Snort mailing list archives

Re: Looking for snort.conf with new preprocessor info


From: Bill Warren <bwarren () optivel com>
Date: Mon, 26 Jul 2004 14:11:31 -0500

This is my snort.conf.

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
   iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
   profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
include reference.config

Jeff Dell wrote:

If you are using the proper config, you should have seen the following when
starting snort:

,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------

I would double check your config because I didn't see that in your log that
you sent.

Jeff


-----Original Message-----
From: Bill Warren [mailto:bwarren () optivel com]
Sent: Monday, July 26, 2004 2:54 PM
To: Jeff Dell
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info

Did that.

Jeff Dell wrote:

You must enable the flow preprocessor. Example:

#preprocessor flow: stats_interval 0 hash 2
Should be:

preprocessor flow: stats_interval 0 hash 2

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bill Warren
Sent: Monday, July 26, 2004 1:47 PM
To: Harper, Patrick; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info
I am running Debian Woody with Snort 2.0.0 and nothing else, and it is running fine. It would catch all the portscans. Now that I have installed 2.2 rc1, it does not find them. It starts with no errors. Here is what I get from my syslog.

Jul 26 12:42:38 optivel-mgmt snort: Writing PID "21721" to file "/var/run//snort_eth0.pid"
Jul 26 12:42:38 optivel-mgmt snort: HttpInspect Config:
Jul 26 12:42:38 optivel-mgmt snort:     GLOBAL CONFIG
Jul 26 12:42:38 optivel-mgmt snort:       Max Pipeline Requests:    0
Jul 26 12:42:38 optivel-mgmt snort: Inspection Type: STATELESS
Jul 26 12:42:38 optivel-mgmt snort:       Detect Proxy Usage:       NO
Jul 26 12:42:38 optivel-mgmt snort: IIS Unicode Map Filename: /etc/snort/etc/unicode.map
Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Codepage: 1252
Jul 26 12:42:38 optivel-mgmt snort: rpc_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode RPC on: 111 32771
Jul 26 12:42:38 optivel-mgmt snort:     alert_fragments: INACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_large_fragments: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_incomplete: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_multiple_requests: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort: telnet_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort: Ports to decode telnet on: 21 23 25 119
Jul 26 12:42:38 optivel-mgmt snort: Conversation Config:
Jul 26 12:42:38 optivel-mgmt snort:    KeepStats: 0
Jul 26 12:42:38 optivel-mgmt snort:    Conv Count: 3000
Jul 26 12:42:38 optivel-mgmt snort:    Timeout   : 60
Jul 26 12:42:38 optivel-mgmt snort:    Alert Odd?: 0
Jul 26 12:42:38 optivel-mgmt snort:    Allowed IP Protocols:
Jul 26 12:42:38 optivel-mgmt snort:  All
Jul 26 12:42:38 optivel-mgmt snort:
Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
Jul 26 12:42:38 optivel-mgmt snort:     log: /var/log/snort/scan.log
Jul 26 12:42:38 optivel-mgmt snort:     scanners_max: 256
Jul 26 12:42:38 optivel-mgmt snort:     targets_max: 1024
Jul 26 12:42:38 optivel-mgmt snort:     target_limit: 5
Jul 26 12:42:38 optivel-mgmt snort:     port_limit: 20
Jul 26 12:42:38 optivel-mgmt snort:     timeout: 60
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow. flow must be enabled for this plugin.
Jul 26 12:42:38 optivel-mgmt last message repeated 2 times
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow. flow must be enabled for this plugin.

I see that there is a problem with the flowbits. That is why I think I did something wrong with the snort.conf file. Any ideas?

Thanks,
Bill


Harper, Patrick wrote:

What OS are you running? How did you install (binary for Windows, RPM, source)? A little more info is needed, please.


--

**********************************
Bill Warren
Optivel, Inc.
E-mail: bwarren () optivel com
Voice:  317.275.2305
Fax:    317.275.2301
Web:    http://www.optivel.com
**********************************
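The warning in the syslog above ("flowbits without flow. flow must be enabled for this plugin") fires when a loaded rule uses the flowbits keyword while no active "preprocessor flow" line exists in the config Snort actually read. Note that the log resolves rules from /etc/snort/etc/../rules, so the config that produced it lived under /etc/snort/etc/, which is the file worth checking (pass whatever path you give to -c). The following script is an added example and is not part of this thread or of the Snort distribution: it reports whether the flow line is enabled, commented out, or absent, and counts flowbits rules in the included rule files, resolving $RULE_PATH the way the snort.conf above uses it. The sample config tree it writes, the rule lines and the SIDs in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks a snort.conf for the
# condition behind "flowbits without flow": rules using flowbits while the
# flow preprocessor line is commented out or missing.

# Print "enabled" if the config has an active "preprocessor flow" line,
# "disabled" if it only appears commented out, "missing" otherwise.
flow_state() {
    conf="$1"
    if grep -Eq '^[[:space:]]*preprocessor[[:space:]]+flow([[:space:]]|:|$)' "$conf"; then
        echo enabled
    elif grep -Eq '^[[:space:]]*#[[:space:]]*preprocessor[[:space:]]+flow([[:space:]]|:|$)' "$conf"; then
        echo disabled
    else
        echo missing
    fi
}

# Count rule lines that use flowbits across the files the config includes.
# "include" paths are taken relative to the config's directory and a leading
# $RULE_PATH is expanded from the "var RULE_PATH" line, matching the layout
# in the snort.conf shown in the thread. Rules continued over several lines
# with a trailing backslash are not joined; this is a single-line check.
flowbits_rule_count() {
    conf="$1"
    dir=$(dirname "$conf")
    rule_path=$(sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}RULE_PATH[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    total=0
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$conf"); do
        case "$inc" in
            '$RULE_PATH'*) f="$rule_path${inc#*RULE_PATH}" ;;
            *) f="$inc" ;;
        esac
        case "$f" in
            /*) ;;
            *) f="$dir/$f" ;;
        esac
        [ -f "$f" ] || continue
        n=$(grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*flowbits[[:space:]]*:' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Verdict: non-zero when rules need flowbits but flow is not enabled.
check_conf() {
    state=$(flow_state "$1")
    n=$(flowbits_rule_count "$1")
    if [ "$n" -gt 0 ] && [ "$state" != enabled ]; then
        echo "WARN: $n flowbits rule(s) but flow preprocessor is $state"
        return 1
    fi
    echo "ok: flow $state, $n flowbits rule(s)"
}

# Write a constructed etc/snort.conf plus rules/web-misc.rules into a temp
# dir; $1 is "enabled" or "commented" for the flow line. Prints the conf path.
# The two flowbits rules and their SIDs are made up for this example.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/etc" "$d/rules"
    if [ "$1" = enabled ]; then pfx=""; else pfx="#"; fi
    {
        printf 'var HOME_NET any\n'
        printf 'var RULE_PATH ../rules\n'
        printf '%spreprocessor flow: stats_interval 0 hash 2\n' "$pfx"
        printf 'preprocessor stream4: disable_evasion_alerts\n'
        printf 'include $RULE_PATH/web-misc.rules\n'
    } > "$d/etc/snort.conf"
    {
        printf 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed rule A"; flow:to_server,established; flowbits:set,http.seen; flowbits:noalert; sid:1000001; rev:1;)\n'
        printf 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed rule B"; flowbits:isset,http.seen; sid:1000002; rev:1;)\n'
        printf 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"no flowbits"; content:"x"; sid:1000003; rev:1;)\n'
    } > "$d/rules/web-misc.rules"
    echo "$d/etc/snort.conf"
}

# Demo: the commented-out shape Jeff Dell describes, then the fixed one.
bad=$(make_sample commented)
good=$(make_sample enabled)
check_conf "$bad" || :
check_conf "$good"
rm -rf "$(dirname "$(dirname "$bad")")" "$(dirname "$(dirname "$good")")"
```

Run it as-is to see both verdicts, or call check_conf on a real file, for example check_conf /etc/snort/etc/snort.conf. A "disabled" or "missing" result alongside a non-zero flowbits count is exactly the situation that produces the warning lines in the log above; fixing it is removing the leading "#" from the flow line, as the thread says.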

