H i | 15 Jul 19:45 2014

snort Installer not copying over

Hello all, I am a new Snort enthusiast and I'm having trouble downloading it. When I copy it down, the .exe gets stripped away, and when I go to install, it's looking for an application to open it. I never ran into this problem before; can someone assist in this matter?
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Joel Esler (jesler | 15 Jul 16:39 2014

Snort Blog: OpenAppId Detector Developer Guide has been posted!

OpenAppId Detector Developer Guide has been posted!


If you take a look at the new dedicated section to OpenAppId on Snort.org, at https://www.snort.org/downloads, you will see that we include a new OpenAppId Detector Developer Guide.

Take a look at the below:
http://blog.snort.org/2014/07/openappid-detector-developer-guide-has.html


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
Anshuman Anil Deshmukh | 15 Jul 13:34 2014

[SOLVED] RE: HTTP 422 when trying to download rulesets with pulledpork

Thanks, Joel, for pointing out the issue. I have upgraded to the latest version of Snort and now there are no issues updating the rules.

 

Regards,

Anshuman

 

From: Joel Esler (jesler) [mailto:jesler <at> cisco.com]
Sent: Sunday, July 13, 2014 6:20 PM
To: Anshuman Anil Deshmukh
Cc: snort-users mailinglist
Subject: Re: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork

 

Downloading 2956 rules should work for you until you can upgrade. 

--

Joel Esler

Sent from my iPhone


On Jul 13, 2014, at 6:32, "Anshuman Anil Deshmukh" <anshuman <at> cybage.com> wrote:

Yes Joel I am still on 2950

Regards,
Anshuman

Sent from Handheld

On 13-Jul-2014 12:19 pm, "Joel Esler (jesler)" <jesler <at> cisco.com> wrote:

Ah, you are trying to download 2950.  That version is EOL. 

--

Joel Esler

Sent from my iPhone


On Jul 13, 2014, at 1:29, "Anshuman Anil Deshmukh" <anshuman <at> cybage.com> wrote:

Hi Joel,

 

I am still getting the error. Below is the detailed log of pulledpork, just for you to check what could have gone wrong. Please note that I have removed my oinkcode from the log. As said in my previous mail, I was able to update the rules previously with no issues. I have been getting this error since the snort.org website was migrated to the newer version.

 

Command -

perl pulledpork.pl -c /etc/pulledpork070/pulledpork-0.7.0/etc/pulledpork.conf -m /etc/snort/sid-msg.map -I security -P -vv

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use of uninitialized value $Value in pattern match (m//) at pulledpork.pl line 108, <CONFIG> line 175.
Config File Variable Debug /etc/pulledpork070/pulledpork-0.7.0/etc/pulledpork.conf
                snort_path = /usr/sbin/snort
                black_list = /etc/snort/rules/default.blacklist
                pid_path = /var/run/snort_eth2.pid,/var/run/barnyard2.pid
                IPRVersion = /etc/snort/rules/default.blacklist
                rule_path = /etc/snort/rules/snort.rules
                ignore = deleted.rules,experimental.rules,local.rules
                rule_url = ARRAY(0x1aecbb0)
                snort_version = 2.9.5.0
                sid_msg_version = 1
                sid_changelog = /var/log/sid_changes.log
                sid_msg = /etc/snort/sid-msg.map
                backup_file = /tmp/pp070_backup
                config_path = /etc/snort/snort.conf
                temp_path = /etc/snort/tmp/
                distro = Centos-5-4
                version = 0.7.0
                sorule_path = /usr/local/lib/snort_dynamicrules/
                disablesid = /etc/pulledpork070/pulledpork-0.7.0/etc/disablesid.conf
MISC (CLI and Autovar) Variable Debug:
                Process flag specified!
                arch Def is: x86-64
                Config Path is: /etc/pulledpork070/pulledpork-0.7.0/etc/pulledpork.conf
                Distro Def is: Centos-5-4
                security policy specified
                Rules file is: /etc/snort/rules/snort.rules
                Path to disablesid file: /etc/pulledpork070/pulledpork-0.7.0/etc/disablesid.conf
                sid changes will be logged to: /var/log/sid_changes.log
                sid-msg.map Output Path is: /etc/snort/sid-msg.map
                Snort Version is: 2.9.5.0
                Snort Config File: /etc/snort/snort.conf
                Snort Path is: /usr/sbin/snort
                SO Output Path is: /usr/local/lib/snort_dynamicrules/
                Will process SO rules
                Extra Verbose Flag is Set
                Verbose Flag is Set
                Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|oinkcode https://www.snort.org/reg-rules/|opensource.gz|oinkcode https://rules.emergingthreats.net/|emerging.rules.tar.gz|open https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
Checking latest MD5 for snortrules-snapshot-2950.tar.gz....
                Fetching md5sum for: snortrules-snapshot-2950.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5/oinkcode ==> 422 Unprocessable Entity (1s)
                Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5 at pulledpork.pl line 463
                main::md5file('oinkcode', 'snortrules-snapshot-2950.tar.gz', '/etc/snort/tmp/', 'https://www.snort.org/reg-rules/') called at pulledpork.pl line 1847

 

 

Regards,

Anshuman

 

From: Joel Esler (jesler) [mailto:jesler <at> cisco.com]
Sent: Sunday, July 13, 2014 5:31 AM
To: Joel Esler (jesler)
Cc: snort-users mailinglist
Subject: Re: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork

 

BTW — This has been fixed.  Don’t remember if I addressed this with the list yesterday, but if anyone is seeing any more issues with downloads and purchases or if you just want to provide some feedback on the new Snort.org, please let us know!

 

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

 

On Jul 11, 2014, at 11:52 AM, Joel Esler (jesler) <jesler <at> cisco.com> wrote:

 

We’ve identified the issue with opensource.gz.  This should be fixed shortly.


On Jul 11, 2014, at 10:37 AM, Avery Rozar <Avery.Rozar <at> i-techsupport.com> wrote:

I was getting the same thing on opensource.gz. I had to comment that out for it to work.

From: Anshuman Anil Deshmukh <anshuman <at> cybage.com>
Date: Friday, July 11, 2014 at 10:02 AM
To: "'Joel Esler (jesler)'" <jesler <at> cisco.com>
Cc: snort-users mailinglist <snort-users <at> lists.sourceforge.net>
Subject: Re: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork

Hi Joel,

Here is where I am downloading from-

rule_url=https://www.snort.org/reg-rules/|opensource.gz|e5454e32094dd017be5907b5cacb387eb55d2152
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open

Just to let you know I was able to download the rules till day before yesterday.


Regards,
Anshuman

From: Joel Esler (jesler) [mailto:jesler <at> cisco.com]
Sent: Friday, July 11, 2014 5:42 PM
To: Anshuman Anil Deshmukh
Cc: snort-users mailinglist
Subject: Re: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork

What file are you trying to download?

--
Joel Esler
Sent from my iPhone

On Jul 11, 2014, at 3:21, "Anshuman Anil Deshmukh" <anshuman <at> cybage.com> wrote:
Hi,

We are still having issues downloading the rules. Is this going to take some more time to fix?


Regards,
Anshuman

From: Joel Esler (jesler) [mailto:jesler <at> cisco.com]
Sent: Friday, July 11, 2014 12:10 AM
To: Starner, Mark
Cc: snort-users mailinglist
Subject: Re: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork

It’s an error on our side, you shouldn’t have to change a thing.


On Jul 10, 2014, at 2:15 PM, Starner, Mark <mark.starner <at> unisys.com> wrote:



So, once it is working on the snort.org website, the new rule_url line should be as you specified below, with no |, ignoring the rules specified?
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789

Very confused!

Thanks
Mark


From: Shirkdog [mailto:shirkdog <at> gmail.com]
Sent: Thursday, July 10, 2014 8:46 AM
To: Anshuman Anil Deshmukh
Cc: snort-users mailinglist
Subject: Re: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork


I will work on updating the default for pulled pork, but use the following URL, per the new website:

https://www.snort.org/rules/snortrules-snapshot-29xx-tar.gz?<oinkcode>
On Jul 10, 2014 8:40 AM, "Anshuman Anil Deshmukh" <anshuman <at> cybage.com> wrote:

Hi,



I am getting the same error too. In my case the only difference is that I am on the older version. Is it something to do with the recent changes that happened on the website?

Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<my oinkcode> https://www.snort.org/reg-rules/|opensource.gz|<my oinkcode> https://rules.emergingthreats.net/|emerging.rules.tar.gz|open https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open

Checking latest MD5 for snortrules-snapshot-2950.tar.gz....
              Fetching md5sum for: snortrules-snapshot-2950.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5/<my oinkcode> ==> 422 Unprocessable Entity (2s)
              Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz.md5 at pulledpork.pl line 463
              main::md5file('<my oinkcode>', 'snortrules-snapshot-2950.tar.gz', '/etc/snort/tmp/', 'https://www.snort.org/reg-rules/') called at pulledpork.pl line 1847





Regards,

Anshuman





-----Original Message-----
From: Laszlo Toth [mailto:laszlo.toth <at> linguamatics.com]
Sent: Thursday, July 10, 2014 5:00 PM
To: snort-users <at> lists.sourceforge.net
Subject: [Snort-users] HTTP 422 when trying to download rulesets with pulledpork



Hi,



I'm trying to download the registered rules with pulledpork but I'm getting the following error message:



Rules tarball download of snortrules-snapshot-2961.tar.gz....
       Error 422 when fetching snortrules-snapshot-2961.tar.gz at ./pulledpork.pl line 408
       main::rulefetch('oinkcode', 'snortrules-snapshot-2961.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at ./pulledpork.pl line 1856

Pulledpork rule config:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|oinkcode

I get the same HTTP response code when I try to manually download the rules from https://www.snort.org/reg-rules/snortrules-snapshot-2961.tar.gz/oinkcode



Am I missing something?

Thanks,

Laszlo



--
Laszlo Toth
Systems administrator
Linguamatics
324 Cambridge Science Park
Milton Road
Cambridge
CB4 0WG
UK
Telephone number: +44 (0)1223 651910
www.linguamatics.com









"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>


 



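The thread above turns on three details of how PulledPork fetches rules: each rule_url line is url|tarball|oinkcode, the generic snortrules-snapshot.tar.gz name is expanded with the Snort version (2.9.5.0 became snortrules-snapshot-2950.tar.gz, and Joel suggests pinning 2956 for an EOL install), and the oinkcode is appended as the last path component of both the .md5 and tarball URLs, which is why Anshuman had to strip it from the debug output by hand and why one message in the thread ended up pasting a raw oinkcode to a public list. The following is an added example, not code from the thread or from PulledPork itself: it parses that rule_url format, derives the versioned name (with the override), rebuilds the URLs the logs show, warns about the one feed fetched over plain HTTP (a blocklist that drives blocking deserves transport integrity), and redacts oinkcodes before a log line is emitted. The sample config and the 40-hex placeholder code are constructed; the handling of the IPBLACKLIST entry and the function names are assumptions.

```python
"""Added example; not code from the thread or from PulledPork itself.

Parses the rule_url format quoted in the thread (url|tarball|oinkcode),
derives the versioned tarball name the logs show (snort_version 2.9.5.0 ->
snortrules-snapshot-2950.tar.gz), rebuilds the two URLs that appear in the
logs, flags feeds fetched over plain HTTP, and redacts oinkcodes before any
log line is produced.  The sample config and the 40-hex code are constructed
placeholders; handling of the IPBLACKLIST entry is an assumption."""
import re

SAMPLE_CONF = """\
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://www.snort.org/reg-rules/|opensource.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
"""

PUBLIC_TOKENS = {"open", "Community"}           # third-field values that are not secrets
OINKCODE_RE = re.compile(r"\b[0-9a-f]{40}\b")   # shape of the oinkcodes seen in the thread


def parse_rule_urls(conf_text):
    """Return [(base_url, tarball, token)] for every rule_url= line."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("rule_url="):
            continue
        parts = line[len("rule_url="):].split("|")
        if len(parts) != 3 or not all(parts):
            raise ValueError("rule_url must be url|tarball|oinkcode: %r" % line)
        entries.append(tuple(parts))
    return entries


def snapshot_name(tarball, snort_version, override=None):
    """snortrules-snapshot.tar.gz + snort 2.9.5.0 -> snortrules-snapshot-2950.tar.gz.
    override pins another snapshot (the thread suggests 2956 while an EOL
    2.9.5.0 is still installed); any other tarball is returned unchanged."""
    if tarball != "snortrules-snapshot.tar.gz":
        return tarball
    ver = override or snort_version.replace(".", "")
    if not re.fullmatch(r"\d{4}", ver):
        raise ValueError("expected a 4-digit snapshot version, got %r" % ver)
    return "snortrules-snapshot-%s.tar.gz" % ver


def fetch_urls(base, name, token):
    """Rebuild what the logs show for a credentialed snort.org entry: the .md5
    sidecar and the tarball, each with the oinkcode as the last path component.
    Public feeds get no credential appended; for IPBLACKLIST the base URL is
    the file itself (assumption)."""
    if not base.endswith("/"):
        base += "/"
    if name == "IPBLACKLIST":
        return (base.rstrip("/"),)
    if token in PUBLIC_TOKENS:
        return (base + name,)
    return (base + name + ".md5/" + token, base + name + "/" + token)


def redact(text, secrets):
    """Replace every known secret, and anything oinkcode-shaped, with <oinkcode>
    so the value never reaches a log file, bug report or mailing list."""
    for tok in secrets:
        text = text.replace(tok, "<oinkcode>")
    return OINKCODE_RE.sub("<oinkcode>", text)


def plan_downloads(conf_text, snort_version, override=None):
    """Return (redacted log lines, warnings) without fetching anything."""
    entries = parse_rule_urls(conf_text)
    secrets = {tok for _, _, tok in entries if tok not in PUBLIC_TOKENS}
    lines, warnings = [], []
    for base, tarball, tok in entries:
        if not base.startswith("https://"):
            warnings.append("%s is fetched over plain HTTP; its contents can be "
                            "altered in transit" % base)
        name = snapshot_name(tarball, snort_version, override)
        urls = fetch_urls(base, name, tok)
        lines.append(redact(" then ".join("GET " + u for u in urls), secrets))
    return lines, warnings


if __name__ == "__main__":
    log, warns = plan_downloads(SAMPLE_CONF, "2.9.5.0", override="2956")
    print("\n".join(log + warns))
```

Running the block prints the redacted fetch plan for the 2956 snapshot plus one warning for the http:// blocklist feed. The redaction runs on every line before it is emitted rather than on the log afterwards, so the credential is never written in the first place; the regex fallback catches a code that was pasted somewhere other than the third field.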
cfp | 15 Jul 07:16 2014

Ruxcon 2014 Final Call For Presentations

[Ruxcon ASCII-art banner: www.ruxcon.org.au]
Introduction

The Ruxcon team is pleased to announce the Final Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 15th of September, 2014.

About Ruxcon

Ruxcon is the premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

Important Dates

  • September 15 - Call For Presentations Close
  • October 6-7 - Ruxcon/Breakpoint Training
  • October 8-9 - Breakpoint Conference
  • October 11-12 - Ruxcon Conference

Topic Scope

Topics of interest include, but are not limited to:

  • Mobile Device Security
  • Virtualization, Hypervisor, and Cloud Security
  • Malware Analysis
  • Reverse Engineering
  • Exploitation Techniques
  • Rootkit Development
  • Code Analysis
  • Forensics and Anti-Forensics
  • Embedded Device Security
  • Web Application Security
  • Network Traffic Analysis
  • Wireless Network Security
  • Cryptography and Cryptanalysis
  • Social Engineering
  • Law Enforcement Activities
  • Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)
Submission Guidelines

In order for us to process your submission we require the following information:

1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in the presentation
7. Information on where the presentation material has or will be presented before Ruxcon

As a general guideline, Ruxcon presentations are between 45 and 60 minutes, including question time.

Please note that Ruxcon isn't able to cover any travel expenses for speakers. Speakers in the past have had success in having their employer cover conference related expenses. Our other conference Breakpoint does cover travel expenses and runs 3 days before Ruxcon.

If you have any enquiries about submissions, or would like to make a submission, please send an email to presentations <at> ruxcon.org.au

Tony Reusser | 14 Jul 20:09 2014

FW: Multiple instances of snort -G option

I also run multiple instances of Snort on one box.  However, the reason I’m doing it is to have two distinct sensors.  My “sensors” are just two GigE interfaces on the box.  For each one I’m running a separate instance of Snort with a distinct config file along with two instances of barnyard.

 

I don’t bother with the ‘-G’ option.  My startup commands just reflect each conf file and I use the ‘-i’ option for each interface.  Examples follow:

 

/usr/local/bin/snort -dD -c /etc/snort/snort_eth0.conf -i eth0
/usr/local/bin/snort -dD -c /etc/snort/snort_eth1.conf -i eth1
#
/usr/local/bin/barnyard2 -D -f snort_eth0.u2 -d /var/log/snort/eth0_logs -c /etc/snort/barnyard2_eth0.conf
/usr/local/bin/barnyard2 -D -f snort_eth1.u2 -d /var/log/snort/eth1_logs -c /etc/snort/barnyard2_eth1.conf

 

This doesn’t really apply to your situation as it seems you want to run two instances of snort on one interface using one config file.  But this is what I’ve figured out FWIW.

 

Tony Reusser

Filer Mutual Telephone Co.

 

From: Robert Millott [mailto:robm <at> millottandassociates.com]
Sent: Monday, July 14, 2014 8:37 AM
To: snort-users
Subject: [Snort-users] Multiple instances of snort -G option

 

I am running two instances of snort on one machine, to handle the traffic load.  I have split the traffic using BPF filters, so one instance sees just web traffic, while the second instance handles everything else.  I am running snort 2.9.6 on a Gentoo 3.14.4 host.

  I have read in the snort manual about using the -G multiple instance identifier.  I added this to my command line when starting up snort, using "-G 1" on the first instance and "-G 2" on the second instance. Snort starts up and runs just fine, but I don't see anything different in my output.  I am logging to /var/log/messages and I don't see any "1" or "2" added in.  I compared snort output with the -G switch to snort output without the -G switch and I don't see a difference.

 

Anyone out there using this option?  If so, where does that instance identifier show up?  

 

Thanx

 

--
Robert Millott
President, Millott and Associates
(443) 255-3588

Joel Esler (jesler | 14 Jul 17:23 2014

Snort Blog: Snort Subscriber Rule Set Update

Snort Subscriber Rule Set Update


In the post about the new website, I had a section about our new rule packaging structure.  Let me expand on it a bit so that everyone understands.

Please click below for more details on the recent changes to the Snort Subscriber Rule Set.


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
Robert Millott | 14 Jul 16:36 2014

Multiple instances of snort -G option

I am running two instances of snort on one machine, to handle the traffic load.  I have split the traffic using BPF filters, so one instance sees just web traffic, while the second instance handles everything else.  I am running snort 2.9.6 on a Gentoo 3.14.4 host.

I have read in the snort manual about using the -G multiple instance identifier.  I added this to my command line when starting up snort, using "-G 1" on the first instance and "-G 2" on the second instance. Snort starts up and runs just fine, but I don't see anything different in my output.  I am logging to /var/log/messages and I don't see any "1" or "2" added in.  I compared snort output with the -G switch to snort output without the -G switch and I don't see a difference.

Anyone out there using this option?  If so, where does that instance identifier show up?  

Thanx

--
Robert Millott
President, Millott and Associates
(443) 255-3588
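Where the -G identifier actually lands, as an added example (editor's code, not from the thread or from the Snort project): Snort shifts the -G value into the upper 16 bits of the 32-bit event_id it writes into unified2 records, with the per-instance event counter in the lower 16 bits. Syslog and alert_fast output never print the event_id, so the instance ID is not visible there at all; it is only there to keep event IDs unique across instances logging to unified2. The script constructs a unified2 stream in memory with one legacy IDS event (record type 7, 52 bytes, network byte order) from an instance started with -G 1 and one from -G 2, then parses the instance IDs back out. The sensor values, addresses and SIDs are made up.

```python
"""Parse the -G instance ID out of unified2 IDS event records (added example)."""
import struct
import ipaddress

UNIFIED2_IDS_EVENT = 7          # Unified2IDSEvent_legacy record type
# sensor_id, event_id, event_second, event_microsecond, signature_id, generator_id,
# signature_revision, classification_id, priority_id, ip_source, ip_destination,
# sport_itype, dport_icode, protocol, impact_flag, impact, blocked
EVENT_FMT = "!11I2H4B"          # 52 bytes, big-endian
EVENT_LEN = struct.calcsize(EVENT_FMT)


def build_event(instance_id, counter, gid, sid, src, dst, sport, dport):
    """Construct one unified2 IDS event as a Snort instance started with -G instance_id would.

    Snort forms event_id = (instance_id << 16) | counter; -G is limited to 0..65535.
    """
    if not 0 <= instance_id <= 0xFFFF:
        raise ValueError("-G accepts 0..65535")
    event_id = (instance_id << 16) | (counter & 0xFFFF)
    body = struct.pack(EVENT_FMT,
                       0,                       # sensor_id
                       event_id,
                       1405353780,              # event_second (constructed)
                       0,                       # event_microsecond
                       sid, gid, 1,             # signature_id, generator_id, signature_revision
                       0, 3,                    # classification_id, priority_id
                       int(ipaddress.IPv4Address(src)),
                       int(ipaddress.IPv4Address(dst)),
                       sport, dport,
                       6, 0, 0, 0)              # protocol=TCP, impact_flag, impact, blocked
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body


def parse_events(blob):
    """Return a dict per legacy IDS event; other record types are skipped by their length field."""
    events = []
    off = 0
    while off + 8 <= len(blob):
        rtype, length = struct.unpack_from("!II", blob, off)
        off += 8
        if rtype == UNIFIED2_IDS_EVENT and length == EVENT_LEN:
            f = struct.unpack_from(EVENT_FMT, blob, off)
            events.append({
                "instance_id": f[1] >> 16,        # what -G set (0 when -G was not given)
                "event_counter": f[1] & 0xFFFF,   # per-instance running count
                "gid": f[5], "sid": f[4],
                "src": str(ipaddress.IPv4Address(f[9])),
                "dst": str(ipaddress.IPv4Address(f[10])),
            })
        off += length
    return events


def instances_seen(blob):
    """Sorted list of distinct -G instance IDs present in a unified2 stream."""
    return sorted({e["instance_id"] for e in parse_events(blob)})


if __name__ == "__main__":
    # Two instances each logging their first event: same counter, distinct event_id,
    # because the instance ID occupies the top half.
    blob = (build_event(1, 1, 1, 2000001, "10.0.0.5", "10.0.0.9", 51803, 80)
            + build_event(2, 1, 1, 2000002, "10.0.0.6", "10.0.0.9", 40000, 25))
    for e in parse_events(blob):
        print(e)
    print("instances:", instances_seen(blob))
```

To check a real sensor, read one of the snort.u2.* files from the -l directory into `parse_events` and look at `instance_id`; if unified2 output is not configured in snort.conf, -G has nothing to write to.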
Majed | 11 Jul 15:52 2014

SMTP_Header_Name_Overflow

Dears,

I am getting too many events after enabling the SMTP preprocessor.

here is a sample event capture :


Transmission Control Protocol (Src Port: 51803 (51803), Dst Port: 25 (25), Seq: 1, Ack: 1, Len: 1460)

Source port: 51803
Destination port: 25
Stream index: 0
Sequence number: 1 (relative sequence number)
Next sequence number: 1461 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Header length: 20 bytes
Flags:
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 0... = Push: Not set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
Window size value: 255
Calculated window size: 255
Window size scaling factor: -1 (unknown)
Checksum: Good Checksum: False, Bad Checksum: False
Bytes in flight: 1460

Simple Mail Transfer Protocol

Command: \003\265\030\266 Request parameter [truncated]: \215o&I\336\332\213\267\367\203j\311w@\263D\300\333\336\201\215\220\273\263v\207\330\005 8\331\353$\2707\220u\255\b\272G\020\312\255\033i\205$4X\004\033\223\305\3743\204\210\343k\222\352L\022>\300aB\371'\260\
Command: \230\213\034z Request parameter: V_\247Wq\3035\224y@6c\341\211;\345\205\323\242\347\\235\257\006\352=\377\316C@!\362\345q.|\213\271\204:\357\362\347M\265\346\341\006\251X
Command: \257\277\376\202 Request parameter: U\371\362\236\177D\205\b\224\302,\350Q\250\355%\375\363^D
Command: 1\336\a6 Request parameter: 2\004\214\034,\310#\254Hg^\207\037\375\262j\360-\205\035\266\371\v\230a\335\373pf\305\360!\aST\273_P\375\001\004\376\200\277\202\337g*\316\210\024[&*\213_$\a}\250\335\217\244\357\342\274\206q\t\235\220\357\267
Command: \245\024\217o Request parameter: \272\300\326\255\245\247\243z)J\352d\351\v\337\206\333\367>\364\250\253\261\026~\335r=\342itz\024\204\001w\207\2422\004\326\206\210\f\234\247` C
Command: I\263\017m Request parameter:




I am wondering if there is any way to get rid of these alerts without disabling the preprocessor.
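
An added triage step before touching the preprocessor (editor's code, not part of the original post or of Snort): the usual answer to "too many preprocessor events" is not to disable spp_smtp but to find out who is generating them and suppress by GID:SID and source in threshold.conf, so the check stays on for everyone else. The script reads Snort alert_fast lines, counts GID 124 events by SID and by talker, and emits `suppress gen_id 124, sig_id <sid>, track by_src, ip <src>` lines for sources above a threshold. The log lines are constructed; the assumption that the post's alert is [124:7] "Attempted header name buffer overflow" is taken from its subject and should be checked against the [gid:sid] in the real alerts before any suppress line goes into production.

```python
"""Group SMTP preprocessor alerts and draft threshold.conf suppress lines (added example)."""
import re
from collections import Counter

# Shape of a Snort 2.9 alert_fast line:
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# Preprocessor events often carry no Classification block, so the span between
# the second [**] and {PROTO} is matched loosely.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

SMTP_GID = 124  # generator ID of the SMTP preprocessor (spp_smtp)

# Constructed sample, not real log data: one client tripping the same SID four
# times, one other spp_smtp event from a different client, one ordinary text rule.
SAMPLE_ALERTS = """\
07/11-15:52:01.101010  [**] [124:7:1] (spp_smtp) Attempted header name buffer overflow [**] [Priority: 3] {TCP} 10.1.1.5:51803 -> 10.2.2.9:25
07/11-15:52:01.202020  [**] [124:7:1] (spp_smtp) Attempted header name buffer overflow [**] [Priority: 3] {TCP} 10.1.1.5:51803 -> 10.2.2.9:25
07/11-15:52:02.303030  [**] [124:7:1] (spp_smtp) Attempted header name buffer overflow [**] [Priority: 3] {TCP} 10.1.1.5:51804 -> 10.2.2.9:25
07/11-15:52:03.404040  [**] [124:7:1] (spp_smtp) Attempted header name buffer overflow [**] [Priority: 3] {TCP} 10.1.1.5:51805 -> 10.2.2.9:25
07/11-15:52:04.505050  [**] [124:5:1] (spp_smtp) some other SMTP preprocessor event [**] [Priority: 3] {TCP} 10.1.1.6:40000 -> 10.2.2.9:25
07/11-15:52:05.606060  [**] [1:2000001:1] some text rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.7:40001 -> 10.2.2.9:25
"""


def parse_alerts(text):
    """Return one dict per parseable alert_fast line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            events.append(d)
    return events


def summarize(events, gid=SMTP_GID):
    """Counters of one generator's events by (sid, msg) and by source IP."""
    pp = [e for e in events if e["gid"] == gid]
    by_sig = Counter((e["sid"], e["msg"]) for e in pp)
    by_src = Counter(e["src"] for e in pp)
    return by_sig, by_src


def suppress_lines(events, gid=SMTP_GID, min_count=3):
    """threshold.conf entries for sources that trip one SID at least min_count times.

    Scoped to gid, sid and source, so the preprocessor keeps alerting on other
    hosts and on the other SIDs it generates.
    """
    hits = Counter((e["sid"], e["src"]) for e in events if e["gid"] == gid)
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (sid, src), n in sorted(hits.items()) if n >= min_count]


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    by_sig, by_src = summarize(evts)
    for (sid, msg), n in by_sig.most_common():
        print(f"{SMTP_GID}:{sid} x{n}  {msg}")
    for src, n in by_src.most_common():
        print(f"{src} x{n}")
    print("\n".join(suppress_lines(evts)))
```

Feed it the real alert file (`parse_alerts(open("/var/log/snort/alert").read())`) and look at the top talkers before suppressing. If the packets behind the alerts look like the decode above, i.e. not SMTP commands at all, it is also worth confirming that what the preprocessor sees on port 25 is really cleartext SMTP: if the sessions switch to TLS via STARTTLS, the `ignore_tls_data` option of the smtp preprocessor stops it inspecting the encrypted part, and if the port carries some other protocol, the suppress lines keep the noise down without turning spp_smtp off for the hosts that do speak SMTP.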

Mike Patterson | 10 Jul 23:06 2014

BPF problem

I had a look through recent posts on the list and saw other people had issues, but their solutions don’t
seem to be mine.
The situation is I have two machines running Snort; the older one is at 2.9.5.3, the newer one is at 2.9.6.

I copied relevant pieces of config from the older install to the newer one, and I’m running them both more
or less identically (it’s not completely identically because their hardware differs).

My problem is everything seems hunky dory on the new box, except it’s not respecting my BPF filters. On the
older machine, I pass them on the command line: -F /etc/snort/snort-bpfexclusions.conf. On the newer
one, I tried that, and it claims to be reading the exclusions:

Jul 10 13:31:03 snort[21071]: Reading filter from bpf file: /etc/snort/snort-bpfexclusions.conf

But it’s triggering alerts on hosts in my ranges. My exclusions look like this, with IPs somewhat
anonymized (RFC1918 addresses are internal, others are external):

!(net 1.2.3.4/8) and !(net 10.20.0.0/23) and !(host 9.10.11.12) and !(host 9.10.11.13) and !(host 10.0.0.1) and !(host 10.0.0.2) and !(host 10.0.0.3) and !(host 10.0.0.4) and !(host 10.0.0.5) and !(host 10.0.0.6) and !(host 10.0.0.7) and !(net 172.16.0.0/12) and !(net 10.50.0.0/24) and !(net 10.60.0.0/24)

All one line, of course.

When that didn’t seem to work, I uncommented and set:
config bpf_file: /etc/snort/snort-bpfexclusions.conf

Same deal.

Unlike another more recent poster, I do not believe that my sensor is seeing those IPs within a GRE tunnel - or
rather, if it is, then *both* hosts should be firing, and the older install definitely isn’t.

I can see how well 2.9.5.3 does on the newer machine, but I’d rather not.

I’m calling snort as such:

/usr/local/bin/snort -D -u snort -g snort -F /etc/snort/snort-bpfexclusions.conf -c /etc/snort/snort.conf --pid-path /fsys1/snortpids --create-pidfile -y --daq-dir=/usr/local/lib/daq --daq pfring_dna --daq-mode passive -i dna1@15 --daq-var bindcpu=15 -l /fsys1/snort-dna-15 --perfmon-file /fsys1/snort-dna-15/snort-dna-15.stats -G 15 -l /fsys1/snort-dna-15

(times 16 with differing values for interface, bindcpu, etc.)

If it matters, and I don’t think it should but who knows - the older machine is built around an Endace DAG,
the newer one on an Intel X520. The newer one seems to be otherwise behaving exactly as I’d like.

Any suggestions?

Thanks,

Mike
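
Two checks worth running on an exclusion file like the one above, as an added example (editor's code, not from the thread, from Snort or from libpcap). First, libpcap refuses to compile a `net` term whose address has bits set outside the mask ("non-network bits set"), and then the whole filter fails rather than partially applying; the posted filter's addresses are anonymized, so its first term `net 1.2.3.4/8` trips that check only because of the anonymization, but it is exactly the kind of thing a real file can carry after an edit. Second, for a packet that did alert, evaluate the filter the way BPF does: an unqualified `host` or `net` matches either endpoint, so the packet is excluded if either side is covered. The filter text is the one from the post; the corrected copy and the test addresses are made up.

```python
"""Lint a Snort BPF exclusion file and evaluate it against packets (added example)."""
import ipaddress
import re

# Only the form used in the post is handled: negated net/host terms joined by 'and'.
TERM = re.compile(r"!\(\s*(net|host)\s+([^\s)]+)\s*\)")

# The filter from the post (addresses anonymized by the poster).
POSTED_FILTER = (
    "!(net 1.2.3.4/8) and !(net 10.20.0.0/23) and !(host 9.10.11.12) and !(host 9.10.11.13) and "
    "!(host 10.0.0.1) and !(host 10.0.0.2) and !(host 10.0.0.3) and !(host 10.0.0.4) and "
    "!(host 10.0.0.5) and !(host 10.0.0.6) and !(host 10.0.0.7) and !(net 172.16.0.0/12) and "
    "!(net 10.50.0.0/24) and !(net 10.60.0.0/24)"
)
# Constructed fix for the one term libpcap would reject.
CORRECTED_FILTER = POSTED_FILTER.replace("1.2.3.4/8", "1.0.0.0/8")


def _terms(text):
    # BPF ignores whitespace, so a file wrapped over several lines is fine.
    return re.split(r"\s+and\s+", " ".join(text.split()))


def lint_filter(text):
    """Return a list of problems; an empty list means libpcap would compile it."""
    problems = []
    for piece in _terms(text):
        m = TERM.fullmatch(piece)
        if not m:
            problems.append(f"unsupported term (only !(net ..) and !(host ..) handled): {piece!r}")
            continue
        kind, addr = m.groups()
        if kind == "host" and "/" in addr:
            problems.append(f"host {addr}: 'host' takes a single address")
            continue
        try:
            # strict=True mirrors libpcap: 1.2.3.4/8 is an error, not silently 1.0.0.0/8
            ipaddress.ip_network(addr, strict=True)
        except ValueError as err:
            problems.append(f"{kind} {addr}: {err} (libpcap: 'non-network bits set')")
    return problems


def parse_exclusions(text):
    """Return the excluded networks (hosts as /32), or raise if the filter would not compile."""
    problems = lint_filter(text)
    if problems:
        raise ValueError("; ".join(problems))
    return [ipaddress.ip_network(addr, strict=True) for _, addr in TERM.findall(" ".join(text.split()))]


def packet_excluded(nets, src, dst):
    """True if the filter drops the packet: one excluded endpoint is enough."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in nets)


if __name__ == "__main__":
    for p in lint_filter(POSTED_FILTER):
        print("problem:", p)
    nets = parse_exclusions(CORRECTED_FILTER)
    print(len(nets), "exclusion terms")
    # 10.20.2.1 is just outside 10.20.0.0/23, so an alert on it is not a filter failure.
    for src, dst in [("10.0.0.3", "192.0.2.10"), ("10.20.2.1", "192.0.2.10")]:
        print(src, "->", dst, "excluded" if packet_excluded(nets, src, dst) else "passes")
```

The same compile check at the libpcap level is `tcpdump -F /etc/snort/snort-bpfexclusions.conf -r some.pcap`: Snort's "Reading filter from bpf file" line only says the file was opened, not that the expression compiled and was pushed to the capture layer. If an alerting host comes back as "passes" here, the filter is doing what it says and the address is simply not covered; if it comes back "excluded", the problem is between the filter text and the DAQ, not in the file.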

Turnbough, Bradley E. | 10 Jul 19:41 2014

Rule Downloads Failing

wget -v http://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/blahblahblah -O /opt/pulledpork/tmp/sigs/snortrules-snapshot-2960.tar.gz

Produces:

--2014-07-10 13:39:16--  http://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/blahblahblah
Resolving blahblah.blah.com... x.y.z.a
Connecting to blahblah.blah.com|x.y.z.a|:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: https://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/blahblahblah [following]
--2014-07-10 13:39:16--  https://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/blahblahblah
Connecting to blahblah.blah.com|x.y.z|:3128... connected.
Proxy request sent, awaiting response... 422 Unprocessable Entity
2014-07-10 13:39:16 ERROR 422: Unprocessable Entity.

I'm not sure when this broke.  Can someone please help me out here?

Brad