Snort mailing list archives

Re: Snort new install won't start


From: Nabyl Benmlih <nabylb () stptech com>
Date: Mon, 23 Jul 2012 17:58:07 -0400

Hi again !
By clearing out the old dcerpc preprocessor I trashed my system, so I redid a
clean install!

Everything is installed OK (CentOS 5, Snort 2.9.2.3, rules, Barnyard2,
MySQL), but Barnyard is giving me issues:

To verify it's OK, when I run /usr/local/bin/barnyard2 -c
/etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
/var/log/snort/barnyard.waldo
I get:
[root@holopinios barnyard2]# /usr/local/bin/barnyard2 -c
/etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
/var/log/snort/barnyard.waldo
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
ERROR: Unable to open SID file '/etc/snort/sid-msg.map' (No such file
or directory)
Log directory = /var/log/barnyard2
database: must enter database name in configuration file
etc...


My barnyard conf file has the following (grep -v '^#'
/etc/snort/barnyard2.conf):
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:       localhost
config interface:      eth1
input unified2
output alert_fast: stdout
output database: log, mysql, user=snort password=XXXXX dbname=snort
host=localhost        ==> I confirmed that the DB is ok and
username/passwd worked.

How/where do I get those 2 files?


Running snort -c /etc/snort/snort.conf -i eth1 for a while actually
gives me traffic results; I'll sort out the volume later.


Thanks in advance

On 7/19/2012 4:27 PM, Todd Wease wrote:
On Thu, Jul 19, 2012 at 3:19 PM, Nabyl Benmlih <nabylb () stptech com> wrote:

    hi
    I used to run snort 2.8.5.3/mysql/base without issue but decided to
    upgrade to the latest version:

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205)
       ''''    By Martin Roesch & The Snort Team:
    http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using libpcap version 1.1.1
               Using PCRE version: 6.6 06-Feb-2006
               Using ZLIB version: 1.2.3

    it's running on Linux Holopinos 2.6.18-308.11.1.el5 #1 SMP Tue Jul
    10 08:49:28 EDT 2012 i686 i686 i386 GNU/Linux

    when I run: snort -c /etc/snort/snort.conf -i eth1 I get
    this error message:


    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414
    1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779
    8000 8008 8014 8028 8080 8088 8118 8123
    8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371
    55555 ]
    PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
    PortVar 'SSH_PORTS' defined :  [ 22 ]
    PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
    PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
    PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 591 593
    901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145
    7510 7777 7779 8000 8008 8014 8028 8080
    8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091
    9443 9999 11371 55555 ]
    PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
    Detection:
       Search-Method = AC-Full-Q
        Split Any/Any group = enabled
        Search-Method-Optimizations = enabled
        Maximum pattern length = 20
    Tagged Packet Limit: 256
    Loading dynamic engine
    /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
    Loading all dynamic detection libs from
    /usr/local/lib/snort_dynamicrules...
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/specific-threats.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/dos.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/web-iis.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/web-client.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/p2p.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/exploit.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/smtp.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/misc.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/chat.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/nntp.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/icmp.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/multimedia.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/bad-traffic.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/snmp.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/netbios.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/imap.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/web-activex.so... done
      Loading dynamic detection library
    /usr/local/lib/snort_dynamicrules/web-misc.so... done
      Finished Loading all dynamic detection libs from
    /usr/local/lib/snort_dynamicrules
    Loading all dynamic preprocessor libs from
    /usr/local/lib/snort_dynamicpreprocessor/...
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
    done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
      Loading dynamic preprocessor library
    /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
      Finished Loading all dynamic preprocessor libs from
    /usr/local/lib/snort_dynamicpreprocessor/
    Log directory = /var/log/snort
    Frag3 global config:
        Max frags: 65536
        Fragment memory cap: 4194304 bytes
    Frag3 engine config:
        Bound Address: default
        Target-based policy: WINDOWS
        Fragment timeout: 180 seconds
        Fragment min_ttl:   1
        Fragment Anomalies: Alert
        Overlap Limit:     10
        Min fragment Length:     100
    Stream5 global config:
        Track TCP sessions: ACTIVE
        Max TCP sessions: 262144
        Memcap (for reassembly packet storage): 8388608
        Track UDP sessions: ACTIVE
        Max UDP sessions: 131072
        Track ICMP sessions: INACTIVE
        Track IP sessions: INACTIVE
        Log info if session memory consumption exceeds 1048576
        Send up to 2 active responses
        Wait at least 5 seconds between responses
        Protocol Aware Flushing: ACTIVE
            Maximum Flush Point: 16000
    Stream5 TCP Policy config:
        Bound Address: default
        Reassembly Policy: WINDOWS
        Timeout: 180 seconds
        Limit on TCP Overlaps: 10
        Maximum number of bytes to queue per session: 1048576
        Maximum number of segs to queue per session: 2621
        Options:
            Require 3-Way Handshake: YES
            3-Way Handshake Timeout: 180
            Detect Anomalies: YES
        Reassembly Ports:
          21 client (Footprint)
          22 client (Footprint)
          23 client (Footprint)
          25 client (Footprint)
          42 client (Footprint)
          53 client (Footprint)
          79 client (Footprint)
          80 client (Footprint) server (Footprint)
          81 client (Footprint) server (Footprint)
          109 client (Footprint)
          110 client (Footprint)
          111 client (Footprint)
          113 client (Footprint)
          119 client (Footprint)
          135 client (Footprint)
          136 client (Footprint)
          137 client (Footprint)
          139 client (Footprint)
          143 client (Footprint)
          161 client (Footprint)
          additional ports configured but not printed.
    Stream5 UDP Policy config:
        Timeout: 180 seconds
    HttpInspect Config:
        GLOBAL CONFIG
          Max Pipeline Requests:    0
          Inspection Type:          STATELESS
          Detect Proxy Usage:       NO
          IIS Unicode Map Filename: /etc/snort/unicode.map
          IIS Unicode Map Codepage: 1252
          Memcap used for logging URI and Hostname: 150994944
          Max Gzip Memory: 838860
          Max Gzip Sessions: 6
          Gzip Compress Depth: 65535
          Gzip Decompress Depth: 65535
        DEFAULT SERVER CONFIG:
          Server profile: All
          Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381
    2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014
    8028 8080 8088 8118 8123 8180 8181 8243
    8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
          Server Flow Depth: 0
          Client Flow Depth: 0
          Max Chunk Length: 500000
          Small Chunk Length Evasion: chunk size <= 10, threshold >= 5
    times
          Max Header Field Length: 750
          Max Number Header Fields: 100
          Max Number of WhiteSpaces allowed with header folding: 0
          Inspect Pipeline Requests: YES
          URI Discovery Strict Mode: NO
          Allow Proxy Usage: NO
          Disable Alerting: NO
          Oversize Dir Length: 500
          Only inspect URI: NO
          Normalize HTTP Headers: NO
          Inspect HTTP Cookies: YES
          Inspect HTTP Responses: YES
          Extract Gzip from responses: YES
          Unlimited decompression of gzip data from responses: YES
          Normalize Javascripts in HTTP Responses: YES
          Max Number of WhiteSpaces allowed with Javascript
    Obfuscation in HTTP responses: 200
          Normalize HTTP Cookies: NO
          Enable XFF and True Client IP: NO
          Log HTTP URI data: NO
          Log HTTP Hostname data: NO
          Extended ASCII code support in URI: NO
          Ascii: YES alert: NO
          Double Decoding: YES alert: NO
          %U Encoding: YES alert: YES
          Bare Byte: YES alert: NO
          UTF 8: YES alert: NO
          IIS Unicode: YES alert: NO
          Multiple Slash: YES alert: NO
          IIS Backslash: YES alert: NO
          Directory Traversal: YES alert: NO
          Web Root Traversal: YES alert: NO
          Apache WhiteSpace: YES alert: NO
          IIS Delimiter: YES alert: NO
          IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
          Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05
    0x06 0x07
          Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    rpc_decode arguments:
        Ports to decode RPC on: 111 32770 32771 32772 32773 32774
    32775 32776 32777 32778 32779
        alert_fragments: INACTIVE
        alert_large_fragments: INACTIVE
        alert_incomplete: INACTIVE
        alert_multiple_requests: INACTIVE
    ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC
    version 1.1.5 (-1)
    Fatal Error, Quitting..

    What am I doing wrong?
    My snort.conf file is basic, I'm not using any fancy features, etc.
    The paths are set correctly:
    var RULE_PATH ./rules
    var SO_RULE_PATH ./so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    and these folders contain the latest rules I could get.

    Let me know if I need to provide any additional info !

    Thanks in advance

    -- 
    Nabyl Benmlih
    CIO
    STI Processing Ltd.
    Francis Trading Building,2nd Floor
    High Street
    St. John's, Antigua

    Tel:    268-481-8358
    Mobile: 268-764-0220
    Fax:    268-562-7743
    Email: nabylb () stptech com


    ------------------------------------------------------------------------------
    Live Security Virtual Conference
    Exclusive live event will cover all the ways today's security and
    threat landscape has changed and how IT managers can respond.
    Discussions
    will include endpoint security, mobile security and the latest in
    malware
    threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

    Please visit http://blog.snort.org to stay current on all the
    latest Snort news!


Hi Nabyl,

Looks like you're using the old dcerpc preprocessor.  You'll need to
remove the old dcerpc configuration and shared object
(/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so)
and add a configuration for dcerpc2.  See README.dcerpc2 and the snort
manual for details.

Todd 
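As an added example (not code from the thread or from the Snort project), the shell functions below check for the two things this thread turns on: the retired dcerpc preprocessor and its shared object that Todd says must go before a dcerpc2 configuration is added, and the gen-msg.map / sid-msg.map paths that barnyard2 could not open. Function names and the sample config lines are constructed; the demo at the bottom runs on temporary files.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the two problems raised above.
# (1) snort.conf still loads the retired "dcerpc" preprocessor (and the old
#     shared object is still installed) instead of "dcerpc2";
# (2) barnyard2.conf points at gen-msg.map / sid-msg.map files that don't exist.
# Function names and the sample config lines below are constructed.

# 0 if snort.conf has a "preprocessor dcerpc:" line (old preprocessor), else 1
uses_old_dcerpc() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc[[:space:]]*:' "$1"
}

# 0 if snort.conf has a "preprocessor dcerpc2:" global configuration, else 1
has_dcerpc2() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc2[[:space:]]*:' "$1"
}

# 0 if the old shared object is still in the given dynamic preprocessor dir
old_dcerpc_lib_present() {
    [ -e "$1/libsf_dcerpc_preproc.so" ]
}

# Print each "config gen_file:" / "config sid_file:" path from barnyard2.conf
# that is not a regular file; return 1 if any is missing, else 0.
# (Paths are word-split, so this assumes map file paths contain no spaces.)
missing_map_files() {
    missing=0
    for path in $(grep -E '^[[:space:]]*config[[:space:]]+(gen|sid)_file:' "$1" \
                  | cut -d: -f2-); do
        if [ ! -f "$path" ]; then
            echo "missing: $path"
            missing=1
        fi
    done
    return $missing
}

# Demo on constructed files; point the functions at /etc/snort/snort.conf,
# /etc/snort/barnyard2.conf and /usr/local/lib/snort_dynamicpreprocessor on a real box.
demo=$(mktemp -d)
printf 'preprocessor dcerpc: autodetect, max_frag_size 3000\n' > "$demo/snort.conf"
printf 'config gen_file: %s/gen-msg.map\nconfig sid_file: %s/sid-msg.map\n' \
    "$demo" "$demo" > "$demo/barnyard2.conf"
touch "$demo/gen-msg.map"   # present; sid-msg.map is deliberately absent
if uses_old_dcerpc "$demo/snort.conf" && ! has_dcerpc2 "$demo/snort.conf"; then
    echo "snort.conf: replace 'preprocessor dcerpc:' with a dcerpc2 config (README.dcerpc2)"
fi
missing_map_files "$demo/barnyard2.conf" || echo "barnyard2.conf: fix the map file paths above"
rm -rf "$demo"
```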

