[Snort-users] Snort-users Digest, Vol 28, Issue 4

Viswanathan R viswa_jang at ...131...
Mon Sep 15 10:00:18 EDT 2008


Team

I am supposed to give a presentation about the latest Snort to my team.  Is there any ready-made PowerPoint presentation for this which covers all the aspects of Snort?

Thanks in advance for pointing me to the right place/giving a presentation.
Regards
Viswanathan R



--- On Mon, 9/15/08, snort-users-request at lists.sourceforge.net <snort-users-request at lists.sourceforge.net> wrote:

> From: snort-users-request at lists.sourceforge.net <snort-users-request at lists.sourceforge.net>
> Subject: Snort-users Digest, Vol 28, Issue 4
> To: snort-users at lists.sourceforge.net
> Date: Monday, September 15, 2008, 7:10 PM
> Send Snort-users mailing list submissions to
> 	snort-users at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> 	snort-users-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> 	snort-users-owner at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Deploying snorts on Mac OS 10.4 (Joel Esler)
>    2. Anybody know how to fix this error? (Tommy Cansanay)
>    3. Re: Anybody know how to fix this error? (Tommy Cansanay)
>    4. Snort on Leopard 10.5.4...getting there (James Lay)
>    5. Re: Snort on Leopard 10.5.4...getting there (James Lay)
>    6. Snort generates alerts when I use rsync to download files
>       (carlopmart)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 10 Sep 2008 20:36:01 -0400
> From: Joel Esler <eslerj at ...11827...>
> Subject: Re: [Snort-users] Deploying snorts on Mac OS 10.4
> To: Nix Hanwei <wannab78 at ...5310...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
> <52B45494-7F98-4123-A926-5C7793B65387 at ...11827...>
> Content-Type: text/plain; charset="utf-8"
> 
> Did you check out the readme that came with the Snort
> tarball?  It has some special compile instructions for OSX.
> Check those out.
> 
> Joel
> 
> On Sep 10, 2008, at 8:24 PM, Nix Hanwei wrote:
> 
> > Hi Gurus,
> >
> > I'm new here.  I encountered the following
> > problem while installing Snort.  Please assist me
> > here.
> >
> > When I hit ./configure on snort-2.8.3
> > I get the following error.
> >
> >   ERROR!  Libpcre header not found.
> >   Get it from http://www.pcre.org
> >
> > I went on to download pcre-7.8
> > When I hit ./configure on pcre-7.8, attached is the
> > config.log.  Please assist me here to install
> > snort-2.8.3.
> >
> > Thanks & Regards,
> > wannabe
> >
> >
> >
> 
> 
> --
> Joel Esler
> http://blog.joelesler.net
> http://www.dearcupertino.com
> [m]
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 12 Sep 2008 15:39:18 -0400
> From: "Tommy Cansanay" <toortog at ...11827...>
> Subject: [Snort-users] Anybody know how to fix this error?
> To: snort-users at lists.sourceforge.net
> Message-ID:
> 	<f0bee75f0809121239g79303734w13ccd9f444557e1b at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I was updating rules, restarted and got this...
> 
> FATAL ERROR: ***Rule--PortVar Parse error: (pos=4,error=not a number) >>ANY
> >>   ^
> 
> 
> Anybody run into this? Better yet, how to fix it?
> 
> thanks
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 12 Sep 2008 16:44:07 -0400
> From: "Tommy Cansanay" <toortog at ...11827...>
> Subject: Re: [Snort-users] Anybody know how to fix this error?
> To: "Paul Schmehl" <pschmehl_lists_nada at ...14358...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
> 	<f0bee75f0809121344l23b25554t1168b6db59f5364c at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> John,
>   Thank you for the suggestion. cat -v * (on the rules dir)
> didn't really
> help me much since it gave me a slew of entries that looked
> normal.
> 
> Paul,
>    Obviously.. IT IS NOT OBVIOUS since I'm asking for
> help. I did not assign
> the PORTVAR variable with/to "ANY". I do the
> normal routine of pushing VRT
> rules that has worked before and I did not do anything
> special this time
> other than review and uncomment a few rules that the VRT
> team commented. I
> also did NOT modify the snort.conf, which I may add... the
> same snort.conf
> file (that's been working) that I've been using for
> a while now!
> 
> Magic fix... removed previously tar'd dirs, untarred it
> again, and somehow
> it's good to go. Somehow something got corrupted and
> since doing an egrep
> for PORTVAR didn't show squat and I need the stuff to
> be up, I had to just
> redo the procedure and push each categorized rule[s] one at
> a time (hoping
> it will at least point me to a rule that was syntactically
> incorrect) --
> which fortunately it didn't.
> 
> Thanks
>  Tom
> 
> On Fri, Sep 12, 2008 at 4:09 PM, Paul Schmehl
> <pschmehl_lists at ...14358...>wrote:
> 
> > --On Friday, September 12, 2008 3:39 PM -0400 Tommy
> Cansanay <
> > toortog at ...11827...> wrote:
> >
> >
> >> I was updating rules, restarted and got this...
> >>
> >> FATAL ERROR: ***Rule--PortVar Parse error:
> (pos=4,error=not a number)
> >> >>ANY >>   ^
> >>
> >>
> >> Anybody run into this? Better yet, how to fix it?
> >>
> >>
> > It's pretty obvious, isn't it?  You can't
> use "ANY" as the value of
> > PORTVAR.  It must be a number or number, comma or dash
> separated.
> >
> > Somewhere in the snort.conf file there is a line with
> the following:
> > PORTVAR = ANY
> >
> > That line is invalid.
> >
> > Paul Schmehl
> > As if it wasn't already obvious,
> > my opinions are my own and not
> > those of my employer.
> >
> 
> ------------------------------
> 
> Message: 4
> Date: Sat, 13 Sep 2008 07:56:04 -0600
> From: James Lay <jlay at ...13475...>
> Subject: [Snort-users] Snort on Leopard 10.5.4...getting there
> To: Snort <snort-users at lists.sourceforge.net>
> Message-ID: <C4F12294.39A48%jlay at ...13475...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> So I've got snort 2.8.3 running right now on Leo 10.5.4
> (YaY).  Dynamic
> preprocessors tank with a Bus Error however.  Who do I send
> the crash log
> to?  Also, does anyone have a good plist startup file for
> snort on OS X?
> Everything works but the filter option (example:  "ip and
> not host bleh")
> doesn't seem to get passed correctly to snort:
> 
> Sep  9 19:51:30 slave-tothe-box snort[346]: FATAL ERROR: OpenPcap() FSM compilation failed: \n        illegal token: "\nPCAP command: "ip and not port 21746"
> 
> Of course, running command line it works just fine (have I
> mentioned how
> much I loathe launchd?).
> 
> Danke folks
> 
> James
> 
> ------------------------------
> 
> Message: 5
> Date: Sat, 13 Sep 2008 12:26:07 -0600
> From: James Lay <jlay at ...13475...>
> Subject: Re: [Snort-users] Snort on Leopard 10.5.4...getting there
> To: Martin Roesch <mroesch at ...1935...>
> Message-ID: <E1Keapb-00007a-4B at ...13567...>
> Content-Type: text/plain;	charset="US-ASCII"
> 
> 
> 
> 
> On 9/13/08 10:59 AM, "Martin Roesch" <mroesch at ...1935...> wrote:
> 
> > What's the command line and snort.conf file
> you're using with Snort
> > when it errors out?  If you look in the BUGS file that
> comes with the
> > source distro you'll see all the info we need and
> where to send it to
> > diagnose your problem.
> > 
> > Marty
> > 
> > On Sat, Sep 13, 2008 at 9:56 AM, James Lay <jlay at ...13475...> wrote:
> >> So I've got snort 2.8.3 running right now on
> Leo 10.5.4 (YaY).  Dynamic
> >> preprocessors tank with a Bus Error however.  Who
> do I send the crash log
> >> to?  Also, does anyone have a good plist startup
> file for snort on OS X?
> >>  Everything works but the filter option (example: 
> "ip and not host bleh")
> >> doesn't seem to get passed correctly to snort:
> >> 
> >> Sep  9 19:51:30 slave-tothe-box snort[346]: FATAL
> ERROR: OpenPcap() FSM
> >> compilation failed: \n        illegal token:
> "\nPCAP command: "ip and not
> >> port 21746"
> >> 
> >> Of course, running command line it works just fine
> (have I mentioned how
> >> much I loathe launchd?).
> >> 
> >> Danke folks
> >> 
> >> James
> 
> The command line is:
> 
> /usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody  -o -c /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log "ip and not port 21746"
> 
> I used Lingon to create a .plist file and after removing
> the ""'s from the
> filter it works now.  This changed from:
> 
>          <string>/usr/snort/var/log</string>
>         <string>"ip</string>
>         <string>and</string>
>         <string>not</string>
>         <string>port</string>
>         <string>21746"</string>
>     </array>
> 
> To
> 
>         <string>ip and not port 21746</string>
>     </array>
> 
> This works fine now.
> 
> As for the snort.conf, I had to comment out all the dynamic
> preprocessor
> jazz to get it to run without a Bus Error:
> 
> #dynamicpreprocessor directory /usr/snort/lib/snort_dynamicpreprocessor/
> #dynamicengine /usr/snort/lib/snort_dynamicengine/libsf_engine.dylib
> #dynamicdetection directory /usr/snort/lib/snort_dynamicrule/
> 
> and the dns, smtp, dce, and telnet/ftp dynamic
> preprocessors.  Once that was
> done it came up with no error.  I'll look through the
> BUGS and send along,
> but here's some of the info from the crash file:
> 
> Process:         snort [72780]
> Path:            /usr/snort/bin/snort
> Identifier:      snort
> Version:         ??? (???)
> Code Type:       PPC (Native)
> Parent Process:  bash [71934]
> 
> Exception Type:  EXC_BAD_ACCESS (SIGBUS)
> Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
> Crashed Thread:  0
> 
> Thread 0 Crashed:
> 0   ???                               0000000000 0 + 0
> 1   libsf_ssl_preproc.0.0.0.dylib     0x022c27d0 InitializePreprocessor + 432
> 2   snort                             0x0004d194 InitDynamicPreprocessorPlugins + 84
> 3   snort                             0x0004d50c InitDynamicPreprocessors + 588
> 4   snort                             0x0001da84 SnortMain + 2276
> 5   snort                             0x000024b4 start + 68
> 6   ???                               0000000000 0 + 0
> 
> Thanks Marty,
> 
> James
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Mon, 15 Sep 2008 15:41:10 +0200
> From: carlopmart <carlopmart at ...11827...>
> Subject: [Snort-users] Snort generates alerts when I use rsync to download files
> To: Snort Users <Snort-users at lists.sourceforge.net>
> Message-ID: <48CE65F6.8020309 at ...11827...>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hi all,
> 
>   I am using snort on my laptop as a test lab. When I try
> to download files from 
> Internet, Snort displays this alert:
> 
> 09/15-14:44:36.373001  [Drop] [**] [1:1390:6] SHELLCODE x86 inc ebx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 193.109.191.9:873 -> 10.38.55.4:53662
> 
> Why is this alert generated?? I am downloading .rpm, .xml,
> and .gz files ...
> 
> 
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> 
> 
> 
> ------------------------------
> 
> 
> ------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest, Vol 28, Issue 4
> ******************************************
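The launchd quoting fix James Lay describes in message 5 of the quoted digest, as an added example (not code from the thread): every <string> in a launchd ProgramArguments array is handed to the program as one argv element with no shell in between, so the command line has to be split the way a shell would split it, which keeps the BPF filter "ip and not port 21746" a single argument and strips the quotes. The job label org.snort.daemon and the use of shlex/plistlib are this example's own assumptions.

```python
"""Turn a snort command line into a launchd ProgramArguments array.

launchd does not run a shell: each <string> becomes exactly one argv[]
element, passed verbatim.  A whitespace split therefore leaves the quote
characters inside the arguments, and libpcap's BPF compiler rejects the
stray '"' as an illegal token (the FATAL ERROR in the thread's syslog line).
"""
import plistlib
import shlex

# Command line quoted from the mailing-list post (constructed sample input).
SNORT_CMDLINE = (
    '/usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody -o -c '
    '/usr/snort/etc/snort/snort.conf -l /usr/snort/var/log '
    '"ip and not port 21746"'
)


def command_to_argv(cmdline: str) -> list[str]:
    """Split like a POSIX shell: quotes group words and are removed."""
    return shlex.split(cmdline)


def broken_argv(cmdline: str) -> list[str]:
    """Naive whitespace split, i.e. the <string> list the GUI tool emitted."""
    return cmdline.split()


def check_argv(argv: list[str]) -> list[str]:
    """Return every element that still carries a literal double quote.

    Anything listed here would reach snort (and the BPF compiler) unchanged.
    """
    return [arg for arg in argv if '"' in arg]


def launchd_plist(label: str, argv: list[str]) -> bytes:
    """Emit a minimal launchd job definition as XML plist bytes."""
    job = {"Label": label, "ProgramArguments": argv, "RunAtLoad": True}
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    good = command_to_argv(SNORT_CMDLINE)
    bad = broken_argv(SNORT_CMDLINE)
    print("naive split leaves quoted fragments:", check_argv(bad))
    print("shell-style split keeps the filter whole:", repr(good[-1]))
    # org.snort.daemon is an assumed label for this example.
    print(launchd_plist("org.snort.daemon", good).decode())
```

Run it and compare the generated <array> with the before/after fragments in James's message: the filter appears as one <string> element with no embedded quotes.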