[Snort-users] I need help in interpreting some Docs

John Draper lists at ...13962...
Thu Oct 26 18:46:45 EDT 2006

Joachim Schipper wrote:

>>I also posted this to the snort users list,  snort.user at ...11827...,  but
>>(sigh) my postings are not making it to the list.   Have they changed
>>their list mailing address?   I suppose I shouldn't ask that in this
>>forum,  but if anyone knows the snort mailing list address,  and if
>>it's different, then I need to know that.
>I really wouldn't know what snort mailing lists are there, but are you
>*really* certain that is not just one random guy? a quick google does
>suggest so, and does suggest that
>https://lists.sourceforge.net/lists/listinfo/snort-users might be a good
>place to start (note the snort-users at lists.sourceforge.net).
I just learned they changed the name of the mailing list,  which
I joined more than 3 years ago.   I'm still getting mail from
snort.users at ...11827... but for some reason,  sending mail
there no longer works,  but I did get a different Email,  and have
since sent this posting to them as well,  and confirmed it is
working now.

I think I've decided to download and test SnortSam and see if it meets
my needs.  It seems to only support OpenBSD 3.6 (I have 3.8),
and have joined the SnortSam mailing list so I can direct my questions
to this list as I start learning it.

>>Ok,  thanx for the info....  when I was playing with Snort,  they didn't
>>have this mode.
>It's been around for a while, I believe, but has only recently been
>integrated with the main development branch.
Yea - I'm learning all about these new (and very cool) features.
I wasn't expecting to see so many cool enhancements. 

I'm hoping some future effort might be done to both Snort and OpenBSD
to integrate them together in new and interesting ways.  I would participate
but I don't know these systems well yet.

>>If they can be answered in the documentation,  then please point me
>>to it...   the snort docs have more than 150 files,  most are not
>>related with what I want to do,  some are not titled with names
>>indicative of what they talk about,  because I scanned each entry,
>>and read 80% of them,  and NO,  I didn't find the answers to my
>>questions by reading the docs.
>You won't hear me say that the Snort docs are easy to read, but the
>questions you asked are, in fact, not that difficult to find an answer
>Q does OpenBSD have IPTables?
>	man -k iptables; ls -d /usr/ports/*/*iptables* (equivalent
>web-based systems exist; the openbsd.org page links to the man pages,
>and ports.openbsd.nu allows you to search the ports system)
>	Alternately, http://www.google.com/search?q=openbsd+iptables;
>read the synopsis of the first hit,
>	As to answering the question whether there is another solution,
>Q make devel for Snort or IPTables?
>	this is in the Snort docs, although not terribly clear
yes - this was my perception as well - but I looked at a lot of
these docs as well,  but I'm just not quite understanding it
all yet.   It DOES take time to learn new systems,  especially
if you are over 63.  Now if I were a 15 yr old kid,  that would
most certainly be different,  and age discrimination is alive
and well....

>Q can log_tcpdump be read while Snort is running?
>	The manual also says it's in standard tcpdump format:
>However, I'll admit that it might not be obvious that this can be read
>while Snort is running. 
No - there was nothing in the Snort manual that hints if this will work
and display the contents of this file,  and I sure as heck wasn't going to
try it on the only system I have access to,  which is a production system.

I haven't got everything installed yet,  as this is taking me a little
longer than I was expecting.   I think in few days,  I'll have an
experimental system I can try things with,  without shutting down a
production server.

>A simple test would give you an affirmative
>answer; the other solution is to note that tcpdump's files can be read
>while tcpdump is running, and extrapolate from there.
>Q Switching modes?
>	granted, it might be hard to find a place where it is explicitly
>said that this doesn't work
I didn't see any.

>Questions are, of course, welcome; that's what this list is for, to a
>certain extent. However, I can't believe you actually tried to find the
>answer to the IPTables question before posting. (I could see how one
>would have trouble finding the answer to the other questions.)
I might have been looking in the wrong place - sorry!  These
things happen.

>Also, if you had actually taken a look at the port,
>/usr/ports/net/snort, you'd have noticed the flexresp option (and the
>lack of inline option, 
I didn't notice it,  because how would I know to look for it?
I don't even know what a "flexresp" option is....  and yes,
I agree with you that I should use the ports tree,  but I
WILL need to build snort from source,  especially if I intend
to use SnortSam,  because I already looked at their docs,
and am putting together an installation plan.   I develop this
plan while I'm reading the archives in the mailing lists,  of
which I'm focusing on SnortSam right now, and getting it to
work with OpenBSD's "PF"...  but as I said earlier,  SnortSam
supports up to ver 3.6 of OpenBSD,  but they only said they
tested it to that version,  I'm hopeful SnortSam WOULD work
with the new 3.8.

>but the text above suggests that inline mode does
>work; perhaps this should be fixed?). On OpenBSD, you should almost
>always use the packages provided for you.
I think I remembered reading about this,  but after closer look
I didn't see or hear anything else about it.
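The "can log_tcpdump be read while Snort is running?" question above, as an added illustration that is not part of the original thread: a small Python reader for the standard pcap format that log_tcpdump writes, which stops cleanly at a partially written trailing record and returns the offset to resume from, so a reader polling a file that Snort is still appending to never mis-parses a half-flushed packet. The sample capture is constructed in memory; no Snort-specific API is assumed.

```python
import struct

# Classic pcap layout (assumed standard libpcap format; this is not Snort code)
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16      # ts_sec, ts_usec, incl_len, orig_len
MAGIC_LE = 0xA1B2C3D4  # file bytes d4 c3 b2 a1: little-endian writer
MAGIC_BE = 0xD4C3B2A1  # file bytes a1 b2 c3 d4: big-endian writer

def build_sample_pcap(payloads):
    """Build a little-endian pcap byte string around constructed sample frames."""
    hdr = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(
        struct.pack("<IIII", 1_000_000 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(payloads))
    return hdr + body

def read_complete_records(data, start=GLOBAL_HDR_LEN):
    """Parse complete records from `data` beginning at byte `start`.

    Returns (records, next_offset). Stops at a record whose header or payload
    is not fully present yet, which is what a file still being written looks
    like; calling again with the grown buffer and `next_offset` resumes.
    """
    if len(data) < GLOBAL_HDR_LEN:
        return [], 0  # global header not flushed yet: nothing to read
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MAGIC_LE:
        endian = "<"
    elif magic == MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %08x)" % magic)
    records, off = [], max(start, GLOBAL_HDR_LEN)
    while off + REC_HDR_LEN <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + REC_HDR_LEN])
        end = off + REC_HDR_LEN + incl_len
        if end > len(data):
            break  # partial trailing record: leave it for the next poll
        records.append((ts_sec, ts_usec, orig_len, data[off + REC_HDR_LEN:end]))
        off = end
    return records, off

if __name__ == "__main__":
    full = build_sample_pcap([b"\x00" * 14 + b"A" * 10, b"B" * 30, b"C" * 5])
    first, off = read_complete_records(full[:120])   # third record half-written
    later, off = read_complete_records(full, off)    # resume once it is complete
    print(len(first), "records, then", len(later), "more; ended at byte", off)
```

On a live file the same loop works with repeated reads of the growing file; only the resume offset needs to be kept between polls.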


