[Snort-users] Snort-users Digest, Vol 85, Issue 25

soukaina mzerda soukaina.mz at ...11827...
Fri Jun 7 10:18:02 EDT 2013


here's my debug :

(gdb) set args -v
(gdb) r
Starting program: /usr/local/snort-2.9.4.6/src/snort -v

Program received signal SIGSEGV, Segmentation fault.
0x00000002 in ?? ()
(gdb) bt
#0  0x00000002 in ?? ()
(gdb)




On Fri, Jun 7, 2013 at 11:25 AM, <snort-users-request at lists.sourceforge.net> wrote:

> Send Snort-users mailing list submissions to
>         snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-users-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. Re: Snort with IPtables (Steven McLaughlin)
>    2. Re: Snort with IPtables (Jeremy Hoel)
>    3. Re: Snort with IPtables (waldo kitty)
>    4. Re: Snort-users Digest, Vol 85, Issue 24 (soukaina mzerda)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 7 Jun 2013 14:13:58 +1000
> From: Steven McLaughlin <steve at ...16368...>
> Subject: Re: [Snort-users] Snort with IPtables
> To: Jeremy Hoel <jthoel at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <CAC06-HX2GmkRTJvTCmWL_0pLj9P7UTX=
> NKEob8GsULPtrboF-g at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> That sort of makes sense since it is only listening in promisc mode, but
> not actually allowing traffic in destined for its interface. I guess
> IPtables works at L3 and without an IP it doesn't really matter if IPtables
> is on or off then. Would this be a true statement? (I am only running as a
> sniffer and not switching inline)
>
> I'm interested to hear more feedback on this.
>
>
> >
>
>
>
> --
> Best Regards,
> Steven McLaughlin
> steve at ...16368...
> 0459 351 266
>
> ------------------------------
>
> Message: 2
> Date: Thu, 6 Jun 2013 22:32:21 -0600
> From: Jeremy Hoel <jthoel at ...11827...>
> Subject: Re: [Snort-users] Snort with IPtables
> To: Steven McLaughlin <steve at ...16390...>
> Cc: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <
> CAH_p-VPs5prKh5OkkER9J_dYtAD94hDZELZFtFADbPs+h2ZdBQ at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> well I can tell you it works for me.  I imagine that yes, iptables
> would require an IP to be effective on that interface.  So yes, I
> would say that iptables only works on L3 and not L2.
>
> When I get to work I can paste a quick copy of the iptables we use so
> you can see an example.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 07 Jun 2013 04:07:54 -0400
> From: waldo kitty <wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort with IPtables
> To: snort-users at lists.sourceforge.net
> Message-ID: <51B194DA.80704 at ...14940...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 6/7/2013 00:08, Jeremy Hoel wrote:
> > we run iptables on all our sensors, but we don't give the sniffing
> > port an ip and have no iptables entries for it.
> >
> > It works like a champ.
>
> i can confirm that there's no conflict... our devices also use iptables and
> snort listens "outside" of them... it sees the traffic before iptables gets a
> chance to twiddle with it...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 7 Jun 2013 11:25:17 +0200
> From: soukaina mzerda <soukaina.mz at ...11827...>
> Subject: Re: [Snort-users] Snort-users Digest, Vol 85, Issue 24
> To: snort-users at lists.sourceforge.net
> Message-ID:
>         <CABCqq+7wmsYwtPm7aQg-Y=ieyWSo5iPaaPMmy3n3Sd2G1=
> 6Gvw at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Yes, I rebuilt with --enable-debug and I got the same error:
> segmentation fault.
> NB: first I had configured snort 2.9.1 and snort rules 2940 without
> libdnet and daq, and at least I was able to run snort -v successfully,
> but once I changed the version of snort and snort rules and installed daq and
> libdnet I started getting the error in question.
>
>
> On Fri, Jun 7, 2013 at 6:08 AM, <snort-users-request at lists.sourceforge.net> wrote:
>
> > Today's Topics:
> >
> >    1. Re: troubleshooting snort (waldo kitty)
> >    2. Snort.org Blog: Snort FAQ is open for community   involvement!
> >       (Joel Esler)
> >    3. segmentation fault (soukaina mzerda)
> >    4. Re: segmentation fault (Russ Combs)
> >    5. Snort with IPtables (Steven McLaughlin)
> >    6. Re: Snort with IPtables (Jeremy Hoel)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 06 Jun 2013 14:08:15 -0400
> > From: waldo kitty <wkitty42 at ...14940...>
> > Subject: Re: [Snort-users] troubleshooting snort
> > To: snort-users at lists.sourceforge.net
> > Message-ID: <51B0D00F.9070505 at ...14940...>
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> >
> > On 6/6/2013 08:34, soukaina mzerda wrote:
> > > Hi,
> > > I configured snort-2.9.4.6 with snortrule 2941, libdnet-1.12 and daq and all
> > > the packages needed but I just can't run snort.
> > > I did snort -v and I get segmentation fault, at least plz tell me what does
> > > it come from plz
> >
> > you are not using the SO rules from that 2.9.4.1 rules package, are you??
> >
> > --
> > NOTE: No off-list assistance is given without prior approval.
> >        Please keep mailing list traffic on the list unless
> >        private contact is specifically requested and granted.
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 6 Jun 2013 15:59:58 -0400
> > From: Joel Esler <jesler at ...1935...>
> > Subject: [Snort-users] Snort.org Blog: Snort FAQ is open for community
> >         involvement!
> > To: "snort-users at lists.sourceforge.net mailinglist"
> >         <snort-users at lists.sourceforge.net>,
> >         "snort-sigs at lists.sourceforge.net list"
> >         <snort-sigs at lists.sourceforge.net>,     Snort Developpers
> support
> >         <snort-devel at lists.sourceforge.net>
> > Message-ID: <45C4F2F5-95EE-4DF8-952C-53A269F847BF at ...1935...>
> > Content-Type: text/plain; charset=us-ascii
> >
> >
> > http://blog.snort.org/2013/06/snort-faq-is-open-for-community.html
> >
> > Snort FAQ is open for community involvement!
> >
> > Following the success of our ClamAV FAQ being placed on Github, we
> decided
> > to do the same thing to the Snort FAQ in hopes that it will make the
> > content available to community users to submit content to and make it
> > easily manageable.
> >
> > So, now available:
> > https://github.com/vrtadmin/snort-faq/blob/master/README.md
> >
> > The reason we put it on Github is it makes it simple to edit (in Markdown
> > format), it's easy to audit, it's easy to clone and import, etc.  When we
> > did this with the ClamAV FAQ, we found it made the content super easy to
> > keep up to date, allows for several users to work on it and allows for
> > community involvement.
> >
> > So this is what we are hoping you will do.  I took the old FAQ that was
> on
> > http://www.snort.org, made it into Markdown and moved it to Github.
> >
> > Now we can add things like "Having a problem capturing TCP traffic?  Have
> > you tried "-k none" in your testing?"
> >
> > So, have at it.  We'll review all content and approve it as it comes in
> > through your pull requests.
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 6 Jun 2013 23:46:18 +0200
> > From: soukaina mzerda <soukaina.mz at ...11827...>
> > Subject: [Snort-users] segmentation fault
> > To: snort-users at lists.sourceforge.net
> > Message-ID:
> >         <CABCqq+4E0SM+Jboiqm3BOiak9Wqvye3wujmvOuSyJ=
> > j1CG7RAw at ...11828...>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > I reconfigured snort-2946, snort rules-2946, libdnet-1.12 and daq-2.0.0
> > very successfully.
> > I run snort -v and I get a horrible error:
> > segmentation fault
> > knowing that my ldd does not show any missing file, so any idea about where
> > does this come from? plllllllllllllllllllllllllllllllllllllllllllllllllz I
> > need your help :/
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 6 Jun 2013 18:09:51 -0400
> > From: Russ Combs <rcombs at ...1935...>
> > Subject: Re: [Snort-users] segmentation fault
> > To: soukaina mzerda <soukaina.mz at ...11827...>
> > Cc: snort-users at lists.sourceforge.net
> > Message-ID:
> >         <
> > CAN8FaB_cWd4pUMirXZhF-Zi9+NENVQmy7ArKN3HGp5sEKWcAUw at ...11828...>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> >
> > What does snort -V give you?
> >
> > Can you rebuild with --enable-debug and send a back trace?  We will also
> > need, at least, `head config.log`.
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Fri, 7 Jun 2013 14:03:07 +1000
> > From: Steven McLaughlin <steve at ...16368...>
> > Subject: [Snort-users] Snort with IPtables
> > To: "snort-users at lists.sourceforge.net"
> >         <snort-users at lists.sourceforge.net>
> > Message-ID:
> >         <CAC06-HV2tn_hgFgJzh+oyEg8=_
> > sL+WFmAABSBoCQuOiUSTecFg at ...11828...>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hi All,
> >
> > What's the take on running a snort sensor with IPtables running. In first
> > instance I would think this interferes with sensor detection capability.
> >
> > Is anyone running IPtables on the same host as their Snort sensor? If so,
> > what is the best way to nail this? The reason I ask is that I have two
> > interfaces. One is the management interface which will have an IP
> address.
> > This interface will deny all incoming traffic except for tcp/22 and
> tcp/443
> > inbound connections.
> >
> > The other interface is the snort sensor on eth1. The sensor is listening
> > only. So is a rule allowing all incoming like so sufficient for Snort
> > sniffing:
> >
> > -A INPUT -i eth1 -j ACCEPT
> >
> > Or should I also allow all outbound as follows:
> >
> > -A INPUT -i eth1 -j ACCEPT
> > -A OUTPUT -i eth1 -j ACCEPT
> >
> > Alternatively, is there a best practice IPtables configuration for snort
> > sensors?
> >
> > thanks,
> >
> > Steve
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Thu, 6 Jun 2013 22:08:16 -0600
> > From: Jeremy Hoel <jthoel at ...11827...>
> > Subject: Re: [Snort-users] Snort with IPtables
> > To: Steven McLaughlin <steve at ...16390...>
> > Cc: "snort-users at lists.sourceforge.net"
> >         <snort-users at lists.sourceforge.net>
> > Message-ID:
> >         <CAH_p-VNt2BgmPhARNYP8_fP0mJ3ckq5-tOW=
> > wfukbRRx_dibeg at ...11828...>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > we run iptables on all our sensors, but we don't give the sniffing
> > port an ip and have no iptables entries for it.
> >
> > It works like a champ.
> >
> >
> >
> >
> > ------------------------------
> >
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> >
> > End of Snort-users Digest, Vol 85, Issue 24
> > *******************************************
> >
>
> ------------------------------
>
>
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 85, Issue 25
> *******************************************
>
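The backtrace at the top of this message (`#0  0x00000002 in ?? ()` and nothing underneath) is the least informative kind a crash can produce: the program counter is 2, so the fault did not happen inside any function; execution went through a bogus function pointer or a corrupted return address, and gdb cannot unwind from there. The script below is an added example, not part of the thread or of Snort: it gathers what Russ asked for (snort -V, ldd, head config.log, a backtrace from a --enable-debug build) in one non-interactive run and classifies the backtrace it gets. The three sample backtraces are constructed (the function and file names in the third one are hypothetical), the config.log location assumes the in-tree build shown in the thread (src/snort with config.log one directory up), and `snort -v` as the crashing command line is taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: collect the crash data the list asked
# for and triage a gdb backtrace.  Sample backtraces below are constructed.

# Constructed sample 1: the shape of the backtrace posted at the top of this
# message.  The PC is a tiny number and gdb shows a single unnamed frame.
SAMPLE_BT_PC_INVALID='Program received signal SIGSEGV, Segmentation fault.
0x00000002 in ?? ()
#0  0x00000002 in ?? ()'

# Constructed sample 2: a real code address, but no symbols (build lacked -g).
SAMPLE_BT_NOSYMS='Program received signal SIGSEGV, Segmentation fault.
0xb7f1a2c3 in ?? () from /usr/local/lib/libdaq.so.2
#0  0xb7f1a2c3 in ?? () from /usr/local/lib/libdaq.so.2
#1  0x0805a0d1 in ?? ()'

# Constructed sample 3: what a --enable-debug build should give (hypothetical
# function and file names).
SAMPLE_BT_SYMBOLIC='Program received signal SIGSEGV, Segmentation fault.
0x0805a0d1 in parse_args (argc=2, argv=0xbffff4a4) at example.c:42
#0  0x0805a0d1 in parse_args (argc=2, argv=0xbffff4a4) at example.c:42
#1  0x08059c3e in main (argc=2, argv=0xbffff4a4) at example.c:10'

# Classify gdb output passed as $1.  Prints one word:
#   pc-invalid  frame #0 has no symbol and sits below 0x1000: execution went
#               through a garbage function pointer or a corrupted return
#               address, so "bt" cannot unwind and the real crash site is lost.
#               Typical causes are a binary built against one set of headers
#               (e.g. an older libdaq/libdnet) and run against another, or
#               stack corruption; rebuild everything from matching sources.
#   no-symbols  frames exist but carry no names: rebuild with --enable-debug.
#   symbolic    usable as-is; post it to the list.
#   no-crash    no SIGSEGV in the output.
triage_backtrace() {
    printf '%s\n' "$1" | awk '
        /signal SIGSEGV/ { crashed = 1 }
        /^#0 / {
            addr = $2
            sub(/^0x0*/, "", addr)            # magnitude without 0x/zero padding
            unnamed = index($0, "?? ()") > 0
            if (unnamed && length(addr) <= 3) { verdict = "pc-invalid"; exit }
            if (unnamed)                       { verdict = "no-symbols"; exit }
            verdict = "symbolic"; exit
        }
        END {
            if (!crashed) verdict = "no-crash"
            print verdict
        }'
}

# Gather snort -V, ldd, head config.log, the loaded shared libraries and a
# backtrace in one go.  $1 = snort binary built with ./configure --enable-debug.
# Assumes the in-tree layout from the thread (src/snort, config.log one level
# up); "-v" is the command line that crashed for the poster.
collect_crash_report() {
    bin="$1"; out="snort-crash-report.txt"
    {
        echo "== snort -V ==";        "$bin" -V 2>&1
        echo "== ldd ==";             ldd "$bin" 2>&1
        echo "== head config.log =="; head "$(dirname "$bin")/../config.log" 2>&1
        echo "== gdb =="
        # -batch: run to the crash, then print the backtrace and which
        # libdaq/libdnet were actually mapped (a version mismatch shows here).
        gdb -q -batch -ex run -ex bt -ex 'info sharedlibrary' --args "$bin" -v 2>&1
    } > "$out"
    echo "report written to $out"
    triage_backtrace "$(sed -n '/^== gdb ==$/,$p' "$out")"
}

# Usage: sh crash-report.sh /usr/local/snort-2.9.4.6/src/snort
if [ $# -gt 0 ]; then
    collect_crash_report "$1"
fi
```

Run it against the debug build and attach snort-crash-report.txt to the reply; the `info sharedlibrary` section matters as much as the backtrace here, because the poster switched Snort, DAQ and libdnet versions between the working and the crashing setup, and that section shows which copies of those libraries the crashing binary actually loaded.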
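On the iptables question in the digest: netfilter's INPUT and OUTPUT hooks sit inside the IP stack, while a libpcap sniffer receives incoming frames through an AF_PACKET socket before those hooks run, which is why the list members see no conflict between the two. The ruleset below is an added example for the two-interface layout Steve describes, not a configuration from the thread or from the Snort project. eth0 as the management interface and eth1 as the tap are assumed names taken from the thread; the checker flags the `-A OUTPUT -i eth1` line proposed there because iptables rejects `-i` in the OUTPUT chain (that chain matches on `-o`), and it also flags a blanket ACCEPT on the tap.

```shell
#!/bin/sh
# Added example, not a configuration from the thread or from Snort: iptables
# for a two-interface sensor.  eth0 (management) and eth1 (sniffing) are taken
# from the thread as assumed names.

# Print a complete iptables-restore ruleset.  $1 = management interface,
# $2 = sniffing interface.  Only tcp/22 and tcp/443 may open new connections
# to the management side; everything else inbound is dropped.
sensor_ruleset() {
    mgmt="$1"; sniff="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $mgmt -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $mgmt -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# $sniff carries no address.  Snort reads it through libpcap (AF_PACKET),
# which receives incoming frames before netfilter's INPUT hook runs, so no
# ACCEPT rule is needed for sniffing.  Anything that does reach INPUT via
# $sniff (broadcasts, a stray address) is not for this host: drop it.
-A INPUT -i $sniff -j DROP
COMMIT
EOF
}

# Constructed sample: the two rules proposed in the thread.
PROPOSED_RULES='-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -i eth1 -j ACCEPT'

# Sanity-check a ruleset read from stdin for the sniffing interface $1.
# Returns 1 (and prints why) if a rule uses -i in the OUTPUT chain, which
# iptables rejects (OUTPUT has no input interface; it takes -o), or if the
# sniffing interface gets a blanket ACCEPT, which would expose every service
# on the host should the tap ever be given an address.
check_ruleset() {
    sniff="$1"; status=0
    while IFS= read -r line; do
        case "$line" in
            "-A OUTPUT -i "*)               echo "rejected by iptables: $line"; status=1 ;;
            "-A INPUT -i $sniff -j ACCEPT") echo "too broad for a tap: $line";  status=1 ;;
        esac
    done
    return $status
}

# Bring the tap up with no address.  Without the sysctl the interface still
# gets an IPv6 link-local address and answers at L3, which the thread's
# "no IP on the sniffing port" setup is meant to avoid.
tap_up() {
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1"
    ip addr flush dev "$1"
    ip link set dev "$1" up promisc on
}

# Usage (as root): sh sensor-fw.sh apply eth0 eth1
if [ "${1:-}" = "apply" ]; then
    mgmt="${2:-eth0}"; sniff="${3:-eth1}"
    sensor_ruleset "$mgmt" "$sniff" | check_ruleset "$sniff" || exit 1
    tap_up "$sniff"
    sensor_ruleset "$mgmt" "$sniff" | iptables-restore
fi
```

The design point is that the sniffing interface never needs an ACCEPT rule for Snort to see traffic, so the safest policy for it is the same as for any unused interface: drop whatever reaches the stack. The ruleset covers the sniffer-only case discussed in the thread; an inline (afpacket or NFQ) deployment changes the picture, because in NFQ mode the packets do pass through netfilter.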