Snort mailing list archives
Re: Snort 2.6.1 Stops Logging
From: "Eric J. Feldhusen" <efeldhusen.lists () gmail com>
Date: Wed, 22 Nov 2006 12:37:08 -0500
rmkml wrote:
> do you have compiled snort?
> what version snort binary you have?

I used the snort 2.6.1 and snort 2.6.1-mysql rpms from the snort downloads. The ruleset I used is the non-subscriber current as of November 19th. The OS is rhel4u4, minimum install, fully up to date, with the only other installed rpms being the rrdtool, rrd-devel, perl-rrd, and ntop from Dag's repository, and the webmin 1.300 rpm.

> how bandwidth you have?

The snort box has dual gigabit ethernet interfaces, one for accessing the box via an IP, and the other is in promiscuous mode without an IP. My switch is sending about 16Mbps at peak to the stealth interface; average is about 12Mbps.

> do you use snort inline or only snort on ids mode?

IDS mode

> snort.conf

See attached snortconf

> ps axwwl

see attached snortpsaxwwl

> snort cmd option

see attached snortcmdoption

> your log

I wasn't sure which log here?

> Best Regards Rmkml

--
Eric Feldhusen
Network Administrator
http://www.remc1.org
eric () remc1 org
PO Box 270, 809 Hecla St, Hancock, MI 49930
(906) 482-4520 x239
(906) 482-5031 fax
(906) 370 6202 mobile

--- attachment: snortconf ---
var HOME_NET [10.0.0.0/8,172.0.0.0/8]
var EXTERNAL_NET any
var DNS_SERVERS [172.16.100.10/32,10.2.100.10/32]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS [172.17.136.53/32]
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
# config detection: search-method lowmem
# config layer2resets: 00:06:76:DD:5F:E3
dynamicpreprocessor directory /usr/lib/snort-2.6.1_dynamicpreprocessor/
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
dynamicengine /usr/lib/snort-2.6.1_dynamicengine/libsf_engine.so
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
preprocessor flow: stats_interval 0 hash 2
#preprocessor frag2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
# preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#preprocessor ssh: server_ports { 22 } \
# max_client_bytes 19600 \
# max_encrypted_packets 20
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
# output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=changedforlists dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
# output alert_prelude
# output alert_prelude: profile=snort-profile-name
include classification.config
include reference.config
#include $RULE_PATH/local.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/spyware-put.rules
# include $RULE_PATH/experimental.rules
include threshold.conf

--- attachment: snortpsaxwwl ---
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 1 0 16 0 2876 552 - S ? 0:01 init [3]
1 0 2 1 -100 - 0 0 migrat S ? 0:00 [migration/0]
1 0 3 1 34 19 0 0 ksofti SN ? 0:00 [ksoftirqd/0]
1 0 4 1 -100 - 0 0 migrat S ? 0:00 [migration/1]
1 0 5 1 34 19 0 0 ksofti SN ? 0:00 [ksoftirqd/1]
1 0 6 1 -100 - 0 0 migrat S ? 0:00 [migration/2]
1 0 7 1 34 19 0 0 ksofti SN ? 0:00 [ksoftirqd/2]
1 0 8 1 -100 - 0 0 migrat S ? 0:03 [migration/3]
1 0 9 1 34 19 0 0 ksofti SN ? 0:00 [ksoftirqd/3]
1 0 10 1 5 -10 0 0 worker S< ? 0:00 [events/0]
1 0 11 1 5 -10 0 0 worker S< ? 0:00 [events/1]
1 0 12 1 5 -10 0 0 worker S< ? 0:00 [events/2]
1 0 13 1 5 -10 0 0 worker S< ? 0:00 [events/3]
1 0 14 10 7 -10 0 0 worker S< ? 0:00 [khelper]
1 0 15 10 15 -10 0 0 worker S< ? 0:00 [kacpid]
1 0 30 10 5 -10 0 0 worker S< ? 0:00 [kblockd/0]
1 0 31 10 5 -10 0 0 worker S< ? 0:00 [kblockd/1]
1 0 32 10 5 -10 0 0 worker S< ? 0:00 [kblockd/2]
1 0 33 10 5 -10 0 0 worker S< ? 0:00 [kblockd/3]
1 0 54 10 10 -10 0 0 worker S< ? 0:00 [aio/0]
1 0 55 10 5 -10 0 0 worker S< ? 0:00 [aio/1]
1 0 56 10 5 -10 0 0 worker S< ? 0:00 [aio/2]
1 0 57 10 10 -10 0 0 worker S< ? 0:00 [aio/3]
1 0 34 1 15 0 0 0 hub_th S ? 0:00 [khubd]
1 0 53 1 15 0 0 0 kswapd S ? 0:00 [kswapd0]
1 0 201 1 25 0 0 0 serio_ S ? 0:00 [kseriod]
1 0 331 1 15 0 0 0 kjourn S ? 0:25 [kjournald]
4 0 1356 1 6 -10 2760 464 - S<s ? 0:00 udevd
1 0 1545 10 6 -10 0 0 kaudit S< ? 0:00 [kauditd]
1 0 1626 10 8 -10 0 0 worker S< ? 0:00 [kmirrord]
1 0 1646 1 15 0 0 0 kjourn S ? 0:00 [kjournald]
5 0 2383 1 16 0 1852 548 - Ss ? 0:09 syslogd -m 0
5 0 2387 1 16 0 1780 384 syslog Ss ? 0:00 klogd -x
5 0 2397 1 16 0 1708 300 - Ss ? 0:00 irqbalance
1 0 2427 1 16 0 6016 344 - Ss ? 0:00 rpc.idmapd
5 0 2486 1 18 0 1516 436 - Ss ? 0:00 /usr/sbin/acpid
5 0 2495 1 15 0 4744 1020 - Ss ? 0:00 /usr/sbin/sshd
5 0 2508 1 18 0 3012 756 - Ss ? 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
5 0 2672 1 16 0 8168 2024 - Ss ? 0:00 sendmail: accepting connections
1 51 2680 1 16 0 8500 1628 pause Ss ? 0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
5 0 2690 1 16 0 2068 360 - Ss ? 0:00 gpm -m /dev/input/mice -t imps2
5 0 2700 1 16 0 15788 5576 - Ss ? 0:01 /usr/sbin/httpd
5 0 2709 1 15 0 5192 928 - Ss ? 0:00 crond
5 48 2718 2700 15 0 22944 10840 semtim S ? 0:27 /usr/sbin/httpd
5 48 2719 2700 15 0 23056 11496 semtim S ? 0:42 /usr/sbin/httpd
5 48 2720 2700 15 0 22860 10732 semtim S ? 1:39 /usr/sbin/httpd
5 48 2721 2700 15 0 22920 10752 semtim S ? 4:54 /usr/sbin/httpd
5 48 2722 2700 16 0 23032 10952 - S ? 0:29 /usr/sbin/httpd
5 48 2723 2700 15 0 22924 10804 semtim S ? 4:00 /usr/sbin/httpd
5 48 2724 2700 15 0 23020 10848 semtim S ? 3:27 /usr/sbin/httpd
5 48 2725 2700 15 0 23016 10868 semtim S ? 0:35 /usr/sbin/httpd
5 0 2743 1 16 0 3044 420 - Ss ? 0:00 /usr/sbin/atd
5 81 2752 1 15 0 3740 956 - Ss ? 0:00 dbus-daemon-1 --system
5 0 2763 1 16 0 5508 296 - Ss ? 0:00 rhnsd --interval 240
5 0 2775 1 16 0 7344 4132 - Ss ? 0:33 hald
5 0 2839 1 16 0 9828 5824 - Ss ? 0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
4 0 2843 1 18 0 2908 412 - Ss+ tty1 0:00 /sbin/mingetty tty1
4 0 2844 1 18 0 2724 412 - Ss+ tty2 0:00 /sbin/mingetty tty2
4 0 2845 1 18 0 2132 412 - Ss+ tty3 0:00 /sbin/mingetty tty3
4 0 2846 1 18 0 2532 412 - Ss+ tty4 0:00 /sbin/mingetty tty4
4 0 2847 1 18 0 2732 412 - Ss+ tty5 0:00 /sbin/mingetty tty5
4 0 2848 1 18 0 1484 412 - Ss+ tty6 0:00 /sbin/mingetty tty6
1 0 26700 13 15 0 0 0 pdflus S ? 0:00 [pdflush]
1 0 27045 13 15 0 0 0 pdflus S ? 0:03 [pdflush]
5 100 32745 1 16 0 138200 44048 - Ssl ? 178:36 ntop -d -L @/etc/ntop.conf
4 0 16774 2495 17 0 8320 2408 - Ss ? 0:00 sshd: eric [priv]
5 500 16776 16774 15 0 8488 1648 - S ? 0:09 sshd: eric@pts/0
0 500 16777 16776 15 0 5364 1408 wait Ss pts/0 0:00 -bash
4 0 16803 16777 15 0 4536 1468 wait S pts/0 0:00 /bin/bash
4 0 17044 1 25 0 4380 1252 wait S pts/0 0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
4 27 17077 17044 16 0 128816 27124 - Sl pts/0 12:24 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
5 503 17801 1 15 0 52780 9380 - Ss ? 0:06 /usr/sbin/snort -b -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
4 0 17834 16803 16 0 2540 652 - R+ pts/0 0:00 ps axwwl

--- attachment: snortcmdoption ---
Running in IDS mode with inferred config file: ./snort.conf
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 24 chars, value = [10.0.0.0/8,172.0.0.0/8]
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 33 chars, value = [172.16.100.10/32,10.2.100.10/32]
Var 'SMTP_SERVERS' defined, value len = 24 chars, value = [10.0.0.0/8,172.0.0.0/8]
Var 'HTTP_SERVERS' defined, value len = 24 chars, value = [10.0.0.0/8,172.0.0.0/8]
Var 'SQL_SERVERS' defined, value len = 24 chars, value = [10.0.0.0/8,172.0.0.0/8]
Var 'TELNET_SERVERS' defined, value len = 24 chars, value = [10.0.0.0/8,172.0.0.0/8]
Var 'SNMP_SERVERS' defined, value len = 18 chars, value = [172.17.136.53/32]
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars, value = [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING ./snort.conf(438) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
WARNING ./snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: ./unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| gen-id=1 sig-id=1411 tracking=srcip=172.17.136.53 mask=255.255.255.255
| gen-id=1 sig-id=1411 tracking=srcip=172.17.136.75 mask=255.255.255.255
| gen-id=1 sig-id=1432 tracking=srcip=172.0.0.0 mask=255.0.0.0
| gen-id=1 sig-id=1432 tracking=srcip=172.0.0.0 mask=255.0.0.0
| gen-id=1 sig-id=556 tracking=srcip=10.0.0.0 mask=255.0.0.0
| gen-id=1 sig-id=556 tracking=srcip=10.0.0.0 mask=255.0.0.0
| gen-id=1 sig-id=1417 tracking=srcip=172.17.136.53 mask=255.255.255.255
| gen-id=1 sig-id=1417 tracking=srcip=172.17.136.75 mask=255.255.255.255
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/lib/snort-2.6.1_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort-2.6.1_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort-2.6.1_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort-2.6.1_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort-2.6.1_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
0 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
syntax error
PCAP command: cmd option
Fatal Error, Quitting..
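An added configuration check, written for this thread and not part of the post or of Snort itself: it parses a snort.conf laid out like the attached one and reports the three conditions the startup output above makes visible (0 rules read because every $RULE_PATH include is commented out, a HOME_NET that takes in the public 172.0.0.0/8 rather than 172.16.0.0/12, and stream4_reassemble declared twice so the second declaration replaces the first). The set of single-declaration preprocessors and the sample config are assumptions built from this page.

```python
"""Lint a Snort 2.x snort.conf for what the attached startup output exposes: no
active $RULE_PATH include ("0 Snort rules read"), a HOME_NET wider than RFC 1918
(172.0.0.0/8 vs 172.16.0.0/12), and stream4_reassemble declared twice. Added example."""
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Preprocessors that take one global declaration in Snort 2.6 (assumption).
SINGLE_DECL = {"flow", "frag3_global", "stream4", "stream4_reassemble",
               "http_inspect", "sfportscan"}

# Constructed sample mirroring the posted snort.conf, trimmed to the relevant lines.
SAMPLE_CONF = """\
var HOME_NET [10.0.0.0/8,172.0.0.0/8]
var RULE_PATH /etc/snort/rules
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor stream4_reassemble: both,ports 21 23 25 53 80
preprocessor ftp_telnet_protocol: telnet \\
    normalize
preprocessor ftp_telnet_protocol: ftp server default
include classification.config
#include $RULE_PATH/local.rules
#include $RULE_PATH/web-misc.rules
"""

def parse_conf(text):
    """Return (variables, active includes, preprocessor names) from conf text."""
    variables, includes, preprocs = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                variables[parts[1]] = parts[2]
        elif line.startswith("include "):
            includes.append(line.split(None, 1)[1])
        elif line.startswith("preprocessor "):
            preprocs.append(line.split()[1].rstrip(":"))
    return variables, includes, preprocs

def lint(text):
    """Return human-readable findings; an empty list means the checks passed."""
    variables, includes, preprocs = parse_conf(text)
    findings = []
    if not any(i.endswith(".rules") for i in includes):
        findings.append("no active .rules include: Snort will read 0 rules")
    for cidr in re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", variables.get("HOME_NET", "")):
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"HOME_NET {cidr} is not inside RFC 1918 space")
    for name, count in Counter(preprocs).items():
        if name in SINGLE_DECL and count > 1:
            findings.append(f"preprocessor {name} declared {count} times")
    return findings
```

Run `lint(open("/etc/snort/snort.conf").read())` against a real config; the same three findings on the attached file would explain "0 Snort rules read..." before looking at the database output plugin at all.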