Peter Bates | 1 Feb 14:51

Re: Snort 2.9.2.1 Now Available


Hello all...

Following on from a previous thread -

Just downloading 2.9.2.1 - I see the snort.conf in there has no
mention of the white/blacklist processor - and the list at
http://www.snort.org/vrt/snort-conf-configurations/
has no listed configuration for this version.

Should we be using the one in the tarball, one in the VRT rules download
or add some of the missing elements from previous configuration files?

Thanks.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
Peter Bates | 1 Feb 15:13

Snort 2.9.2.1 compilation options


Hello all...

Yes, me again.

Going back to 2.9.1.2, an associated blog post mentioned:
"To make installation easier for our users, you simply need to compile
Snort with ./configure --enable-sourcefire" - which is also mentioned
in the one setup guide for 2.9.2 at www.snort.org/docs.

Running ./configure we see things like:
  --disable-reload          Enable reloading a configuration without
restarting
  --disable-reload-error-restart   Enable restarting on reload error

which are presumably actually the wrong way round.

Is the recommended configure standard still --enable-sourcefire
or are the most 'common' options just in plain old ./configure now?

Thanks.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
Joel Esler | 1 Feb 15:36

Re: Snort 2.9.2.1 compilation options

No, we recommend --enable-sourcefire still. That is correct. 

-- 
Joel Esler

On Feb 1, 2012, at 9:13 AM, Peter Bates <peter.bates <at> ucl.ac.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hello all...
> 
> Yes, me again.
> 
> Going back to 2.9.1.2, an associated blog post mentioned:
> "To make installation easier for our users, you simply need to compile
> Snort with ./configure --enable-sourcefire" - which is also mentioned
> in the one setup guide for 2.9.2 at www.snort.org/docs.
> 
> Running ./configure we see things like:
>  --disable-reload          Enable reloading a configuration without
> restarting
>  --disable-reload-error-restart   Enable restarting on reload error
> 
> which are presumably actually the wrong way round.
> 
> Is the recommended configure standard still --enable-sourcefire
> or are the most 'common' options just in plain old ./configure now?
> 

Joel Esler | 1 Feb 15:37

Re: Snort 2.9.2.1 Now Available

The one in the VRT downloaded tarball is correct, I'll get it up on the website. 

Thanks Peter. 

-- 
Joel Esler

On Feb 1, 2012, at 8:51 AM, Peter Bates <peter.bates <at> ucl.ac.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hello all...
> 
> Following on from a previous thread -
> 
> Just downloading 2.9.2.1 - I see the snort.conf in there has no
> mention of the white/blacklist processor - and the list at
> http://www.snort.org/vrt/snort-conf-configurations/
> has no listed configuration for this version.
> 
> Should we be using the one in the tarball, one in the VRT rules download
> or add some of the missing elements from previous configuration files?
> 
> Thanks.
> 
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
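Peter's fallback option (adding the missing elements from a previous configuration) is easier to judge if you can see exactly which preprocessor directives the new tarball's snort.conf dropped. The script below is an added example, not code from the thread or from the Snort project: it lists the "preprocessor" directives enabled in one snort.conf but absent from another, ignoring commented-out lines. The two conf excerpts it works on are constructed for the demonstration (the reputation block mirrors the white/blacklist syntax of that era) and are not taken from any real release.

```sh
#!/bin/sh
# Added example: compare the preprocessors enabled in two snort.conf files.
# Sample inputs are constructed inline; point the functions at real files
# (e.g. the old conf and the 2.9.2.1 tarball conf) for an actual comparison.

# Print the distinct preprocessor names a snort.conf enables, sorted.
# Comments are stripped first, so "# preprocessor foo" does not count, and
# both "preprocessor name" and "preprocessor name: args" forms are handled.
list_preprocessors() {
    sed -e 's/#.*//' "$1" \
      | awk '$1 == "preprocessor" { sub(/:.*/, "", $2); print $2 }' \
      | sort -u
}

# Names enabled in $1 (reference conf) but not in $2 (conf under review).
missing_preprocessors() {
    ref=$(mktemp) || return 1
    new=$(mktemp) || return 1
    list_preprocessors "$1" > "$ref"
    list_preprocessors "$2" > "$new"
    comm -23 "$ref" "$new"
    rm -f "$ref" "$new"
}

# Constructed sample: an older conf that enables the reputation preprocessor
# (white/blacklist) and has sfportscan commented out.
OLD_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
# constructed sample, older snort.conf excerpt
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
# preprocessor sfportscan: proto { all }
EOF

# Constructed sample: a newer conf with no reputation block at all.
NEW_CONF=$(mktemp)
cat > "$NEW_CONF" <<'EOF'
# constructed sample, newer snort.conf excerpt
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor sfportscan: proto { all }
EOF
trap 'rm -f "$OLD_CONF" "$NEW_CONF"' EXIT

echo "Enabled in the old conf but missing from the new one:"
missing_preprocessors "$OLD_CONF" "$NEW_CONF"   # prints: reputation
```

Run it against real files as missing_preprocessors /path/to/old/snort.conf /path/to/new/snort.conf; the reverse order shows what the new file enables that the old one did not (here, sfportscan), which is the usual cross-check before copying blocks between versions.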

Lay, James | 1 Feb 16:42

Re: [Spam] Re: segfault - how to troubleshoot

> -----Original Message-----
> From: Doug Burks [mailto:doug.burks <at> gmail.com]
> Sent: Tuesday, January 31, 2012 11:54 AM
> To: Russ Combs
> Cc: snort-users <at> lists.sourceforge.net
> Subject: [Spam] Re: [Snort-users] segfault - how to troubleshoot
> Importance: Low
> 
> It happened at 7:01, which is the time of our daily cronjob in
> Security Onion to run PulledPork and restart Snort.  I'll look into
> it.
> 
> Thanks,
> Doug

If you've got dev tools you can use gdb...

gdb snort
handle SIGPIPE nostop noprint
run (put options here like -c bleh.conf)

after it crashes:
bt full

send that info.

James


Martin Holste | 1 Feb 19:43

Re: [Spam] Re: segfault - how to troubleshoot

Also, when you're using gdb, I recommend wrapping it using the
"screen" utility so you can logout and still easily get the output
later.  Have a look at the manpage for more info.

On Wed, Feb 1, 2012 at 9:42 AM, Lay, James <james.lay <at> wincofoods.com> wrote:
>> -----Original Message-----
>> From: Doug Burks [mailto:doug.burks <at> gmail.com]
>> Sent: Tuesday, January 31, 2012 11:54 AM
>> To: Russ Combs
>> Cc: snort-users <at> lists.sourceforge.net
>> Subject: [Spam] Re: [Snort-users] segfault - how to troubleshoot
>> Importance: Low
>>
>> It happened at 7:01, which is the time of our daily cronjob in
>> Security Onion to run PulledPork and restart Snort.  I'll look into
>> it.
>>
>> Thanks,
>> Doug
>
> If you've got dev tools you can use gdb...
>
> gdb snort
> handle SIGPIPE nostop noprint
> run (put options here like -c bleh.conf)
>
> after it crashes:
> bt full
>
> send that info.
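James' gdb steps and Martin's suggestion to leave the session running under screen can be combined into one unattended capture. The script below is an added example, not James' or Martin's own commands and not part of Snort: it writes the same gdb commands to a command file, runs Snort under gdb in batch mode, and tees everything (including the "bt full" after a crash) to a log file. The Snort binary name, the config path /etc/snort/snort.conf, the interface eth1 and the log location are assumptions to adjust for your sensor; the binary must have been built with debug symbols for the backtrace to be useful.

```sh
#!/bin/sh
# Added example: capture a Snort crash backtrace non-interactively.
# Start it inside "screen" (or with nohup) so you can log out and
# collect the log later, as Martin suggested.

SNORT_BIN="${SNORT_BIN:-snort}"                                 # assumed on PATH
SNORT_ARGS="${SNORT_ARGS:--c /etc/snort/snort.conf -i eth1}"   # assumed paths
LOGFILE="${LOGFILE:-/tmp/snort-gdb.log}"                        # assumed location

# Write the gdb command file: James' three steps, plus "set pagination off"
# so gdb never waits for a keypress, and "quit" so batch mode terminates
# after the backtrace has been printed.
write_gdb_script() {
    cat > "$1" <<'EOF'
set pagination off
handle SIGPIPE nostop noprint
run
bt full
info registers
quit
EOF
}

# Build the gdb command line for the command file path given as $1.
# -batch makes gdb execute the file and exit; --args passes Snort's options.
build_cmd() {
    printf 'gdb -q -batch -x %s --args %s %s\n' "$1" "$SNORT_BIN" "$SNORT_ARGS"
}

# Run Snort under gdb and keep the combined output in $LOGFILE.
main() {
    script=$(mktemp) || exit 1
    write_gdb_script "$script"
    cmd=$(build_cmd "$script")
    echo "Running: $cmd"
    echo "Output (including the backtrace on a crash) goes to $LOGFILE"
    # word-splitting of $cmd is intended: it is a plain argument list
    $cmd 2>&1 | tee "$LOGFILE"
    rm -f "$script"
}

# Only start Snort when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Usage: screen -S snort-gdb sh ./snort-gdb.sh --run, then detach with Ctrl-A D; after a crash the "bt full" output is in the log file and can be sent to the list as James asked.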

Kloc, Alisha | 1 Feb 18:00

Snort crossing interfaces?

Hi list,

I’m a new member so please let me know if I’m not doing this right.

We have a problem with Snort 2.9.0.5 on a Windows 2003 server that we can’t figure out. When we install Snort, it gets the machine’s interfaces wrong (i.e., we have eth0 configured as the primary interface, and eth1 as the Snort interface, but Snort only listens on eth0). We can’t figure out where Snort is setting the interfaces, or how to stop it from crossing them.

What makes this problem particularly scary is that it can apparently cause our machine to bluescreen. During initial troubleshooting, we tried disabling eth1 and rebooting – but the reboot bluescreened. We have no idea how Snort getting the interfaces wrong is making that happen, but it’s a pretty drastic failure and we’re very concerned.

A couple of troubleshooting caveats: We have a locked design, meaning that we can’t upgrade to a newer Snort; and we also can’t compile/recompile the code. (We use the Windows .exe to install.)

Has anyone seen this before? Do you know where/how Snort identifies the host machine’s interfaces, and how we can get it straightened out?

Thanks!
-Alisha Kloc


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
tadios tefera | 1 Feb 23:43

Re: cannot authenticate to MSSQL database from BASE

I am new to php and base...
How exactly should I be using this test?
If I save it as testing.php in the c:\inetpub\wwwroot\base, and attempt to run it from a browser by http://ServerName/base/testing.php, I just get the text content of the testing.php displayed in the browser.

any suggestions?

On Mon, Jan 30, 2012 at 4:29 PM, Billy Marshall <Billy.Marshall <at> state.co.us> wrote:
tad,
 
To test MSSQL basic connect using ADOdb is:

<?php
include('/path/to/set/here/adodb.inc.php');   // path to your ADOdb install
$db = ADONewConnection('odbc_mssql');          // ODBC driver for SQL Server
$dsn = "Driver={SQL Server};Server=localhost;Database=northwind;";
if (!$db->Connect($dsn, 'userid', 'password')) {
    die('Connect failed: ' . $db->ErrorMsg());  // show the driver's reason
}
echo 'Connected OK';

or if you prefer to use the mssql extension (which is limited to mssql 6.5 functionality):

<?php
include('/path/to/set/here/adodb.inc.php');
$db = ADONewConnection('mssql');
// Connect() opens the connection; Execute() runs a query and cannot be used here
if (!$db->Connect('localhost', 'userid', 'password', 'northwind')) {
    die('Connect failed: ' . $db->ErrorMsg());
}
echo 'Connected OK';

>>> tadios tefera <ttefera <at> gmail.com> 1/26/2012 4:02 PM >>>

not sure if my earlier message was delivered....

I have placed the connect.php file you attached in the "base" folder on the IIS server.

I have adjusted the authentication info (password, etc...) for our SQL server:
$serverName = "SERVER-B";
$usr="snort";
$pwd="mypassword";
$db="snort";

And then I attempted to test by going to http://SERVER-C/base/connect.php ; this is the response I got:
"Fatal error: Call to undefined function sqlsrv_connect() in C:\inetpub\wwwroot\base\connect.php on line 11"

In my scenario, SERVER-B is the MSSQL server and SERVER-C is the IIS server.

Am I using the connect.php DB connection test file as you anticipated?

Thanks,

Tad.

On Mon, Jan 23, 2012 at 1:34 PM, tadios tefera <ttefera <at> gmail.com> wrote:
Thank you for your response Michael,
I have placed the connect.php file you attached in the "base" folder on the IIS server.
I have adjusted the authentication info (password, etc...) for our SQL server:
$serverName = "SERVER-B";
$usr="snort";
$pwd="mypassword";
$db="snort";
And then I attempted to test by going to http://SERVER-C/base/connect.php ; this is the response I got:
"Fatal error: Call to undefined function sqlsrv_connect() in C:\inetpub\wwwroot\base\connect.php on line 11"
In my scenario, SERVER-B is the MSSQL server and SERVER-C is the IIS server.
Am I using the connect.php DB connection test file as you anticipated?
Thanks,
Tad.
On Sun, Jan 22, 2012 at 10:19 AM, Michael Steele <michaels <at> winsnort.com> wrote:

You might be able to use the attached .php file to test the DB connection and users credentials to the remote MSSQL database.

Kindest regards,

Michael...

WINSNORT.com Management Team Member

--

****************** Established ~ 2001 *******************

* Visit Us <at> http://www.winsnort.com *

* ~~ FREE WinIDS Snort installation guides ~~ *

* ~~ FREE support forums ~~ *

* Snort: Open Source Network IDS - http://www.snort.org *

*********************************************************

From: tadios tefera [mailto:ttefera <at> gmail.com]
Sent: Tuesday, January 17, 2012 11:31 AM
To: snort-users <at> lists.sourceforge.net
Subject: [Snort-users] cannot authenticate to MSSQL database from BASE

Hi,

I have managed to get Snort 2.9.2 working on Windows 2008 R2 Servers.

The generated data from Snort is being placed in an mssql database.

My setup is as follows:

- Snort on a SERVER-A

- Database (MSSQL) on SERVER-B

- Web Portal (IIS7) on SERVER-C

But I am baffled as to how I can access the Snort data from the database.

I have installed and configured base, adodb, and php on IIS7 and all indications are that the installs/configurations are correct.

When I access the "base" site from a browser: http://SERVER-C/base , I get the following error:

------------------------------------------

Warning: mssql_connect() [function.mssql-connect]: Unable to connect to server: SERVER-B in C:\WinIDS\adodb\drivers\adodb-mssql.inc.php on line 556

Error connecting to DB : snort <at> SERVER-B

Check the DB connection variables in base_conf.php
= $alert_dbname : MySQL database name where the alerts are stored
= $alert_host : host where the database is stored
= $alert_port : port where the database is stored
= $alert_user : username into the database
= $alert_password : password for the username

------------------------------------------

I have verified numerous times that the dbname, host, port, user and password information are entered correctly in the base_conf.php file.

I have also tried changing hostname with IP and resetting the password on the database instance with no luck.

I looked into the SQL server logs and it shows encryption is required for this communication. The exact error message in the mssql logs is:

"Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please upgrade your client library. [CLIENT: 192.168.15.111]"

Client with IP 192.168.15.111 is SERVER-C.

My question is, how do I configure authentication encryption to access this database from Base?

Thanks,

Tad.




Sudarshan Raghavan | 2 Feb 14:35

Snort 2.9.1.2 exits on file upload

Snort Version: 2.9.1.2 IPv6 GRE
libpcap: 0.8.3
pcre: 7.0 18-Dec-2006
zlib: 1.2.3
Linux Kernel: 2.6.37.3 (32 bit)

We are seeing snort exit when trying an http file upload with this error
"Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
receive netlink message". Has anyone seen this error message before?

Regards,
Sudarshan

Sudarshan Raghavan | 2 Feb 14:48

Re: Snort 2.9.1.2 exits on file upload

Do I have to increase some buffer size? Can the -1 error from ipq_read
be ignored? I am seeing this error every time I try to upload a 60MB
file over HTTP.

Regards,
Sudarshan

On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
<sudarshan.t.raghavan <at> gmail.com> wrote:
> Snort Version: 2.9.1.2 IPv6 GRE
> libpcap: 0.8.3
> pcre: 7.0 18-Dec-2006
> zlib: 1.2.3
> Linux Kernel: 2.6.37.3 (32 bit)
>
> We are seeing snort exit when trying an http file upload with this error
> "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
> receive netlink message". Has anyone seen this error message before?
>
> Regards,
> Sudarshan
