Snort mailing list archives

Snort doesn't produce alerts----WARNING: normalizations disabled because DAQ can't replace packets.


From: Jun Wan <junwei_wan () hotmail com>
Date: Sat, 22 Jan 2011 00:35:19 +0000


Dear list,
 

I am having some issue with Snort 2.9.0.3 and Snort Report 1.3.1 (our live Snort box), Snort and Barnyard2 seem to 
start okay and then  Snort doesn’t show any alerts after I use the following:
 
sudo /usr/local/snort/bin/snort  -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console
 
I am unable to figure out why Snort doesn’t sense and produce any alerts (I tested by using Nessus). 
Would you please give me some direction?
 
Any information and help would be much appreciated.
 
Please see the following:
 
jwan@CarSnort1:~$ sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G 
/usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w 
/var/log/snort/barnyard2.waldo
 

Running in Continuous mode
        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/snort/etc/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = root
database:  database name = snort
database:    sensor name = localhost:eth1
database:      sensor id = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility
        --== Initialization Complete ==--
  ______   -*> Barnyard2 <*-
/ ,,_  \  Version 2.1.8 (Build 251)
|o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' +  (C) Copyright 2008-2010 SecurixLive.
           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1295622177
    record_idx      = 4
Opened spool file '/var/log/snort/snort.u2.1295622177'
Closing spool file '/var/log/snort/snort.u2.1295622177'. Read 4 records
Opened spool file '/var/log/snort/snort.u2.1295653699'
Waiting for new data
 
 
 
Snort starts okay!?
...
...
Warning: flowbits key 'http.ttf' is set but not ever checked.
Warning: flowbits key 'qualcom.worldmail.ok' is checked but not ever set.
392 out of 1024 flowbits in use.
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 422
|     1 byte states : 408
|     2 byte states : 14
|     4 byte states : 0
| Characters        : 106643
| States            : 81000
| Transitions       : 5883668
| State Density     : 28.4%
| Patterns          : 6156
| Match States      : 5695
| Memory (MB)       : 39.67
|   Patterns        : 0.49
|   Match Lists     : 0.73
|   DFA
|     1 byte states : 2.19
|     2 byte states : 35.83
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1171 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Reload thread starting...
Reload thread started, thread 0xb47c1b70 (1132)
Decoding Ethernet
Set gid to 1001
Set uid to 1001
WARNING: normalizations disabled because DAQ can't replace packets.

 
        --== Initialization Complete ==--
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3.3
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.13  <Build 18>
           Rules Object: snmp  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: web-iis  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: icmp  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: specific-threats  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: pop3  Version 1.0  <Build 1>
           Rules Object: sql  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
Commencing packet processing (pid=1020)
 
 
sudo ps -ax
 
jwan@CarSnort1:~$ sudo ps -ax
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 /sbin/init
    2 ?        S      0:00 [kthreadd]
    3 ?        S      0:00 [migration/0]
    4 ?        S      0:00 [ksoftirqd/0]
    5 ?        S      0:00 [watchdog/0]
    6 ?        S      0:00 [events/0]
    7 ?        S      0:00 [cpuset]
    8 ?        S      0:00 [khelper]
    9 ?        S      0:00 [netns]
   10 ?        S      0:00 [async/mgr]
   11 ?        S      0:00 [pm]
   12 ?        S      0:00 [sync_supers]
   13 ?        S      0:00 [bdi-default]
   14 ?        S      0:00 [kintegrityd/0]
   15 ?        S      0:00 [kblockd/0]
   16 ?        S      0:00 [kacpid]
   17 ?        S      0:00 [kacpi_notify]
   18 ?        S      0:00 [kacpi_hotplug]
   19 ?        S      0:00 [ata/0]
   20 ?        S      0:00 [ata_aux]
   21 ?        S      0:00 [ksuspend_usbd]
   22 ?        S      0:00 [khubd]
   23 ?        S      0:00 [kseriod]
   24 ?        S      0:00 [kmmcd]
   27 ?        S      0:00 [khungtaskd]
   28 ?        S      0:00 [kswapd0]
   29 ?        SN     0:00 [ksmd]
   30 ?        S      0:00 [aio/0]
   31 ?        S      0:00 [ecryptfs-kthrea]
   32 ?        S      0:00 [crypto/0]
   36 ?        S      0:00 [scsi_eh_0]
   37 ?        S      0:00 [scsi_eh_1]
   40 ?        S      0:00 [kstriped]
   41 ?        S      0:00 [kmpathd/0]
   42 ?        S      0:00 [kmpath_handlerd]
   43 ?        S      0:00 [ksnapd]
   44 ?        S      0:00 [kondemand/0]
   45 ?        S      0:00 [kconservative/0]
  178 ?        S      0:00 [usbhid_resumer]
  187 ?        S      0:00 [jbd2/sda1-8]
  188 ?        S      0:00 [ext4-dio-unwrit]
  219 ?        S      0:00 [flush-8:0]
  248 ?        S      0:00 upstart-udev-bridge --daemon
  250 ?        S<s    0:00 udevd --daemon
  381 ?        S<     0:00 udevd --daemon
  382 ?        S<     0:00 udevd --daemon
  389 ?        S      0:00 [kpsmoused]
  468 ?        S      0:00 [i915]
  531 ?        Sl     0:00 rsyslogd -c4
  572 ?        Ss     0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1
  604 tty4     Ss+    0:00 /sbin/getty -8 38400 tty4
  607 tty5     Ss+    0:00 /sbin/getty -8 38400 tty5
  612 tty2     Ss+    0:00 /sbin/getty -8 38400 tty2
  614 tty3     Ss+    0:00 /sbin/getty -8 38400 tty3
  620 tty6     Ss+    0:00 /sbin/getty -8 38400 tty6
  630 ?        Ss     0:00 atd
  631 ?        Ss     0:00 cron
  688 ?        Ssl    0:00 /usr/sbin/mysqld
  694 ?        Ss     0:00 /usr/sbin/apache2 -k start
  703 ?        S      0:00 /usr/sbin/apache2 -k start
  704 ?        S      0:00 /usr/sbin/apache2 -k start
  705 ?        S      0:00 /usr/sbin/apache2 -k start
  706 ?        S      0:00 /usr/sbin/apache2 -k start
  707 ?        S      0:00 /usr/sbin/apache2 -k start
  800 ?        Ssl    0:00 /usr/local/snort/bin/snort -D -u snort -g snort -c /u
  803 ?        Ss     0:00 sshd: jwan [priv]
  872 ?        S      0:00 sshd: jwan@pts/1
  873 pts/1    Ss     0:00 -bash
  893 ?        Ss     0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0
  910 ?        Ss     0:00 /usr/sbin/sshd
  921 ?        Ss     0:00 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barn
  923 tty1     Ss+    0:00 /sbin/getty -8 38400 tty1
  926 ?        S      0:00 /usr/sbin/apache2 -k start
  927 pts/1    S+     0:56 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barn
  935 ?        Ss     0:00 sshd: jwan [priv]
1004 ?        S      0:00 sshd: jwan@pts/0
1005 pts/0    Ss     0:00 -bash
1028 pts/0    R+     0:00 ps -ax                                          
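Barnyard2 reports that it read 4 records from the snort.u2 spool and is now "Waiting for new data", but that alone does not show whether any of those records were alert events rather than packet or extra-data records. The following Python script is an added example, not part of the original post: it walks the unified2 record headers (type numbers as defined in Snort's Unified2_common.h) and lists the gid/sid/rev of each alert event, so one can check the spool directly instead of relying on the console output. It runs on a constructed sample spool when no file path is given.

```python
import struct
from collections import Counter

# Unified2 record types as defined in Snort's Unified2_common.h.  Every event
# type starts with the same seven uint32 fields, so gid/sid/rev can be read
# without caring whether the event is IPv4, IPv6 or the VLAN-tagged variant.
U2_PACKET = 2
U2_EVENT_TYPES = {7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                  104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN"}
HEADER = struct.Struct("!II")        # record type, record length (big-endian)
EVENT_PREFIX = struct.Struct("!7I")  # sensor_id, event_id, sec, usec, sid, gid, rev

def read_records(data: bytes):
    """Yield (type, payload) per record; stop quietly at a truncated tail,
    which is normal for a spool file Snort is still appending to."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            break
        yield rtype, data[off:off + length]
        off += length

def summarize(data: bytes) -> dict:
    """Count records by type and collect (gid, sid, rev) for each alert event."""
    counts, alerts = Counter(), []
    for rtype, payload in read_records(data):
        counts[rtype] += 1
        if rtype in U2_EVENT_TYPES and len(payload) >= EVENT_PREFIX.size:
            _, _, _, _, sid, gid, rev = EVENT_PREFIX.unpack_from(payload, 0)
            alerts.append((gid, sid, rev))
    return {"records": sum(counts.values()), "by_type": dict(counts),
            "alerts": alerts}

def build_sample_spool() -> bytes:
    """Constructed sample spool: one IDS_EVENT for gid 1 / sid 1000001, the
    matching packet record, and a half-written header at the end."""
    sec = 1295653699
    event = EVENT_PREFIX.pack(1, 1, sec, 0, 1000001, 1, 1) + bytes(52 - EVENT_PREFIX.size)
    # Unified2Packet: sensor_id, event_id, event_second, packet_second,
    # packet_microsecond, linktype (1 = Ethernet), packet_length, then the bytes.
    packet = struct.pack("!7I", 1, 1, sec, sec, 0, 1, 60) + bytes(60)
    return (HEADER.pack(7, len(event)) + event +
            HEADER.pack(U2_PACKET, len(packet)) + packet + b"\x00\x00")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_spool()
    print(summarize(data))
```

Run it as `python u2check.py /var/log/snort/snort.u2.1295653699`; an empty `alerts` list with a non-zero record count means Snort is writing to the spool but no rule has fired.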