Snort mailing list archives
RE: snort exit
From: Steven Garrett <StevenG () cometsystems com>
Date: Thu, 16 May 2002 12:33:06 -0400
Thanks Keith, although I should have mentioned that I'm running snort on a freebsd box, not an NT box. Any ideas on what would cause it to stop running on a freebsd box? The logs are silent as mentioned earlier in the thread.

Thanks all
Steve

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Thursday, May 16, 2002 12:19 PM
To: Steven Garrett; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort exit

There is no time out period, as far as I am aware. This is a very common problem when running on Windows 2000. As I mentioned in a previous post, Snort.Panel fixed this for me, as it will restart snort immediately if the process dies.

-----Original Message-----
From: Steven Garrett [mailto:StevenG () cometsystems com]
Sent: Thursday, May 16, 2002 12:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort exit

Hi all.

Is there a defined time-out period for snort? I leave it running when I leave for the evening and by the time I come back in the morning it has exited. All I can see in the logs is that the interface has left promiscuous mode. Any ideas?

All suggestions and helpful comments are greatly appreciated.

Steve

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Thursday, May 16, 2002 10:58 AM
To: 'Richard Roy'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Richard,

Sounds like you have the permissions set incorrectly for the CGI folder. Make sure that the IUSER has full access to the folder. If you need some guidance then you can go to our site, there you will find a complete walk through for Windows and either Snortsnarf or for Acid as your viewer. Let me know how things go.
Michael Steele | Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Richard Roy [mailto:royr () justicetrax com]
Sent: May 16, 2002 7:16 AM
To: 'Michael Steele'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I've definitely got it logging now, without IDS center. I have it logging to MySQL (there were 15 events at last check) but now I can not get ACID to work at all. I get a CGI error that "The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are" But that is it, no headers are there. It is supposed to be using PHP and the .cgi is mapped the same as .php which didn't help. Any thoughts?

[Rich Roy]

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, May 15, 2002 5:29 PM
To: 'Richard Roy'
Subject: RE: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

Richard,

If you are not sure you're logging, you can place this rule in your local.rules file and activate the local.rules file in the snort.conf file. Now generate some traffic with your browser and you should see your log file grow.
alert tcp any any <> any any (msg:"alert-local test";)

Michael Steele | Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Richard Roy
Sent: Wednesday, May 15, 2002 7:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet. I received no error messages, the SNORT window is minimized and things appear to work, yet there are no alerts, no log entries, nothing. I know we are under hits all the time, my firewall reports blocking them.

Setup: W2K Pro p3 733. On a hub with router and firewall external interface. I have 64 public IP's and I'd like to scan the range if possible. I am including the following.
From IDSCentre: the command line it fires, the snort.conf file and the screen output from the minimized snort window. I can't quite figure out what is wrong. Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help
Rich

PS Sorry it is a long post, but I did not want to do an attachment.

[Begin config]

[************cmd line*********]
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y
[*NOTE, yes I blanked out my IP above. It is a public IP*]

[***********snort.conf**************]
#--------------------------------------------------
# http://www.activeworx.com Snort 1.8.6 Ruleset
# IDS Policy Manager Version: 1.3 Build(31)
# Current Database Updated -- May 10, 2002 10:55 AM
#--------------------------------------------------
#
## Variables ##
---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
#var RULE_PATH ./
var RULE_PATH c:\snort\rules
var SHELLCODE_PORTS !80
#var SPADEDIR .
#
## Preprocessor Support ##
--------------------
preprocessor http_decode: 80 -cginull -unicode
preprocessor rpc_decode: 111 32771
preprocessor bo:
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor frag2
preprocessor telnet_decode
#
#
## Output Modules ##
--------------
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default
output log_tcpdump: snorttcp.log
#output xml: Log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules ##
------------
ruletype suspicious
{
  type log
  output log_tcpdump: suspicious.log
}
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  # output database: log, mysql, user=snort dbname=snort host=localhost
}
#ruletype <New_Custom_Rules>
#{
#}
#
## Include Files ##
-------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

{*********Snort Screen*************}
Log directory = c:\snort\log
Initializing Network Interface \

--== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file c:\snort\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
Using GMT time
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 103)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) (based on code from 1.7 port)

[End config]
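Keith's fix for the "snort exit" problem is a supervisor that restarts snort the moment the process dies; Steve asked for the same thing on FreeBSD. The script below is an added example (not from this thread, Snort.Panel, or the Snort project) of that idea as a POSIX sh watchdog. It assumes snort is started as a daemon that records its pid in a pidfile; the pidfile path, interface name, config path and start command are placeholders to be replaced for the local install.

```shell
#!/bin/sh
# snort-watchdog.sh: restart snort when its process is gone and log each
# restart. Added example; paths, interface and start command are assumptions
# (placeholders), as is the pidfile snort is expected to write when daemonised.
SNORT_CMD="${SNORT_CMD:-/usr/local/bin/snort -D -c /usr/local/etc/snort/snort.conf -i fxp0}"
PIDFILE="${PIDFILE:-/var/run/snort.pid}"
LOG="${LOG:-/var/log/snort-watchdog.log}"
INTERVAL="${INTERVAL:-60}"

# note MSG: append a timestamped line to $LOG so every restart is on record
# and can be lined up with system logs to find out why snort stopped.
note() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG"
}

# pid_alive PIDFILE: succeed only if the pid recorded in PIDFILE still exists.
# An unreadable, empty or non-numeric pidfile counts as "not running".
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_running PIDFILE CMD: run CMD if the process behind PIDFILE is gone.
# Prints alive, restarted or failed so a caller can check the outcome.
ensure_running() {
    if pid_alive "$1"; then
        echo alive
        return 0
    fi
    note "snort not running (pidfile $1); restarting with: $2"
    rc=0
    sh -c "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo restarted
        return 0
    fi
    note "restart failed (exit $rc)"
    echo failed
    return 1
}

# watch_loop: poll forever; start it from rc.local or a cron @reboot entry.
watch_loop() {
    while :; do
        ensure_running "$PIDFILE" "$SNORT_CMD" > /dev/null
        sleep "$INTERVAL"
    done
}

case "${1:-}" in --daemon) watch_loop ;; esac
```

A restart loop keeps the sensor up but hides the root cause; the timestamps in the watchdog log are what to correlate with dmesg and /var/log/messages to find out why the process is dying.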