Snort mailing list archives

Re: Trying to troubleshoot snort install.


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Wed, 3 Feb 2010 10:13:20 -0500

Did you tell snort you want to use the preproc and decoder rules?  I don't
see the rules included in your pasted conf.  You have to first enable the
use of this feature with:

./configure --enable-decoder-preprocessor-rules

Then add the rules files from here:

src/snort-2.8.5.1/preproc_rules/decoder.rules
src/snort-2.8.5.1/preproc_rules/preprocessor.rules

Cheers,
-matt

On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman () cymtec com> wrote:

Can someone point me in the right direction please? I'm trying to figure
out if I'm chasing my tail here. Basically when I start snort I tail syslog
and see this.



Feb  2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
Feb  2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Doesn't that tell me that it's not loading any of the preprocessor,
decoder, or dynamic rules?

Here is more from syslog where it says it is loading them, I thought.

Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor
Here's my snort.conf
var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 10.27.1.2
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH  /snort/conf
var SORULE_PATH /snort/conf/so_rules
#config detection: search-method ac
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
dynamicdetection directory /snort_lib/snort_dynamicrules
dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
dynamicengine directory /snort_lib/snort_dynamicengine
config flowbits_size: 256
include classification.config
include reference.config
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules
#include $RULE_PATH/so.rules
include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/imap.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/multimedia.rules
include $SORULE_PATH/netbios.rules
include $SORULE_PATH/nntp.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/smtp.rules
include $SORULE_PATH/sql.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         sense_level { medium }
preprocessor perfmonitor: \
time 30 events flow max console pktcnt 10000
preprocessor arpspoof
preprocessor dcerpc2
#preprocessor ssl: noinspect_encrypted
output queue: /var/log/snort/queue/ /snort/conf/sidfile
#output alert_syslog: LOG_AUTH LOG_ALERT

Thanks,

Andy Berryman
Cymtec Systems
support () cymtec com
-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
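As an added check (example code written for this archive page, not from the thread, from Snort or from Sourcefire): it parses the per-class rule counts Snort logs while initialising rule chains, in the format of the syslog excerpt quoted above, and the active include lines of snort.conf, so that after rebuilding with --enable-decoder-preprocessor-rules you can confirm decoder and preprocessor rules really loaded. The embedded log and conf samples are constructed to mirror the paste; the $RULE_PATH/preproc_rules include path is an assumed layout, not one the thread states.

```python
"""Check a Snort 2.8.x startup log and snort.conf for decoder/preprocessor rules."""
import re

# Snort logs one line per rule class while initialising rule chains, e.g.
# "Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules"
RULE_COUNT_RE = re.compile(
    r"snort\[\d+\]:\s+(\d+)\s+(detection|decoder|preprocessor|Dynamic)\s+rules")
# An active (uncommented) include of decoder.rules or preprocessor.rules
INCLUDE_RE = re.compile(
    r"^\s*include\s+(?:\S*/)?(decoder|preprocessor)\.rules\s*$", re.M)


def parse_rule_counts(log_text):
    """Map rule class -> count, e.g. {'detection': 5866, 'decoder': 0, ...}."""
    return {m.group(2).lower(): int(m.group(1))
            for m in RULE_COUNT_RE.finditer(log_text)}


def missing_rule_classes(counts):
    """Rule classes from the thread that loaded zero rules (or never appeared)."""
    return sorted(k for k in ("decoder", "preprocessor") if counts.get(k, 0) == 0)


def included_preproc_rules(conf_text):
    """Which of decoder.rules / preprocessor.rules snort.conf actually includes."""
    return set(INCLUDE_RE.findall(conf_text))


def diagnose(log_text, conf_text):
    """Return human-readable findings; an empty list means both classes are active."""
    findings = ["startup log shows 0 %s rules loaded" % cls
                for cls in missing_rule_classes(parse_rule_counts(log_text))]
    present = included_preproc_rules(conf_text)
    findings += ["snort.conf has no active include of %s.rules" % cls
                 for cls in ("decoder", "preprocessor") if cls not in present]
    return findings


# Constructed samples shaped like the syslog excerpt and snort.conf quoted above.
SAMPLE_LOG = """\
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
"""
SAMPLE_CONF = """\
var RULE_PATH  /snort/conf
include $RULE_PATH/local.rules
#include $RULE_PATH/preproc_rules/decoder.rules
"""

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG, SAMPLE_CONF) or ["no problems found"]))
```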
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users