[Snort-users] Lets talk about ....

Jeremy Hoel jthoel at ...11827...
Tue Oct 9 11:51:57 EDT 2012


Honestly.. instead of going back and forth over and over and saying
that the tools don't work, when everyone else here knows they do, you
should probably install Security Onion, see how it works, including
the settings, options, integrations with databases and all that, see
that it does work, and then use it to figure out why your system isn't
working. Plus then you can try changes on a known good working system
and see how they affect things and then integrate them into whatever
scripts you keep talking about using.

The tools work and it's not nearly as hard as you are making it.

And BTW - criticizing the people that write the tools, that's probably
not going to help your case.


On Tue, Oct 9, 2012 at 3:43 PM, AllowOverride <allowoverride at ...11827...> wrote:
> Reply: ok, pcap, got it. Thanks. Makes sense now.
>
> Mine, however, does not say decoding when I start Snort...
>
> Like I have been saying, something is not working...
>
> Lots of little things are not working....
>
> thanks for hanging in there.
>
>
>
>
> ---------- Forwarded message ----------
> From: Peter Bates <peter.bates at ...15381...>
> To:
> Cc: <snort-users at lists.sourceforge.net>
> Date: Tue, 9 Oct 2012 09:10:54 +0100
> Subject: Re: [Snort-users] Lets talk about ....
>
>
> Hello all
>
> On 08/10/2012 23:28, AllowOverride wrote:
>> next topic, revisited:
>>
>> u2spewfoo snort.log.1349734894
>> get_record: (2) Failed to read all of record data.
>>       Read 14476 of 33555456 bytes
>>
>> why?
>>
>> i run snort/barnyard2 this way: should i change?
>>
>> /usr/local/bin/snort -A fast -c /etc/snort/etc/snort.conf -i eth0 &
>
> I should have made it clearer in my previous email, but you should drop
> the -A fast.
>
> # snort -A fast -c /etc/snort/snort.conf -i eth1
> <snip>
> Commencing packet processing (pid=7855)
> Decoding Ethernet
>
> # ls -hl
> total 12K
> -rw-r--r-- 1 root  snort  448 Oct  9 09:05 alert
> -rw------- 1 snort snort  480 Oct  9 09:05 snort.log.1349769868
>
> # file snort.log.1349769868
> snort.log.1349769868: tcpdump capture file (little-endian) - version 2.4
> (Ethernet, capture length 1514)
>
> Again, Snort is creating a pcap file and not a unified2 log.
>
> # snort -c /etc/snort/snort.conf -i eth1
> <snip>
> Commencing packet processing (pid=7882)
> Decoding Ethernet
>
> # ls -hl
> total 8.0K
> -rw------- 1 snort snort 1.2K Oct  9 09:07 snort.log.1349770017
>
> # file snort.log.1349770017
> snort.log.1349770017: data
>
> # u2spewfoo snort.log.1349770017 |grep sig
>         sig id: 10000001        gen id: 1       revision: 0
> classification: 0
>
> Obviously when all is running fine you can daemonize with -D.
> Using & you're backgrounding any startup errors you might see.
>
> After this I suspect barnyard2 will work fine as it
> will have the unified2 input it is expecting.
>
> --
> Peter Bates
> Senior Information Security Officer   Phone: +44(0)2076792049
> Information Services Division         Internal Ext: 32049
> University College London
> London WC1E 6BT
>
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
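The check behind Peter's `file snort.log.*` step, as an added example written for this thread (not code from Snort, barnyard2 or any poster): read the first 8 bytes of a spool file and decide whether it is a pcap (what `snort -A fast` left behind) or a unified2 spool (what barnyard2 and u2spewfoo expect). It also shows where the odd number in the original error comes from: u2spewfoo reads the first 8 bytes as a unified2 record header (two big-endian uint32s, type and length), so the pcap's little-endian version fields `02 00 04 00` (version 2.4) become a record length of 0x02000400 = 33555456, and a 14484-byte pcap yields exactly "Read 14476 of 33555456 bytes". The pcap magic values and the unified2 record types (UNIFIED2_IDS_EVENT = 7 and friends, from Snort's Unified2_common.h) are the public formats; the two sample files are constructed in memory, and the event's sig id / gen id / revision were chosen to mirror the u2spewfoo output above.

```python
"""Tell a pcap from a unified2 spool by its first bytes, and show what a
unified2 reader (u2spewfoo/barnyard2) sees when handed the wrong one.

Added example for this thread; not Snort or barnyard2 code. Sample files
below are constructed in memory, not captured.
"""
import struct

# libpcap / pcapng magic numbers as they appear on disk (first 4 bytes).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap, little-endian, microsecond timestamps",
    b"\xa1\xb2\xc3\xd4": "pcap, big-endian, microsecond timestamps",
    b"\x4d\x3c\xb2\xa1": "pcap, little-endian, nanosecond timestamps",
    b"\xa1\xb2\x3c\x4d": "pcap, big-endian, nanosecond timestamps",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}

# unified2 record types (Serial_Unified2_Header.type, network byte order).
UNIFIED2_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}

# Serial_Unified2_Header: uint32 type, uint32 length, both big-endian.
U2_HDR = struct.Struct(">II")
# Unified2IDSEvent_legacy, the 52-byte body behind type 7:
# sensor_id event_id event_second event_usec sig_id gen_id sig_rev class_id
# priority ip_src ip_dst | sport_itype dport_icode | proto impact_flag impact blocked
U2_IDS_EVENT = struct.Struct(">11I2H4B")
assert U2_IDS_EVENT.size == 52


def identify(data: bytes) -> dict:
    """Classify the start of a Snort log file: 'pcap', 'unified2' or 'unknown'.

    For a pcap, also report what a unified2 reader mis-parses the first
    8 bytes as; that bogus length is the 'Failed to read all of record data'.
    """
    if len(data) < U2_HDR.size:
        return {"kind": "unknown", "reason": "shorter than 8 bytes"}
    magic = data[:4]
    if magic in PCAP_MAGICS:
        bogus_type, bogus_len = U2_HDR.unpack_from(data)
        return {"kind": "pcap", "detail": PCAP_MAGICS[magic],
                "misread_type": bogus_type, "misread_length": bogus_len}
    rtype, rlen = U2_HDR.unpack_from(data)
    if rtype in UNIFIED2_TYPES:
        info = {"kind": "unified2", "type": rtype,
                "type_name": UNIFIED2_TYPES[rtype], "length": rlen}
        if rtype == 7 and len(data) >= U2_HDR.size + U2_IDS_EVENT.size:
            f = U2_IDS_EVENT.unpack_from(data, U2_HDR.size)
            info.update(sig_id=f[4], gen_id=f[5], revision=f[6], classification=f[7])
        return info
    return {"kind": "unknown", "reason": f"no pcap magic, unknown record type {rtype}"}


def explain_short_read(data: bytes, file_size: int) -> str:
    """Reproduce u2spewfoo's complaint for a pcap fed in as unified2.

    It reads an 8-byte header, then tries to read `length` bytes; only
    file_size - 8 remain, hence the short read.
    """
    info = identify(data)
    if info["kind"] != "pcap":
        return "not a pcap; a unified2 reader would parse this normally"
    avail = file_size - U2_HDR.size
    return (f"get_record: Failed to read all of record data. "
            f"Read {avail} of {info['misread_length']} bytes")


# --- constructed sample files -----------------------------------------------
# What `snort -A fast` wrote: pcap global header, v2.4, snaplen 1514,
# linktype 1 (Ethernet), matching file(1)'s "tcpdump capture file ... version 2.4".
PCAP_FILE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)

# What `snort -c snort.conf` with unified2 output wrote: one IDS event whose
# sig/gen/rev mirror the u2spewfoo output in the thread (other fields made up).
_event = U2_IDS_EVENT.pack(
    1, 1, 1349770017, 0,      # sensor_id, event_id, event_second, event_usec
    10000001, 1, 0, 0, 3,     # sig_id, gen_id, revision, classification, priority
    0x0A000001, 0x0A000002,   # ip_src 10.0.0.1, ip_dst 10.0.0.2
    40000, 80, 6, 0, 0, 0)    # sport, dport, proto=TCP, impact_flag, impact, blocked
UNIFIED2_FILE = U2_HDR.pack(7, len(_event)) + _event

if __name__ == "__main__":
    print(identify(PCAP_FILE))
    print(explain_short_read(PCAP_FILE, 14484))
    print(identify(UNIFIED2_FILE))
```

To run it against a real spool, replace the constructed constants with `open(path, "rb").read(64)`; anything that comes back as `pcap` was produced by Snort's packet logger, not its unified2 output plugin, and no barnyard2 setting will fix that end of the pipeline.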
