Marcio Guerreiro | 24 May 12:47 2015

payload to craft rules

Hi all

 

I was wondering how I could find the malware payload that can be used to craft rules in snort.

 

What do I want to do?

 

Initially I want to concentrate on payload attacks and later develop other types of rules. Is there any website that provides this type of information?

 

The reason is that I want to create my own rules and learn more about SNORT.

 

Any information is welcome.

 

Thank you and have a nice day

 

Marcio

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Scott Link | 22 May 21:13 2015

Error 422 with snortrules-snapshot-2972.tar.gz

Hi,

Getting the following error message:
Running PulledPork.
    Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2972.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
    main::md5file(' <oinkcode redacted>', 'snortrules-snapshot-2972.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/bin/pulledpork.pl line 1885
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  <at> _/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2972.tar.gz....

Searching the archive seems to point to a server-side issue. Need anything else?

Thanks,
--
Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
314.977.9713
Robert Lasota | 22 May 21:18 2015

Re: Snort inline with Squid

On Tuesday, 28 April 2015 15:46 Robert Lasota <wrkilu <at> wp.pl> wrote:

On Tuesday, 28 April 2015 03:10 James Lay <jlay <at> slave-tothe-box.net> wrote:


 
Ah...yes, with inline, drop will not pass the traffic, whereas alert will.  My last bit of advice would be to change your test rule from drop to alert.  I've not used the react option, so I'll defer to someone else on the list for that bit.

James



I've changed drop to alert and nothing's changed. Still just waiting.... in the browser. The react option AFAIK is the only way to display an alert page in the browser in inline mode, so we must say that your ideas don't work... sorry. However, many thanks for trying.

 

Generally I'm wondering... whether nobody has used this tandem until now? (Squid+Snort on Linux) because I can't find anything about this case on Google - strange. Probably I'm the first.

 

Last question: do you know if there is possibly a way in iptables to turn on double flow? Or is there a way to inject packets back from one table to another?

 

Robert

 



We've found some guy who figured out how to do that and it works!! I'll write here how to do that for the next person looking for it:

 

So the rules in iptables must be as follows:

#Only allow outbound http(tcp/80) for uid 99 (squid owner/user nobody)
#Send all other http(tcp/80) to port 3128 (squid)
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 80 -m owner --uid-owner 99 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#Snort nfq/inline mode for http(tcp/80) traffic.
iptables -t mangle -I INPUT -i eth0 -p tcp --sport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1

#For HTTPS
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 443 -m owner --uid-owner 99 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

iptables -t mangle -I INPUT -i eth0 -p tcp --sport 443 -j NFQUEUE --queue-num 1
iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 443 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth0 -p tcp --dport 443 -j NFQUEUE --queue-num 1

#For NAT'd traffic
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3129

eth0 - WAN NIC on router

eth1 - LAN NIC on router

 

And Snort is run with this command (in inline mode of course):

/opt/usr/bin/snort --daq nfq --daq-var queue=1 -D -Q -c /opt/etc/snort/snort.conf -l /var/log/snort --no-interface-pidfile

Snort works without HTTPS decryption because it doesn't decrypt traffic itself, so you'll possibly need to use something like viewssld for that.

 

Good luck for everyone!

Robert
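An added example (editor's code, not from the thread) that replays the iptables commands quoted above into a model of the chains and checks the ordering that keeps Squid's own upstream connections (uid 99) out of the REDIRECT back into Squid. It assumes first-match-wins traversal and that -I without an index inserts at the head of the chain; uid, ports and interfaces are the thread's.

```python
import shlex
from collections import defaultdict

# Rule script quoted in the thread (comment lines dropped, rules verbatim).
RULES_FROM_THREAD = """
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 80 -m owner --uid-owner 99 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t mangle -I INPUT -i eth0 -p tcp --sport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 443 -m owner --uid-owner 99 -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t mangle -I INPUT -i eth0 -p tcp --sport 443 -j NFQUEUE --queue-num 1
iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 443 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth0 -p tcp --dport 443 -j NFQUEUE --queue-num 1
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3129
"""


def build_chains(script):
    """Replay iptables -A/-I commands into {table: {chain: [spec, ...]}},
    listed in the order the kernel traverses them (first match wins)."""
    chains = defaultdict(lambda: defaultdict(list))
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[0] != "iptables":
            raise ValueError(f"not an iptables command: {line}")
        table, mode, chain, spec = "filter", None, None, []
        i = 1
        while i < len(argv):
            if argv[i] == "-t":
                table, i = argv[i + 1], i + 2
            elif argv[i] in ("-A", "-I"):
                mode, chain, i = argv[i], argv[i + 1], i + 2
            else:
                spec.append(argv[i])
                i += 1
        if mode is None:
            raise ValueError(f"no -A/-I in: {line}")
        if mode == "-A":
            chains[table][chain].append(spec)      # append: evaluated last
        else:
            chains[table][chain].insert(0, spec)   # insert: evaluated first
    return chains


def option(spec, flag):
    """Value that follows `flag` in a rule spec, or None if absent."""
    if flag in spec:
        i = spec.index(flag) + 1
        if i < len(spec):
            return spec[i]
    return None


def find_redirect_loops(chains, squid_uid="99"):
    """Ports whose REDIRECT in nat OUTPUT is not preceded by an ACCEPT for
    Squid's own uid on that port. Without that exemption Squid's upstream
    connection to the origin server is redirected back into Squid itself."""
    out = chains["nat"]["OUTPUT"]
    problems = []
    for pos, spec in enumerate(out):
        if option(spec, "-j") != "REDIRECT":
            continue
        port = option(spec, "--dport")
        exempt_first = any(
            option(s, "-j") == "ACCEPT"
            and option(s, "--uid-owner") == squid_uid
            and option(s, "--dport") == port
            for s in out[:pos]
        )
        if not exempt_first:
            problems.append(port)
    return problems


if __name__ == "__main__":
    model = build_chains(RULES_FROM_THREAD)
    print("loop-prone redirect ports:", find_redirect_loops(model))  # []
```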

 

 


Robert Lasota | 22 May 21:01 2015

Re: Rules division, divide, split

On Friday, 22 May 2015 20:33 Joel Esler (jesler) <jesler <at> cisco.com> wrote:

Sounds like you are trying to do something oddly clever. Can you describe what you are trying to do?
 
 
Hehe ;), we don't want to load Snort too much by enabling all rules; this will be an IPS for SOHO. So we thought we'll turn on just malware/virus/browser rules, but sometimes, when it's needed, we'll add rules just for the needed apps, e.g. SQL server and VOIP, or for HTTP and mail server - that's why..
 
Robert
 
 

On May 22, 2015, at 10:51 AM, Robert Lasota <wrkilu <at> wp.pl> wrote:

Hi,

What is the best way to split all rules for applications, services, e.g. for ftp, voip, http, dns, smtp, pop3, sql, others etc.? I know that with Pulledpork I can choose one of 3 categories: security, connectivity or balanced, but we need also to split these more deeply - for apps (as I mentioned above).

Thanks


Re: Segregating drop alerts

Dear Anshuman,

Can you post an example of a "rule...set to drop"? I think we're probably 
miscommunicating here.

 	-g

} I mean to say the alerts for the rules that have been set to drop. We 
} have not set it as silent.
} 
} So only some rules have been set to drop. The console should be able to 
} show if it is a alert for drop or just an
} alert. This way we can decide what other rules we can configure for 
} drop.
} 
} Hope this is pretty clear.
} 
} Regards,
} Anshuman
-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office


Robert Lasota | 22 May 16:48 2015

Rules division, divide, split

Hi,

 

What is the best way to split all rules for applications, services, e.g. for ftp, voip, http, dns, smtp, pop3, sql, others etc.? I know that with Pulledpork I can choose one of 3 categories: security, connectivity or balanced, but we need also to split these more deeply - for apps (as I mentioned above).

 

Thanks

 

 

 

 



Re: Segregating drop alerts

Dear Anshuman,

Can you clarify what you mean by "drop alerts"?

I don't know anything about Snorby, but my experience of Snort in 
vanilla configuration is that

  - an "alert" rule will log both an alert and the packet;
  - a "drop" rule will silently ignore the packet.

Best,
-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

> From: Anshuman Anil Deshmukh [mailto:anshuman <at> cybage.com]
> Sent: Friday, May 15, 2015 12:23 PM
> To: snort-users <at> lists.sourceforge.net
> Subject: [Snort-users] Segregating drop alerts
>
> Hi,
>
> We have some rules set as drop and we are using Snorby as our web 
> interface. We were trying to see if we can segregate the drop alerts but 
> couldn't find any option. Has anybody worked on this and suggest how 
> this can be done? 
>
> https://groups.google.com/forum/#!topic/snorby/YCSzsmDRAIY
>
> Regards,
> Anshuman Anil Deshmukh | Sr. IS Analyst - Security
> Cybage Software Pvt. Ltd. (An SEI-CMMI Level 5 assessed & ISO 27001 company)
> Phone : 91-20-66041700, 91-20-66044700 (Ext. 6114)
> Fax: 91-20-66041701 & 66041702
> Cell: 91-99230-51641
>
>
> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software
> Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The
> information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure,
> copy, distribution, or use of the contents of this message is strictly prohibited. If you have received
> this electronic message in error please notify the sender by reply e-mail to and destroy the original
> message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious
> content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in
> this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment."
> www.cybage.com


Joel Cornett (jocornet | 20 May 23:51 2015

Re: RPM Build Failure for Snort 2.9.7.3-1 from source RPM (Tomas Hajek)


> Message: 4
> Date: Wed, 20 May 2015 11:54:30 -0400
> From: Tomas Hajek <hajek <at> oakland.edu>
> Subject: [Snort-users] RPM Build Failure for Snort 2.9.7.3-1 from
> 	source RPM
> To: snort-users <at> lists.sourceforge.net
> Message-ID:
> 	<CAPx-GQp8bRCvN7hvHTttQwYRMGufx9K1NGwCS1ppXUdUs+_VgQ <at> mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Has anyone tried building an rpm from the snort-openappid-2.9.7.3-1.src.rpm
> on Red Hat Enterprise Linux 6.6?
> 
> I just tried with the following:
> rpmbuild --rebuild snort-openappid-2.9.7.3-1.src.rpm
> 
> /usr/lib/rpm/debugedit: canonicalization unexpectedly shrank by one
> character

This is due to a bug in debugedit.c. (see https://bugzilla.redhat.com/show_bug.cgi?id=304121)

As a workaround, add the option: -D 'debug_package %{nil}' to the rpmbuild command. This will disable
building of the debug package.

> 
> Any suggestions to get this to build?  I did not have any issues building
> the prior release (2.9.7.2-1).
> 
> The DAQ ( daq-2.0.5-1.src.rpm ) rebuild went fine.
> 
> thanks,
>   -Tomas
> -------------- next part --------------
> An HTML attachment was scrubbed...
> 
> ------------------------------

Joel Cornett | Software Engineer - Cisco
jocornet <at> cisco.com




Miller, Mike | 20 May 20:21 2015

Re: Snort-users Digest, Vol 108, Issue 36

Yeah, I'm not finding any joy with that. Mostly because I'm using Security Onion, and it does things it wants
to do with Syslog. It's really bizarre that I can't get Barnyard to output the severity and
facility...that's a bog stock syslog format thing to do. 

I'm scripting a small fleet of these things and altering a conf file to produce the right output is do-able,
installing a second syslog facility on another port so it can filter to the right format doesn't seem like
the right way to go about it. 

-----Original Message-----
Message: 4
Date: Mon, 18 May 2015 11:14:08 -0600
From: James Lay <jlay <at> slave-tothe-box.net>
Subject: Re: [Snort-users] Barnyard2, Syslog and formatting.
To: snort-users <at> lists.sourceforge.net
Message-ID: <7ad3f42241215b9d8015a9594701306f <at> localhost>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2015-05-18 07:50 AM, Miller, Mike wrote:
> I'm going through and modernizing our IDS fleet and am running into 
> the following problem:
> 
> The part that works:
> ================
> The first screenshot, is the production server, it's syslogging using 
> rsyslog to an RSA SIEM. The RSA sees, parses, and is happy with it.
> It's
> using Snort to post to local syslog without Barnyard, the syslog 
> daemon then forwards it to the SIEM.
> 
> rsyslog.conf line is just *.* 10.242.3.230, and the snort.conf output 
> line looks like:
> 
> output alert_syslog: log_local7 log_alert
> 
> http://imgur.com/ckhN3vr,wxu5OyH#0
> 
> 
> The part that doesn't:
> =================
> The second grab is the test server, on the same segment, and it's 
> using
> barnyard2 to send syslog directly to the same server....it's output 
> looks like this:
> 
> http://imgur.com/ckhN3vr,wxu5OyH#1
> 
> the configs for barnyard2 look like:
> 
> output alert_syslog: host=10.242.3.230, LOG_AUTH LOG_ALERT
> 
> 
> The SIEM receives the traffic, but it doesn't know how to parse it, 
> because it doesn't appear like the syslog format it expects. (I 
> suspect because it's missing Facility and Severity)
> 
> Any idea what I'm missing?

Mike,

In setting up barnyard2 for logstash I found that I had to have logstash just set up as a generic UDP listener. 
From there barnyard2:

output alert_syslog_full: sensor_name external, server x.x.x.x, protocol udp, port 5514

That seems to work, but did require tweaking on the receiving end.  Hope that helps.

James
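An added example (editor's code, not from the thread or from Barnyard2) of what "missing Facility and Severity" means on the wire: an RFC 3164 datagram starts with a PRI of facility * 8 + severity, and a small relay can frame alert text that arrives without one before it reaches the SIEM. The facility and severity names are the ones in the snort.conf and barnyard2.conf lines quoted above; the hostname, tag, timestamp and sample alert text are constructed.

```python
import re
import socket
from datetime import datetime

# Numeric codes from RFC 3164 section 4.1.1 (same values as syslog(3) on Linux);
# only the names that appear in the thread's configs are mapped here.
FACILITIES = {"LOG_AUTH": 4, "LOG_LOCAL7": 23}
SEVERITIES = {"LOG_ALERT": 1}
PRI_RE = re.compile(rb"^<(\d{1,3})>")
DEMO_WHEN = datetime(2015, 5, 5, 7, 50, 0)   # constructed timestamp for the demo


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity. Accepts Snort's spelling (log_local7
    log_alert) as well as Barnyard2's (LOG_AUTH LOG_ALERT)."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]


def decode_pri(pri):
    """Inverse of syslog_pri: (facility, severity) as numbers."""
    return pri // 8, pri % 8


def rfc3164_frame(pri, hostname, tag, content, when):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT, day of month space-padded."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {content}".encode()


def has_pri(frame):
    """True when a datagram carries a well-formed PRI header (0..191)."""
    m = PRI_RE.match(frame)
    return m is not None and int(m.group(1)) <= 191


def reframe(line, facility, severity, hostname, tag, when=None):
    """Wrap an alert line that arrived without a PRI into a full RFC 3164 frame."""
    if when is None:
        when = datetime.now()
    return rfc3164_frame(syslog_pri(facility, severity), hostname, tag, line.strip(), when)


def relay_udp(frames, host, port=514):
    """Send framed datagrams to the SIEM's UDP syslog listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for f in frames:
            s.sendto(f, (host, port))


if __name__ == "__main__":
    # Constructed alert text in Barnyard2 alert_syslog style; not a real rule.
    sample = ("[1:9000001:1] CONSTRUCTED sample alert [Classification: Misc] "
              "[Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80")
    print(reframe(sample, "LOG_AUTH", "LOG_ALERT", "ids01", "barnyard2", DEMO_WHEN).decode())
```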

Tomas Hajek | 20 May 17:54 2015

RPM Build Failure for Snort 2.9.7.3-1 from source RPM

Has anyone tried building an rpm from the snort-openappid-2.9.7.3-1.src.rpm on Red Hat Enterprise Linux 6.6? 

I just tried with the following:
rpmbuild --rebuild snort-openappid-2.9.7.3-1.src.rpm

There are many warnings such as:
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_dnp3_preproc.so.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_dnp3_preproc.so.0.0.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_modbus_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_modbus_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_dce2_preproc.so.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_dce2_preproc.so.0.0.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_sip_preproc.so.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_sip_preproc.so.0.0.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_dns_preproc.so.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_dns_preproc.so.0.0.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_imap_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_imap_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_reputation_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_reputation_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_smtp_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_smtp_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_ssh_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_ssh_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_sdf_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_sdf_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_gtp_preproc.so.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_gtp_preproc.so.0.0.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_pop_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_pop_preproc.so.0
*** WARNING: identical binaries are copied, not linked:
        /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_ssl_preproc.so.0.0.0
   and  /usr/lib64/snort-2.9.7.3_dynamicpreprocessor/libsf_ssl_preproc.so.0
/usr/lib/rpm/debugedit: canonicalization unexpectedly shrank by one character

And then it ends with the following:
error: Bad exit status from /var/tmp/rpm-tmp.rCTl8F (%install)
    user jocornet does not exist - using root
    group jocornet does not exist - using root
    user jocornet does not exist - using root
    group jocornet does not exist - using root
    Bad exit status from /var/tmp/rpm-tmp.rCTl8F (%install)

Any suggestions to get this to build?  I did not have any issues building the prior release (2.9.7.2-1).

The DAQ ( daq-2.0.5-1.src.rpm ) rebuild went fine.

thanks,
   -Tomas
Mustafa Qasim | 20 May 17:39 2015

Security Consultant in CA

Hi,

Is there any security consultant available in CA open to an opportunity to work as a remote hand i.e. visit client site and execute the on-site consultancy requirements? 

Please approach me off the list.
------
Mustafa Qasim
GREM, GCFE

