Snort mailing list archives
Re: error: log_tcpdump TcpdumpInitlogefile():no error
From: Joel Esler <joel.esler () sourcefire com>
Date: Mon, 18 Sep 2006 13:02:23 -0400
I know this doesn't help your situation, but I am about to get on a plane, and I figured it would help. I would use Snort to log to Unified format. Then get something like barnyard to read the unified file and put it into a db. Bad juju to have Snort logging directly to DB. Joel On Sep 18, 2006, at 12:53 PM, David Lantz wrote:
Sorry to mail twice, I wanted to add some more information. I've read through all the readme files, searched the web and the faq's and haven't found any answer to the error i am receiving. I've seen other similiar posts that didn't get replied to. I cannot tell with which compenent the error is coming from. Is it generated from a failed DB connection? Here is my conf file: #-------------------------------------------------- # http://www.snort.org Snort 2.6.0 config file # Contact: snort-sigs () lists sourceforge net #-------------------------------------------------- # $Id$ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your own custom configuration: # # 1) Set the variables for your network # 2) Configure dynamic loaded libraries # 3) Configure preprocessors # 4) Configure output plugins # 5) Add any runtime config directives # 6) Customize your rule set # ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect your local network. The # variable is currently setup for an RFC 1918 address space. # # You can specify it explicitly as: # var HOME_NET 10.0.0.xx/xx # # or use global variable $<interfacename>_ADDRESS which will be always # initialized to IP address and netmask of the network interface which you run # snort at. Under Windows, this must be specified as # $(<interfacename>_ADDRESS), such as: # $\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS # # var HOME_NET_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: # var HOME_NET any # Set up the external network addresses as well. A good start may be "any" var EXTERNAL_NET any # Configure your server lists. This allows snort to only look for attacks to # systems that have a service up. Why look for HTTP attacks if you are not # running a web server? This allows quick filtering based on IP addresses # These configurations MUST follow the same configuration scheme as defined # above for $HOME_NET. # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # List of snmp servers on your network var SNMP_SERVERS $HOME_NET # Configure your service ports. This allows snort to look for attacks destined # to a specific application only on the ports that application runs on. For # example, if you run a web server on port 8081, set your HTTP_PORTS variable # like this: # # var HTTP_PORTS 8080 # # Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. # We will adding support for a real list of ports in the future. # Ports you run web servers on # # Please note: [80,8080] does not work. # If you wish to define multiple HTTP ports, # ## var HTTP_PORTS 80 ## include somefile.rules ## var HTTP_PORTS 8080 ## include somefile.rules var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # other variables # # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of servers. var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0 / 24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188 .153.0/24,205.188.179.0/24,205.188.248.0/24] # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules var RULE_PATH c:\snort\rules # Configure the snort decoder # ============================ # # Snort's decoder will alert on lots of things such as header # truncation or options of unusual length or infrequently used tcp options # # # Stop generic decode events: # # config disable_decode_alerts # # Stop Alerts on experimental TCP options # # config disable_tcpopt_experimental_alerts # # Stop Alerts on obsolete TCP options # # config disable_tcpopt_obsolete_alerts # # Stop Alerts on T/TCP alerts # # In snort 2.0.1 and above, this only alerts when a TCP option is detected # that shows T/TCP being actively used on the network. If this is normal # behavior for your network, disable the next option. # # config disable_tcpopt_ttcp_alerts # # Stop Alerts on all other TCPOption type events: # # config disable_tcpopt_alerts # # Stop Alerts on invalid ip options # # config disable_ipopt_alerts # Configure the detection engine # =============================== # # Use a different pattern matcher in case you have a machine with very limited # resources: # # config detection: search-method lowmem # Configure Inline Resets # ======================== # # If running an iptables firewall with snort in InlineMode() we can now # perform resets via a physical device. We grab the indev from iptables # and use this for the interface on which to send resets. This config # option takes an argument for the src mac address you want to use in the # reset packet. This way the bridge can remain stealthy. If the src mac # option is not set we use the mac address of the indev device. If we # don't set this option we will default to sending resets via raw socket, # which needs an ipaddress to be assigned to the int. # # config layer2resets: 00:06:76:DD:5F:E3 ################################################### # Step #2: Configure dynamic loaded libraries # # If snort was configured to use dynamically loaded libraries, # those libraries can be loaded here. # # Each of the following configuration options can be done via # the command line as well. # # Load all dynamic preprocessors from the install path # (same as command line option --dynamic-preprocessor-lib-dir) # dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor # # Load a specific dynamic preprocessor library from the install path # (same as command line option --dynamic-preprocessor-lib) # # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/ libdynamicexample.so # # Load a dynamic engine from the install path # (same as command line option --dynamic-engine-lib) # dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll # # Load all dynamic rules libraries from the install path # (same as command line option --dynamic-detection-lib-dir) # #dynamicdetection directory c:\snort\lib\snort_dynamicrule\ # # Load a specific dynamic rule library from the install path # (same as command line option --dynamic-detection-lib) # # dynamicdetection file /usr/local/lib/snort_dynamicrule/ libdynamicexamplerule.so # ################################################### # Step #3: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # Configure Flow tracking module # ------------------------------- # # The Flow tracking module is meant to start unifying the state keeping # mechanisms of snort into a single place. Right now, only a portscan detector # is implemented but in the long term, many of the stateful subsystems of # snort will be migrated over to becoming flow plugins. This must be enabled # for flow-portscan to work correctly. # # See README.flow for additional information # preprocessor flow: stats_interval 0 hash 2 # frag2: IP defragmentation support # ------------------------------- # This preprocessor performs IP defragmentation. This plugin will also detect # people launching fragmentation attacks (usually DoS) against hosts. No # arguments loads the default configuration of the preprocessor, which is a 60 # second timeout and a 4MB fragment buffer. # The following (comma delimited) options are available for frag2 # timeout [seconds] - sets the number of [seconds] that an unfinished # fragment will be kept around waiting for completion, # if this time expires the fragment will be flushed # memcap [bytes] - limit frag2 memory usage to [number] bytes # (default: 4194304) # # min_ttl [number] - minimum ttl to accept # # ttl_limit [number] - difference of ttl to accept without alerting # will cause false positves with router flap # # Frag2 uses Generator ID 113 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Oversized fragment (reassembled frag > 64k bytes) # 2 Teardrop-type attack #preprocessor frag2 # frag3: Target-based IP defragmentation # -------------------------------------- # # Frag3 is a brand new IP defragmentation preprocessor that is capable of # performing "target-based" processing of IP fragments. Check out the # README.frag3 file in the doc directory for more background and configuration # information. # # Frag3 configuration is a two step process, a global initialization phase # followed by the definition of a set of defragmentation engines. # # Global configuration defines the number of fragmented packets that Snort can # track at the same time and gives you options regarding the memory cap for the # subsystem or, optionally, allows you to preallocate all the memory for the # entire frag3 system. # # frag3_global options: # max_frags: Maximum number of frag trackers that may be active at once. # Default value is 8192. # memcap: Maximum amount of memory that frag3 may access at any given time. # Default value is 4MB. # prealloc_frags: Maximum number of individual fragments that may be processed # at once. This is instead of the memcap system, uses static # allocation to increase performance. No default value. Each # preallocated fragment eats ~1550 bytes. # # Target-based behavior is attached to an engine as a "policy" for handling # overlaps and retransmissions as enumerated in the Paxson paper. There are # currently five policy types available: "BSD", "BSD-right", "First", "Linux" # and "Last". Engines can be bound to bound to standard Snort CIDR blocks or # IP lists. # # frag3_engine options: # timeout: Amount of time a fragmented packet may be active before expiring. # Default value is 60 seconds. # ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. # Based on the initial received fragment TTL. # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this # value will be discarded. Default value is 0. # detect_anomalies: Activates frag3's anomaly detection mechanisms. # policy: Target-based policy to assign to this engine. Default is BSD. # bind_to: IP address set to bind this engine to. Default is all hosts. # # Frag3 configuration example: #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144 #preprocessor frag3_engine: policy linux \ # bind_to [10.1.1.12/32,10.1.1.13/32] \ # detect_anomalies #preprocessor frag3_engine: policy first \ # bind_to 10.2.1.0/24 \ # detect_anomalies #preprocessor frag3_engine: policy last \ # bind_to 10.3.1.0/24 #preprocessor frag3_engine: policy bsd preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies # stream4: stateful inspection/stream reassembly for Snort #--------------------------------------------------------------------- - # Use in concert with the -z [all|est] command line switch to defeat stick/snot # against TCP rules. Also performs full TCP stream reassembly, stateful # inspection of TCP streams, etc. Can statefully detect various portscan # types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - turn off the possibly noisy mitigation of # overlapping sequences. # # # min_ttl [number] - set a minium ttl that snort will accept to # stream reassembly # # ttl_limit [number] - differential of the initial ttl on a session versus # the normal that someone may be playing games. # Routing flap may cause lots of false positives. # # keepstats [machine|binary] - keep session statistics, add "machine" to # get them in a flat format for machine reading, add # "binary" to get them in a unified binary output # format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # max_sessions [number] - limit the number of sessions stream4 keeps # track of # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream this option will # cause all packets that are stored in the stream4 # packet buffers to be flushed to disk. This only # works when logging in pcap mode! # server_inspect_limit [bytes] - Byte limit on server side inspection. # # Stream4 uses Generator ID 111 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Stealth activity # 2 Evasive RST packet # 3 Evasive TCP packet retransmission # 4 TCP Window violation # 5 Data on SYN packet # 6 Stealth scan: full XMAS # 7 Stealth scan: SYN-ACK-PSH-URG # 8 Stealth scan: FIN scan # 9 Stealth scan: NULL scan # 10 Stealth scan: NMAP XMAS scan # 11 Stealth scan: Vecna scan # 12 Stealth scan: NMAP fingerprint scan stateful detect # 13 Stealth scan: SYN-FIN scan # 14 TCP forward overlap preprocessor stream4: disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 42, 53, 80, 110, # 111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521, # and 3306 # favor_old - favor an old segment (based on sequence number) over a new one. # This is the default. # favor_new - favor an new segment (based on sequence number) over an old one. # flush_behavior [mode] - # default - use old static flushpoints (default) # large_window - use new larger static flushpoints # random - use random flushpoints defined by flush_base, # flush_seed and flush_range # flush_base [number] - lowest allowed random flushpoint (512 by default) # flush_range [number] - number is the space within which random flushpoints # are generated (default 1213) # flush_seed [number] - seed for the random number generator, defaults to # Snort PID + time # # Using the default random flushpoints, the smallest flushpoint is 512, # and the largest is 1725 bytes. preprocessor stream4_reassemble # Performance Statistics # ---------------------- # Documentation for this is provided in the Snort Manual. You should read it. # It is included in the release distribution as doc/snort_manual.pdf # # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 # http_inspect: normalize and detect HTTP traffic and protocol anomalies # # lots of options available here. See doc/README.http_inspect. # unicode.map should be wherever your snort.conf lives, or given # a full path to where snort can find it. preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 # # Example unique server configuration # #preprocessor http_inspect_server: server 1.1.1.1 \ # ports { 80 3128 8080 } \ # flow_depth 0 \ # ascii no \ # double_decode yes \ # non_rfc_char { 0x00 } \ # chunk_length 500000 \ # non_strict \ # oversize_dir_length 300 \ # no_alerts # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual 4-byte encoding # that is used by default. This plugin takes the port numbers that RPC # services are running on as arguments - it is assumed that the given ports # are actually running this type of service. If not, change the ports or turn # it off. # The RPC decode preprocessor uses generator ID 106 # # arguments: space separated list # alert_fragments - alert on any rpc fragmented TCP data # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet # no_alert_large_fragments - don't alert when the fragmented # sizes exceed the current packet size # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. # # arguments: # syntax: # preprocessor bo: noalert { client | server | general | snort_attack } \ # drop { client | server | general | snort_attack } # example: # preprocessor bo: noalert { general server } drop { snort_attack } # # The Back Orifice detector uses Generator ID 105 and uses the # following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Back Orifice traffic detected # 2 Back Orifice Client Traffic Detected # 3 Back Orifice Server Traffic Detected # 4 Back Orifice Snort Buffer Attack preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp # traffic. It works in much the same way as the http_decode preprocessor, # searching for traffic that breaks up the normal data stream of a protocol and # replacing it with a normalized representation of that traffic so that the # "content" pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. # # DEPRECATED in favor of ftp_telnet dynamic preprocessor #preprocessor telnet_decode # # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow # ---------------------------------------------------------------------- ----- # This preprocessor normalizes telnet negotiation strings from telnet and # ftp traffic. It looks for traffic that breaks the normal data stream # of the protocol, replacing it with a normalized representation of that # traffic so that the "content" pattern matching keyword can work without # requiring modifications. # # It also performs protocol correctness checks for the FTP command channel, # and identifies open FTP data transfers. # # FTPTelnet has numerous options available, please read # README.ftptelnet for help configuring the options for the global # telnet, ftp server, and ftp client sections for the protocol. ##### # Per Step #2, set the following to load the ftptelnet preprocessor # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so> # or use commandline option # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so> preprocessor ftp_telnet: global \ encrypted_traffic yes \ inspection_type stateful preprocessor ftp_telnet_protocol: telnet \ normalize \ ayt_attack_thresh 200 # This is consistent with the FTP rules as of 18 Sept 2004. # CWD can have param length of 200 # MODE has an additional mode of Z (compressed) # Check for string formats in USER & PASS commands # Check nDTM commands that set modification time on the file. preprocessor ftp_telnet_protocol: ftp server default \ def_max_param_len 100 \ alt_max_param_len 200 { CWD } \ cmd_validity MODE < char ASBCZ > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ telnet_cmds yes \ data_chan preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes # smtp: SMTP normalizer, protocol enforcement and buffer overflow # ---------------------------------------------------------------------- ----- # This preprocessor normalizes SMTP commands by removing extraneous spaces. # It looks for overly long command lines, response lines, and data header lines. # It can alert on invalid commands, or specific valid commands. It can optionally # ignore mail data, and can ignore TLS encrypted data. # # It also performs protocol correctness checks for the FTP command channel, # and identifies open FTP data transfers. # # SMTP has numerous options available, please read README.smtp for help # configuring options. ##### # Per Step #2, set the following to load the smtp preprocessor # dynamicpreprocessor <full path to libsf_smtp_preproc.so> # or use commandline option # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so> preprocessor smtp: \ ports { 25 } \ inspection_type stateful \ normalize cmds \ normalize_cmds { EXPN VRFY RCPT } \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN } \ alt_max_command_line_len 255 { EXPN VRFY } # sfPortscan # ---------- # Portscan detection module. Detects various types of portscans and # portsweeps. For more information on detection philosophy, alert types, # and detailed portscan information, please refer to the README.sfportscan. # # -configuration options- # proto { tcp udp icmp ip all } # The arguments to the proto option are the types of protocol scans that # the user wants to detect. Arguments should be separated by spaces and # not commas. # scan_type { portscan portsweep decoy_portscan distributed_portscan all } # The arguments to the scan_type option are the scan types that the # user wants to detect. Arguments should be separated by spaces and not # commas. # sense_level { low|medium|high } # There is only one argument to this option and it is the level of # sensitivity in which to detect portscans. The 'low' sensitivity # detects scans by the common method of looking for response errors, such # as TCP RSTs or ICMP unreachables. This level requires the least # tuning. The 'medium' sensitivity level detects portscans and # filtered portscans (portscans that receive no response). This # sensitivity level usually requires tuning out scan events from NATed # IPs, DNS cache servers, etc. The 'high' sensitivity level has # lower thresholds for portscan detection and a longer time window than # the 'medium' sensitivity level. Requires more tuning and may be noisy # on very active networks. However, this sensitivity levels catches the # most scans. # memcap { positive integer } # The maximum number of bytes to allocate for portscan detection. The # higher this number the more nodes that can be tracked. # logfile { filename } # This option specifies the file to log portscan and detailed portscan # values to. If there is not a leading /, then snort logs to the # configured log directory. Refer to README.sfportscan for details on # the logged values in the logfile. # watch_ip { Snort IP List } # ignore_scanners { Snort IP List } # ignore_scanned { Snort IP List } # These options take a snort IP list as the argument. The 'watch_ip' # option specifies the IP(s) to watch for portscan. The # 'ignore_scanners' option specifies the IP(s) to ignore as scanners. # Note that these hosts are still watched as scanned hosts. The # 'ignore_scanners' option is used to tune alerts from very active # hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option # specifies the IP(s) to ignore as scanned hosts. Note that these hosts # are still watched as scanner hosts. The 'ignore_scanned' option is # used to tune alerts from very active hosts such as syslog servers, etc. # detect_ack_scans # This option will include sessions picked up in midstream by the stream # module, which is necessary to detect ACK scans. However, this can lead to # false alerts, especially under heavy load with dropped packets; which is why # the option is off by default. # preprocessor sfportscan: proto { all } \ memcap { 10000000 } \ sense_level { low } # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. To make use of # this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Unicast ARP request # 2 Etherframe ARP mismatch (src) # 3 Etherframe ARP mismatch (dst) # 4 ARP cache overwrite attack #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 #################################################################### # Step #4: Configure output plugins # # Uncomment and configure the output plugins you decide to use. General # configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also optionally # specify a particular hostname/port. Under Win32, the default hostname is # '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT output alert_syslog: host=localhost:3261, LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: c:\snort\log\tcpdump.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, odbc, user=snort dbname=snort output database: log, mssql, dbname=snortdB user=snortusr password=xxx host=localhost port=3261 # output database: alert, mssql, dbname=snortdB user=snortusr password=xxx host=localhost # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging and generating # alerts from Snort, the "unified" format. The unified format is a straight # binary format for logging data out of Snort that is designed to be fast and # efficient. Used with barnyard (the new alert/log processor), most of the # overhead for logging and alerting to various slow storage mechanisms such as # databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # prelude: log to the Prelude Hybrid IDS system # --------------------------------------------- # # profile = Name of the Prelude profile to use (default is snort). # # Snort priority to IDMEF severity mappings: # high < medium < low < info # # These are the default mapped from classification.config: # info = 4 # low = 3 # medium = 2 # high = anything below medium # # output alert_prelude # output alert_prelude: profile=snort-profile-name # You can optionally define new rule types and associate one or more output # plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog and a mysql # database: # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mssql, user=snortusr password=xxx dbname=snortdB host=localhost } # # EXAMPLE RULE FOR REDALERT RULETYPE: # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ # (msg:"Someone is being LEET"; flags:A+;) # alert tcp any any -> $HOME_NET any (msg:"TCP traffic";) # # Include classification & priority settings # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\etc\classification.config # include c:\snort\etc\classification.config # # Include reference systems # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\etc\reference.config # include c:\snort\etc\reference.config #################################################################### # Step #5: Configure snort with config statements # # See the snort manual for a full set of configuration references # # config flowbits_size: 64 # # New global ignore_ports config option from Andy Mullican # # config ignore_ports: <tcp|udp> <list of ports separated by whitespace> # config ignore_ports: tcp 21 6667:6671 1356 # config ignore_ports: udp 1:17 53 #################################################################### # Step #6: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your own custom snort # rules. #========================================= # Include all relevant rulesets here # # The following rulesets are disabled by default: # # web-attacks, backdoor, shellcode, policy, porn, info, icmp- info, virus, # chat, multimedia, and p2p # # These rules are either site policy specific or require tuning in order to not # generate false positive alerts in most enviornments. # # Please read the specific include file for more information and # README.alert_order for how rule ordering affects how alerts are triggered. #========================================= include $RULE_PATH\local.rules include $RULE_PATH\bad-traffic.rules include $RULE_PATH\exploit.rules include $RULE_PATH\scan.rules include $RULE_PATH\finger.rules include $RULE_PATH\ftp.rules include $RULE_PATH\telnet.rules include $RULE_PATH\rpc.rules include $RULE_PATH\rservices.rules include $RULE_PATH\dos.rules include $RULE_PATH\ddos.rules include $RULE_PATH\dns.rules include $RULE_PATH\tftp.rules include $RULE_PATH\web-cgi.rules include $RULE_PATH\web-coldfusion.rules include $RULE_PATH\web-iis.rules include $RULE_PATH\web-frontpage.rules include $RULE_PATH\web-misc.rules include $RULE_PATH\web-client.rules include $RULE_PATH\web-php.rules include $RULE_PATH\sql.rules include $RULE_PATH\x11.rules include $RULE_PATH\icmp.rules include $RULE_PATH\netbios.rules include $RULE_PATH\misc.rules include $RULE_PATH\attack-responses.rules include $RULE_PATH\oracle.rules include $RULE_PATH\mysql.rules include $RULE_PATH\snmp.rules include $RULE_PATH\smtp.rules include $RULE_PATH\imap.rules include $RULE_PATH\pop2.rules include $RULE_PATH\pop3.rules include $RULE_PATH\nntp.rules include $RULE_PATH\other-ids.rules # include $RULE_PATH/web-attacks.rules # include $RULE_PATH/backdoor.rules # include $RULE_PATH/shellcode.rules # include $RULE_PATH/policy.rules # include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules # include $RULE_PATH/icmp-info.rules # include $RULE_PATH/virus.rules # include $RULE_PATH/chat.rules # include $RULE_PATH/multimedia.rules # include $RULE_PATH/p2p.rules # include $RULE_PATH/spyware-put.rules include $RULE_PATH\experimental.rules # Include any thresholding or suppression commands. See threshold.conf in the # <snort src>/etc directory for details. Commands don't necessarily need to be # contained in this conf, but a separate conf makes it easier to maintain them. # Note for Windows users: You are advised to make this an absolute path, include c:\snort\etc\threshold.conf # Uncomment if needed. # include threshold.conf From: "David Lantz" <becuz1am () hotmail com> To: snort-users () lists sourceforge net Subject: [Snort-users] error: log_tcpdump TcpdumpInitlogefile():no error Date: Sun, 17 Sep 2006 20:12:27 -0400 snort 2.6.01 win32 mssql 2000 on localhost used create_mssql in /schemas for db get the following error... database: SQL Server message 5701, state 2, severity 0: Changed database context to 'snortdB'. Server ''server\database' database: SQL Server message 5701, state 1, severity 0: Changed database context to 'snortdB'. Server 'server\database', Line 1 database: sensor id = 1 database: schema version = 107 database: using the "log" facility ERROR: log_tcpdump TcpdumpInitLogFile(): No error Fatal Error, Quitting...-------------------------------------------------------------------------Using Tomcat but need to do more? Need to support web services,security?Get stuff done quickly with pre-integrated technology to make yourjob easierDownload IBM WebSphere Application Server v.1.0.1 based on ApacheGeronimohttp://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users---------------------------------------------------------------------- --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnk&kid=120709&bid=263057&dat=121642______________________________ _________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
+---------------------------------------------------------------------+ joel esler senior security consultant 1-706-627-2101 Sourcefire Security for the /Real/ World -- http://www.sourcefire.com Snort - Open Source Network IPS/IDS -- http://www.snort.org gpg key: http://demo.sourcefire.com/jesler.pgp.key aim:eslerjoel ymsg:eslerjoel gtalk:eslerj +---------------------------------------------------------------------+ ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- error: log_tcpdump TcpdumpInitlogefile():no error David Lantz (Sep 17)
- Re: error: log_tcpdump TcpdumpInitlogefile():no error David Lantz (Sep 18)
- Re: error: log_tcpdump TcpdumpInitlogefile():no error Joel Esler (Sep 18)
- Re: error: log_tcpdump TcpdumpInitlogefile():no error David Lantz (Sep 18)