[Snort-users] help

From: jiangzhw2008 (jiangzhw2008yeah.net)
Date: Wed Jul 15 2009 - 20:00:33 CDT


On 2009-07-16 02:41:56, snort-users-requestlists.sourceforge.net wrote:
>Send Snort-users mailing list submissions to
> snort-userslists.sourceforge.net
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
>or, via email, send a message with subject or body 'help' to
> snort-users-requestlists.sourceforge.net
>
>You can reach the person managing the list at
> snort-users-ownerlists.sourceforge.net
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Snort-users digest..."
>
>
>Today's Topics:
>
>   1. Joel Esler Speaking in Augusta Georgia - Tonight (Mike Guiterman)
>   2. Speaking tonight at the CSRA Snort Users Group (Joel Esler)
>   3. Re: Web UI (JJ Cummings)
>   4. Re: Web UI (Russell Fulton)
>   5. Re: Web UI (Joel Esler)
>   6. Re: New netbios rules? (craig bowser)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 14 Jul 2009 16:28:46 -0400
>From: Mike Guiterman <mguitermansourcefire.com>
>Subject: [Snort-users] Joel Esler Speaking in Augusta Georgia -
> Tonight
>To: Snort Users List <snort-userslists.sourceforge.net>,
> emerging-sigsemergingthreats.net
>Message-ID:
> <9ff4f37d0907141328v23c4727exa49e70fc8212ff63mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi all,
>
>Sorry for the late notice, Sourcefire's Joel Esler is speaking tonight at the
>CSRA Snort Users group in Augusta, Georgia at 6:30pm.  If you are in the
>area, and would like to attend, the meeting will be held in downtown
>Augusta, please contact Joel Esler  joel.esler [at] sourcefire.com for
>directions.
>
>Regards,
>
>Mike
>-------------- next part --------------
>An HTML attachment was scrubbed...
>
>------------------------------
>
>Message: 2
>Date: Tue, 14 Jul 2009 16:35:56 -0400
>From: Joel Esler <jeslersourcefire.com>
>Subject: [Snort-users] Speaking tonight at the CSRA Snort Users Group
>To: Snort Users <snort-userslists.sourceforge.net>
>Message-ID:
> <314cf0830907141335t612d134exf68ba9e300910fd7mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Wanted to let you all know, and sorry that it's on short notice, but I will
>be speaking tonight at the CSRA (Augusta, Georgia and surrounding area)
>Snort Users Group.
>
>The meeting is being held in downtown Augusta, Georgia, so if you are in the
>area and would like to attend, I plan to start around 6:30-6:45; several of
>us will probably go to dinner afterwards.  All are invited.
>
>If you are interested in coming, like I said, I know it's short notice,
>email me for directions.  (The location has asked that their address isn't
>posted.)  Thanks!
>
>Joel Esler
>SOURCEfire
>-------------- next part --------------
>An HTML attachment was scrubbed...
>
>------------------------------
>
>Message: 3
>Date: Tue, 14 Jul 2009 14:50:00 -0600
>From: JJ Cummings <cummingsjgmail.com>
>Subject: Re: [Snort-users] Web UI
>To: "Burks, Doug" <doug.burksmorris.com>
>Cc: SElgramverifpoint.com, Snort Users List
> <snort-userslists.sourceforge.net>
>Message-ID:
> <1c79c7b70907141350x58e1a01fn723f8fbaa66bf49dmail.gmail.com>
>Content-Type: text/plain; charset="windows-1252"
>
>There is also Snorby (google will help you there), I have been playing with
>it a bit lately.. it's still BETA / Brand new..
>
>you can also always go the route of syslog etc...
>
>On Tue, Jul 14, 2009 at 1:57 PM, Burks, Doug <doug.burksmorris.com> wrote:
>
>>  Hi Scott,
>>
>> ACID should not be used anymore.  BASE is definitely more current.
>>
>> A brand new web front-end called Snorby (http://www.snorby.org/) just
>> appeared.  It's still in Beta and may not be ready for production use.
>>
>> If you don't require a web front-end, I would recommend looking at Sguil (
>> http://sguil.sourceforge.net/).  It can be installed very quickly and
>> easily using NSMnow (http://www.securixlive.com/nsmnow/index.php).  If
>> you'd like to try Sguil from a LiveCD environment, please take a look at my
>> Security Onion LiveCD (http://securityonion.blogspot.com/).
>>
>> Thanks,
>> Doug Burks
>>
>>  ------------------------------
>>  *From:* Scott Elgram [mailto:SElgramVerifPoint.com]
>> *Sent:* Tuesday, July 14, 2009 2:38 PM
>> *To:* 'Snort Users List'
>> *Subject:* [Snort-users] Web UI
>>
>>  Hello,
>>
>>             I am looking to set up a new SNORT IDS.  I set one up a while
>> back with ACID as my UI, I liked it very much but now I'm looking to build a
>> brand new one and it would seem that many things have changed since I did
>> this last.  Most notably, it looks like the ACID project has been dropped.
>> Is ACID still a good web based UI for SNORT or is there a better one these
>> days?  I'd also appreciate your opinion on BASE which looks pretty much like
>> ACID but seems to be more current.
>>
>> -Scott
>>
>> ------------------------------------------------------------------------------
>> Enter the BlackBerry Developer Challenge
>> This is your chance to win up to $100,000 in prizes! For a limited time,
>> vendors submitting new applications to BlackBerry App World(TM) will have
>> the opportunity to enter the BlackBerry Developer Challenge. See full prize
>> details at: http://p.sf.net/sfu/Challenge
>> _______________________________________________
>> Snort-users mailing list
>> Snort-userslists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>
>------------------------------
>
>Message: 4
>Date: Wed, 15 Jul 2009 14:42:13 +1200
>From: Russell Fulton <r.fultonauckland.ac.nz>
>Subject: Re: [Snort-users] Web UI
>To: Joel Esler <jeslersourcefire.com>
>Cc: "SElgramverifpoint.com" <SElgramverifpoint.com>, Snort Users
> List <snort-userslists.sourceforge.net>
>Message-ID: <ED79CCB0-B556-4B7F-A1F8-9E6F40580B3Aauckland.ac.nz>
>Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
>On 15/07/2009, at 8:01 AM, Joel Esler wrote:
>
>> It's much better than ACID ever was.
>>
>> It's the biggest web gui there is for Snort. With over 20k users.
>
>Anyone have a feeling for how many events it will handle in the
>database?  Last time I looked (a long time ago) it would go very soggy
>if I tried to keep more than a week's worth of alerts in the DB.  My
>current (Placid *) system works fine with about 6 million events.  But
>has very limited functionality.
>
>R
>
>* Phil (Denault) Loathes ACID  :)
>
>
>
>------------------------------
>
>Message: 5
>Date: Wed, 15 Jul 2009 01:27:02 -0400
>From: Joel Esler <jeslersourcefire.com>
>Subject: Re: [Snort-users] Web UI
>To: Russell Fulton <r.fultonauckland.ac.nz>
>Cc: "SElgramverifpoint.com" <SElgramverifpoint.com>, Snort Users
> List <snort-userslists.sourceforge.net>
>Message-ID: <F210085A-80AF-4F90-9096-F33CCCF984D6sourcefire.com>
>Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
>
>I've seen systems with 14 million events on a very powerful machine.
>
>--
>Sent from my iPhone
>
>On Jul 14, 2009, at 10:42 PM, Russell Fulton <r.fultonauckland.ac.nz>
>wrote:
>
>>
>> On 15/07/2009, at 8:01 AM, Joel Esler wrote:
>>
>>> It's much better than ACID ever was.
>>>
>>> It's the biggest web gui there is for Snort. With over 20k users.
>>
>> Anyone have a feeling for how many events it will handle in the
>> database?  Last time I looked (a long time ago) it would go very
>> soggy if I tried to keep more than a week's worth of alerts in the
>> DB.  My current (Placid *) system works fine with about 6 million
>> events.  But has very limited functionality.
>>
>> R
>>
>> * Phil (Denault) Loathes ACID  :)
>
>
>
>------------------------------
>
>Message: 6
>Date: Wed, 15 Jul 2009 14:41:48 -0400
>From: craig bowser <reswob10gmail.com>
>Subject: Re: [Snort-users] New netbios rules?
>To: Snort <snort-userslists.sourceforge.net>
>Message-ID:
> <cfec1a3a0907151141y17abe160i642cbabeb16c31d5mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>I just got the same problem as jlay <jlayslave-tothe-box.net>.  I've had
>v2.8.4.1 running just fine for a while, but today I updated the rules (both
>from Snort and from Emerging Threats) and performed an 'apt-get upgrade' and
>suddenly I'm getting this error.  I don't have either "preprocessor dcerpc2"
>or "preprocessor dcerpc_server: default" in my snort.conf and the entry for
>dce/rpc is as follows:
>
># Per Step #2, set the following to load the dcerpc preprocessor
># dynamicpreprocessor file <full path to libsf_dcerpc_preproc.so>
># or use commandline option
># --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
>
>preprocessor dcerpc: \
>    autodetect \
>    max_frag_size 3000 \
>    memcap 100000
>
>So it appears to be enabled.
>
>However, I looked for libsf_dcerpc_preproc.so, but that file is not
>present.  Do I need to create one?  The README.dcerpc file does not say how
>to format such a file.
>
>OTOH, did I screw up something updating the rules?
>
>Thanks.
>
>Craig Bowser
>
>
>
>On Tue, Jun 16, 2009 at 10:45 AM, Griffin, Chris Andrew (Chris) <
>cg58alcatel-lucent.com> wrote:
>
>> I'm having the same problem
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> ERROR: Warning: /etc/snort/rules/netbios.rules(24) => Unknown keyword '
>> dce_iface' in rule!
>> Fatal Error, Quitting..
>>
>> and I found this post:
>>
>>
>> https://forums.snort.org/forums/snort-newbies/topics/snort-error-when-starting-snort-unknown-keyword-dce_iface
>>
>> I can't find "preprocessor dcerpc_server: default" in snort.conf to
>> disable, but I think it's because my snort.conf is old.  I'm going to try
>> and upgrade my snort.conf to the latest version (v2.8.4.1).  If you haven't
>> upgraded your snort.conf in a while I may suggest you try the same.
>>
>>
>>
>>
>> ________________________________
>>
>> From: Joel Esler [mailto:jeslersourcefire.com]
>> Sent: Tuesday, June 16, 2009 10:31 AM
>> To: jlayslave-tothe-box.net
>> Cc: Snort
>> Subject: Re: [Snort-users] New netbios rules?
>>
>>
>>
>> On Jun 16, 2009, at 10:17 AM, jlayslave-tothe-box.net wrote:
>>
>>
>>        After updating this morning I see:
>>
>>        Jun 16 08:12:25 10.21.10.2 snort[7899]: FATAL ERROR: Warning:
>>        /usr/local/etc/snort/rules/netbios.rules(24) => Unknown keyword '
>>        dce_iface' in rule!
>>
>>        Version is:
>>
>>        Version 2.8.4.1 (Build 38)
>>
>>        Do I need to update snort?  Thanks.
>>
>>
>> No, but you do need to enable the dce/rpc2 preprocessor in your snort.conf
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jeslersourcefire.com | 302-223-5974
>> [m]
>>
>>
>>
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>
>------------------------------
>
>End of Snort-users Digest, Vol 38, Issue 13
>*******************************************
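The failure in message 6 is a supply-chain style breakage of the sensor: a rule update pulled in netbios rules that use the dce_iface option, which only parses when the dcerpc2 preprocessor is enabled, so Snort aborted at startup and the IDS was silently down until someone noticed. The script below is an added example, not code from the thread or from the Snort project: a pre-flight check that fails when the rule set needs dcerpc2 but snort.conf does not enable it, and prints the stanza to add. Assumptions not stated on the page: the rule options checked are dce_iface, dce_opnum and dce_stub_data; "enabled" means an uncommented line beginning with "preprocessor dcerpc2"; the sample rule, the obsolete "preprocessor dcerpc" stanza and the dcerpc2 configuration are constructed for the demo (the dcerpc2 lines follow the stock snort.conf shipped with Snort 2.8.4).

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): check that
# rule files using dce_* options are only loaded with dcerpc2 enabled.
# Assumption: the dce_* options are provided by the dcerpc2 preprocessor
# alone; the old "preprocessor dcerpc" stanza does not supply them.

# rules_need_dce2 RULES_DIR: 0 if any uncommented rule uses a dce_* option.
rules_need_dce2() {
    grep -rqE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[^#]*dce_(iface|opnum|stub_data):' "$1" 2>/dev/null
}

# conf_enables_dce2 SNORT_CONF: 0 if an uncommented dcerpc2 line is present.
conf_enables_dce2() {
    grep -qE '^[[:space:]]*preprocessor[[:space:]]+dcerpc2[[:space:]]*:' "$1" 2>/dev/null
}

# check_dce_preproc RULES_DIR SNORT_CONF
# 0 = consistent; 1 = rules need dcerpc2 but the conf does not enable it
# (the state that produced "Unknown keyword 'dce_iface'" on the list).
check_dce_preproc() {
    if rules_need_dce2 "$1" && ! conf_enables_dce2 "$2"; then
        echo "$1 uses dce_* rule options but $2 does not enable dcerpc2" >&2
        echo "add the dcerpc2 stanza (as shipped in the Snort 2.8.4 snort.conf):" >&2
        cat >&2 <<'EOF'
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3
EOF
        return 1
    fi
    return 0
}

# make_demo_dir: writes constructed sample files (a netbios rule using
# dce_iface, the obsolete dcerpc stanza quoted in the thread, and a conf
# with dcerpc2 enabled) and prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/rules"
    cat > "$d/rules/netbios.rules" <<'EOF'
# constructed rule for the demo; sid is in the local range
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS DCERPC srvsvc bind example"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; sid:1000001; rev:1;)
EOF
    cat > "$d/old.conf" <<'EOF'
# obsolete dcerpc stanza, as quoted in the thread
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
EOF
    cat > "$d/new.conf" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3
EOF
    echo "$d"
}

# demo: old.conf fails the check, new.conf passes.
demo() {
    d=$(make_demo_dir)
    for c in old.conf new.conf; do
        if check_dce_preproc "$d/rules" "$d/$c" 2>/dev/null; then
            echo "$c: consistent"
        else
            echo "$c: rules need dcerpc2, fix snort.conf before restarting"
        fi
    done
    rm -rf "$d"
}

demo
```

Run the check in the rule-update job before the sensor is restarted, and follow it with `snort -T -c /etc/snort/snort.conf` (test mode, parses the configuration and exits), so a rule that references a missing preprocessor fails the update step instead of taking the running sensor down.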
