Snort mailing list archives
Re: Can't read IDS Log
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 27 Oct 2015 21:25:57 +0000
Error 422 means: The version of rules you are attempting to download doesn't exist anymore as a result of our EOL policy. Please see it here: https://www.snort.org/eol

--
Joel Esler
Manager, Talos Group

On Oct 27, 2015, at 5:20 PM, Victor Roemer (viroemer) <viroemer () cisco com> wrote:

Aaron, I am not familiar with `pulledpork` as a user so much; I'm adding the Snort-users back to the CC; someone more knowledgeable than myself on this subject exists there.

"Error 422 when fetching ..." is an HTTP server response code, so I would guess old version of pulled pork or perhaps you don't have the whatever we call it APIkey thing (OINKCODE?)...

On 10/21/15 18:53, Aaron Brown wrote:

Thanks. I have installed everything per the manual but am having trouble getting PulledPork to download rules.

"Checking latest MD5 for snortrules-snapshot-2976.tar.gz....
Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2976.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463.
main::md5file('<d502ece18d1feea16344bf3c74f881b257856938>', 'snortrules-snapshot-2976.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /u"

On Monday, October 19, 2015 3:20 PM, Victor Roemer <viroemer () cisco com> wrote:

Aaron, you're missing a large part of the build chain... In lieu of this, let me point you at some literature contributed by the opensource community:

https://snort.org/documents/snort-2-9-7-x-on-ubuntu-12-lts-and-14-lts

This one is specific to Ubuntu; however additional resources can be found @ https://snort.org/documents

On 10/16/15 19:27, Aaron Brown wrote:

Hmmm. ...... I am seeing that it is telling me below, but not telling me what exactly or where to get it:

"checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/home/jethro/daq-2.0.6':
configure: error: C compiler cannot create executables
See `config.log' for more details"

On Friday, October 16, 2015 6:41 PM, Victor Roemer <viroemer () cisco com> wrote:

Aaron, did you install snort via 'apt-get'? If so, then you'll need to take a few steps back and do the following:

1. Uninstall via aptitude
2. Download the Snort tar.gz from https://www.snort.org
3. Download the DAQ tar.gz from same site
4. Install the 'build-essentials' package via aptitude repos

Take a break.

5. Untar DAQ tar.gz (cd into directory)
6. Execute `./configure`
7. Wait for its failure messages; it will tell you what you need to install, and where to get it.
8. Repeat 6 and 7 until it succeeds, and `make install`

Then, go back to step 5, and do the same thing with the Snort tar.gz.

On 10/16/15 18:36, Aaron Brown wrote:

Trying to use u2spewfoo. It is not part of my snort. I used apt-get install. Is there some trusted place to download that 1 tool?

On Thursday, October 15, 2015 9:22 PM, Victor Roemer <viroemer () cisco com> wrote:

Aaron, IIRC, "snort.log" is the default name for the "log_unified2" output format, and considering your log text looks like unicode vomit (typical of raw binary), try reading the logs with the provided tool "u2spewfoo". Execute like so:

$ u2spewfoo /var/snort/snort.log

If that does nothing useful for you, then your snort.conf and the command line options used to run snort will be needed.

---

FWIW, if you are not using unified2 output, then you should seriously consider switching. It is our preferred format, it is capable of providing additional meta-information, and allows easy correlation of snort alerts and the culprit packets.

u2spewfoo is a tool we provide with snort to dump this data into a readable text format, but not much else. The serious deployments make heavy use of "barnyard2" for spooling the logs and doing the magics to log to databases, etc..

-Victor

On 10/15/15 19:11, Aaron Brown wrote:

Hi, I am new to snort. Just set it up and ran in intrusion detection mode. All seems well, it reports, and when I stop it seems to have a bunch of good statistics. But, when I cat the /var/snort/snort.log I get this stuff below (a lot more than posted). When I import it into Wireshark, it says the packet is too big to be imported. I just want to read the logs:

[raw binary unified2 log data pasted in the original message, not reproduced here; the only readable fragments in it were the strings "dhcpcd-5.5.6" and "android-59d86c59354bd4b27"]

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
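The whole thread turns on one fact: /var/snort/snort.log written by the log_unified2 output plugin is a binary record stream, which is why cat shows garbage and Wireshark rejects it as a capture. The following is an added example, not code from this thread and not Snort's own u2spewfoo or barnyard2. It walks the record stream, decodes the two records every deployment produces (the legacy IDS event, type 7, and the packet record, type 2, with field layouts and sizes taken from Snort's unified2.h as the author of this example recalls them, so treat the constants as assumptions), stops cleanly at a truncated trailing record (a file Snort is still writing), and re-wraps the packet records into a classic pcap image that Wireshark can open. The sample records, addresses and frame bytes are constructed for the demonstration.

```python
"""Minimal unified2 reader: added example, not Snort's u2spewfoo.

Assumed layout (from Snort's unified2.h): every record starts with an
8-byte big-endian header (type, length) followed by `length` body bytes.
Only the legacy IDS event (type 7) and packet (type 2) records are
decoded; everything else is reported by type and skipped.
"""
import socket
import struct

RECORD_HDR = struct.Struct(">II")      # type, length
UNIFIED2_PACKET = 2                    # assumed constant from unified2.h
UNIFIED2_IDS_EVENT = 7                 # assumed constant from unified2.h

# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT = struct.Struct(">11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
# Unified2Packet header: 7 x uint32 = 28 bytes, then packet_length data bytes
PACKET_HDR = struct.Struct(">7I")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break                      # partial record: Snort is still writing
        yield rtype, data[off:off + length]
        off += length


def decode(rtype, body):
    """Turn one record body into a dict; unknown types are kept, not dropped."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
        rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
        rec["ip_source"] = socket.inet_ntoa(struct.pack(">I", rec["ip_source"]))
        rec["ip_destination"] = socket.inet_ntoa(struct.pack(">I", rec["ip_destination"]))
        rec["record"] = "ids_event"
        return rec
    if rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
        rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
        rec["packet_data"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
        rec["record"] = "packet"
        return rec
    return {"record": "unknown", "type": rtype, "length": len(body)}


def read_unified2(data):
    return [decode(t, b) for t, b in iter_records(data)]


def packets_to_pcap(records, linktype=1):
    """Build a classic little-endian pcap image from the packet records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for r in records:
        if r["record"] != "packet":
            continue
        n = len(r["packet_data"])
        out += struct.pack("<IIII", r["packet_second"], r["packet_microsecond"], n, n)
        out += r["packet_data"]
    return out


def sample_log():
    """Constructed sample: one event, its packet, then a truncated record."""
    src = struct.unpack(">I", socket.inet_aton("10.0.0.5"))[0]        # constructed
    dst = struct.unpack(">I", socket.inet_aton("192.168.1.1"))[0]     # constructed
    ev = IDS_EVENT.pack(1, 1, 1444950000, 123456, 1000001, 1, 1, 3, 2,
                        src, dst, 40000, 80, 6, 0, 0, 0)
    frame = bytes.fromhex("ffffffffffff00112233445508000000")  # constructed 16-byte frame
    pkt = PACKET_HDR.pack(1, 1, 1444950000, 1444950000, 123456, 1, len(frame)) + frame
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt
            + RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev[:10])  # cut short


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_log()
    for rec in read_unified2(data):
        print(rec)
```

Run it with a path argument to dump a real snort.log, or with none to see the constructed sample. The truncated-tail check matters in practice: a reader that raises on the last partial record will fail on any file Snort has open, which is the situation a new user hitting cat on a live log is in. For production use barnyard2, as the thread says, is the supported spooler; this example only shows what the bytes mean.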