Indira Kas | 2 Jul 16:21 2014
Picon

sid-msg.map file is missing

Pulledpork is running now. I checked the proper location of the sid-msg.map file in pulledpork.conf.
But when I run barnyard2 like this:
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -C /etc/snort/classification.config &

(I excluded -S and -G options, since it was throwing errors that they were included 2 times).

I get error:
ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No such file or directory)
ERROR: [Barnyard2Init()], failed while processing [/etc/snort/sid-msg.map]

Gen-msg.map file has been generated, but I can't find sid-msg.map file.
Do you know how to generate it manually maybe?

Ikas.
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Indira Kas | 2 Jul 14:20 2014
Picon

Can't run pulledpork

Hi!
When I try to run pulledpork, I get this error:

Checking latest MD5 for snortrules-snapshot-2961.tar.gz....
    Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2961.tar.gz.md5 at ./pulledpork.pl line 463
    main::md5file('<oinkcode>', 'snortrules-snapshot-2961.tar.gz', '/tmp/', 'https://www.snort.org/snort-rules/') called at ./pulledpork.pl line 1847

I tried to change it to version 2946 or 2960, but I get the same error.
Also I changed the URL to https://www.snort.org/snort-rules/snortrules-snapshot-2961.tar.gz.md5,
since there is no reg-rules under the snort.org, but the error remains.
Do you know what is the case?

Ikas.
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
conma293 | 2 Jul 06:01 2014
Picon

Fedora build

Hey guys so I'm looking at doing a build of snort using the community fedora build doc - liking the look of that
daemon script.

2 questions -  

1) how far away is 2970 I.e should I wait or goto 2961

2) which version of fedora would be recommended as most stable for that build and doc

Sent from my iPhone
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Snort Releases | 2 Jul 01:52 2014

Snort 2.9.7 Beta is now available

Snort 2.9.7 Beta is now available on snort.org at
http://www.snort.org/snort-downloads/in the Development section.

A new DAQ build is also available that updatessupport for a few operating
systems.

Snort 2.9.7 includes a major new feature for to Application Identification,
our openappid capability.

[*] New additions
* Application Identification Preprocessor, when used in conjunction with
   open app ID detector content, that will identify application protocol,
   client, server, and web applications (including those using SSL) and
   include the info in Snort alert data. In addition, a new rule option
   keyword 'appid' that can be used to constrain Snort rules based on one
   or more applications that are identified for the connection.
   See README.appid for details.

* A new protected_content rule option that is used to match against a 
content
   that is hashed.  It can be used to obscure the full context of the 
rule from
   the administrator.

* Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
   more accurately process different portions of email messages and file
   attachments.

* Added ability to test normalization behavior without modifying network 
traffic.
   When configured using na_policy_mode:inline-test, statistics will be 
gathered
   on packet normalizations that would have occurred, allowing less 
disruptive
   testing of inline deployments.

* The HTTP Inspection preprocessor now has the ability to decompress
   DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
   content from http responses when configured with the new decompress_swf
   and decompress_pdf options. This enhancement can be used with 
existing rule
   options that already match against decompressed equivalents.

* Added improved XFF support to HttpInspect. It is now possible to 
specify custom
   HTTP headers to use in place of 'X-Fowarded-For'. In situations where 
traffic may
   contain multiple XFF-like headers, it is possible to specify which 
headers hold
   precedence.

* Added control socket command to dump packets.

* The Stream5 preprocessor functionality is now split between the new 
Session and
   Stream preprocessors.  This makes for easier tracking of sessions 
independent of
   TCP stream reassembly.

[*] Improvements
* Update active response to allow for responses of 1500+ bytes that span
   multiple TCP packets.

* Check limits of multiple configurations to not exceed a maximum ID of 
4095.

* Updated the error output of byte_test, byte_jump, byte_extract to
   including details on offending options for a given rule.

* Update build and install scripts to install preprocessor and engine 
libraries
   into user specified libdir.

* Improved performance of IP Reputation preprocessor.

* The control socket will now report success when reloading empty IP 
Reputation
whitelists/blacklists.

* All TCP normalizations can now be enabled individually. See 
README.normalize for
   details on usingthe new options. For consistency with other options, 
the "urp"
   tcp normalization keyword nowenables the normalization instead of 
disabling it.

* Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.

* Updated profiler output to remove duplicate results when using 
multiple configurations.

* Improved performance of FTP reassembly.

* Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, 
FreeBSD, and DragonFlyBSD.

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

John Gomez | 2 Jul 02:53 2014
Picon

Snort Windows 8 Pro?

Can Snort be installed on Windows 8 64-bit?  Any issues or heads-up in making this happen?

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

anagha b | 29 Jun 19:12 2014
Picon

<at> snort alert

Hi all

I have installed snort-2.9.6.1 on ubuntu12.04

unable to get snort alerts i am using  snort.u2 as o/p i tried with snort.alert and snort.log too but unable to get anything inside file .

file is showing 0 bytes even if i run snort for 15 -20 min .

Plz help to solve the issue.


Set gid to 1001
Set uid to 1001

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.1 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: ht

is this the issue with user id n group id but i have already set the uid n gid.


I tried to use sfportscan and created portscan.log file at /var/log/snort n launched nmap decoy scan still no log in portscan.log file.



plz help.
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Nikola Vulovic | 28 Jun 15:16 2014
Picon

possable ssh attack

I am  trying snort for the first time,
 got a bit of panic.
I suspect someone was trying to bruteforce ssh
I have attached alert file, and rule that i made
and lookup from ip
$ geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat 194.102.58.6
GeoIP City Edition, Rev 1: RO, 10, Bucuresti, Bucharest, N/A, 44.433300, 26.100000, 0, 0
$ geoiplookup -d /usr/share/GeoIP/ 194.102.58.6
GeoIP Country Edition: RO, Romania
GeoIP ASNum Edition: AS2614 Agentia de Administrare a Retelei Nationale de Informatica pentru Educatie si Cercetare
Are my suspicions correct?


--
Nikola Vulovic
Attachment (alert): application/octet-stream, 369 KiB
Attachment (snort.rules): application/octet-stream, 255 bytes
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Have you build pf_ring package?

I’m having a lot of problems building PF_ring packages for my Snorts!!! I’m not sure (i’m a newbie) but i think that the spec file is not very good designed.

 

Have you deployed pf_ring in multiple machines? How???

 

Thanks a lot!!!

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Jeff Meigs | 26 Jun 22:34 2014

Verifying Snort rules are updating?

Hello everyone,

 

We use to pull the rules using our own script but now we switched to using pulled pork. It seems the way its set up now with pulled pork is it dumps everything into that single file.

How are some of you verifying snort is running every day?

We have a report that used to tell us the file dates so we knew it was being updated. Anyone have any other methods?

 

Thanks,

Jeffrey Meigs

Junior Programmer

SunWest ECU

jmeigs <at> sunwestecu.com

 

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Avery Rozar | 25 Jun 22:16 2014

Event supression question, and Whitelist question

Does event suppression stop alerting, and if inline stop dropping too? Or just alerting, but still drop?

I added the below entry into threshold.conf and I don’t get alerts anymore but the app in use that was
fining this sig off (it uses wininet) is still not woking.

suppress gen_id 1, sig_id 21965, track by_src, ip x.x.x.x

Does adding a host to the white_list.rules stop preprocessor rules from being applied to this host too?

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Beenish Raza | 25 Jun 16:59 2014
Picon

Packet Number in Log file

I have to match a set of rules against a traffic trace file (pcap file). I have to report a packet which contains a specified rule. The issue is that I want to log the packet number of the packet as well while logging those packets which contain a match. E.g I have a pcap file with 10 packets and 8th packet gets matched against a certain rule. In this case, I want that the log should also specify that 8th packet contains a match. 

I used   –A alert to log to a file and get something like this in output:
08/15-17:27:48.482649  [**] [1:500020:0] Rule no.20 [**] [Priority: 0] {TCP} 244.85.5.101:443 -> 10.34.6.10:38835

Now, I am not getting it where is the packet number because the (testing) pcap file I am using just contains 14 packets.
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Gmane