FW: Snort doesn't produce alerts----WARNING: normalizations disabled because DAQ can't replace packets.

[Jun Wan <junwei_wan () hotmail com>]

All good! it was my typo, there were two NICs in my Snort 2.9.0.3 box, it should be eth0 instead of eth1.
 
Thanks for your time.
 
Regards
 
John
 
> From: junwei_wan () hotmail com
> To: nathan-gibson () ouhsc edu
> Date: Sun, 23 Jan 2011 08:27:21 +0000
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort doesn't produce alerts----WARNING: normalizations disabled because DAQ can't replace 
> packets.
>
>
> Hi Nathan, 
>
> I used -u snort -g snort , please see the following: 
>
> sudo vi /etc/rc.local
> ****************************
> ifconfig eth1 up
> /usr/local/snort/bin/snort -D -u snort -g snort \
> -c /usr/local/snort/etc/snort.conf -i eth1
> /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
> -G /usr/local/snort/etc/gen-msg.map \
> -S /usr/local/snort/etc/sid-msg.map \
> -d /var/log/snort \
> -f snort.u2 \
> -w /var/log/snort/barnyard2.waldo \
> -D
> ********************************
> ----------------------------------------
> > From: Nathan-Gibson () ouhsc edu
> > To: junwei_wan () hotmail com
> > Date: Sat, 22 Jan 2011 11:55:29 -0600
> > Subject: RE: [Snort-users] Snort doesn't produce alerts----WARNING: normalizations disabled because DAQ can't 
> > replace packets.
> >
> > Try adding -u snort -g snort to your barnyard2 startup line. Looks like you are running snort as user snort and 
> > barnyard2 as user root. Barnyard probably doesn't have rights to read snorts unified file since its being created 
> > by the snort user and barnyard is running as root user.
> >
> > -----Original Message-----
> > From: Jun Wan [mailto:junwei_wan () hotmail com]
> > Sent: Friday, January 21, 2011 6:35 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-use
> rs] Snort doesn't produce alerts----WARNING: normalizations disabled because DAQ can't replace packets.
> > Dear list,
> >
> >
> > I am having some issue with Snort 2.9.0.3 and Snort Report 1.3.1 (our live Snort box), Snort and Barnyard2 seem to 
> > start okay and then Snort doesn't show any alerts after I use the following:
> >
> > sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -A console
> >
> > I am unable to figure it out the reason why Snort doesn't sense and produce any alerts (I tested by using Nessus). 
> > Would you please give some direction?
> >
> > Any information and help would be much appreciated.
> >
> > Please see the following:
> >
> > jwan@CarSnort1:~$ sudo /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G 
> > /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w 
> > /var/log/snort/barnyard2.waldo
> >
> >
> > Running in Continuous mode
> > --== Initializing Barnyard2 ==--
> > Initializing Input Plugins!
> > Initializing Output Plugins!
> > Parsing config file "/usr/local/snort/etc/barnyard2.conf"
> > Log directory = /var/log/barnyard2
> > database: compiled support for (mysql)
> > database: configured to use mysql
> > database: schema version = 107
> > database: host = localhost
> > database: user = root
> > database: database name = snort
> > database: sensor name = localhost:eth1
> > database: sensor id = 1
> > database: data encoding = hex
> > database: detail level = full
> > database: ignore_bpf = no
> > database: using the "log" facility
> > --== Initialization Complete ==--
> > ______ -*> Barnyard2 <*-
> > / ,,_ \ Version 2.1.8 (Build 251)
> > |o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
> > + '''' + (C) Copyright 2008-2010 SecurixLive.
> > Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
> > (C) Copyright 1998-2007 Sourcefire Inc., et al.
> > Using waldo file '/var/log/snort/barnyard2.waldo':
> > spool directory = /var/log/snort
> > spool filebase = snort.u2
> > time_stamp = 1295622177
> > record_idx = 4
> > Opened spool file '/var/log/snort/snort.u2.1295622177'
> > Closing spool file '/var/log/snort/snort.u2.1295622177'. Read 4 records
> > Opened spool file '/var/log/snort/snort.u2.1295653699'
> > Waiting for new data
> >
> >
> >
> > Snort starts okay!?
> > ...
> > ...
> > Warning: flowbits key 'http.ttf' is set but not ever checked.
> > Warning: flowbits key 'qualcom.worldmail.ok' is checked but not ever set.
> > 392 out of 1024 flowbits in use.
> > [ Port Based Pattern Matching Memory ]
> > +- [ Aho-Corasick Summary ] -------------------------------------
> > | Storage Format : Full-Q
> > | Finite Automaton : DFA
> > | Alphabet Size : 256 Chars
> > | Sizeof State : Variable (1,2,4 bytes)
> > | Instances : 422
> > | 1 byte states : 408
> > | 2 byte states : 14
> > | 4 byte states : 0
> > | Characters : 106643
> > | States : 81000
> > | Transitions : 5883668
> > | State Density : 28.4%
> > | Patterns : 6156
> > | Match States : 5695
> > | Memory (MB) : 39.67
> > | Patterns : 0.49
> > | Match Lists : 0.73
> > | DFA
> > | 1 byte states : 2.19
> > | 2 byte states : 35.83
> > | 4 byte states : 0.00
> > +----------------------------------------------------------------
> > [ Number of patterns truncated to 20 bytes: 1171 ]
> > pcap DAQ configured to passive.
> > Acquiring network traffic from "eth1".
> > Reload thread starting...
> > Reload thread started, thread 0xb47c1b70 (1132)
> > Decoding Ethernet
> > Set gid to 1001
> > Set uid to 1001
> > WARNING: normalizations disabled because DAQ can't replace packets.
> >
> >
> > --== Initialization Complete ==--
> > ,,_ -*> Snort! <*-
> > o" )~ Version 2.9.0.3 IPv6 GRE (Build 98)
> > '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> > Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> > Using libpcap version 1.0.0
> > Using PCRE version: 7.8 2008-09-05
> > Using ZLIB version: 1.2.3.3
> > Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.13 
> > Rules Object: snmp Version 1.0 
> > Rules Object: smtp Version 1.0 
> > Rules Object: web-activex Version 1.0 
> > Rules Object: multimedia Version 1.0 
> > Rules Object: web-iis Version 1.0 
> > Rules Object: chat Version 1.0 
> > Rules Object: misc Version 1.0 
> > Rules Object: icmp Version 1.0 
> > Rules Object: p2p Version 1.0 
> > Rules Object: web-misc Version 1.0 
> > Rules Object: imap Version 1.0 
> > Rules Object: web-client Version 1.0 
> > Rules Object: bad-traffic Version 1.0 
> > Rules Object: dos Version 1.0 
> > Rules Object: specific-threats Version 1.0 
> > Rules Object: netbios Version 1.0 
> > Rules Object: pop3 Version 1.0 
> > Rules Object: sql Version 1.0 
> > Rules Object: exploit Version 1.0 
> > Rules Object: nntp Version 1.0 
> > Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 
> > Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 
> > Preprocessor Object: SF_SDF (IPV6) Version 1.1 
> > Preprocessor Object: SF_SSH (IPV6) Version 1.1 
> > Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 
> > Preprocessor Object: SF_SMTP (IPV6) Version 1.1 
> > Preprocessor Object: SF_DNS (IPV6) Version 1.1 
> > Commencing packet processing (pid=1020)
> >
> >
> > sudo ps -ax
> >
> > jwan@CarSnort1:~$ sudo ps -ax
> > Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
> > PID TTY STAT TIME COMMAND
> > 1 ? Ss 0:00 /sbin/init
> > 2 ? S 0:00 [kthreadd]
> > 3 ? S 0:00 [migration/0]
> > 4 ? S 0:00 [ksoftirqd/0]
> > 5 ? S 0:00 [watchdog/0]
> > 6 ? S 0:00 [events/0]
> > 7 ? S 0:00 [cpuset]
> > 8 ? S 0:00 [khelper]
> > 9 ? S 0:00 [netns]
> > 10 ? S 0:00 [async/mgr]
> > 11 ? S 0:00 [pm]
> > 12 ? S 0:00 [sync_supers]
> > 13 ? S 0:00 [bdi-default]
> > 14 ? S 0:00 [kintegrityd/0]
> > 15 ? S 0:00 [kblockd/0]
> > 16 ? S 0:00 [kacpid]
> > 17 ? S 0:00 [kacpi_notify]
> > 18 ? S 0:00 [kacpi_hotplug]
> > 19 ? S 0:00 [ata/0]
> > 20 ? S 0:00 [ata_aux]
> > 21 ? S 0:00 [ksuspend_usbd]
> > 22 ? S 0:00 [khubd]
> > 23 ? S 0:00 [kseriod]
> > 24 ? S 0:00 [kmmcd]
> > 27 ? S 0:00 [khungtaskd]
> > 28 ? S 0:00 [kswapd0]
> > 29 ? SN 0:00 [ksmd]
> > 30 ? S 0:00 [aio/0]
> > 31 ? S 0:00 [ecryptfs-kthrea]
> > 32 ? S 0:00 [crypto/0]
> > 36 ? S 0:00 [scsi_eh_0]
> > 37 ? S 0:00 [scsi_eh_1]
> > 40 ? S 0:00 [kstriped]
> > 41 ? S 0:00 [kmpathd/0]
> > 42 ? S 0:00 [kmpath_handlerd]
> > 43 ? S 0:00 [ksnapd]
> > 44 ? S 0:00 [kondemand/0]
> > 45 ? S 0:00 [kconservative/0]
> > 178 ? S 0:00 [usbhid_resumer]
> > 187 ? S 0:00 [jbd2/sda1-8]
> > 188 ? S 0:00 [ext4-dio-unwrit]
> > 219 ? S 0:00 [flush-8:0]
> > 248 ? S 0:00 upstart-udev-bridge --daemon
> > 250 ? S> 381 ? S< 0:00 udevd --daemon
> > 382 ? S< 0:00 udevd --daemon
> > 389 ? S 0:00 [kpsmoused]
> > 468 ? S 0:00 [i915]
> > 531 ? Sl 0:00 rsyslogd -c4
> > 572 ? Ss 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth1
> > 604 tty4 Ss+ 0:00 /sbin/getty -8 38400 tty4
> > 607 tty5 Ss+ 0:00 /sbin/getty -8 38400 tty5
> > 612 tty2 Ss+ 0:00 /sbin/getty -8 38400 tty2
> > 614 tty3 Ss+ 0:00 /sbin/getty -8 38400 tty3
> > 620 tty6 Ss+ 0:00 /sbin/getty -8 38400 tty6
> > 630 ? Ss 0:00 atd
> > 631 ? Ss 0:00 cron
> > 688 ? Ssl 0:00 /usr/sbin/mysqld
> > 694 ? Ss 0:00 /usr/sbin/apache2 -k start
> > 703 ? S 0:00 /usr/sbin/apache2 -k start
> > 704 ? S 0:00 /usr/sbin/apache2 -k start
> > 705 ? S 0:00 /usr/sbin/apache2 -k start
> > 706 ? S 0:00 /usr/sbin/apache2 -k start
> > 707 ? S 0:00 /usr/sbin/apache2 -k start
> > 800 ? Ssl 0:00 /usr/local/snort/bin/snort -D -u snort -g snort -c /u
> > 803 ? Ss 0:00 sshd: jwan [priv]
> > 872 ? S 0:00 sshd: jwan@pts/1
> > 873 pts/1 Ss 0:00 -bash
> > 893 ? Ss 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0
> > 910 ? Ss 0:00 /usr/sbin/sshd
> > 921 ? Ss 0:00 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barn
> > 923 tty1 Ss+ 0:00 /sbin/getty -8 38400 tty1
> > 926 ? S 0:00 /usr/sbin/apache2 -k start
> > 927 pts/1 S+ 0:56 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barn
> > 935 ? Ss 0:00 sshd: jwan [priv]
> > 1004 ? S 0:00 sshd: jwan@pts/0
> > 1005 pts/0 Ss 0:00 -bash
> > 1028 pts/0 R+ 0:00 ps -ax
> > ------------------------------------------------------------------------------
> > Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> > Finally, a world-class log management solution at an even better price-free!
> > Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> > February 28th, so secure your free ArcSight Logger TODAY!
> > http://p.sf.net/sfu/arcsight-sfd2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
> February 28th, so secure your free ArcSight Logger TODAY! 
> http://p.sf.net/sfu/arcsight-sfd2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users