Snort mailing list archives
Re: Problems with snort
From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Mon, 26 Apr 2004 14:38:43 -0300
Adriano,

Apparently the init script is calling a different snort.conf, or is running in a mode other than NIDS. How are you starting snort?

Regards,

Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/
Hi, I have a problem... I installed Snort with MySQL and ACID (RedHat9), but it doesn't show me any alerts. Here is the part of the syslog:

Apr 26 10:37:22 russoe kernel: device eth0 entered promiscuous mode
Apr 26 10:37:22 russoe snort: Initializing daemon mode
Apr 26 10:37:22 russoe snort: PID path stat checked out ok, PID path set to /var/run/
Apr 26 10:37:22 russoe snort: Writing PID "6768" to file "/var/run//snort_eth0.pid"
Apr 26 10:37:22 russoe snort: ,-----------[Flow Config]----------------------
Apr 26 10:37:22 russoe snort: | Stats Interval: 0
Apr 26 10:37:22 russoe snort: | Hash Method: 2
Apr 26 10:37:22 russoe snort: | Memcap: 10485760
Apr 26 10:37:22 russoe snort: | Rows : 4099
Apr 26 10:37:22 russoe snort: | Overhead Bytes: 16400(%0.16)
Apr 26 10:37:22 russoe snort: `----------------------------------------------
Apr 26 10:37:22 russoe snort: HttpInspect Config:
Apr 26 10:37:22 russoe snort: GLOBAL CONFIG
Apr 26 10:37:22 russoe snort: Max Pipeline Requests: 0
Apr 26 10:37:22 russoe snort: Inspection Type: STATELESS
Apr 26 10:37:22 russoe snort: Detect Proxy Usage: NO
Apr 26 10:37:22 russoe snort: IIS Unicode Map Filename: /etc/snort/unicode.map
Apr 26 10:37:22 russoe snort: IIS Unicode Map Codepage: 1252
Apr 26 10:37:22 russoe snort: DEFAULT SERVER CONFIG:
Apr 26 10:37:22 russoe snort: Ports:
Apr 26 10:37:22 russoe snort: 80
Apr 26 10:37:22 russoe snort: 8080
Apr 26 10:37:22 russoe snort: 8180
Apr 26 10:37:22 russoe snort:
Apr 26 10:37:22 russoe snort: Flow Depth: 300
Apr 26 10:37:22 russoe snort: Max Chunk Length: 500000
Apr 26 10:37:22 russoe snort: Inspect Pipeline Requests: YES
Apr 26 10:37:22 russoe snort: URI Discovery Strict Mode: NO
Apr 26 10:37:22 russoe snort: Allow Proxy Usage: NO
Apr 26 10:37:22 russoe snort: Disable Alerting: NO
Apr 26 10:37:22 russoe snort: Oversize Dir Length: 500
Apr 26 10:37:22 russoe snort: Only inspect URI: NO
Apr 26 10:37:22 russoe snort: Ascii: YES alert: NO
Apr 26 10:37:22 russoe snort: Double Decoding: YES alert: YES
Apr 26 10:37:22 russoe snort: %U Encoding: YES alert: YES
Apr 26 10:37:22 russoe snort: Bare Byte: YES alert: YES
Apr 26 10:37:22 russoe snort: Base36: OFF
Apr 26 10:37:22 russoe snort: UTF 8: OFF
Apr 26 10:37:22 russoe snort: IIS Unicode: YES alert: YES
Apr 26 10:37:22 russoe snort: Multiple Slash: YES alert: NO
Apr 26 10:37:22 russoe snort: IIS Backslash: YES alert: NO
Apr 26 10:37:22 russoe snort: Directory: YES alert: NO
Apr 26 10:37:22 russoe snort: Apache WhiteSpace: YES alert: YES
Apr 26 10:37:22 russoe snort: IIS Delimiter: YES alert: YES
Apr 26 10:37:22 russoe snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Apr 26 10:37:22 russoe snort: Non-RFC Compliant Characters:
Apr 26 10:37:22 russoe snort: NONE
Apr 26 10:37:22 russoe snort:
Apr 26 10:37:22 russoe snort: rpc_decode arguments:
Apr 26 10:37:22 russoe snort: Ports to decode RPC on: 111 32771
Apr 26 10:37:22 russoe snort: alert_fragments: INACTIVE
Apr 26 10:37:22 russoe snort: alert_large_fragments: ACTIVE
Apr 26 10:37:22 russoe snort: alert_incomplete: ACTIVE
Apr 26 10:37:22 russoe snort: alert_multiple_requests: ACTIVE
Apr 26 10:37:22 russoe snort: telnet_decode arguments:
Apr 26 10:37:22 russoe snort: Ports to decode telnet on: 21 23 25 119
Apr 26 10:37:22 russoe snort: Snort initialization completed successfully

############################################################################################################################

The command:

#snort -c /etc/snort/snort.conf

shows me....

Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory: YES alert: NO
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: YES
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 10.9.1.250
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
1773 Snort rules read...
1773 Option Chains linked into 170 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Adriano Bandeira de Araújo
Secretaria de Orçamento Federal - SOF
(61) 348-2111
--TriForSec http://www.triforsec.com.br/
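As an added example (not code from the thread or from the Snort project), a small Python check of the two startup logs quoted above: it strips the syslog prefix, then reports whether a "database:" output plugin block and a "Parsing Rules file" line are present, which is exactly the difference between the daemon-mode and manual runs that Alejandro's reply points at. The sample logs are constructed, trimmed copies of the thread's output; the check assumes Snort writes those same lines to syslog when the init script starts it with the intended snort.conf.

```python
import re

# Constructed samples (trimmed from the thread): the daemon-mode syslog
# excerpt has no 'database:' block, the manual 'snort -c' run does.
SYSLOG_START = """\
Apr 26 10:37:22 russoe snort: Initializing daemon mode
Apr 26 10:37:22 russoe snort: Writing PID "6768" to file "/var/run//snort_eth0.pid"
Apr 26 10:37:22 russoe snort: HttpInspect Config:
Apr 26 10:37:22 russoe snort: Ports to decode telnet on: 21 23 25 119
Apr 26 10:37:22 russoe snort: Snort initialization completed successfully
"""
MANUAL_START = """\
Running in IDS mode
Parsing Rules file /etc/snort/snort.conf
database: configured to use mysql
database: database name = snort
database: host = localhost
1773 Snort rules read...
--== Initialization Complete ==--
"""

# Timestamp, host and 'snort[pid]:' tag that syslog puts in front of each line.
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ snort(?:\[\d+\])?: ")


def strip_syslog(text):
    """Return the non-empty startup lines with any syslog prefix removed."""
    return [SYSLOG_PREFIX.sub("", ln).strip() for ln in text.splitlines() if ln.strip()]


def first_group(lines, pattern):
    """First capture group of the first line matching pattern, else None."""
    for ln in lines:
        m = re.match(pattern, ln)
        if m:
            return m.group(1)
    return None


def check_startup(text):
    """Summarise config path, mode, rule count and output plugin from a Snort
    startup log, and list what would explain 'no alerts in ACID'."""
    lines = strip_syslog(text)
    rules = first_group(lines, r"(\d+) Snort rules read")
    report = {
        "conf": first_group(lines, r"Parsing Rules file (\S+)"),
        "ids_mode": any("IDS mode" in ln for ln in lines),
        "rules": int(rules) if rules else 0,
        "database": any(ln.startswith("database: configured to use") for ln in lines),
        "problems": [],
    }
    if not report["database"]:
        report["problems"].append("no database output plugin initialized; ACID sees nothing")
    if report["conf"] is None:
        report["problems"].append("no 'Parsing Rules file' line; cannot tell which snort.conf was used")
    return report
```

Run it on the full syslog excerpt from the sensor, then on the manual run: if only the manual run reports the database plugin, the init script is not parsing the snort.conf that carries the database output line.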
Current thread:
- Problems with snort Adriano Bandeira de Araújo (Apr 26)
- Re: Problems with snort Alejandro Flores (Apr 26)
- <Possible follow-ups>
- RE: Problems with snort Harper, Patrick (Apr 26)