Snort mailing list archives
RE: Snort but no alert
From: "nyarlathothep@libero.it" <nyarlathothep () libero it>
Date: Mon, 17 May 2004 10:01:22 +0200
Hello all, so... I've checked the conf file, and I've tried, as suggested, the test (-T) flag, but I still see only the following types of alerts: 2521 alerts in five days, of 20 different types. I don't know if this is the normal behavior of Snort with all the rules activated. If someone could tell me if this is "correct"... or if something could be missing...

(snort_decoder) WARNING: TCP Data Offset is less than 5!
(snort_decoder) WARNING: TCP Header length exceeds packet length!
(snort_decoder): Invalid UDP header, length field < 8
(snort_decoder) Unknown Datagram decoding problem!
(spp_stream4) TTL LIMIT Exceeded
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) APACHE WHITESPACE (TAB)
(http_inspect) NON-RFC HTTP DELIMITER
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) OVERSIZE CHUNK ENCODING
(spo_bo) Back Orifice Traffic detected
spp_bo: Back Orifice Traffic detected (key: 31337)
Portscan detected from 151.11.129.53 Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0)
BAD-TRAFFIC loopback traffic
SNMP Broadcast request
TFTP GET passwd
ICMP Destination Unreachable (Communication Administratively Prohibited)
ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)
ICMP Time-To-Live Exceeded in Transit

When I try

    snort -i eth1 -C ./snort.conf -l ./log -T

I get the following output:

    Running in IDS mode
    Log directory = ./log

    Initializing Network Interface eth1
    OpenPcap() device eth1 network lookup:
            eth1: no IPv4 address assigned

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface eth1
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file ./snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ,-----------[Flow Config]----------------------
    | Stats Interval:  0
    | Hash Method:     2
    | Memcap:          10485760
    | Rows  :          4099
    | Overhead Bytes:  16400(%0.16)
    `----------------------------------------------
    No arguments to frag2 directive, setting defaults to:
        Fragment timeout: 60 seconds
        Fragment memory cap: 4194304 bytes
        Fragment min_ttl: 0
        Fragment ttl_limit: 5
        Fragment Problems: 0
        Self preservation threshold: 500
        Self preservation period: 90
        Suspend threshold: 1000
        Suspend period: 30
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        State alerts: INACTIVE
        Evasion alerts: INACTIVE
        Scan alerts: INACTIVE
        Log Flushed Streams: INACTIVE
        MinTTL: 1
        TTL Limit: 5
        Async Link: 0
        State Protection: 0
        Self preservation threshold: 50
        Self preservation period: 90
        Suspend threshold: 200
        Suspend period: 30
    Stream4_reassemble config:
        Server reassembly: INACTIVE
        Client reassembly: ACTIVE
        Reassembler alerts: ACTIVE
        Zero out flushed packets: INACTIVE
        flush_data_diff_size: 500
        Ports: 21 23 25 53 80 110 111 143 513 1433
        Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
    HttpInspect Config:
        GLOBAL CONFIG
          Max Pipeline Requests:    0
          Inspection Type:          STATELESS
          Detect Proxy Usage:       NO
          IIS Unicode Map Filename: ./unicode.map
          IIS Unicode Map Codepage: 1252
        DEFAULT SERVER CONFIG:
          Ports: 80 8080 8180
          Flow Depth: 300
          Max Chunk Length: 500000
          Inspect Pipeline Requests: YES
          URI Discovery Strict Mode: NO
          Allow Proxy Usage: NO
          Disable Alerting: NO
          Oversize Dir Length: 500
          Only inspect URI: NO
          Ascii: YES alert: NO
          Double Decoding: OFF
          %U Encoding: OFF
          Bare Byte: OFF
          Base36: OFF
          UTF 8: YES alert: NO
          IIS Unicode: OFF
          Multiple Slash: YES alert: NO
          IIS Backslash: OFF
          Directory: YES alert: NO
          Apache WhiteSpace: YES alert: YES
          IIS Delimiter: OFF
          IIS Unicode Map: NOT CONFIGURED
          Non-RFC Compliant Characters: NONE
    rpc_decode arguments:
        Ports to decode RPC on: 111 32771
        alert_fragments: INACTIVE
        alert_large_fragments: ACTIVE
        alert_incomplete: ACTIVE
        alert_multiple_requests: ACTIVE
    telnet_decode arguments:
        Ports to decode telnet on: 21 23 25 119
    2041 Snort rules read...
    2041 Option Chains linked into 249 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    +-----------------------[thresholding-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[thresholding-global]----------------------------------
    | none
    +-----------------------[thresholding-local]-----------------------------------
    | gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
    | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
    +-----------------------[suppression]------------------------------------------
    -------------------------------------------------------------------------------
    Rule application order: ->activation->dynamic->alert->pass->log

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 2.1.3RC1 (Build 26)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)

    Snort sucessfully loaded all rules and checked all rule chains!
    Final Flow Statistics
    Snort exiting
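The question the poster is really asking is whether signature rules are firing at all, or whether everything seen comes from the decoder and preprocessors. Snort's generator ID (gid) answers that directly: gid 1 is the rule engine, every other gid belongs to a decoder or preprocessor. The script below is an added example (not from the poster or the Snort project) that parses lines in Snort 2.x "fast" alert format and tallies them by generator and message. The sample lines, including their timestamps, addresses and sid/rev numbers, are constructed for this example and do not reproduce the poster's log.

```python
import re
from collections import Counter

# Constructed sample lines in Snort 2.x "-A fast" format. Timestamps, addresses,
# gid/sid/rev values and priorities are made up for this example.
SAMPLE_ALERTS = """\
05/17-09:58:01.000001  [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.5:4321
05/17-09:58:02.000002  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 198.51.100.5:4322 -> 192.0.2.10:80
05/17-09:58:03.000003  [**] [1:1444:3] TFTP GET passwd [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.5:1025 -> 192.0.2.20:69
05/17-09:58:04.000004  [**] [1:528:4] BAD-TRAFFIC loopback traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 127.0.0.1:1 -> 192.0.2.20:25
05/17-09:58:05.000005  [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.5:4323
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol and the address pair.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

RULE_GID = 1  # gid 1 is the signature rule engine; other gids are decoder/preprocessor


def parse_fast_alert(line):
    """Return a dict of the fields in one fast-format line, or None if it does not parse."""
    m = FAST_ALERT.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    return rec


def classify(gid):
    """Label an alert by where it was generated."""
    return "rule" if gid == RULE_GID else "decoder/preprocessor"


def summarize(alert_text):
    """Tally alerts by generator class, gid and message text."""
    stats = {
        "total": 0,
        "rule": 0,
        "decoder/preprocessor": 0,
        "unparsed": 0,
        "by_gid": Counter(),
        "by_message": Counter(),
    }
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        rec = parse_fast_alert(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        stats[classify(rec["gid"])] += 1
        stats["by_gid"][rec["gid"]] += 1
        stats["by_message"][rec["msg"]] += 1
    return stats


def rules_are_firing(stats):
    """True when at least one alert came from the rule engine (gid 1)."""
    return stats["rule"] > 0


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"{s['total']} alerts: {s['rule']} from rules, "
          f"{s['decoder/preprocessor']} from decoder/preprocessors, "
          f"{s['unparsed']} unparsed")
    print("rule engine firing:", rules_are_firing(s))
    for msg, n in s["by_message"].most_common():
        print(f"{n:6d}  {msg}")
```

Run it over a real `alert` file written with `-A fast` by replacing `SAMPLE_ALERTS` with the file contents; a summary in which every entry has a gid other than 1 means the rule set loaded but no signature has matched, whereas a mix like the poster's list (decoder warnings alongside "TFTP GET passwd" and "BAD-TRAFFIC loopback traffic") shows both the preprocessors and the rule engine are producing alerts.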
Current thread:
- Snort but no alert nyarlathothep () libero it (May 12)
- RE: Snort but no alert Michael Steele (May 12)
- <Possible follow-ups>
- RE: Snort but no alert Nick Duda (May 12)
- RE: Snort but no alert nyarlathothep () libero it (May 13)
- RE: Snort but no alert nyarlathothep () libero it (May 17)