I am running macOS Sierra 10.12.3
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.12.3
BuildVersion: 16D32
I have installed snort using homebrew
$ brew install snort
$ brew ls --versions snort
snort 2.9.9.0
I am running snort and with a user config file, -s syslog switch, and a tcpdump-file
$ sudo snort -c /etc/snort/snort.conf -s -r tcpdump.pcap
my /etc/snort/snort.conf file has the following output settings:
output alert_syslog: LOG_AUTH LOG_ALERT
When I execute,a blank file gets created at /var/log/snort/snort.log.1489953549
I know that my rules are working, because if I execute snort with an alert-mode of fast
$ sudo snort -c /etc/snort/snort.conf -A fast -r tcpdump.pcap
a new blank /var/log/snort/snort.log.1489954258 is created, but a /var/log/snort/alert log file is also created, which contains the correct alert outputs.
I have seen others run into this issue because of permissions, but I don't believe that is my problem given that I am running snort as sudo and it is able to write to the alert log just fine.
I also do not have $NO_PACKET_LOG as far as I can tell. reference
It looks like brew installed some default snort config files under /usr/local/etc/snort, but I don't think that these are affecting me because I am using the -c switch to supply a user config file.
DISCLAIMER: This is my first time using snort, so it could be something very obvious that I am missing. Any and all help is much appreciated.
TL;DR
Use tcpdump, snort, tshark, or Wireshark to read snort log files (how to view snort log files)
$ sudo tcpdump -r snort.log.1489953549
My empty log file was never actually empty (note file sizes from ls)
$ ls -ltr /var/log/snort/
-rw------- 1 root admin 56018718 Mar 19 15:03 snort.log.1489954258
-rw------- 1 root admin 56018718 Mar 19 15:11 snort.log.1489953549
-rw-r--r-- 1 root admin 70202224 Mar 19 15:11 alert
Snort log files must be read using the correct application
What type of file is it?
$ sudo file snort.log.1489953549
snort.log.1489953549: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
Read the file with tcpdump
$ sudo tcpdump -r snort.log.1489954258
06:54:16.654692 IP 192.168.5.81.amt-blc-port > 100.100.100.212.6667: Flags [P.], seq 1304973037:1304973067, ack 1425084530, win 8011, options [nop,nop,TS val 14215752 ecr 2196036272], length 30
...
Related
I'm on a mac am trying to install elasticdump. It is also worth noting that I am using zsh, but am getting the equivalent error described below when switching over to bash.
I just re-installed npm from scratch and am now using 6.12.0. After this, I ran npm install elasticdump -g which appears to have worked just fine.
$ which elasticdump
/usr/local/bin/elasticdump
It appears I am still having the same issue I was having before I tried re-installing everything.
I can run elasticdump directly with no issues. It tells me I need an input and an output as I would expect.
$ elasticdump
Sat, 09 Nov 2019 04:52:40 GMT | Error Emitted => {"errors":["`input` is a required input","`output` is a required input"]}
I can even run it with --help.
$ elasticdump --help
elasticdump: Import and export tools for elasticsearch
version: 6.15.7
...
But when I add an input and output, things fall apart!
$ elasticdump \
--input /Users/slant/Desktop/data.json \
--output http://localhost:9200/companies \
--type data
zsh: command not found: elasticdump
And in bash:
$ elasticdump \
> --input /Users/slant/Desktop/data.json \
> --output http://localhost:9200/companies \
> --type data
bash: elasticdump : command not found
I'm completely baffled as to how adding specific flags causes it to become completely inaccessible! Any help at all would be greatly appreciated.
Edit: In case anyone requests this:
$ ls -la /usr/local/bin/elasticdump
lrwxr-xr-x 1 slant admin 47 Oct 1 20:42 /usr/local/bin/elasticdump -> ../lib/node_modules/elasticdump/bin/elasticdump
Accessing the binary through the file directly behaves exactly the same way as using just elasticdump by itself.
Updated, for clarification.
/usr/local/lib/node_modules/elasticdump/bin/elasticdump
Sat, 09 Nov 2019 18:40:56 GMT | Error Emitted => {"errors":["`input` is a required input","`output` is a required input"]}
$ /usr/local/lib/node_modules/elasticdump/bin/elasticdump \
--input /Users/ryan/Desktop/data.json \
--output http://localhost:9200/companies \
--type data
zsh: no such file or directory: /usr/local/lib/node_modules/elasticdump/bin/elasticdump
Using Windows, I installed Rakudo Star and Git and ensured that C:\rakudo\bin and C:\rakudo\share\perl6\site\bin are in my Path environment variable.
Now, typing perl6 inside Git Bash afterwards gives the command not found error, while the command does work inside powershell and cmd. Typing echo $PATH inside Git Bash confirms again that the folders above are in my path variable here as well.
How can I get the perl6 command working inside Git Bash?
Note: Using moar (moar.exe) which resides in the same folder as perl6 works as well in Git Bash. Also hitting Tab show the autocomplete suggestion for moar, it does not do that for perl6.
Bash doesn't run Windows batch files, so you'll have to work around that.
An easy solution might be to add something like this you your .bashrc:
alias perl6='cmd /c perl6.bat'
Alternatively, you can convert perl6.bat to a shell script and put it somewhere in your $PATH.
I use the following:
#!/bin/sh
PATH=/cygdrive/c/rakudo/bin:/cygdrive/c/rakudo/share/perl6/site/bin:$PATH
unset HOME
moar --execname="$0" \
--libpath='C:\rakudo\share\nqp\lib' \
--libpath='C:\rakudo\share\perl6\lib' \
--libpath='C:\rakudo\share\perl6\runtime' \
'C:\rakudo\share\perl6\runtime\perl6.moarvm' \
"$#"
This is using Cygwin; you may need to adapt it a bit for Git bash (I don't know, no experience with it).
Alternatively, if you're using Windows 10, I can recommend installing WSL, and using perl6 in a WSL bash prompt instead. This runs much smoother for me than the Windows version under Cygwin.
I tried to install perl6 from the link you provided and I can confirm the same behavior on Cygwin on Windows 10.
If I type in the Cygwin terminal window:
$ perl6
-bash: perl6: command not found
$ echo $PATH
/usr/local/bin:/usr/bin:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/WINDOWS/System32/WindowsPowerShell/v1.0:/cygdrive/c/WINDOWS/System32/OpenSSH:/cygdrive/c/Users/Bruker/AppData/Local/Microsoft/WindowsApps:/cygdrive/c/rakudo/bin:/cygdrive/c/rakudo/share/perl6/site/bin
$ cd /cygdrive/c/rakudo/bin
$ ls -l
-rwxrwx---+ 1 SYSTEM SYSTEM 930663 May 11 2017 libgcc_s_seh-1.dll
-rwxrwx---+ 1 SYSTEM SYSTEM 136146 Mar 30 20:55 libmoar.dll.a
-rwxrwx---+ 1 SYSTEM SYSTEM 56978 May 11 2017 libwinpthread-1.dll
-rwxrwx---+ 1 SYSTEM SYSTEM 7021172 Mar 30 20:55 moar.dll
-rwxrwx---+ 1 SYSTEM SYSTEM 64066 Mar 30 20:55 moar.exe
-rwxrwx---+ 1 SYSTEM SYSTEM 126 Mar 30 20:56 nqp.bat
-rwxrwx---+ 1 SYSTEM SYSTEM 126 Mar 30 20:56 nqp-m.bat
-rwxrwx---+ 1 SYSTEM SYSTEM 242 Mar 30 20:56 perl6.bat
-rwxrwx---+ 1 SYSTEM SYSTEM 248 Mar 30 20:56 perl6-debug-m.bat
-rwxrwx---+ 1 SYSTEM SYSTEM 242 Mar 30 20:56 perl6-m.bat
$ cat perl6.bat
# "C:\rakudo\bin\moar" --execname="%~dpf0" --libpath="C:\rakudo\share\nqp\lib" --libpath="C:\rakudo\share\nqp\lib" --libpath="C:\rakudo\share/perl6/lib" --libpath="C:\rakudo\share/perl6/runtime" C:\rakudo\share\perl6\runtime\perl6.moarvm %*
Notice that the paths in the bat file are not cygwin paths. So that might explain why it does not work..
For example:
$ "C:\rakudo\bin\moar"
-bash: C:\rakudo\bin\moar: command not found
$ /cygdrive/c/rakudo/bin/moar
ERROR: Missing input file.
USAGE: moar [--crash] [--libpath=...] input.moarvm [program args]
moar --dump input.moarvm
moar --help
[...]
Update:
I also tried install Git Bash, and then from the MINGW64 terminal window:
$ echo $PATH
/c/Users/Bruker/bin:/mingw64/bin:/usr/local/bin:/usr/bin:/bin:/mingw64/bin:/usr/bin:/c/Users/Bruker/bin:/c/WINDOWS/system32:/c/WINDOWS:/c/WINDOWS/System32/Wbem:/c/WINDOWS/System32/WindowsPowerShell/v1.0:/c/WINDOWS/System32/OpenSSH:/c/Users/Bruker/AppData/Local/Microsoft/WindowsApps:/usr/bin/vendor_perl:/usr/bin/core_perl
$ PATH=/c/rakudo/bin:$PATH
$ perl6
bash: perl6: command not found
$ moar
ERROR: Missing input file.
USAGE: moar [--crash] [--libpath=...] input.moarvm [program args]
moar --dump input.moarvm
moar --help
[...]
Note that moar is an .exe file while perl6 is a .bat file.
Also it seems perl6 is not "offical" for Cygwin yet according to this issue.
I installed Puppeteer to use it in the generation of pdf / minuatures, but I can not activate and configure Chrome Linux Sandbox. Always the same error message :
(node:46) UnhandledPromiseRejectionWarning: Error: Failed to launch chrome!
[1208/055442.253403:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
I followed the steps mentioned in the official documentation, but without success
# cd to the downloaded instance
cd <project-dir-path>/node_modules/puppeteer/.local-chromium/linux-<revision>/chrome-linux/
sudo chown root:root chrome_sandbox
sudo chmod 4755 chrome_sandbox
# copy sandbox executable to a shared location
sudo cp -p chrome_sandbox /usr/local/sbin/chrome-devel-sandbox
# export CHROME_DEVEL_SANDBOX env variable
export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox
Try with
sudo sysctl -w kernel.unprivileged_userns_clone=1
It will allows you, as unprivileged user, to access the sandbox of chromium.
This is temporary and active only until reboot.
You likely have the setuid bit wrong because of the cp command :
$ sudo touch orig
$ ls -l orig
-rw-r--r-- 1 root root 0 févr. 11 23:31 orig
$ sudo chmod 4755 orig
$ ls -l orig
-rwsr-xr-x 1 root root 0 févr. 11 23:31 orig
$ sudo cp orig new
$ ls -l new
-rwxr-xr-x 1 root root 0 févr. 11 23:31 new
The setuid bit (4th character) was changed from s to x after cp.
I'm attempting to install https://github.com/jehiah/json2csv. The problem is apparently tied to my noob status w.r.t. Bash.
System: Ubuntu 14.04 LTS
Load instruction:
$ go get github.com/jehiah/json2csv
Go is installed:
$ which go ==> /usr/bin/go
~/.bashrc setup:
export GOROOT=/usr/bin/go
export GOPATH=$HOME/projects/go
The package seems to download correctly:
$ cd projects/go
$ tree
$ > bin > json2csv
> src > github.com
...
$ ls bin -l
$ > -rwxrwxr-x 1 <user> <user> 55400 Feb 5 13:57 json2csv
But $json2csv isn't recognized, even from the same directory. I'm sure this is a noob problem, but I haven't cracked it yet. Suggestions?
Add $GOPATH/bin to your PATH variable in your shell,
for bash:
export PATH=$GOPATH/bin:$PATH
On Mac OS X, if I send SIGQUIT to my C program, it terminates, but there is no core dump file.
Do you have to manually enable core dumps on Mac OS X (how?), or are they written to somewhere else instead of the working directory?
It seems they are suppressed by default. Running
$ ulimit -c unlimited
Will enable core dumps for the current terminal, and it will be placed in /cores as core.PID. When you open a new session, it will be set to the default value again.
On macOS, your crash dumps are automatically handled by Crash Reporter.
You can find backtrace files by executing Console and going to User Diagnostic Reports section (under 'Diagnostic and Usage Information' group) or you can locate them in ~/Library/Logs/DiagnosticReports.
You can also check where dumps are generated by monitoring system.log file, e.g.
tail -f /var/log/system.log | grep crash
The actual core dump files you can find in /cores.
See also:
How to generate core dumps in Mac OS X?
Technical Note TN2118: Kernel Core Dumps.
Additionally, the /cores directory must exist and the user running the program must have write permissions on it.
The answer above,
ulimit -c unlimited
works -- but be sure to run that in the same terminal from which you will run the program that dumps core. You need to run the ulimit command first.
by default, specific directories in mac osx are hidden. you might want to enable this feature in the terminal and then the core dump should be visible within the directory /cores.
defaults write com.apple.finder AppleShowAllFiles TRUE
There is a great explanation by Quinn “The Eskimo!” on Apple's forums
https://developer.apple.com/forums/thread/694233
I roughly followed that guide. Here are the steps that I did.
Grant write all access to the /cores dir
PROMPT> ls -la / | grep cores
drwxr-xr-x 2 root wheel 64 Dec 8 2021 cores
PROMPT> sudo chmod 1777 /cores
PROMPT> ls -la / | grep cores
drwxrwxrwt 2 root wheel 64 Dec 21 23:29 cores
Set size of core file
PROMPT> ulimit -c unlimited
Compile and sign the program
PROMPT> cargo build --release -p my-crashing-program
PROMPT> /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" tmp.entitlements
PROMPT> codesign -s - -f --entitlements tmp.entitlements my-crashing-program
Run the program
PROMPT> my-crashing-program
thread 'main' panicked at 'boom', my-crashing-program/src/main.rs:74:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
dumping core for pid 80995
zsh: quit my-crashing-program
Now there is a core file
PROMPT> ls /cores
core.80995
Also Apple's Console app has a list with Crash Reports.