[Snort-users] RE: start using argus snort

חואן juan at ...7856...
Tue Jul 22 02:57:01 EDT 2003


Hi !

I installed the argus quick install of snort. In the manual it is written
that in order to start
I need to issue the ./snort -v command. I receive: -bash: ./snort: No such
file or directory

why is that?

thanks

-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net]
Sent: Tuesday, July 22, 2003 5:30 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #3366 - 3 msgs



Today's Topics:

   1. Re: Viewing ACID set's off P..O..R..N rules ... (Jason Whitson)
   2. RE: Viewing ACID set's off P..O..R..N rules ... (Scott Renna)
   3. Re: Problem with test script for Cisco vulnerability (Bennett Todd)

--__--__--

Message: 1
From: "Jason Whitson" <jason at ...9559...>
To: "Scott Renna" <srenna at ...9588...>, <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
Date: Mon, 21 Jul 2003 16:12:41 -0500

So ...

/usr/local/bin/snort -U -d -D -c /etc/snort/snort.conf not \ 172.16.1.172:80
?

Because that didn't work. Do I surround my IP in ( ) ... ?


- Jason


----- Original Message -----
From: "Scott Renna" <srenna at ...9588...>
To: "'Jason Whitson'" <jason at ...9559...>;
<snort-users at lists.sourceforge.net>
Sent: Monday, July 21, 2003 3:32 PM
Subject: RE: [Snort-users] Viewing ACID set's off P..O..R..N rules ...


> Try this from 7/8:
>
> Bryan Irvine <bryan.irvine at ...9066...> writes:
>
> > Is there a way to get snort to skip over IPs?  I keep tripping the
> > porno alerts whenever I view someone else's porno log in acid.  I'd
> > like for it to not log my ip.
>
> The easiest way is to do a bpf filter on the snort command line
>
> snort <args> not \( host <ip> and port 80 \)
> --
> Chris Green <cmg at ...1935...>
> I've had a perfectly wonderful evening. But this wasn't it.
>      -- Groucho Marx
>
>
>
> ***************************
> Scott Renna
> Head Systems Administrator
> Dynamic Animation Systems
> 703-503-0500
>
> ***************************
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jason
> Whitson
> Sent: Monday, July 21, 2003 4:24 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
>
>
> Well today I decided to turn on the P..O..R..N ruleset to see if anyone
> here wasn't working on ... work.
>
> Much to my surprise, ACID "blew up" with Rule violations. This is great
> and all but when I view the rule violations in the ACID console and
> refresh to see the latest, all the rules that were listed get relisted
> because I was viewing them!
>
> Is there a way to exclude the machine I use to view the ACID console
> from the rules? I would hate to have to explain the rule violations from
> my workstation. Even though the source IP is the box running snort ...
>
> - Jason
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
> same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



--__--__--

Message: 2
From: "Scott Renna" <srenna at ...9588...>
To: "'Jason Whitson'" <jason at ...9559...>,
   <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Viewing ACID set's off P..O..R..N rules ...
Date: Mon, 21 Jul 2003 17:13:06 -0400

you forgot to add the word "host" before your IP


***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

*************************** 
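
The corrected filter from this exchange, as an added example that is not part of the original messages. It builds the `not ( host <ip> and port 80 )` expression, rejects the `ip:port` form that failed, and can narrow the exclusion to one server so the workstation's other web traffic is still inspected. The ACID server address 172.16.1.10 and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build a BPF exclusion filter for the Snort command line.
# 172.16.1.172 is the workstation address quoted in the thread;
# 172.16.1.10 is a constructed address standing in for the ACID web server.

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # rejects "172.16.1.172:80"
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a filter excluding port-80 traffic of the viewing workstation ($1).
# With a second address ($2) only traffic between the two hosts is excluded,
# which keeps the blind spot limited to the ACID console sessions.
build_exclude_filter() {
    is_ipv4 "$1" || { echo "bad workstation address: $1" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        is_ipv4 "$2" || { echo "bad server address: $2" >&2; return 1; }
        printf 'not ( host %s and host %s and port 80 )\n' "$1" "$2"
    else
        printf 'not ( host %s and port 80 )\n' "$1"
    fi
}

# Passing the filter as one quoted argument avoids the \( \) shell escaping
# used in the thread. The command is printed, not run, so this works offline.
filter=$(build_exclude_filter 172.16.1.172 172.16.1.10) &&
    echo "snort -U -d -D -c /etc/snort/snort.conf '$filter'"
```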




--__--__--

Message: 3
Date: Mon, 21 Jul 2003 17:43:41 -0400
From: Bennett Todd <bet at ...6163...>
To: CMartin at ...9696...
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Problem with test script for Cisco vulnerability


2003-07-21T14:26:30 CMartin at ...9696...:
> I tried to implement this script to test my snort rules; however, it appears
> that I don't have hping in my /usr/local/sbin directory or not in my /sbin
> directory.  I am running redhat v9.

As others have mentioned, download from <URL:http://www.hping.com/>
and build yourself. If you want an rpm install, I have a spec file
I'll be glad to pass you. It's trivial.

> Also I get the following error when I try to run the script (sh
> exploit.sh).
>
> exploit.sh: line 8: syntax error near unexpected token `('
> exploit.sh: line 8: `foreach protocol (53 55 77 103)'

The exploit script as posted was in tcsh, which has a different
syntax from sh.

> But also an interesting note, my whole /usr/local/sbin is empty.

/usr/local is reserved for non-packaged software. rpms are normally
properly written to install into /usr/sbin, /usr/bin, and so forth.

-Bennett




--__--__--



End of Snort-users Digest
