Snort Mailing List

Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

List Archives

Year    Jan–Mar   Apr–Jun   Jul–Sep   Oct–Dec   (archived posts per quarter)
2014        916      1101       710         -
2013       1238      1431      1251       825
2012        807       731      1245      1527
2011       1399       829       660       657
2010        864      1000       892      1152
2009        352       616       423       604
2008        277       264       220       278
2007        218       295       379       283
2006        393       476       403       333
2005       1684       725       777       616
2004       1913      1805      1729      1399
2003       3113      3034      2307      2165
2002       2884      2504      2570      2572
2001          -      1488      3085      2640

Latest Posts

Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 27)
Do you want us to file bug reports directly to you or to the GitHub? i.e.:
the issue on Fedora with a perl-Filter package issue


Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 27)
Hi.

In fact I've put a load of effort into ofpc recently. After a couple of requests I've moved the code to GitHub, that's
one of the reasons why you won't have seen any commits to the google code svn repo.

It's working really well for my needs right now and I've added some new cool features like searching flow data from the
cli. Once I've finished off distributed flow searching (via openfpc proxy to...

Re: Snort crash when reload rules with tag session Netanel Maman (Aug 27)
I found a way to solve the bug, with a call to the TagCacheReset function before
calling FreeRuleLists.

TagCacheReset will free the pointers to old output plugins, so we lose
tagged sessions/hosts, but reload works again.

Netanel

2014-08-17 21:58 GMT+03:00 Netanel Maman <netanelmaman0 () gmail com>:


Re: Snort 2.9.6.2 inline mode problem Y M (Aug 27)
You can drop "--daq-mode inline" from your command since you already have the mode defined in snort.conf. Does the box
running Snort do anything else other than just running Snort?

Run tcpdump to capture the traffic while running Snort and test again. See what information the capture might provide.
It's a crapshoot but you may also want to test on another distro, we have one specific case where things didn't work as...

Re: snort -> barnyard2 -> splunk VM PC (Aug 27)
Yes it can. Use the following in barnyard2.conf

output alert_syslog_full: sensor_name ips01-eth0:eth1, server 192.168.1.1,
protocol udp, port 514

P.S.
I am now using rsyslog, but can't remember why.
output log_syslog_full: sensor_name ips01-eth0:eth1, local, log_priority
LOG_INFO,log_facility LOG_LOCAL1

/etc/rsyslog.d/50-default.conf
#Alert Full
local1.info /var/log/snort/snort_full
local1.info...

Re: snort -> barnyard2 -> splunk Shirkdog (Aug 27)
The question is, do you want just alerts or pcap data?

alert_fast can just be dumped into splunk.
On Aug 27, 2014 4:19 PM, "Robert Millott" <robm () millottandassociates com>
wrote:


snort -> barnyard2 -> splunk Robert Millott (Aug 27)
Anyone have some good suggestions on getting Snort into Splunk? I've seen
some directions for snort -> barnyard2 -> syslog -> syslog-ng -> splunk,
but I don't see the need for syslog. I've also seen snort -> splunk via
alert_fast, but I already have barnyard2, and from what I hear, using
barnyard2 will help optimize snort by relieving some of the processing it
must do.

Can barnyard2 send directly to splunk in a...

Re: installation help Joel Esler (jesler) (Aug 27)
On Aug 27, 2014, at 12:52 PM, Sharif Uddin <Sharif.Uddin () spectrumasa com>
wrote:

[root () snort bin]# ./snort status
Running in packet dump mode

Looks like you are trying to use an init script or something, when you are actually running the command “Snort”.

If you do a “ps aux | grep snort”, do you see a running Snort process?

Re: Snort 2.9.6.2 inline mode problem James Lay (Aug 27)
First doc:
https://github.com/vrtadmin/snort-faq/blob/master/docs/README.daq

And from the daq source README:
AFPACKET Module
===============

afpacket functions similar to the pcap DAQ but with better performance:

./snort --daq afpacket -i <device>
[--daq-var buffer_size_mb=<#MB>]
[--daq-var debug]

If you want to run afpacket in inline mode, you must set device to one
or more
interface pairs, where...

Re: Snort 2.9.6.2 inline mode problem Debason Shockre (Aug 27)
Can you please elaborate why it is an issue, and how you set up IPS with
afpacket?
Thanks.

Re: Urgent Jeremy Hoel (Aug 27)
How often do you play this game.. and how strong IS your liver?


Re: Bad so_rules on file snortrules-snapshot-2961.tar.gz Joel Esler (jesler) (Aug 27)
All —

We have figured out the issue. We’ll be fixing it with the next release.

Subscriber or Registered?

Re: Urgent Joel Esler (jesler) (Aug 27)
I believe this to be two drinks.

http://blog.joelesler.net/p/snort-drinking-game.html

Predictive attack probability would be cool

I am in dying need of ideas regarding my thesis, which has to do with snort as an IDS (Topic is: evaluation of IDS with
Snort as case study). I have done the basic experimental setup of snort in a VMware and configured snort to generate
logs and alerts, which has worked perfectly well, but I was asked to dig deeper...

Re: Bug in 2.9.6.2??? Joel Esler (jesler) (Aug 27)
Cc’ing Snort-devel

A rule (ET Rule 2012647) has the following threshold in the rule: threshold: type limit, count 1, seconds 300, track
by_src

Prior to upgrading to 2.9.6.2, this worked as expected, one alert every 5 minutes.
Since upgrading to 2.9.6.2 on 8/15, now we are seeing the behavior where the rule will fire, wait 5 minutes, then fire
again, and again and again.

But, it doesn’t start out this way. After a restart of Snort (STOP...

Re: Snort 2.9.6.2 inline mode problem James Lay (Aug 27)
But your --daq-mode inline is the issue....that sets up the Snort
controlled bridge.

James

