[Snort-users] Snort-users Digest, Vol 132, Issue 20

Nicholas Vigneur nvigneur at ...11827...
Thu May 18 21:13:25 EDT 2017


Specifying the policy with a "null" state is not necessary unless you add a preprocessor. Policy needs to be commented out with # if not needed, to stop the error. Policies can be pre-defined by the user or from a known "list".

Very Respectfully,

Nicholas E. Vigneur
210-862-8678
A+(CE), SEC+(CE), CASP, CEH, CISSP
nvigneur at ...11827...



> On May 18, 2017, at 4:20 PM, snort-users-request at lists.sourceforge.net wrote:
> 
> Send Snort-users mailing list submissions to
>    snort-users at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>    snort-users-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
>    snort-users-owner at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
> 
> 
> When responding, please don't respond with the entire Digest.  Please trim your response.
> 
> Today's Topics:
> 
>   1. what is snort policy? ( ???? )
>   2. How to get the previous black_list.rules (Asad, Hafiz ul)
>   3. Re: How to get the previous black_list.rules (Joel Esler (jesler))
>   4. Help! Newbie Needs Help (Dionne Queen)
>   5. Re: Help! Newbie Needs Help (wkitty42 at ...14940...)
>   6. (no subject) (?moon sun? ?)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 16 May 2017 11:11:33 +0800
> From: " ???? " <85358830 at ...15456...>
> Subject: [Snort-users] what is snort policy?
> To: " Snort-users " <snort-users at lists.sourceforge.net>
> Message-ID: <tencent_6BC60F73387DBA540ED6326B at ...15456...>
> Content-Type: text/plain;    charset="gb18030"
> 
> Hello everyone.
> I tried to read the Snort source code; I'm reading snort/src/dynamic_preprocessor/reputation/spp_reputation.c.
> I can't understand the meaning of policy in the source code.
> In the init function ReputationInit (at line 447):
> 
> 
> static void ReputationInit(struct _SnortConfig *sc, char *argp)
> {
>    tSfPolicyId policy_id = _dpd.getParserPolicy(sc);     /* What is tSfPolicyId? Why should we use it? */
>    ReputationConfig *pDefaultPolicyConfig = NULL;        /* What is the policy? */
>    ReputationConfig *pPolicyConfig = NULL;               /* What is the policy? */
> 
> 
> 
> 
>    if (reputation_config == NULL)
>    {
>        /*create a context*/
>        reputation_config = sfPolicyConfigCreate();                
>        if (reputation_config == NULL)
>        {
>            DynamicPreprocessorFatalMessage("Failed to allocate memory "
>                    "for Reputation config.\n");
>        }
> 
> 
>        _dpd.addPreprocConfCheck(sc, ReputationCheckConfig);
>        _dpd.registerPreprocStats(REPUTATION_NAME, ReputationPrintStats);
>        _dpd.addPreprocExit(ReputationCleanExit, NULL, PRIORITY_LAST, PP_REPUTATION);
> 
> 
> #ifdef PERF_PROFILING
>        _dpd.addPreprocProfileFunc("reputation", (void *)&reputationPerfStats, 0, _dpd.totalPerfStats, NULL);
> #endif
> 
> 
>    }
> 
> 
>    sfPolicyUserPolicySet (reputation_config, policy_id);                                        /* What is the policy? */
>    pDefaultPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetDefault(reputation_config);   /* What is the policy? */
>    pPolicyConfig = (ReputationConfig *)sfPolicyUserDataGetCurrent(reputation_config);          /* What is the policy? */
> 
> 
>    if ((policy_id != 0) && (pDefaultPolicyConfig == NULL))
>    {
>        DynamicPreprocessorFatalMessage("%s(%d) => Reputation configuration may only"
>                " be enabled in default configuration\n",
>                *_dpd.config_file, *_dpd.config_line);
>    }
> 
> 
>    if (pPolicyConfig != NULL)
>    {
>        DynamicPreprocessorFatalMessage("%s(%d) => Reputation preprocessor can only be "
>                "configured once.\n",  *_dpd.config_file, *_dpd.config_line);
>    }
> 
> 
>    pPolicyConfig = (ReputationConfig *)calloc(1, sizeof(ReputationConfig));
>    if (!pPolicyConfig)
>    {
>        DynamicPreprocessorFatalMessage("Could not allocate memory for "
>                "Reputation preprocessor configuration.\n");
>    }
> 
> 
>    sfPolicyUserDataSetCurrent(reputation_config, pPolicyConfig);
> 
> 
>    ParseReputationArgs(pPolicyConfig, (u_char *)argp);
> 
> 
>    if ((0 == pPolicyConfig->numEntries)&&(!pPolicyConfig->sharedMem.path))   /* What is the policy? */
>    {
>        return;
>    }
> 
> 
>    if (policy_id != 0)
>        pPolicyConfig->memcap = pDefaultPolicyConfig->memcap;   /* What is the policy? */
> 
> 
>    if (!pPolicyConfig->sharedMem.path && pPolicyConfig->localSegment)
>        IPtables = &pPolicyConfig->localSegment;
> 
> 
> #ifdef SHARED_REP
>    if (pPolicyConfig->sharedMem.path && (!_dpd.isTestMode()))   /* What is the policy? */
>        _dpd.addPostConfigFunc(sc, initShareMemory, pPolicyConfig);
> #endif
> 
> 
> }
> 
> 
> 
> There are a lot of policies, but I can't understand what they mean.
> 
> 
> Who can explain their meaning?
> 
> 
> Thanks in advance.
> 
> 
> 
> 
> 
> 
> minggang
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 17 May 2017 11:54:09 +0000
> From: "Asad, Hafiz ul" <Hafiz-ul.Asad at ...17478...>
> Subject: [Snort-users] How to get the previous black_list.rules
> To: "snort-users at lists.sourceforge.net"
>    <snort-users at lists.sourceforge.net>
> Message-ID:
>    <HE1PR0302MB265213DF0752CC584311D78F90E70 at ...17776...>
>    
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Snort Users,
> 
> 
> The "black_list.rules" is updated every day by pulledpork. I am interested in monitoring its evolution, and for that reason I need these rules, let's say, for the last week. I can start saving them now, but I wonder, is there a way or place where all previous "black_list.rules" are stored and I can instantly access them for the last week?
> 
> 
> Asad
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 17 May 2017 13:09:38 +0000
> From: "Joel Esler (jesler)" <jesler at ...589...>
> Subject: Re: [Snort-users] How to get the previous black_list.rules
> To: "Asad, Hafiz ul" <Hafiz-ul.Asad at ...17478...>
> Cc: "snort-users at lists.sourceforge.net"
>    <snort-users at lists.sourceforge.net>
> Message-ID: <836359F1-89E6-4607-90E5-FC5CE8946FE6 at ...589...>
> Content-Type: text/plain; charset="utf-8"
> 
> There is not.  This list is updated every 15 minutes, and we don't keep around old copies.
> 
> --
> Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>
> 
> 
> 
> 
> 
> 
> On May 17, 2017, at 7:54 AM, Asad, Hafiz ul <Hafiz-ul.Asad at ...17478...<mailto:Hafiz-ul.Asad at ...17478...>> wrote:
> 
> Snort Users,
> 
> 
> The "black_list.rules" is updated every day by pulledpork. I am interested in monitoring its evolution, and for that reason I need these rules, let's say, for the last week. I can start saving them now, but I wonder, is there a way or place where all previous "black_list.rules" are stored and I can instantly access them for the last week?
> 
> 
> Asad
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org<http://Slashdot.org>! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net<mailto:Snort-users at ...3893...t>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 18 May 2017 03:09:32 +0000 (UTC)
> From: Dionne Queen <ddd1236 at ...131...>
> Subject: [Snort-users] Help! Newbie Needs Help
> To: "snort-users at lists.sourceforge.net"
>    <snort-users at lists.sourceforge.net>
> Message-ID: <1376333049.334726.1495076972805 at ...17079...>
> Content-Type: text/plain; charset="utf-8"
> 
> I installed Snort and used the following to create alert:
> c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf - A console
> 
> However, I keep getting the above error message displaying no such file or directory - log/snort.log.1495074784
> This is what is on my C: Drive -
> 
> 
> I am using the following alert:
> alert icmp any any -> any any (msg: "icmp testing rule"; sid: 1000001;)
> Snort won't allow any alerts due to the Error Message. Please Help.
> I am a "newbie".
> 
> Thanks.
> Dionne
> ddd1235 at ...131...
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 18 May 2017 02:34:35 -0400
> From: wkitty42 at ...14940...
> Subject: Re: [Snort-users] Help! Newbie Needs Help
> To: snort-users at lists.sourceforge.net
> Message-ID: <1853816d-b3af-f39a-8372-737791764aea at ...14940...>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
>> On 05/17/2017 11:09 PM, Dionne Queen wrote:
>> I installed Snort and used the following to create alert:
>> c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf - A console
>> 
>> However, I keep getting the above Error message displaying no such file or directory - log/snort.log.1495074784
>> This is what is on my C: Drive -
> 
> hunh?? above error??? there's not even one below...
> 
>> I am using the following alert:
>> alert icmp any any -> any any (msg: "icmp testing rule"; sid: 1000001;)
>> Snort won't allow any alerts due to the Error Message. Please Help.
>> I am a "newbie".
> 
> but I believe you might be better served by using a more rounded testing suite of 
> rules instead of shoving everything into the ICMP protocol...
> 
> -- 
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 18 May 2017 20:17:51 +0000 (UTC)
> From: ?moon sun? ? <msun489 at ...131...>
> Subject: [Snort-users] (no subject)
> To: "snort-users at lists.sourceforge.net"
>    <snort-users at lists.sourceforge.net>
> Message-ID: <180624959.1549981.1495138671909 at ...17079...>
> Content-Type: text/plain; charset=UTF-8
> 
> Hello,
> I'm trying to use a Linux shell script to perform multiple Snort commands. I put them in a vi editor, save it, and then make this file executable:
> 
> 
> $ cd ~/snort5_src
> $ cd snort-2.9.9.0
> $ snort -dev -n 20 -l /home/hduser/log7 -b -c /etc/snort5/snort.conf
> $ chmod a+rwx /home/hduser/log7/snort.log.*
> $ tcpdump -n -tttt -r /home/hduser/log7/snort.log.* > /home/hduser/log7/bigfile2.txt
> When I execute this file in the terminal it gives me this message:
> ./snort-command: line 1: $: command not found
> ./snort-command: line 2: $: command not found
> ./snort-command: line 3: $: command not found
> ./snort-command: line 4: $: command not found
> ./snort-command: line 5: $: command not found
> 
> Is this the right way to use Snort commands in a shell script? Or is there something else to do in Snort?
> 
> 
> ------------------------------
> 
> 
> ------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> 
> End of Snort-users Digest, Vol 132, Issue 20
> ********************************************

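Added example, not part of the thread above: Joel's answer in message 3 is that no history of black_list.rules is kept, so the only way to have a week of it is to keep it yourself, as Asad considered. The POSIX sh script below does that. snapshot_rules copies the file into a dated archive with a SHA-256 recorded beside it, and added_rules / removed_rules report which entries changed between two snapshots. It assumes (this is not stated in the thread) that the file is one address per line with optional # comments; the source path and archive directory are whatever you pass in.

```bash
#!/bin/sh
# Added example (not from the thread): keep a private history of
# black_list.rules and report what changed between two snapshots.
# Assumed (not from the thread): the rules file is one address per line,
# optionally followed by a '#' comment; paths are whatever you pass in.
set -eu

# normalize_rules FILE
# Strip comments, surrounding whitespace and blank lines, then sort -u so the
# output is a canonical set that comm(1) can compare line by line.
normalize_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$' | sort -u
}

# snapshot_rules SRC ARCHIVE_DIR
# Copy SRC to ARCHIVE_DIR/black_list.rules.<UTC stamp> and record its SHA-256
# next to it, so a snapshot can later be shown to be unaltered
# (verify with: sha256sum -c <snapshot>.sha256). Prints the snapshot path.
snapshot_rules() {
    mkdir -p "$2"
    dest="$2/black_list.rules.$(date -u +%Y%m%dT%H%M%SZ)"
    cp "$1" "$dest"
    sha256sum "$dest" > "$dest.sha256"
    printf '%s\n' "$dest"
}

# rule_delta OLD NEW MODE    (MODE is 'added' or 'removed')
# Entries only in NEW (added) or only in OLD (removed), via comm(1) on the
# normalized sets. Temp files are used because POSIX sh has no <(...).
rule_delta() {
    o=$(mktemp) && n=$(mktemp)
    normalize_rules "$1" > "$o"
    normalize_rules "$2" > "$n"
    case $3 in
        added)   comm -13 "$o" "$n" ;;
        removed) comm -23 "$o" "$n" ;;
        *) rm -f "$o" "$n"; echo "rule_delta: mode must be added|removed" >&2; return 2 ;;
    esac
    rm -f "$o" "$n"
}
added_rules()   { rule_delta "$1" "$2" added; }
removed_rules() { rule_delta "$1" "$2" removed; }

# Command-line use:
#   blacklist_history.sh snapshot_rules /path/to/black_list.rules /path/to/archive
#   blacklist_history.sh added_rules   archive/black_list.rules.<old> archive/black_list.rules.<new>
#   blacklist_history.sh removed_rules archive/black_list.rules.<old> archive/black_list.rules.<new>
case ${1:-} in
    snapshot_rules|added_rules|removed_rules) "$@" ;;
esac
```

Run the snapshot step from cron right after the pulledpork run (daily, in Asad's case), and the two delta functions give the day-to-day churn of the list; because normalization drops comments and ordering, a reshuffled file with the same addresses reports no change.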


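Added example, not part of the thread above: the script from message 6, rewritten as a file a shell will actually execute. Besides dropping the leading "$ " on each line (the shell tried to run a command named "$", which is the "$: command not found" in the message), it uses a shebang and set -eu, passes -n a plain number, and hands tcpdump -r a single file: it picks the snort.log.<epoch> with the newest numeric suffix, since tcpdump reads one file and treats any further words on the command line as a capture filter, so a glob that matches two logs fails. The paths and packet count are the ones from the message; the group-readable chmod in place of chmod a+rwx is this example's suggestion, not something from the thread.

```bash
#!/bin/sh
# Added example (not the poster's script): capture N packets with snort, then
# convert the newest binary log to text with tcpdump. Lines are commands, not
# a terminal transcript: a leading '$ ' would be run as a command named '$'.
set -eu

# newest_snort_log LOGDIR
# Print the snort.log.<epoch> file with the largest numeric suffix. A glob
# such as snort.log.* can expand to several files, and tcpdump -r accepts
# only one (extra words are parsed as a capture filter), so choose one here.
# Compares numerically: snort.log.999 is older than snort.log.1495138671.
newest_snort_log() {
    best=""; best_ts=-1
    for f in "$1"/snort.log.*; do
        [ -f "$f" ] || continue                       # glob matched nothing
        ts=${f##*.}
        case $ts in ''|*[!0-9]*) continue ;; esac     # not an epoch suffix
        if [ "$ts" -gt "$best_ts" ]; then best=$f; best_ts=$ts; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# run_capture LOGDIR CONF COUNT
run_capture() {
    mkdir -p "$1"
    # Reading the interface needs root; run this script with sudo instead of
    # making the log world-writable afterwards.
    snort -dev -n "$3" -l "$1" -b -c "$2"
    log=$(newest_snort_log "$1") || { echo "no snort.log.* in $1" >&2; return 1; }
    # Group-readable (chgrp to your user's group if snort ran as root) rather
    # than chmod a+rwx: a world-writable capture is no longer evidence.
    chmod 640 "$log"
    tcpdump -n -tttt -r "$log" > "$1/bigfile2.txt"
}

# Values from the message; used only when invoked as: ./snort-command --run
if [ "${1:-}" = "--run" ]; then
    run_capture /home/hduser/log7 /etc/snort5/snort.conf 20
fi
```

The cd into the source tree from the original script is not needed: snort, tcpdump and chmod are found on PATH, and every other path in the script is absolute.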
