Snort mailing list archives
Snort doesn't produce alerts----WARNING: normalizations disabled because DAQ can't replace packets.
From: Jun Wan <junwei_wan () hotmail com>
Date: Sat, 22 Jan 2011 00:35:19 +0000
Dear list,

I am having some issue with Snort 2.9.0.3 and Snort Report 1.3.1 (our live Snort box). Snort and Barnyard2 seem to start okay and then Snort doesn't show any alerts after I use the following:

sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console

I am unable to figure out the reason why Snort doesn't sense and produce any alerts (I tested by using Nessus). Would you please give some direction? Any information and help would be much appreciated.

Please see the following:

jwan@CarSnort1:~$ sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/snort/etc/barnyard2.conf"
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = root
database: database name = snort
database: sensor name = localhost:eth1
database: sensor id = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.8 (Build 251)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1295622177
    record_idx      = 4
Opened spool file '/var/log/snort/snort.u2.1295622177'
Closing spool file '/var/log/snort/snort.u2.1295622177'. Read 4 records
Opened spool file '/var/log/snort/snort.u2.1295653699'
Waiting for new data

Snort starts okay!?

...
...
Warning: flowbits key 'http.ttf' is set but not ever checked.
Warning: flowbits key 'qualcom.worldmail.ok' is checked but not ever set.
392 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 422
|   1 byte states   : 408
|   2 byte states   : 14
|   4 byte states   : 0
| Characters        : 106643
| States            : 81000
| Transitions       : 5883668
| State Density     : 28.4%
| Patterns          : 6156
| Match States      : 5695
| Memory (MB)       : 39.67
|   Patterns        : 0.49
|   Match Lists     : 0.73
|   DFA
|     1 byte states : 2.19
|     2 byte states : 35.83
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1171 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Reload thread starting...
Reload thread started, thread 0xb47c1b70 (1132)
Decoding Ethernet
Set gid to 1001
Set uid to 1001
WARNING: normalizations disabled because DAQ can't replace packets.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.13  <Build 18>
           Rules Object: snmp  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: web-iis  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: icmp  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: specific-threats  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: pop3  Version 1.0  <Build 1>
           Rules Object: sql  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
Commencing packet processing (pid=1020)

sudo ps -ax

jwan@CarSnort1:~$ sudo ps -ax
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 /sbin/init
    2 ?        S      0:00 [kthreadd]
    3 ?        S      0:00 [migration/0]
    4 ?        S      0:00 [ksoftirqd/0]
    5 ?        S      0:00 [watchdog/0]
    6 ?        S      0:00 [events/0]
    7 ?        S      0:00 [cpuset]
    8 ?        S      0:00 [khelper]
    9 ?        S      0:00 [netns]
   10 ?        S      0:00 [async/mgr]
   11 ?        S      0:00 [pm]
   12 ?        S      0:00 [sync_supers]
   13 ?        S      0:00 [bdi-default]
   14 ?        S      0:00 [kintegrityd/0]
   15 ?        S      0:00 [kblockd/0]
   16 ?        S      0:00 [kacpid]
   17 ?        S      0:00 [kacpi_notify]
   18 ?        S      0:00 [kacpi_hotplug]
   19 ?        S      0:00 [ata/0]
   20 ?        S      0:00 [ata_aux]
   21 ?        S      0:00 [ksuspend_usbd]
   22 ?        S      0:00 [khubd]
   23 ?        S      0:00 [kseriod]
   24 ?        S      0:00 [kmmcd]
   27 ?        S      0:00 [khungtaskd]
   28 ?        S      0:00 [kswapd0]
   29 ?        SN     0:00 [ksmd]
   30 ?        S      0:00 [aio/0]
   31 ?        S      0:00 [ecryptfs-kthrea]
   32 ?        S      0:00 [crypto/0]
   36 ?        S      0:00 [scsi_eh_0]
   37 ?        S      0:00 [scsi_eh_1]
   40 ?        S      0:00 [kstriped]
   41 ?        S      0:00 [kmpathd/0]
   42 ?        S      0:00 [kmpath_handlerd]
   43 ?        S      0:00 [ksnapd]
   44 ?        S      0:00 [kondemand/0]
   45 ?        S      0:00 [kconservative/0]
  178 ?        S      0:00 [usbhid_resumer]
  187 ?        S      0:00 [jbd2/sda1-8]
  188 ?        S      0:00 [ext4-dio-unwrit]
  219 ?        S      0:00 [flush-8:0]
  248 ?        S      0:00 upstart-udev-bridge --daemon
  250 ?        S<s    0:00 udevd --daemon
  381 ?        S<     0:00 udevd --daemon
  382 ?        S<     0:00 udevd --daemon
  389 ?        S      0:00 [kpsmoused]
  468 ?        S      0:00 [i915]
  531 ?        Sl     0:00 rsyslogd -c4
  572 ?        Ss     0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1
  604 tty4     Ss+    0:00 /sbin/getty -8 38400 tty4
  607 tty5     Ss+    0:00 /sbin/getty -8 38400 tty5
  612 tty2     Ss+    0:00 /sbin/getty -8 38400 tty2
  614 tty3     Ss+    0:00 /sbin/getty -8 38400 tty3
  620 tty6     Ss+    0:00 /sbin/getty -8 38400 tty6
  630 ?        Ss     0:00 atd
  631 ?        Ss     0:00 cron
  688 ?        Ssl    0:00 /usr/sbin/mysqld
  694 ?        Ss     0:00 /usr/sbin/apache2 -k start
  703 ?        S      0:00 /usr/sbin/apache2 -k start
  704 ?        S      0:00 /usr/sbin/apache2 -k start
  705 ?        S      0:00 /usr/sbin/apache2 -k start
  706 ?        S      0:00 /usr/sbin/apache2 -k start
  707 ?        S      0:00 /usr/sbin/apache2 -k start
  800 ?        Ssl    0:00 /usr/local/snort/bin/snort -D -u snort -g snort -c /u
  803 ?        Ss     0:00 sshd: jwan [priv]
  872 ?        S      0:00 sshd: jwan@pts/1
  873 pts/1    Ss     0:00 -bash
  893 ?        Ss     0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0
  910 ?        Ss     0:00 /usr/sbin/sshd
  921 ?        Ss     0:00 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barn
  923 tty1     Ss+    0:00 /sbin/getty -8 38400 tty1
  926 ?        S      0:00 /usr/sbin/apache2 -k start
  927 pts/1    S+     0:56 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barn
  935 ?        Ss     0:00 sshd: jwan [priv]
 1004 ?        S      0:00 sshd: jwan@pts/0
 1005 pts/0    Ss     0:00 -bash
 1028 pts/0    R+     0:00 ps -ax
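An added example, not from the original post and not Snort's or Barnyard2's own code: a small Python reader for the unified2 spool files Barnyard2 reports opening above (/var/log/snort/snort.u2.<timestamp>), so you can confirm whether Snort itself is writing alert events before suspecting the Barnyard2/MySQL path. Record layouts are the legacy IPv4 IDS event and packet structs from Snort's Unified2_common.h; the sample buffer, rule 1:1000001:2 and addresses in it are constructed.

```python
import socket
import struct
import sys
# Record types and layouts from Snort's Unified2_common.h (network byte order).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                  # legacy IPv4 event, 52-byte body
REC_HDR = struct.Struct("!II")          # record type, record length
IDS_EVENT = struct.Struct("!11I2H4B")   # sensor_id ... blocked (17 fields)
PKT_HDR = struct.Struct("!7I")          # sensor_id ... packet_length, then data

def parse_unified2(data: bytes) -> list:
    """Return one dict per complete record; a trailing partial record (an open
    spool file that Snort is still appending to) is skipped, not an error."""
    records, off = [], 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size: off + REC_HDR.size + rlen]
        if len(body) < rlen:
            break                       # writer has not finished this record
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            records.append({
                "type": "event", "event_id": f[1], "event_second": f[2],
                "rule": f"{f[5]}:{f[4]}:{f[6]}",            # gid:sid:rev
                "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13]})
        elif rtype == UNIFIED2_PACKET and rlen >= PKT_HDR.size:
            p = PKT_HDR.unpack_from(body)
            records.append({"type": "packet", "event_id": p[1], "caplen": p[6]})
        else:                           # extra-data, IPv6/VLAN events etc.
            records.append({"type": f"other({rtype})", "len": rlen})
        off += REC_HDR.size + rlen
    return records

def build_sample() -> bytes:
    """Constructed spool content (not from the poster's box): one event for a
    hypothetical rule 1:1000001:2, its packet record, then a truncated header."""
    src = int.from_bytes(socket.inet_aton("10.0.0.5"), "big")
    dst = int.from_bytes(socket.inet_aton("10.0.0.9"), "big")
    ev = IDS_EVENT.pack(1, 42, 1295653699, 0, 1000001, 1, 2, 3, 2, src, dst,
                        51234, 80, 6, 0, 0, 0)
    pkt = PKT_HDR.pack(1, 42, 1295653699, 1295653699, 0, 1, 4) + b"\xde\xad\xbe\xef"
    return (REC_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev +
            REC_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt + b"\x00\x00")

if __name__ == "__main__":  # e.g. python3 u2check.py /var/log/snort/snort.u2.1295653699
    recs = parse_unified2(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample())
    print(*recs, "events: %d" % sum(r["type"] == "event" for r in recs), sep="\n")
```

If the event count stays at zero while Snort reports "Commencing packet processing", the problem is upstream of Barnyard2 (rules, interface, or the daemon actually seeing the traffic), not in the database output plugin.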