Snort Mailing List

Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

List Archives

        Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec
2014        916      1101       954
2013       1238      1431      1251       825
2012        807       731      1245      1527
2011       1399       829       660       657
2010        864      1000       892      1152
2009        352       616       423       604
2008        277       264       220       278
2007        218       295       379       283
2006        393       476       403       333
2005       1684       725       777       616
2004       1913      1805      1729      1399
2003       3113      3034      2307      2165
2002       2884      2504      2570      2572
2001                 1488      3085      2640

Latest Posts

Re: Snort Rules Issues waldo kitty (Sep 23)
generally speaking, this is due to the lack of classification.conf being where
snort can find and read it... in some cases, it is because the classification
file being used does not contain the specified classification type...

what include file?

please, as a start, post your snort.conf or whatever configuration file you are
using...

please also keep your posts and responses on the list... it may help others in
the future when they search...

Snort Rules Issues Tarzan538 NONO (Sep 23)
Hi,
I am new to Snort and having this issue which I cannot overcome.

ERROR: <33> Unknown ClassType: web-application-attack
Things I have done:
Make sure the include file is pointing to the correct location
I think I have the latest classification file "# $Id:
classification.config,v 1.5 2013/05/28 16:19:02 jesler Exp $"
Not sure what is going on. Can somebody help?
Thank you,
Felix...

Sourcefire VRT Certified Snort Rules Update 2014-09-23 Research (Sep 23)
Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The VRT has added and modified multiple rules in the blacklist,
exploit-kit, file-java, malware-cnc, server-mail and server-webapp rule
sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
Hi Sharif,

I figured it out; I had “nostamp” set on the unified2 output
configuration. Once I removed that, it added the timestamp to the
snort.log filename and barnyard2 picked up the file and started sending
alerts to MySQL.

Thanks for the help!

John.


Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
I see it's erroring on your waldo file

'/var/log/barnyard2/barnyard2.waldo'

Change the waldo file path to point to /var/log/snort/

Make sure permissions are all correct on /var/log/snort/

-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 11:18
To: Sharif Uddin; Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

I've tried all...

Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
I’ve tried all different filenames, nothing seems to work.

barnyard2 will recognize files with snort.log.##### format (which snort
logs to when starting with -A), but does not recognize the file if started
w/o -A:

# ps -aef |grep snort
snort 10516 1 67 Sep22 ? 09:04:04 /usr/local/bin/snort -D -i
eth1 -u snort -g snort -c /etc/snort/etc/snort.conf

# ls -l /var/log/snort/
total 1096
-rw------- 1 snort snort 1120079 Sep 23 05:54...

Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
Have you tried changing log file name?

I'm assuming the log file gets filled up, since you can process batch files?

-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23 September 2014 10:41
To: Sharif Uddin; Shirkdog
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.6.2 unified2

Thanks Sharif,

That line is there, just a typo:
config archivedir: /var/log/barnyard2/archive config...

Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
Thanks Sharif,

That line is there, just a typo:
config archivedir: /var/log/barnyard2/archive config
process_new_records_only input unified2 output database: log, mysql,
user=snort password=###### dbname=###### host=####.####.com

Should have been:

config archivedir: /var/log/barnyard2/archive config
process_new_records_only
input unified2
output database: log, mysql, user=snort password=###### dbname=######
host=####.####.com

I’ve also...

Re: snort 2.9.6.2 unified2 Sharif Uddin (Sep 23)
In barnyard add

output database: log, mysql, user=root password=*** dbname=snorby host=localhost

make sure mysql is started.

In snort config change the logfile name

output unified2: filename snort.u2, limit 128

start barnyard2 after you have started snort

with

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /tmp/barnyard2.waldo

-----Original Message-----
From: John Hally [mailto:JHally () EBSCO COM]
Sent: 23...

Re: memcap maxed out Sharif Uddin (Sep 23)
I believe the default configuration picks up a large amount of false positives, which is why it is maxing out the CPU.

I would recommend you install pulledpork and use a policy, balanced or security.

Then start customising rules from there

To install pulled pork on centos

http://www.rivy.org/2013/03/updating-snort-rules-using-pulled-pork/

yum install perl-Crypt-SSLeay perl-LWP-Protocol-https perl-Sys-Syslog perl-Archive-Tar
cd /usr/local/bin
wget...

Re: snort 2.9.6.2 unified2 John Hally (Sep 23)
Hi Michael,

Barnyard config:

config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map
config daemon
config logdir: /var/log/snort
config hostname: snort1
config interface: eth1
config alert_with_interface_name
config waldo_file: /tmp/barnyard2.waldo
config...

Re: snort 2.9.6.2 unified2 Shirkdog (Sep 23)
Now we need your barnyard config to show that it is reading unified2
format. If your barnyard is 2.1-13 BETA (current git checkout), you
should have this in your conf file

# this is not hard, only unified2 is supported ;)
input unified2

---
Michael Shirk


snort 2.9.6.2 unified2 John Hally (Sep 23)
Hi All,

I’m having an issue that I just can't figure out.

I’m trying to combine alerts and logs in unified2 format, for which I have the following in my snort.conf file:

output unified2: filename snort.log, limit 128, nostamp

The issue is when I try to get barnyard2 to process the file. It seems that if I run snort like the following,
barnyard2 reports that it's waiting for a spool file:

/usr/local/bin/snort -D -i eth1 -u snort -g snort -c...

Re: memcap maxed out Khanh Tran (Sep 22)

Re: memcap maxed out Sharif Uddin (Sep 22)
After the changes I made, provided by Khanh, the messages have been reduced a lot; however, I do still get a few of the
following

Sep 20 20:07:11 snort dbus-daemon: dbus[580]: [system] Activating via systemd: service
name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 20 20:07:11 snort systemd: Starting Network Manager Script Dispatcher Service...
Sep 20 20:07:11 snort dbus-daemon:...

More Lists

Dozens of other network security lists are archived at SecLists.Org.

