Snort mailing list archives

RE: snort new ruleset and vision rules


From: Liam burke <lburke () lancomms ie>
Date: Fri, 24 Aug 2001 17:28:53 +0100

My apologies - I am using snort 1.8.1

here's the output you wanted:

Thanks guys,
LB 


[root@engarde etc]# /var/chroot/snort/sbin/snort -T -c /var/chroot/snort/etc/snort.conf -l /var/chroot/snort/log
Log directory = /var/chroot/snort/log

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth0
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /var/chroot/snort/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time

*WARNING*: unknown output plugin "trap_snmp", ignoring!

ERROR vision18.rules:1 => Port value missing in rule!
Fatal Error, Quitting..

and....

[root@engarde etc]# cat /var/chroot/snort/etc/snort.conf | grep -v ^# | grep -v ^$
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
 
var DNS_SERVERS 172.20.1.1/32 50.0.0.0/8 172.20.128.2/32 172.20.128.61/32 172.20.128.62/32
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 8080 -unicode -cginull
preprocessor rpc_decode: 111 
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 5 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS 5.1.1.0/24 6.1.1.0/24
output alert_syslog: LOG_AUTH LOG_ALERT
output trap_snmp: alert, 7, trap -v 2c -p 162  172.20.128.65 public
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include misc.rules
include local.rules
include vision18.rules
-----Original Message-----
From: Michael Boman [mailto:michael () ayeka dyndns org]
Sent: 24 August 2001 17:28
To: Liam burke; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort new ruleset and vision rules


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 25 August 2001 00:03, Liam burke wrote:
Whenever I try to load snort using the snort's ruleset and vision.rules it
won't start.
<snip of snort.conf>
include vision.rules
<end snip>

messages from syslog -
Aug 24 16:54:40 engarde snort: Initializing daemon mode
Aug 24 16:54:41 engarde kernel: eth0: Setting promiscuous mode.
Aug 24 16:54:41 engarde kernel: device eth0 entered promiscuous mode
Aug 24 16:54:41 engarde snortd: snort startup succeeded
Aug 24 16:54:42 engarde kernel: device eth0 left promiscuous mode


and that's all.


Any ideas?
LB

What about giving us the output from:

# /path/to/snort -T -c /path/to/snort.conf (any other options you are using)

and

# cat /path/to/snort.conf | grep -v ^# | grep -v ^$

That would make the whole thing easier to track down; with the current
information we can't do anything.

and please, include your snort version.

Best regards
 Michael Boman

- -- 
There is no such thing as a system that is secure out of the box.
Tim [Timothy M. Mullen, CIO of AnchorIS.Com] claimed earlier this
morning that he had found one at WalMart the other day that was
secure out of the box, but as it turns out that was a Nintendo.

- -- Jesper M Johansson, Ph.D. Assistant Professor of Information
   Systems at Boston University - during a SANS audio broadcast
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7hoCtjD4u/xp0yJcRAgYOAJ9YmxIVzYEjMNJ1WIzSOQUnrqSeZgCeMjv5
uscHcZVkurlpzAJ5v6szt0c=
=h6Cs
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


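The thread turns on two things `snort -T` reported: a rule on line 1 of vision18.rules whose header has no port value, and an `output` directive naming a plugin the binary does not know. The checker below is an added example (my own code, not from the thread, the Snort project or the Whitehats vision ruleset) that walks a snort.conf-style file and reports those classes of mistake before Snort is restarted: rule headers with the wrong number of fields, malformed port values, `$VARIABLES` used before any `var` defines them, and `output` plugins outside a known set. The function names, the sample file and the list of known output plugins are all constructed for the example; in particular `KNOWN_OUTPUT_PLUGINS` is an assumed set that should be replaced by whatever plugins were compiled into the build being tested.

```python
"""Added example: a stand-alone pre-flight check for Snort 1.x-style rule and
config files.  It approximates the header checks that make `snort -T` abort;
it is not Snort's own parser, and its messages are its own."""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
HEADER_FIELDS = 7  # action proto src src_port direction dst dst_port
# A port field may be a number, a range (1024:, :1023, 20:21), 'any' or a
# $VARIABLE, optionally negated with a leading '!'.
PORT_RE = re.compile(r"^!?(?:\$\w+|any|\d+|\d*:\d*)$")
# ASSUMPTION: a plausible set of output plugins; adjust to the actual build.
KNOWN_OUTPUT_PLUGINS = {"alert_syslog", "alert_fast", "alert_full",
                        "alert_unixsock", "alert_smb", "log_tcpdump",
                        "database", "xml"}


def split_rule(line):
    """Separate the rule header from the parenthesised options, if any."""
    head, _, rest = line.partition("(")
    options = rest[: rest.rfind(")")] if rest else None
    return head.strip(), options


def check_header(header, variables):
    """Return a list of problems found in one rule header."""
    problems = []
    toks = header.split()
    if len(toks) != HEADER_FIELDS:
        problems.append(
            f"header has {len(toks)} fields, expected {HEADER_FIELDS} "
            "(action proto src src_port direction dst dst_port)")
        return problems  # field positions are meaningless past this point
    action, proto, src, sport, direction, dst, dport = toks
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        problems.append(f"bad direction {direction!r}")
    for field, value in (("src_port", sport), ("dst_port", dport)):
        if not PORT_RE.match(value):
            problems.append(f"bad {field} value {value!r}")
    # Every $NAME in an address or port field must have been defined by 'var'.
    for field, value in (("src", src), ("src_port", sport),
                         ("dst", dst), ("dst_port", dport)):
        for var in re.findall(r"\$(\w+)", value):
            if var not in variables:
                problems.append(f"{field} uses undefined variable ${var}")
    return problems


def check_config(text):
    """Walk a snort.conf/rules text; return [(lineno, message), ...]."""
    findings = []
    variables = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split()[0]
        if keyword == "var":
            parts = line.split(None, 2)
            if len(parts) < 3:
                findings.append((lineno, "var without a value"))
            else:
                variables.add(parts[1])
            continue
        if keyword == "output":
            plugin = line.split()[1].rstrip(":")
            if plugin not in KNOWN_OUTPUT_PLUGINS:
                findings.append((lineno, f"unknown output plugin {plugin!r}"))
            continue
        if keyword in ("include", "preprocessor", "config"):
            continue  # not validated by this example
        header, _options = split_rule(line)
        for problem in check_header(header, variables):
            findings.append((lineno, problem))
    return findings


# Constructed sample input: addresses are documentation ranges, sids are
# in the local range, and the broken lines are deliberate.
SAMPLE = """\
# constructed sample, not a real ruleset
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any
output alert_syslog: LOG_AUTH LOG_ALERT
output trap_snmp: alert, 7, trap -v 2c -p 162 192.0.2.65 public
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ok rule"; content:"/cgi-bin/"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"dst port missing"; sid:1000002;)
alert udp any any -> $DNS_SERVERS 53 (msg:"undefined var"; sid:1000003;)
log tcp any any -> $HOME_NET 23
"""

if __name__ == "__main__":
    for lineno, message in check_config(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run against the sample it reports line 5 (the unknown output plugin), line 7 (six header fields, the destination port missing) and line 8 (`$DNS_SERVERS` never defined); the two well-formed rules pass. Because `check_config` tracks `var` definitions in file order, it also catches a rules file included before the variables it references are defined, which is the same order dependency Snort itself has when it parses `include` lines.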