Snort Mailing List

Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

List Archives

Year    Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec
2013       1238       984
2012        807       731      1245      1527
2011       1399       829       660       657
2010        864      1000       892      1152
2009        352       616       423       604
2008        277       264       220       278
2007        218       295       379       283
2006        393       476       403       333
2005       1684       725       777       616
2004       1913      1805      1729      1399
2003       3113      3034      2307      2165
2002       2884      2504      2570      2572
2001                 1488      3085      2640

Latest Posts

How to use alertAdd to generate a "variable" alert message? Hai Minh Nguyen (May 25)
Hi,

I'm using _dpd.alertAdd to raise an alert in my dynamic preprocessor. But I
face a problem:

I ran this code:

char alert[256];
double score = MyFunction();
sprintf(alert, "Alert: Score = %lf", score);
_dpd.alertAdd(DPX_GID, DPX_DST_SID, 1, 0, 3, alert, 0);

I'm using 2 output modules to check it: alert_fast and unified2 (to mysql
by barnyard2). I checked the result in alert_fast output file but it didn't
show the...

Re: [Dynamic Preprocessor] How to log packet and output alert: genSnortEvent or alertAdd? Hai Minh Nguyen (May 25)
Thank you Russ. My problem has been solved.

Re: rules file doesn't work properly, no DoS or portscan detected... waldo kitty (May 25)
what interface are you trying to have snort watch?

Re: rules file doesn't work properly, no DoS or portscan detected... Gijs van der Velden (May 25)
I just started snort with:

snort -c D:\Snort\etc\snort.conf -l D:\Snort\log -T –daq pcap

And it came up with the error active response: can't open ip!
Maybe this is the cause of the problem?

From: gijsvandervelden () live nl
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] rules file doesn't work properly, no DoS or portscan detected...
Date: Sat, 25 May 2013 01:08:48 +0200

Yes, snort does detect all the...

Re: Binary log capture looks incomplete. waldo kitty (May 25)
each rule that gets triggered has the packet(s) that triggered it logged... this
is not a bug or error...

Re: Binary log capture looks incomplete. beenph (May 25)
Do you want to log in unified2 format or tcpdump format?

If you want unified2 do not use -A fast or -b at the command line level :)

Re: classification.config regression? waldo kitty (May 25)
[trim]

easier would be to modify your classification.config file ;)

FWIW: we only update ours when new classifications are added...

Re: new rule waldo kitty (May 25)
is that mininova reference to an actual reference link concerning the rule
and/or its contents or it is a link to a site that provides torrent connections
or torrent catalog links?

ideally, reference links will be to pages with information concerning the rule
and why it was written...

classification.config regression? Gregory S Thomas (May 24)
The classification.config file in the snort source tarball changed in 2.9.4.5 (and 2.9.4.6 has the same one as
2.9.4.5). Most of the changes are simply in capitalization, but it also removes 3 classifications that were introduced
in 2.9.1 (file-format, malware-cnc, and client-side-exploit):

shell> diff snort-2.9.4.1/etc/classification.config snort-2.9.4.5/etc/classification.config
47,54c47,54
< config classification:...

Re: rules file doesn't work properly, no DoS or portscan detected... Gijs van der Velden (May 24)
Yes, snort does detect all the packets.
There is only one interface on the system.

The config looks like:

#--------------------------------------------------
# VRT Rule Packages Snort.conf
#
# For more information visit us at:
# http://www.snort.org Snort Website
# http://vrt-blog.snort.org/ Sourcefire VRT Blog
#
# Mailing list Contact: snort-sigs () lists sourceforge net
# False Positive reports:...

Re: Rule Management UI Michael Steele (May 24)
Not Windows compatible, as far as I know.

Best regards,

Michael...

WINSNORT.com Management Team Member

Re: rules file doesn't work properly, no DoS or portscan detected... Joel Esler (May 24)
Are you receiving any packets on the interface that Snort is sniffing?
Are you sniffing the right interface?
What does your snort.conf look like?
What does your Snort startup command line look like?
What output do you get when you run that command?

Re: Rule Management UI Dustin Webber (May 24)
Just curious. Why would you run an IDS on Windows? If you meant pushing data into BASE remotely, why would you run a web
server on Windows?

Not a troll; is there a performance reason?

new rule Chukhaltsetseg Shijirbaatar (May 24)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Bittorrent Metafile"; flow:to_server,established; content:"/announce"; offset:0; dsize:>122; reference:url,tracker.mininova.org; classtype:policy-violation; priority:1; sid:2000507; rev:1;)

Re: Binary log capture looks incomplete. Shields, Joseph (NIH/NIEHS) [C] (May 24)
I don't think the limit comes into play when the packets count value is set to zero. If I am understanding the manual
correctly:

You can disable this packet limit for a particular rule by adding a packets metric to your tag option and setting its
count to 0 (This can be done on a global scale by setting the tagged packet limit option in snort.conf to 0).

I have each rule with this setting which ought to cause any hit to be captured in...

More Lists

Dozens of other network security lists are archived at SecLists.Org.
