[Snort-Users] Patching Snort with SnortSAM

This is a discussion on [Snort-Users] Patching Snort with SnortSAM within the Snort forums, part of the System Security and Security Related category.


10-19-2003
Daniél Haslinger
 
Hi ..

I've sent this message in error directly to frank knobbe before,
please forgive me :)

There's a problem here while patching snort with snortsam..

this is what I do - and the problem too...:
----------------------------------------------------------
# ./patchsnort.sh ../../ (my snort sources are two directories higher..)
Patching Snort version 2.0...
Looks like a unified context diff.
File to patch: _
----------------------------------------------------------

here it wants me to give input - but I don't know what and I couldn't find it
in any howto on the snortsam webpage,
on howto's which describe how to do the patch-work there is no need to
enter information like the system asks here ...

My environment:

snort Version 2.02 (it didn't work out on 2 and 2.01 too to get further than now..)
actual SnortSam release
Sun Solaris 8 (5.8 on an ultra-sparc)

it would be GREAT if ya could help me!..
many thanks,
Daniél


Daniél Haslinger
Security & Engineering

--------------------------------------------------------------------------------

:: Rotheneder GmbH Schillerplatz 1 - A 3100 St.Pölten
:: eMail daniel.haslinger@rotheneder.com
:: website http://www.rotheneder.com

----- Original Message -----
From: snort@van-wijnen.net
To: 'John Hally' ; snort-users@lists.sourceforge.net
Sent: Wednesday, October 15, 2003 10:58 PM
Subject: RE: [Snort-users] byte_test and Snortcenter


Hi John,

It's a bug in snortcenter with rule 1882.
Have a look at this previous post: (search google on snortcenter
byte_test)
http://groups.google.com/groups?q=...rt=10&hl=nl&l
r=&ie=UTF-8&oe=UTF-8&selm=bef4ej%241itj%241%40FreeBSD.csie.NCTU.edu.tw&r
num=12

This explains how to solve the problem.

Cheers,
Rick.



-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of John Hally
Sent: Tuesday, 14 October 2003 22:28
To: 'snort-users@lists.sourceforge.net'
Subject: [Snort-users] byte_test and Snortcenter

Hello,

I just installed snort-2.0.2 along with snortcenter. I updated the
snort-sigs from the internet and push the rules fine, but when I try
restarting the sensor, it fails because of the byte_test operator. Why
would v2.0.2 not accept the byte_test operator? Has anyone else run
into this?

Thanks in advance!

John Hally


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=snort-users



