[Snort-users] Snort-users Digest, Vol 85, Issue 24

soukaina mzerda soukaina.mz at ...11827...
Fri Jun 7 05:25:17 EDT 2013


Yes, I rebuilt with --enable-debug and I got the same error:
segmentation fault
NB: first I configured snort2.9.1 and snort rules 2940 without
libdnet and daq, but at least I was able to run snort -v successfully,
but once I changed the version of snort and the snort rules and installed daq and
libdnet I started getting the error in question.


On Fri, Jun 7, 2013 at 6:08 AM, <snort-users-request at lists.sourceforge.net> wrote:

> Today's Topics:
>
>    1. Re: troubleshooting snort (waldo kitty)
>    2. Snort.org Blog: Snort FAQ is open for community involvement!
>       (Joel Esler)
>    3. segmentation fault (soukaina mzerda)
>    4. Re: segmentation fault (Russ Combs)
>    5. Snort with IPtables (Steven McLaughlin)
>    6. Re: Snort with IPtables (Jeremy Hoel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 06 Jun 2013 14:08:15 -0400
> From: waldo kitty <wkitty42 at ...14940...>
> Subject: Re: [Snort-users] troubleshooting snort
> To: snort-users at lists.sourceforge.net
> Message-ID: <51B0D00F.9070505 at ...14940...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 6/6/2013 08:34, soukaina mzerda wrote:
> > Hi,
> > I configured snort-2.9.4.6 with snortrule 2941, libdnet-1.12 and daq and all
> > the packages needed but I just can't run snort.
> > I did snort -v and I get segmentation default, at least plz tell me what
> > it is coming from plz
>
> you are not using the SO rules from that 2.9.4.1 rules package, are you??
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 6 Jun 2013 15:59:58 -0400
> From: Joel Esler <jesler at ...1935...>
> Subject: [Snort-users] Snort.org Blog: Snort FAQ is open for community
>         involvement!
> To: "snort-users at lists.sourceforge.net mailinglist"
>         <snort-users at lists.sourceforge.net>,
>         "snort-sigs at lists.sourceforge.net list"
>         <snort-sigs at lists.sourceforge.net>,     Snort Developpers support
>         <snort-devel at lists.sourceforge.net>
> Message-ID: <45C4F2F5-95EE-4DF8-952C-53A269F847BF at ...1935...>
> Content-Type: text/plain; charset=us-ascii
>
>
> http://blog.snort.org/2013/06/snort-faq-is-open-for-community.html
>
> Snort FAQ is open for community involvement!
>
> Following the success of our ClamAV FAQ being placed on Github, we decided
> to do the same thing to the Snort FAQ in hopes that it will make the
> content available to community users to submit content to and make it
> easily manageable.
>
> So, now available:
> https://github.com/vrtadmin/snort-faq/blob/master/README.md
>
> The reason we put it on Github is it makes it simple to edit (in Markdown
> format), it's easy to audit, it's easy to clone and import, etc.  When we
> did this with the ClamAV FAQ, we found it made the content super easy to
> keep up to date, allows for several users to work on it and allows for
> community involvement.
>
> So this is what we are hoping you will do.  I took the old FAQ that was on
> http://www.snort.org, made it into Markdown and moved it to Github.
>
> Now we can add things like "Having a problem capturing TCP traffic?  Have
> you tried "-k none" in your testing?"
>
> So, have at it.  We'll review all content and approve it as it comes in
> through your pull requests.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 6 Jun 2013 23:46:18 +0200
> From: soukaina mzerda <soukaina.mz at ...11827...>
> Subject: [Snort-users] segmentation fault
> To: snort-users at lists.sourceforge.net
> Message-ID:
>         <CABCqq+4E0SM+Jboiqm3BOiak9Wqvye3wujmvOuSyJ=
> j1CG7RAw at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I reconfigured snort-2946, snort rules-2946, libdnet-1.12 and daq-2.0.0
> very successfully.
> I run snort -v and I get a horrible error:
> segmentation fault
> knowing that my ldd does not show any missing file, so any idea about where
> does this come from? plllllllllllllllllllllllllllllllllllllllllllllllllz I
> need your help :/
>
> ------------------------------
>
> Message: 4
> Date: Thu, 6 Jun 2013 18:09:51 -0400
> From: Russ Combs <rcombs at ...1935...>
> Subject: Re: [Snort-users] segmentation fault
> To: soukaina mzerda <soukaina.mz at ...11827...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
>         <
> CAN8FaB_cWd4pUMirXZhF-Zi9+NENVQmy7ArKN3HGp5sEKWcAUw at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Thu, Jun 6, 2013 at 5:46 PM, soukaina mzerda <soukaina.mz at ...11827...> wrote:
>
> > I reconfigured snort-2946, snort rules-2946, libdnet-1.12 and daq-2.0.0
> > very successfully.
> > I run snort -v and I get a horrible error:
> > segmentation fault
> > knowing that my ldd does not show any missing file, so any idea about where
> > does this come from? plllllllllllllllllllllllllllllllllllllllllllllllllz I
> > need your help :/
> >
>
> What does snort -V give you?
>
> Can you rebuild with --enable-debug and send a back trace?  We will also
> need, at least, `head config.log`.
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 7 Jun 2013 14:03:07 +1000
> From: Steven McLaughlin <steve at ...16368...>
> Subject: [Snort-users] Snort with IPtables
> To: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <CAC06-HV2tn_hgFgJzh+oyEg8=_
> sL+WFmAABSBoCQuOiUSTecFg at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi All,
>
> What's the take on running a snort sensor with IPtables running. In first
> instance I would think this interferes with sensor detection capability.
>
> Is anyone running IPtables on the same host as their Snort sensor? If so,
> what is the best way to nail this? The reason I ask is that I have two
> interfaces. One is the management interface which will have an IP address.
> This interface will deny all incoming traffic except for tcp/22 and tcp/443
> inbound connections.
>
> The other interface is the snort sensor on eth1. The sensor is listening
> only. So is a rule allowing all incoming like so sufficient for Snort
> sniffing:
>
> -A INPUT -i eth1 -j ACCEPT
>
> Or should I also allow all outbound as follows:
>
> -A INPUT -i eth1 -j ACCEPT
> -A OUTPUT -o eth1 -j ACCEPT
>
> Alternatively, is there a best practice IPtables configuration for snort
> sensors?
>
> thanks,
>
> Steve
>
> ------------------------------
>
> Message: 6
> Date: Thu, 6 Jun 2013 22:08:16 -0600
> From: Jeremy Hoel <jthoel at ...11827...>
> Subject: Re: [Snort-users] Snort with IPtables
> To: Steven McLaughlin <steve at ...16390...>
> Cc: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <CAH_p-VNt2BgmPhARNYP8_fP0mJ3ckq5-tOW=
> wfukbRRx_dibeg at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> We run iptables on all our sensors, but we don't give the sniffing
> port an IP and have no iptables entries for it.
>
> It works like a champ.
>
> End of Snort-users Digest, Vol 85, Issue 24
> *******************************************
>
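
For the "Snort with IPtables" exchange quoted in the digest above (Messages 5 and 6), an added example that is not part of any poster's message: a shell audit that checks a sensor for the layout described there, with the management interface accepting only tcp/22 and tcp/443 and the sniffing interface having no IP address and no iptables entries. The interface names eth0/eth1 for the two roles, the default-DROP policy, the loopback and conntrack rules, and the sample dumps are assumptions constructed for illustration.

```shell
# Added example, not from the thread. Assumed names: eth0 = management,
# eth1 = sniffing. Inputs are constructed samples of `iptables-save` and
# `ip -o -4 addr show` output, so the audit runs offline.
sample_rules() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}
sample_addrs() { cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
EOF
}
# Succeeds when no rule in dump $1 names interface $2 (-i or -o).
iface_has_no_rules() { ! grep -Eq "(^| )-[io] $2( |\$)" "$1"; }
# Succeeds when interface $2 has no IPv4 address in dump $1.
iface_has_no_ip() {
    ! awk -v ifc="$2" '$2 == ifc && $3 == "inet" { f = 1 } END { exit !f }' "$1"
}
# Prints what INPUT accepts on interface $2: "tcp/22 tcp/443", or "any".
accepted_on() {
    awk -v ifc="$2" '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
        in_if = proto = port = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (in_if == ifc) print (port == "" ? "any" : proto "/" port)
    }' "$1" | sort | paste -s -d ' ' -
}
# audit_sensor RULES ADDRS MGMT_IF SNIFF_IF: prints findings, returns 0 if clean.
audit_sensor() {
    rc=0; open=$(accepted_on "$1" "$3")
    grep -q '^:INPUT DROP ' "$1" || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    [ "$open" = "tcp/22 tcp/443" ] || { echo "FAIL: $3 accepts: $open"; rc=1; }
    iface_has_no_rules "$1" "$4" || { echo "FAIL: rules reference $4"; rc=1; }
    iface_has_no_ip "$2" "$4" || { echo "FAIL: $4 has an IPv4 address"; rc=1; }
    return $rc
}
tmp=$(mktemp -d); sample_rules > "$tmp/rules"; sample_addrs > "$tmp/addrs"
audit_sensor "$tmp/rules" "$tmp/addrs" eth0 eth1 && echo "PASS: layout matches"
rm -rf "$tmp"
```

On a live sensor, feed it the real dumps in place of the sample functions: `iptables-save > rules` and `ip -o -4 addr show > addrs`.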