre for Computing Services |
| Imperial College |
+----------------------------------+ 

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net <mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
<http://lists.sourceforge.net/lists/listinfo/snort-users>
Snort-users list archive:
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>



--__--__--

Message: 6
Date: Fri, 11 May 2001 09:24:52 -0400
From: Jason Costomiris <jcostom at ...2019...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort 1.7+mysql+acid == headaches.  pass the aspirin?
(long)

Yesterday, I brought up a shiny new RH 7.1 box specifically for testing
snort.  It's got two NICs installed, eth0 sits on my private net, behind
the firewall, eth1 is connected to the external network, is up, but has
no IP configured on it - so-called stealth mode.

The external net is @home's network in my home area.  The whole deal looks
like this:

@home----cablemodem----hub-----....

Both my firewall and the eth1 i/f from the snort box are connected to that
hub.  Pretty normal configuration, based on my previous IDS experience,
mostly deploying RealSecure.

I started by building my own RPMs for libpcap-0.6.2, so I could dump the RH
0.4 version.  Then I built snort from the RPM provided on snort.org, with 
a few subtle changes (--enable-smbalerts --with-mysql --with-openssl).

Everything installed just swimmingly and SEEMS to be in working order.
Seems
indeed.  I'm using the vision rules from whitehats, so this config is not
exactly the "stock" configuration.  However, I see no reason for it not to
work:

var INTERNAL 24.a.b.c/32
var EXTERNAL !$INTERNAL
preprocessor defrag
preprocessor http_decode: 80
preprocessor portscan: $INTERNAL 5 5 /var/log/snort/portscan.log
preprocessor stream: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
output database: alert, mysql, dbname=snort host=localhost user=snort
output log_tcpdump: log.tcpdump
include /etc/snort/vision.rules

Currently, my init scripts invoke snort as:

/usr/sbin/snort -u snort -g snort -d -D -i eth1 -l /var/log/snort \
	-c /etc/snort/vision.conf

Having read elsewhere that -D supresses errors, I invoked it myself without 
the -D and get the following:

        --== Initializing Snort ==--

Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup: 
	eth1: no IPv4 address assigned
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql postgresql )
database: configured to use mysql
database: database name = snort
database:          host = localhost
database:          user = snort
database:   sensor name = <sensor-name-removed>
database:     sensor id = 1
database: using the "alert" facility
533 Snort rules read...
533 Option Chains linked into 199 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->log->pass

        --== Initialization Complete ==--

This seems to indicate that snort's cool with logging to the database.
However, it never logs anything.  I created the database using the 
create_mysql script that came as a part of snort-1.7.tar.gz, I also added
the snortdb-extra stuff as well.  Bottom line is that nothing gets logged
to the database, nor do I get anything in the tcpdump logs either.

On another note, I also installed ACID 0.9.6b8, which seemed to go in
without
any trouble, but also confirms no alerts are in the db.  ACID is also 
complaining about snort signatures not being in the database:

Database ERROR:Table 'snort.signature' doesn't exist

Thoughts?

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.


--__--__--

Message: 7
From: "Ryan McClure (Systems Admin) - United Shipping"
	 <rmcclure at ...2011...>
To: snort-users at lists.sourceforge.net
Date: Fri, 11 May 2001 07:45:36 -0600
Subject: [Snort-users] unsubscribe



-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Thursday, May 10, 2001 4:12 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #633 - 6 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: DNS Query Logging? (Steve Frank)
   2. Re: Snort + Acid w/ MySQL question(s) (alexus)
   3. Re: Snort + Acid w/ MySQL question(s) (Koaps)
   4. Snort won't run (alexus)
   5. RE: Snort won't run (Kevin Brown)
   6. Re: Snort won't run (alexus)

-- __--__-- 

Message: 1
From: Steve Frank <sfrank at ...2014...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] DNS Query Logging?
Date: Thu, 10 May 2001 16:22:05 -0500

Isn't that logged in most default DNS installations anyway?  My NSTATS are
configured to pop into my syslog all the time--you should be able to see all
your query types there--or are you looking for something more specific than
that, Jeff?

Steve Frank
Network Manager
Midcom, Inc.


-----Original Message-----
From: Richard, Jeff [mailto:Jeff-Richard at ...562...]
Sent: Thursday, May 10, 2001 3:48 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] DNS Query Logging?


I hope someone can give a hand on this.  I need to get a count of how many
DNS queries my DNS servers are receiving.  What should a rule for DNS
queries look like?  I'm not failure with DNS traffic, but realize that UDP
53, is the protocol/port, just not sure of any signature(s).

-Jeff

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- __--__-- 

Message: 2
From: "alexus" <ml at ...1718...>
To: <roman at ...438...>
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 17:26:25 -0400

mysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+
| Host      | User   | Password         | Select_priv | Insert_priv |
Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv |
Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv |
Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+
| localhost | alexus | 34484ed463a66850 | Y           | Y           | N
| Y           | N           | N         | N           | N             | N
| N         | N          | N               | N          | N          |
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+
1 row in set (0.00 sec)

mysql>


i copy and paste mysql output to show you that i do have all right
privileges

i also upgrade acid to 0.9.6b9 (which is latest beta for today)

it still doesn't work

----- Original Message -----
From: <roman at ...438...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


> One observation:
>
> - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> acid_conf.php will be ignored.
>
> Two recommendations:
>
> - are you sure that you have CREATE permissions on the DB
> user set in acid_conf.php?  If all else fails, try using the
> "create_acid_tbls_mysql.sql" to manually create the ACID
> tables.
>
> - upgrade to a more recent version of ACID => 0.9.6b9.  There
> are significant feature improvements as well as bug fixes.  If you
> prefer an older version, upgrade to at least 0.9.6b1 for it has
> a number of important bug fixes
>
> cheers,
> Roman
>
> > I'm using the following:
> >
> > FreeBSD 4.3 - RELEASE (STABLE)
> > ACID-0.9.5 - RELEASE (STABLE)
> > ADODB v1.0.1 - RELEASE (STABLE)
> > PHP - 4.0.5 - RELEASE (STABLE)
> > APACHE - 1.3.19 - RELEASE (STABLE)
> > SNORT - 1.7 - RELEASE (STABLE)
> >
> > to compile snort i used following line:
> > ../configure --with-mysql=/usr/local/mysql;make;make install
> >
> > i did change acid_conf.php i put path to adodb
> >
> > in adodb
> >
> > i put local path in adodb.inc.php
> >
> > when i go to http://localhost/acid it redirects me to acid_main.php and
when
> > it gets there i get this:
> >
> > The underlying database alexus at ...274... apears to be invalid.
> >
> > The database version is valid, but the ACID DB structure (table:
acid_ag) is
> > not present. Use the Setup page to configure and optimize the DB
> >
> > when i click on "Setup page"
> >
> > in status window i get "DONE" for "Search Indexes" and i have "Create
ACID
> > AG" for "ACID tables" i'm assuming i need to click on "Create ACID AG",
when
> > I do that nothing happenes, it won't disappear or it won't change status
to
> > "DONE".. what am i missing?
> >
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
>
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/
>
>
>



-- __--__-- 

Message: 3
From: "Koaps" <koaps at ...1804...>
To: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 14:48:04 -0700

I am having problems with Snort Logging to mysql too

Orginally I had Snort and MySQL on the same OpenBSD box, this caused MySQL
to crash, alot...

So I installed MySQL on a windows box, which also runs Snort Locally,


Amazingly the windows based Snort/MySQL/ACID works perfectly, and the
OpenBSD snort trying to log to MySQL on windows is failing to write
alerts...

just my two cents worth of crap....


L8rZ,

  )\_/(
 < o,0 >
    ~
   \ /

KoAps



----- Original Message -----
From: "alexus" <ml at ...1718...>
To: <roman at ...438...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 2:26 PM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


mysql> select * from user where user='alexus';
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+
| Host      | User   | Password         | Select_priv | Insert_priv |
Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv |
Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv |
Index_priv | Alter_priv |
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+
| localhost | alexus | 34484ed463a66850 | Y           | Y           | N
| Y           | N           | N         | N           | N             | N
| N         | N          | N               | N          | N          |
+-----------+--------+------------------+-------------+-------------+-------
------+-------------+-------------+-----------+-------------+---------------
+--------------+-----------+------------+-----------------+------------+----
--------+
1 row in set (0.00 sec)

mysql>


i copy and paste mysql output to show you that i do have all right
privileges

i also upgrade acid to 0.9.6b9 (which is latest beta for today)

it still doesn't work

----- Original Message -----
From: <roman at ...438...>
To: "alexus" <ml at ...1718...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, May 10, 2001 11:18 AM
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)


> One observation:
>
> - ACID 0.9.5 does not use ADODB.  This DB abstraction was
> introduced in 0.9.6b2 (Jan 2001).  Hence, this addition into
> acid_conf.php will be ignored.
>
> Two recommendations:
>
> - are you sure that you have CREATE permissions on the DB
> user set in acid_conf.php?  If all else fails, try using the
> "create_acid_tbls_mysql.sql" to manually create the ACID
> tables.
>
> - upgrade to a more recent version of ACID => 0.9.6b9.  There
> are significant feature improvements as well as bug fixes.  If you
> prefer an older version, upgrade to at least 0.9.6b1 for it has
> a number of important bug fixes
>
> cheers,
> Roman
>
> > I'm using the following:
> >
> > FreeBSD 4.3 - RELEASE (STABLE)
> > ACID-0.9.5 - RELEASE (STABLE)
> > ADODB v1.0.1 - RELEASE (STABLE)
> > PHP - 4.0.5 - RELEASE (STABLE)
> > APACHE - 1.3.19 - RELEASE (STABLE)
> > SNORT - 1.7 - RELEASE (STABLE)
> >
> > to compile snort i used following line:
> > ../configure --with-mysql=/usr/local/mysql;make;make install
> >
> > i did change acid_conf.php i put path to adodb
> >
> > in adodb
> >
> > i put local path in adodb.inc.php
> >
> > when i go to http://localhost/acid it redirects me to acid_main.php and
when
> > it gets there i get this:
> >
> > The underlying database alexus at ...274... apears to be invalid.
> >
> > The database version is valid, but the ACID DB structure (table:
acid_ag) is
> > not present. Use the Setup page to configure and optimize the DB
> >
> > when i click on "Setup page"
> >
> > in status window i get "DONE" for "Search Indexes" and i have "Create
ACID
> > AG" for "ACID tables" i'm assuming i need to click on "Create ACID AG",
when
> > I do that nothing happenes, it won't disappear or it won't change status
to
> > "DONE".. what am i missing?
> >
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
>
> ---------------------------------------------
> This message was sent using Voicenet WebMail.
>       http://www.voicenet.com/webmail/
>
>
>


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- __--__-- 

Message: 4
From: "alexus" <ml at ...1718...>
To: <snort-users at lists.sourceforge.net>
Date: Thu, 10 May 2001 17:49:38 -0400
Subject: [Snort-users] Snort won't run

i'm using snort 1.7 with latest set of rules

for some reason it won't run, any ideas?

su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf

        --== Initializing Snort ==--

Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

*WARNING*: unknown preprocessor "stream2", ignoring!


*WARNING*: unknown preprocessor "rpc_decode", ignoring!


*WARNING*: unknown preprocessor "bo", ignoring!


*WARNING*: unknown preprocessor "telnet_decode", ignoring!

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = alexus
database: database name = alexus
database: password is set
database:          host = localhost
database:   sensor name = 64.81.208.245
database:     sensor id = 1
database: using the "log" facility
Error: Unknown config: classification
su-2.04# 

what am i doin wrong now?



-- __--__-- 

Message: 5
Date: Thu, 10 May 2001 14:56:12 -0700
From: Kevin Brown <Kevin.M.Brown at ...1022...>
Subject: RE: [Snort-users] Snort won't run
To: 'alexus' <ml at ...1718...>, snort-users at lists.sourceforge.net

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C0D99C.07192D70
Content-Type: text/plain;
	charset="iso-8859-1"

looks like you are missing a file.  do you have a classification.config file
in the directory with your .rules files.  If yes, then do you have it
included in snort.conf along with the rules?

-----Original Message-----
From: alexus [mailto:ml at ...1718...]
Sent: Thursday, May 10, 2001 14:50
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort won't run


i'm using snort 1.7 with latest set of rules

for some reason it won't run, any ideas?

su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf

        --== Initializing Snort ==--

Initializing Network Interface fxp0
Decoding Ethernet on interface fxp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

*WARNING*: unknown preprocessor "stream2", ignoring!


*WARNING*: unknown preprocessor "rpc_decode", ignoring!


*WARNING*: unknown preprocessor "bo", ignoring!


*WARNING*: unknown preprocessor "telnet_decode", ignoring!

database: compiled support for ( mysql )
database: configured to use mysql
database:          user = alexus
database: database name = alexus
database: password is set
database:          host = localhost
database:   sensor name = 64.81.208.245
database:     sensor id = 1
database: using the "log" facility
Error: Unknown config: classification
su-2.04# 

what am i doin wrong now?


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------_=_NextPart_001_01C0D99C.07192D70
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2653.12">
<TITLE>RE: [Snort-users] Snort won't run</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=3D2>looks like you are missing a file.  do you have =
a classification.config file in the directory with your .rules =
files.  If yes, then do you have it included in snort.conf along =
with the rules?</FONT></P>

<P><FONT SIZE=3D2>-----Original Message-----</FONT>
<BR><FONT SIZE=3D2>From: alexus [<A =
HREF=3D"mailto:ml at ...1718...">mailto:ml at ...1718...</A>]</FONT>
<BR><FONT SIZE=3D2>Sent: Thursday, May 10, 2001 14:50</FONT>
<BR><FONT SIZE=3D2>To: snort-users at lists.sourceforge.net</FONT>
<BR><FONT SIZE=3D2>Subject: [Snort-users] Snort won't run</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>i'm using snort 1.7 with latest set of rules</FONT>
</P>

<P><FONT SIZE=3D2>for some reason it won't run, any ideas?</FONT>
</P>

<P><FONT SIZE=3D2>su-2.04# /usr/local/bin/snort -c =
/usr/local/bin/rules/snort.conf</FONT>
</P>

<P><FONT SIZE=3D2>        --=3D=3D =
Initializing Snort =3D=3D--</FONT>
</P>

<P><FONT SIZE=3D2>Initializing Network Interface fxp0</FONT>
<BR><FONT SIZE=3D2>Decoding Ethernet on interface fxp0</FONT>
<BR><FONT SIZE=3D2>Initializing Preprocessors!</FONT>
<BR><FONT SIZE=3D2>Initializing Plug-ins!</FONT>
<BR><FONT SIZE=3D2>Initializating Output Plugins!</FONT>
</P>

<P><FONT =
SIZE=3D2>+++++++++++++++++++++++++++++++++++++++++++++++++++</FONT>
<BR><FONT SIZE=3D2>Initializing rule chains...</FONT>
</P>

<P><FONT SIZE=3D2>*WARNING*: unknown preprocessor "stream2", =
ignoring!</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>*WARNING*: unknown preprocessor =
"rpc_decode", ignoring!</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>*WARNING*: unknown preprocessor "bo", =
ignoring!</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>*WARNING*: unknown preprocessor =
"telnet_decode", ignoring!</FONT>
</P>

<P><FONT SIZE=3D2>database: compiled support for ( mysql )</FONT>
<BR><FONT SIZE=3D2>database: configured to use mysql</FONT>
<BR><FONT =
SIZE=3D2>database:         =
 user =3D alexus</FONT>
<BR><FONT SIZE=3D2>database: database name =3D alexus</FONT>
<BR><FONT SIZE=3D2>database: password is set</FONT>
<BR><FONT =
SIZE=3D2>database:         =
 host =3D localhost</FONT>
<BR><FONT SIZE=3D2>database:   sensor name =3D =
64.81.208.245</FONT>
<BR><FONT SIZE=3D2>database:     sensor id =3D =
1</FONT>
<BR><FONT SIZE=3D2>database: using the "log" facility</FONT>
<BR><FONT SIZE=3D2>Error: Unknown config: classification</FONT>
<BR><FONT SIZE=3D2>su-2.04# </FONT>
</P>

<P><FONT SIZE=3D2>what am i doin wrong now?</FONT>
</P>
<BR>

<P><FONT =
SIZE=3D2>_______________________________________________</FONT>
<BR><FONT SIZE=3D2>Snort-users mailing list</FONT>
<BR><FONT SIZE=3D2>Snort-users at lists.sourceforge.net</FONT>
<BR><FONT SIZE=3D2>Go to this URL to change user options or =
unsubscribe:</FONT>
<BR><FONT SIZE=3D2><A =
HREF=3D"http://lists.sourceforge.net/lists/listinfo/snort-users" =
TARGET=3D"_blank">http://lists.sourceforge.net/lists/listinfo/snort-user=
s</A></FONT>
<BR><FONT SIZE=3D2>Snort-users list archive:</FONT>
<BR><FONT SIZE=3D2><A =
HREF=3D"http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users" =
TARGET=3D"_blank">http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-u=
sers</A></FONT>
</P>

</BODY>
</HTML>
------_=_NextPart_001_01C0D99C.07192D70--


-- __--__-- 

Message: 6
From: "alexus" <ml at ...1718...>
To: "Kevin Brown" <Kevin.M.Brown at ...1022...>,
	<snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort won't run
Date: Thu, 10 May 2001 18:10:38 -0400

This is a multi-part message in MIME format.

------=_NextPart_000_0035_01C0D97C.84409150
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

RE: [Snort-users] Snort won't runyes I do, I belive it came with =
snortrules.tgz file

su-2.04# ls -al /usr/local/bin/rules/classification.config=20
-rw-r--r--  1 root  users  1899 Apr 20 08:11 =
/usr/local/bin/rules/classification.config
su-2.04#=20

just in case in snort.conf i change

following line from this=20
include classification.config
to this
include /usr/local/bin/rules/classification.config
still same error
  ----- Original Message -----=20
  From: Kevin Brown=20
  To: 'alexus' ; snort-users at lists.sourceforge.net=20
  Sent: Thursday, May 10, 2001 5:56 PM
  Subject: RE: [Snort-users] Snort won't run


  looks like you are missing a file.  do you have a =
classification.config file in the directory with your .rules files.  If =
yes, then do you have it included in snort.conf along with the rules?

  -----Original Message-----=20
  From: alexus [mailto:ml at ...1718...]=20
  Sent: Thursday, May 10, 2001 14:50=20
  To: snort-users at lists.sourceforge.net=20
  Subject: [Snort-users] Snort won't run=20



  i'm using snort 1.7 with latest set of rules=20

  for some reason it won't run, any ideas?=20

  su-2.04# /usr/local/bin/snort -c /usr/local/bin/rules/snort.conf=20

          --=3D=3D Initializing Snort =3D=3D--=20

  Initializing Network Interface fxp0=20
  Decoding Ethernet on interface fxp0=20
  Initializing Preprocessors!=20
  Initializing Plug-ins!=20
  Initializating Output Plugins!=20

  +++++++++++++++++++++++++++++++++++++++++++++++++++=20
  Initializing rule chains...=20

  *WARNING*: unknown preprocessor "stream2", ignoring!=20



  *WARNING*: unknown preprocessor "rpc_decode", ignoring!=20



  *WARNING*: unknown preprocessor "bo", ignoring!=20



  *WARNING*: unknown preprocessor "telnet_decode", ignoring!=20

  database: compiled support for ( mysql )=20
  database: configured to use mysql=20
  database:          user =3D alexus=20
  database: database name =3D alexus=20
  database: password is set=20
  database:          host =3D localhost=20
  database:   sensor name =3D 64.81.208.245=20
  database:     sensor id =3D 1=20
  database: using the "log" facility=20
  Error: Unknown config: classification=20
  su-2.04#=20

  what am i doin wrong now?=20



  _______________________________________________=20
  Snort-users mailing list=20
  Snort-users at lists.sourceforge.net=20
  Go to this URL to change user options or unsubscribe:=20
  http://lists.sourceforge.net/lists/listinfo/snort-users=20
  Snort-users list archive:=20
  http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users=20


------=_NextPart_000_0035_01C0D97C.84409150
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [Snort-users] Snort won't run</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4613.1700" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT size=3D2>yes I do, I belive it came with snortrules.tgz=20
file</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>su-2.04# ls -al =
/usr/local/bin/rules/classification.config=20
<BR>-rw-r--r--  1 root  users  1899 Apr 20 08:11=20
/usr/local/bin/rules/classification.config<BR>su-2.04# </FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>just in case in snort.conf i change</FONT></DIV>
<DIV><FONT size=3D2></FONT> </DIV>
<DIV><FONT size=3D2>following line from this </FONT></DIV>
<DIV><FONT size=3D2>include classification.config</FONT></DIV>
<DIV><FONT size=3D2>to this</FONT></DIV>
<DIV><FONT size=3D2>include=20
/usr/local/bin/rules/classification.config</FONT></DIV>
<DIV><FONT size=3D2>still same error</FONT></DIV>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
  <DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
  <DIV=20
  style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: =
black"><B>From:</B>=20
  <A title=3DKevin.M.Brown at ...1022... =
href=3D"mailto:Kevin.M.Brown at ...1022...">Kevin=20
  Brown</A> </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>To:</B> <A title=3Dml at ...1718... =

  href=3D"mailto:ml at ...1718...">'alexus'</A> ; <A=20
  title=3Dsnort-users at lists.sourceforge.net=20
  =
href=3D"mailto:snort-users at lists.sourceforge.net">snort-users at ...635...=
eforge.net</A>=20
  </DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Thursday, May 10, 2001 =
5:56=20
PM</DIV>
  <DIV style=3D"FONT: 10pt arial"><B>Subject:</B> RE: [Snort-users] =
Snort won't=20
  run</DIV>
  <DIV><BR></DIV>
  <P><FONT size=3D2>looks like you are missing a file.  do you have =
a=20
  classification.config file in the directory with your .rules =
files.  If=20
  yes, then do you have it included in snort.conf along with the=20
  rules?</FONT></P>
  <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT =
size=3D2>From:=20
  alexus [<A =
href=3D"mailto:ml at ...1718...">mailto:ml at ...1718...</A>]</FONT>=20
  <BR><FONT size=3D2>Sent: Thursday, May 10, 2001 14:50</FONT> <BR><FONT =

  size=3D2>To: <A=20
  =
href=3D"mailto:snort-users at lists.sourceforge.net">snort-users at ...635...=
eforge.net</A></FONT>=20
  <BR><FONT size=3D2>Subject: [Snort-users] Snort won't run</FONT> =
</P><BR>
  <P><FONT size=3D2>i'm using snort 1.7 with latest set of rules</FONT> =
</P>
  <P><FONT size=3D2>for some reason it won't run, any ideas?</FONT> </P>
  <P><FONT size=3D2>su-2.04# /usr/local/bin/snort -c=20
  /usr/local/bin/rules/snort.conf</FONT> </P>
  <P><FONT size=3D2>        --=3D=3D =
Initializing=20
  Snort =3D=3D--</FONT> </P>
  <P><FONT size=3D2>Initializing Network Interface fxp0</FONT> <BR><FONT =

  size=3D2>Decoding Ethernet on interface fxp0</FONT> <BR><FONT=20
  size=3D2>Initializing Preprocessors!</FONT> <BR><FONT =
size=3D2>Initializing=20
  Plug-ins!</FONT> <BR><FONT size=3D2>Initializating Output =
Plugins!</FONT> </P>
  <P><FONT =
size=3D2>+++++++++++++++++++++++++++++++++++++++++++++++++++</FONT>=20
  <BR><FONT size=3D2>Initializing rule chains...</FONT> </P>
  <P><FONT size=3D2>*WARNING*: unknown preprocessor "stream2", =
ignoring!</FONT>=20
  </P><BR>
  <P><FONT size=3D2>*WARNING*: unknown preprocessor "rpc_decode", =
ignoring!</FONT>=20
  </P><BR>
  <P><FONT size=3D2>*WARNING*: unknown preprocessor "bo", =
ignoring!</FONT>=20
</P><BR>
  <P><FONT size=3D2>*WARNING*: unknown preprocessor "telnet_decode",=20
  ignoring!</FONT> </P>
  <P><FONT size=3D2>database: compiled support for ( mysql )</FONT> =
<BR><FONT=20
  size=3D2>database: configured to use mysql</FONT> <BR><FONT=20
  =
size=3D2>database:          =
user =3D=20
  alexus</FONT> <BR><FONT size=3D2>database: database name =3D =
alexus</FONT>=20
  <BR><FONT size=3D2>database: password is set</FONT> <BR><FONT=20
  =
size=3D2>database:          =
host =3D=20
  localhost</FONT> <BR><FONT size=3D2>database:   sensor name =
=3D=20
  64.81.208.245</FONT> <BR><FONT =
size=3D2>database:     sensor=20
  id =3D 1</FONT> <BR><FONT size=3D2>database: using the "log" =
facility</FONT>=20
  <BR><FONT size=3D2>Error: Unknown config: classification</FONT> =
<BR><FONT=20
  size=3D2>su-2.04# </FONT></P>
  <P><FONT size=3D2>what am i doin wrong now?</FONT> </P><BR>
  <P><FONT =
size=3D2>_______________________________________________</FONT>=20
  <BR><FONT size=3D2>Snort-users mailing list</FONT> <BR><FONT=20
  size=3D2>Snort-users at lists.sourceforge.net</FONT> <BR><FONT =
size=3D2>Go to this=20
  URL to change user options or unsubscribe:</FONT> <BR><FONT =
size=3D2><A=20
  target=3D_blank=20
  =
href=3D"http://lists.sourceforge.net/lists/listinfo/snort-users">http://l=
ists.sourceforge.net/lists/listinfo/snort-users</A></FONT>=20
  <BR><FONT size=3D2>Snort-users list archive:</FONT> <BR><FONT =
size=3D2><A=20
  target=3D_blank=20
  =
href=3D"http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users">http:=
//www.geocrawler.com/redir-sf.php3?list=3Dsnort-users</A></FONT>=20
  </P></BLOCKQUOTE></BODY></HTML>

------=_NextPart_000_0035_01C0D97C.84409150--




-- __--__-- 

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




More information about the Snort-users mailing list