This is a discussion on Re: [Snort-users] flexresp and mysql within the Snort forums, part of the System Security and Security Related category.
If you are installing on a FreeBSD 6.1X or later system, then you need libnet10-1.0.2a_1. Get this from the BSD ports collection; installing snort_inline from sysinstall also works.

Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com

snort-users-request@lists.sourceforge.net wrote:
> Today's Topics:
>
>    1. flexresp and mysql (Jesús Gálvez)
>    2. Re: flexresp and mysql (Todd Wease)
>    3. (portscan) Open Port: (Mark Rohrbeck)
>    4. Re: (portscan) Open Port: (Bamm Visscher)
>    5. snort v2.6 Win32 flex? (Rich Adamson)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 7 Sep 2006 13:06:10 +0200 (CEST)
> From: Jesús Gálvez <jesuxgalvez@yahoo.es>
> Subject: [Snort-users] flexresp and mysql
> To: snort-users@lists.sourceforge.net
> Message-ID: <20060907110610.53088.qmail@web27107.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi, when I run configure with the flexresp and mysql options, configure gives me an error.
>
> Then I tried with flexresp2 and libdnet, but again I got the same result:
>
>     checking for compress in -lz... yes
>     checking dnet.h usability... yes
>     checking dnet.h presence... yes
>     checking for dnet.h... yes
>     checking for eth_set in -ldnet... no
>
>     ERROR! Libdnet header not found, go get it from
>     http://libdnet.sourceforge.net or use the --with-dnet-*
>     options, if you have it installed in an unusual place
>
> I run:
>
>     ./configure --prefix=/usr/local/snort \
>         --with-dnet-libraries=/usr/lib \
>         --with-dnet-includes=/usr/lib/include \
>         --with-mysql=/usr/local/mysql \
>         --enable-flexresp2
>
> All is in the correct directories.
>
> Can anyone help me? Thanks.
>
> ------------------------------
>
> Message: 2
> Date: Thu, 07 Sep 2006 10:27:27 -0400
> From: Todd Wease <twease@sourcefire.com>
> Subject: Re: [Snort-users] flexresp and mysql
> To: snort-users@lists.sourceforge.net
> Message-ID: <1157639247.2569.15.camel@dhcp10-12.sfeng.sourcefire.com>
> Content-Type: text/plain
>
>> --with-dnet-includes=/usr/lib/include \
>
> Try --with-dnet-includes=/usr/include
>
> ------------------------------
>
> Message: 3
> Date: Thu, 7 Sep 2006 11:32:36 -0400
> From: Mark Rohrbeck <mark.rohrbeck@gmail.com>
> Subject: [Snort-users] (portscan) Open Port:
> To: <Snort-users@lists.sourceforge.net>
> Message-ID: <000001c6d292$da790420$a029a8c0@cuinterface.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
> I am getting thousands of these portscans (below are 3 examples). They are
> basically all from my Exchange server to different IP addresses, mainly on
> port 25; I have noticed a few on 53 too. They are all going to addresses on
> the internet and I am not sure if I should be concerned or not; they are
> happening continuously all through the day.
>
> If I can offer any more information please let me know. I would really like
> to get to the bottom of this; I have googled away and found similar posts but
> no answers.
>
> When I click on the link to Snort it says
>
>     GEN:SID   1:27
>     Message   Sorry, no such sid-gen (1:27)
>
> Any help greatly appreciated.
>
>     ID              Signature (sid 27, http://www.snort.org/pub-bin/sigs.cgi?sid=27)   Timestamp            Source          Destination   Proto
>     #624-(3-21094)  [snort] (portscan) Open Port: 25                                    2006-09-06 06:08:36  192.168.41.129  67.15.52.7    Raw IP
>     #625-(3-21091)  [snort] (portscan) Open Port: 25                                    2006-09-06 06:08:35  192.168.41.129  70.84.128.20  Raw IP
>     #626-(3-21092)  [snort] (portscan) Open Port: 25                                    2006-09-06 06:08:35  192.168.41.129  67.15.143.14  Raw IP
>
> Thanks
>
> ------------------------------
>
> Message: 4
> Date: Thu, 7 Sep 2006 09:40:36 -0600
> From: "Bamm Visscher" <bamm.visscher@gmail.com>
> Subject: Re: [Snort-users] (portscan) Open Port:
> To: "Mark Rohrbeck" <mark.rohrbeck@gmail.com>
> Cc: Snort-users@lists.sourceforge.net
> Message-ID: <27492850609070840p33d39e47wb636b1cc5d4a74fb@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> That's the sfportscan preprocessor [0]
>
> Bammkkkk
>
> [0] http://www.snort.org/docs/snort_htmanuals/htmanual_260/node11.html#SECTION00317000000000000000
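The sfportscan alerts Mark posted, triaged per source host, as an added example that is not part of the thread: it groups the three alert records (constructed here from the post) by source, separates a single host fanning out to many peers on one or two service ports (what an outbound mail server looks like) from a port sweep, and builds the ignore_scanners value the sfportscan preprocessor accepts for sources you judge benign. The thresholds, the record layout and the exact snort.conf line are this example's assumptions.

```python
"""Triage sfportscan 'Open Port' alerts by source host.
Added example, not code from the thread; thresholds, record layout and the
snort.conf line are assumptions, not Snort output."""
from collections import defaultdict

# Constructed from the three alerts in Mark's post: (alert id, timestamp,
# source, destination, destination port).
SAMPLE_ALERTS = [
    ("#624-(3-21094)", "2006-09-06 06:08:36", "192.168.41.129", "67.15.52.7", 25),
    ("#625-(3-21091)", "2006-09-06 06:08:35", "192.168.41.129", "70.84.128.20", 25),
    ("#626-(3-21092)", "2006-09-06 06:08:35", "192.168.41.129", "67.15.143.14", 25),
]


def summarize(alerts):
    """Aggregate alerts per source: distinct peers, distinct ports, alert count."""
    by_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "count": 0})
    for _aid, _ts, src, dst, port in alerts:
        entry = by_src[src]
        entry["dsts"].add(dst)
        entry["ports"].add(port)
        entry["count"] += 1
    return dict(by_src)


def classify(entry, fanout_min=3, port_max=2):
    """Heuristic label for one source (thresholds are assumptions):
    'service-fanout': many peers, one or two ports (a mail relay's SMTP/DNS)
    'vertical-scan' : few peers, many ports
    'sweep'         : many peers, many ports
    'low-volume'    : too little data to say"""
    peers, ports = len(entry["dsts"]), len(entry["ports"])
    if ports <= port_max and peers >= fanout_min:
        return "service-fanout"
    if ports > port_max and peers < fanout_min:
        return "vertical-scan"
    if ports > port_max and peers >= fanout_min:
        return "sweep"
    return "low-volume"


def ignore_scanners_line(summary, label="service-fanout"):
    """Build a snort.conf sfportscan line whose ignore_scanners list holds the
    sources carrying the given label; returns '' when there are none.
    ignore_scanners is a documented sfportscan option; the other options on
    the line are this example's assumption of a minimal configuration."""
    hosts = sorted(src for src, entry in summary.items() if classify(entry) == label)
    if not hosts:
        return ""
    return ("preprocessor sfportscan: proto { all } scan_type { all } "
            "sense_level { low } ignore_scanners { %s }" % " ".join(hosts))


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for src, entry in summary.items():
        print("%s: %d alerts, %d peers, ports %s -> %s" % (
            src, entry["count"], len(entry["dsts"]),
            sorted(entry["ports"]), classify(entry)))
    print(ignore_scanners_line(summary))
```

Run it against a day's worth of exported alerts rather than three rows before trusting the label; a compromised mail host relaying spam would fan out the same way, so confirm the volume against the server's own SMTP queue logs before adding it to ignore_scanners.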