Snort mailing list archives

Re: Steam5 configuration with Windows, and Linux


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 19 Nov 2015 14:53:28 -0700

Read my previous email... track_udp needs to go in the global section.

James

On 2015-11-19 14:48, Rafael Leiva-Ochoa wrote:
Any idea why I am getting the following error?

"Initializing rule chains...
ERROR: /etc/snort/snort.conf(281) Unknown rule type: track_udp."

Thanks,

Rafael

On Thu, Nov 19, 2015 at 1:09 PM, Rafael Leiva-Ochoa <spawn () rloteck net> wrote:

Perfect, it is giving me more information about the problem. Here is the output:

[root@snort-sensor1 ~]# snort -i eth1 -c /etc/snort/snort.conf -A console

Running in IDS mode

--== Initializing Snort ==--

Initializing Output Plugins!

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file "/etc/snort/snort.conf"

PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631
801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301
2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848
5000 5117 5250 5600 5814 6080 6173 6988 7000:7001 7005 7071
7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028
8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280
8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000
9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000
11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007
41080 44449 50000 50002 51423 53331 55252 55555 56712 ]

PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]

PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]

PortVar 'SSH_PORTS' defined :  [ 22 ]

PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]

PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]

PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555
591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942
2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000
4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000:7001 7005
7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020
8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243
8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983
9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788
9999:10000 11371 12601 13014 15489 19980 29991 33300 34412
34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555
56712 ]

PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]

Detection:

Search-Method = AC-Full-Q

Split Any/Any group = enabled

Search-Method-Optimizations = enabled

Maximum pattern length = 20

Tagged Packet Limit: 256

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done

Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-pdf.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/policy-social.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-iis.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/exploit-kit.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-tftp.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-other.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-other.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-multimedia.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-webapp.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-dns.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-other.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-other.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-other.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-office.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-java.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-other.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-snmp.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/pua-p2p.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-windows.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/malware-cnc.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-flash.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-nntp.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/indicator-shellcode.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mail.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/netbios.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-image.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/os-linux.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-mysql.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-apache.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/protocol-voip.so... done

Loading dynamic detection library /usr/local/lib/snort_dynamicrules/server-oracle.so... done

Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules

Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done

Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done

Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/

Log directory = /var/log/snort

WARNING: ip4 normalizations disabled because not inline.

WARNING: tcp normalizations disabled because not inline.

WARNING: icmp4 normalizations disabled because not inline.

WARNING: ip6 normalizations disabled because not inline.

WARNING: icmp6 normalizations disabled because not inline.

Frag3 global config:

Max frags: 65536

Fragment memory cap: 4194304 bytes

Frag3 engine config:

Bound Address: default

Target-based policy: LINUX

Fragment timeout: 180 seconds

Fragment min_ttl:   1

Fragment Anomalies: Alert

Overlap Limit:     10

Min fragment Length:     100

Max Expected Streams: 768

Stream global config:

Track TCP sessions: ACTIVE

Max TCP sessions: 262144

TCP cache pruning timeout: 30 seconds

TCP cache nominal timeout: 3600 seconds

Memcap (for reassembly packet storage): 8388608

Track UDP sessions: ACTIVE

Max UDP sessions: 131072

UDP cache pruning timeout: 30 seconds

UDP cache nominal timeout: 180 seconds

Track ICMP sessions: INACTIVE

Track IP sessions: INACTIVE

Log info if session memory consumption exceeds 1048576

Send up to 0 active responses

Protocol Aware Flushing: ACTIVE

Maximum Flush Point: 16000

Stream TCP Policy config:

Bound Addresses: 192.168.1.28

Reassembly Policy: WINDOWS

Timeout: 30 seconds

Maximum number of bytes to queue per session: 1048576

Maximum number of segs to queue per session: 2621

Reassembly Ports:

Stream TCP Policy config:

Bound Addresses: 192.168.1.30

Reassembly Policy: WINDOWS

Timeout: 30 seconds

Maximum number of bytes to queue per session: 1048576

Maximum number of segs to queue per session: 2621

Reassembly Ports:

Stream TCP Policy config:

Bound Address: default

Reassembly Policy: LINUX

Timeout: 30 seconds

Maximum number of bytes to queue per session: 1048576

Maximum number of segs to queue per session: 2621

Reassembly Ports:

Stream UDP Policy config:

Timeout: 180 seconds

HttpInspect Config:

GLOBAL CONFIG

Detect Proxy Usage:       NO

IIS Unicode Map Filename: /etc/snort/unicode.map

IIS Unicode Map Codepage: 1252

Memcap used for logging URI and Hostname: 150994944

Max Gzip Memory: 838860

Max Gzip Sessions: 1807

Gzip Compress Depth: 65535

Gzip Decompress Depth: 65535

DEFAULT SERVER CONFIG:

Server profile: All

Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555
591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942
2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000
4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000 7001 7005
7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015
8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181
8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800
8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447
9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412
34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555
56712

Server Flow Depth: 0

Client Flow Depth: 0

Max Chunk Length: 500000

Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times

Max Header Field Length: 750

Max Number Header Fields: 100

Max Number of WhiteSpaces allowed with header folding: 200

Inspect Pipeline Requests: YES

URI Discovery Strict Mode: NO

Allow Proxy Usage: NO

Disable Alerting: NO

Oversize Dir Length: 500

Only inspect URI: NO

Normalize HTTP Headers: NO

Inspect HTTP Cookies: YES

Inspect HTTP Responses: YES

Extract Gzip from responses: YES

Decompress response files:

Unlimited decompression of gzip data from responses: YES

Normalize Javascripts in HTTP Responses: YES

Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200

Normalize HTTP Cookies: NO

Enable XFF and True Client IP: NO

Log HTTP URI data: NO

Log HTTP Hostname data: NO

Extended ASCII code support in URI: NO

Ascii: YES alert: NO

Double Decoding: YES alert: NO

%U Encoding: YES alert: YES

Bare Byte: YES alert: NO

UTF 8: YES alert: NO

IIS Unicode: YES alert: NO

Multiple Slash: YES alert: NO

IIS Backslash: YES alert: NO

Directory Traversal: YES alert: NO

Web Root Traversal: YES alert: NO

Apache WhiteSpace: YES alert: NO

IIS Delimiter: YES alert: NO

IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07

Whitespace Characters: 0x09 0x0b 0x0c 0x0d

rpc_decode arguments:

Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779

alert_fragments: INACTIVE

alert_large_fragments: INACTIVE

alert_incomplete: INACTIVE

alert_multiple_requests: INACTIVE

FTPTelnet Config:

GLOBAL CONFIG

Inspection Type: stateful

Check for Encrypted Traffic: YES alert: NO

Continue to check encrypted data: YES

TELNET CONFIG:

Ports: 23

Are You There Threshold: 20

Normalize: YES

Detect Anomalies: YES

FTP CONFIG:

FTP Server: default

Ports (PAF): 21 2100 3535

Check for Telnet Cmds: YES alert: YES

Ignore Telnet Cmd Operations: YES alert: YES

Ignore open data channels: NO

FTP Client: default

Check for Bounce Attacks: YES alert: YES

Check for Telnet Cmds: YES alert: YES

Ignore Telnet Cmd Operations: YES alert: YES

Max Response Length: 256

SMTP Config:

Ports: 25 465 587 691

Inspection Type: Stateful

Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM
ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET
SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR
XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR
CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50

Ignore Data: No

Ignore TLS Data: No

Ignore SMTP Alerts: No

Max Command Line Length: 512

Max Specific Command Line Length:

ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255

EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255

ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500

IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246

QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246

SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246

TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246

XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246

XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246

XUSR:246

Max Header Line Length: 1000

Max Response Line Length: 512

X-Link2State Alert: Yes

Drop on X-Link2State Alert: No

Alert on commands: None

Alert on unknown commands: No

SMTP Memcap: 838860

MIME Max Mem: 838860

Base64 Decoding: Enabled

Base64 Decoding Depth: Unlimited

Quoted-Printable Decoding: Enabled

Quoted-Printable Decoding Depth: Unlimited

Unix-to-Unix Decoding: Enabled

Unix-to-Unix Decoding Depth: Unlimited

Non-Encoded MIME attachment Extraction: Enabled

Non-Encoded MIME attachment Extraction Depth: Unlimited

Log Attachment filename: Enabled

Log MAIL FROM Address: Enabled

Log RCPT TO Addresses: Enabled

Log Email Headers: Enabled

Email Hdrs Log Depth: 1464

SSH config:

Autodetection: ENABLED

Challenge-Response Overflow Alert: ENABLED

SSH1 CRC32 Alert: ENABLED

Server Version String Overflow Alert: ENABLED

Protocol Mismatch Alert: ENABLED

Bad Message Direction Alert: DISABLED

Bad Payload Size Alert: DISABLED

Unrecognized Version Alert: DISABLED

Max Encrypted Packets: 20

Max Server Version String Length: 100

MaxClientBytes: 19600 (Default)

Ports:

22

DCE/RPC 2 Preprocessor Configuration

Global Configuration

DCE/RPC Defragmentation: Enabled

Memcap: 102400 KB

Events: co

SMB Fingerprint policy: Disabled

Server Default Configuration

Policy: WinXP

Detect ports (PAF)

SMB: 139 445

TCP: 135

UDP: 135

RPC over HTTP server: 593

RPC over HTTP proxy: None

Autodetect ports (PAF)

SMB: None

TCP: 1025-65535

UDP: 1025-65535

RPC over HTTP server: 1025-65535

RPC over HTTP proxy: None

Invalid SMB shares: C$ D$ ADMIN$

Maximum SMB command chaining: 3 commands

SMB file inspection: Disabled

DNS config:

DNS Client rdata txt Overflow Alert: ACTIVE

Obsolete DNS RR Types Alert: INACTIVE

Experimental DNS RR Types Alert: INACTIVE

Ports: 53

SSLPP config:

Encrypted packets: not inspected

Ports:

443      465      563      636      989

992      993      994      995     5061

7801     7802     7900     7901     7902

7903     7904     7905     7906     7907

7908     7909     7910     7911     7912

7913     7914     7915     7916     7917

7918     7919     7920

Server side data is trusted

Maximum SSL Heartbeat length: 0

Sensitive Data preprocessor config:

Global Alert Threshold: 25

Masked Output: DISABLED

SIP config:

Max number of sessions: 40000

Max number of dialogs in a session: 4 (Default)

Status: ENABLED

Ignore media channel: DISABLED

Max URI length: 512

Max Call ID length: 80

Max Request name length: 20 (Default)

Max From length: 256 (Default)

Max To length: 256 (Default)

Max Via length: 1024 (Default)

Max Contact length: 512

Max Content length: 2048

Ports:

5060 5061 5600

Methods:

invite cancel ack bye register options refer subscribe update
join info message notify benotify do qauth sprack publish service
unsubscribe prack

IMAP Config:

Ports: 143

IMAP Memcap: 838860

MIME Max Mem: 838860

Base64 Decoding: Enabled

Base64 Decoding Depth: Unlimited

Quoted-Printable Decoding: Enabled

Quoted-Printable Decoding Depth: Unlimited

Unix-to-Unix Decoding: Enabled

Unix-to-Unix Decoding Depth: Unlimited

Non-Encoded MIME attachment Extraction: Enabled

Non-Encoded MIME attachment Extraction Depth: Unlimited

POP Config:

Ports: 110

POP Memcap: 838860

MIME Max Mem: 838860

Base64 Decoding: Enabled

Base64 Decoding Depth: Unlimited

Quoted-Printable Decoding: Enabled

Quoted-Printable Decoding Depth: Unlimited

Unix-to-Unix Decoding: Enabled

Unix-to-Unix Decoding Depth: Unlimited

Non-Encoded MIME attachment Extraction: Enabled

Non-Encoded MIME attachment Extraction Depth: Unlimited

Modbus config:

Ports:

502

DNP3 config:

Memcap: 262144

Check Link-Layer CRCs: ENABLED

Ports:

20000

Reputation config:

WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.

+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

ERROR: /etc/snort/snort.conf(281) Unknown rule type: track_udp.

Fatal Error, Quitting..

Any ideas?

On Thu, Nov 19, 2015 at 1:01 PM, James Lay <jlay () slave-tothe-box net> wrote:

Comment out:

$RepeatedMsgReduction on

in your rsyslog.conf if you want to see all the messages.

Or just start it without the -D and run it in the foreground.

James

On 2015-11-19 13:58, Rafael Leiva-Ochoa wrote:
Where do I look for the rate-limited messages? That is what is
confusing me.

Thanks,

Rafael

On Thu, Nov 19, 2015 at 12:52 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2015-11-19 13:47, Rafael Leiva-Ochoa wrote:

Thanks for the reply James. Snort was working fine, but when I added the following entries:

preprocessor stream5_global: track_tcp yes

preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy windows

preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy windows

preprocessor stream5_tcp: policy linux

It gives me that "rsyslog-limiting" error. I have no idea what that has to do with the changes I made. All I want to do is to support reassembly for both Linux and Windows systems. I only have 2 Windows systems; I thought it would be easy to define them explicitly in the configuration as you see above, but it is not working in the snort configuration.

Thanks,

Rafael

Ya, that looks good... though you can most likely drop the "/32" since these are just single IPs. I'd be curious to see what the rate-limited messages are.

James

On Thu, Nov 19, 2015 at 12:39 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2015-11-19 12:26, Rafael Leiva-Ochoa wrote:
Hi All,

I am trying to configure the Stream5 preprocessor to do reassembly for both Windows and Linux using the following configuration:

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5

preprocessor stream5_global: track_tcp yes

preprocessor stream5_tcp: bind_to 192.168.1.28/32, policy windows

preprocessor stream5_tcp: bind_to 192.168.1.30/32, policy windows

preprocessor stream5_tcp: policy linux

track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5

detect_anomalies, require_3whs 180, \
overlap_limit 10, small_segments 0 bytes 150, timeout 180, \
ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7907 7000 7001 7005 7071 7144 7145 7510 7802 7770 7777 7778 7779 \
7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
7917 7918 7919 7920 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712

But, I only get this error when trying to run it.

Nov 19 11:24:25 snort-sensor1 snort[24078]: Frag3 global config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max frags: 65536
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment memory cap: 4194304 bytes
Nov 19 11:24:25 snort-sensor1 snort[24078]: Frag3 engine config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Address: default
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Target-based policy: LINUX
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment timeout: 180 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment min_ttl: 1
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Fragment Anomalies: Alert
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Overlap Limit: 10
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Min fragment Length: 100
Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Expected Streams: 768
Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream global config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track TCP sessions: ACTIVE
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max TCP sessions: 262144
Nov 19 11:24:25 snort-sensor1 snort[24078]:     TCP cache pruning timeout: 30 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     TCP cache nominal timeout: 3600 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Memcap (for reassembly packet storage): 8388608
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track UDP sessions: ACTIVE
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Max UDP sessions: 131072
Nov 19 11:24:25 snort-sensor1 snort[24078]:     UDP cache pruning timeout: 30 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     UDP cache nominal timeout: 180 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track ICMP sessions: INACTIVE
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Track IP sessions: INACTIVE
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Log info if session memory consumption exceeds 1048576
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Send up to 0 active responses
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Protocol Aware Flushing: ACTIVE
Nov 19 11:24:25 snort-sensor1 snort[24078]:         Maximum Flush Point: 16000
Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Addresses: 192.168.1.28
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: WINDOWS
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:
Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Addresses: 192.168.1.30
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: WINDOWS
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:
Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream TCP Policy config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Bound Address: default
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Policy: LINUX
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 30 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of bytes to queue per session: 1048576
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Maximum number of segs to queue per session: 2621
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Reassembly Ports:
Nov 19 11:24:25 snort-sensor1 snort[24078]: Stream UDP Policy config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     Timeout: 180 seconds
Nov 19 11:24:25 snort-sensor1 snort[24078]: HttpInspect Config:
Nov 19 11:24:25 snort-sensor1 snort[24078]:     GLOBAL CONFIG
Nov 19 11:24:25 snort-sensor1 snort[24078]:       Detect Proxy Usage: NO
Nov 19 11:24:25 snort-sensor1 snort[24078]:       IIS Unicode Map Filename: /etc/snort/unicode.map
Nov 19 11:24:25 snort-sensor1 snort[24078]:       IIS Unicode Map Codepage: 1252
Nov 19 11:24:25 snort-sensor1 snort[24078]:       Memcap used for logging URI and Hostname: 150994944
Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Gzip Memory: 838860
Nov 19 11:24:25 snort-sensor1 snort[24078]:       Max Gzip Sessions: 1807
Nov 19 11:24:25 snort-sensor1 rsyslogd-2177: imuxsock begins to drop messages from pid 24078 due to rate-limiting

Any ideas on how to fix this?

Thanks,

Rafael

What's the issue?  The syslog entry?  Normal at startup with Snort if you have rsyslog rate-limiting on.  Comment out:

$RepeatedMsgReduction on

in your rsyslog.conf if you want to see all the messages.

James





------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!






