RE: snort exit

[Steven Garrett <StevenG () cometsystems com>]

Thanks Keith,
 
Although I should have mentioned that I'm running snort on a freebsd box,
not an NT box.  Any ideas on what would cause it to stop running on a
freebsd box?  The logs are silent as mentioned earlier in the thread.
 
Thanks all
 
Steve

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Thursday, May 16, 2002 12:19 PM
To: Steven Garrett; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort exit


There is no time out period, as far as I am aware.  This is a very common
problem when running on Windows 2000.  As I mentioned in a previous port,
Snort.Panel fixed this for me, as it will restart snort immediately if the
process dies.

-----Original Message-----
From: Steven Garrett [mailto:StevenG () cometsystems com]
Sent: Thursday, May 16, 2002 12:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort exit


Hi all.  Is there a defined time-out period for snort.  I leave it running
when I leave for the evening and by the time I come back in the morning it
has exited.  All I can see in the logs is that the interface has left
promiscous mode.  
 
Any ideas?  All suggestions and helpful comments are greatly appreciated.
 
Steve

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, May 16, 2002 10:58 AM
To: 'Richard Roy'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on
Win2k



Richard,

 

Sounds like you have the permissions set incorrectly for the CGI folder.
Make sure that the IUSER has full access to the folder. If you need some
guidance then you can go to our site, there you will find a complete walk
through for Windows and either Snortsnarf or for Acid as your viewer. Let me
know how thing go.

Michael Steele | Support Technician    
mailto:michaels () silicondefense com <mailto:michaels () silicondefense com> 
Silicon Defense: IDS solutions - http://www.silicondefense.com
<http://www.silicondefense.com> 
Snort: Open Source Network IDS - http://www.snort.org <http://www.snort.org>


-----Original Message-----
From: Richard Roy [mailto:royr () justicetrax com] 
Sent: May 16, 2002 7:16 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on
Win2k

 

I've definately got it logging now, without IDS center.  I have it logging
to MySQL (there were 15 events at last check) but now I can not get ACID to
work at all.  I get a CGI error that "The specified CGI application
misbehaved by not returning a complete set of HTTP headers. The headers it
did return are"   But that is it, no headers are there.  It is supposed to
be using PHP and the .cgi is mapped the same as .php which didn't help.  Any
thoughts?  


[Rich Roy] 

 

 

 

 

 -----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, May 15, 2002 5:29 PM
To: 'Richard Roy'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on
Win2k

Richard,

 

If you are not sure your logging, you can place this rule in your
local.rules file and activate the local.rules file in the snort.conf file.
Now generate some traffic with your browser and you should see your log file
grow.

 

 

alert tcp any any <> any any (msg:"alert-local test";)

 

Michael Steele | Support Technician
mailto:michaels () silicondefense com <mailto:michaels () silicondefense com> 
Silicon Defense: IDS solutions - http://www.silicondefense.com
<http://www.silicondefense.com> 
Snort: Open Source Network IDS - http://www.snort.org <http://www.snort.org>


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Richard Roy
Sent: Wednesday, May 15, 2002 7:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on
Win2k

 

I set up SNORT using IDSCentre and tested the config using the applet.  I
received no error messages, the SNORT window is minimized and things appear
to work, yet there are no alerts, no log entries, nothing.  I know we are
under hits all the time, my firewall reports blocking them.  

Setup: 
W2K Pro p3 733.  On a hub with router and firewall external interface.  I
have 64 public IP's and I'd like to scan the range if possible.  I am
including the following.   

> From IDSCentre the command line it fires, the snort.conf file and the screen
output from the minimized snort window.  I can't quite figure out what is
wrong.  Another set of eyes looking at this is what I am hoping someone will
do and see a problem.

TIA for your help 

Rich 
PS Sorry it is a long post, but I did not want to do an attachment. 

[Begin config] 
[************cmd line*********] 
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h
aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above.  It is a public IP*] 

 

[***********snort.conf**************] 
#-------------------------------------------------- 
#   http://www.activeworx.com <http://www.activeworx.com>  Snort 1.8.6
Ruleset 
#     IDS Policy Manager Version: 1.3 Build(31) 
# Current Database Updated -- May 10, 2002 10:55 AM 
#-------------------------------------------------- 
# 
## Variables 
## --------- 
#var HOME_NET 10.1.1.0/24 
#var HOME_NET $eth0_ADDRESS 
#var HOME_NET [10.1.1.0/24,192.168.1.0/24] 
var HOME_NET any 
var EXTERNAL_NET any 
var SMTP $HOME_NET 
var HTTP_SERVERS $HOME_NET 
var SQL_SERVERS $HOME_NET 
var DNS_SERVERS $HOME_NET 
#var RULE_PATH ./ 
var RULE_PATH c:\snort\rules 
var SHELLCODE_PORTS !80 
#var SPADEDIR . 
# 
## Preprocessor Support 
## -------------------- 
preprocessor http_decode: 80 -cginull -unicode 
preprocessor rpc_decode: 111 32771 
preprocessor bo: 
preprocessor stream4: detect_scans 
preprocessor stream4_reassemble 
preprocessor portscan: $HOME_NET 4 3 portscan.log 
#preprocessor portscan-ignorehosts: 0.0.0.0 
preprocessor frag2 
preprocessor telnet_decode 
# 
# 
## Output Modules 
## -------------- 
#output database: log, unixodbc, dbname=snort user=snort host=localhost
password=test 
output CSV: log default 
output log_tcpdump: snorttcp.log 
#output xml: Log, file=/var/log/snortxml 
output log_unified: filename snort.log, limit 128 
# 
#output alert_syslog: LOG_AUTH LOG_ALERT 
#output alert_unified: filename snort.alert, limit 128 
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x
DES -X "" -a SHA -A "" myTrapListener 
# 
## Custom Rules 
## ------------ 
ruletype suspicious 
{ 
 type log 
 output log_tcpdump: suspicious.log 
} 
ruletype redalert 
{ 
 type alert 
 output alert_syslog: LOG_AUTH LOG_ALERT 
# output database: log, mysql, user=snort dbname=snort host=localhost 
} 
#ruletype <New_Custom_Rules> 
#{ 
#} 
# 
## Include Files 
## ------------- 
include classification.config 
# 
include $RULE_PATH/bad-traffic.rules 
include $RULE_PATH/exploit.rules 
include $RULE_PATH/scan.rules 
include $RULE_PATH/finger.rules 
include $RULE_PATH/ftp.rules 
include $RULE_PATH/telnet.rules 
include $RULE_PATH/smtp.rules 
include $RULE_PATH/rpc.rules 
include $RULE_PATH/rservices.rules 
include $RULE_PATH/dos.rules 
include $RULE_PATH/ddos.rules 
include $RULE_PATH/dns.rules 
include $RULE_PATH/tftp.rules 
include $RULE_PATH/web-cgi.rules 
include $RULE_PATH/web-coldfusion.rules 
include $RULE_PATH/web-iis.rules 
include $RULE_PATH/web-frontpage.rules 
include $RULE_PATH/web-misc.rules 
include $RULE_PATH/web-attacks.rules 
include $RULE_PATH/sql.rules 
include $RULE_PATH/x11.rules 
include $RULE_PATH/icmp.rules 
include $RULE_PATH/netbios.rules 
include $RULE_PATH/misc.rules 
include $RULE_PATH/attack-responses.rules 
include $RULE_PATH/backdoor.rules 
include $RULE_PATH/shellcode.rules 
include $RULE_PATH/policy.rules 
include $RULE_PATH/porn.rules 
include $RULE_PATH/info.rules 
include $RULE_PATH/icmp-info.rules 
include $RULE_PATH/virus.rules 
#include $RULE_PATH/experimental.rules 
include $RULE_PATH/local.rules 

 

{*********Snort Screen*************} 

Log directory = c:\snort\log 

Initializing Network Interface \ 

        --== Initializing Snort ==-- 
Decoding Ethernet on interface \Device\Packet_NdisWanIp 
Initializing Preprocessors! 
Initializing Plug-ins! 
Initializating Output Plugins! 
Parsing Rules file c:\snort\snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Scan alerts: ACTIVE 
    Log Flushed Streams: INACTIVE 
No arguments to stream4_reassemble, setting defaults: 
     Reassemble client: ACTIVE 
     Reassemble server: INACTIVE 
     Reassemble ports: 21 23 25 53 80 143 110 111 513 
     Reassembly alerts: ACTIVE 
     Reassembly method: FAVOR_OLD 
Using GMT time 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
ProcessFileOption: c:\snort\log/log 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
WARNING: command line overrides rules file logging plugin! 
980 Snort rules read... 
980 Option Chains linked into 100 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 

Rule application order:
->activation->dynamic->alert->pass->log->suspicious->red 
alert 

        --== Initialization Complete ==-- 

-*> Snort! <*- 
Version 1.8-WIN32 (Build 103) 
By Martin Roesch (roesch () sourcefire com, www.snort.org) 
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike) 
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) 
          (based on code from 1.7 port) 

[End config]