Snort mailing list archives
Re: Trying to troubleshoot snort install.
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Wed, 3 Feb 2010 10:13:20 -0500
Did you tell snort you want to use the preproc and decoder rules? I don't see the rules included in your pasted conf.

You have to first enable the use of this feature with:

./configure --enable-decoder-preprocessor-rules

Then add the rules files from here:

src/snort-2.8.5.1/preproc_rules/decoder.rules
src/snort-2.8.5.1/preproc_rules/preprocessor.rules

Cheers,
-matt

On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman () cymtec com> wrote:
Can someone point me in the right direction please? I'm trying to figure out if I'm chasing my tail here. Basically when I start snort I tail syslog and see this.

Feb 2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb 2 21:26:59 (none) snort[19257]: Initializing rule chains...
Feb 2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb 2 21:27:15 (none) snort[19257]: 5866 detection rules
Feb 2 21:27:15 (none) snort[19257]: 0 decoder rules
Feb 2 21:27:15 (none) snort[19257]: 0 preprocessor rules
Feb 2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
Feb 2 21:27:15 (none) snort[19257]: 0 Dynamic rules
Feb 2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Doesn't that tell me that it's not loading any of the preprocessor, decoder, or dynamic rules? Here is more from syslog where it says it is loading them, I thought.

Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
Feb 2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
Feb 2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
Feb 2 21:30:14 (none) snort[19434]: done
Feb 2 21:30:14 (none) snort[19434]: Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor

Here's my snort.conf:

var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 10.27.1.2
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [ 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24 ]
var RULE_PATH /snort/conf
var SORULE_PATH /snort/conf/so_rules
#config detection: search-method ac
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
dynamicdetection directory /snort_lib/snort_dynamicrules
dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
dynamicengine directory /snort_lib/snort_dynamicengine
config flowbits_size: 256
include classification.config
include reference.config
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules
#include $RULE_PATH/so.rules
include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/imap.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/multimedia.rules
include $SORULE_PATH/netbios.rules
include $SORULE_PATH/nntp.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/smtp.rules
include $SORULE_PATH/sql.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto { all } \
scan_type { all } \
memcap { 10000000 } \
sense_level { medium }
preprocessor perfmonitor: \
time 30 events flow max console pktcnt 10000
preprocessor arpspoof
preprocessor dcerpc2
#preprocessor ssl: noinspect_encrypted
output queue: /var/log/snort/queue/ /snort/conf/sidfile
#output alert_syslog: LOG_AUTH LOG_ALERT

Thanks,
Andy Berryman
Cymtec Systems
support () cymtec com

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experienced hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
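Matt's diagnosis rests on two observations: the startup banner reports "0 decoder rules" and "0 preprocessor rules", and the pasted snort.conf never includes decoder.rules or preprocessor.rules. The script below is an added example, not code from the thread or from the Snort project: it parses the rule-count lines Snort 2.8.x writes at startup, checks a conf for the two include lines, and prints which of Matt's two steps (the configure flag, the includes) is still missing. The log lines and conf fragments are constructed, modelled on the ones Andy pasted; the non-zero counts in the "good" sample are illustrative, not figures from any release. The variable name PREPROC_RULE_PATH and the directory /snort/conf/preproc_rules are assumptions (the name follows the stock 2.8 snort.conf; the directory is wherever the files from src/snort-2.8.5.1/preproc_rules/ get copied).

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): detect the
# "0 decoder rules / 0 preprocessor rules" condition in Snort 2.8.x startup
# output and check snort.conf for the two includes Matt points at.

# Constructed: the rule-count block from Andy's syslog.
SAMPLE_LOG_BAD='Feb 2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb 2 21:27:15 (none) snort[19257]: 5866 detection rules
Feb 2 21:27:15 (none) snort[19257]: 0 decoder rules
Feb 2 21:27:15 (none) snort[19257]: 0 preprocessor rules
Feb 2 21:27:15 (none) snort[19257]: 0 Dynamic rules'

# Constructed: the same block once both rule files load (counts illustrative).
SAMPLE_LOG_GOOD='Feb 3 09:00:00 (none) snort[20001]: 5946 Snort rules read
Feb 3 09:00:00 (none) snort[20001]: 5866 detection rules
Feb 3 09:00:00 (none) snort[20001]: 27 decoder rules
Feb 3 09:00:00 (none) snort[20001]: 53 preprocessor rules
Feb 3 09:00:00 (none) snort[20001]: 0 Dynamic rules'

# Constructed: the include section of Andy's conf before the fix ...
SAMPLE_CONF_BEFORE='var RULE_PATH /snort/conf
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules'

# ... and after it. PREPROC_RULE_PATH and /snort/conf/preproc_rules are
# assumptions: copy decoder.rules and preprocessor.rules there first.
SAMPLE_CONF_AFTER="$SAMPLE_CONF_BEFORE
var PREPROC_RULE_PATH /snort/conf/preproc_rules
include \$PREPROC_RULE_PATH/preprocessor.rules
include \$PREPROC_RULE_PATH/decoder.rules"

# rule_count KIND LOGTEXT: print the number Snort reported on its
# "<n> KIND rules" line, or nothing if no such line is present.
rule_count() {
    printf '%s\n' "$2" \
        | sed -n "s/.*snort\[[0-9]*\]: \([0-9][0-9]*\) $1 rules.*/\1/p" \
        | head -n 1
}

# preproc_rules_loaded LOGTEXT: 0 when both decoder and preprocessor counts
# are present and non-zero, 1 when either is zero, 2 when the lines are absent.
preproc_rules_loaded() {
    d=$(rule_count decoder "$1")
    p=$(rule_count preprocessor "$1")
    [ -n "$d" ] && [ -n "$p" ] || return 2
    [ "$d" -gt 0 ] && [ "$p" -gt 0 ]
}

# conf_includes_preproc_rules CONFTEXT: 0 only if decoder.rules and
# preprocessor.rules are both included on uncommented lines.
conf_includes_preproc_rules() {
    for f in decoder preprocessor; do
        printf '%s\n' "$1" \
            | grep -Eq "^[[:space:]]*include[[:space:]].*${f}\\.rules" || return 1
    done
}

# diagnose LOGTEXT CONFTEXT: one-line verdict following Matt's two-step fix.
diagnose() {
    if preproc_rules_loaded "$1"; then
        echo "ok: decoder and preprocessor rules are loaded"
    elif conf_includes_preproc_rules "$2"; then
        echo "includes present but counts are 0: rebuild with ./configure --enable-decoder-preprocessor-rules"
    else
        echo "snort.conf lacks decoder.rules/preprocessor.rules includes: add them (and build with --enable-decoder-preprocessor-rules)"
    fi
}

diagnose "$SAMPLE_LOG_BAD" "$SAMPLE_CONF_BEFORE"
diagnose "$SAMPLE_LOG_GOOD" "$SAMPLE_CONF_AFTER"
```

To use it against a live box, feed `snort -T -c /snort/conf/snort.conf` output (or the syslog excerpt) as the first argument and the conf file contents as the second. One further line in the pasted conf is worth a look for the same reason: `config disable_decode_alerts`, which the Snort manual documents as turning off the alerts generated by the decode phase, so leaving it in place works against the goal of seeing decoder events.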
Current thread:
- Trying to troubleshoot snort install. Andy Berryman (Feb 02)
- Re: Trying to troubleshoot snort install. Matt Watchinski (Feb 03)
- Re: Trying to troubleshoot snort install. Nigel Houghton (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Matt Watchinski (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Jason Wallace (Feb 03)
- Re: Trying to troubleshoot snort install. Andy Berryman (Feb 03)
- Re: Trying to troubleshoot snort install. Nigel Houghton (Feb 03)
- Re: Trying to troubleshoot snort install. Matt Watchinski (Feb 03)