Snort mailing list archives

RE: Snort but no alert


From: "nyarlathothep@libero.it" <nyarlathothep () libero it>
Date: Mon, 17 May 2004 10:01:22 +0200

Hello all,
so...
I've checked the conf file, and I've tried, as suggested, the test (-T) flag, but
I still see only the following types of alerts: 2521 alerts in five days, of 20
different types.
I don't know if this is the normal behavior of Snort with all the rules activated.
If someone could tell me if this is "correct"... or if something could be missing...

(snort_decoder) WARNING: TCP Data Offset is less than 5!
(snort_decoder) WARNING: TCP Header length exceeds packet length!
(snort_decoder): Invalid UDP header, length field < 8
(snort_decoder) Unknown Datagram decoding problem!
(spp_stream4) TTL LIMIT Exceeded
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) APACHE WHITESPACE (TAB)
(http_inspect) NON-RFC HTTP DELIMITER
(http_inspect) OVERSIZE REQUEST-URI DIRECTORY
(http_inspect) OVERSIZE CHUNK ENCODING
(spo_bo) Back Orifice Traffic detected
spp_bo: Back Orifice Traffic detected (key: 31337)
Portscan detected from 151.11.129.53 Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0)
BAD-TRAFFIC loopback traffic
SNMP Broadcast request
TFTP GET passwd
ICMP Destination Unreachable (Communication Administratively Prohibited)
ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)
ICMP Time-To-Live Exceeded in Transit

When I try snort -i eth1 -C ./snort.conf -l ./log -T
I get the following output:

Running in IDS mode
Log directory = ./log

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: OFF
      %U Encoding: OFF
      Bare Byte: OFF
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: OFF
      Multiple Slash: YES alert: NO
      IIS Backslash: OFF
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: OFF
      IIS Unicode Map:  NOT CONFIGURED
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
2041 Snort rules read...
2041 Option Chains linked into 249 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2523      type=Both       tracking=dst count=10  seconds=10
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3RC1 (Build 26)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Final Flow Statistics
Snort exiting
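The thresholding-local entries in the -T output (sid 2523 type=Both, sid 2275 type=Threshold) cap how often those two rules can alert, which matters when judging whether an alert count is "correct". As an added example, not code from the post or from Snort, here is a small Python model of the Snort 2.x limit/threshold/both semantics run over constructed events; the event tuples, the IP addresses and the local sid 1000001 are assumptions.

```python
# Added example (not from the post or from Snort): a model of Snort 2.x event
# thresholding applied to the two "thresholding-local" entries shown above.
#   limit     - alert on the first `count` events per window, then ignore
#   threshold - alert once every `count` events per window
#   both      - alert once per window after `count` events, then ignore
from collections import defaultdict

class EventThreshold:
    def __init__(self, gid, sid, kind, tracking, count, seconds):
        self.gid, self.sid, self.kind = gid, sid, kind
        self.tracking, self.count, self.seconds = tracking, count, seconds
        self._win = {}  # tracked IP (src or dst) -> (window_start, events_seen)

    def allow(self, ts, src, dst):
        key = dst if self.tracking == "dst" else src
        start, n = self._win.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                 # window expired: open a new one
        n += 1
        self._win[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        if self.kind == "both":
            return n == self.count           # exactly once per window
        raise ValueError("unknown threshold type %r" % self.kind)

# The two local thresholds printed by snort -T in the post above.
THRESHOLDS = [
    EventThreshold(1, 2523, "both", "dst", 10, 10),
    EventThreshold(1, 2275, "threshold", "dst", 5, 60),
]

def apply_thresholds(thresholds, events):
    """events: (ts, gid, sid, src, dst) tuples, time-ordered per rule; returns those that alert."""
    index = {(t.gid, t.sid): t for t in thresholds}
    return [e for e in events
            if (e[1], e[2]) not in index or index[(e[1], e[2])].allow(e[0], e[3], e[4])]

def demo():
    """Constructed burst against one destination: 25 hits of sid 2523, 12 of sid 2275,
    and one hit of an assumed local rule (sid 1000001) that has no threshold."""
    events = [(i * 0.2, 1, 2523, "10.0.0.%d" % (i % 3), "10.0.0.9") for i in range(25)]
    events += [(float(i), 1, 2275, "10.0.0.1", "10.0.0.9") for i in range(12)]
    events.append((0.0, 1, 1000001, "10.0.0.1", "10.0.0.9"))
    counts = defaultdict(int)
    for _, gid, sid, _, _ in apply_thresholds(THRESHOLDS, events):
        counts[(gid, sid)] += 1
    return dict(counts)   # {(1, 2523): 1, (1, 2275): 2, (1, 1000001): 1}
```

With these two thresholds, 37 rule hits collapse to 3 alerts; a low count in the alert file is therefore not by itself evidence that rules are not firing.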




