Re: Can't read IDS Log

[Victor Roemer <viroemer () cisco com>]

Aaron,

I am not familiar with `pulledpork` as a user so much- I'm adding the 
Snort-users back to the CC; someone
more knowledgeable then myself on this subject exists there.

 "Error 422 when fetching ..." is an HTTP server response code, so I 
would guess old version of pulled pork or
perhaps you dont have the whatever we call it APIkey thing (OINKCODE?)...



On 10/21/15 18:53, Aaron Brown wrote:
> Thanks. I have installed everything per the manual  but am having 
> trouble getting PulledPork to download rules.
>
> "Checking latest MD5 for snortrules-snapshot-2976.tar.gz....
>     Error 422 when fetching 
> https://www.snort.org/reg-rules/snortrules-snapshot-2976.tar.gz.md5 at 
> /usr/local/bin/pulledpork.pl line 463.
> main::md5file('<d502ece18d1feea16344bf3c74f881b257856938>', 
> 'snortrules-snapshot-2976.tar.gz', '/tmp/', 
> 'https://www.snort.org/reg-rules/&apos;) called at /u"
>
>
>
> On Monday, October 19, 2015 3:20 PM, Victor Roemer 
> <viroemer () cisco com> wrote:
>
>
> Aaron, you're missing an large part of the build chain... In lieu of 
> this, let me point you at some literature contributed by the 
> opensource community:
>
> https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts
>
> This one is specific to Ubuntu; however additional resources can be 
> found @ https://snort.org/documents
>
>
>
>
> On 10/16/15 19:27, Aaron Brown wrote:
> Hmmm. ......   I am seeing that it is telling me below, but no telling 
> me what exactly or where to get it:
>
> "checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... /bin/mkdir -p
> checking for gawk... gawk
> checking whether make sets $(MAKE)... yes
> checking whether make supports nested variables... yes
> checking for gcc... gcc
> checking whether the C compiler works... no
> configure: error: in `/home/jethro/daq-2.0.6':
> configure: error: C compiler cannot create executables
> See `config.log' for more details
> "
>
>
>
> On Friday, October 16, 2015 6:41 PM, Victor Roemer 
> <viroemer () cisco com> <mailto:viroemer () cisco com> wrote:
>
>
> Aaron, did you install snort via 'apt-get'?
>
> If so- then you'll need to take a few steps back and do the following
>
> 1. Uninstall via aptitude
> 2. download the Snort tar.gz from https://www.snort.org 
> <https://www.snort.org/>
> 3. download the DAQ tar.gz from same site
> 4. Install the 'build-essentials' packaged via aptitude repos
>
> take a break
>
> 5. untar DAQ tar.gz (cd into directory)
> 6. Execute `./configure`
> 7. Wait for its failure messages- it will tell you what you need to 
> install, and where to get it.
> 8. Repeat 6 and 7 until it succeeds, and `make install`
>
> then, go back to step 5, and do the same thing with the Snort tar.gz
>
>
> On 10/16/15 18:36, Aaron Brown wrote:
> Trying to use u2spewfoo.  It is not part of my snort.   I used apt-get 
> install. Is there some trusted place to download that 1 tool?
>
>
>
> On Thursday, October 15, 2015 9:22 PM, Victor Roemer 
> <viroemer () cisco com> <mailto:viroemer () cisco com> wrote:
>
>
> Aaron,
>
> IIRC, "snort.log" is the default name for the "log_unified2" output 
> format- and considering your log text looks like unicode vomit 
> (typical of raw binary); try reading the logs with
> the provided tool "u2spewfoo".
>
> Execute like so
>
> $ u2spewfoo /var/snort/snort.log
>
> If that does nothing useful for you, then your snort.conf and the 
> command line options used to run snort will be needed.
>
> ---
>
> FWIW, if you are not using unified2 output, then you should seriously 
> consider switching. It is our preferred format, it is capable of 
> providing additional meta-informations, and allows easy correlation of 
> snort alerts and the culprit packets.
>
> u2spewfoo is a tool we provide with snort to dump this data into a 
> readable text format- but not much else. The serious deployments make 
> heavy use of "barnyard2" for spooling the logs and doing the magics
> to log to databases, etc..
>
>
> -Victor
>
>
>
> On 10/15/15 19:11, Aaron Brown wrote:
> Hi, I am new to snort.  Just set it up and ran in intrusion detection 
> mode.  All seems well it reports and when I stop it seems to have a 
> bunch of good statistics. But, when I cat the /var/snort/snort.log I 
> get this stuff below(alot more than posted): When I import it into 
> Wireshark, it says the packet is too big to be imported.    I just 
> want to read the logs:
>
>
> ,./!y��+�iT�Vۢ �� ��:j�VۢVۢ N33� ��L
> �I����`:��� �؇����Ƹ�� ��iT�Vۢ T�� ��:j�VۢVۢ TN33� ��L
> �I����`:��� �؇8�&Q��h�Ƹ�� ��h<�Vܓ
> �����DC��VܓVܓ
> �p������L
> �9ZqL �I�Eb1�������DCN
> �I��c�Sc5=L
> �I��2
>
>
> ,./!y��+�iT�Vܓ�� ��:j�VܓVܓN33� ��L
> �I����`:��� �؇����Ƹ�� ��iT�VܓV�� ��:j�VܓVܓVN33� ��L
> �I����`:��� �؇8�&Q��h�Ƹ�� ��h<�V�'�>����DC��V�'V�'�>p������L
> �I�Eb1�������DCN8���%+L
> �I��c�Sc5=L
>       �I��2
>
>
> ,./!y��+�iT�V����� ��:j�V�'V���N33� ��L
> �I����`:��� �؇����Ƹ�� ��iT�V����� ��:j�V�'V���N33� ��L
> �I����`:��� �؇8�&Q��h�Ƹ�� ��h<h�p������L��V��V��
> �I�Eb1�������DCNO��J��L
> �I��c�Sc5=L
> �I��2
>
>
> ,./!y��+�iT�V������ ��:j�V��V����N33� ��L
> �I����`:��� �؇����Ƹ�� ��iT�V������ ��:j�V��V����N33� ��L
> �I����`:��� �؇8�&Q��h�Ƹ�� ��h<�V ��r����DC��V �V ��rp������L
> �I�Eb1�������DCNw����L
> �I��c�Sc5=L
> �I��2
>
>
> ,./!y��+�iT�V ��?�� ��:j�V �V ��?N33� ��L
> �I����`:��� �؇����Ƹ�� ��iT�V ����� ��:j�V �V ���N33� ��L
> �I����`:��� �؇8�&Q��h�Ƹ�� ��h<�V�������DC��V�V���p������L
> �I�Eb1�������DCNtn/]L
> �I��c�Sc5=L
>       �I��2
>
>
> ,./!y��+�iT�V��p�� ��:j�V�V��pN33� ��L
> �I����`:��� �؇����Ƹ�� ��iT�V�V�� ��:j�V�V�VN33� ��L
> �I����`:��� �؇8�&Q��h�Ƹ�� ��h<�V �����DC��V �V 
> �d��������ŬQEV�V@�A����DCB��P
> �3��ŬQ�c�Sc5=��ŬQ�2
> 9�<
> dhcpcd-5.5.6
> android-59d86c59354bd4b27 !3:;�h<�V �
> ML����DC��V �V �
> MLd��������ŬQEVD�@5����DCB��P
> �3��ŬQ�c�Sc5=��ŬQ�2
> 9�<
> dhcpcd-5.5.6
> android-59d86c59354bd4b27 !3:;�iT�V F�����Q�iT�V �6�:��V V 
> �6n33��ŬQц�`8�: �����
> ���Q�iT�V �l���Q�:j�V V 
> �lN33��Q���ŬQц�`:����Qч8!&Q��h������Q�iT�ZZ33��ŬQц�`$�: o 
> ����N33��Q���ŬQц�`:����Qч\��������Q�iT�V
> iT�V /Q����
> :j�V V /QN33���
> ��ŬQц�`:�����
> ��&Q��h!�4�@��
>
>
>
> This body part will be downloaded on demand.
>
>
> This body part will be downloaded on demand.
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!