[Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode

Jutichai Thongkrachai thsecmaniac at ...11827...
Tue Aug 19 00:29:01 EDT 2014


To Waldo kitty

I installed from .tar.gz (source, not binary)



2014-08-19 0:52 GMT+07:00 <snort-users-request at lists.sourceforge.net>:

> Send Snort-users mailing list submissions to
>         snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-users-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
> Today's Topics:
>
>    1. Re: May be wrong error msg (waldo kitty)
>    2. Re: May be wrong error msg (Balasubramaniam Natarajan)
>    3. Got the "ERROR: Cannot decode data link type 239" message
>       when turn on sniffer mode (Jutichai Thongkrachai)
>    4. Tcp session hijacking (Meysam Farazmand)
>    5. Re: Got the "ERROR: Cannot decode data link type 239" message
>       when turn on sniffer mode (waldo kitty)
>    6. Re: Tcp session hijacking (waldo kitty)
>    7. Snort Blog: Snort Subscriber Ruleset: Re-categorization of
>       the Shared Object Rules (Joel Esler (jesler))
>
>
> ---------- Forwarded message ----------
> From: waldo kitty <wkitty42 at ...14940...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Sat, 16 Aug 2014 13:23:59 -0400
> Subject: Re: [Snort-users] May be wrong error msg
> On 8/16/2014 2:54 AM, Balasubramaniam Natarajan wrote:
>
>> Hi
>>
>> While installing snort, I included a particular rule in its conf file.
>> Later, when I ran snort against a pcap, I found that snort's error message
>> was not completely correct (or my understanding of it is wrong) about
>> pointing to the absolute RULE_PATH.  Attached is a screenshot for your
>> reference.
>>
>
> snort automatically adds etc/ to paths when it cannot access the specified
> file... are your permissions correct for the file in question so that snort
> can load it??
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
>
> ---------- Forwarded message ----------
> From: Balasubramaniam Natarajan <bala150985 at ...11827...>
> To: waldo kitty <wkitty42 at ...14940...>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net
> >
> Date: Sat, 16 Aug 2014 23:31:13 +0530
> Subject: Re: [Snort-users] May be wrong error msg
>
>
>
> On Sat, Aug 16, 2014 at 10:53 PM, waldo kitty <wkitty42 at ...14940...>
> wrote:
>
>>
>> snort automatically adds etc/ to paths when it cannot access the specified
>> file... are your permissions correct for the file in question so that
>> snort can
>> load it??
>>
>>
> Well, I figured out that there was no file with that name in the rules
> directory, and I had removed that rule line from the snort.conf file.
> However, why would snort add */sec/snort/etc/* to the path? Without that I
> could have spotted the error more easily.  Does it signify the place from
> where my conf file is getting loaded?  If yes, I would not understand the
> reason for that.
>
> --
> Regards,
> Balasubramaniam Natarajan
> http://blog.etutorshop.com
>
>
> ---------- Forwarded message ----------
> From: Jutichai Thongkrachai <thsecmaniac at ...11827...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Sun, 17 Aug 2014 14:10:49 +0700
> Subject: [Snort-users] Got the "ERROR: Cannot decode data link type 239"
> message when turn on sniffer mode
> Hello
>
> I would like to turn on sniffer mode of Snort 2.9.6 on CentOS 7, but I got
> the error below:
>
> ------------------------------------------------
> ./snort -v
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> pcap DAQ configured to passive.
> Acquiring network traffic from "nflog".
> ERROR: Cannot decode data link type 239
> Fatal Error, Quitting..
> -------------------------------------------------
>
> Please help.
>
>
> ---------- Forwarded message ----------
> From: Meysam Farazmand <farazmand.meisam at ...11827...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Sun, 17 Aug 2014 14:07:51 +0430
> Subject: [Snort-users] Tcp session hijacking
>
> Hi all,
>
> I used "check_session_hijacking" in the stream5 preprocessor for session
> hijacking attack detection and launched a mitm attack. But snort did not
> detect it. I also checked the preprocessor rules for detecting this type of
> attack, and there were some rules in my ruleset.
>
> Does anyone know how to configure snort to detect session hijacking and
> mitm attacks?
>
>
> ---------- Forwarded message ----------
> From: waldo kitty <wkitty42 at ...14940...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Sun, 17 Aug 2014 12:52:55 -0400
> Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type
> 239" message when turn on sniffer mode
> On 8/17/2014 3:10 AM, Jutichai Thongkrachai wrote:
>
>> ------------------------------------------------
>> ./snort -v
>> Running in packet dump mode
>>
>>          --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pcap DAQ configured to passive.
>> Acquiring network traffic from "nflog".
>> ERROR: Cannot decode data link type 239
>> Fatal Error, Quitting..
>> -------------------------------------------------
>>
>
> is this self compiled or a binary you downloaded from somewhere?
>
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
>
> ---------- Forwarded message ----------
> From: waldo kitty <wkitty42 at ...14940...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Sun, 17 Aug 2014 12:55:48 -0400
> Subject: Re: [Snort-users] Tcp session hijacking
> On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
>
>> Hi all,
>>
>> I used "check_session_hijacking" in the stream5 preprocessor for session
>> hijacking attack detection and launched a mitm attack. But snort did not
>> detect it.
>>
>
> session hijacking and mitm are not the same...
>
> session hijacking is where you take over or continue with someone's
> existing or previous session...
>
> mitm is where you are in the middle and have valid sessions with both
> parties and pass their traffic across while doing what you want with it in
> the middle...
>
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
>
> ---------- Forwarded message ----------
> From: "Joel Esler (jesler)" <jesler at ...589...>
> To: snort-sigs <snort-sigs at lists.sourceforge.net>, snort-devel
> mailinglist <snort-devel at lists.sourceforge.net>, snort-users <
> snort-users at lists.sourceforge.net>, "snort-openappid at ...3893...t"
> <snort-openappid at lists.sourceforge.net>
> Cc:
> Date: Mon, 18 Aug 2014 17:52:30 +0000
> Subject: [Snort-users] Snort Blog: Snort Subscriber Ruleset:
> Re-categorization of the Shared Object Rules
>
>  Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules
>
> In 2012, the VRT (now Talos) performed a massive restructuring of the
> plaintext ruleset from the old category structure to a new category
> structure.  Since then we've received overwhelmingly positive feedback
> about them, so we will continue the effort by moving the Shared Object
> Rules into a similar category structure.
>
>
> Read more here:
>
> http://blog.snort.org/2014/08/snort-subscriber-ruleset-re.html
>
>
>  --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
>
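Link-layer type 239 is LINKTYPE_NFLOG. With no -i on the command line, Snort's pcap DAQ takes the first device libpcap enumerates, and on a CentOS 7 box that can be the "nflog" pseudo-device rather than the NIC; Snort 2.9.x has no NFLOG decoder, which is the abort shown above. The following is an added example, not code from the thread or from the Snort project: it parses a classic pcap global header to report the link type before `snort -r`, and picks a plain NIC out of a libpcap-style device list so that sniffer mode is started with an explicit `-i`. The set of link types treated as decodable, the pseudo-device prefixes, the device list and the 24-byte headers are all constructed assumptions for the example.

```python
"""Pre-flight checks for the "Cannot decode data link type 239" failure.

Added example; not code from the thread or from the Snort project.
Link type 239 is LINKTYPE_NFLOG.  With no -i, Snort's pcap DAQ takes the
first device libpcap enumerates, and on CentOS 7 that can be the "nflog"
pseudo-device rather than the NIC; Snort 2.9.x has no NFLOG decoder, so it
aborts.  A capture file saved from nflog fails the same way under -r.
"""
import struct
from typing import Optional, Sequence, Tuple

# LINKTYPE_* numbers from the libpcap registry.
LINKTYPE_NAMES = {
    0: "NULL (BSD loopback)",
    1: "EN10MB (Ethernet)",
    101: "RAW (IP with no link header)",
    113: "LINUX_SLL (Linux cooked, e.g. -i any)",
    239: "NFLOG (netfilter log)",
}

# Link types this check treats as decodable by Snort 2.9.x.  Assumption:
# Ethernet and Linux cooked are the common cases; consult decode.c of your
# build before adding others.
SNORT_DECODABLE = {1, 113}

# Classic pcap magic numbers -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}

# Pseudo-devices libpcap can list ahead of the real NIC on newer Linux
# (assumed list; extend for your platform).
PSEUDO_DEVICE_PREFIXES = ("nflog", "nfqueue", "any", "lo", "usbmon", "bluetooth", "dbus")


def pcap_linktype(data: bytes) -> int:
    """Return the link-layer type from a classic (not pcapng) global header."""
    if len(data) < 24:
        raise ValueError("short pcap global header")
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    fields = struct.unpack(order + "IHHiIII", data[:24])
    # The upper bits of the last field are reserved/FCS information in the
    # current pcap spec; the link type proper is the low 16 bits.
    return fields[6] & 0xFFFF


def check_capture_file(data: bytes) -> Tuple[int, str, bool]:
    """(link type, name, decodable-by-snort) for a capture file's header."""
    lt = pcap_linktype(data)
    return lt, LINKTYPE_NAMES.get(lt, "unknown"), lt in SNORT_DECODABLE


def pick_capture_device(devices: Sequence[str]) -> Optional[str]:
    """First device that is a plain NIC, in libpcap's enumeration order."""
    for dev in devices:
        if not dev.startswith(PSEUDO_DEVICE_PREFIXES):
            return dev
    return None


def snort_sniffer_argv(devices: Sequence[str]) -> list:
    """Sniffer-mode command line that names the NIC instead of letting
    libpcap choose (which is what produced "nflog" in the thread)."""
    dev = pick_capture_device(devices)
    if dev is None:
        raise RuntimeError("no plain NIC found; pass -i explicitly")
    return ["snort", "-v", "-i", dev]


# Constructed inputs (not real captures): 24-byte global headers with no
# packet records, and a device list modelled on a CentOS 7 libpcap.
ETH_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
NFLOG_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 239)
COOKED_NS_HEADER = struct.pack(">IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 262144, 113)
CENTOS7_DEVICES = ["nflog", "nfqueue", "eth0", "any", "lo"]

if __name__ == "__main__":
    for name, hdr in (("eth.pcap", ETH_HEADER), ("nflog.pcap", NFLOG_HEADER)):
        lt, lt_name, ok = check_capture_file(hdr)
        print(f"{name}: link type {lt} {lt_name}: {'ok' if ok else 'snort will abort'}")
    print(" ".join(snort_sniffer_argv(CENTOS7_DEVICES)))
```

Run it and the nflog header is reported as type 239 and flagged, while the device list yields `snort -v -i eth0`; that explicit `-i` is the practical fix on a host where libpcap lists nflog first. The check is deliberately conservative about which link types it calls decodable; if your build handles more, add them to `SNORT_DECODABLE`.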

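On the session-hijacking question above: stream5's `check_session_hijacking` is documented as recording the Ethernet source address of each side from the session's first packets and alerting when a later packet from that side arrives with a different one. The following is an added example, not code from the thread or from Snort's stream5 implementation, that models exactly that check over two constructed traffic patterns: an injected segment after a clean handshake, which the check catches, and an ARP-spoofed MITM that was already in place before the handshake, which it does not, because the MAC never changes. The MAC and IP addresses, the frame layout and the sensor placement (server side of the attacker) are all assumptions of the example.

```python
"""A model of stream5's check_session_hijacking, run over constructed frames.

Added example; not code from the thread or from Snort's stream5.  The Snort
manual describes the option as recording the Ethernet source address of
each side from the session's first packets and alerting when a later packet
from that side carries a different one.  This monitor does the same thing
for a single TCP session, to show what it catches and what it cannot.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """Just the fields the check needs: Ethernet source, 4-tuple, TCP flags."""
    src_mac: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    flags: str  # "S", "SA", "A", "PA"


@dataclass
class Session:
    client_ip: str
    client_mac: str                    # from the SYN
    server_mac: Optional[str] = None   # from the first packet back (SYN/ACK)


Key = Tuple[Tuple[str, int], Tuple[str, int]]


def session_key(f: Frame) -> Key:
    """Direction-independent key for the TCP 4-tuple."""
    a, b = (f.src_ip, f.sport), (f.dst_ip, f.dport)
    return (a, b) if a < b else (b, a)


class HijackMonitor:
    def __init__(self) -> None:
        self.sessions: Dict[Key, Session] = {}
        self.alerts: List[Tuple[Key, str, str, str]] = []  # key, side, expected, seen

    def feed(self, f: Frame) -> bool:
        """Process one frame; True if it raised a hijacking alert."""
        key = session_key(f)
        sess = self.sessions.get(key)
        if sess is None:
            if f.flags == "S":  # only track sessions whose start was seen
                self.sessions[key] = Session(client_ip=f.src_ip, client_mac=f.src_mac)
            return False
        if f.src_ip == sess.client_ip:
            expected, side = sess.client_mac, "client"
        else:
            if sess.server_mac is None:
                sess.server_mac = f.src_mac  # server MAC fixed by its first reply
                return False
            expected, side = sess.server_mac, "server"
        if f.src_mac != expected:
            self.alerts.append((key, side, expected, f.src_mac))
            return True
        return False


def run(frames: List[Frame]) -> List[bool]:
    """Feed a frame list to a fresh monitor; one alert flag per frame."""
    m = HijackMonitor()
    return [m.feed(f) for f in frames]


# Constructed traffic; the MACs and addresses are made up.
CLIENT, SERVER, ATTACKER = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
C2S = ("10.0.0.5", 40000, "10.0.0.9", 80)
S2C = ("10.0.0.9", 80, "10.0.0.5", 40000)

# 1. Hijack: a normal handshake, then the attacker injects a segment with the
#    client's IP/port but from its own NIC.  The MAC changed mid-session.
HIJACK = [
    Frame(CLIENT, *C2S, "S"),
    Frame(SERVER, *S2C, "SA"),
    Frame(CLIENT, *C2S, "A"),
    Frame(ATTACKER, *C2S, "PA"),
]

# 2. ARP-spoofed MITM already in place before the handshake, with the sensor
#    on the server side of the attacker (assumed placement).  Every client-IP
#    frame carried the attacker's MAC from the SYN on, so nothing ever changes.
MITM_PREPOSITIONED = [
    Frame(ATTACKER, *C2S, "S"),
    Frame(SERVER, *S2C, "SA"),
    Frame(ATTACKER, *C2S, "A"),
    Frame(ATTACKER, *C2S, "PA"),
]

if __name__ == "__main__":
    print("hijack:", run(HIJACK))
    print("pre-positioned mitm:", run(MITM_PREPOSITIONED))
```

The first scenario alerts on the fourth frame only; the second never alerts. That is the point: the check has no notion of which MAC is correct, only of a change after the session was established, so a MITM that relayed the handshake itself looks like a perfectly consistent session. Two further things to verify against the manual for your version before expecting stream5 alerts: the option is documented as doing nothing when there is no Ethernet layer in the captured packets (cooked `-i any` captures, for instance), and stream5's anomaly alerts are tied to its `detect_anomalies` setting.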