[Snort-users] FW: AW: Libovar Man info.

Rameez Qureshi rameez_q at ...16117...
Thu Apr 10 11:37:33 EDT 2014


I'm not quite sure what you mean in relation to touching them.
Would I be changing the following, for example,

Whitelist $WHITE_LIST/white_list.rules
to the following?
> touch /path/to/directory/black_list.rules

I don't seem to have any white or black list rules?

Thanks
Rameez 

Sent from my iPhone

On 10 Apr 2014, at 04:32 PM, "Y M" <snort at ...15979...> wrote:

> I was about to reply, but you figured it out.
> 
> For the list files, you will need to "touch" them in the respective directory as configured in your snort.conf file
> 
> touch /path/to/directory/black_list.rules
> 
> YM
> 
> Sent from Mobile
> From: Rameez Qureshi
> Sent: 4/10/2014 6:27 PM
> To: Y M
> Cc: Snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] FW: AW: Libovar Man info.
> 
> Hello
> 
> Please ignore my last email. I have now made a directory for the dynamic rules and copied all the required files into that directory.
> 
> I now have a new error, error 507: unable to open address file, which is the white_list.rules, and I suspect the black_list.rules file will throw up the same error.
> 
> 
> 
> Sent from my iPhone
> 
> On 10 Apr 2014, at 04:25 PM, "Rameez Qureshi" <rameez_q at ...16117...> wrote:
> 
>> Hello
>> 
>> I've started my snort.conf from scratch and have an error 249: snort couldn't start dynamic module path dynamic rules.
>> I've taken the rules out and # them, and that still produces the error. Where may I find this file? I have downloaded snort and the ruleset again and can't find the dynamic rules.
>> 
>> Thanks
>> Rameez 
>> 
>> Sent from my iPhone
>> 
>> On 10 Apr 2014, at 05:20 AM, "Y M" <snort at ...15979...> wrote:
>> 
>>> line 540 from your snort.conf file says:
>>>  
>>> include $RULE_PATH/usr/src/rulesfile-identify.rules
>>>  
>>> It is missing the "/" after "rules", compared to the other include statements. Another note: since your RULE_PATH variable is defined at the beginning of your snort.conf file, you simply append the rule name to that variable, for example:
>>>  
>>> RULE_PATH /path/to/rules/
>>>  
>>> then your include statement would look something like:
>>>  
>>> include $RULE_PATH/local.rules
>>>  
>>> From: rameez_q at ...16117...
>>> To: wkitty42 at ...14940...
>>> Date: Thu, 10 Apr 2014 01:59:04 +0100
>>> CC: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] FW: AW: Libovar Man info.
>>> 
>>> the error I get is as follows:
>>> 
>>> root at ...11994...:/usr/src# snort -dev -l ./log -h 192.168.0.10/24 -c snort.conf
>>> Running in IDS mode
>>> 
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "snort.conf"
>>> PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>>> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
>>> PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
>>> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
>>> ERROR: snort.conf(540) Undefined variable name: RULE_PATH.
>>> Fatal Error, Quitting..
>>> 
>>> When I add a # before the rule path on line 540 of the snort.conf, it does not throw up any error, but it reads 0 rules when initializing, as follows: 
>>> 
>>> root at ...11994...:/usr/src# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
>>> Running in IDS mode
>>> 
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "snort.conf"
>>> PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>>> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
>>> PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
>>> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
>>> Tagged Packet Limit: 256
>>> Log directory = ./log
>>> 
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>> Initializing rule chains...
>>> 0 Snort rules read
>>>     0 detection rules
>>>     0 decoder rules
>>>     0 preprocessor rules
>>> 0 Option Chains linked into 0 Chain Headers
>>> 0 Dynamic rules
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>> 
>>> +-------------------[Rule Port Counts]---------------------------------------
>>> |             tcp     udp    icmp      ip
>>> |     src       0       0       0       0
>>> |     dst       0       0       0       0
>>> |     any       0       0       0       0
>>> |      nc       0       0       0       0
>>> |     s+d       0       0       0       0
>>> +----------------------------------------------------------------------------
>>> 
>>> +-----------------------[detection-filter-config]------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[detection-filter-rules]-------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>> 
>>> +-----------------------[rate-filter-config]-----------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[rate-filter-rules]------------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>> 
>>> +-----------------------[event-filter-config]----------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[event-filter-global]----------------------------------
>>> +-----------------------[event-filter-local]-----------------------------------
>>> | none
>>> +-----------------------[suppression]------------------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
>>> Verifying Preprocessor Configurations!
>>> pcap DAQ configured to passive.
>>> Acquiring network traffic from "eth0".
>>> Reload thread starting...
>>> Reload thread started, thread 0xb6cb8b70 (4388)
>>> Decoding Ethernet
>>> 
>>>         --== Initialization Complete ==--
>>> 
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.9.6.0 GRE (Build 47) 
>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>>            Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>            Using libpcap version 1.2.1
>>>            Using PCRE version: 8.30 2012-02-04
>>>            Using ZLIB version: 1.2.7
>>> 
>>> Commencing packet processing (pid=4383)
>>> 
>>> 
>>> I have attached my snort.conf 
>>> Thanks
>>> Rameez
>>>  
>>> 
>>> > Date: Wed, 9 Apr 2014 20:42:35 -0400
>>> > From: wkitty42 at ...14940...
>>> > To: snort-users at lists.sourceforge.net
>>> > Subject: Re: [Snort-users] FW: AW: Libovar Man info.
>>> > 
>>> > On 4/9/2014 6:19 PM, Rameez Qureshi wrote:
>>> > > For my snort.conf file, when taking the # out of the rule paths for rules and
>>> > > for including individual rules, it throws up an error, and this led me to taking
>>> > > out the # where snort seemed to fire correctly but did not load any rules.
>>> > 
>>> > what error???
>>> > 
>>> > > So I'm still stuck on how to load rules without getting any errors.
>>> > > I have attached my snort.conf
>>> > >
>>> > > Thanks
>>> > > Rameez
>>> > >
>>> > > > Date: Wed, 9 Apr 2014 14:16:35 -0400
>>> > > > From: wkitty42 at ...14940...
>>> > > > To: snort-users at lists.sourceforge.net
>>> > > > Subject: Re: [Snort-users] FW: AW: Libovar Man info.
>>> > > >
>>> > > > On 4/9/2014 1:35 PM, Rameez Qureshi wrote:
>>> > > > > Hello
>>> > > > >
>>> > > > > There is only one config file. Am I correct in saying that the # comments
>>> > > > > the files out and therefore I should take these out for parts 7, 8 & 9?
>>> > > >
>>> > > > YES! '#' are comment indicators... lines starting with them are commented out...
>>> > > >
>>> > > > I was wondering why you had so many lines starting with '#' characters... in
>>> > > > effect you barely have a working config with it in its current state...
>>> > 
>>> > 
>>> > 
>>> > -- 
>>> > NOTE: No off-list assistance is given without prior approval.
>>> > Please keep mailing list traffic on the list unless
>>> > private contact is specifically requested and granted.
>>> > 
>>> > ------------------------------------------------------------------------------
>>> > Put Bad Developers to Shame
>>> > Dominate Development with Jenkins Continuous Integration
>>> > Continuously Automate Build, Test & Deployment 
>>> > Start a new project now. Try Jenkins in the cloud.
>>> > http://p.sf.net/sfu/13600_Cloudbees
>>> > _______________________________________________
>>> > Snort-users mailing list
>>> > Snort-users at lists.sourceforge.net
>>> > Go to this URL to change user options or unsubscribe:
>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > Snort-users list archive:
>>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>> > 
>>> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>> 
>>> 
>>> 
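Note added to the archived thread (not code from any of the participants or from the Snort project): the three errors that appear above are all path problems in snort.conf, and they can be caught together before Snort is started. The POSIX shell script below reads the "var NAME VALUE" definitions from a snort.conf, expands the $NAME references in every include, whitelist, blacklist and dynamic* directive, reports paths that do not exist, flags references to a variable that was never defined (the "Undefined variable name" case), and creates the empty reputation list files that the "touch" advice refers to. The snort.conf it runs against is constructed inline in a throwaway directory; the variable names and directory layout are assumptions modelled on the stock Snort 2.9 configuration, and the script does not cover every directive Snort can take a path from.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): pre-flight the
# file paths a Snort 2.9 snort.conf references so that an undefined $VAR, a
# missing dynamic module directory and a missing reputation list file are all
# reported before Snort is started. Directory names are assumptions.

# snort_expand VARFILE PATH
# Replace every $NAME in PATH using the "NAME VALUE" lines in VARFILE.
snort_expand() {
    _p=$2
    while IFS=' ' read -r _n _v; do
        [ -n "$_n" ] || continue
        _ref="\$$_n"                       # literal "$NAME" as written in snort.conf
        while :; do
            case $_p in
                *"$_ref"*) _p=${_p%%"$_ref"*}$_v${_p#*"$_ref"} ;;
                *) break ;;
            esac
        done
    done < "$1"
    printf '%s\n' "$_p"
}

# snort_check_conf CONF
# Prints "OK|MISSING|UNDEFINED <keyword> <path>" for every referenced file and
# returns the number of problems found (0 means these checks would pass).
snort_check_conf() {
    _conf=$1; _dir=$(dirname "$_conf"); _missing=0
    _vf=$(mktemp); _pf=$(mktemp)
    # "var NAME VALUE" definitions (ipvar/portvar hold addresses and ports, not paths)
    sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1 \2/p' \
        "$_conf" > "$_vf"
    # path-bearing directives; a line commented out with "#" never matches, which
    # is why a snort.conf full of "#include" lines starts fine but loads 0 rules
    sed -n \
        -e 's/^[[:space:]]*\(include\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1 \2/p' \
        -e 's/^[[:space:]]*\(whitelist\)[[:space:]]\{1,\}\([^[:space:],]\{1,\}\).*/\1 \2/p' \
        -e 's/^[[:space:]]*\(blacklist\)[[:space:]]\{1,\}\([^[:space:],]\{1,\}\).*/\1 \2/p' \
        -e 's/^[[:space:]]*\(dynamic[a-z]*\).*[[:space:]]\([^[:space:]]\{1,\}\)[[:space:]]*$/\1 \2/p' \
        "$_conf" > "$_pf"
    while read -r _kw _raw; do
        _path=$(snort_expand "$_vf" "$_raw")
        case $_path in
            *'$'*)   # a $VAR survived expansion: Snort would report "Undefined variable name"
                echo "UNDEFINED $_kw $_path"; _missing=$((_missing + 1)); continue ;;
            /*) ;;
            *)       # relative path: Snort 2.9 tries the working directory, then the snort.conf directory
                [ -e "$_path" ] || _path=$_dir/$_path ;;
        esac
        if [ -e "$_path" ]; then
            echo "OK $_kw $_path"
        else
            echo "MISSING $_kw $_path"; _missing=$((_missing + 1))
        fi
    done < "$_pf"
    rm -f "$_vf" "$_pf"
    return $_missing
}

# snort_touch_lists CONF
# Create the whitelist/blacklist files the reputation preprocessor points at
# when they do not exist: an empty list file is valid, a missing one is fatal
# ("unable to open address file"). Rule includes are deliberately left alone,
# since an empty .rules file would silently hide a wrong include path.
snort_touch_lists() {
    snort_check_conf "$1" | while read -r _st _kw _path; do
        [ "$_st" = MISSING ] || continue
        case $_kw in
            whitelist|blacklist)
                mkdir -p "$(dirname "$_path")" && : > "$_path" && echo "created $_path" ;;
        esac
    done
}

# --- demo on a constructed snort.conf in a throwaway directory ---
demo=$(mktemp -d)
mkdir -p "$demo/rules" "$demo/lib/snort_dynamicrules"
: > "$demo/rules/local.rules"
cat > "$demo/snort.conf" <<EOF
# constructed sample; the layout follows the stock Snort 2.9 snort.conf
var RULE_PATH $demo/rules
var WHITE_LIST_PATH $demo/rules
var BLACK_LIST_PATH $demo/rules
dynamicdetection directory $demo/lib/snort_dynamicrules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   whitelist \$WHITE_LIST_PATH/white_list.rules, \\
   blacklist \$BLACK_LIST_PATH/black_list.rules
include \$RULE_PATH/local.rules
include \$PREPROC_RULE_PATH/preprocessor.rules
EOF
snort_check_conf "$demo/snort.conf" || echo "-> $? problem(s); creating the list files"
snort_touch_lists "$demo/snort.conf"
snort_check_conf "$demo/snort.conf" || echo "-> $? problem(s) left to fix in the config"
```

Run it from the directory you start Snort from, since relative paths are resolved against the working directory first, and pass it the same snort.conf you give to snort -c. The exit status of snort_check_conf is the number of problems, so it can sit in front of the snort command in a start script and refuse to launch a sensor that would only fail at initialization.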