Re: [Cooker] snort is crippled...
On Monday, 3 February 2003 21:01, Ben Reser wrote:
> On Wed, Jan 29, 2003 at 09:32:39AM +0100, Oden Eriksson wrote:
> > > Use bzme for .gz -> .bz2
> >
> > "bzme - recompress gziped, ziped, ... files into bzip2"
> >
> > Ha ha ha, didn't know that ;)
>
> FYI bzme is a Mandrake thing. It's just a shell script Thierry Vignaud
> wrote.

Aha, ok. Thanks.

--
Regards // Oden Eriksson, Deserve-IT.com
Re: [Cooker] snort is crippled...
On Wed, Jan 29, 2003 at 09:32:39AM +0100, Oden Eriksson wrote:
> > Use bzme for .gz -> .bz2
>
> "bzme - recompress gziped, ziped, ... files into bzip2"
>
> Ha ha ha, didn't know that ;)

FYI bzme is a Mandrake thing. It's just a shell script Thierry Vignaud wrote.

--
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

"America does not go abroad in search of monsters to destroy. She is the
well-wisher to the freedom and independence of all. She is the champion
only of her own." -- John Quincy Adams, July 4th, 1821
Re: [Cooker] snort is crippled...
On Saturday, 1 February 2003 19:41, Florin wrote:
> there are conflicts between libnet-snmp50-devel-5.0.7-2mdk
> and libsnmp0-devel-4.2.3-4mdk from main ...

Yes I know this is happening on the file base level. I could not have the
net-snmp obsolete ucd-snmp as I believe that would have made the gendistrib(?)
stuff crazy on the mirrors. There is uncommented stuff in my net-snmp spec file
that fixes this rpm magic.

I think net-snmp could replace ucd-snmp now, there's not that many applications
to rebuild against it. But then this may be too late for 9.1. I tried to have
the ucd-snmp packager update to net-snmp in perfect timing just before 9.0, but
that never happened. This is why I packed net-snmp myself, as it's a totally
different name I could do it, so why not, so I did it ;)

> >Oden Eriksson <[EMAIL PROTECTED]> writes:
> >
> > Hi.
> >
> > I just remembered there's missing crucial stuff in the snort package.
> > This is very important, please get this right for 9.1
> >
> > Fix attached.
> >
> > Cheers.

--
Regards // Oden Eriksson, Deserve-IT.com
Re: [Cooker] snort is crippled...
there are conflicts between libnet-snmp50-devel-5.0.7-2mdk and
libsnmp0-devel-4.2.3-4mdk from main ...

>Oden Eriksson <[EMAIL PROTECTED]> writes:
> Hi.
>
> I just remembered there's missing crucial stuff in the snort package. This is
> very important, please get this right for 9.1
>
> Fix attached.
>
> Cheers.

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] snort is crippled...
On Saturday, 1 February 2003 18:47, Florin wrote:
> Oden Eriksson <[EMAIL PROTECTED]> writes:
> > Hi.
> >
> > I just remembered there's missing crucial stuff in the snort package.
> > This is very important, please get this right for 9.1
> >
> > Fix attached.
> >
> > Cheers.
>
> the last snort does not compile on the cluster ... I have to have a
> closer look :
>
> something like
>
> gcc -g -O2 -g -O2 -Wall -L/usr/lib -L/usr/lib -o snort codes.o debug.o
> decode.o log.o mstring.o parser.o plugbase.o snort.o snprintf.o strlcatu.o
> strlcpyu.o tag.o ubi_BinTree.o ubi_SplayTree.o util.o detect.o substr.o
> trie.o signature.o mempool.o sf_sdlist.o perf.o perf-flow.o perf-base.o
> perf-event.o threshold.o output-plugins/libspo.a detection-plugins/libspd.a
> preprocessors/libspp.a -lpcap -lm -lnsl -lssl -lcrypto -lsnmp
> /usr/lib/libsnmp.so: undefined reference to `des_cbc_encrypt'
> /usr/lib/libsnmp.so: undefined reference to `des_key_sched'
> /usr/lib/libsnmp.so: undefined reference to `des_ncbc_encrypt'
>
> or I might remove the snmp part for the moment

Or build it against my new net-snmp packages? It builds just fine on klama.

--
Regards // Oden Eriksson, Deserve-IT.com
Re: [Cooker] snort is crippled...
Oden Eriksson <[EMAIL PROTECTED]> writes:
> Hi.
>
> I just remembered there's missing crucial stuff in the snort package. This is
> very important, please get this right for 9.1
>
> Fix attached.
>
> Cheers.

the last snort does not compile on the cluster ... I have to have a closer
look :

something like

gcc -g -O2 -g -O2 -Wall -L/usr/lib -L/usr/lib -o snort codes.o debug.o
decode.o log.o mstring.o parser.o plugbase.o snort.o snprintf.o strlcatu.o
strlcpyu.o tag.o ubi_BinTree.o ubi_SplayTree.o util.o detect.o substr.o
trie.o signature.o mempool.o sf_sdlist.o perf.o perf-flow.o perf-base.o
perf-event.o threshold.o output-plugins/libspo.a detection-plugins/libspd.a
preprocessors/libspp.a -lpcap -lm -lnsl -lssl -lcrypto -lsnmp
/usr/lib/libsnmp.so: undefined reference to `des_cbc_encrypt'
/usr/lib/libsnmp.so: undefined reference to `des_key_sched'
/usr/lib/libsnmp.so: undefined reference to `des_ncbc_encrypt'

or I might remove the snmp part for the moment

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] snort is crippled...
On Wednesday, 29 January 2003 09:10, Sebastian Dransfeld wrote:
> On Wed, 2003-01-29 at 08:56, Oden Eriksson wrote:
> > Hi.
> >
> > I just remembered there's missing crucial stuff in the snort package.
> > This is very important, please get this right for 9.1
> >
> > Fix attached.
> >
> > Cheers.
>
> Use bzme for .gz -> .bz2

"bzme - recompress gziped, ziped, ... files into bzip2"

Ha ha ha, didn't know that ;)

Thanks for the tip!

--
Regards // Oden Eriksson, Deserve-IT.com
Re: [Cooker] snort is crippled...
On Wed, 2003-01-29 at 08:56, Oden Eriksson wrote:
> Hi.
>
> I just remembered there's missing crucial stuff in the snort package. This is
> very important, please get this right for 9.1
>
> Fix attached.
>
> Cheers.

Use bzme for .gz -> .bz2

--
Sebastian Dransfeld <[EMAIL PROTECTED]>
Re: [Cooker] snort-1.9
[EMAIL PROTECTED] (Oden Eriksson) writes:
> On Wednesday, 16 October 2002 12:06, Florin wrote:
> > [EMAIL PROTECTED] (Oden Eriksson) writes:
> > > Oct 16 13:59:48 localhost snort: FATAL ERROR: ERROR: Unable to open rules
> > > file: ../rules/bad-traffic.rules or /etc/snort/../rules/bad-traffic.r
> >
> > you'll have to adjust your snort.conf file
> >
> > one should remove the "../" part ...
>
> Yes I know, just wanted to report this.

the package is recompiling ... it will be uploaded in a few minutes ...

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] snort-1.9
On Wednesday, 16 October 2002 12:06, Florin wrote:
> [EMAIL PROTECTED] (Oden Eriksson) writes:
> > Oct 16 13:59:48 localhost snort: FATAL ERROR: ERROR: Unable to open rules
> > file: ../rules/bad-traffic.rules or /etc/snort/../rules/bad-traffic.r
>
> you'll have to adjust your snort.conf file
>
> one should remove the "../" part ...

Yes I know, just wanted to report this.

--
Regards // Oden Eriksson - Deserve-IT Networks
http://d-srv.com
Check the "Modules For Apache2" status page at:
http://d-srv.com/modules_for_apache2.html
Re: [Cooker] snort-1.9
[EMAIL PROTECTED] (Oden Eriksson) writes:
> Oct 16 13:59:48 localhost snort: FATAL ERROR: ERROR: Unable to open rules
> file: ../rules/bad-traffic.rules or /etc/snort/../rules/bad-traffic.r

you'll have to adjust your snort.conf file

one should remove the "../" part ...

I might rebuild the packages and remove it myself ...

cheers,

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
Re: [Cooker] snort and alternatives?
[EMAIL PROTECTED] (Borsenkow Andrej) writes:
> Any reason (except time, I know) to not replace this with alternatives?
>
> 0ost plain+flexresp
>

... because there are no priorities on these packages and the post code has
quite the same length. The packages are almost independent ... alternatives
wouldn't do any harm though ..

--
Florin
http://www.mandrakesoft.com
Re: [Cooker] snort update error
[EMAIL PROTECTED] (RA) writes:
> In my snortd (and in original one too):
> INTERFACE=eth0
> and PID file is
> /var/run/snort_eth0.pid
>

you're right and this is the actual case for mandrake snort packages.

> and not snort.pid. So snortd is started in multiple instances when changing
> runlevel e.g. from 3 to 5.

my mistake, I was thinking about the snort lock file in /var/lock/subsys/snort

so, without running snort twice, only by changing levels from say 3 to 5 one
will find two instances of snort ?

> > I don't get it here ... what do you mean by that ?
> > snort is the name of the initscript ... what will do INTERFACE here ?
> >
> > > And what about
> > modify it e.g. for snort-mysql
> >
> > ok for this one, fair enough
>

--
Florin
http://www.mandrakesoft.com
Re: [Cooker] snort update error
On Monday, 18. February 2002 17:26, you wrote:
> [EMAIL PROTECTED] (RA) writes:
> > In my snortd (and in original one too):
> > INTERFACE=eth0
> >
> > and PID file is
> > /var/run/snort_eth0.pid
>
> you're right and this is the actual case for mandrake snort packages.
>
> > and not snort.pid. So snortd is started in multiple instances when
> > changing runlevel e.g. from 3 to 5.
>
> my mistake, I was thinking about the snort lock file in
> /var/lock/subsys/snort
>
> so, without running snort twice, only by changing levels from say 3 to 5
> one will find two instances of snort ?

Indeed!

> > > I don't get it here ... what do you mean by that ?
> > > snort is the name of the initscript ... what will do INTERFACE here ?
> > >
> > > > And what about
> > > modify it e.g. for snort-mysql
> > >
> > > ok for this one, fair enough
Re: [Cooker] snort update error
On Monday, 18. February 2002 16:37, you wrote:
> [EMAIL PROTECTED] (RA) writes:
> > On Monday, 18. February 2002 16:56, you wrote:
> > > [root@cooker bor]# urpmi snort
> > > installing
> > > /home/bor/dist/cooker/i586/Mandrake/RPMS/snort-1.8.3-1mdk.i586.rpm
> > > Preparing...
> > > ##
> > > snort
> > > ##
> > > ln: `/usr/sbin/snort': File exists
> > >
> > > -andrej
> >
> > and another one: Could the init script be changed to recognize the PID file
> > correctly,
> > i.e.: daemon --check=snort_$INTERFACE ...

In my snortd (and in original one too):
INTERFACE=eth0

and PID file is
/var/run/snort_eth0.pid

and not snort.pid. So snortd is started in multiple instances when changing
runlevel e.g. from 3 to 5.

> I don't get it here ... what do you mean by that ?
> snort is the name of the initscript ... what will do INTERFACE here ?
>
> > And what about
> modify it e.g. for snort-mysql
>
> ok for this one, fair enough
Re: [Cooker] snort update error
[EMAIL PROTECTED] (RA) writes:
> On Monday, 18. February 2002 16:56, you wrote:
> > [root@cooker bor]# urpmi snort
> > installing
> > /home/bor/dist/cooker/i586/Mandrake/RPMS/snort-1.8.3-1mdk.i586.rpm
> > Preparing...
> > ##
> > snort
> > ##
> > ln: `/usr/sbin/snort': File exists
> >
> > -andrej
>
> and another one: Could the init script be changed to recognize the PID file
> correctly,
> i.e.: daemon --check=snort_$INTERFACE ...

I don't get it here ... what do you mean by that ?
snort is the name of the initscript ... what will do INTERFACE here ?

> > And what about
> modify it e.g. for snort-mysql
>

ok for this one, fair enough

--
Florin
http://www.mandrakesoft.com
Re: [Cooker] snort update error
On Monday, 18. February 2002 16:56, you wrote:
> [root@cooker bor]# urpmi snort
> installing
> /home/bor/dist/cooker/i586/Mandrake/RPMS/snort-1.8.3-1mdk.i586.rpm
> Preparing...
> ##
> snort
> ##
> ln: `/usr/sbin/snort': File exists
>
> -andrej

and another one: Could the init script be changed to recognize the PID file
correctly, i.e.: daemon --check=snort_$INTERFACE ...

And what about %config(noreplace) for init.d/snortd, because you have to
modify it e.g. for snort-mysql
Re: [Cooker] snort
On Friday, 16 November 2001 13:14, Florin wrote:
> [EMAIL PROTECTED] (Oden Eriksson) writes:
> > Well, I thought it would be nice to have a new "/etc/sysconfig/snort"
> > file, instead of making the softlinks in "/usr/sbin/*". Very much like
> > the other config files in "/etc/sysconfig/*" for the daemons.
> >
> > A bad idea?
>
> The snort conf file does not deal with the binary ... but the initscript
> does. The /etc/snort/conf file will be the same for all cases.
> Of course, one could use an /etc/sysconfig/snort file with a contents
> like:
>
> BINARY="snort-bloat" and then use that in the initscript with
> daemon /usr/sbin/$BINARY -u snort -g snort -s -d -D \ ...
>
> or, we could extend that even for the snort config file used and use a
> different conf file in /etc/sysconfig/snort ...
>
> so, in the post section of every package one should parse and update the
> /etc/sysconfig/snort file ...
>
> I think it's more complicated than the actual case when one uses only one
> config file and we only replace actual links in post section ...
>
> just my thoughts ...

Yeah, you're right. A bad idea.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Oden Eriksson, Deserve-IT Networks, Jokkmokk, Sweden.
| Mandrake Linux release 8.2 (Cooker) for i586
| Current uptime with kernel 2.4.13-7mdksmp: 5 hours 6 minutes
| cpu0 @ 814.28 bm, fan 4192 rpm, temp +33.0°C
| cpu1 @ 815.92 bm, fan 4141 rpm, temp +32°C
Re: [Cooker] snort
[EMAIL PROTECTED] (Oden Eriksson) writes:
> Well, I thought it would be nice to have a new "/etc/sysconfig/snort" file,
> instead of making the softlinks in "/usr/sbin/*". Very much like the other
> config files in "/etc/sysconfig/*" for the daemons.
>
> A bad idea?

The snort conf file does not deal with the binary ... but the initscript
does. The /etc/snort/conf file will be the same for all cases.
Of course, one could use an /etc/sysconfig/snort file with a contents like:

BINARY="snort-bloat" and then use that in the initscript with
daemon /usr/sbin/$BINARY -u snort -g snort -s -d -D \ ...

or, we could extend that even for the snort config file used and use a
different conf file in /etc/sysconfig/snort ...

so, in the post section of every package one should parse and update the
/etc/sysconfig/snort file ...

I think it's more complicated than the actual case when one uses only one
config file and we only replace actual links in post section ...

just my thoughts ...

--
Florin
http://www.mandrakesoft.com
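An added example, not the Mandrake snortd script or anything posted in this thread, of the initscript shape sketched here together with the pid-file point raised in the "snort update error" exchange above: it reads INTERFACE and BINARY from a sysconfig file (the /etc/sysconfig/snort path is the thread's proposal, treated as a hypothetical file), checks the interface-specific /var/run/snort_<iface>.pid for a live process, and refuses to start a second snort on a runlevel change. PIDDIR, SYSCONFIG and the function names are assumptions; the daemon call is left as a comment so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not the Mandrake snortd script): start helper that reads
# INTERFACE and BINARY from a sysconfig file (hypothetical path, as proposed
# in the thread) and refuses to start a second snort when the
# interface-specific pid file /var/run/snort_<iface>.pid names a live process.

SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/snort}"   # hypothetical file
PIDDIR="${PIDDIR:-/var/run}"

# Defaults, overridden by the sysconfig file when it exists.
INTERFACE=eth0
BINARY=snort

load_sysconfig() {
    if [ -r "$SYSCONFIG" ]; then
        . "$SYSCONFIG"
    fi
}

# Pid file snort writes for a given interface (snort_eth0.pid for eth0),
# i.e. what daemon --check=snort_$INTERFACE would have to look at.
snort_pidfile() {
    echo "$PIDDIR/snort_$1.pid"
}

# Succeeds only if the pid file exists and names a process that is alive.
# A stale file left by a crashed snort must not block a restart.
snort_running() {
    pidfile=$(snort_pidfile "$1")
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Prints the command line that would be started, or "already-running" and
# fails, so a second "snortd start" (e.g. runlevel 3 -> 5) is a no-op.
start_snort() {
    load_sysconfig
    if snort_running "$INTERFACE"; then
        echo "already-running"
        return 1
    fi
    # daemon /usr/sbin/$BINARY -u snort -g snort -s -d -D -i $INTERFACE
    echo "/usr/sbin/$BINARY -i $INTERFACE"
}
```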
Re: [Cooker] snort
On Friday, 16 November 2001 10:46, Florin wrote:
> [EMAIL PROTECTED] (Oden Eriksson) writes:
> > I like this modular approach very much (credits to you), but wouldn't it
> > be much better and simpler to introduce a new "/etc/sysconfig/snort"
> > file, stating what to fire up, when running "/etc/rc.d/init.d/snortd
> > start"?
> >
> > I think this makes much more sense, or? ie, a new
> > "/etc/rc.d/init.d/snortd" and "/etc/sysconfig/snort" file.
> >
> > Do I make sense here?
>
> Hello,
>
> I wasn't the one who created this modular approach. I simply followed the
> direction taken by the original web site.
>
> One should use only one type of binary, for example snort-plain-flexresp.
> The initscript and the config file is the same: why change it ?

Well, I thought it would be nice to have a new "/etc/sysconfig/snort" file,
instead of making the softlinks in "/usr/sbin/*". Very much like the other
config files in "/etc/sysconfig/*" for the daemons.

A bad idea?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Oden Eriksson, Deserve-IT Networks, Jokkmokk, Sweden.
| Mandrake Linux release 8.2 (Cooker) for i586
| Current uptime with kernel 2.4.13-7mdksmp: 2 hours 11 minutes
| cpu0 @ 814.28 bm, fan 4166 rpm, temp +29.0°C
| cpu1 @ 815.92 bm, fan 4141 rpm, temp +29°C
Re: [Cooker] snort
[EMAIL PROTECTED] (Oden Eriksson) writes:
> I like this modular approach very much (credits to you), but wouldn't it be
> much better and simpler to introduce a new "/etc/sysconfig/snort" file,
> stating what to fire up, when running "/etc/rc.d/init.d/snortd start"?
>
> I think this makes much more sense, or? ie, a new "/etc/rc.d/init.d/snortd"
> and "/etc/sysconfig/snort" file.
>
> Do I make sense here?

Hello,

I wasn't the one who created this modular approach. I simply followed the
direction taken by the original web site.

One should use only one type of binary, for example snort-plain-flexresp.
The initscript and the config file is the same: why change it ?

cheers,

--
Florin
http://www.mandrakesoft.com
Re: [Cooker] snort
On Thursday, 15 November 2001 17:13, Florin wrote:
> [EMAIL PROTECTED] (Oden Eriksson) writes:
> > Hmm, it seems this is not working..., or is it the "rpm -Uvh snort-*"
> > thing?
> >
> > rpm -Uvh snort-*
> > Preparing...                ### [100%]
> >    1:snort                  ### [ 11%]
> > ln: `/usr/sbin/snort': File exists
> > Stopping snort:                                     [FAILED]
> >    2:snort-bloat            ### [ 22%]
> >    3:snort-mysql+flexresp   ### [ 33%]
> >    4:snort-mysql            ### [ 44%]
> >    5:snort-plain+flexresp   ### [ 55%]
> >    6:snort-postgresql+flexre### [ 66%]
> >    7:snort-postgresql       ### [ 77%]
> >    8:snort-snmp+flexresp    ### [ 88%]
> >    9:snort-snmp             ### [100%]
> >
> > /etc/rc.d/init.d/snortd start
> > Starting snort: execvp: No such file or directory
> >                                                     [FAILED]
>
> oups,
>
> I forgot to do a ln -sf in post (I forgot the f to be more precise) ...
>
> the new snort creates links to some binaries: make sure you have
> /usr/sbin/snort, if not create a link like ln -sf /usr/sbin/snort-bloat
> /usr/sbin/snort or to the one you want.

I like this modular approach very much (credits to you), but wouldn't it be
much better and simpler to introduce a new "/etc/sysconfig/snort" file,
stating what to fire up, when running "/etc/rc.d/init.d/snortd start"?

I think this makes much more sense, or? ie, a new "/etc/rc.d/init.d/snortd"
and "/etc/sysconfig/snort" file.

Do I make sense here?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Oden Eriksson, Deserve-IT Networks, Jokkmokk, Sweden.
| Mandrake Linux release 8.2 (Cooker) for i586
| Current uptime with kernel 2.4.13-7mdksmp: 20 hours 49 minutes
| cpu0 @ 814.28 bm, fan 4090 rpm, temp +31.0°C
| cpu1 @ 815.92 bm, fan 4166 rpm, temp +30°C
Re: [Cooker] snort
[EMAIL PROTECTED] (Oden Eriksson) writes:
> Hmm, it seems this is not working..., or is it the "rpm -Uvh snort-*" thing?
>
> rpm -Uvh snort-*
> Preparing...                ### [100%]
>    1:snort                  ### [ 11%]
> ln: `/usr/sbin/snort': File exists
> Stopping snort:                                     [FAILED]
>    2:snort-bloat            ### [ 22%]
>    3:snort-mysql+flexresp   ### [ 33%]
>    4:snort-mysql            ### [ 44%]
>    5:snort-plain+flexresp   ### [ 55%]
>    6:snort-postgresql+flexre### [ 66%]
>    7:snort-postgresql       ### [ 77%]
>    8:snort-snmp+flexresp    ### [ 88%]
>    9:snort-snmp             ### [100%]
>
> /etc/rc.d/init.d/snortd start
> Starting snort: execvp: No such file or directory
>                                                     [FAILED]

oups,

I forgot to do a ln -sf in post (I forgot the f to be more precise) ...

the new snort creates links to some binaries: make sure you have
/usr/sbin/snort, if not create a link like ln -sf /usr/sbin/snort-bloat
/usr/sbin/snort or to the one you want.

cheers,

--
Florin
http://www.mandrakesoft.com
Re: [Cooker] snort - requires postgresql?
[EMAIL PROTECTED] (RA) writes:
> On Wednesday, 29. August 2001 10:00, you wrote:
> > [EMAIL PROTECTED] (Alexander Skwar) writes:
> > > Hi!
> > >
> > > Why does snort require postgresql-libs?
> > >
> > > [root@teich root]# urpmi snort
> > > To satisfy dependencies, the following packages are going to be
> > > installed (1 MB):
> > > libpcap0-0.6.2-1mdk snort-1.8p1-1mdk postgresql-libs-7.1.2-11mdk
> >
> > Hello,
> >
> > ... because it has a plugin that is able to send attack results to a
> > database and this plugin is activated as default.
>
> and you could use mysql (as I do). So you have to recompile. - Or a deluxe
> version: someone makes two packages ;-)
>
> BTW: you should upgrade - even if it is only contrib!
> From snort.org: 1.8.1-RELEASE -- Description: This version fixes all of the
> outstanding bugs from the 1.8 release and is far more stable than that
> release.
>
> > cheers,
>

florin@my ~ $ rpm -qpi /contrib/RPMS/snort-1.8p1-1mdk.i586.rpm
Name        : snort                        Relocations: /usr
Version     : 1.8p1                             Vendor: MandrakeSoft
Release     : 1mdk                          Build Date: Fri Aug 10 16:28:08 2001
Install date: (not installed)               Build Host: bi.mandrakesoft.com
Group       : Networking/Other              Source RPM: snort-1.8p1-1mdk.src.rpm
Size        : 744631                           License: GPL
Packager    : Florin <[EMAIL PROTECTED]>
URL         : http://www.snort.org
Summary     : packet-sniffer/logger
Description :
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based
logging and can perform protocol analysis, content searching/matching and
can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more.

Snort has a real-time alerting capabilty, with alerts being sent to syslog,
a separate "alert" file, or as a WinPopup message via Samba's smbclient

florin@my ~ $ rpm -qpR /contrib/RPMS/snort-1.8p1-1mdk.i586.rpm
libpcap >= 0.4
/bin/sh
/bin/sh
/bin/sh
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
ld-linux.so.2
libc.so.6
libcrypt.so.1
libcrypto.so.0
libdl.so.2
libm.so.6
libmysqlclient.so.10
libnsl.so.1
libpcap.so.0
libpq.so.2
libresolv.so.2
libssl.so.0
libz.so.1
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libm.so.6(GLIBC_2.0)

so,

--
Florin
http://www.mandrakesoft.com
Re: [Cooker] snort - requires postgresql?
On Wednesday, 29. August 2001 10:00, you wrote:
> [EMAIL PROTECTED] (Alexander Skwar) writes:
> > Hi!
> >
> > Why does snort require postgresql-libs?
> >
> > [root@teich root]# urpmi snort
> > To satisfy dependencies, the following packages are going to be
> > installed (1 MB):
> > libpcap0-0.6.2-1mdk snort-1.8p1-1mdk postgresql-libs-7.1.2-11mdk
>
> Hello,
>
> ... because it has a plugin that is able to send attack results to a
> database and this plugin is activated as default.

and you could use mysql (as I do). So you have to recompile. - Or a deluxe
version: someone makes two packages ;-)

BTW: you should upgrade - even if it is only contrib!
From snort.org: 1.8.1-RELEASE -- Description: This version fixes all of the
outstanding bugs from the 1.8 release and is far more stable than that
release.

> cheers,
Re: [Cooker] snort - requires postgresql?
[EMAIL PROTECTED] (Alexander Skwar) writes:
> Hi!
>
> Why does snort require postgresql-libs?
>
> [root@teich root]# urpmi snort
> To satisfy dependencies, the following packages are going to be
> installed (1 MB):
> libpcap0-0.6.2-1mdk snort-1.8p1-1mdk postgresql-libs-7.1.2-11mdk

Hello,

... because it has a plugin that is able to send attack results to a
database and this plugin is activated as default.

cheers,

--
Florin
http://www.mandrakesoft.com