Snort - [Snort-users] Upgrade of Snort

Author

[Snort-users] Upgrade of Snort

O'Flynn, Derek

2004-09-24, 5:46 pm

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C4A27D.EAB58896
Content-Type: text/plain

I just did an upgrade for 2.0 to 2.2. I rebuilt it and overlayed the old
binary. I also utilized the new snort.conf and ported my specific
configurations over to it. I dropped the tables in mysql and rebuilt them
using the create_mysql and snortdb-extra configs. Updated the .config and
..map files to my etc directory.

Anyway, it looks like it comes up fine, and then crashes out with a file
size error. Anyone know how to correct it?

rpc_decode arguments:

Ports to decode RPC on: 111 32771

alert_fragments: INACTIVE

alert_large_fragments: ACTIVE

alert_incomplete: ACTIVE

alert_multiple_requests: ACTIVE

telnet_decode arguments:

Ports to decode telnet on: 21 23 25 119

database: compiled support for ( mysql )

database: configured to use mysql

database: user = snort

database: password is set

database: database name = snort

database: host = localhost

database: sensor name = 192.168.100.100

database: sensor id = 1

database: schema version = 106

database: using the "log" facility

1889 Snort rules read...

1889 Option Chains linked into 196 Chain Headers

0 Dynamic rules

++++++++++++++++++++++++++++++++++++++++
+++++++++++

Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

+-----------------------[thresholding-config]-------------------------------
---

| memory-cap : 1048576 bytes

+-----------------------[thresholding-global]-------------------------------
---

| none

+-----------------------[thresholding-local]--------------------------------
---

| gen-id=1 sig-id=2495 type=Both tracking=dst count=20
seconds=60

| gen-id=1 sig-id=2523 type=Both tracking=dst count=10
seconds=10

| gen-id=1 sig-id=2494 type=Both tracking=dst count=20
seconds=60

| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5
seconds=60

| gen-id=1 sig-id=2496 type=Both tracking=dst count=20
seconds=60

+-----------------------[suppression]---------------------------------------
---

----------------------------------------------------------------------------
---

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-

Version 2.2.0 (Build 30)

By Martin Roesch (roesch@sourcefire.com, www.snort.org)

File size limit exceeded

Thanks,

Derek O'Flynn

------_=_NextPart_001_01C4A27D.EAB58896
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">

<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>

</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

I just did an upgrade for 2.0 to 2.2.  I =
rebuilt it and
overlayed the old binary.  I also utilized the new snort.conf and =
ported my
specific configurations over to it.  I dropped the tables in mysql =
and rebuilt
them using the create_mysql and snortdb-extra configs.  Updated =
the .config and
..map files to my etc directory.<o:p></o:p>

<o:p> </o:p>

Anyway, it looks like it comes up fine, and then =
crashes out
with a file size error.  Anyone know how to correct =
it?<o:p></o:p>

<o:p> </o:p>

rpc_decode arguments:<o:p></o:p>

    Ports to decode RPC on: 111 32771 =
<o:p></o:p>

    alert_fragments: =
INACTIVE<o:p></o:p>

    alert_large_fragments: =
ACTIVE<o:p></o:p>

    alert_incomplete: =
ACTIVE<o:p></o:p>

    alert_multiple_requests: =
ACTIVE<o:p></o:p>

telnet_decode =
arguments:<o:p></o:p>

    Ports to decode telnet on: 21 23 =
25 119 <o:p></o:p>

database: compiled support for ( mysql =
)<o:p></o:p>

database: configured to use =
mysql<o:p></o:p>

database:       &n=
bsp;  user =3D snort<o:p></o:p>

database: password is =
set<o:p></o:p>

database: database name =3D =
snort<o:p></o:p>

database:       &n=
bsp;  host =3D localhost<o:p></o:p>

database:   sensor name =3D =
192.168.100.100<o:p></o:p>

database:     sensor id =3D =
1<o:p></o:p>

database: schema version =3D =
106<o:p></o:p>

database: using the "log" =
facility<o:p></o:p>

1889 Snort rules =
read...<o:p></o:p>

1889 Option Chains linked into 196 Chain =
Headers<o:p></o:p>

0 Dynamic rules<o:p></o:p>

 ++++++++++++++++++++++++++++++++++++++++
+++++++++++<o=
:p></o:p>

<o:p> </o:p>

Warning: flowbits key 'realplayer.playlist' is =
checked but
not ever set.<o:p></o:p>

<o:p> </o:p>

+-----------------------[thresholding-config]--------=
--------------------------<o:p></o:p>

| memory-cap : 1048576 =
bytes<o:p></o:p>

+-----------------------[thresholding-global]--------=
--------------------------<o:p></o:p>

| none<o:p></o:p>

+-----------------------[thresholding-local]---------=
--------------------------<o:p></o:p>

| gen-id=3D1      =
sig-id=3D2495      =
type=3DBoth      
tracking=3Ddst count=3D20  seconds=3D60 =
<o:p></o:p>

| gen-id=3D1      =
sig-id=3D2523      =
type=3DBoth      
tracking=3Ddst count=3D10  seconds=3D10 =
<o:p></o:p>

| gen-id=3D1      =
sig-id=3D2494      =
type=3DBoth      
tracking=3Ddst count=3D20  seconds=3D60 =
<o:p></o:p>

| gen-id=3D1      sig-id=3D2=
275       type=3DThreshold
tracking=3Ddst count=3D5   seconds=3D60 =
<o:p></o:p>

| gen-id=3D1      =
sig-id=3D2496      =
type=3DBoth      
tracking=3Ddst count=3D20  seconds=3D60 =
<o:p></o:p>

+-----------------------[suppression]----------------=
--------------------------<o:p></o:p>

-----------------------------------------------------=
--------------------------<o:p></o:p>

Rule application order:
->activation->dynamic->alert->pass->log<o:p></o:p>=


<o:p> </o:p>

        --=3D=3D =
Initialization Complete =3D=3D--<o:p></o:p>

<o:p> </o:p>

-*> Snort! <*-<o:p></o:p>

Version 2.2.0 (Build =
30)<o:p></o:p>

By Martin Roesch (roesch@sourcefire.com, =
www.snort.org)<o:p></o:p>

File size limit =
exceeded<o:p></o:p>

<o:p> </o:p>

Thanks,<o:p></o:p>

Derek O'Flynn<o:p></o:p>

</div>

</body>

</html>

------_=_NextPart_001_01C4A27D.EAB58896--

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users

O'Flynn, Derek

2004-09-24, 5:46 pm

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C4A281.53BB1C0E
Content-Type: text/plain

An update,

I found the problem, on a hunch I checked /var/log/snort and noticed a big
ol' file sitting there. So I deleted it...problem fixed. Why is snort
logging to this file when I have it configured to replicate the events to a
db?

Derek O'Flynn

Enterprise Information Security

LSU Health Sciences Center

doflyn@lsuhsc.edu <mailto:doflyn@lsuhsc.edu> (504)568-6130

_____

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of O'Flynn, Derek
Sent: Friday, September 24, 2004 4:33 PM
To: 'snort-users@lists.sourceforge.net'
Subject: [Snort-users] Upgrade of Snort

I just did an upgrade for 2.0 to 2.2. I rebuilt it and overlayed the old
binary. I also utilized the new snort.conf and ported my specific
configurations over to it. I dropped the tables in mysql and rebuilt them
using the create_mysql and snortdb-extra configs. Updated the .config and
..map files to my etc directory.

Anyway, it looks like it comes up fine, and then crashes out with a file
size error. Anyone know how to correct it?

rpc_decode arguments:

Ports to decode RPC on: 111 32771

alert_fragments: INACTIVE

alert_large_fragments: ACTIVE

alert_incomplete: ACTIVE

alert_multiple_requests: ACTIVE

telnet_decode arguments:

Ports to decode telnet on: 21 23 25 119

database: compiled support for ( mysql )

database: configured to use mysql

database: user = snort

database: password is set

database: database name = snort

database: host = localhost

database: sensor name = 192.168.100.100

database: sensor id = 1

database: schema version = 106

database: using the "log" facility

1889 Snort rules read...

1889 Option Chains linked into 196 Chain Headers

0 Dynamic rules

++++++++++++++++++++++++++++++++++++++++
+++++++++++

Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

+-----------------------[thresholding-config]-------------------------------
---

| memory-cap : 1048576 bytes

+-----------------------[thresholding-global]-------------------------------
---

| none

+-----------------------[thresholding-local]--------------------------------
---

| gen-id=1 sig-id=2495 type=Both tracking=dst count=20
seconds=60

| gen-id=1 sig-id=2523 type=Both tracking=dst count=10
seconds=10

| gen-id=1 sig-id=2494 type=Both tracking=dst count=20
seconds=60

| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5
seconds=60

| gen-id=1 sig-id=2496 type=Both tracking=dst count=20
seconds=60

+-----------------------[suppression]---------------------------------------
---

----------------------------------------------------------------------------
---

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-

Version 2.2.0 (Build 30)

By Martin Roesch (roesch@sourcefire.com, www.snort.org)

File size limit exceeded

Thanks,

Derek O'Flynn

------_=_NextPart_001_01C4A281.53BB1C0E
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">

<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags" =
name=3D"PlaceType"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"PlaceName"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"City"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"place" downloadurl=3D"http://www.5iantlavalamp.com/"/>

<style>

</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

An =
update,<o:p></o:p>

<o:p> </o:p>=

I found the problem, on a hunch I =
checked
/var/log/snort and noticed a big ol' file sitting there.  So I =
deleted it...problem
fixed.  Why is snort logging to this file when I have it =
configured to
replicate the events to a db?<o:p></o:p>

<o:p> </o:p>=

<div>

Derek O'Flynn<o:p></o:p>

<st1:City w:st=3D"on"><st1:place w:st=3D"on">Enterprise</st1:place></st1:City> Information Security<o:p></o:p>

<st1:place w:st=3D"on"><st1:PlaceName =
w:st=3D"on">LSU</st1:PlaceName> <st1:PlaceName
w:st=3D"on">Health</st1:PlaceName> <st1:PlaceName =
w:st=3D"on">Sciences</st1:PlaceName>
<st1:PlaceType w:st=3D"on">Center</st1:PlaceType></st1:pl=
ace><o:p></o:p>

<a =
href=3D"mailto:doflyn@lsuhsc.edu">doflyn@lsuhsc.edu</a>
(504)568-6130<o:p></o:p>

</div>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>

</div>

From:
snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of O'Flynn, Derek 
Sent: Friday, September =
24, 2004
4:33 PM 
To: =
'snort-users@lists.sourceforge.net' 
Subject: [Snort-users] =
Upgrade of
Snort<o:p></o:p>

</div>

<o:p> </o:p>

I just did an upgrade for 2.0 to 2.2.  I =
rebuilt it and
overlayed the old binary.  I also utilized the new snort.conf and =
ported
my specific configurations over to it.  I dropped the tables in =
mysql and
rebuilt them using the create_mysql and snortdb-extra configs.  =
Updated
the .config and .map files to my etc =
directory.<o:p></o:p>

<o:p> </o:p>

Anyway, it looks like it comes up fine, and then =
crashes out
with a file size error.  Anyone know how to correct =
it?<o:p></o:p>

<o:p> </o:p>

rpc_decode arguments:<o:p></o:p>

    Ports to decode RPC on: 111 32771 =
<o:p></o:p>

    alert_fragments: =
INACTIVE<o:p></o:p>

    alert_large_fragments: =
ACTIVE<o:p></o:p>

    alert_incomplete: =
ACTIVE<o:p></o:p>

    alert_multiple_requests: =
ACTIVE<o:p></o:p>

telnet_decode =
arguments:<o:p></o:p>

    Ports to decode telnet on: 21 23 =
25 119 <o:p></o:p>

database: compiled support for ( mysql =
)<o:p></o:p>

database: configured to use =
mysql<o:p></o:p>

database:       &n=
bsp; 
user =3D snort<o:p></o:p>

database: password is =
set<o:p></o:p>

database: database name =3D =
snort<o:p></o:p>

database:       &n=
bsp; 
host =3D localhost<o:p></o:p>

database:   sensor name =3D =
192.168.100.100<o:p></o:p>

database:     sensor id =3D =
1<o:p></o:p>

database: schema version =3D =
106<o:p></o:p>

database: using the "log" =
facility<o:p></o:p>

1889 Snort rules =
read...<o:p></o:p>

1889 Option Chains linked into 196 Chain =
Headers<o:p></o:p>

0 Dynamic rules<o:p></o:p>

 ++++++++++++++++++++++++++++++++++++++++
+++++++++++<o=
:p></o:p>

<o:p> </o:p>

Warning: flowbits key 'realplayer.playlist' is =
checked but
not ever set.<o:p></o:p>

<o:p> </o:p>

+-----------------------[thresholding-config]--------=
--------------------------<o:p></o:p>

| memory-cap : 1048576 =
bytes<o:p></o:p>

+-----------------------[thresholding-global]--------=
--------------------------<o:p></o:p>

| none<o:p></o:p>

+-----------------------[thresholding-local]---------=
--------------------------<o:p></o:p>

| gen-id=3D1     
sig-id=3D2495     
type=3DBoth       tracking=3Ddst =
count=3D20 
seconds=3D60 <o:p></o:p>

| gen-id=3D1     
sig-id=3D2523     
type=3DBoth       tracking=3Ddst =
count=3D10 
seconds=3D10 <o:p></o:p>

| gen-id=3D1     
sig-id=3D2494     
type=3DBoth       tracking=3Ddst =
count=3D20  seconds=3D60
<o:p></o:p>

| gen-id=3D1     
sig-id=3D2275       type=3DThreshold =
tracking=3Ddst
count=3D5   seconds=3D60 <o:p></o:p>

| gen-id=3D1     
sig-id=3D2496     
type=3DBoth       tracking=3Ddst =
count=3D20 
seconds=3D60 <o:p></o:p>

+-----------------------[suppression]----------------=
--------------------------<o:p></o:p>

-----------------------------------------------------=
--------------------------<o:p></o:p>

Rule application order:
->activation->dynamic->alert->pass->log<o:p></o:p>=


<o:p> </o:p>

        --=3D=3D
Initialization Complete =3D=3D--<o:p></o:p>

<o:p> </o:p>

-*> Snort! <*-<o:p></o:p>

Version 2.2.0 (Build =
30)<o:p></o:p>

By Martin Roesch (roesch@sourcefire.com, =
www.snort.org)<o:p></o:p>

File size limit =
exceeded<o:p></o:p>

<o:p> </o:p>

Thanks,<o:p></o:p>

Derek O'Flynn<o:p></o:p>

</div>

</body>

</html>

------_=_NextPart_001_01C4A281.53BB1C0E--

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users

Bamm Visscher

2004-09-24, 5:46 pm

Snort has two output facilities: "alert" and "log". Each facility is
assigned a default output format if none is specified. For the alert
facility the default is the /var/log/snort/alert file, for the log
facility, it is those funky addr:port files in /var/log/snort. By
using "output database: log" you have changed the log facility from
the default, to using the DB, but you have done nothing with the alert
facility. Since alert calls log (as long as the function was called
with a pointer to a packet), you can safely turn off any alert output
by using '-A none' (and -N would turn off any log output).

Bammkkkk

----- Original Message -----
From: O'Flynn, Derek <doflyn@lsuhsc.edu>
Date: Fri, 24 Sep 2004 16:57:35 -0500
Subject: RE: [Snort-users] Upgrade of Snort
To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>

An update,

I found the problem, on a hunch I checked /var/log/snort and noticed a
big ol' file sitting there. So I deleted it...problem fixed. Why is
snort logging to this file when I have it configured to replicate the
events to a db?

Derek O'Flynn

Enterprise Information Security

LSU Health Sciences Center

doflyn@lsuhsc.edu (504)568-6130

________________________________

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users