This is a discussion on RE: [Snort-users] snort/mudpit - status within the Snort forums, part of the System Security and Security Related category.
Are you having a problem with regards to the duplicate entry message in ACID? If so I am having the same issue. Although I seem to have traced it back to the way acid builds its cache table. I also run mudpit though, so if someone can confirm that this problem only happens to users of mudpit and not everyone else that would be great. The duplicate entries don't seem to be affecting the actual alerts, so it doesn't seem to be a pressing issue. Just one I would like to solve.

The mudpit entries you have listed below do look ok. As far as I can tell mudpit runs a parent process and a child process for each interface you are sniffing on. In my case I have 3 mudpit entries per snort.

13803 ?  S  3124:27 /usr/local/bin/snort -D -i eth1 -o -u snort -c /var/sensor/rules/snort.eth1.conf
16633 ?  S     0:00 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
16838 ?  S  1682:56 /usr/local/bin/snort -D -i eth2 -o -u snort -c /var/sensor/rules/snort.eth2.conf
27168 ?  S     0:20 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
27194 ?  S     0:16 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf

If you do a "ps ax -H" it will sort them by hierarchy. In this format you will see them listed together and the child processes will be tabbed in under the parent as below.

13803 ?  S  3124:56 /usr/local/bin/snort -D -i eth1 -o -u snort -c /var/sensor/rules/snort.eth1.conf
16633 ?  S     0:00 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
27168 ?  S     0:20   /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
27194 ?  S     0:16   /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
16838 ?  S  1683:05 /usr/local/bin/snort -D -i eth2 -o -u snort -c /var/sensor/rules/snort.eth2.conf

Hope that all helps.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107

-----Original Message-----
From: Steffen Maetzky (extern) [mailto:estm@gedas.de]
Sent: March 31, 2004 6:42 AM
To: Snort-users
Subject: [Snort-users] snort/mudpit - status

Because of my problem with duplicate entries I wanted to know which processes are run.

I've started snort with: /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -u snort -D
and mudpit with: /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D

Does anyone know if it is the normal behavior?

ps -ax |grep snort
 2276 ?      S    2:06 [snort]
 2512 ?      S    0:00 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
 2513 ?      S    6:31 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
 2694 pts/2  S    0:00 grep snort

ps -ax |grep mudpit
 2512 ?      S    0:00 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
 2513 ?      S    6:36 /usr/local/bin/mudpit -c /etc/snort/mudpit.conf -D
 2697 pts/2  S    0:00 grep mudpit
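A check for the process layout Shawn describes, written as an added example that is not from the thread or from the snort/mudpit projects: it reads `ps -eo pid,ppid,args` output, which gives the parent PID that `ps ax -H` only shows by indentation, and flags any interface with a missing or doubled snort or a mudpit child count that does not match the interface count. The PS_SAMPLE lines are constructed from the PIDs quoted above; their PPID column is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a snort/mudpit sensor's
# process layout (one snort per sniffed interface, one mudpit parent with one
# child per interface, as Shawn describes) from `ps -eo pid,ppid,args` output.
# PS_SAMPLE is constructed from the thread's PIDs; the PPID column is assumed.
PS_SAMPLE='  PID  PPID COMMAND
13803     1 /usr/local/bin/snort -D -i eth1 -o -u snort -c /var/sensor/rules/snort.eth1.conf
16633     1 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
27168 16633 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
27194 16633 /usr/local/bin/mudpit -c /etc/mudpit/mudpit.cf
16838     1 /usr/local/bin/snort -D -i eth2 -o -u snort -c /var/sensor/rules/snort.eth2.conf'

ps_lines() { printf '%s\n' "$PS_SAMPLE"; }   # live sensor: ps -eo pid,ppid,args

# Number of snort processes whose -i argument names the given interface.
snort_count_for() {
    ps_lines | awk -v ifc="$1" '
        $3 ~ /snort$/ { for (i = 4; i <= NF; i++) if ($i == "-i" && $(i + 1) == ifc) n++ }
        END { print n + 0 }'
}

# PID of the mudpit parent: the mudpit whose PPID is not itself a mudpit.
mudpit_parent() {
    ps_lines | awk '
        $3 ~ /mudpit$/ { pid[$1] = 1; pp[$1] = $2 }
        END { for (p in pid) { q = pp[p]; if (!(q in pid)) { print p; exit } } }'
}

# Number of mudpit children under that parent (0 when no parent is found).
mudpit_child_count() {
    parent=$(mudpit_parent)
    [ -n "$parent" ] || { echo 0; return 0; }
    ps_lines | awk -v p="$parent" '$3 ~ /mudpit$/ && $2 == p { n++ } END { print n + 0 }'
}

# check_sensor IFACE...: "ok" when every interface has exactly one snort and
# mudpit has one child per interface; otherwise lists what is off (a second
# snort on the same interface, for instance, would report every alert twice).
check_sensor() {
    bad=""
    for ifc in "$@"; do
        c=$(snort_count_for "$ifc")
        [ "$c" -eq 1 ] || bad="$bad snort($ifc)=$c"
    done
    kids=$(mudpit_child_count)
    [ "$kids" -eq "$#" ] || bad="$bad mudpit_children=$kids/$#"
    if [ -z "$bad" ]; then echo ok; else echo "mismatch:$bad"; fi
}
check_sensor eth1 eth2   # prints "ok" for the constructed sample
```

A snort that ps lists as `[snort]`, as in Steffen's output, shows no arguments, so this check cannot tell which interface that process is on.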