From: Brian J. <bja...@ci...> - 2004-03-31 11:04:18

>> Could somebody else verify that uricontent matching is broken in
>> snort_inline-2.1.1? I can block based on content but not uricontent. I
>> tried turning on the http_inspect and http_inspect_server preprocessors,
>> but snort-inline doesn't seem to match on the uricontent rules, no log, no
>> drop, nothing.
>
> only the content keyword works with snort_inline at this time.
>
> Rob

Rob,

Could you give me some guidance on when uricontent will be working again? I was planning on upgrading from 2.0.5 Build 98 to match my other snort sensors, which are 2.1.1, and uricontent features heavily in the subset of rules I use. Is it planned as an interim release for 2.1.1, or are you waiting for 2.1.2?

regards,
Brian
From: Wismin E. <wi...@ya...> - 2004-03-30 06:31:01

Thanks Rob, I've replaced the snort_inline binary with 2.0.6a and the problem is fixed.

-wismin-

--- Rob McMillen <ro...@ho...> wrote:
> > Hi Rob,
> > Yes, they are (more than one content/replace pair)
> > and I'm still using ver 2.0.5
> >
> > thanks,
> >
> > wismin
>
> Then the version of snort_inline you are using is the problem. You need
> to either upgrade to 2.0.6a or 2.1.1
>
> Rob
From: Rob M. <ro...@ho...> - 2004-03-29 17:23:16

> Hi Rob,
> Yes, they are (more than one content/replace pair)
> and I'm still using ver 2.0.5
>
> thanks,
>
> wismin

Then the version of snort_inline you are using is the problem. You need to either upgrade to 2.0.6a or 2.1.1.

Rob
From: Wismin E. <wi...@ya...> - 2004-03-29 06:36:20

Hi Rob,
Yes, they are (more than one content/replace pair), and I'm still using ver 2.0.5.

thanks,

wismin

--- Rob McMillen <ro...@ho...> wrote:
> Do the rules you are getting errors on contain more than one content/replace
> pair? If so, the problem is the version of snort_inline you are using.
> Until recently (2.0.6a), there was an error handling more than one
> content/replace pair.
>
> **********
> * 2.0.6a *
> **********
> 2004-01-24 Rob McMillen <ro...@ho...>
>     * Started separate snort_inline ChangeLog
>     * Fixed bug with handling multiple content/replace pairs within the
>       same rule (sp_patternmatch.c).
>     * Added icmp checksum for icmp payload replacement
>       (sp_patternmatch.c).
>
> Rob
>
> > Hello Everybody,
> > Has anybody seen this kind of error before? (see below).
> > It didn't complain on each line, only some; when I commented it out
> > (just for testing), it goes further and stops after many lines.
> >
> > I've checked the length of the content vs the replacement (the number
> > of octets is exactly the same). I don't see any pattern on those lines
> > with errors.
> >
> > Any hints or comments?
> >
> > I'm using snort_inline 2.0.5; the rule files were converted from
> > snortrules-snapshot-2_0.tar.gz by snortconfig-1.9
> > [
> > snortconfig -file RulesFiles.config -config examples/HONEYNET.config
> > -verbose -directory /etc/snort_inline/rules -honeynet -inline
> > ]
> >
> > thanks,
> >
> > wismin
> > .........
> > Mar 27 00:39:38 gateway-1 snort_inline: FATAL ERROR:
> > ERROR /etc/snort_inline/rules/exploit.rules Line 11 =>
> > The length of the replacement string must be the same
> > length as the content string.
> > ....
> > Mar 27 00:51:02 gateway-1 snort_inline: FATAL ERROR:
> > ERROR /etc/snort_inline/rules/exploit.rules Line 31 =>
> > The length of the replacement string must be the same
> > length as the content string.
> > ....
> > Mar 27 00:51:50 gateway-1 snort_inline: FATAL ERROR:
> > ERROR /etc/snort_inline/rules/exploit.rules Line 44 =>
> > The length of the replacement string must be the same
> > length as the content string.
> > .....
> > Mar 27 00:51:52 gateway-1 snort_inline: FATAL ERROR:
> > ERROR /etc/snort_inline/rules/exploit.rules Line 44 =>
> > The length of the replacement string must be the same
> > length as the content string.
> > .....
From: Rob M. <ro...@ho...> - 2004-03-27 15:00:37

Do the rules you are getting errors on contain more than one content/replace pair? If so, the problem is the version of snort_inline you are using. Until recently (2.0.6a), there was an error handling more than one content/replace pair.

**********
* 2.0.6a *
**********
2004-01-24 Rob McMillen <ro...@ho...>
    * Started separate snort_inline ChangeLog
    * Fixed bug with handling multiple content/replace pairs within the
      same rule (sp_patternmatch.c).
    * Added icmp checksum for icmp payload replacement
      (sp_patternmatch.c).

Rob

> Hello Everybody,
> Has anybody seen this kind of error before? (see below).
> It didn't complain on each line, only some; when I commented it out
> (just for testing), it goes further and stops after many lines.
>
> I've checked the length of the content vs the replacement (the number
> of octets is exactly the same). I don't see any pattern on those lines
> with errors.
>
> Any hints or comments?
>
> I'm using snort_inline 2.0.5; the rule files were converted from
> snortrules-snapshot-2_0.tar.gz by snortconfig-1.9
> [
> snortconfig -file RulesFiles.config -config examples/HONEYNET.config
> -verbose -directory /etc/snort_inline/rules -honeynet -inline
> ]
>
> thanks,
>
> wismin
> .........
> Mar 27 00:39:38 gateway-1 snort_inline: FATAL ERROR:
> ERROR /etc/snort_inline/rules/exploit.rules Line 11 =>
> The length of the replacement string must be the same
> length as the content string.
> ....
> Mar 27 00:51:02 gateway-1 snort_inline: FATAL ERROR:
> ERROR /etc/snort_inline/rules/exploit.rules Line 31 =>
> The length of the replacement string must be the same
> length as the content string.
> ....
> Mar 27 00:51:50 gateway-1 snort_inline: FATAL ERROR:
> ERROR /etc/snort_inline/rules/exploit.rules Line 44 =>
> The length of the replacement string must be the same
> length as the content string.
> .....
> Mar 27 00:51:52 gateway-1 snort_inline: FATAL ERROR:
> ERROR /etc/snort_inline/rules/exploit.rules Line 44 =>
> The length of the replacement string must be the same
> length as the content string.
> .....
From: Wismin E. <wi...@ya...> - 2004-03-27 06:38:17

Hello Everybody,
Has anybody seen this kind of error before? (see below).
It didn't complain on each line, only some; when I commented it out (just for testing), it goes further and stops after many lines.

I've checked the length of the content vs the replacement (the number of octets is exactly the same). I don't see any pattern on those lines with errors.

Any hints or comments?

I'm using snort_inline 2.0.5; the rule files were converted from snortrules-snapshot-2_0.tar.gz by snortconfig-1.9
[
snortconfig -file RulesFiles.config -config examples/HONEYNET.config -verbose -directory /etc/snort_inline/rules -honeynet -inline
]

thanks,

wismin
.........
Mar 27 00:39:38 gateway-1 snort_inline: FATAL ERROR:
ERROR /etc/snort_inline/rules/exploit.rules Line 11 =>
The length of the replacement string must be the same
length as the content string.
....
Mar 27 00:51:02 gateway-1 snort_inline: FATAL ERROR:
ERROR /etc/snort_inline/rules/exploit.rules Line 31 =>
The length of the replacement string must be the same
length as the content string.
....
Mar 27 00:51:50 gateway-1 snort_inline: FATAL ERROR:
ERROR /etc/snort_inline/rules/exploit.rules Line 44 =>
The length of the replacement string must be the same
length as the content string.
.....
Mar 27 00:51:52 gateway-1 snort_inline: FATAL ERROR:
ERROR /etc/snort_inline/rules/exploit.rules Line 44 =>
The length of the replacement string must be the same
length as the content string.
.....
From: Wismin E. <wi...@ya...> - 2004-03-27 06:24:48

The problem is in the snort_inline.conf (having 'CRLF'), since I 'scp'd it from cygwin to my Linux box (instead of using ftp, which defaults to ascii).

Thanks to Rob, who asked for the snort_inline.conf file, which made me suspicious and check it myself first.
Thanks also to Ravi, who tried to help me.

I got other problems with the mismatch of original and replacement octets, but I think it's better I start a new thread for that.

thanks,

wismin
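The two startup failures in this thread, the "length of the replacement string must be the same length as the content string" fatal error and the "NULL rule type!" error that turned out to be CRLF line endings in a snort_inline.conf copied from Cygwin, can both be caught before snort_inline is restarted. The checker below is an added example, not code from the snort_inline project or from snortconfig. It assumes the Snort 2.x quoted-string syntax (a `|41 42|` run is hex bytes, a backslash escapes the next character), one rule per line, and that a `replace` option modifies the `content` option that precedes it in the same rule; `SAMPLE_RULES` is constructed for the demonstration and is not taken from any real ruleset.

```python
"""Pre-flight checker for snort_inline rule and config files (added example).

Reports (a) replace strings whose decoded byte length differs from the
content string they modify and (b) CRLF line endings, so the file can be
fixed before snort_inline aborts on it at startup.
"""
import re
import sys
from typing import List, Optional, Tuple

# content:"..." / replace:"..." options.  The quoted value may contain
# backslash-escaped characters, so match "\x" pairs before plain chars.
# The leading \b keeps "uricontent:" from matching.
_OPT_RE = re.compile(r'\b(content|replace)\s*:\s*!?\s*"((?:\\.|[^"\\])*)"')


def snort_string_bytes(s: str) -> bytes:
    """Decode a Snort content string to the bytes it matches on the wire.
    Assumed syntax: |0d 0a| hex runs, backslash escapes, else literal."""
    out = bytearray()
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == '|':                          # |0d 0a| hex run
            end = s.find('|', i + 1)
            if end < 0:
                raise ValueError('unterminated |hex| run in %r' % s)
            for h in s[i + 1:end].split():
                if len(h) != 2:
                    raise ValueError('bad hex byte %r in %r' % (h, s))
                out.append(int(h, 16))
            i = end + 1
        elif ch == '\\':                       # \" \; \\ \: escapes
            if i + 1 >= len(s):
                raise ValueError('dangling backslash in %r' % s)
            out.append(ord(s[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def check_rule(rule: str) -> List[str]:
    """Return the problems found in one rule line (empty list if none)."""
    problems: List[str] = []
    last_content: Optional[bytes] = None
    for m in _OPT_RE.finditer(rule):
        kind, raw = m.group(1), m.group(2)
        try:
            val = snort_string_bytes(raw)
        except ValueError as e:
            problems.append(str(e))
            continue
        if kind == 'content':
            last_content = val
        elif last_content is None:
            problems.append('replace %r has no preceding content' % raw)
        elif len(val) != len(last_content):
            problems.append('replace %r is %d bytes but content is %d bytes'
                            % (raw, len(val), len(last_content)))
    return problems


def check_file(text: str) -> List[Tuple[int, str]]:
    """Check a rules/config file; returns (line_number, problem) pairs,
    1-based like snort_inline's own 'Line N =>' messages."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.split('\n'), 1):
        if line.endswith('\r'):
            findings.append((n, 'CRLF line ending (convert with dos2unix)'))
            line = line[:-1]
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        for p in check_rule(stripped):
            findings.append((n, p))
    return findings


# Constructed sample: line 3 has a 2-byte replace for a 3-byte content,
# line 5 carries a CRLF; the other rules are fine.
SAMPLE_RULES = (
    '# constructed sample rules, not from any real ruleset\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ok"; content:"/bin/sh"; replace:"/ben/sh";)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"nop sled"; content:"|90 90 90|"; replace:"|90 90|";)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"two pairs"; content:"USER"; replace:"USEX"; '
    'content:"|0d 0a|root"; replace:"|0d 0a|roo\\;";)\n'
    'alert udp any any -> any 69 (msg:"crlf"; content:"abc"; replace:"xyz";)\r\n'
)

if __name__ == '__main__':
    # Usage: python check_replace.py /etc/snort_inline/rules/*.rules
    # With no arguments it checks the embedded constructed sample.
    sources = [(p, open(p, newline='').read()) for p in sys.argv[1:]] \
        or [('SAMPLE_RULES', SAMPLE_RULES)]
    for name, text in sources:
        for n, problem in check_file(text):
            print(f'{name}:{n}: {problem}')
```

Files are opened with `newline=''` so a stray `\r` survives to be reported rather than being silently normalised away; run it over both the rules directory and snort_inline.conf, since the CRLF case in this thread was in the config file, not a rule.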
From: Wismin E. <wi...@ya...> - 2004-03-26 03:44:42

Hi Rob,
I've tried both combinations: binary 2.0.5 with rules from Snort 2.0 (converted using snortconfig). (I have perl 5.8.3.) Same error.
Then I tried binary 2.1.1 with rules 2.1 (converted using snortconfig). The config file was from honeynet.org; I added the $HOME_NET variable there.
(I tried compiling from source; I've made sure I copied the *.config to my rules directory.)
btw. I'm using Redhat 9.0 (2.0.18custom) (2.0.18 + the kernel patch from ebtables).
My rc.firewall worked fine (when I disabled the QUEUE, I verified it blocked after 'N' numbers), but now I activate it for snort_inline.
Any idea what else I should check?

thanks,

wismin

--- Wismin Effendi <wi...@ya...> wrote:
> Hi Rob,
> It's a binary I downloaded from honeynet.org (snort_inline 2.0.5);
> the snort_inline.conf is also from the same location (except I modified
> the file locations for rules and added the variable $HOME_NET, as I didn't
> see the $HONEYNET in the rule files that resulted from conversion using
> snortconfig-1.9). The input rules for conversion I got from snort.org.
> .........
>
> Aha, I know now the problem: I used as the base input to snortconfig-1.9
> the rule files for snort 2.1, while my snort_inline is 2.0.5..
>
> That might explain why it didn't work. I'll have a try again once I get
> home today.
>
> thanks,
>
> wismin
>
> --- Rob McMillen <ro...@ho...> wrote:
> > > Hello Everybody,
> > > I hope somebody could help me with the following problem with
> > > snort_inline startup.
> > >
> > > after I convert the rules using snortconfig-1.9 (from honeynet.org),
> > > I start the snort_inline
> > > ... last lines from snort_inline.sh ..
> > >
> > > $SNORT -D -d -c /etc/snort_inline/snort_inline.conf -Q -i eth0 -l $DIR/$DATE -t $DIR/$DATE
> > >
> > > then I check the snort_inline process is not running.
> > > I've verified the rule files location in
> > > /etc/snort_inline/snort_inline.conf (where I copied the rules result
> > > from snortconfig-1.9).
> > > I've also made sure the variable $HOME_NET is declared in
> > > snort_inline.conf (original file has $HONEYNET, I added also the
> > > $HOME_NET with the same value)
> > >
> > > from /var/log/messages, I found:
> > > Mar 25 00:52:51 gateway-1 snort_inline: Initializing daemon mode
> > > Mar 25 00:52:51 gateway-1 snort_inline: PID path stat checked out ok, PID path set to /var/run/
> > > Mar 25 00:52:51 gateway-1 snort_inline: Writing PID "2348" to file "/var/run//snort_inline.pid"
> > > Mar 25 00:52:51 gateway-1 snort_inline: FATAL ERROR: /etc/snort_inline/snort_inline.conf(9) => NULL rule type!
> >
> > A few questions.
> >
> > What version of snort_inline are you using?
> > What method did you use to install it? (src, diff, binary)
> > what does your snort_inline.conf look like?
> >
> > Rob
From: Wismin E. <wi...@ya...> - 2004-03-25 21:30:59

Hi Rob,
It's a binary I downloaded from honeynet.org (snort_inline 2.0.5); the snort_inline.conf is also from the same location (except I modified the file locations for rules and added the variable $HOME_NET, as I didn't see the $HONEYNET in the rule files that resulted from conversion using snortconfig-1.9). The input rules for conversion I got from snort.org.
.........

Aha, I know now the problem: I used as the base input to snortconfig-1.9 the rule files for snort 2.1, while my snort_inline is 2.0.5..

That might explain why it didn't work. I'll have a try again once I get home today.

thanks,

wismin

--- Rob McMillen <ro...@ho...> wrote:
> > Hello Everybody,
> > I hope somebody could help me with the following problem with
> > snort_inline startup.
> >
> > after I convert the rules using snortconfig-1.9 (from honeynet.org),
> > I start the snort_inline
> > ... last lines from snort_inline.sh ..
> >
> > $SNORT -D -d -c /etc/snort_inline/snort_inline.conf -Q -i eth0 -l $DIR/$DATE -t $DIR/$DATE
> >
> > then I check the snort_inline process is not running.
> > I've verified the rule files location in
> > /etc/snort_inline/snort_inline.conf (where I copied the rules result
> > from snortconfig-1.9).
> > I've also made sure the variable $HOME_NET is declared in
> > snort_inline.conf (original file has $HONEYNET, I added also the
> > $HOME_NET with the same value)
> >
> > from /var/log/messages, I found:
> > Mar 25 00:52:51 gateway-1 snort_inline: Initializing daemon mode
> > Mar 25 00:52:51 gateway-1 snort_inline: PID path stat checked out ok, PID path set to /var/run/
> > Mar 25 00:52:51 gateway-1 snort_inline: Writing PID "2348" to file "/var/run//snort_inline.pid"
> > Mar 25 00:52:51 gateway-1 snort_inline: FATAL ERROR: /etc/snort_inline/snort_inline.conf(9) => NULL rule type!
>
> A few questions.
>
> What version of snort_inline are you using?
> What method did you use to install it? (src, diff, binary)
> what does your snort_inline.conf look like?
>
> Rob
From: Rob M. <ro...@ho...> - 2004-03-25 13:31:07

> Hello Everybody,
> I hope somebody could help me with the following problem with
> snort_inline startup.
>
> after I convert the rules using snortconfig-1.9 (from honeynet.org),
> I start the snort_inline
> ... last lines from snort_inline.sh ..
>
> $SNORT -D -d -c /etc/snort_inline/snort_inline.conf -Q -i eth0 -l $DIR/$DATE -t $DIR/$DATE
>
> then I check the snort_inline process is not running.
> I've verified the rule files location in
> /etc/snort_inline/snort_inline.conf (where I copied the rules result
> from snortconfig-1.9).
> I've also made sure the variable $HOME_NET is declared in
> snort_inline.conf (original file has $HONEYNET, I added also the
> $HOME_NET with the same value)
>
> from /var/log/messages, I found:
> Mar 25 00:52:51 gateway-1 snort_inline: Initializing daemon mode
> Mar 25 00:52:51 gateway-1 snort_inline: PID path stat checked out ok, PID path set to /var/run/
> Mar 25 00:52:51 gateway-1 snort_inline: Writing PID "2348" to file "/var/run//snort_inline.pid"
> Mar 25 00:52:51 gateway-1 snort_inline: FATAL ERROR: /etc/snort_inline/snort_inline.conf(9) => NULL rule type!

A few questions.

What version of snort_inline are you using?
What method did you use to install it? (src, diff, binary)
what does your snort_inline.conf look like?

Rob
From: Ravi <ra...@ro...> - 2004-03-25 06:26:23

Wismin,

How is your snort_inline built - from snort_inline or patched snort?
To run snort_inline you must use option -Q

-Ravi

Wismin Effendi wrote:
> Hello Everybody,
> I hope somebody could help me with the following problem with
> snort_inline startup.
>
> after I convert the rules using snortconfig-1.9 (from honeynet.org),
> I start the snort_inline
> ... last lines from snort_inline.sh ..
>
> $SNORT -D -d -c /etc/snort_inline/snort_inline.conf -Q -i eth0 -l $DIR/$DATE -t $DIR/$DATE
>
> then I check the snort_inline process is not running.
> I've verified the rule files location in
> /etc/snort_inline/snort_inline.conf (where I copied the rules result
> from snortconfig-1.9).
> I've also made sure the variable $HOME_NET is declared in
> snort_inline.conf (original file has $HONEYNET, I added also the
> $HOME_NET with the same value)
>
> from /var/log/messages, I found:
> Mar 25 00:52:51 gateway-1 snort_inline: Initializing daemon mode
> Mar 25 00:52:51 gateway-1 snort_inline: PID path stat checked out ok, PID path set to /var/run/
> Mar 25 00:52:51 gateway-1 snort_inline: Writing PID "2348" to file "/var/run//snort_inline.pid"
> Mar 25 00:52:51 gateway-1 snort_inline: FATAL ERROR: /etc/snort_inline/snort_inline.conf(9) => NULL rule type!
>
> thank you very much in advance.
>
> best regards,
>
> wismin
From: Wismin E. <wi...@ya...> - 2004-03-25 06:14:15

Hello Everybody,
I hope somebody could help me with the following problem with snort_inline startup.

after I convert the rules using snortconfig-1.9 (from honeynet.org), I start the snort_inline
... last lines from snort_inline.sh ..

$SNORT -D -d -c /etc/snort_inline/snort_inline.conf -Q -i eth0 -l $DIR/$DATE -t $DIR/$DATE

then I check the snort_inline process is not running.
I've verified the rule files location in /etc/snort_inline/snort_inline.conf (where I copied the rules result from snortconfig-1.9).
I've also made sure the variable $HOME_NET is declared in snort_inline.conf (original file has $HONEYNET, I added also the $HOME_NET with the same value)

from /var/log/messages, I found:
Mar 25 00:52:51 gateway-1 snort_inline: Initializing daemon mode
Mar 25 00:52:51 gateway-1 snort_inline: PID path stat checked out ok, PID path set to /var/run/
Mar 25 00:52:51 gateway-1 snort_inline: Writing PID "2348" to file "/var/run//snort_inline.pid"
Mar 25 00:52:51 gateway-1 snort_inline: FATAL ERROR: /etc/snort_inline/snort_inline.conf(9) => NULL rule type!

thank you very much in advance.

best regards,

wismin
From: Pawel C. <pc...@ui...> - 2004-03-24 07:28:49

I have a question about tftp.rules rule file conversion. When I convert it from snort to snort_inline, the first few alerts are:

alert udp any any -> any 69 ....

I was wondering if I should leave them like this, or change them to

alert udp $HOME_NET any -> any 69 ...

Is this a matter of preference (allow more or less attacks to be done to your honeypots), or will it create security problems for the honeynet?

Also, I used snortconfig to convert the rules, and some of the rules looked like

alert tcp $EXTERNAL_NET any -> $HOME_NET any ...

I have converted them to

alert tcp $HOME_NET any -> $EXTERNAL_NET any ...

since I want to protect computers outside the Honeynet. Is this just the fact that snortconfig reverses all $_NET entries it sees when using the -honeynet option, or should I not touch them? I'm still a novice at using the rules and just want to get it right.

Thanks for any info.

By the way, I have fixed the problem with database time stamp logging. I have compiled snort_inline from source code instead of patching the snort.

Pawel Czarnota
ACM Honeynet Project
http://www.cs.uic.edu/~pczarno1
From: James A. P. <ja...@pc...> - 2004-03-22 21:20:22

William Metcalf wrote:
| Hello all,
|
| I thought that I would start a thread to find out what flavor of linux
| you guys prefer for building a snort-inline box. The reason I'm posing
| this question is that I'm once again in search of a new distro. I was
| using Trustix, but it seems they have gone the way of RedHat, and have
| decided to charge for a "more secure" Trustix. The problem I have had in
| the past is of course "bloat", insecure initial configuration, and
| nothing that had the additional security measures such as grsecurity,
| and IBM's ssp patch for gcc, that a device such as this should have. I
| have built LFS and various other roll-your-own's in the past, but found
| portability to be a problem.

I'm using Debian testing with good success.

--
James A. Pattie
ja...@pc...
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/
http://www.pcxperience.org/
From: William M. <Wil...@kc...> - 2004-03-22 20:48:36

Hello all,

I thought that I would start a thread to find out what flavor of linux you guys prefer for building a snort-inline box. The reason I'm posing this question is that I'm once again in search of a new distro. I was using Trustix, but it seems they have gone the way of RedHat, and have decided to charge for a "more secure" Trustix. The problem I have had in the past is of course "bloat", insecure initial configuration, and nothing that had the additional security measures such as grsecurity, and IBM's ssp patch for gcc, that a device such as this should have. I have built LFS and various other roll-your-own's in the past, but found portability to be a problem.

Regards,

Will
From: Rob M. <ro...@ho...> - 2004-03-18 19:20:02

> Could somebody else verify that uricontent matching is broken in
> snort_inline-2.1.1? I can block based on content but not uricontent. I
> tried turning on the http_inspect and http_inspect_server preprocessors,
> but snort-inline doesn't seem to match on the uricontent rules, no log, no
> drop, nothing.

only the content keyword works with snort_inline at this time.

Rob
From: William M. <Wil...@kc...> - 2004-03-18 18:57:18

Could somebody else verify that uricontent matching is broken in snort_inline-2.1.1? I can block based on content but not uricontent. I tried turning on the http_inspect and http_inspect_server preprocessors, but snort-inline doesn't seem to match on the uricontent rules, no log, no drop, nothing.

Regards,

Will
From: Brian <bm...@sn...> - 2004-03-17 14:37:03

On Tue, Mar 16, 2004 at 10:22:36PM -0800, Christopher Joyce wrote:
> > I am having problems using snortconfig to convert my snort rules.
> > I have setup a basic test to convert one file (x11.rules) and the
> > file that is created in the directory specified below is blank.
> >
> > Here is what I have tried:
> >
> > snortconfig -inline -file test.conf -config honeynet.conf -directory
> > snortconfig-rules

Yeah, using the exact same config, snortconfig works well for me on RH8, RH9, openbsd 3.4, and debian testing. I'm completely stumped. Can you bundle up the whole directory for me? I'd like to figure out what's going on, and right now, I'm baffled.

Brian
From: Christopher J. <cj...@ho...> - 2004-03-17 06:22:44

William,

Thanks for the information. I'll give Oinkmaster a try.

Thank you,
Chris

> From: William Metcalf <Wil...@kc...>
> To: "Christopher Joyce" <cj...@ho...>
> CC: bm...@sh..., rv...@ca..., sno...@li..., sno...@li...
> Subject: Re: [Snort-inline-users] Snortconfig Problem
> Date: Fri, 5 Mar 2004 09:51:54 -0600
>
> use oinkmaster, it works great for me.
>
> http://oinkmaster.sourceforge.net/
>
> Regards,
>
> Will
>
> "Christopher Joyce" <cj...@ho...> wrote on 03/04/2004 11:14 PM,
> Subject: [Snort-inline-users] Snortconfig Problem:
>
> Hello Brian,
>
> Thank you for your reply. Sorry for the delay.
>
> I have tried installing snortconfig on a new machine and have the same
> problem. The result after running "snortconfig -inline -file test.conf
> -config honeynet.conf -directory snortconfig-rules" are empty rules. I am
> currently running RedHat 7.3 with a precompiled bridging kernel. I have
> installed Net-Snort-Parser-1.14.tar.gz.
>
> Running "perl -MNet::Snort::Parser::Rule -e 'print
> $Net::Snort::Parser::Rule::VERSION."\n";'" shows "1.14". "which
> snortconfig" reflects the correct location of snortconfig:
> "/usr/bin/snortconfig".
>
> I have manually updated my Snort rules so that snort_inline can run
> properly - but it would be nice to use your snortconfig tool because it is
> convenient.
>
> Thank you,
> Chris
>
> > > On Fri, 9 Jan 2004, Christopher Joyce wrote:
> > > > Hello,
> > > >
> > > > I am having problems using snortconfig to convert my snort rules. I
> > > > have setup a basic test to convert one file (x11.rules) and the file
> > > > that is created in the directory specified below is blank.
> > > >
> > > > Here is what I have tried:
> > > >
> > > > snortconfig -inline -file test.conf -config honeynet.conf -directory
> > > > snortconfig-rules
> > >
> > > Using the latest release of snortconfig, your exact config works as
> > > expected for me. What version of snortconfig are you using?
> > >
> > > You can find this out by doing:
> > >
> > > ident `which snortconfig`
> > >
> > > Also, what version of the perl modules are you using? You can find this
> > > out by doing:
> > >
> > > perl -MNet::Snort::Parser::Rule -e 'print $Net::Snort::Parser::Rule::VERSION."\n";'
> > >
> > > Thanks,
> > > Brian
From: Rob M. <ro...@ho...> - 2004-03-14 17:48:30
List,

snort-inline-2.1.1 is now available. No new code because I am still heavily involved in a project with a due date of April 20 2004, but new code should be soon to come. Specifically:

1. stream4
2. portscan
3. arpspoof

The purpose of this release is to update the core snort to version 2.1.1. You can find the new files at:

http://snort-inline.sourceforge.net/

Rob
From: unor <uno...@ya...> - 2004-03-12 20:45:29
I believe this is covered in the FAQ:

http://snort-inline.sourceforge.net/FAQ.html

I tried header files from 2.6.3 and had other problems (See my previous post)... copied swab.h from 2.6.1 over and all's well. I'm still tracking the problem and believe snort_inline may not be the only thing it broke.

Earl

--- Youn Gonzales <is...@cl...> wrote:
> I am having problems compiling on redhat 9, minimal install. I was unable to
> search the archives, but could not find much using search engines. Any
> suggestions?
>
> BTW, I don't necessarily have to use redhat or linux as the platform so if
> anyone has had better luck using a different os I would be willing to
> switch.
>
> Making all in output-plugins
> make[3]: Entering directory `/root/snort_inline-2.1.0a/src/output-plugins'
> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I/usr/local/include -I/usr/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c' || echo './'`spo_alert_fast.c
> In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
>                  from /usr/local/include/libipq.h:37,
>                  from ../../src/inline.h:8,
>                  from ../../src/snort.h:38,
>                  from spo_alert_fast.c:51:
> /usr/include/linux/if.h:59: redefinition of `struct ifmap'
> /usr/include/linux/if.h:77: redefinition of `struct ifreq'
> /usr/include/linux/if.h:126: redefinition of `struct ifconf'
> make[3]: *** [spo_alert_fast.o] Error 1
> make[3]: Leaving directory `/root/snort_inline-2.1.0a/src/output-plugins'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/root/snort_inline-2.1.0a/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/snort_inline-2.1.0a'
> make: *** [all] Error 2
>
> Youn Gonzales
> System Administrator
> Comptia A+, Network+, INET+,
> Cisco CCNA/CCDA Certified Technician
> Microsoft Certified Professional
>
> Indifference can not but be criminal, when it is conversant about objects
> which are so far from being of an indifferent nature, that they are highest
> importance. --Addison.
From: Lance S. <la...@ho...> - 2004-03-12 13:47:54
On Mar 12, 2004, at 1:56 AM, Pawel Czarnota wrote:

> Hey all,
> does anyone have a problem running snort_inline with -u option? We can start
> snort_inline with -u USERNAME option, but when the traffic goes through the
> bridge, snort_inline gives us messages for each packet and doesn't let
> anything go through. Removing -u option works fine. Does anyone see a
> connection between this problem and the time stamp mySQL database log
> problem (separate message)? Thanks

Based on my experience, you have to run snort_inline in privileged mode (i.e. root). For some reason, when run unprivileged, the process will start, but not let any packets through. I'm assuming this has something to do with the fact it has to interact with individual packets.

To help compensate for this security issue, you can help mitigate risk by running snort_inline in a chroot'd environment combined with a kernel security patch, such as SELinux, grsecurity, or systrace.

lance
From: Pawel C. <pc...@ui...> - 2004-03-12 08:15:46
Hey all,

does anyone have a problem running snort_inline with -u option? We can start snort_inline with -u USERNAME option, but when the traffic goes through the bridge, snort_inline gives us messages for each packet and doesn't let anything go through. Removing -u option works fine. Does anyone see a connection between this problem and the time stamp mySQL database log problem (separate message)?

Thanks

Pawel Czarnota
ACM Honeynet Project
http://www.cs.uic.edu/~pczarno1
From: Pawel C. <pc...@ui...> - 2004-03-12 08:12:22
Hey all,

I have the following problem with running snort_inline with the mySQL database: snort_inline correctly logs ip addresses, packet tcp dump, port numbers, etc. except the time stamp, which is not entered. We are running both snort_inline and snort on the Honeywall and both log to two different databases (snort and snort_inline). We are using ACID to 'read' the data from the database. The packets logged by snort do contain the time stamps (latest snort 2.1.0 Build 9), whereas packets logged by snort_inline (2.1.0 Build a) log everything except the time stamps. Does anyone have an answer to this?

Pawel Czarnota
ACM Honeynet Project
http://www.cs.uic.edu/~pczarno1
From: Pawel C. <pc...@ui...> - 2004-03-12 07:59:54
We have run into the same problem, but after upgrading to the newest version of Perl snortconfig works fine.

Pawel Czarnota
ACM Honeynet Project
http://www.cs.uic.edu/~pczarno1

From: Kris Lindgren <kidkl@ho...>
snortconfig create empty rule files
2004-02-29 00:47

Hello list,

After finally getting snortconfig to work I have run into a problem. All the rule files that it creates are empty.

Using command:

./snortconfig -file asdf.conf -config examples/HONEYNET.config -verbose -honeynet -inline

asdf.conf:

var RULE_PATH /etc/snort
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

Output from snortconfig with -verbose:

Tried adding replace to 312. No contents
Did not switch 1382. Doesn't use variables.
Did not switch 271. Doesn't use variables.
Did not switch 224. Doesn't use variables.
Did not switch 1941. Doesn't use variables.
Did not switch 2337. Doesn't use variables.
Did not switch 1289. Doesn't use variables.
Did not switch 1441. Doesn't use variables.
Did not switch 1442. Doesn't use variables.
Did not switch 1443. Doesn't use variables.
Did not switch 485. Doesn't use variables.
Did not switch 486. Doesn't use variables.
Did not switch 487. Doesn't use variables.
Did not switch 2311. Doesn't use variables.
Did not switch 2348. Doesn't use variables.
Did not switch 2349. Doesn't use variables.
Did not switch 1415. Doesn't use variables.
Did not switch 1416. Doesn't use variables.
Did not switch 732. Doesn't use variables.

perl -MNet::Snort::Parser::Rule -e 'print $Net::Snort::Parser::Rule::VERSION."\n";' gives 1.14

I've tried to get all the latest files from cvs but the same problem still exists. Perl version is 5.8.0. Any help would be great.