[Snort-users] flexresp and mysql

Craig Mueller cmueller at ...11019...
Thu Sep 7 13:14:23 EDT 2006


If you are installing on a FreeBSD 6.1X or later system, then you need 
libnet10-1.0.2a_1.  Get this from the BSD ports collection; installing 
snort_inline from sysinstall also works.

Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com


snort-users-request at lists.sourceforge.net wrote:
> Today's Topics:
>
>    1. flexresp and mysql (Jesús Gálvez)
>    2. Re: flexresp and mysql (Todd Wease)
>    3. (portscan) Open Port: (Mark Rohrbeck)
>    4. Re: (portscan) Open Port: (Bamm Visscher)
>    5. snort v2.6 Win32 flex? (Rich Adamson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 7 Sep 2006 13:06:10 +0200 (CEST)
> From: Jesús Gálvez <jesuxgalvez at ...11031...>
> Subject: [Snort-users] flexresp and mysql
> To: snort-users at lists.sourceforge.net
> Message-ID: <20060907110610.53088.qmail at ...13920...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi, when I run configure with the flexresp and mysql options, configure gives me an error.
>
> Then I tried with flexresp2 and libdnet, but again I got the same result.
>
> checking for compress in -lz... yes
> checking dnet.h usability... yes
> checking dnet.h presence... yes
> checking for dnet.h... yes
> checking for eth_set in -ldnet... no
>
>    ERROR!  Libdnet header not found, go get it from
>    http://libdnet.sourceforge.net or use the --with-dnet-*
>    options, if you have it installed in an unusual place
>
>
> I run:
>
>
> ./configure  --prefix=/usr/local/snort \
>              --with-dnet-libraries=/usr/lib \
>              --with-dnet-includes=/usr/lib/include \
>              --with-mysql=/usr/local/mysql \
>              --enable-flexresp2
>
> All is in the correct directories.
>
> Can anyone help me? Thanks.
>
> ------------------------------
>
> Message: 2
> Date: Thu, 07 Sep 2006 10:27:27 -0400
> From: Todd Wease <twease at ...1935...>
> Subject: Re: [Snort-users] flexresp and mysql
> To: snort-users at lists.sourceforge.net
> Message-ID: <1157639247.2569.15.camel at ...13896...>
> Content-Type: text/plain
>
>>              --with-dnet-includes=/usr/lib/include \
>
> Try --with-dnet-includes=/usr/include
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 7 Sep 2006 11:32:36 -0400
> From: Mark Rohrbeck <mark.rohrbeck at ...11827...>
> Subject: [Snort-users] (portscan) Open Port:
> To: <Snort-users at lists.sourceforge.net>
> Message-ID: <000001c6d292$da790420$a029a8c0 at ...13921...>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
> I am getting thousands of these portscans (below are 3 examples). They are
> basically all from my Exchange server to different IP addresses, mainly on
> port 25; I have noticed a few of 53 too.  They are all going to addresses on
> the internet and I am not sure if I should be concerned or not. They are
> happening continuously all through the day.
>
> If I can offer any more information please let me know. I would really like
> to get to the bottom of this; I have googled away and found similar posts but
> no answers.
>
> When I click on the link to Snort it says
>
>   GEN:SID   1:27
>   Message   Sorry, no such sid-gen (1:27)
>
> Any help greatly appreciated.
>
> #624-(3-21094) | [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27>] (portscan) Open Port: 25 | 2006-09-06 06:08:36 | 192.168.41.129 | 67.15.52.7 | Raw IP
> #625-(3-21091) | [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27>] (portscan) Open Port: 25 | 2006-09-06 06:08:35 | 192.168.41.129 | 70.84.128.20 | Raw IP
> #626-(3-21092) | [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27>] (portscan) Open Port: 25 | 2006-09-06 06:08:35 | 192.168.41.129 | 67.15.143.14 | Raw IP
>
> Thanks
>
> ------------------------------
>
> Message: 4
> Date: Thu, 7 Sep 2006 09:40:36 -0600
> From: "Bamm Visscher" <bamm.visscher at ...11827...>
> Subject: Re: [Snort-users] (portscan) Open Port:
> To: "Mark Rohrbeck" <mark.rohrbeck at ...11827...>
> Cc: Snort-users at lists.sourceforge.net
> Message-ID:
> 	<27492850609070840p33d39e47wb636b1cc5d4a74fb at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> That's the sfportscan preprocessor [0]
>
> Bammkkkk
>
> [0] http://www.snort.org/docs/snort_htmanuals/htmanual_260/node11.html#SECTION00317000000000000000
>
>
>
> On 9/7/06, Mark Rohrbeck <mark.rohrbeck at ...11827...> wrote:
>> Hi all,
>>
>> I am getting thousands of these portscans (below are 3 examples). They are basically all from my Exchange server to different IP addresses, mainly on port 25; I have noticed a few of 53 too.  They are all going to addresses on the internet and I am not sure if I should be concerned or not. They are happening continuously all through the day.
>>
>> If I can offer any more information please let me know. I would really like to get to the bottom of this; I have googled away and found similar posts but no answers.
>>
>> When I click on the link to Snort it says
>>
>>   GEN:SID   1:27
>>   Message   Sorry, no such sid-gen (1:27)
>>
>> Any help greatly appreciated.
>> Thanks
>

-- 
Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com
612-436-8204
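
The configure excerpt quoted above, triaged in POSIX shell as an added example that is not part of the original thread or the Snort sources: failed_probes reports which probe answered "no", and check_dnet_paths confirms that the directories passed to --with-dnet-includes and --with-dnet-libraries actually hold dnet.h and a libdnet file. The function names are hypothetical; the sample input is the output quoted in Message 1.

```shell
#!/bin/sh
# Sample input: the configure output quoted in Message 1 of this digest.
sample_output() {
cat <<'EOF'
checking for compress in -lz... yes
checking dnet.h usability... yes
checking dnet.h presence... yes
checking for dnet.h... yes
checking for eth_set in -ldnet... no
EOF
}

# Read configure output on stdin and print one line per failed probe:
#   "library LIB SYMBOL"  for link tests ("checking for SYMBOL in -lLIB... no")
#   "header FILE.h"       for header probes
failed_probes() {
    awk '
    /\.\.\. no$/ {
        if ($2 == "for" && $4 == "in" && $5 ~ /^-l/) {
            lib = $5; sub(/^-l/, "", lib); sub(/\.\.\.$/, "", lib)
            print "library", lib, $3
        } else {
            for (i = 2; i <= NF; i++) {
                f = $i; sub(/\.\.\.$/, "", f)
                if (f ~ /\.h$/) { print "header", f; break }
            }
        }
    }'
}

# Verify the directories handed to --with-dnet-includes ($1) and
# --with-dnet-libraries ($2). Prints what is missing; returns 0 if both exist.
check_dnet_paths() {
    inc=$1 lib=$2 rc=0
    if [ ! -f "$inc/dnet.h" ]; then
        echo "missing header: $inc/dnet.h"; rc=1
    fi
    if ! ls "$lib"/libdnet.* >/dev/null 2>&1; then
        echo "missing library: $lib/libdnet.*"; rc=1
    fi
    return $rc
}

# Stand-alone run: show which probe failed in the quoted output.
sample_output | failed_probes
```

On the quoted output this reports a failed library probe (eth_set in -ldnet) while all three dnet.h header probes passed, so the library directory is worth checking as well as the include directory.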
