[Snort-users] Snort-users Digest, Vol 93, Issue 13

Aditya Prakash adipra90 at ...11827...
Tue Feb 11 23:06:49 EST 2014


Please, can anybody tell me how to trim the Snort alert timestamp? I do
not want the microsecond field; I just want the date and time in
hr:min:sec format.


On Wed, Feb 12, 2014 at 4:11 AM,
<snort-users-request at lists.sourceforge.net> wrote:

> Send Snort-users mailing list submissions to
>         snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-users-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. Re: sudo snort -Tc snort.conf failure (Nicholas Mavis (nmavis))
>    2. sfportscan not writing to BASE (Richard Smollett)
>    3. Getting Incorrect URL Error Message for a working URL
>       (MMartin at ...16693...)
>    4. Re: Getting Incorrect URL Error Message for a working URL
>       (MMartin at ...16693...)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 11 Feb 2014 15:20:51 +0000
> From: "Nicholas Mavis (nmavis)" <nmavis at ...589...>
> Subject: Re: [Snort-users] sudo snort -Tc snort.conf failure
> To: David Montgomery <davidmontgomery at ...11827...>,
>         "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID: <CF1FA8D1.E4D9%nmavis at ...589...>
> Content-Type: text/plain; charset="us-ascii"
>
> David,
>
> As Y M mentioned, if you are installing Snort via the Ubuntu repositories
> it is going to be outdated. I would recommend downloading an updated
> release (2.9.6) from snort.org. The errors you are seeing are fairly
> straightforward.
>
>  Initializing rule chains...
> WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated;
> use detection_filter instead.
>
> ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed:
> !$DNS_SERVERS
>
> As seen in the error above, you have $DNS_SERVERS variable set to "!any"
> within your snort.conf which is not allowed.
>
> From: David Montgomery <davidmontgomery at ...11827...>
> Date: Tuesday, February 11, 2014 8:03 AM
> To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] sudo snort -Tc snort.conf failure
>
> Initializing rule chains...
> WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated;
> use detection_filter instead.
>
> ERROR: /etc/snort/rules/community-virus.rules(19) !any is not allowed:
> !$DNS_SERVERS
>
> ------------------------------
>
> Message: 2
> Date: Tue, 11 Feb 2014 15:59:14 -0500
> From: Richard Smollett <yawningdogge at ...11827...>
> Subject: [Snort-users] sfportscan not writing to BASE
> To: snort-users at lists.sourceforge.net
> Message-ID: <CAC=Gbs6VQwRNGoOC2F1PR-CfQaXNFZKjZU5+7tmRsnAVfDHojg at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> After a portscan, my log file contains the following.
>
> Time: 02/11-14:49:22.006688
> event_ref: 0
> 172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
> Priority Count: 5
> Connection Count: 5
> IP Count: 1
> Scanner IP Range: 172.28.61.88:172.28.61.88
> Port/Proto Count: 5
> Port/Proto Range: 23:993
>
> So it looks like the preprocessor is working. But in the BASE interface,
> portscan traffic remains 0%. My rules are reporting to BASE just fine.
> Preprocessor config looks like this.
>
> preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 } \
>     sense_level { low } logfile { /etc/snort/sfportscan.log }
>
> ------------------------------
>
> Message: 3
> Date: Tue, 11 Feb 2014 16:54:28 -0500
> From: MMartin at ...16693...
> Subject: [Snort-users] Getting Incorrect URL Error Message for a
>         working URL
> To: snort-users at lists.sourceforge.net
> Message-ID: <OF5E480AC0.AF542C41-ON85257C7C.00745DD7-85257C7C.00785867 at ...16693...>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello All,
>
> Installed Version: Snort v2.9.6.0  --and--  Oinkmaster v2.0
>
> Let me start by saying I am new to Snort, but I have it configured and
> running in IDS mode. The issue I'm having is with oinkmaster.pl, which is
> telling me the URL I am giving is incorrect. Sorry if this was asked
> before, but I tried checking the mailing list's archive for a similar
> situation, but without a search function it was impossible to find a
> similar case...
>
> But anyway, I am a registered User on snort.org and I generated an
> "Oinkcode" from My Account page in order to get a URL configured for
> oinkmaster to update my rules.
>
> I added the following URL from my "My Oinkcode" page, under "Registered
> User Release", which was generated using the specific code that was given
> to me, to my "/etc/oinkmaster.conf" file (FYI, I hid my OinkCode with
> 'xxx....' below):
>
>
> http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> This link was the default one given as an example, so I tried
> ".../snortrules-snapshot-2960.tar.gz/..." because that is the Snort
> version I currently have installed, and when I open that in a browser I
> get the error below:
>
> Snort.org Rule Pack Download Error:
>       --------------------------
>       Subscription: false
>       --------------------------
>       No rule pack with this filename is available to you.
>       --------------------------
>
> I assume since this is the newest version of Snort available, the rules
> are not yet ready for download...?
> So I tried the next newest release, which was -->
> "snortrules-snapshot-2956.tar.gz"
>
>
> http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> I entered that URL above into a browser, and when the page loads I'm
> prompted with a download dialog to download the snortrules-snapshot.
> Since I got a download prompt I assume this is the correct URL for me to
> use. So I entered the following line in my oinkmaster.conf file:
>
> url =
>
> http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> Now, when I run the oinkmaster command to update/download the newest
> rules file I get an error about the URL, see below:
>
> # oinkmaster -o /etc/snort/rules
> Loading /etc/oinkmaster.conf
>
> /usr/local/bin/oinkmaster: Error: incorrect URL: "
>
> http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> "
>
> Oink, oink. Exiting...
>
> Since the URL works in a browser I'm not sure why it wouldn't work from
> the oinkmaster.pl command..?
> Does anyone know why this would be happening? Any thoughts or suggestions
> would be much appreciated.
>
>
> Thanks in Advance,
> Matt
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 11 Feb 2014 17:41:22 -0500
> From: MMartin at ...16693...
> Subject: Re: [Snort-users] Getting Incorrect URL Error Message for a
>         working URL
> To: snort-users at lists.sourceforge.net
> Message-ID: <OF92E3AC43.8A1FF157-ON85257C7C.007B4451-85257C7C.007CA3E1 at ...16693...>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hey Guys,
>
> Sorry to double post, but I think I may have found the problem...
>
> Looking at the Perl code for oinkmaster.pl I found the section that checks
> the URL by comparing it to a REGEX... You can see in the snippet of code
> below, that the regex wants the URL to end with ".tar.gz" --or-- ".tgz"...
> Which is why my URL wouldn't work...
>
>         Here is the REGEX from the Snippet below ==>
> /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/
>
> __________________________ CODE SNIPPET __________________________
>
> # Make sure all urls look ok, and untaint them.
> my @urls = @{$config{url}};
> $#{$config{url}} = -1;
> foreach my $url (@urls) {
>     clean_exit("incorrect URL: \"$url\"")
>       unless ($url =~ /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/
>            || $url =~ /^(dir:\/\/.+)/);
>
>     my $ok_url = $1;
>     # ..... MORE CODE .....
> }
> ________________________ END CODE SNIPPET ________________________
>
>
> The problem is my URL actually ends with my Oinkcode and NOT the file
> name...
>
> I think I'll try to adjust the REGEX to match MY url and give it another
> try in the morning... I'll let you guys know what happens just in case
> anyone else has or had this issue and isn't familiar with Perl and/or
> REGEXs. Although, I could probably just remove the '$' at the end of the
> REGEX and it should probably work just fine since that matches the end of
> the line, and by including "^" at the start, and '$' at the end, it's
> basically saying it has to start and end exactly like this..... And
> removing the '$' will basically just make it want to see that ".tar.gz" or
> ".tgz" is included somewhere in the URL...
>
> I'll post back shortly. Again, sorry about double posting...
>
> Thanks Again,
> Matt
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
> ------------------------------
>
>
> ------------------------------
>
>
>
> End of Snort-users Digest, Vol 93, Issue 13
> *******************************************
>



-- 
Aditya prakash(SDDE)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140212/a9c5fe81/attachment.html>
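The question at the top of this message asks for Snort alert timestamps without the microsecond field. Snort writes them as MM/DD-HH:MM:SS.microseconds (the portscan entry quoted in the digest shows 02/11-14:49:22.006688), or MM/DD/YY-HH:MM:SS.microseconds when Snort runs with -y. I am not aware of an output option that drops the fraction, so the practical route is to post-process the alert file. The following is an added example, not code from the thread or from the Snort project; the sample log lines are constructed, modelled on the sfportscan entry above and on the alert_fast layout:

```python
import re

# Snort timestamps: MM/DD-HH:MM:SS.NNNNNN, or MM/DD/YY-HH:MM:SS.NNNNNN with -y.
# Group 1 keeps everything up to the seconds; the six-digit fraction is dropped.
# IP:port pairs such as 172.28.61.88:1234 do not match because they lack the
# MM/DD- prefix, so the rest of the line is left untouched.
SNORT_TIMESTAMP_RE = re.compile(
    r"\b(\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2})\.\d{6}\b"
)


def strip_microseconds(line: str) -> str:
    """Return the line with the microsecond field removed from every Snort timestamp."""
    return SNORT_TIMESTAMP_RE.sub(r"\1", line)


def strip_microseconds_from_log(text: str) -> str:
    """Apply strip_microseconds to every line of an alert or sfportscan log."""
    return "\n".join(strip_microseconds(line) for line in text.splitlines())


# Constructed sample input: an alert_fast line, a line written with -y (year
# included), and the sfportscan block quoted in the thread.
SAMPLE_LOG = """\
02/11-14:49:22.006688  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 172.28.61.88 -> 172.28.61.39
02/11/14-14:49:23.123456  [**] [1:1000001:1] constructed test rule [**] [Priority: 3] {TCP} 172.28.61.88:1234 -> 172.28.61.39:23
Time: 02/11-14:49:22.006688
event_ref: 0
172.28.61.88 -> 172.28.61.39 (portscan) TCP Portscan
Priority Count: 5"""

if __name__ == "__main__":
    print(strip_microseconds_from_log(SAMPLE_LOG))
```

The same substitution works from a shell pipeline with GNU sed, for example `sed -E 's|([0-9]{2}/[0-9]{2}(/[0-9]{2})?-[0-9]{2}:[0-9]{2}:[0-9]{2})\.[0-9]{6}|\1|g' /var/log/snort/alert > alert.trimmed`. Run it on a copy or in a reporting pipeline rather than rewriting the live alert file: once the fraction is gone, events logged within the same second can no longer be ordered, which matters when the alerts are later used as evidence.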
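Message 4 in the quoted digest diagnoses the oinkmaster "incorrect URL" error from the Perl pattern in the snippet, and considers removing the trailing '$' so that a URL ending in an oinkcode passes. Two things about that snippet are worth checking before editing it. First, the loop walks every url line in the config (@{$config{url}}) and clean_exit stops at the first bad one; the error output quotes the 2931 URL, not the 2956 one, so a leftover 2931 line in /etc/oinkmaster.conf would be rejected before the new line is ever reached. Second, the comment says the pattern also untaints the URL: oinkmaster goes on to use $1, not $url. With the '$' removed, the greedy .+ backtracks to the last .tar.gz, the check passes, and $1 holds the URL cut off before the oinkcode. The added example below, which is mine and not oinkmaster's code, ports the three patterns to Python and shows what each hands on; the URLs are constructed with a placeholder oinkcode, as in the post, and the oinkcode character class in the third pattern is an assumption:

```python
import re

# The Perl pattern from the quoted oinkmaster.pl snippet, ported to Python.
# Group 1 corresponds to $1, the untainted URL oinkmaster goes on to use.
OINKMASTER_ARCHIVE_RE = re.compile(r"^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz))$")
OINKMASTER_DIR_RE = re.compile(r"^(dir://.+)")

# The variant considered in message 4: same pattern with the trailing '$' removed.
NO_END_ANCHOR_RE = re.compile(r"^((?:https*|ftp|file|scp)://.+\.(?:tar\.gz|tgz))")

# Suggested replacement (mine, not oinkmaster's): keep both anchors but allow one
# trailing path component after the archive name, so the whole URL, oinkcode
# included, lands in group 1. 'https?' replaces 'https*', which also accepted
# 'httpss://'. The [A-Za-z0-9]+ class for the oinkcode is an assumption.
OINKCODE_AWARE_RE = re.compile(
    r"^((?:https?|ftp|file|scp)://.+\.(?:tar\.gz|tgz)(?:/[A-Za-z0-9]+)?)$"
)


def ok_url(url: str, archive_re=OINKMASTER_ARCHIVE_RE):
    """Mimic the oinkmaster check: return the URL it would use ($1), or None if rejected."""
    m = archive_re.match(url) or OINKMASTER_DIR_RE.match(url)
    return m.group(1) if m else None


# Constructed URLs. OLD_STYLE_URL is simply a URL ending in .tar.gz, the only shape
# the original pattern accepts; NEW_STYLE_URL has the oinkcode appended, as in the post.
OINKCODE = "x" * 40
OLD_STYLE_URL = "http://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz"
NEW_STYLE_URL = OLD_STYLE_URL + "/" + OINKCODE


def compare_checks(url: str) -> dict:
    """Run the three patterns over one URL and report what each would hand on."""
    return {
        "original": ok_url(url),
        "no_end_anchor": ok_url(url, NO_END_ANCHOR_RE),
        "oinkcode_aware": ok_url(url, OINKCODE_AWARE_RE),
    }


if __name__ == "__main__":
    for label, url in (("ends in .tar.gz", OLD_STYLE_URL), ("oinkcode suffix", NEW_STYLE_URL)):
        print(label)
        for check, result in compare_checks(url).items():
            print(f"  {check:15s} -> {result}")
```

For the oinkcode-suffixed URL the original pattern returns None (the "incorrect URL" exit), the un-anchored variant returns the URL truncated at .tar.gz, and only the third pattern returns the full URL. Keeping the '$' matters beyond correctness: this regex is what untaints the string before it is passed on to the downloader, so any loosening should stay as narrow as the one trailing component that is actually needed.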

