Snort mailing list archives
Re: snort new ruleset and vision rules
From: Michael Boman <michael () ayeka dyndns org>
Date: Sat, 25 Aug 2001 10:49:51 +0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 25 August 2001 00:28, Liam burke wrote:
> My apologies - I am using snort 1.8.1 heres the output you wanted:
> Thanks guys,
> LB
>
> [root@engarde etc]# /var/chroot/snort/sbin/snort -T -c /var/chroot/snort/etc/snort.conf -l /var/chroot/snort/log
> Log directory = /var/chroot/snort/log
>
> --== Initializing Snort ==--
> Checking PID path...
> PATH_VARRUN is set to /var/run/ on this operating system
> Initializing Network Interface eth0
> Kernel filter, protocol ALL, raw packet socket
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /var/chroot/snort/etc/snort.conf
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
> Fragment timeout: 60 seconds
> Fragment memory cap: 4194304 bytes
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> State alerts: INACTIVE
> Scan alerts: ACTIVE
> No arguments to stream4_reassemble, setting defaults:
> Reassemble client: ACTIVE
> Reassemble server: INACTIVE
> Reassemble ports: 21 23 25 53 80 143 110 111 513
> Reassembly alerts: ACTIVE
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> *WARNING*: unknown output plugin "trap_snmp", ignoring!
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ERROR vision18.rules:1 => Port value missing in rule!
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This can be caused by the unset variables INTERNAL and EXTERNAL used in vision18.rules - see below.

> Fatal Error, Quitting..
>
> and....
>
> [root@engarde etc]# cat /var/chroot/snort/etc/snort.conf | grep -v ^# | grep -v ^$
> var HOME_NET $eth0_ADDRESS
> var EXTERNAL_NET any

The vision rules use INTERNAL and EXTERNAL instead of HOME_NET and EXTERNAL_NET, so add:

var INTERNAL $HOME_NET
var EXTERNAL $EXTERNAL_NET

> var SMTP $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var DNS_SERVERS 172.20.1.1/32 50.0.0.0/8 172.20.128.2/32 172.20.128.61/32 172.20.128.62/32

You can't have spaces in this list; use:

var DNS_SERVERS [172.20.1.1/32,50.0.0.0/8,172.20.128.2/32,172.20.128.61/32,172.20.128.62/32]

> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 8080 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 5 portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS 5.1.1.0/24 6.1.1.0/24
> output alert_syslog: LOG_AUTH LOG_ALERT
> output trap_snmp: alert, 7, trap -v 2c -p 162 172.20.128.65 public

According to your 'snort -T' output you are missing the snmp alert facility (or just spelled this wrong - someone else, please take a look - I don't use SNMP alerting)

[snip]

Best regards
Michael Boman

- --
There is no such thing as a system that is secure out of the box. Tim [Timothy M. Mullen, CIO of AnchorIS.Com] claimed earlier this morning that he had found one at WalMart the other day that was secure out of the box, but as it turns out that was a Nintendo.
- -- Jesper M Johansson, Ph.D. Assistant Professor of Information Systems at Boston University - during a SANS audio broadcast

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7hxJUjD4u/xp0yJcRAo0iAJ9Jrd4vklswBgWUBzC/rh1I2xwQnwCdHiJn
NpUYvFNXcfUhi/Kn6G5CD50=
=JUYX
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
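The two problems diagnosed in the reply above (rules referencing $INTERNAL/$EXTERNAL that snort.conf never defines, and a space-separated address list that Snort wants as [a,b,c]) are easy to catch before running `snort -T`. The following is an added example, not code from the thread or from the Snort project: a small Python linter that reads `var` lines from a snort.conf and flags variables a rules file references without a definition, `var X $Y` aliases whose target is missing, and list values containing whitespace. The sample config and rules are constructed here to mirror the fragment quoted above; the assumption that names of the form `$<iface>_ADDRESS` (such as `$eth0_ADDRESS`) are supplied by Snort itself from the sniffing interface, rather than by a `var` line, is mine and is marked in the code.

```python
import re

# Constructed snort.conf fragment modelled on the one quoted in the thread (not the poster's file).
SAMPLE_CONF = """\
# constructed sample
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var DNS_SERVERS 172.20.1.1/32 50.0.0.0/8 172.20.128.2/32
"""

# Constructed rules in the style of the vision ruleset, which uses $INTERNAL/$EXTERNAL
# where snort.conf defines $HOME_NET/$EXTERNAL_NET. Not the real vision18.rules.
SAMPLE_RULES = """\
# constructed sample
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"constructed rule using vision-style vars";)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed rule using snort.conf vars";)
"""

VAR_LINE = re.compile(r'^\s*var\s+(\w+)\s+(.+?)\s*$')
VAR_REF = re.compile(r'\$(\w+)')
# Assumption: Snort fills in $<iface>_ADDRESS from the interface it sniffs on,
# so a reference such as $eth0_ADDRESS does not need a 'var' line of its own.
INTERFACE_VAR = re.compile(r'^\w+_ADDRESS$')


def parse_vars(conf_text):
    """Collect 'var NAME VALUE' definitions from snort.conf, skipping comment lines."""
    defined = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = VAR_LINE.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
    return defined


def is_defined(name, defined):
    return name in defined or INTERFACE_VAR.match(name) is not None


def undefined_refs(rules_text, defined):
    """Map every $NAME used in the rules but never defined to the rule lines that use it."""
    missing = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        for ref in VAR_REF.findall(line):
            if not is_defined(ref, defined):
                missing.setdefault(ref, []).append(lineno)
    return missing


def dangling_aliases(defined):
    """'var X $Y' definitions whose target Y is itself never defined."""
    return {name: value for name, value in defined.items()
            if value.startswith('$') and not is_defined(value[1:], defined)}


def space_separated_lists(defined):
    """Values written as 'a b c'; Snort expects a bracketed, comma-separated list instead."""
    return {name: value for name, value in defined.items()
            if re.search(r'\s', value) and not value.startswith('[')}


def to_snort_list(value):
    """Rewrite 'a b c' as '[a,b,c]' with no whitespace inside the brackets."""
    return '[' + ','.join(value.split()) + ']'


def alias_lines(missing):
    """Suggest the two alias lines the reply recommends for the vision ruleset's names."""
    suggestions = {'INTERNAL': 'var INTERNAL $HOME_NET',
                   'EXTERNAL': 'var EXTERNAL $EXTERNAL_NET'}
    return [suggestions[name] for name in sorted(missing) if name in suggestions]


def lint(conf_text, rules_text):
    defined = parse_vars(conf_text)
    return {
        'undefined': undefined_refs(rules_text, defined),
        'dangling': dangling_aliases(defined),
        'bad_lists': {n: to_snort_list(v) for n, v in space_separated_lists(defined).items()},
    }


if __name__ == '__main__':
    report = lint(SAMPLE_CONF, SAMPLE_RULES)
    for name, lines in sorted(report['undefined'].items()):
        print(f"undefined ${name} referenced on rule line(s) {lines}")
    for name, target in report['dangling'].items():
        print(f"var {name} points at {target}, which is not defined")
    for name, fixed in report['bad_lists'].items():
        print(f"var {name} contains whitespace; use: var {name} {fixed}")
    for line in alias_lines(report['undefined']):
        print("add to snort.conf:", line)
```

Run against the constructed sample it reports $EXTERNAL and $INTERNAL as undefined on the first rule and rewrites the DNS_SERVERS value in bracketed form; appending the two alias lines to the config clears the undefined references. It does not parse rule headers, so it will not catch a genuinely missing port in a rule; it only removes the variable-related causes of the "Port value missing" error before Snort is started.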
Current thread:
- snort new ruleset and vision rules Liam burke (Aug 24)
- Re: snort new ruleset and vision rules Michael Boman (Aug 24)
- <Possible follow-ups>
- RE: snort new ruleset and vision rules Liam burke (Aug 24)
- Re: snort new ruleset and vision rules Michael Boman (Aug 24)
- RE: snort new ruleset and vision rules Jason Long (Aug 24)
- RE: snort new ruleset and vision rules william . c . gercken (Aug 24)