Snort mailing list archives
RE: snort new ruleset and vision rules
From: Liam burke <lburke () lancomms ie>
Date: Fri, 24 Aug 2001 17:28:53 +0100
My apologies - I am using snort 1.8.1. Here's the output you wanted:

Thanks guys,
LB

[root@engarde etc]# /var/chroot/snort/sbin/snort -T -c /var/chroot/snort/etc/snort.conf -l /var/chroot/snort/log
Log directory = /var/chroot/snort/log

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface eth0
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /var/chroot/snort/etc/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
*WARNING*: unknown output plugin "trap_snmp", ignoring!
ERROR vision18.rules:1 => Port value missing in rule!
Fatal Error, Quitting..

and....
[root@engarde etc]# cat /var/chroot/snort/etc/snort.conf | grep -v ^# | grep -v ^$
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS 172.20.1.1/32 50.0.0.0/8 172.20.128.2/32 172.20.128.61/32 172.20.128.62/32
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 8080 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 5 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS 5.1.1.0/24 6.1.1.0/24
output alert_syslog: LOG_AUTH LOG_ALERT
output trap_snmp: alert, 7, trap -v 2c -p 162 172.20.128.65 public
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include misc.rules
include local.rules
include vision18.rules

-----Original Message-----
From: Michael Boman [mailto:michael () ayeka dyndns org]
Sent: 24 August 2001 17:28
To: Liam burke; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort new ruleset and vision rules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 25 August 2001 00:03, Liam burke wrote:
Whenever I try to load snort using snort's ruleset and vision.rules it won't start.

<snip of snort.conf>
include vision.rules
<end snip>

messages from syslog -

Aug 24 16:54:40 engarde snort: Initializing daemon mode
Aug 24 16:54:41 engarde kernel: eth0: Setting promiscuous mode.
Aug 24 16:54:41 engarde kernel: device eth0 entered promiscuous mode
Aug 24 16:54:41 engarde snortd: snort startup succeeded
Aug 24 16:54:42 engarde kernel: device eth0 left promiscuous mode

and that's all. Any ideas?
LB
What about giving us the output from:

# /path/to/snort -T -c /path/to/snort.conf (any other options you are using)

and

# cat /path/to/snort.conf | grep -v ^# | grep -v ^$

That would make the whole thing easier to track down; with the current information we can't do anything. And please include your snort version.

Best regards
Michael Boman

- --
There is no such thing as a system that is secure out of the box. Tim [Timothy M. Mullen, CIO of AnchorIS.Com] claimed earlier this morning that he had found one at WalMart the other day that was secure out of the box, but as it turns out that was a Nintendo.
- -- Jesper M Johansson, Ph.D. Assistant Professor of Information Systems at Boston University - during a SANS audio broadcast

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7hoCtjD4u/xp0yJcRAgYOAJ9YmxIVzYEjMNJ1WIzSOQUnrqSeZgCeMjv5
uscHcZVkurlpzAJ5v6szt0c=
=h6Cs
-----END PGP SIGNATURE-----
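Added example, not code from this thread or from the Snort project: a small pre-flight checker that applies the seven-field Snort rule header layout (action protocol src_ip src_port direction dst_ip dst_port) to every rule in a file and reports the line number of any rule whose port fields are missing or malformed, which is the class of error that made snort -T reject vision18.rules above. The sample rules file, the simplified port grammar and the helper names are constructed for illustration; the thread does not show line 1 of the real vision18.rules, so nothing here claims what that line contains.

```python
"""Pre-flight check of Snort rule headers (added example, not Snort code).

Applies the rule header layout
    action protocol src_ip src_port direction dst_ip dst_port
to each rule and reports lines whose port fields are missing or malformed,
so such problems surface before `snort -T` aborts on them.
"""
import re
import sys

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
# Simplified port grammar (assumption; narrower than Snort's own parser):
#   any | $VAR | 80 | 1024: | :1023 | 6000:6010, optionally negated with '!'
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+:?\d*|:\d+)$")

# Constructed sample rules file (not the real vision18.rules). Line 2 lacks a
# destination port, line 7 uses a service name where a number is expected,
# lines 5-6 show a backslash-continued rule that must be joined before parsing.
SAMPLE_RULES = """\
# constructed sample, not the real vision18.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET (msg:"IDS000 broken - no dst port";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS001 ok";)
log udp any any <> $DNS_SERVERS 53
alert icmp any any -> $HOME_NET any \\
    (msg:"IDS002 continued line ok";)
alert tcp any any -> any http (msg:"IDS003 bad dst port";)
"""


def logical_lines(text):
    """Yield (first_line_number, rule_text), joining backslash-continued lines."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf).strip()


def check_header(header):
    """Return a list of problems in one rule header; an empty list means it parses."""
    toks = header.split()
    dirs = [i for i, t in enumerate(toks) if t in DIRECTIONS]
    if len(dirs) != 1:
        return ["no single direction operator (-> or <>) in header"]
    left, right = toks[:dirs[0]], toks[dirs[0] + 1:]
    problems = []
    if len(left) != 4:
        problems.append(f"expected action proto src_ip src_port before the "
                        f"direction, got {len(left)} fields")
    if len(right) == 1:
        problems.append("destination port missing")
    elif len(right) != 2:
        problems.append(f"expected dst_ip dst_port after the direction, "
                        f"got {len(right)} fields")
    if left and left[0] not in ACTIONS:
        problems.append(f"unknown action {left[0]!r}")
    if len(left) > 1 and left[1] not in PROTOCOLS:
        problems.append(f"unknown protocol {left[1]!r}")
    if len(left) == 4 and not PORT_RE.match(left[3]):
        problems.append(f"bad source port {left[3]!r}")
    if len(right) == 2 and not PORT_RE.match(right[1]):
        problems.append(f"bad destination port {right[1]!r}")
    return problems


def check_rules(text):
    """Check every rule in a rules-file text; return 'line N: problem' strings."""
    errors = []
    for num, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        header = line.split("(", 1)[0]  # options inside (...) are not validated here
        errors.extend(f"line {num}: {p}" for p in check_header(header))
    return errors


if __name__ == "__main__":
    # Usage: python check_rules.py /path/to/vision18.rules  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for err in check_rules(text):
        print(err)
```

Run against the sample it reports line 2 (no destination port) and line 7 (non-numeric port); pointed at a real rules file it gives the line number to look at before snort -T is run again. Rule options in parentheses are deliberately left to Snort itself.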