Snort mailing list archives

RE: start snort in IDS mode


From: "William Fitzgerald" <wfitzgerald () tssg org>
Date: Thu, 10 Feb 2005 14:22:32 -0000

I wonder if you have the rules directory in the correct place.
You should have:
/opt/snort/etc
/opt/snort/rules

in the snort.conf file:
# Path to your rules files (this can be a relative path)

var RULE_PATH ../rules

This goes up one directory from etc to rules. If you copied the rules to
the etc directory then change the RULE_PATH to reflect this.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Plantier, Spencer
Sent: 10 February 2005 14:17
To: snort-users () lists sourceforge net
Subject: [Snort-users] start snort in IDS mode



I got IDS to start but I got the following output:

opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i hme0
Running in IDS mode
Initializing Network Interface hme0
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface hme0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /opt/snort/etc/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /opt/snort/etc/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
ERROR: /opt/snort/etc/../rules(1) => NULL rule type
Fatal Error, Quitting..
#
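A small checker for the layout William describes, added here as an example and not part of the thread or of Snort itself: it resolves `var RULE_PATH` relative to the directory holding snort.conf (which is why `../rules` only works when etc/ and rules/ are siblings) and reports each `include` that points at a missing file or at a directory rather than a rules file; the quoted error names `/opt/snort/etc/../rules` as the file being parsed, which is the second of those cases. The etc/rules layout and the snort.conf lines in `demo()` are constructed for the example.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')      # var RULE_PATH ../rules
INC_RE = re.compile(r'^\s*include\s+(\S+)')           # include $RULE_PATH/x.rules


def expand_vars(value, variables):
    """Replace $NAME with its defined value; undefined names are left as-is."""
    return re.sub(r'\$(\w+)', lambda m: variables.get(m.group(1), m.group(0)), value)


def check_snort_conf(conf_path):
    """Return (line, resolved_path, problem) for each include Snort cannot read."""
    # Relative paths resolve against the directory holding snort.conf.
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    variables, problems = {}, []
    with open(conf_path) as fh:
        for lineno, line in enumerate(fh, 1):
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = expand_vars(m.group(2), variables)
                continue
            m = INC_RE.match(line)
            if not m:
                continue
            target = expand_vars(m.group(1), variables)
            if not os.path.isabs(target):
                target = os.path.normpath(os.path.join(conf_dir, target))
            if os.path.isdir(target):
                problems.append((lineno, target, "is a directory, not a rules file"))
            elif not os.path.isfile(target):
                problems.append((lineno, target, "does not exist"))
    return problems


def demo():
    """Constructed etc/ + rules/ layout in a temp dir; returns (line, problem) pairs."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "rules"))
        with open(os.path.join(root, "rules", "local.rules"), "w") as fh:
            fh.write("# constructed, empty rules file\n")
        conf = os.path.join(root, "etc", "snort.conf")
        with open(conf, "w") as fh:
            fh.write("var RULE_PATH ../rules\n"
                     "include $RULE_PATH/local.rules\n"     # resolves to a real file
                     "include $RULE_PATH\n"                 # the directory itself
                     "include $RULE_PATH/missing.rules\n")  # rules file never copied
        return [(line, why) for line, _, why in check_snort_conf(conf)]
```

Run `check_snort_conf("/opt/snort/etc/snort.conf")` against a real install to list the includes that would make Snort quit before it ever reaches the rules.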
