[Snort-users] RE: Snort-users digest, Vol 1 #2112 - 11 msgs

Peter Karhatsu peterk at ...6436...
Wed Jul 24 09:52:02 EDT 2002


For Dave Oswald:
I am doing this using Winpcap 2.3. I think what you're looking for is to
install this program, then under the NIC configuration ,add the sniffer
driver as a new protocol. This will put you card into sniffer mode.(no
TCP/IP stack used)

Anyone who would like to see a Snort 1.87/Acid/MySQL box running live on
Windows 2000 can visit my test box at 24.216.244.26. Please feel free to
poke around and send me anymails with questions or mistakes.

I can't seem to get GD working with Acid, not sure why.

Thanks to everyone posting and writing the good stuff!

Sniff ya later,

Peter Karhatsu

http://www.janusmanagedservers.com





Message: 10
To: snort-users at lists.sourceforge.net
From: doswald at ...6357...
Date: Wed, 24 Jul 2002 10:43:29 -0500
Subject: [Snort-users] (no subject)

I have setup snort on a Windows 2K server and I am trying to get my
second
ethernet card (IDS Listener) to work without  a DHCP or static IP
address.
Can anyone tell me if they have been able to do this ?

Dave Oswald
Network Engineer



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of
snort-users-request at lists.sourceforge.net
Sent: Wednesday, July 24, 2002 10:49 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #2112 - 11 msgs


Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: newbie configuration issues (John Sage)
   2. Re: running snort questions (Stefan Schleifer)
   3. Re: static compilation (Andreas Krennmair)
   4. Re: static compilation (funky)
   5. Re: static compilation (Chris Green)
   6. Re: static compilation (funky)
   7. Re: Snort setting (Ian Macdonald)
   8. Re: newbie configuration issues (Paul Greene)
   9. Jacked rules (was: New rules in exp) (Kreimendahl, Chad J)
  10. (no subject) (doswald at ...6357...)
  11. Snort Install Problems (Abraham, Elliott)

--__--__--

Message: 1
Date: Tue, 23 Jul 2002 22:14:12 -0700
From: John Sage <jsage at ...2022...>
To: Paul Greene <pauljgreene at ...5068...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] newbie configuration issues

Paul:

On Tue, Jul 23, 2002 at 09:58:01PM -0400, Paul Greene wrote:
> Hello All;
>
> I recently installed Snort on an "IDS bridge" using OpenBSD.

So the "IDS bridge" is a box with -- what? -- two NIC's? Are the NIC's
assigned IP addresses, or are they address-less?

If this is the case, you may want to check the list archives, and the
FAQ's 3.1 and 3.2...

How do you have $HOME_NET and $EXTERNAL_NET set?

> The setup is a cable modem. The "IDS bridge" is between the cable modem
and
> the NAT box (another openbsd box). The NAT box is dynamically assigned an
> IP address in the 68.48.xxx.xxx range by the cable company. The internal
> network is a 192.168.0.0/24 network.

If you're getting a dynamically-assigned IP address back on the NAT
box, /* somehow I'm having a hard time picturing this: the modem and
the "IDS bridge" are just acting as though they're wire: packets just
pass through with their IP addresses unexamined? */ how do you account
for that relative to $HOME_NET?

Do you have some equivalent to:

var HOME_NET $ppp0_ADDRESS

<snippage>


- John
--
"Cowardly refusing to create an empty archive."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


--__--__--

Message: 2
Date: Wed, 24 Jul 2002 09:05:49 +0200
From: Stefan Schleifer <stefan.schleifer at ...6267...>
Organization: Linbit Information Technologies GmbH
To: Daniel Lopez <dlopez at ...6134...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] running snort questions

hi,

you can still use the interfaces file:

[root at ...6425...:/etc/network]# cat interfaces

<snip>

iface eth0 inet static

iface eth1 inet static

iface eth2 inet static

<snip>

works for me:

[root at ...6425...:/etc/network]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:C8:B9:F9:C9
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:450630038 errors:9 dropped:0 overruns:0 frame:15
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:209873534 (200.1 MiB)  TX bytes:0 (0.0 b)
           Interrupt:10 Base address:0xa800


the only thing that doesn't work for me on this machine is snort -i any.
that only puts eth0 in promiscuous mode (using snort-mysql Version 1.8.7
(Build 128)). on another machine with ip adresses it works (using
snort-mysql Version 1.8.4-beta1 (Build 91)).

if you want it to start on system boot, just install the *debs
(snort-common, snort or snort-mysql,... and the snort-rules-default).
init script is included. i suggest then to update the rules from the
snort homepage. maybe you have to do a "update-rc.d snort default" the
get the links in the rc?.d dirs.

stefan.



Daniel Lopez wrote:
> Hello,
>
> I would like to start Snort when my computer boots.
> Thus, I have to configure it to run in daemon mode, haven't I?
>
> Then, I would like to run it on a Debian 3.0 machine in promiscuous
> mode.
> The problem that I have is that in order to configure my network card
> without
> an ip-address I cannot use the standard's Debian /etc/network/interfaces
> since
> the ifup and ifdown expect some more information there than it is
> needed.
>
> Thus, should I use a script? If it is right, do you know if somebody has
> already written one? :)
> Thanks a lot for your help!
>
>
> Daniel Lopez
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>


--

: Stefan Schleifer                            Tel +43-1-8974897-754 :
: LINBIT Information Technologies GmbH        Fax +43-1-8974897-111 :
: Sechshauserstr 48, A-1150 Vienna/Europe     http://www.linbit.com :




--__--__--

Message: 3
Date: Wed, 24 Jul 2002 10:02:25 +0200
From: Andreas Krennmair <ak at ...3855...>
To: funky <azimlinux at ...131...>
CC: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] static compilation

funky wrote:
> I already tried that but nothing has changed. I've
> made the CFLAGS "-static" in "Makefile" but the size
> of the file is still 1053882 bytes . When i control
> with "file snort" , it still says "dynamically
> compiled" :((((
>
> Where can be the mistake!??!?!

You cannot "statically compile" a program, you compile it and then
statically _link_ it. So, first you have to use LDFLAGS instead of
CFLAGS, and another good trick with autoconf based source trees is
setting this already during the configure process, e.g.:

LDFLAGS="-static" ./configure

and then go on just as before, i.e. make && make install. Before make
install, you can check the binary with ldd and file whether it is really
statically linked, but it should be anyway (I tried it out right now).

HTH,
Andreas Krennmair



--__--__--

Message: 4
Date: Wed, 24 Jul 2002 04:04:43 -0700 (PDT)
From: funky <azimlinux at ...131...>
Subject: Re: [Snort-users] static compilation
To: Andreas Krennmair <ak at ...3855...>
Cc: Snort-users at lists.sourceforge.net


Hi,

I tried to set the LDFLAGS to "-static" as you said,
but nothing has changed. The snort binary file seems
to be still dynamically linked.

I exactly did as below:
1 - ./configure
2 - I edited the "Makefile" and changed LDFLAGS to
"-static" (also tried yours, in fact they are same:)
3 - make
4 - make install
5 - still dynamically linked :((((

I also tried to set the both CFLAGS & LDFLAGS to
"-static" but no difference :(

Which version of snort are you using? Maybe there's a
bug related with that in 1.8.7

thanx

funky
IStanbul



--- Andreas Krennmair <ak at ...3855...> wrote:
> funky wrote:
> > I already tried that but nothing has changed. I've
> > made the CFLAGS "-static" in "Makefile" but the
> size
> > of the file is still 1053882 bytes . When i
> control
> > with "file snort" , it still says "dynamically
> > compiled" :((((
> >
> > Where can be the mistake!??!?!
>
> You cannot "statically compile" a program, you
> compile it and then
> statically _link_ it. So, first you have to use
> LDFLAGS instead of
> CFLAGS, and another good trick with autoconf based
> source trees is
> setting this already during the configure process,
> e.g.:
>
> LDFLAGS="-static" ./configure
>
> and then go on just as before, i.e. make && make
> install. Before make
> install, you can check the binary with ldd and file
> whether it is really
> statically linked, but it should be anyway (I tried
> it out right now).
>
> HTH,
> Andreas Krennmair
>
>
>
>
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
>
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com


--__--__--

Message: 5
Date: Wed, 24 Jul 2002 07:19:16 -0400
From: Chris Green <cmg at ...1935...>
Subject: Re: [Snort-users] static compilation
To: funky <azimlinux at ...131...>
Cc: Snort-users at lists.sourceforge.net
Reply-to: snort-users at lists.sourceforge.net

funky <azimlinux at ...131...> writes:

F> Hi,
>
> I tried to set the LDFLAGS to "-static" as you said,
> but nothing has changed. The snort binary file seems
> to be still dynamically linked.
>
> I exactly did as below:
> 1 - ./configure
> 2 - I edited the "Makefile" and changed LDFLAGS to
> "-static" (also tried yours, in fact they are same:)
> 3 - make
> 4 - make install
> 5 - still dynamically linked :((((
>

The easiest way (albiet brute force way) to do this is to replace all
the -ljunk with /usr/lib/libjunk.a in the linking stage of snort

and link by hand.
--
Chris Green <cmg at ...1935...>
Let not the sands of time get in your lunch.


--__--__--

Message: 6
Date: Wed, 24 Jul 2002 04:52:32 -0700 (PDT)
From: funky <azimlinux at ...131...>
Subject: Re: [Snort-users] static compilation
To: snort-users at lists.sourceforge.net
Cc: cmg at ...1935...


Hi,

I just tried to static compile the 1.8.6 version of
snort, it did!!!!!! There must be a bug in the
"Makefile" of 1.8.7 ...

Can you explain me more briefly the solution that you
mention Chris please?

thanx

funky
Istanbul


--- Chris Green <cmg at ...1935...> wrote:
> funky <azimlinux at ...131...> writes:
>
> F> Hi,
> >
> > I tried to set the LDFLAGS to "-static" as you
> said,
> > but nothing has changed. The snort binary file
> seems
> > to be still dynamically linked.
> >
> > I exactly did as below:
> > 1 - ./configure
> > 2 - I edited the "Makefile" and changed LDFLAGS to
> > "-static" (also tried yours, in fact they are
> same:)
> > 3 - make
> > 4 - make install
> > 5 - still dynamically linked :((((
> >
>
> The easiest way (albiet brute force way) to do this
> is to replace all
> the -ljunk with /usr/lib/libjunk.a in the linking
> stage of snort
>
> and link by hand.
> --
> Chris Green <cmg at ...1935...>
> Let not the sands of time get in your lunch.
>
>
>
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com


--__--__--

Message: 7
From: "Ian Macdonald" <secsnort at ...5528...>
To: "jo cam" <jo.cam at ...6346...>, <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort setting
Date: Wed, 24 Jul 2002 09:02:16 -0400

The sensor name is what ever you would like use to identify your sensor. You
could just use your machine name.  You do not need to have the mysql client
installed. For the output module, get a copy of the latest rules from
snort.org (Not the -current set they are for 1.9) and then edit the
snort.conf with your favorite text editor. I would also read the
documentation on snort.org for more details

Ian
----- Original Message -----
From: "jo cam" <jo.cam at ...6346...>
To: <snort-users at lists.sourceforge.net>
Sent: Wednesday, July 17, 2002 12:16 PM
Subject: [Snort-users] Snort setting


> Hi,
>
> I want to use snort and MySQL in the following
> configuration:
> - the first snort sensor on linux station. The database
> MySQL also running on this sensor
> - the second sensor on Win 95
> - the third sensor on Win NT.
>
> QUESTIONS:
>
> 1. What is the sensor name ?
> 2. On Win95 and WinNT stations, is that necessary to have
> MySQL client installed ?
> 3. In each station how can i setup the output module part
> of snort.conf ?
>
> Regards,
>
> Jo
>
> _________________________________________________________
> Envoyez des messages musicaux sur le portable de vos amis
>  http://mobile.lycos.fr/mobile/local/sms_musicaux/
>
>



--__--__--

Message: 8
Date: Wed, 24 Jul 2002 09:16:00 -0400
From: Paul Greene <pauljgreene at ...5068...>
Subject: Re: [Snort-users] newbie configuration issues
To: John Sage <jsage at ...2022...>
Cc: snort-users at lists.sourceforge.net

At 10:14 PM 7/23/2002 -0700, John Sage wrote:
>Paul:
>
>On Tue, Jul 23, 2002 at 09:58:01PM -0400, Paul Greene wrote:
> > Hello All;
> >
> > I recently installed Snort on an "IDS bridge" using OpenBSD.
>
>So the "IDS bridge" is a box with -- what? -- two NIC's? Are the NIC's
>assigned IP addresses, or are they address-less?
>
>If this is the case, you may want to check the list archives, and the
>FAQ's 3.1 and 3.2...

Two NICS with no IP addresses. The intention is to make the box invisible
on the network, and also put it in front of the gateway box running NAT so
that it sees all incoming traffic, not just the traffic that makes it past
the gateway/NAT box. As a bridge it seems to work fine; there's no problem
with traffic getting in and out. I'm basing this on the concept of a
"bridging firewall", but I don't want to block any traffic at this point;
so I'm trying to modify the concept to be a "bridging IDS".

>How do you have $HOME_NET and $EXTERNAL_NET set?

These haven't been changed from the default snort.conf file. Frankly I
wasn't sure what to do with these.

var HOME_NET any
var EXTERNAL_NET $HOME_NET

> > The setup is a cable modem. The "IDS bridge" is between the cable modem
> and
> > the NAT box (another openbsd box). The NAT box is dynamically assigned
an
> > IP address in the 68.48.xxx.xxx range by the cable company. The internal
> > network is a 192.168.0.0/24 network.
>
>If you're getting a dynamically-assigned IP address back on the NAT
>box, /* somehow I'm having a hard time picturing this: the modem and
>the "IDS bridge" are just acting as though they're wire: packets just
>pass through with their IP addresses unexamined? */ how do you account
>for that relative to $HOME_NET?

The ISP changes the IP number about every 4-6 weeks, but I haven't used
that IP number in any configuration files yet anyway

>Do you have some equivalent to:
>
>var HOME_NET $ppp0_ADDRESS

Just the default listed above. I have to plead ignorance on this point,
though this is likely where the problem lies.

>- John

Paul




--__--__--

Message: 9
Date: Wed, 24 Jul 2002 09:38:35 -0500
From: "Kreimendahl, Chad J" <Chad.Kreimendahl at ...4716...>
To: <snort-devel at lists.sourceforge.net>
Cc: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Jacked rules (was: New rules in exp)


Since I seem to have no response from the sigs list... Maybe someone
over here will notice :)

-----Original Message-----
From: Kreimendahl, Chad J=20
Sent: Monday, July 22, 2002 11:11 AM
To: snort-sigs at lists.sourceforge.net
Subject: New rules in exp



The following rules and revisions have no classifications:
((1817->1835)-(1833))
1817, 1; 1818, 1; 1819, 1; 1820, 1;
1821, 1; 1822, 1; 1823, 1; 1824, 1;
1825, 1; 1826, 1; 1827, 1; 1828, 1;
1829, 1; 1830, 1; 1831, 1; 1832, 1;
1834, 1; 1835, 1;

My assumption as to their categories:

1817: attempted-admin
1818: attempted-admin
1819: attempted-recon?attempted-admin?bad-unknown?misc-activity
1820: web-application-activity
1821: system-call-detect
1822: web-application-attack
1823: web-application-attack
1824: web-application-activity
1825: web-application-activity
1826: web-application-activity
1827: web-application-attack
1828: web-application-attack
1829: web-application-activity
1830: web-application-activity
1831: attempted-dos
1832: misc-activity
1834: web-application-attack
1835: web-application-attack


--__--__--

Message: 10
To: snort-users at lists.sourceforge.net
From: doswald at ...6357...
Date: Wed, 24 Jul 2002 10:43:29 -0500
Subject: [Snort-users] (no subject)

I have setup snort on a Windows 2K server and I am trying to get my second
ethernet card (IDS Listener) to work without  a DHCP or static IP address.
Can anyone tell me if they have been able to do this ?

Dave Oswald
Network Engineer




--__--__--

Message: 11
From: "Abraham, Elliott" <Elliot.Abraham at ...6432...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Date: Wed, 24 Jul 2002 11:47:51 -0400
Subject: [Snort-users] Snort Install Problems

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C23329.779F27B0
Content-Type: text/plain

Has anyone experienced problems installing Snort with FlexResp on OpenBSD
3.1.  I'm experiencing some issues during the 'make' process.  The conflicts
are appearing with /usr/include/netinet/ip.h and the IP options.  Any
assistance or pointers would be greatly appreciated.

Thanks

L. Elliott Abraham, CISSP
BTSI Security Specialist
(678) 969-8578 work
abrahame at ...6429... - ipager



****************************************************************************
**********************************************************************
"The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential, proprietary, and/or
privileged material. Any review, retransmission, dissemination or other use
of, or taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from all
computers."

------_=_NextPart_001_01C23329.779F27B0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">


<meta name=3DProgId content=3DWord.Document>
<meta name=3DGenerator content=3D"Microsoft Word 10">
<meta name=3DOriginator content=3D"Microsoft Word 10">
<link rel=3DFile-List href=3D"cid:filelist.xml at ...6430...">
<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:DoNotRelyOnCSS/>
 </o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:SpellingState>Clean</w:SpellingState>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DocumentKind>DocumentEmail</w:DocumentKind>
  <w:EnvelopeVis/>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Impact;
	panose-1:2 11 8 6 3 9 2 5 2 4;
	mso-font-charset:0;
	mso-generic-font-family:swiss;
	mso-font-pitch:variable;
	mso-font-signature:647 0 0 0 159 0;}
@font-face
	{font-family:"Monotype Corsiva";
	panose-1:3 1 1 1 1 2 1 1 1 1;
	mso-font-charset:0;
	mso-generic-font-family:script;
	mso-font-pitch:variable;
	mso-font-signature:647 0 0 0 159 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-parent:"";
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;
	text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;
	text-underline:single;}
p.MsoAutoSig, li.MsoAutoSig, div.MsoAutoSig
	{margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
span.EmailStyle17
	{mso-style-type:personal-compose;
	mso-style-noshow:yes;
	mso-ansi-font-size:10.0pt;
	mso-bidi-font-size:10.0pt;
	font-family:Arial;
	mso-ascii-font-family:Arial;
	mso-hansi-font-family:Arial;
	mso-bidi-font-family:Arial;
	color:windowtext;}
span.SpellE
	{mso-style-name:"";
	mso-spl-e:yes;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;
	mso-header-margin:.5in;
	mso-footer-margin:.5in;
	mso-paper-source:0;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */=20
 table.MsoNormalTable
	{mso-style-name:"Table Normal";
	mso-tstyle-rowband-size:0;
	mso-tstyle-colband-size:0;
	mso-style-noshow:yes;
	mso-style-parent:"";
	mso-padding-alt:0in 5.4pt 0in 5.4pt;
	mso-para-margin:0in;
	mso-para-margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:10.0pt;
	font-family:"Times New Roman";}
</style>
<![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Has anyone experienced problems installing Snort =
with <span
class=3DSpellE>FlexResp</span> on <span class=3DSpellE>OpenBSD</span> =
3.1.<span
style=3D'mso-spacerun:yes'>  </span>I'm experiencing some issues =
during the
'make' process.<span style=3D'mso-spacerun:yes'>  </span>The
conflicts are appearing with /<span =
class=3DSpellE>usr/include/netinet/ip.h</span>
and the IP options.<span style=3D'mso-spacerun:yes'>  </span>Any =
assistance or
pointers would be greatly appreciated.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Thanks<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D5 color=3Dblue face=3D"Monotype =
Corsiva"><span
style=3D'font-size:18.0pt;font-family:"Monotype =
Corsiva";color:blue;mso-no-proof:
yes'>L. Elliott Abraham</span></font><font size=3D5 =
color=3D"#ff6600"><span
style=3D'font-size:18.0pt;color:#FF6600;mso-no-proof:yes'>, =
</span></font><font
size=3D5 color=3D"#ff6600" face=3DImpact><span =
style=3D'font-size:18.0pt;font-family:
Impact;color:#FF6600;mso-no-proof:yes'>CISSP</span></font><span
style=3D'mso-no-proof:yes'><o:p></o:p></span></p>

<p class=3DMsoAutoSig><font size=3D4 face=3D"Times New Roman"><span =
style=3D'font-size:
14.0pt;mso-no-proof:yes'>BTSI Security =
Specialist<o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D4 face=3D"Times New Roman"><span =
style=3D'font-size:
14.0pt;mso-no-proof:yes'>(678) 969-8578 =
work<o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D4 face=3D"Times New Roman"><span =
style=3D'font-size:
14.0pt;mso-no-proof:yes'>abrahame at ...6429... - =
ipager<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>

</div>

</body>

</html>
<BR>
<BR>

<P><B><I><FONT SIZE=3D2 =
FACE=3D"Arial">*********************************************************=
************************************************************************=
*****************</FONT></I></B></P>

<P><B><I><FONT SIZE=3D2 FACE=3D"Arial">"The information transmitted is =
intended only for the person or entity to which it is addressed and may =
contain confidential, proprietary, and/or privileged material. Any =
review, retransmission, dissemination or other use of, or taking of any =
action in reliance upon, this information by persons or entities other =
than the intended recipient is prohibited. If you received this in =
error, please contact the sender and delete the material from all =
computers."</FONT></I></B></P>

------_=_NextPart_001_01C23329.779F27B0--



--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest





More information about the Snort-users mailing list