[Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode

Jutichai Thongkrachai thsecmaniac at ...11827...
Thu Aug 21 05:08:30 EDT 2014


To Waldo kitty,


After running "./configure --enable-non-ether-decoders --enable-sourcefire",
do I need to run "make; make install" again?




2014-08-21 2:36 GMT+07:00 <snort-users-request at lists.sourceforge.net>:

> Today's Topics:
>
>    1. Re: darpa dataset problem(zero alert) (waldo kitty)
>    2. Re: Got the "ERROR: Cannot decode data link type 239" message
>       when turn on sniffer mode (Jutichai Thongkrachai)
>    3. Re: Got the "ERROR: Cannot decode data link type 239" message
>       when turn on sniffer mode (waldo kitty)
>    4. Snort does not capture with PF_RINF DNA (Ivan Petrov)
>    5. Suse Linux Enterprise Server 11 (Daniel Gonnsen)
>
>
> ---------- Forwarded message ----------
> From: waldo kitty <wkitty42 at ...14940...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Tue, 19 Aug 2014 19:54:26 -0400
> Subject: Re: [Snort-users] darpa dataset problem(zero alert)
> On 8/19/2014 6:29 PM, Joel Esler (jesler) wrote:
>
>> That is from the ruleset that is available at www.snort.org/downloads
>>
>
> and just to expand on joel's reply, GID:1 are snort's textual rules... the
> shared object rules are GID:3... gen-msg.map will tell you the others...
> including those generated by internal snort modules...
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
>
> ---------- Forwarded message ----------
> From: Jutichai Thongkrachai <thsecmaniac at ...11827...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Wed, 20 Aug 2014 11:25:42 +0700
> Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type
> 239" message when turn on sniffer mode
> To Waldo kitty
>
> ./configure --enable-sourcefire
>
>
>
>> ---------- Forwarded message ----------
>> From: waldo kitty <wkitty42 at ...14940...>
>> To: snort-users at lists.sourceforge.net
>> Cc:
>> Date: Tue, 19 Aug 2014 13:40:52 -0400
>> Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type
>> 239" message when turn on sniffer mode
>> On 8/19/2014 12:29 AM, Jutichai Thongkrachai wrote:
>>
>>> To Waldo kitty
>>>
>>> I install from .tar.gz (source not binary)
>>>
>>
>> what are your snort build options??
>>
>> --
>>  NOTE: No off-list assistance is given without prior approval.
>>        Please *keep mailing list traffic on the list* unless
>>        private contact is specifically requested and granted.
>>
>>
>>
>>
>>
>
> ---------- Forwarded message ----------
> From: waldo kitty <wkitty42 at ...14940...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Wed, 20 Aug 2014 01:53:38 -0400
> Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type
> 239" message when turn on sniffer mode
> On 8/20/2014 12:25 AM, Jutichai Thongkrachai wrote:
>
>> To Waldo kitty
>>
>> ./configure --enable-sourcefire
>>
>
>
> http://seclists.org/snort/2013/q4/543
>
>
>
>      ---------- Forwarded message ----------
>>     From: waldo kitty <wkitty42 at ...14940...>
>>     To: snort-users at lists.sourceforge.net
>>     Cc:
>>     Date: Tue, 19 Aug 2014 13:40:52 -0400
>>     Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type 239"
>>     message when turn on sniffer mode
>>     On 8/19/2014 12:29 AM, Jutichai Thongkrachai wrote:
>>
>>         To Waldo kitty
>>
>>         I install from .tar.gz (source not binary)
>>
>>
>>     what are your snort build options??
>>
>
>
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
>
> ---------- Forwarded message ----------
> From: Ivan Petrov <ipetrov80 at ...131...>
> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Cc:
> Date: Wed, 20 Aug 2014 06:46:24 -0700
> Subject: [Snort-users] Snort does not capture with PF_RINF DNA
> Hi,
>
> I'm trying to run Snort with Pf_ring DNA driver. But I'm stuck with a
> problem.
>
> sudo /usr/sbin/snort --daq-dir=/usr/local/lib/daq --daq-list
> /usr/local/lib/daq/daq_pfring.so: dlopen: /usr/local/lib/libpfring.so:
> undefined symbol: numa_parse_nodestring
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> afpacket(v5): live inline multi unpriv
> ipfw(v3): live inline multi unpriv
> dump(v2): readback live inline multi unpriv
>
> libpfring is not in the daq list. Any ideas?
>
> Starting snort: /usr/local/lib/daq/daq_pfring.so: dlopen:
> /usr/local/lib/libpfring.so: undefined symbol: numa_parse_nodestring
> My daemon child 20303 lives...
> Daemon parent exiting (0)
>                                                            [  OK  ]
>
> Snort 2.9.6.2
> Daq 2.0.2
> PF_RING 6.0.1
> DNA driver e1000e
>
> Regards,
> Ivan
>
>
> ---------- Forwarded message ----------
> From: "Daniel Gonnsen" <DGonnsen at ...16947...>
> To: <snort-users at lists.sourceforge.net>
> Cc:
> Date: Wed, 20 Aug 2014 15:17:49 -0400
> Subject: [Snort-users] Suse Linux Enterprise Server 11
> Which binary file would I download to use on Suse Linux Enterprise Server
> 11?  Are there any specific instructions for the installation?  I found
> something for Open Suse versions but nothing for SLES.   Thanks

