Lamont, Brian A. | 31 Jul 23:51 2015

Solaris 10 service not running, stuck in maintenance.

Many of our Solaris 10 systems have dual NICs configured with LACP. I have specified the interface name of bge0 in snort.sh on one of our Solaris 10 workstations, as well as removing it from snort.sh and putting it in snort.conf as var HOME_NET bge0, but the service remains in "maintenance" regardless of any enable, disable or clear of the service. The script seems to start without the --daq pcap parameters (below).

Please help if you have configured Snort for Solaris 10. Thank you.


Output of svcs -xv
==================
svc:/site/snort:default (snort Intrusion Detection)
 State: maintenance since Fri Jul 24 09:31:00 2015
Reason: Completes a dependency cycle.
   See: http://sun.com/msg/SMF-8000-HP
Impact: This service is not running.


From /var/adm/messages file.
=============================
FATAL ERROR: Failed to lookup interface: no suitable device found. Please specify one with -i switch

Transitioning svc:/site/snort:default to maintenance because it completes a dependency cycle


snort -V
=========
<payson-root># ./snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.5 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.3
           Using PCRE version: 8.37 2015-04-28
           Using ZLIB version: 1.2.3


From solaris service manifest:   ./svc/method/snort.sh
-------------------------------------------------------------------
<payson-root># cat snort.sh
#!/bin/sh
# SMF method script for Snort; svc.startd invokes it with "start" or "stop".
case $1 in
'start')
        LD_LIBRARY_PATH=/opt/snort/lib:/opt/snort/lib/snort_dynamicpreprocessor:/opt/snort/lib/snort_dynamicengine:/opt/snort/mysql/lib:/opt/snort/ssl/lib
        export LD_LIBRARY_PATH
        # No -i <interface> is passed on this command line, which is what the
        # "Failed to lookup interface" error in /var/adm/messages complains about.
        /opt/snort/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf --daq pcap
#       /opt/snort/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf
        ;;
'stop')
        # SIGTERM stops Snort; SIGHUP (kill -1) makes it restart/reload instead.
        # pkill -x matches only the snort binary, whereas "ps -ef | grep snort"
        # also matches this script's own "snort.sh stop" command line.
        pkill -TERM -x snort
        ;;
*)
        echo "Usage: $0 start|stop" >&2
        exit 1
        ;;
esac
exit 0


Brian Lamont
Unix Systems Admin
GENERAL DYNAMICS - Mission Systems
Desk:  480 586-9986
Cell:  480 209-8751

----------------------------

This message and/or attachments may include information subject to GD Corporate Policies 07-103 and 07-105 and is intended to be accessed only by authorized recipients.  Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties.  Recipients should refer to the policies or contract to determine proper handling.  Unauthorized review, use, disclosure or distribution is prohibited.  If you are not an intended recipient, please contact the sender and destroy all copies of the original message.


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
xinland66 | 31 Jul 23:14 2015

Flowbit IDs exceeds maximum

Hi,

I could not find any info about this in the document. Can somebody please explain what this means and what to
do to resolve the issue?

/etc/snort/rules/etp/exploit.rules(2105) The number of flowbit IDs in the current ruleset exceeds the
maximum number of IDs that are allowed (1024).
Fatal Error, Quitting..

Thanks in advance!

Kelly
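An added example for the question above (not from the list post or the Snort project): a small Python script that counts how many distinct flowbit names a ruleset consumes, which is the number Snort compares against the 1024 limit, and lists the names that are set but never checked or checked but never set, the usual candidates for pruning. The rule text below is constructed; point `flowbit_usage()` at the concatenated contents of every rules file snort.conf includes, because the limit applies to the whole loaded ruleset, not to one file. Snort 2.9 also documents a `config flowbits_size: <num-bits>` directive for raising the cap, so the choices are to disable rules that carry flowbits you do not need or to raise the limit.

```python
import re
from collections import defaultdict

# Constructed sample ruleset (not the exploit.rules file named in the post).
SAMPLE_RULES = """\
alert tcp any any -> any 21 (msg:"ftp login"; flowbits:set,ftp.login; flowbits:noalert; sid:1000001;)
alert tcp any any -> any 21 (msg:"ftp retr"; flowbits:isset,ftp.login; sid:1000002;)
alert tcp any any -> any 80 (msg:"http hdr"; flowbits:set,http.hdr&http.seen; sid:1000003;)
alert tcp any any -> any 80 (msg:"http body"; flowbits:isset,http.hdr|http.alt; sid:1000004;)
# alert tcp any any -> any 25 (msg:"disabled"; flowbits:set,smtp.commented; sid:1000005;)
alert tcp any any -> any 443 (msg:"tls"; flowbits:isnotset,tls.hello; flowbits:set,tls.hello,tlsgroup; sid:1000006;)
"""

# Operators that take a flowbit name; "noalert" and "reset" take none and are ignored.
FLOWBITS_RE = re.compile(
    r"flowbits\s*:\s*(set|setx|unset|toggle|isset|isnotset)\s*,\s*([^;]+)")
SETTERS = {"set", "setx", "unset", "toggle"}
CHECKERS = {"isset", "isnotset"}


def flowbit_usage(rules_text):
    """Map each distinct flowbit name to the (line_no, operator) pairs using it.

    Commented-out rules are skipped because Snort never loads them; a name
    list such as "a&b" or "a|b" counts every name it mentions; the optional
    ",group" argument after the name list is dropped.
    """
    uses = defaultdict(list)
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for op, spec in FLOWBITS_RE.findall(line):
            names = spec.split(",")[0]
            for name in re.split(r"[&|]", names):
                name = name.strip()
                if name:
                    uses[name].append((line_no, op))
    return uses


def report(rules_text, limit=1024):
    """Summarise flowbit ID consumption against Snort's limit (1024 by default)."""
    uses = flowbit_usage(rules_text)
    set_only = sorted(n for n, ops in uses.items()
                      if all(op in SETTERS for _, op in ops))
    check_only = sorted(n for n, ops in uses.items()
                        if all(op in CHECKERS for _, op in ops))
    return {
        "count": len(uses),
        "limit": limit,
        "over_limit": len(uses) > limit,
        "set_but_never_checked": set_only,
        "checked_but_never_set": check_only,
    }


if __name__ == "__main__":
    r = report(SAMPLE_RULES)
    print("%d distinct flowbit IDs (limit %d, over: %s)"
          % (r["count"], r["limit"], r["over_limit"]))
    print("set but never checked:", r["set_but_never_checked"])
    print("checked but never set:", r["checked_but_never_set"])
```

A name that is only ever set costs an ID without ever influencing a detection, and a name that is only ever checked belongs to a rule whose setter has been disabled; both are safe to remove once you confirm nothing in another file references them.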

Charlie | 31 Jul 08:03 2015

barnyard2: WARNING: Can't extract timestamp extension from 'merged.log'using base ''

Hi

I am trying to use Snort with barnyard2-1.13 on Linux RaspberryPI2 3.18.11-v7+.

barnyard2 is logging into the MySQL db OK; I know that because when I enable the MySQL general query log, I can see barnyard2 updating the table 'sensor'.

I called the file that Snort generates and barnyard2 reads "merged.log". Some people I have read call it "something.u2", but is it just a name? barnyard2 is looking at the 'merged.log' file generated by Snort, as you will see from this log:

Jul 30 19:44:32 RasberryPI barnyard2: WARNING: Can't extract timestamp extension from 'snort_eth0.pid'using base ''
Jul 30 19:44:32 RasberryPI barnyard2: WARNING: Can't extract timestamp extension from 'merged.log'using base ''
Jul 30 19:44:32 RasberryPI barnyard2: WARNING: Can't extract timestamp extension from '..'using base ''
Jul 30 19:44:32 RasberryPI barnyard2: WARNING: Can't extract timestamp extension from 'barnyard2.alert'using base ''
Jul 30 19:44:32 RasberryPI barnyard2: WARNING: Can't extract timestamp extension from 'alert'using base ''

Q1) However, because of this "Can't extract timestamp extension" warning, it is not writing into the event table. Why?
Q2) What does this using base '' mean?

In snort.conf, I have tried:
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
then
output unified2: filename merged.log, limit 128
but it did not help.

Thanks in advance


Research | 30 Jul 19:46 2015

Negative timestamp in PCAP from Snort

Hello,

I am currently running Snort 2.9.7.2 on a Linux host.  I checked the PCAP today and noticed an entry with a
negative timestamp.  This showed up AFTER an entry with a timestamp of 0.

I understand that the first event is valid with the 0 timestamp, but I am confused by the negative one.  AFAIK
Snort does not buffer the output to PCAP’s but writes in real-time.  What would cause a negative
timestamp on an event ?

Thanks
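An added example for the question above (not from the list post or the Snort project). The pcap record header stores `ts_sec` and `ts_usec` as unsigned 32-bit integers, so a file never literally contains a negative timestamp; a tool that prints one is reading a value of 2^31 or more as a signed int, and a record like that right after one with a zero timestamp is consistent with a damaged or misaligned record header rather than with a real clock reading. This Python checker walks the record headers of a little-endian pcap and flags zero seconds, microseconds outside 0..999999, values that would print negative as int32, timestamps that go backwards, and records whose `incl_len` is larger than `orig_len` or runs past the end of the file. The sample file is constructed inline with `build_pcap()`; run `check_timestamps()` on the bytes of a real capture to see which record is affected and at what offset.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len (all unsigned)


def build_pcap(records):
    """Constructed input: a little-endian pcap from (ts_sec, ts_usec, payload) tuples."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, payload in records:
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out


def check_timestamps(data):
    """Walk the record headers and list timestamp anomalies per record.

    Each result carries the raw unsigned fields, the value a signed-int32
    reader would display for ts_sec, and a list of problem tags.
    """
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported magic 0x%08x (little-endian pcap only)" % magic)
    results, prev, off = [], None, GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        signed_sec = ts_sec - 2**32 if ts_sec >= 2**31 else ts_sec
        problems = []
        if ts_sec == 0:
            problems.append("zero_seconds")
        if ts_usec >= 1000000:
            problems.append("usec_out_of_range")
        if signed_sec < 0:
            problems.append("negative_when_read_as_int32")
        if prev is not None and (ts_sec, ts_usec) < prev:
            problems.append("goes_backwards")
        if incl_len > orig_len:
            problems.append("incl_len_exceeds_orig_len")
        if off + RECORD_HDR.size + incl_len > len(data):
            problems.append("truncated_record")
        results.append({"index": len(results), "offset": off, "ts_sec": ts_sec,
                        "ts_usec": ts_usec, "signed_sec": signed_sec,
                        "problems": problems})
        prev = (ts_sec, ts_usec)
        off += RECORD_HDR.size + incl_len
    return results


# Constructed sample: a normal record, a zero timestamp, then a ts_sec that a
# signed reader prints as a negative number (0xFFFFFFF0 -> -16).
SAMPLE = build_pcap([
    (1438098558, 471655, b"\x00" * 14),
    (0, 0, b"\x00" * 14),
    (0xFFFFFFF0, 5, b"\x00" * 14),
])

if __name__ == "__main__":
    for rec in check_timestamps(SAMPLE):
        print(rec)
```

Big-endian captures (magic 0xD4C3B2A1 when read as little-endian) and the nanosecond-resolution variant are left out on purpose; the checks are the same once the header formats are adjusted.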

basant subba | 30 Jul 15:45 2015

Adding a new preprocessor in SNORT

I want to build a Hybrid IDS using the open source tool SNORT. I have read a few good papers on that, but I am still not able to get a lead on how to mount PHAD (an anomaly-based IDS) as a preprocessor to SNORT. In general, how would one add a new preprocessor to SNORT? Any help would be highly appreciated.
Victoria Lee | 29 Jul 23:00 2015

Getting snort to block something

Hello everyone,

I just set up snort and am trying to test it using the
emerging-games.rule to block battle.net.
However, I am not able to get it to block battle.net.
I have my snort interface enabled, and in the alert settings I have
everything checked off (Send Alerts to system log, block offenders,
kill states). I also have the "Which IP to block" set to both.
In the categories I have the "use IPS policy" checked off and the IPS
policy set as balanced.
In the rule sets I have Snort community rules and emerging-games.rule
checked off too.
I have also enabled the emerging-games rules in the rules tab. Next to
the rules there are little yellow boxes with x's in them.
The emerging threat rules were also updated recently.

Could someone advise me on what to do next?
Please let me know if you need more information or any images for
further clarification.

An additional question. I recently purchased the snort business rule
subscription. Am I supposed to get a code to activate that or is it
activated another way?
Thank you for your time!


Charlie | 29 Jul 18:42 2015

Fwd: ./configure correct with-mysql-libraries for Rasberry PI 3.18.11-v7+


Hi

I am trying to install barnyard2-1.13 on Linux RaspberryPI2 3.18.11-v7+.
I realise this is a Snort forum BUT there is no response from
barnyard2-users <at> googlegroups.com.

Q1) Is barnyard2 still supported? If not what is the alternative?

Q2) When I run:
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/arm-linux-gnueabihf
sudo make
sudo make install

It configures then compiles ok BUT is /usr/lib/arm-linux-gnueabihf correct?

Thanks in advance

PS I loaded the following pre-req:
sudo apt-get install mysql-server
sudo apt-get install libpcap-dev libmysqld-dev
sudo apt-get install php5-mysql


Xander | 29 Jul 17:55 2015

Snort in a Home Network

Hello everyone,
I have a simple question regarding Snort.
If I want to use it in my private home network (which consists of a
couple of laptops and smartphones) is it reasonable to disable some
preprocessors (and the rules related to them)?

Here is what I mean: since I do not have any kind of server, just a
couple of laptops and smartphones, can I just disable their dedicated
preprocessors (e.g. ftp preprocessor, sip preprocessor, smtp
preprocessor, http preprocessor and so on)?

From my understanding of Snort, the preprocessors and the IPVARs (e.g.
$HTTP_SERVERS, $SSH_SERVERS, $TELNET_SERVERS....) that you set in the
snort.conf are aimed to analyze the traffic directed to your servers
in your network. But, as I said, I don't have any, hence my question
about turning the preprocessors off.

Also, to disable them, do I just have to comment them out in the snort.conf?

Thank you very much for your help.


Robert Cotter | 29 Jul 00:59 2015

Update to README.decode on Snort.org request

Would it be possible to make it clearer which decode ‘Options’ are enabled/disabled by default?

At the moment you need to read down the list to item number 7, ‘enable_decode_oversized_alerts’, to see the text that says:

“Note that this is the only decoder alert option that is disabled by default.”

This would make it easier to point out to the less experienced what the original settings were without referring to the default snort.conf in the ruleset.

Thanks in advance.

Regards

Robert Cotter
Field Application Engineer – Endace, a division of Avago
robert.cotter <at> avagotech.com
DDI: +64 9 926 2931 Mob: +64 21 67 5550
LinkedIn: Robert Cotter; Skype: endace.robert.cotter
Level 2, Building A
600 Great South Road
Ellerslie, Auckland 1051, New Zealand
Postal: PO Box 12894 Penrose, Auckland 1642, New Zealand
http://www.endace.com/; LinkedIn; follow us on Twitter

This message contains Avago confidential information intended only for specific recipients and is not to be forwarded to anyone else. If you have received this message in error, please delete it immediately. Thank you


usa ims | 28 Jul 18:08 2015

New to snort (inline mode not rejecting)

Inline mode not rejecting. I'm trying to reject ICMP in my network and the pings are still successful (I know, it's overkill). I'm still able to ping any node in the subnet that Snort is protecting.

Snort Version: 2.9.7.3
Netgear Layer 2 Switch with mirroring enabled.

Snort seems to be starting fine:
Jul 28 11:30:41 snort snort[810]: afpacket DAQ configured to inline.
...
Jul 28 11:30:41 snort snort[811]: Commencing packet processing (pid=811)
Jul 28 11:30:41 snort snort[811]: Decoding Ethernet

I started snort with this command:
snort -Q -D -c /etc/snort/snort.conf -i eth1:eth2 --daq afpacket --daq-mode inline --daq-var buffer_size_mb=1024 -l /var/log/snort

I have this rule enabled local.rules:
reject icmp any any -> any any (msg:"You're doomed!"; sid:478; rev:3;)

My snort.conf has some of the following:

#config policy_mode:inline
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any

Here is the output from u2:

(IPv6 Event)
sensor id: 0 event id: 1496 event second: 1438098558 event microsecond: 471655
sig id: 478 gen id: 1 revision: 3 classification: 0
priority: 0 ip source: fe80::851b:3b6b:9ef3:1ff8 ip destination: ff02::1:ff98:f8eb
src port: 0 dest port: 0 protocol: 58 impact_flag: 32 blocked: 1

Packet
sensor id: 0 event id: 1496 event second: 1438098558
packet second: 1438098558 packet microsecond: 471655
linktype: 1 packet_length: 86
[ 0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00 33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00 ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80 ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01 ........o~......
[ 80] 28 D2 44 71 3A 63 (.Dq:c


What am I missing? Thanks in advance.
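An added example (not from the list post or the Snort project) that decodes the hex dump printed in the u2 output above. Those 86 bytes are a 14-byte Ethernet header with EtherType 0x86dd, an IPv6 header with next header 58 (ICMPv6), and an ICMPv6 type 135 Neighbor Solicitation sent to the solicited-node multicast group ff02::1:ff98:f8eb: the one event shown is IPv6 neighbor discovery that the `reject icmp any any -> any any` rule matched, not an IPv4 echo request from the ping test, so it says nothing about whether the pings are being stopped. The decoder below parses those three layers from the dump and names the ICMPv6 type, which is quicker than reading the hex by hand when checking what a rule actually fired on. A `blocked: 1` flag records Snort's verdict; a packet can only be stopped if it traversed the eth1:eth2 inline pair, and a copy delivered by a switch mirror port has already reached its destination by the time Snort sees it.

```python
import ipaddress
import struct

# The packet hex dump exactly as printed in the u2 output of the post.
U2_HEXDUMP = """\
[ 0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00 33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00 ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80 ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01 ........o~......
[ 80] 28 D2 44 71 3A 63 (.Dq:c
"""

ICMPV6_TYPES = {
    1: "destination unreachable", 128: "echo request", 129: "echo reply",
    133: "router solicitation", 134: "router advertisement",
    135: "neighbor solicitation", 136: "neighbor advertisement",
}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Parse the u2 dump layout: '[ offset] up to 16 hex bytes  ascii column'."""
    out = bytearray()
    for line in dump.splitlines():
        _, sep, rest = line.partition("]")
        if not sep:
            continue
        for tok in rest.split()[:16]:
            # The ASCII column begins at the first token that is not exactly two hex digits.
            if len(tok) != 2 or not set(tok) <= HEX_DIGITS:
                break
            out.append(int(tok, 16))
    return bytes(out)


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def decode(pkt):
    """Decode Ethernet -> IPv6 -> ICMPv6 far enough to name what a rule fired on."""
    if len(pkt) < 14:
        raise ValueError("shorter than an Ethernet header")
    eth_type = struct.unpack("!H", pkt[12:14])[0]
    info = {"eth_dst": mac(pkt[0:6]), "eth_src": mac(pkt[6:12]), "eth_type": eth_type}
    if eth_type != 0x86DD or len(pkt) < 54:
        return info  # not IPv6, or truncated before the IPv6 header ends
    ip6 = pkt[14:54]
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    dst = ipaddress.IPv6Address(ip6[24:40])
    info.update({
        "ip_version": ip6[0] >> 4,
        "payload_len": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(ip6[8:24])),
        "dst": str(dst),
        "dst_is_multicast": dst.is_multicast,
    })
    if next_hdr == 58 and len(pkt) >= 58:
        icmp_type, icmp_code = pkt[54], pkt[55]
        info.update({"icmpv6_type": icmp_type, "icmpv6_code": icmp_code,
                     "icmpv6_name": ICMPV6_TYPES.get(icmp_type, "other")})
        # Neighbor solicitation/advertisement carry the target address after a
        # 4-byte reserved/flags field that follows the 4-byte ICMPv6 header.
        if icmp_type in (135, 136) and len(pkt) >= 78:
            info["target"] = str(ipaddress.IPv6Address(pkt[62:78]))
    return info


if __name__ == "__main__":
    for key, value in decode(hexdump_to_bytes(U2_HEXDUMP)).items():
        print("%-16s %s" % (key, value))
```

To test whether IPv4 echo requests are being dropped, look for an event whose decoded packet has EtherType 0x0800 and ICMP type 8; absent that, the rule has not seen the pings at all, which points at where the traffic is being fed to Snort rather than at the rule.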


Turnbough, Bradley E. | 28 Jul 14:54 2015

Re: Daemonlogger -- Response to Marty Roesch

Ok.  I'll get a line of script included into the init script.

Thanks for all of your help!  I appreciate it.  Daemonlogger is a handy little tool to have in our environment.

To my knowledge, I don't see anything else that needs attention.  Maybe an update of the param listing from
the '--help' screen, but that's about it.

Again, thank you.

Brad

________________________________________
From: Marty Roesch (maroesch) [maroesch <at> cisco.com]
Sent: Monday, July 27, 2015 5:36 PM
To: Turnbough, Bradley E.
Subject: Re: Daemonlogger -- Response to Marty Roesch

Ok…

So, clearing logs from past runs is typically something for your startup
script to handle.  I remember this came up in the past and that’s kind of
where we left things.  Clearing out the logging directory before starting
seems like a lot of code to replicate functions that shell scripts can do,
you know? :)

Sorry about the undocumented features, it is documented in the README
file.  I’ve been finding a few things that probably could stand updating
as I’ve been looking around in the code for DaemonLogger so maybe there
will be a new version sooner rather than later.

Assuming scripting gets the job done, are there other problems you’re
running into?

Marty

--
Martin Roesch - maroesch <at> cisco.com
VP/Chief Architect, Security Business Group
   ,,_
  o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
   ''''

On 7/27/15, 10:53 AM, "Turnbough, Bradley E." <bturnbough <at> belcan.com>
wrote:

>
>-Z :
>daemonlogger: invalid option -- 'Z'
>
>-z :
>[-] Pruning behavior set to oldest THIS RUN
>
>Undocumented flags are always fun :)
>
>Closer, but still no solution.
>
>If *no* -z flag is set, I see this:
>
>[-] Pruning behavior set to oldest IN DIRECTORY
>
>
>But, it's not working as advertised.
>
>
>
>________________________________________
>From: Marty Roesch (maroesch) [maroesch <at> cisco.com]
>Sent: Friday, July 24, 2015 4:19 PM
>To: Turnbough, Bradley E.
>Cc: snort-users <at> lists.sourceforge.net
>Subject: Re: Daemonlogger -- Response to Marty Roesch
>
>Try the -z option and see if that helps out...
>
>
>Please Sent from my iPhone
>
>> On Jul 24, 2015, at 4:46 PM, Turnbough, Bradley E.
>><bturnbough <at> belcan.com> wrote:
>>
>> I think I've recreated the issue.
>>
>> running:
>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3
>>-p daemonlogger-p5p3.pid -r -m 5 -s 1g
>>
>> I let it run for a while.  The process was working just fine.  (5
>>files, rotated every 1 gig)
>>
>> I then stopped the process by issuing a ctrl-c, and then restarted it
>>again.
>>
>> Now I have more than 5 files:
>>
>> -rw-r--r--  1 root root 1.1G Jul 24 15:51 daemonlogger-p5p3.1437766803
>> -rw-r--r--  1 root root 1.1G Jul 24 16:00 daemonlogger-p5p3.1437767505
>> -rw-r--r--  1 root root 1.1G Jul 24 16:09 daemonlogger-p5p3.1437768022
>> -rw-r--r--  1 root root 1.1G Jul 24 16:21 daemonlogger-p5p3.1437768591
>> -rw-r--r--  1 root root 184M Jul 24 16:23 daemonlogger-p5p3.1437769280
>> -rw-r--r--  1 root root 1.1G Jul 24 16:32 daemonlogger-p5p3.1437769403
>> -rw-r--r--  1 root root 420M Jul 24 16:37 daemonlogger-p5p3.1437769947
>>
>> I have some scripts that stop the snort / barnyard / daemonlogger
>>processes every night.  They're all restarted again once backups are
>>finished and whatnot.
>>
>> I believe this is why I have so many extra files hanging around.  I
>>don't believe the program should work this way, but I can't say for
>>cartain, as you wrote it  :)  I would think that the program would load
>>the filenames into in array and drop the first one off of the list,
>>regardless of whether it actually wrote out the file during its
>>invocation.
>>
>> Thoughts?
>>
>>
>> ________________________________________
>> From: Marty Roesch (maroesch) [maroesch <at> cisco.com]
>> Sent: Friday, July 24, 2015 2:27 PM
>> To: Turnbough, Bradley E.; snort-users <at> lists.sourceforge.net
>> Subject: Re: Daemonlogger -- Response to Marty Roesch
>>
>> In theory it shouldn’t make a difference, let it run and see if there’s
>>a
>> difference in fact.  It used to work when 1.2.1 was released but I
>>haven’t
>> done tech support thing for my own OSS in a while so maybe something is
>> broken on newer systems and I need to dig into it a little deeper and
>>see
>> what’s going on.
>>
>> Let me know if it prunes properly now that the size limiter is working.
>>
>> --
>> Martin Roesch - maroesch <at> cisco.com
>> VP/Chief Architect, Security Business Group
>>   ,,_
>>  o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>   ''''
>>
>>
>>
>>
>>
>>
>>> On 7/24/15, 3:19 PM, "Turnbough, Bradley E." <bturnbough <at> belcan.com>
>>>wrote:
>>>
>>> That's what I was thinking as well.  Yes, x86_64
>>>
>>> uname -a:
>>> Linux awidssen01 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51
>>> UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> Running this:
>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n daemonlogger-p5p3
>>> -p daemonlogger-p5p3.pid -r -m 5 -s 1g
>>>
>>>
>>> Produced this:
>>> [-] Interface set to p5p3
>>> [-] Logpath set to /var/log/daemonlogger/p5p3
>>> [-] Max files to write set to 5
>>> [-] Log filename set to "daemonlogger-p5p3"
>>> [-] Pidfile configured to "daemonlogger-p5p3.pid"
>>> [-] Pidpath configured to "/var/run"
>>> [-] Ringbuffer active
>>> [-] Rollover configured for 1 gigabytes
>>> [-] Rollover configured for 0 none
>>> [-] Pruning behavior set to oldest IN DIRECTORY
>>>
>>> -*> DaemonLogger <*-
>>> Version 1.2.1
>>> By Martin Roesch
>>> (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
>>>
>>> Checking partition stats for log directory
>>>"/var/log/daemonlogger/p5p3/."
>>> sniffing on interface p5p3
>>> start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address
>>> assigned
>>>
>>>
>>> It appears to be working (as I'm seeing files broken at 1gig marks),
>>>but
>>> the problem I was having before was that the files weren't being purged
>>> as they should.  The initial message I sent out stated I had 156+
>>>(1gig)
>>> files.
>>>
>>> Would the flags "-s 1g" / "-s 1000000000" make a difference
>>>functionality
>>> wise?
>>> ________________________________________
>>> From: Marty Roesch (maroesch) [maroesch <at> cisco.com]
>>> Sent: Friday, July 24, 2015 2:03 PM
>>> To: Turnbough, Bradley E.; snort-users <at> lists.sourceforge.net
>>> Subject: Re: Daemonlogger -- Response to Marty Roesch
>>>
>>> Well there’s your problem right there.  Looks like there’s some sort of
>>> signage/wraparound issue going on.  Is this on x86?
>>>
>>> Try
>>>
>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n
>>>daemonlogger-p5p3 -p
>>> daemonlogger-p5p3.pid -r -m 5 -s 1g
>>>
>>>
>>> And send me the runtime output from that run.
>>>
>>>
>>> --
>>> Martin Roesch - maroesch <at> cisco.com
>>> VP/Chief Architect, Security Business Group
>>>  ,,_
>>> o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>>  ''''
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 7/24/15, 2:55 PM, "Turnbough, Bradley E." <bturnbough <at> belcan.com>
>>> wrote:
>>>
>>>> cat /etc/centos-release:
>>>> CentOS release 6.5 (Final)
>>>>
>>>> Running this:
>>>> daemonlogger -i p5p3 -l /var/log/daemonlogger/p5p3 -n
>>>>daemonlogger-p5p3
>>>> -p daemonlogger-p5p3.pid -r -m 5
>>>>
>>>> Produced this:
>>>> [-] Interface set to p5p3
>>>> [-] Logpath set to /var/log/daemonlogger/p5p3
>>>> [-] Max files to write set to 5
>>>> [-] Log filename set to "daemonlogger-p5p3"
>>>> [-] Pidfile configured to "daemonlogger-p5p3.pid"
>>>> [-] Pidpath configured to "/var/run"
>>>> [-] Ringbuffer active
>>>> [-] Rollover size set to 18446744071562067968 bytes
>>>> [-] Rollover time configured for 0 seconds
>>>> [-] Pruning behavior set to oldest IN DIRECTORY
>>>>
>>>> -*> DaemonLogger <*-
>>>> Version 1.2.1
>>>> By Martin Roesch
>>>> (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved
>>>>
>>>> Checking partition stats for log directory
>>>>"/var/log/daemonlogger/p5p3/."
>>>> sniffing on interface p5p3
>>>> start_sniffing() device p5p3 network lookup:    p5p3: no IPv4 address
>>>> assigned
>>>> Logging packets to
>>>> /var/log/daemonlogger/p5p3/daemonlogger-p5p3.1437764092
>>>>
>>>>
>>>>
>>>> ________________________________________
>>>> From: Marty Roesch (maroesch) [maroesch <at> cisco.com]
>>>> Sent: Friday, July 24, 2015 1:52 PM
>>>> To: Turnbough, Bradley E.; snort-users <at> lists.sourceforge.net
>>>> Subject: Re: Daemonlogger -- Response to Marty Roesch
>>>>
>>>> What platform is this on?
>>>>
>>>> Can you grab the configuration output that it dumps to the screen
>>>>when it
>>>> runs and send that over too?
>>>>
>>>> Marty
>>>>
>>>> --
>>>> Martin Roesch - maroesch <at> cisco.com
>>>> VP/Chief Architect, Security Business Group
>>>>  ,,_
>>>> o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>>>  ''''
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 7/24/15, 2:39 PM, "Turnbough, Bradley E." <bturnbough <at> belcan.com>
>>>> wrote:
>>>>
>>>>> FYI -- I'm running Version 1.2.1, if that helps.
>>>>>
>>>>> ________________________________________
>>>>> From: Turnbough, Bradley E. [bturnbough <at> belcan.com]
>>>>> Sent: Friday, July 24, 2015 1:37 PM
>>>>> To: snort-users <at> lists.sourceforge.net
>>>>> Cc: maroesch <at> cisco.com
>>>>> Subject: [Snort-users] Daemonlogger -- Response to Marty Roesch
>>>>>
>>>>> Hi Marty,
>>>>>
>>>>> Sorry, but I accidentally deleted our thread.
>>>>>
>>>>>
>>>>> I did as you requested, but daemonlogger is not rolling over to a new
>>>>> file after 1Gb.
>>>>>
>>>>> Here is the file:
>>>>> -rw-r--r--  1 root root 2.1G Jul 24 14:34
>>>>>daemonlogger-p5p3.1437762253
>>>>>
>>>>> Here is the command:
>>>>> daemonlogger -d -i p5p3 -l /var/log/daemonlogger/p5p3 -n
>>>>> daemonlogger-p5p3 -p daemonlogger-p5p3.pid -r -m 5
>>>>>
>>>>>
>>>>> _____________________________________________________________ This
>>>>> e-mail
>>>>> transmission contains information that is confidential and may be
>>>>> privileged. It is intended only for the addressee(s) named above. If
>>>>>you
>>>>> receive this e-mail in error, please do not read, copy or
>>>>>disseminate it
>>>>> in any manner. If you are not the intended recipient, any disclosure,
>>>>> copying, distribution or use of the contents of this information is
>>>>> prohibited. Please reply to the message immediately by informing the
>>>>> sender that the message was misdirected. After replying, please
>>>>>erase it
>>>>> from your computer system. Your assistance in correcting this error
>>>>>is
>>>>> appreciated.
>>>>>
>>>>>

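An added Python example (not from either list post, nor from barnyard2 or daemonlogger) that serves two threads in this digest: Charlie's barnyard2 warning `Can't extract timestamp extension from 'merged.log' using base ''` and the daemonlogger pruning discussion above. Both tools name their output files `<base>.<epoch>`. barnyard2 scans its spool directory for entries matching the base filename given with `-f` and warns about every entry that does not match, so an empty base in the warning means the base name it is working with is empty, and a unified2 file written with the `nostamp` option has no epoch extension to match either. The ring-buffer question in the daemonlogger thread is the same parse plus a sort: keep the newest N files in the directory regardless of which run wrote them. `scan_spool_dir()` models the warning text from the post rather than barnyard2's actual code; the directory listings are the ones shown in the two posts, with one constructed `merged.log.1438098558` entry added to show a match.

```python
import re

# Directory listing from Charlie's barnyard2 post (the entries that drew warnings).
SNORT_LOG_DIR = ["snort_eth0.pid", "merged.log", "..", "barnyard2.alert", "alert"]

# Listing from the daemonlogger thread after a restart: seven files where -m 5 was expected.
DAEMONLOGGER_DIR = [
    "daemonlogger-p5p3.1437766803", "daemonlogger-p5p3.1437767505",
    "daemonlogger-p5p3.1437768022", "daemonlogger-p5p3.1437768591",
    "daemonlogger-p5p3.1437769280", "daemonlogger-p5p3.1437769403",
    "daemonlogger-p5p3.1437769947",
]


def spool_pattern(base):
    """Files are named '<base>.<epoch>'; the epoch is the timestamp extension."""
    return re.compile(r"^%s\.(\d+)$" % re.escape(base))


def scan_spool_dir(base, entries):
    """Model of a spooler's directory scan (built from the warning text in the
    post, not from barnyard2's source): return the matching files sorted by
    epoch, plus the warning each non-matching entry would produce."""
    pattern = spool_pattern(base)
    matched, warnings = [], []
    for name in entries:
        m = pattern.match(name)
        if m:
            matched.append((int(m.group(1)), name))
        else:
            warnings.append("WARNING: Can't extract timestamp extension from "
                            "'%s' using base '%s'" % (name, base))
    matched.sort()
    return matched, warnings


def prune_plan(base, entries, max_files):
    """Ring-buffer pruning over the whole directory, not just this run's files:
    keep the newest max_files '<base>.<epoch>' files and return the names that
    should be deleted, oldest first."""
    matched, _ = scan_spool_dir(base, entries)
    excess = len(matched) - max_files
    return [name for _, name in matched[:excess]] if excess > 0 else []


if __name__ == "__main__":
    for base in ("", "merged.log"):
        matched, warnings = scan_spool_dir(base, SNORT_LOG_DIR + ["merged.log.1438098558"])
        print("base %r: %d matched, %d warnings" % (base, len(matched), len(warnings)))
        for w in warnings:
            print("  " + w)
    print("would delete:", prune_plan("daemonlogger-p5p3", DAEMONLOGGER_DIR, 5))
```

In an init script the prune step runs before daemonlogger starts, as Marty suggests in the thread, deleting what `prune_plan()` returns for the real `os.listdir()` of the log directory; the same `scan_spool_dir()` shows why a plain `merged.log` written with `nostamp` never matches base `merged.log`.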
