[Snort-users] Snort-users Digest, Vol 93, Issue 9

Aditya Prakash adipra90 at ...11827...
Tue Feb 11 23:42:15 EST 2014


Hi all,
Can anyone tell me how to trim the Snort alert output, that is, the timestamp
parameter? I just want the timestamp in the format date, time in hr min sec.
I do not require the millisecond field in the timestamp parameter.

aditya


On Tue, Feb 11, 2014 at 4:24 PM, <snort-users-request at lists.sourceforge.net> wrote:

> Today's Topics:
>
>    1. Snort 2.9.6.0 rpm for RHEL6.x (Feroz Basir)
>    2. Re: Snort 2.9.6.0 rpm for RHEL6.x (Jeremy Hoel)
>    3. Re: Snort 2.9.6.0 rpm for RHEL6.x (waldo kitty)
>    4. Events vs. Alerts (Thomas Hyslip)
>    5. Snort vs. Barnyard2 performance logging to a database
>       (Dubrawsky, Ido)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 11 Feb 2014 02:59:37 +0800
> From: Feroz Basir <feroz.basir at ...11827...>
> Subject: [Snort-users] Snort 2.9.6.0 rpm for RHEL6.x
> To: snort-users at lists.sourceforge.net
> Message-ID: <85C4F71B-FF24-4D46-96EB-83C0D160633C at ...11827...>
> Content-Type: text/plain;       charset=us-ascii
>
> Hi All,
>
> Where can I download snort rpm for rhel6.x? Website only for centos and
> fedora.
>
> Thanks.
>
>
> Regards,
> Feroz Basir
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Feb 2014 19:04:25 +0000
> From: Jeremy Hoel <jthoel at ...11827...>
> Subject: Re: [Snort-users] Snort 2.9.6.0 rpm for RHEL6.x
> To: Feroz Basir <feroz.basir at ...11827...>
> Cc: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID:
>         <CAH_p-VPV50Ear5tKZO96CCXLf9bv=
> F1oR73Q0AnHy3523FA7kg at ...11828...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> CentOS is basically RedHat without the RedHat logos and it should be
> binary compatible (minus stupid scripts looking for the words RedHat
> somewhere).   Have you tried using the CentOS build?  We run CentOS,
> but we build ours from source.
>
> On Mon, Feb 10, 2014 at 6:59 PM, Feroz Basir <feroz.basir at ...11827...>
> wrote:
> > Hi All,
> >
> > Where can I download snort rpm for rhel6.x? Website only for centos and fedora.
> >
> > Thanks.
> >
> >
> > Regards,
> > Feroz Basir
> >
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Feb 2014 18:45:07 -0500
> From: waldo kitty <wkitty42 at ...14940...>
> Subject: Re: [Snort-users] Snort 2.9.6.0 rpm for RHEL6.x
> To: snort-users at lists.sourceforge.net
> Message-ID: <52F96483.30406 at ...14940...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 2/10/2014 1:59 PM, Feroz Basir wrote:
> > Where can I download snort rpm for rhel6.x? Website only for centos and
> > fedora.
>
> You are better off building from the sources so you get the latest
> version... RPMs are very likely to be out of date, and their Snort is no
> longer supported due to EoL status... That means that you can't get rules
> for old versions either...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Feb 2014 19:32:41 -0500
> From: Thomas Hyslip <thomas.hyslip at ...11827...>
> Subject: [Snort-users] Events vs. Alerts
> To: snort-users at lists.sourceforge.net
> Message-ID:
>         <CALhgiWhJCCftw=
> RUz+9vy3W0gnZnA8UXB4gpsYNd1baeeueQug at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Not quite sure I understand the difference between an event and an alert.
> I have a threshold within a rule for 25 SYN packets every second (DDoS)
> egressing the network.
>
> I have tried different pcaps with tcpreplay to test the rule.  When I know
> there are more than 25 SYN packets within a second, I see the alerts in
> barnyard2 and afterwards when I stop snort.  But, when I'm sure there are
> not 25 SYNs in one second, I get no alerts, but after stopping snort and
> barnyard, I see events were logged or filtered.
>
> So, I am a little confused what Snort means by an event that is not an
> alert.  Also, FYI, I have no other rules or pre-processors running.  Here
> is the output from snort:
>
>
> ===============================================================================
> Action Stats:
>      Alerts:            0 (  0.000%)
>      Logged:            0 (  0.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:          241
>       Alert:            0
> Verdicts:
>       Allow:       722528 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
>
> ===============================================================================
> +-----------------------[filtered events]--------------------------------------
> | gen-id=1      sig-id=1000001    type=Threshold tracking=src count=25 seconds=1   filtered=241
>
> Any idea what the 241 event and filtered could be?
>
> Thanks
> Tom
>
> ------------------------------
>
> Message: 5
> Date: Tue, 11 Feb 2014 10:38:07 +0000
> From: "Dubrawsky, Ido" <Ido.Dubrawsky at ...16687...>
> Subject: [Snort-users] Snort vs. Barnyard2 performance logging to a database
> To: "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID: <68769062e01946249813eee22b925295 at ...16690...>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Has anyone done any performance tests benchmarking whether it's better for
> the Snort IDS process to insert alerts directly into a database (MySQL or
> PostgreSQL) or whether performance is better if Snort writes the unified2
> file and lets Barnyard2 insert alerts into a database?   A quick Google
> search hasn't easily revealed anything relevant at the moment.
>
>
>
> Thanks,
>
> Ido
>
>
> Ido Dubrawsky
>
> Sr. Principal Systems Engineer
>
> Security Engineering Team Lead
>
> Ido.Dubrawsky at ...16687... <mailto:Ido.Dubrawsky at ...16687...>
>
> 509-891-3452 (O)/301-928-0020(M)
>
>
>
>
>
> ------------------------------
>
>



-- 
Aditya prakash(SDDE)
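An added example, not from anyone on this thread, of post-processing Snort alert_fast output the way the top question asks: the microsecond field is dropped and each line is rewritten as date,time followed by the rest of the alert. The sample lines are constructed; the regex assumes Snort's default MM/DD-HH:MM:SS.usec stamp and the MM/DD/YY form produced with -y.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample alert_fast lines (not from the original post). The first
# uses the default MM/DD-HH:MM:SS.usec stamp, the second the "-y" form that
# adds the year in front of the time.
SAMPLE_ALERTS = [
    '02/11-23:42:15.123456  [**] [1:1000001:0] "TEST syn flood" [**] '
    '[Priority: 3] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80',
    '02/11/14-23:42:16.654321  [**] [1:1000001:0] "TEST syn flood" [**] '
    '[Priority: 3] {TCP} 192.0.2.10:44322 -> 198.51.100.5:80',
]

# Leading timestamp of an alert_fast line: date (optionally with /YY or /YYYY),
# a dash, the time, and an optional fractional-second field that is discarded.
_STAMP_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}(?:/\d{2,4})?)-'
    r'(?P<time>\d{2}:\d{2}:\d{2})'
    r'(?:\.\d+)?'          # microseconds: matched so they can be dropped
    r'(?P<rest>\s.*)$'
)


def split_timestamp(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (date, time, remainder) with sub-second precision removed,
    or None when the line does not start with an alert timestamp."""
    m = _STAMP_RE.match(line)
    if not m:
        return None
    return m.group('date'), m.group('time'), m.group('rest').lstrip()


def trim_alert(line: str) -> str:
    """Rewrite an alert line as 'date,time  rest'; other lines pass through."""
    parts = split_timestamp(line)
    if parts is None:
        return line
    date, time, rest = parts
    return f"{date},{time}  {rest}"


def trim_alerts(lines: Iterable[str]) -> List[str]:
    """Apply trim_alert to a whole alert file read line by line."""
    return [trim_alert(line.rstrip('\n')) for line in lines]


if __name__ == "__main__":
    for out in trim_alerts(SAMPLE_ALERTS):
        print(out)
```

Run it as `python3 trim_alerts.py < /var/log/snort/alert` (path is an assumption) or import trim_alert into whatever ships the alerts onward.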
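A second added example, again not from anyone on this thread, for Message 4 (Events vs. Alerts): a small model of a `threshold type threshold, track by_src, count 25, seconds 1` filter that separates rule matches (events) from the alerts it lets through. Assumptions: the logic follows the documented semantics (alert every count-th match from one source inside the window) rather than Snort's own code, and the event stream is constructed.

```python
from typing import Dict, List, Tuple

# Constructed event stream (not from the original post): (timestamp in seconds,
# source IP) for every packet that matched the rule body. 192.0.2.10 sends 30
# SYNs inside one second; 192.0.2.20 sends 10 SYNs spread over five seconds.
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(10.0 + i * 0.02, "192.0.2.10") for i in range(30)]
    + [(20.0 + i * 0.5, "192.0.2.20") for i in range(10)]
)


class ThresholdTracker:
    """Model of 'threshold type threshold, track by_src, count N, seconds S'.

    Assumption: written from the documented semantics (alert every N-th match
    from one source inside an S-second window), not copied from Snort's code.
    A match that does not fire an alert is still an event; it is tallied as
    filtered, which is what the '[filtered events]' table reports.
    """

    def __init__(self, count: int, seconds: float) -> None:
        self.count, self.seconds = count, seconds
        self._win: Dict[str, Tuple[float, int]] = {}  # src -> (window_start, n)
        self.alerts = 0
        self.filtered = 0

    def event(self, ts: float, src: str) -> bool:
        """Feed one matching packet; return True when it produces an alert."""
        start, n = self._win.get(src, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        if n >= self.count:                 # N-th match inside the window
            self.alerts += 1
            self._win[src] = (ts, 0)        # counter restarts after an alert
            return True
        self.filtered += 1                  # matched, but no alert yet
        self._win[src] = (start, n)
        return False


def run(events: List[Tuple[float, str]], count: int = 25,
        seconds: float = 1.0) -> Tuple[int, int]:
    """Replay events in time order; return (alerts, filtered) like the stats."""
    tracker = ThresholdTracker(count, seconds)
    for ts, src in sorted(events):
        tracker.event(ts, src)
    return tracker.alerts, tracker.filtered


if __name__ == "__main__":
    alerts, filtered = run(SAMPLE_EVENTS)
    print(f"Alerts: {alerts}  filtered events: {filtered}")
```

With the sample stream the burst source produces one alert and the slow source none, while every match from both shows up in the filtered count, which is the shape of the Action Stats in the post.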