From: Seth Dunn (seth@d2ms.com)
Date: Thu May 02 2013 - 09:39:53 CDT
Ok, doing my command line like this:
C:\>d:\snort\bin\snort -c d:\snort\etc\snort2.conf -i2 'not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80' -T
I get this:
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{62D05284-3337-4ED4-8151-E1D6D2926918}".
ERROR: Can't set DAQ BPF filter to ''not net 10.10.0.0/24 and dst host 10.75.45.1' (╠πQ)!
Fatal Error, Quitting..
-----Original Message-----
From: James Lay [mailto:jlay@slave-tothe-box.net]
Sent: Thursday, May 02, 2013 10:31 AM
To: Snort
Subject: Re: [Snort-users] Network Variables
This worked like a champ for me:
[08:19:26 me@box:~/snort$ sudo snort -c snort.conf 'not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80'
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
<snip>
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.4.6 GRE (Build 73)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.17 <Build 18>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
<snip>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Commencing packet processing (pid=28871)
James
On 2013-05-02 08:16, Seth Dunn wrote:
> Same.
> It doesn't matter if the call is using the .conf file, or through the
> -F command line switch
>
> -----Original Message-----
> From: James Lay [mailto:jlay@slave-tothe-box.net]
> Sent: Thursday, May 02, 2013 10:12 AM
> To: Snort
> Subject: Re: [Snort-users] Network Variables
>
> What happens when you try it via command line?
>
> On 2013-05-02 08:09, Seth Dunn wrote:
>> Also of note.
>> It seems that if snort starts with a bpf file configured....then for
>> whatever reason, all traffic is no longer monitored, even though
>> snort has started.
>> So while this rule:
>> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>>
>> is pretty specific.....
>> I have another rule set in my local.rules file that should alert on
>> any FTP attempt to IP 10.76.65.1....and if the bpf file is configured
>> for snort, then the attempt is not alerted by snort.
>> If I remove the bpf file from being used, then any FTP attempt is
>> again alerted.
>>
>> FROM: James Lay [mailto:jlay@slave-tothe-box.net]
>> SENT: Thursday, May 02, 2013 8:10 AM
>> TO: Snort
>> SUBJECT: Re: [Snort-users] Network Variables
>>
>> Quotation marks may be needed…try appending via command line as well.
>>
>> James
>>
>> On May 2, 2013, at 5:50 AM, Seth Dunn <seth@d2ms.com> wrote:
>>
>> What is DAQ? I have seen that, but have no idea what that is.
>>
>> As far as my bpf file goes, if it is like this:
>>
>> #not net 10.10.0.0/24 and not net 10.30.0.0/24
>>
>> not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80
>>
>> It will fail with:
>>
>> Reading filter from bpf file: D:\Snort\etc\ignore2.bpf
>>
>> ERROR: short read D:\Snort\etc\ignore2.bpf (169 != 170)
>>
>> Fatal Error, Quitting..
>>
>> If I remove the commented line, then snort starts fine.
>> If I try to have multiple lines in the file (all being rules, no
>> comments), then it will fail with a similar error as above.
>> I have never seen a DAQ error.
>>
>> FROM: Russ Combs [mailto:rcombs@sourcefire.com]
>> SENT: Thursday, May 02, 2013 12:08 AM
>> TO: waldo kitty
>> CC: snort-users@lists.sourceforge.net
>> SUBJECT: Re: [Snort-users] Network Variables
>>
>> Snort does allow comments in the BPF file, starting with # to end of
>> line. If there is a syntax error, you should see something like:
>>
>> ERROR: Can't set DAQ BPF filter to '
>>
>> ...
>>
>> ' (pcap_daq_set_filter: pcap_compile: syntax error)!
>>
>> Fatal Error, Quitting..
>>
>> What DAQ are you using? Please send the BPF file that fails and the
>> error that you get.
>>
>> On Wed, May 1, 2013 at 10:07 PM, waldo kitty <wkitty42@windstream.net> wrote:
>>
>> On 5/1/2013 13:09, Seth Dunn wrote:
>>> But any ideas why snort fails to start if I add in a '#' to comment a
>>> line??
>>
>> i have no clue but it sounds like a coding error not allowing comment
>> lines in the BPF file... only joel or one of the snort dev guys can
>> tell us that... or possibly a code diver who can root around in the
>> snort code ;)
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>> Please keep mailing list traffic on the list unless private contact
>> is specifically requested and granted.
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
>> Get 100% visibility into your production application - at no cost.
>> Code-level diagnostics for performance bottlenecks with <2% overhead
>> Download for free and get started troubleshooting in minutes.
>> http://p.sf.net/sfu/appdyn_d2d_ap1
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
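A note on what the filter in this thread actually does, followed by an added example. The BPF expression Snort gets from -F or the command line is a capture filter applied by the DAQ: only packets that match it are ever handed to the detection engine, so any rule in local.rules is blind to everything the filter drops. In pcap-filter syntax "not" binds tighter than "and", "and" binds tighter than "or", and an unqualified "net" matches either source or destination. Working that through, the expression quoted above ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80") reduces to "dst host 10.75.45.1 and dst port 80": it ignores neither network, and it stops every other packet, including an FTP attempt to 10.76.65.1, from reaching a rule. The script below is my own example, not code from the thread and not Snort's or libpcap's code; it implements those precedence rules for the subset of the syntax used here, strips "#" comments the way Russ says Snort accepts them, and runs the thread's filter and a true ignore filter over a few constructed packets. Packet, SAMPLE, THREAD_FILTER, IGNORE_FILTER and the function names are all mine.

```python
# Added example, not code from the thread or from Snort: a toy evaluator for the
# BPF subset used above (net/host/port with src/dst, not/and/or, &&/||, parens)
# that shows which packets a capture filter lets through to the detection engine.
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")  # constructed stand-in for a decoded packet
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||[^\s()]+")


def strip_comments(text):
    # Join a BPF file into one expression, dropping '#'-to-end-of-line comments.
    return " ".join(line.split("#", 1)[0] for line in text.splitlines()).strip()


def tokenize(expr):
    return [{"&&": "and", "||": "or"}.get(t, t) for t in TOKEN_RE.findall(expr)]


class Parser:
    # Recursive descent with pcap-filter precedence: not > and > or; parens override.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def binop(self, word, sub):
        left = sub()
        while self.peek() == word:
            self.take()
            left = (word, left, sub())
        return left
    def parse_or(self):
        return self.binop("or", self.parse_and)
    def parse_and(self):
        return self.binop("and", self.parse_not)
    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return node
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "net":
            return ("net", direction, ipaddress.ip_network(self.take(), strict=False))
        if tok == "host":
            return ("host", direction, ipaddress.ip_address(self.take()))
        if tok == "port":
            return ("port", direction, int(self.take()))
        raise SyntaxError(f"unsupported or missing primitive: {tok!r}")
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return node


def matches(node, pkt):
    op = node[0]
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    direction, value = node[1], node[2]
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if op == "net":
        hit = (src in value, dst in value)
    elif op == "host":
        hit = (src == value, dst == value)
    else:  # port
        hit = (pkt.sport == value, pkt.dport == value)
    # An unqualified primitive matches either direction, as in pcap-filter(7).
    return {"src": hit[0], "dst": hit[1], None: hit[0] or hit[1]}[direction]


def seen_by_snort(expr, packets):
    # Packets the capture filter passes on to the rules; the rest are never inspected.
    tree = Parser(tokenize(strip_comments(expr))).parse()
    return [p for p in packets if matches(tree, p)]


THREAD_FILTER = ("not net 10.10.0.0/24 and dst host 10.75.45.1 && dst port 80 or "
                 "not net 10.30.0.0/24 and dst host 10.75.45.1 && dst port 80")
IGNORE_FILTER = "# skip two nets, inspect everything else\nnot (net 10.10.0.0/24 or net 10.30.0.0/24)"
SAMPLE = [  # constructed traffic, not a capture from the thread
    Packet("10.10.0.5", "10.75.45.1", 40000, 80),  # web from the first net to be skipped
    Packet("10.30.0.5", "10.75.45.1", 40001, 80),  # web from the second net to be skipped
    Packet("192.0.2.9", "10.75.45.1", 40002, 80),  # web from elsewhere
    Packet("192.0.2.9", "10.76.65.1", 40003, 21),  # FTP attempt that local.rules should alert on
]
```

Running seen_by_snort(THREAD_FILTER, SAMPLE) returns the three port-80 packets, including both from the networks the filter was meant to skip, and drops the FTP packet; seen_by_snort(IGNORE_FILTER, SAMPLE) drops the two packets from 10.10.0.0/24 and 10.30.0.0/24 and keeps the rest, which is the behaviour the original filter was written to get. The real libpcap compiler can be exercised the same way without starting Snort: tcpdump -d -F ignore2.bpf -r any.pcap compiles the file and dumps the resulting BPF program, or reports a syntax error. The cmd.exe failure at the top of this message is a separate problem: cmd.exe does not treat single quotes as quoting characters and treats && as a command separator, so the argument Snort received ended at 10.75.45.1, which is exactly the truncated filter printed in the DAQ error. Double quotes around the expression avoid that.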