[Snort-users] RE: Snort-users digest, Vol 1 #2641 - 15 msgs

חואן juan at ...7856...
Mon Jan 6 23:07:02 EST 2003


I did what you told me and now I receive almost the same error:


> /etc/init.d/snortd start
> :no such file or directorybin/sh
> :command not found
> :no such file or direcory.d/init.d/function
> :command not found
> :command not found
> 'etc/rc.d/init.d/snortd: line 24:syntax error near unexpected token 'in
> 'etc/rc.d/init.d/snortd: line 24:'case "$1" in

Do you have any other idea?

thanks

-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Monday, January 06, 2003 5:02 PM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #2641 - 15 msgs




Today's Topics:

   1. Re: Bad Protocol? (J Irving)
   2. Re: Deprecated Plugin API (Andrew R. Baker)
   3. RE: Deprecated Plugin API (Frank Reid)
   4. Snort+POstgresql (Laurent Mesuré)
   5. Re: Snort+POstgresql (Nicholas Bachmann)
   6. problems starting snort (Greg)
   7. Re: problems starting snort (Alberto Gonzalez)
   8. Re: Syntax question (Papa Mike)
   9. Disable Snort logging to /var/log/snort (Sam Ng)
  10. help! can't start snort (חואן)
  11. Re: Disable Snort logging to /var/log/snort (Dirk Geschke)
  12. Csv not logging (Sh J)
  13. Re: help! can't start snort (Erek Adams)
  14. Re: Disable Snort logging to /var/log/snort (Andrew R. Baker)
  15. Re: db question (Martin Roesch)

--__--__--

Message: 1
Date: Sun, 5 Jan 2003 14:01:32 -0800
From: J Irving <j at ...7839...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Bad Protocol?


Hi Mike

Could you post a tcpdump -x of the packet in question?  Many
anomalous IP tweaks can evade interpretation by tools that...uh
...interpret.  tcpdump -x should give you the actual content of
the packet (well, the headers and a bit of payload (probably)),
which you could then compare to RFCs, Richard Stevens, or
whichever authority you prefer.

cheers
j

* Mike Koponick <mike at ...7385...> [2003.01.05 09:30 -0800]:
> 
> Now that I have decent logging working, I'm getting some messages that appear
> to be normal packets, but SNORT seems to think that something is wrong with
> them. I think it might be a rule problem.. has anyone else seen this?
> 
> 01/05-17:33:24.184929  [**] [118:1:1] (spp_conversation) Bad IP protocol!
> [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
> 
> Obviously, this is a SYSLOG message, which we do have a node on the network
> logging to the snort box for syslog parsing.
> 
> This is what the packet looks like:
> 
> [**] (spp_conversation) Bad IP protocol! [**]
> 01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
> UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
> 
> Thanks in advance for your help.
> 
> Mike
> 
> 
> 

-- 
https://erf.sh/chao.html
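J's "compare it to the RFC" step, carried out in code as an added example that is not from the thread: it pulls the tcpdump -x hex back into bytes, decodes the IPv4 header fields (version, IHL, total length, ID, TTL, protocol, addresses), verifies the header checksum and reports anything that violates RFC 791, so a "Bad IP protocol!" alert can be checked against what is actually on the wire. The sample dump is constructed for the example: a syslog datagram shaped like Mike's alert (UDP 514 to 514, TTL 255, ID 46088, length 171) but with made-up private addresses. The line parser assumes the eight-words-per-line layout older tcpdump printed and also accepts the newer "0x0010:" offset prefix.

```python
"""Decode the IPv4 header from a `tcpdump -x` hex dump and check it against
RFC 791, the manual comparison suggested in the post above."""
import re
import struct

# Constructed sample (not from the post): one syslog datagram, UDP 514 -> 514,
# in the eight-words-per-line layout tcpdump -x printed at the time.
SAMPLE_DUMP = """\
4500 00ab b408 0000 ff11 83ca c0a8 010a
c0a8 0114 0202 0202 0097 0000 3c31 333e
4a61 6e20 2035 2031 353a 3536 3a33 3820
"""

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
               50: "ESP", 51: "AH"}
# Accepts both the bare 2003 layout and the newer "0x0010:  ..." offset prefix.
HEX_LINE_RE = re.compile(r"^\s*(?:0x[0-9a-f]+:)?\s*((?:[0-9a-f]{2,4}\s*)+)$", re.I)


def hexdump_to_bytes(text):
    """Concatenate the hex digits of every dump line into raw packet bytes."""
    digits = []
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            digits.append(re.sub(r"\s+", "", m.group(1)))
    return bytes.fromhex("".join(digits))


def ones_complement_sum(data):
    """RFC 1071 checksum over data; a header whose checksum verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(packet):
    """Return (fields, problems): decoded header fields and RFC 791 violations."""
    if len(packet) < 20:
        return None, ["only %d bytes captured; no complete IPv4 header" % len(packet)]
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    tos, total_len, ident, frag, ttl, proto, csum = struct.unpack(
        "!BHHHBBH", packet[1:12])
    fields = {
        "version": version, "ihl": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": frag >> 13, "frag_offset": frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "protocol %d" % proto),
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "captured": len(packet),  # snaplen usually cuts the payload short
    }
    problems = []
    if version != 4:
        problems.append("version field is %d, not 4" % version)
    if ihl < 20:
        problems.append("IHL says a %d-byte header; minimum is 20" % ihl)
    elif ihl > len(packet):
        problems.append("IHL (%d) runs past the captured bytes" % ihl)
    elif ones_complement_sum(packet[:ihl]) != 0:
        problems.append("header checksum 0x%04x does not verify" % csum)
    if total_len < ihl:
        problems.append("total length %d is shorter than the header" % total_len)
    return fields, problems


if __name__ == "__main__":
    hdr, issues = decode_ipv4(hexdump_to_bytes(SAMPLE_DUMP))
    print(hdr)
    print("RFC 791 problems:", issues or "none")
```

A header that decodes cleanly with protocol 17 and a verifying checksum means the datagram itself is well formed, and the alert is about what the preprocessor was configured to accept rather than about the packet.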


--__--__--

Message: 2
Date: Sun, 05 Jan 2003 17:33:56 -0500
From: "Andrew R. Baker" <andrewb at ...950...>
To: Frank Reid <fcreid at ...691...>
CC:  snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Deprecated Plugin API

Frank Reid wrote:
> When I test my configuration with Snort -T, I get a "WARNING: Deprecated
> Plugin API..." message.  My snort.conf only has enabled those active
> plugins in the distribution etc/snort.conf, with the exception of the
> MySQL database logging facility.  Is that the deprecated plugin?


Those are mine.  I updated the CVS code to not print the messages (for 
now).  They went in while I was working on revising the plugin system 
API.  Of course, other tasks have caused me not to finish the changes, 
so *all* of the output plugins use the "deprecated" API.

-A



--__--__--

Message: 3
From: "Frank Reid" <fcreid at ...691...>
To: "'Andrew R. Baker'" <andrewb at ...950...>
Cc: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Deprecated Plugin API
Date: Sun, 5 Jan 2003 17:55:52 -0500

Thanks, Andrew.  You had me going there removing one after the other
attempting to locate it!  :)  Thanks.  I can live with the warning, as
long as I know why.

Frank





--__--__--

Message: 4
Date: Mon, 06 Jan 2003 00:33:21 +0100
From: Laurent Mesuré <lmesure at ...7906...>
To: Snort Users <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort+POstgresql

Hi,

I'm a new subscriber to this list.

I'm trying to get Snort working with PostgreSQL.

But I have a problem with the libpq.so library.

Snort+PostgreSQL needs libpq.so.2, but I'm using PostgreSQL 7.3, which
needs libpq.so.3.

How can I use Snort with libpq.so.3?

Regards

Laurent


--__--__--

Message: 5
Date: Sun, 05 Jan 2003 20:45:24 -0500
From: Nicholas Bachmann <nbachmann at ...6522...>
To: Laurent Mesuré <lmesure at ...7906...>,
   snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort+POstgresql

Laurent Mesuré wrote:

>Hi,
>
>I'm a new subscriber to this list.
>
>I'm trying to get Snort working with PostgreSQL.
>
>But I have a problem with the libpq.so library.
>
>Snort+PostgreSQL needs libpq.so.2, but I'm using PostgreSQL 7.3, which
>needs libpq.so.3.
>
>How can I use Snort with libpq.so.3?
>
Compile Snort yourself... see http://www.snort.org/docs/ for help.

-- 
	Regards,
	Nick

	Nicholas Bachmann, SSCP
	Tech Department
	Davison Community Schools







--__--__--

Message: 6
Date: Sun,  5 Jan 2003 21:06:35 -0500
From: Greg <snort at ...7907...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] problems starting snort

I am attempting to get snort running on an OpenBSD 3.2 system. I compiled snort
1.9.0 with no problems, and am attempting to start snort using:

snort -c /data/snort/conf/rules/snort.conf -u snort -g snort -dev -l
/data/snort/log -i fxp1 -D

I have created the user and group 'snort'. fxp1 is an interface running at
autosense, both on the switch and on my server. When I run the above command to
start snort, I don't see anything running when I do a 'ps -ax'. Does anyone have
any idea what I could be doing wrong? Any help would be greatly appreciated. I
should also mention I have a couple other systems running an identical
configuration and everything is fine with those systems.

Thanks in advance,

Greg


--__--__--

Message: 7
Date: Sun, 05 Jan 2003 21:30:12 -0800
From: Alberto Gonzalez <albertg at ...7909...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] problems starting snort

Did you give user 'snort' ability to write to /data/snort/log ?

Also, try running it without '-D' (remove daemon mode) and see what
types of errors you get, or you can just tail /var/log/daemon to see
what the errors were. I'm currently running it on an OpenBSD 3.2 system
myself without any problems as the user/group snort. You probably just
missed a simple step. Bye!

Cheers,
    Alberto Gonzalez.

Greg wrote:

>I am attempting to get snort running on an OpenBSD 3.2 system. I compiled snort
>1.9.0 with no problems, and am attempting to start snort using:
>
>snort -c /data/snort/conf/rules/snort.conf -u snort -g snort -dev -l
>/data/snort/log -i fxp1 -D
>
>I have created the user and group 'snort'. fxp1 is an interface running at
>autosense, both on the switch and on my server. When I run the above command to
>start snort, I don't see anything running when I do a 'ps -ax'. Does anyone have
>any idea what I could be doing wrong? Any help would be greatly appreciated. I
>should also mention I have a couple other systems running an identical
>configuration and everything is fine with those systems.
>
>Thanks in advance,
>
>Greg
>
>

-- 
The secret to success is to start from scratch and keep on scratching.




--__--__--

Message: 8
Date: Sun, 5 Jan 2003 23:07:12 -0500 (EST)
From: Papa Mike <online_puppy at ...4554...>
Subject: Re: [Snort-users] Syntax question
To: snort-users at lists.sourceforge.net

--- Dustin Decker <dustind at ...7902...> wrote:
> Hello all,
> I'm new to the list, and using Snort 1.9.0 (Build
> 209). 
> 
> I'm logging to a binary file in
> /var/log/snort_dumps, and later replaying
> them into my DB by hand using -r flag.  I'm getting
> ready to make this
> somewhat automated, and have hit a minor snag.  I
> use the -L flag with
> snort to indicate I wish the binary file be named
> based on the cheezy
> variable you see displayed below:
> 
> [snippet from my shell script]
> STAMP=`/bin/date +%m%d%y-%H`
> 
> /usr/sbin/snort -b -L /var/log/snort_dumps/$STAMP -i
> eth0 -c \
> 	/etc/snort/snort.conf
> 
> This is suiting my purposes quite well, with one
> exception.  I get file 
> names such as this:	010403-09.1041693435
> 
> Any recommendations on getting rid of the additional
> ".1041693435" portion 
> of the file name?

Funny.  I'm running 1.8.6 and my default tracefile
naming convention is "snort-MMdd at ...4010...".  That's
without using the '-L' switch.  When you do, you
should just specify the filename, not the path.  Give
the path with the '-l' switch.



--__--__--

Message: 9
From: "Sam Ng" <sng at ...6934...>
To: <snort-users at lists.sourceforge.net>
Date: Mon, 6 Jan 2003 16:47:59 +0800
Subject: [Snort-users] Disable Snort logging to /var/log/snort

Snort keeps logging to /var/log/snort even though I have enabled the DB output
plugin. How can I stop Snort from logging to this directory?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Sam NG
Doctor A Security Systems (HK) Ltd.
708 Millennium City 2
378 Kwuntong Road
Kowloon
HONG KONG
Tel: +852 2342-4355
Fax: +852 2342-4310
Email: sng at ...6934... 



--__--__--

Message: 10
From: חואן <juan at ...7856...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Date: Mon, 6 Jan 2003 11:08:56 +0200 
Subject: [Snort-users] help! can't start snort

When I try to start snort I receive the following errors:

/etc/rc.d/init.d/snortd start
:no such file or directorybin/sh
:command not foundortd
:no such file or direcorytc/rc.d/init.d/function
:command not foundortd
:command not foundortd
'etc/rc.d/init.d/snortd: line 24:syntax error near unexpected token 'in
'etc/rc.d/init.d/snortd: line 24:'case "$1" in


Of course the program doesn't start. Can someone help please?


--__--__--

Message: 11
From: Dirk Geschke <Dirk_Geschke at ...1344...>
Subject: Re: [Snort-users] Disable Snort logging to /var/log/snort
To: sng at ...6934... (Sam Ng)
Date: Mon, 6 Jan 2003 10:43:38 +0100 (CET)
Cc: snort-users at lists.sourceforge.net

Hi,

> Snort keep logging to /var/log/snort even I have enable DB output
> plugin, how can I stop snort from loggin to this directory??

use the command line option -N:

 -N     Turn  off  packet  logging.   The   program   still
        generates alerts normally.

Best regards

Dirk

+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...1344...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Straße 26             |
+------------------------------------------------------------+


--__--__--

Message: 12
Date: Mon, 6 Jan 2003 04:11:30 -0800 (PST)
From: Sh J <shay_work at ...131...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Csv not logging



Hello friends,

I'm running snort 1.9 on win2000 and trying to log alerts to a CSV file. My
line is:

output alert_CSV: c:\snort\log\csv.txt default

I get alerts but nothing shows up in the file.

Any ideas?





--__--__--

Message: 13
Date: Mon, 6 Jan 2003 07:45:17 -0500 (EST)
From: Erek Adams <erek at ...950...>
To: חואן <juan at ...7856...>
cc:
  "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] help! can't start snort

On Mon, 6 Jan 2003, חואן wrote:

> When I try to start snort I receive the following errors:
>
> /etc/rc.d/init.d/snortd start
> :no such file or directorybin/sh
> :command not foundortd
> :no such file or direcorytc/rc.d/init.d/function
> :command not foundortd
> :command not foundortd
> 'etc/rc.d/init.d/snortd: line 24:syntax error near unexpected token 'in
> 'etc/rc.d/init.d/snortd: line 24:'case "$1" in
>
>
> Of course the program doesn't start. Can someone help please?

Your problem is nothing to do with Snort.  It's just simply with the shell
script that starts it.

I'm going to guess and say you don't have the first line as:

    #!/bin/sh

See if that's it.

Cheers!

-----
Erek Adams

   "When things get tough, the weird get going."   H.S. Thompson
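A check a defender can run on the init script before handing it to init, added here as an example and not part of the thread: it tests Erek's guess (no "#!/bin/sh" first line) and, going beyond what the thread says, also flags carriage-return line endings and sourced files that do not exist. CRLF endings make the kernel look for an interpreter literally named "/bin/sh" plus a carriage return, and leave sh reading "in" plus a carriage return at the "case" line, which is the shape of the output quoted above. The script text and the injectable path_exists hook are constructed for the example.

```python
"""Static checks for a SysV init script such as /etc/rc.d/init.d/snortd.
Added example, not from the thread: tests for a missing #!/bin/sh first line
and for CRLF line endings, both of which stop the script before it runs."""
import os
import re
import sys

SHEBANG_RE = re.compile(r"^#!\s*(\S+)")
# '. file' or 'source file' at the start of a line (Red Hat style init
# scripts pull in /etc/rc.d/init.d/functions this way).
SOURCE_RE = re.compile(r"^\s*(?:\.|source)\s+(\S+)", re.MULTILINE)

# Constructed sample: a snortd-style script saved with Windows line endings.
CONSTRUCTED_SCRIPT = (
    "#!/bin/sh\r\n"
    "# snortd - start and stop the snort daemon\r\n"
    ". /etc/rc.d/init.d/functions\r\n"
    "case \"$1\" in\r\n"
    "  start) echo \"starting snort\" ;;\r\n"
    "  *) echo \"usage: $0 {start}\" ;;\r\n"
    "esac\r\n"
)


def check_init_script(text, path_exists=os.path.exists):
    """Return a list of problems found in the script text (empty when clean).

    path_exists is injectable so the check can run against constructed input
    without touching the real filesystem.
    """
    problems = []
    lines = text.split("\n")
    first = lines[0].rstrip("\r") if lines else ""
    m = SHEBANG_RE.match(first)
    if not m:
        problems.append("missing interpreter line: the first line should be '#!/bin/sh'")
    elif not path_exists(m.group(1)):
        problems.append("interpreter %s does not exist" % m.group(1))
    if "\r" in text:
        cr_lines = [i + 1 for i, line in enumerate(lines) if line.endswith("\r")]
        problems.append(
            "CRLF line endings on %d line(s), first at line %d: the kernel would "
            "look for the interpreter %r and sh would see a carriage return glued "
            "to the last word of every line"
            % (len(cr_lines), cr_lines[0], (m.group(1) if m else "") + "\r")
        )
    for src in SOURCE_RE.findall(text):
        if src.startswith("$"):
            continue  # path built from a variable; cannot be checked statically
        if not path_exists(src):
            problems.append("sourced file %s not found" % src)
    return problems


def main(argv):
    """Check the script named on the command line (default: the snortd path)."""
    path = argv[1] if len(argv) > 1 else "/etc/rc.d/init.d/snortd"
    with open(path, "rb") as fh:
        problems = check_init_script(fh.read().decode("utf-8", "replace"))
    for p in problems:
        print("%s: %s" % (path, p))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "python check_initscript.py /etc/rc.d/init.d/snortd"; a non-zero exit means the script would fail in the same way the quoted output shows, and the message says which of the three causes applies.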


--__--__--

Message: 14
Date: Mon, 06 Jan 2003 08:17:23 -0500
From: "Andrew R. Baker" <andrewb at ...950...>
To: Sam Ng <sng at ...6934...>
CC: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Disable Snort logging to /var/log/snort

Dirk Geschke wrote:
> Hi,
> 
> 
>>Snort keep logging to /var/log/snort even I have enable DB output
>>plugin, how can I stop snort from loggin to this directory??
> 
> 
> use the command line option -N:
> 
>  -N     Turn  off  packet  logging.   The   program   still
>         generates alerts normally.

A bit of qualification on this, this will work if you are using "output 
database: alert ...".  However, if you are using "output database: log 
...", you will want to add "-A none" to the command line instead.

"-N" turns off packet logging output plugins, "-A none" turns off 
alerting plugins.  The database plugin can act as either alerting or 
logging.  Also, alert information is available to the packet logging 
output plugins, so you can still get alerts with "-A none" (depending on 
which output plugins you use).

-A





--__--__--

Message: 15
Date: Mon, 06 Jan 2003 10:00:30 -0500
Subject: Re: [Snort-users] db question
From: Martin Roesch <roesch at ...1935...>
To: William Bradd <wbradd at ...5068...>,
  snort-users at lists.sourceforge.net

You could write a simple Perl translator (using DBI) to copy from one DB to
the other, or you can just dump the MySQL DB out to a flat (CSV) file and
bulk load it into Oracle using sqlldr.

Check out this thread on PHP-DB:

http://www.phpbuilder.com/mail/php-db/2000111/0250.php

     -Marty


On 1/3/03 10:04 PM, "William Bradd" <wbradd at ...5068...> wrote:

> Hi,
> 
> my client wants to move from mysql to oracle.
> 
> I know snort will work, but has anyone tried re-writing ACID for Oracle.
> 
> I have searched for a reference, but have not found one.
> 
> any pointers would be greatly appreciated.
> 
> Right now, I am one deep trying to do the work of 5 with no relief in sight.
> 
> Thanks
> 
> w. Bradd
> 
> 
> 
> 
> 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



