Send Snort-users mailing list submissions to
snort...@lists.sourceforge.net
Today's Topics:
1. Re: May be wrong error msg (waldo kitty)
2. Re: May be wrong error msg (Balasubramaniam Natarajan)
3. Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode (Jutichai Thongkrachai)
4. Tcp session hijacking (Meysam Farazmand)
5. Re: Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode (waldo kitty)
6. Re: Tcp session hijacking (waldo kitty)
7. Snort Blog: Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules (Joel Esler (jesler))
---------- Forwarded message ----------
From: waldo kitty <wkit...@windstream.net>
To: snort...@lists.sourceforge.net
Cc:
Date: Sat, 16 Aug 2014 13:23:59 -0400
Subject: Re: [Snort-users] May be wrong error msg
On 8/16/2014 2:54 AM, Balasubramaniam Natarajan wrote:
Hi
While installing snort, I included a particular rule in its conf file. Later
when I ran snort against a pcap I found that snort's error message was not
completely correct (Or my understanding about it is wrong) about pointing the
absolute RULE_PATH. Attached is a screenshot for your reference.
snort automatically adds etc/ to paths when it cannot access the specified file... are your permissions correct for the file in question so that snort can load it??
--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
---------- Forwarded message ----------
From: Balasubramaniam Natarajan <bala1...@gmail.com>
To: waldo kitty <wkit...@windstream.net>
Cc: "snort...@lists.sourceforge.net" <snort...@lists.sourceforge.net>
Date: Sat, 16 Aug 2014 23:31:13 +0530
Subject: Re: [Snort-users] May be wrong error msg
On Sat, Aug 16, 2014 at 10:53 PM, waldo kitty <wkit...@windstream.net> wrote:
snort automatically adds etc/ to paths when it cannot access the specified
file... are your permissions correct for the file in question so that snort can
load it??
Well, I figured out that there was no file with that name in the rules directory, and I had removed that rule line from the snort.conf file. However, why would snort add /sec/snort/etc/ to the path? Without it I could have spotted the error more easily. Does it signify the place from where my conf file is getting loaded? If yes, I would not understand the reason for that.
---------- Forwarded message ----------
From: Jutichai Thongkrachai <thsec...@gmail.com>
To: snort...@lists.sourceforge.net
Cc:
Date: Sun, 17 Aug 2014 14:10:49 +0700
Subject: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode
Hello
I would like to turn on Sniffer mode of Snort 2.9.6 on CentOS 7 but I got the error below:
------------------------------------------------
./snort -v
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "nflog".
ERROR: Cannot decode data link type 239
Fatal Error, Quitting..
-------------------------------------------------
Please help.
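The capture source in the output above is "nflog", whose link-layer type 239 is DLT_NFLOG in libpcap, and stock Snort 2.9 has no decoder for that type. As an added example that is not part of this thread, the Python below reads the link-layer type out of a pcap global header and reports whether Snort's decoder would accept it; the set of decodable types is an assumption covering only the common loopback, Ethernet and Linux cooked-capture cases.

```python
import struct

# Link-layer header types as numbered in libpcap's pcap/dlt.h.
DLT_NAMES = {
    0: "NULL (BSD loopback)",
    1: "EN10MB (Ethernet)",
    113: "LINUX_SLL (Linux cooked capture)",
    239: "NFLOG (Linux netfilter log)",
}

# Link types the stock Snort 2.9 decoder handles when fed by the pcap DAQ.
# Assumption for this example: only the common loopback/Ethernet/cooked types.
SNORT_DECODABLE = {0, 1, 113}


def pcap_link_type(header: bytes) -> int:
    """Return the link-layer type from a 24-byte pcap global header.

    Accepts little- and big-endian magic, including the nanosecond variants.
    """
    if len(header) < 24:
        raise ValueError("need at least 24 bytes of pcap global header")
    magic = header[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic number")
    # Fields after the magic: version_major, version_minor, thiszone,
    # sigfigs, snaplen, network (the DLT value we want).
    fields = struct.unpack(endian + "HHiIII", header[4:24])
    return fields[5]


def diagnose(header: bytes) -> str:
    """Say whether Snort's decoder would accept this capture's link type."""
    dlt = pcap_link_type(header)
    name = DLT_NAMES.get(dlt, "unknown")
    if dlt in SNORT_DECODABLE:
        return f"link type {dlt} ({name}): decodable by snort"
    return (f"link type {dlt} ({name}): snort would stop with "
            f"'ERROR: Cannot decode data link type {dlt}'")


def make_header(dlt: int, little_endian: bool = True) -> bytes:
    """Constructed pcap global header for testing (not a real capture)."""
    endian = "<" if little_endian else ">"
    return struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)
```

A live interface reports the same DLT numbers, so pointing Snort at an Ethernet interface with -i instead of letting it pick the first pseudo-interface gives the decoder a type 1 source.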
---------- Forwarded message ----------
From: Meysam Farazmand <farazman...@gmail.com>
To: snort...@lists.sourceforge.net
Cc:
Date: Sun, 17 Aug 2014 14:07:51 +0430
Subject: [Snort-users] Tcp session hijacking
Hi all,
I used "check_session_hijacking" in the stream5 preprocessor for session hijacking attack detection and launched a mitm attack. But snort did not detect it. I also checked the preprocessor rules for detecting this type of attack, and there were some rules in my ruleset.
Does anyone know how to configure snort to detect session hijacking and mitm attacks?
---------- Forwarded message ----------
From: waldo kitty <wkit...@windstream.net>
To: snort...@lists.sourceforge.net
Cc:
Date: Sun, 17 Aug 2014 12:52:55 -0400
Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode
On 8/17/2014 3:10 AM, Jutichai Thongkrachai wrote:
------------------------------------------------
./snort -v
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "nflog".
ERROR: Cannot decode data link type 239
Fatal Error, Quitting..
-------------------------------------------------
is this self compiled or a binary you downloaded from somewhere?
---------- Forwarded message ----------
From: waldo kitty <wkit...@windstream.net>
To: snort...@lists.sourceforge.net
Cc:
Date: Sun, 17 Aug 2014 12:55:48 -0400
Subject: Re: [Snort-users] Tcp session hijacking
On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
Hi all,
I used "check_session_hijacking" in stream5 preprocessor for session hijacking
attacks detection and launched a mitm attack. But snort did not detect it.
session hijacking and mitm are not the same...
session hijacking is where you take over or continue with someone's existing or previous session...
mitm is where you are in the middle and have valid sessions with both parties and pass their traffic across while doing what you want with it in the middle...
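On the hijacking side of that distinction: stream5's check_session_hijacking validates the MAC addresses seen for both sides of a session during the three-way handshake against later packets on that session, and alerts when one changes. The Python below is an added example, not Snort's code, that reproduces that check over constructed packet records; it also shows the caveat that a session picked up midstream has no handshake MACs to compare against, so the check stays silent there.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str
    flags: str  # "S", "SA", "A" or "PA"

def session_key(p: Packet) -> Tuple:
    """Order the endpoints so both directions map to the same session."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)

class HijackTracker:
    """Learn each endpoint's MAC from the 3-way handshake, then flag any later
    packet on that session whose sender MAC differs from the learned one."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple, Dict[Tuple[str, int], str]] = {}

    def process(self, p: Packet) -> Optional[str]:
        key, ep = session_key(p), (p.src_ip, p.src_port)
        macs = self.sessions.get(key)
        if macs is None:
            if p.flags == "S":  # new session: record the client's MAC
                self.sessions[key] = {ep: p.src_mac}
            return None  # otherwise a midstream pickup: nothing to compare against
        if p.flags == "SA":  # server's half of the handshake: record its MAC
            macs.setdefault(ep, p.src_mac)
        expected = macs.get(ep)
        if expected is not None and expected != p.src_mac:
            return (f"session hijacking: {p.src_ip}:{p.src_port} sent from "
                    f"{p.src_mac}, handshake recorded {expected}")
        return None

def run(packets: List[Packet]) -> List[str]:
    tracker = HijackTracker()
    return [a for a in (tracker.process(p) for p in packets) if a]

# Constructed sample (not captured traffic): a normal handshake and data, then
# a segment claiming the client's IP/port but sent from a third MAC.
C, S, X = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:99"
SAMPLE = [
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, C, "S"),
    Packet("10.0.0.9", 80, "10.0.0.5", 40000, S, "SA"),
] + [Packet("10.0.0.5", 40000, "10.0.0.9", 80, m, f) for m, f in ((C, "A"), (C, "PA"), (X, "PA"))]
```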
---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jes...@cisco.com>
To: snort-sigs <snort...@lists.sourceforge.net>, snort-devel mailinglist <snort...@lists.sourceforge.net>, snort-users <snort...@lists.sourceforge.net>, "snort-o...@lists.sourceforge.net" <snort-o...@lists.sourceforge.net>
Cc:
Date: Mon, 18 Aug 2014 17:52:30 +0000
Subject: [Snort-users] Snort Blog: Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules
Snort Subscriber Ruleset: Re-categorization of the Shared Object Rules
In 2012, the VRT (now Talos) performed a massive restructuring of the plaintext ruleset from the old category structure to a new category structure. Since then we've received overwhelmingly positive feedback about them, so we will continue the effort by moving the Shared Object Rules into a similar category structure.
Read more here:
http://blog.snort.org/2014/08/snort-subscriber-ruleset-re.html
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos