Snort mailing list archives
snort causes "modprobe: can't locate.." in syslog
From: John Sage <jsage () finchhaven com>
Date: Thu, 26 Jul 2001 06:28:29 -0700
I've narrowed down the syslog message ("modprobe: Can't locate module
[reading from a ") created by snort 1.8.1.beta4, to its being generated
when I run a secondary set of rules against all packets logged over an
extended period of time by my primary rule sets.

The primary rules binary-log *everything* and do just a little alerting
for some specific ports - nothing fancy.

The secondary ruleset is basically the box-stock snort.conf that comes
with 1.8.1-beta4 and the *-rules that come with beta 4...

So what about all this is trying to locate a module?

Command line that generates the modprobe error:

snort18 -b -i ppp0 -c /usr/local/snort-1.8.1-beta4/snort18.conf &

Output from adding -T:

--== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface ppp0
Decoding raw data on interface ppp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort-1.8.1-beta4/snort18check.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
ProcessFileOption: /var/log/snort/./alert-check.full
Linking FullAlert functions to call lists...
908 Snort rules read...
908 Option Chains linked into 135 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.1-beta4 (Build 54)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
Snort sucessfully loaded all rules and checked all rule chains!

Stuff set up by snort18check.conf:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 ./portscan-check.log
output alert_full: ./alert-check.full
include classification.config
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
# include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules

John Sage wrote:
> Hello world..
>
> snort.1.8.1-beta4 is up and running well in binary mode, pretty much
> box-stock as it comes from the current *.tar.gz
>
> I've got psionic's logcheck running, and now suddenly it's reporting
> this:
>
>> Unusual System Events
>> =-=-=-=-=-=-=-=-=-=-=
>> Jul 25 06:40:49 greatwall snort: [1:0:0] TCP to 1024-60999 {TCP}
>> 207.217.120.208:25 -> 12.82.128.60:1631
>
>> Jul 25 06:41:27 greatwall modprobe: modprobe: Can't locate module
>> [reading from a
>
>> Jul 25 06:41:49 greatwall snort: [1:0:0] TCP to 1024-60999 {TCP}
>> 207.217.120.208:25 -> 12.82.128.60:1631
>> Jul 25 06:42:49 greatwall snort: [1:0:0] TCP to 1024-60999 {TCP}
>> 207.217.120.208:25 -> 12.82.128.60:1631
> :
> :
> <snip>
>
> What's this:
>
> > Jul 25 06:41:27 greatwall modprobe: modprobe: Can't locate module
> > [reading from a
>
> It stops just like that: "...[reading from a "
>
<snip>
