Hafez Kamal | 13 Apr 19:34 2016

[HITB-Announce] HITBGSEC CFP Closes in 2 Weeks!

REMINDER: The Call for Papers for the 2nd annual Hack In The Box GSEC
conference in Singapore closes on the 1st of May.

Call for Papers: http://gsec.hitb.org/cfp/
Event Website: http://gsec.hitb.org/sg2016/

HITB GSEC is a new single track 2-day deep knowledge security conference
where attendees get to vote on the final agenda of talks and get a
chance to meet with the speakers they voted for and fellow attendees
based on the votes they cast.

We have an all-women keynote line up this year with Erin Jacobs, Katie
Moussouris and Fabienne Serriere. We're hoping to fill at least half the
agenda with women researchers but we can't do so unless more women
submit! If you know any female researchers working on interesting stuff,
please do send this along to them.

As usual, we are looking for 60-minute, offensive-focused deep-knowledge
presentations: research that is new and novel, and preferably material
that has not been presented elsewhere before.

Submission Process:

1.) Register for an account at http://gsec.hitb.org/cfp/
2.) Send us the following:

 - Presentation abstract (1000 - 1500 words)
 - A recent photograph
 - Draft white paper (3500 - 5000 words) - OPTIONAL
 - Supporting material (poc code, slides, video etc) - OPTIONAL

Leo Nespoli | 13 Apr 12:14 2016

Snort error: Cannot decode data link type 105

Hi!

I'm trying to use the Kismet tun/tap interface with Snort 2.9.8.0

I compiled snort with --enable-non-ether-decoders --enable-sourcefire

But no way... the error is always there.

Any ideas? Thanks to all!
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Eric Martin | 13 Apr 03:28 2016

Assistance Request

I have been deploying a new pfSense machine using the core applications including SNORT.  I have the subscribed VRT rules installed, along with OpenAppID and ETOpen.

 

Today, I was finishing implementation and was unable to get out using LogMeIn and noticed the errors were coming from ET.  Then the headaches started when trying to add whitelist information.  Then I uninstalled the ET Rules.  Now, I am not convinced the VRT & OpenAppID Rules are working.  I just don’t understand the overall rules and such to apply in the way they need to be applied.  Completely different from Cisco and SonicWALL.

 

I need AND am happy to pay someone to do a review of my configuration and confirm I am not missing something.

 

I am in IT and have been using Cisco & SonicWALL UTMs in the past.  This learning curve is driving me crazy and as usual, the definitive answers on the web are subjective.  As usual, I’ve spent hours and hours on the web researching things and basically pulling out my hair.

 

Please, anyone with real world experience using pfSense 2.2.6, SNORT & SQUID3 (which I removed today due to some basic routing problems that I just could not figure out), reach out to me; we can work out payment and get these basic issues resolved.  If interested, this can also turn into a long term relationship as I really don’t want to become a pfSense engineer.  I am very capable for general maintenance, but don’t need another engineering degree.  LOL.

 

I am PST Time Zone AND thanks in advance for any response.

 

Sincerely,

 

Eric S. Martin

980-225-1270 (Office Direct)

704-999-1472 (Cell)

 

 

Shefali Prabhu (shefapra | 12 Apr 20:53 2016

Re: [Snort-devel] Does snort 2.9.8 support HTTP2?

I believe HTTP2 is supported from 2.9.9 onward.


— 
Regards,
Shefali Prabhu
ENGINEER.SOFTWARE ENGINEERING
shefapra <at> cisco.com



From: Tony Zhang <Tony.Zhang <at> esentire.com>
Date: Tuesday, April 12, 2016 at 2:30 PM
To: "snort-users <at> lists.sourceforge.net" <snort-users <at> lists.sourceforge.net>, "snort-devel <at> lists.sourceforge.net" <snort-devel <at> lists.sourceforge.net>
Subject: [Snort-devel] Does snort 2.9.8 support HTTP2?


Hi There


Does anybody know if snort 2.9.8 supports HTTP2?

Thanks.


Regards,
Tony Zhang
Tony Zhang | 12 Apr 20:30 2016

Does snort 2.9.8 support HTTP2?

Hi There


Does anybody know if snort 2.9.8 supports HTTP2?

Thanks.


Regards,
Tony Zhang
Chris Chiaverini | 11 Apr 22:56 2016

Snort with PF_RING - Compile question

Hello,

Has anyone compiled Snort w/ pfring on RHEL 7.x?  I am attempting on 7.2 and hitting an issue with libpcap linking.

I used the NTOP PF_RING RPM with snort source and it appears to be a basic linking problem but I have specified them within the configure options:

[root <at> squealer snort-2.9.8.2]# rpm -ql pfring
/etc/init.d/cluster
/etc/init.d/pf_ring
/etc/init/pf_ring.conf
/etc/ld.so.conf.d/pf_ring.conf
/lib64/libanic.so
/lib64/libntapi.so
/lib64/libntos.so
/lib64/libsnf.so
/usr/local/bin/pfcount
/usr/local/bin/pfdnabounce
/usr/local/bin/pfdnacluster_master
/usr/local/bin/pfsend
/usr/local/bin/zbalance_ipc
/usr/local/bin/zcount
/usr/local/bin/zcount_ipc
/usr/local/bin/zsend
/usr/local/include/linux/pf_ring.h
/usr/local/include/pfring.h
/usr/local/include/pfring_zc.h
/usr/local/lib/daq/daq_pfring.la
/usr/local/lib/daq/daq_pfring.so
/usr/local/lib/daq/daq_pfring_zc.la
/usr/local/lib/daq/daq_pfring_zc.so
/usr/local/lib/libpcap.a
/usr/local/lib/libpcap.so.1.6.2
/usr/local/lib/libpfring.a
/usr/local/lib/libpfring.so
/usr/local/lib/libsfbpf.so.0
/usr/local/lib/libsfbpf.so.0.0.1
/usr/local/pfring/README-DAQ.1st
/usr/local/pfring/README.FIRST
[root <at> squealer snort-2.9.8.2]# ll /usr/local/lib/libpcap.*
-rw-r--r--. 1 root root  479112 Apr  9 09:26 /usr/local/lib/libpcap.a
lrwxrwxrwx. 1 root root      16 Apr  4 14:25 /usr/local/lib/libpcap.so.1 -> libpcap.so.1.6.2
-rwxr-xr-x. 1 root root 1377998 Apr  9 09:26 /usr/local/lib/libpcap.so.1.6.2
[root <at> squealer snort-2.9.8.2]#


[root <at> squealer snort-2.9.8.2]# cat ../configure_snort.sh
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/dell/srvadmin/bin:/opt/dell/srvadmin/sbin:/root/bin:/opt/daq/bin
LD_LIBRARY_PATH=/opt/daq/lib:/usr/local/lib:/lib64:/lib:/usr/lib64:/usr/lib:/usr/local/lib/daq
export PATH LD_LIBRARY_PATH

./configure --prefix=/opt/snort-2.9.8.2 --with-dnet-includes=/usr/local/include --with-dnet-libraries=/usr/local/lib --with-libpcap-includes=/usr/local/lib/ --with-libpcap-libraries=/usr/local/lib --with-libpfring-includes=/usr/local/include/daq --with-libpfring-libraries=/usr/local/lib/daq --with-daq-libraries=/usr/local/lib --with-daq-includes=/usr/local/include \
--enable-sourcefire \
--enable-zlib \
--enable-perfprofiling \
--enable-gre \
--enable-mpls \
--enable-targetbased \
--enable-ppm \
--enable-perfprofiling \
--enable-active-response \
--enable-normalizer \
--enable-reload \
--enable-react \
--enable-flexresp3 \
--enable-linux-smp-stats \
--enable-large-pcap \
--enable-targetbased \
--enable-sourcefire
[root <at> squealer snort-2.9.8.2]#


[root <at> squealer snort-2.9.8.2]# sh ../configure_snort.sh
configure: WARNING: unrecognized options: --enable-zlib
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes

<OMITTED>

checking for INADDR_NONE... yes
checking for __FUNCTION__... yes
checking for pcap_datalink in -lpcap... no
checking pfring.h usability... yes
checking pfring.h presence... yes
checking for pfring.h... yes
checking for pfring_open in -lpfring... no
checking for pfring_open in -lpcap... no

   ERROR!  Libpcap library/headers (libpcap.a (or .so)/pcap.h)
   not found, go get it from http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place.  Also check if your libpcap depends on another
   shared library that may be installed in an unusual place
[root <at> squealer snort-2.9.8.2]#



-- Regards, Chris Chiaverini
Dave Corsello | 8 Apr 22:36 2016

Fwd: Re: Stream5 error

My comments below:

On 4/7/2016 5:57 PM, Al Lewis (allewi) wrote:

Was there a reason you changed the session time_out and require_3whs fields?


I didn't change them from the values that were set by Sourcefire/Cisco.  I have now changed timeout to 30 and require_3whs to 0.

You are keeping sessions active 6 times longer than the default (30 seconds for timeout) so that may be why snort has no choice but to alert and prune them.

 

Did you change the max bytes for a session? You may need to raise the max_tcp bytes in the stream global setting. 



Again, I left the original values unchanged.  I would be inclined to leave them as they are after making the above changes unless you recommend otherwise.

 

Also, did you see my previous message? If any of the conditions below are true, then snort will send the message and prune the session.

 

If you don’t have a config I would think that you are hitting one of these conditions from line 7201 in “preprocessors/Stream6/snort_stream_tcp.c:”

7201         if (stream_session_config->prune_log_max && (TwoWayTraffic(tcpssn->scb) || s5TcpPolicy->log_asymmetric_traffic) && !(tcpssn->scb->ha_state.session_flags & SSNFLAG_LOGGED_QUEUE_FULL))
7202         {
7203             LogMessage("S5: Session exceeded configured max bytes to queue %d "
7204                     "using %d bytes (%s). %s %d --> %s %d "

Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046 

Phone: (office) 443.430.7112

Email: allewi <at> cisco.com 

 

From: Dave Corsello [mailto:snort-users <at> wintertreemedia.com]
Sent: Thursday, April 07, 2016 4:15 PM
To: Al Lewis (allewi)
Subject: Re: [Snort-users] Stream5 error

 

Thanks for your reply.  My snort.conf is attached.  Here's the startup command from my init script:

exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D

On 4/7/2016 3:02 PM, Al Lewis (allewi) wrote:

Do you have a copy of your configuration that you can share?

 

Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046 

Phone: (office) 443.430.7112

Email: allewi <at> cisco.com 

 

From: Dave Corsello [mailto:snort-users <at> wintertreemedia.com]
Sent: Thursday, April 07, 2016 2:08 PM
To: snort-users <at> lists.sourceforge.net
Subject: [Snort-users] Stream5 error

 

I'm getting a number of S5 errors like the following:

Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007


I typically have not seen this error.  I'm not sure when it started.  I'm concerned because in each case, the source and destination IPs are identical to one another, and because in each case the address is a public address outside of my network.  Can someone help me to understand what's happening, and if correctable, what kinds of Snort configuration changes can correct this?

Thanks,
Dave
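Added example (not code from the thread or from the Snort project): a small Python triage script for the S5 prune messages Dave reported, built on the LogMessage() format string Al quoted above. It parses each message, reports how far over max_queued_bytes the session went, flags sessions whose two endpoints are the same address, and flags sessions where neither endpoint is in the monitored networks. The sample log lines and the HOME_NETS prefix are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Body of the LogMessage() format string quoted in the thread. The "S5: " prefix is
# optional (the line pasted in the report lacks it); the LWstate/LWFlags tail is optional too.
S5_RE = re.compile(
    r"(?:S5: )?Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
    r"(?: \(\d+\) : LWstate 0x[0-9a-fA-F]+ LWFlags (?P<lwflags>0x[0-9a-fA-F]+))?"
)

@dataclass
class PruneEvent:
    limit: int              # configured max bytes to queue
    used: int               # bytes queued when Stream5 pruned the session
    queue: str              # "client" or "server" queue
    src: str
    sport: int
    dst: str
    dport: int
    lwflags: Optional[int]  # LWFlags value when present in the line

    @property
    def overshoot(self) -> int:
        """Bytes over the configured limit at prune time."""
        return self.used - self.limit

    @property
    def same_endpoint(self) -> bool:
        """Source and destination address identical, as in the report."""
        return self.src == self.dst

def parse_line(line: str) -> Optional[PruneEvent]:
    """Return a PruneEvent for an S5 prune message, None for any other line."""
    m = S5_RE.search(line)
    if m is None:
        return None
    flags = int(m["lwflags"], 16) if m["lwflags"] else None
    return PruneEvent(int(m["limit"]), int(m["used"]), m["queue"], m["src"],
                      int(m["sport"]), m["dst"], int(m["dport"]), flags)

def locality(addr: str, home_nets) -> Optional[bool]:
    """True if addr is inside home_nets, False if outside, None if it is not a
    parseable address (e.g. the redacted xx.xx.xx.xx in the report)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in home_nets)

def triage(lines, home_nets):
    """Summarise prune messages: how far over the limit sessions went, which have
    identical endpoints, and which involve no host in the monitored networks."""
    events = [e for e in map(parse_line, lines) if e is not None]
    summary = {
        "parsed": len(events),
        "max_overshoot": max((e.overshoot for e in events), default=0),
        "same_endpoint": [],     # (src, sport, dst, dport) with src == dst
        "both_external": [],     # neither endpoint inside home_nets
        "unknown_locality": [],  # redacted or unparseable addresses
        "by_dport": {},          # destination port -> number of prunes
    }
    for e in events:
        key = (e.src, e.sport, e.dst, e.dport)
        summary["by_dport"][e.dport] = summary["by_dport"].get(e.dport, 0) + 1
        if e.same_endpoint:
            summary["same_endpoint"].append(key)
        src_local, dst_local = locality(e.src, home_nets), locality(e.dst, home_nets)
        if src_local is None or dst_local is None:
            summary["unknown_locality"].append(key)
        elif not src_local and not dst_local:
            summary["both_external"].append(key)
    return summary

# Constructed sample input: the first line is the one from the report (addresses
# redacted as posted); the rest are made up, using RFC 5737 test ranges for
# "public" addresses and 10.0.0.0/8 for the monitored network.
SAMPLE_LOG = [
    "Session exceeded configured max bytes to queue 1048576 using 1050000 bytes "
    "(client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "S5: Session exceeded configured max bytes to queue 1048576 using 1052000 bytes "
    "(server queue). 198.51.100.7 44321 --> 198.51.100.7 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "S5: Session exceeded configured max bytes to queue 1048576 using 1049000 bytes "
    "(client queue). 10.0.0.5 51000 --> 203.0.113.9 443 (0) : LWstate 0x9 LWFlags 0x6007",
    "Apr  7 16:59:45 sensor snort[2499]: S5: Session exceeded configured max bytes to "
    "queue 1048576 using 1060000 bytes (client queue). 203.0.113.21 60001 --> "
    "198.51.100.3 80 (0) : LWstate 0x9 LWFlags 0x6007",
    "Apr  7 16:59:46 sensor snort[2499]: Commencing packet processing (pid=2499)",  # unrelated, ignored
]
HOME_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the monitored LAN

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG, HOME_NETS).items():
        print(f"{name}: {value}")
```

A run against real syslog output would replace SAMPLE_LOG with the sensor's lines and HOME_NETS with the site's actual prefixes; a non-empty both_external list, as in Dave's case, points at a span port that sees transit traffic rather than at a Stream5 misconfiguration.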

 




John Devine | 8 Apr 20:06 2016

snort not alerting on same ip ssh attack after restart

Hi all,

I am testing alerts on snort 2.9.2.2 on a box running Debian by using a mock ssh attack to trigger one of snort's default rules. The rule is generated after 5 ssh attempts are made within 60 seconds. I am using snort as-is; I have created no custom rules. I can reproduce this about once a day, but after a reboot of the box or restart of snort it will not generate an alert after using the same mock ssh attack, even when I 'attack' it from a different IP. My guess is that there is some default local event filter for a specific rule that prevents the alert from generating again within a certain timeframe. I tried creating a global event filter (event_filter gen_id 0, sig_id 0, type both, track by_src, count -1, seconds 1) in the hope of circumventing all time limits and thresholds that could be preventing snort from alerting. Is there a way to disable any default filters that are preventing snort from generating multiples of the same alerts? If that is even the problem. Essentially, I want snort to be able to generate the same alert every time it happens, which it currently does not.

Thanks.

wgm-it | 8 Apr 16:51 2016

barnyard failing to start upon pulled pork update

Hi,

I'm having some problems starting Barnyard2 with a new Snort 2.9.8.2 installation.

 

 

Step 1

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

OK

 

Step 2

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

OK

 

Step 3

mysql -u snort -p -D snort -e "select count(*) from event"

OK – MySQL events number increases (e.g. after ping)

 

Step 4

Kill snort process

kill barnyard2 process

 

Step 5

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Errors when generating Stub Rules

 

Step 6

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

barnyard2 hangs for 2 minutes

 

Step 7

mysql -u snort -p -D snort -e "select count(*) from event"

MySQL events number remains constant (e.g. after ping)

 

 

Thanks a lot in advance for your cooperation.

 

 

Best regards

Alexej Teplitsky

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/var/log/snort/barnyard2.waldo -g snort -u snort -D
-----------------------------------------------------------------------------------------------------------------------------------

Apr  7 16:59:45 at-desktop barnyard2[2499]: Running in Continuous mode
Apr  7 16:59:45 at-desktop barnyard2[2499]: 
Apr  7 16:59:45 at-desktop barnyard2[2499]:         --== Initializing Barnyard2 ==--
Apr  7 16:59:45 at-desktop barnyard2[2499]: Initializing Input Plugins!
Apr  7 16:59:45 at-desktop barnyard2[2499]: Initializing Output Plugins!
Apr  7 16:59:45 at-desktop barnyard2[2499]: Parsing config file "/etc/snort/barnyard2.conf"
Apr  7 16:59:45 at-desktop barnyard2[2499]: #012#012+[ Signature Suppress list ]+#012----------------------------
Apr  7 16:59:45 at-desktop barnyard2[2499]: +[No entry in Signature Suppress List]+
Apr  7 16:59:45 at-desktop barnyard2[2499]: ----------------------------#012+[ Signature Suppress
list ]+#012
Apr  7 16:59:45 at-desktop barnyard2[2499]: Barnyard2 spooler: Event cache size set to [2048] 
Apr  7 16:59:45 at-desktop barnyard2[2499]: Log directory = /var/log/barnyard2
Apr  7 16:59:45 at-desktop barnyard2[2499]: INFO database: Defaulting Reconnect/Transaction Error
limit to 10 
Apr  7 16:59:45 at-desktop barnyard2[2499]: INFO database: Defaulting Reconnect sleep time to 5 second 
Apr  7 16:59:45 at-desktop barnyard2[2499]: Initializing daemon mode
Apr  7 16:59:45 at-desktop barnyard2[2500]: Daemon initialized, signaled parent pid: 2499
Apr  7 16:59:45 at-desktop barnyard2[2500]: PID path stat checked out ok, PID path set to /var/run/
Apr  7 16:59:45 at-desktop barnyard2[2499]: Daemon parent exiting
Apr  7 16:59:45 at-desktop barnyard2[2500]: Writing PID "2500" to file "/var/run//barnyard2_NULL.pid"
Apr  7 16:59:45 at-desktop barnyard2[2500]: #012[CacheSynchronize()],INFO: No system was found in
cache (from signature map file), will not process or synchronize informations found in the database #012
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: compiled support for (mysql)
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: configured to use mysql
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: schema version = 107
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:           host = localhost
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:           user = snort
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:  database name = snort
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:    sensor name = at-desktop:NULL
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:      sensor id = 1
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:     sensor cid = 1
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:  data encoding = hex
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:   detail level = full
Apr  7 16:59:45 at-desktop barnyard2[2500]: database:     ignore_bpf = no
Apr  7 16:59:45 at-desktop barnyard2[2500]: database: using the "log" facility
Apr  7 16:59:45 at-desktop barnyard2[2500]: 
Apr  7 16:59:45 at-desktop barnyard2[2500]:         --== Initialization Complete ==--
Apr  7 16:59:45 at-desktop barnyard2[2500]: Barnyard2 initialization completed successfully (pid=2500)
Apr  7 16:59:45 at-desktop barnyard2[2500]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Apr  7 16:59:45 at-desktop barnyard2[2500]: Waiting for new spool file
Apr  7 17:02:35 at-desktop anacron[941]: Job `cron.daily' started
Apr  7 17:02:35 at-desktop anacron[2528]: Updated timestamp for job `cron.daily' to 2016-04-07

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/var/log/snort/barnyard2.waldo -g snort -u snort -D
---------------------------------------------------------------------------------------------------------------------------------

Apr  7 19:11:16 at-desktop barnyard2[2835]: Running in Continuous mode
Apr  7 19:11:16 at-desktop barnyard2[2835]: 
Apr  7 19:11:16 at-desktop barnyard2[2835]:         --== Initializing Barnyard2 ==--
Apr  7 19:11:16 at-desktop barnyard2[2835]: Initializing Input Plugins!
Apr  7 19:11:16 at-desktop barnyard2[2835]: Initializing Output Plugins!
Apr  7 19:11:16 at-desktop barnyard2[2835]: Parsing config file "/etc/snort/barnyard2.conf"
Apr  7 19:11:16 at-desktop barnyard2[2835]: #012#012+[ Signature Suppress list ]+#012----------------------------
Apr  7 19:11:16 at-desktop barnyard2[2835]: +[No entry in Signature Suppress List]+
Apr  7 19:11:16 at-desktop barnyard2[2835]: ----------------------------#012+[ Signature Suppress
list ]+#012
Apr  7 19:12:06 at-desktop barnyard2[2835]: Barnyard2 spooler: Event cache size set to [2048] 
Apr  7 19:12:06 at-desktop barnyard2[2835]: Log directory = /var/log/barnyard2
Apr  7 19:12:06 at-desktop barnyard2[2835]: INFO database: Defaulting Reconnect/Transaction Error
limit to 10 
Apr  7 19:12:06 at-desktop barnyard2[2835]: INFO database: Defaulting Reconnect sleep time to 5 second 
Apr  7 19:12:06 at-desktop barnyard2[2835]: Initializing daemon mode
Apr  7 19:12:06 at-desktop barnyard2[2840]: Daemon initialized, signaled parent pid: 2835
Apr  7 19:12:06 at-desktop barnyard2[2835]: Daemon parent exiting
Apr  7 19:12:06 at-desktop barnyard2[2840]: PID path stat checked out ok, PID path set to /var/run/
Apr  7 19:12:06 at-desktop barnyard2[2840]: Writing PID "2840" to file "/var/run//barnyard2_NULL.pid"
Apr  7 19:15:51 at-desktop barnyard2[2840]: [SystemPullDataStore()]: No System found in database ... 
Apr  7 19:15:51 at-desktop barnyard2[2840]: [ReferencePullDataStore()]: No Reference found in
database ... 
Apr  7 19:17:01 at-desktop CRON[2859]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
     https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.2 - E.Coli in your water bottle!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2015 JJ Cummings
   <at> _/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2982.tar.gz....
Rules tarball download of snortrules-snapshot-2982.tar.gz....
	They Match
	Done!
Rules tarball download of community-rules.tar.gz....
IP Blacklist download of http://talosintel.com/feeds/ip-filter.blf....
Reading IP List...
Checking latest MD5 for opensource.gz....
Rules tarball download of opensource.gz....
	They Match
	Done!
Prepping rules from snortrules-snapshot-2982.tar.gz for work....
	Done!
Prepping rules from opensource.gz for work....
	Done!
Prepping rules from community-rules.tar.gz for work....
	Done!
Reading rules...
Generating Stub Rules....
	An error occurred: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
	An error occurred: WARNING: ip4 normalizations disabled because not inline.
	An error occurred: WARNING: tcp normalizations disabled because not inline.
	An error occurred: WARNING: icmp4 normalizations disabled because not inline.
	An error occurred: WARNING: ip6 normalizations disabled because not inline.
	An error occurred: WARNING: icmp6 normalizations disabled because not inline.
	Done
Reading rules...
Reading rules...
Writing Blacklist File /etc/snort/rules/iplists/black_list.rules....
Writing Blacklist Version 929247585 to /etc/snort/rules/iplistsIPRVersion.dat....
Setting Flowbit State....
	Enabled 9 flowbits
	Done
Writing /etc/snort/rules/snort.rules....
	Done
Generating sid-msg.map....
	Done
Writing v2 /etc/snort/sid-msg.map....
	Done
Writing /var/log/sid_changes.log....
	Done
Rule Stats...
	New:-------28143
	Deleted:---0
	Enabled Rules:----8332
	Dropped Rules:----0
	Disabled Rules:---19812
	Total Rules:------28144
IP Blacklist Stats...
	Total IPs:-----38945

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Attachment (4. snort.conf): application/octet-stream, 29 KiB
Attachment (5. barnyard2.conf): application/octet-stream, 13 KiB
Attachment (6. pulledpork.conf): application/octet-stream, 11 KiB
Y M | 8 Apr 09:30 2016

snort.conf differences in Snort 2.9.8.2

Hello all,


snort.conf in the Snort 2.9.8.2 tarball is not in sync with the snort.conf at https://www.snort.org/documents/snort-2982-conf. Importantly, the differences involve port definitions, rule inclusion, and preprocessor configurations. The major differences are posted below. Which conf file should I go by?


1. snort.conf in snort-2.9.8.2.tar.gz contains the legacy dynamic libraries only. It does not include the new ones as defined in this blog post: http://blog.snort.org/2014/08/snort-subscriber-ruleset-re.html.

2. HTTP_PORTS

3. normalize_tcp options

4. stream5_tcp options and ports

5. http_inspect_server ports

6. ssl preprocessor ports

7. rules files inclusion.


YM

Dave Corsello | 7 Apr 20:08 2016

Stream5 error

I'm getting a number of S5 errors like the following:

Session exceeded configured max bytes to queue 1048576 using 1050000 bytes (client queue). xx.xx.xx.xx 13624 --> xx.xx.xx.xx 80 (0) : LWstate 0x9 LWFlags 0x6007

I typically have not seen this error.  I'm not sure when it started.  I'm concerned because in each case, the source and destination IPs are identical to one another, and because in each case the address is a public address outside of my network.  Can someone help me to understand what's happening, and if correctable, what kinds of Snort configuration changes can correct this?

Thanks,
Dave