Snort Mailing List

Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

List Archives

Year    Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec
2014    916       1101      435
2013    1238      1431      1251      825
2012    807       731       1245      1527
2011    1399      829       660       657
2010    864       1000      892       1152
2009    352       616       423       604
2008    277       264       220       278
2007    218       295       379       283
2006    393       476       403       333
2005    1684      725       777       616
2004    1913      1805      1729      1399
2003    3113      3034      2307      2165
2002    2884      2504      2570      2572
2001              1488      3085      2640

Latest Posts

AUTO: AYYILDIZ, Cihan is out of the office. (returning 11.08.2014) Cihan AYYILDIZ (Jul 26)
I am out of the office until 11.08.2014.

I am out of the office until 11 August. My internet access will be
limited. In urgent cases, please send an SMS. Best regards.

Note: This is an automated response to your message "Snort-users Digest,
Vol 98, Issue 110" sent on 7/25/2014 5:13:52 PM.

This is the only notification you will receive while this person is away.

This e-mail message and its attachments are intended for the person to whom they were sent or...

Snort database cannot update. Joseph Boo (Jul 26)
Dear all, today I found that my Snort update status does not respond; I got error code 220. Is anyone here facing the
same problem as me?

Thank you

Joseph

Can I install the latest version of Snort on Centos 7? Jutichai Thongkrachai (Jul 26)
Hello,

Can I install the latest version of Snort on CentOS 7 by using the
installation guide for CentOS 6.X? Does Snort work properly on CentOS 7?

Tar

Re: finding which rule waldo kitty (Jul 26)
how did snort know? because three digit GIDs are all coded in the binary
modules... the rules file for them does not have to exist but if it does, it is
easier to enable/disable the rules as well as a few other options with them...

HTTP INSPECT fails on Mirror Port Anand Raj Manickam (Jul 26)
Yes, the pcap was captured on the same box running Snort.
The capture was on the port configured as the mirror.


Re: Having trouble editing the configuration file for Windows Trevor Thompson (Jul 25)
I managed to fix the problem. I commented out all of the different rules
files that were included in the Snort configuration file, and after doing
so I was able to run Snort using the snort.conf file as an argument. Thanks,
everyone, for helping me solve these configuration issues I was having.
Here are the edits that I made in case anyone else runs into the
same problem:

# site specific rules
# include $RULE_PATH\local.rules
#...

Re: Having trouble editing the configuration file for Windows waldo kitty (Jul 25)
ok... and there's not one in your rules directory? if there is it should not be
being read according to your snort.conf...

the only other thing i can think of right now is file permissions and
ownership... do they allow snort to read that file as the user it is running as?

arpspoof preprocessor for offline PCAPs Michael Psaila (Jul 25)
Hi all,

Can the arpspoof preprocessor be used while running a PCAP file through
Snort?
Or does this preprocessor only work when sniffing traffic in real-time?

I've gone through the SNORT Users Manual and did quite a bit of googling,
but couldn't find an answer to my question.
If anyone could point me to a reference where this is documented, it would
be greatly appreciated.

I'm asking because I have enabled the arpspoof...

IP address check to anonymous-servers.com Tony Robinson (Jul 25)
Hello,

Got some interesting indicators from MalwareMustDie that there are
some malware variants that check anonymous-servers.com/ip/ip.php to
figure out where they're at. I wrote a couple of snort rules.
Apologies if these have already been submitted.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
URI possible IP address check to anonymous-servers.com";
flow:to_server,established; content:"GET";...

Re: [Snort-users] HTTP INSPECT fails on Mirror Port Russ Combs (rucombs) (Jul 25)

Re: Snort-users Digest, Vol 98, Issue 97 Rowell Dionicio (Jul 25)
Okay I gotcha there. My snort output is being dumped into a unified2 format. I added this line:

output log_tcpdump: tcpdump.log

I'll watch for that traffic again and analyze in Wireshark to determine what's going on. Is there a better output to
use?

-Rowell

one thing to do would be to look at the pcap that snort captured of the traffic
and see exactly what that traffic is from... i see a lot of it myself and it
seems to be where...

Re: question about rule detect nmap scan lists () packetmail net (Jul 25)
This will end up matching on more than just NMAP, consider adding an MSS value
of zero as well.

Cheers,
Nathan


Re: finding which rule Joel Esler (jesler) (Jul 25)
Try:

snort -c /path/to/snort.conf -A console -i eth0


Re: finding which rule Richard Smollett (Jul 25)
Yes. The file indicated in the snort.conf file is the empty one. I used
#locate to to see if there were any others, and there was one in my source
package that was loaded with rules. I've moved that one to where the
snort.conf file says it should be. Now I guess it's just a question of
finding the correct rule and grooming it. I guess the only question from
here is... how did snort have awareness of the rule if it wasn't where...

MailPoet Vulnerability Júlio César Melo (Jul 25)
http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

Julio

More Lists

Dozens of other network security lists are archived at SecLists.Org.
