Snort mailing list archives

RE: snort warnings


From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 06 Aug 2003 10:30:58 -0700

It is getting started in Daemon mode; I just see the data go by.

It might be unrelated to my current problem, and I only bring it up
because it might be related. But when I run

###paste good command###
snort -o -b -l /var/www/htdocs/snort/xl1 -d -D -i xl1 -c /usr/local/share/snort/xl1.conf not host '(10.0.0.2)'
########################

I don't get any output, it just drops me down a line, but when I run

###paste bad command###
snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.78)'
#######################

I get this:

###Paste output from bad command###
# Aug  6 10:05:33 knox3 snort: Initializing daemon mode
Aug  6 10:05:33 knox3 snort: PID path stat checked out ok, PID path set to /var/run/
Aug  6 10:05:33 knox3 snort: Writing PID "25358" to file "/var/run//snort_fxp1.pid"
Aug  6 10:05:33 knox3 snort: http_decode arguments:
Aug  6 10:05:33 knox3 snort:     Unicode decoding
Aug  6 10:05:33 knox3 snort:     IIS alternate Unicode decoding
Aug  6 10:05:33 knox3 snort:     IIS double encoding vuln
Aug  6 10:05:33 knox3 snort:     Flip backslash to slash
Aug  6 10:05:33 knox3 snort:     Include additional whitespace separators
Aug  6 10:05:33 knox3 snort:     Ports to decode http on: 80
Aug  6 10:05:33 knox3 snort: rpc_decode arguments:
Aug  6 10:05:33 knox3 snort:     Ports to decode RPC on: 111 32771
Aug  6 10:05:33 knox3 snort:     alert_fragments: INACTIVE
Aug  6 10:05:33 knox3 snort:     alert_large_fragments: ACTIVE
Aug  6 10:05:33 knox3 snort:     alert_incomplete: ACTIVE
Aug  6 10:05:33 knox3 snort:     alert_multiple_requests: ACTIVE
Aug  6 10:05:33 knox3 snort: telnet_decode arguments:
Aug  6 10:05:33 knox3 snort:     Ports to decode telnet on: 21 23 25 119

Aug  6 10:05:35 knox3 snort: Snort initialization completed successfully
#################################

It does fire up in Daemon mode, just not quietly like the other one
does.

I'm thinking it might be related to the fact that you only get 1
instance when you run the select and I get 141.

I tried just doing a "select * from signature;" just to satisfy my own
curiosity and got tired of watching the output at around record
10,000-ish and cancelled out; there was lots of output for the records
that aren't getting inserted.

--Bryan

On Wed, 2003-08-06 at 10:09, Everist, Benjamin S. (NASWI) wrote:
Be my guest.  Another question - you wrote in another post:
"the 2.0.0 box starts quietly and I don't see any output when I run
the script, the 2.0.1 box scrolls the regular startup output when
started."

Snort scrolling the startup output to stdout sounds like it -isn't-
starting in Daemon mode.  What's up with that?

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Wednesday, August 06, 2003 9:58 AM
To: Everist, Benjamin S. (NASWI)
Subject: RE: [Snort-users] snort warnings


I, uhm... get 141 rows....

Odd... mind if I repost your message to the list?


--Bryan

On Wed, 2003-08-06 at 09:47, Everist, Benjamin S. (NASWI) wrote:
Just out of curiosity, if you log into postgres and issue the
following query:

select * from signature where sig_name = 'WEB-CGI adcycle access' and sig_rev = 3 and sig_sid = 1721;

what do you get?  In mysql, I get:

+--------+------------------------+--------------+--------------+---------+---------+
| sig_id | sig_name               | sig_class_id | sig_priority | sig_rev | sig_sid |
+--------+------------------------+--------------+--------------+---------+---------+
|     39 | WEB-CGI adcycle access |            5 |            2 |       3 |    1721 |
+--------+------------------------+--------------+--------------+---------+---------+
1 row in set (0.00 sec)

It looks as if snort is expecting one record and getting >1.  Snort is
then writing the error to stdout.


-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Tuesday, August 05, 2003 3:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort warnings


I get tons of these errors

Aug  5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND  sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug  5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND  sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug  5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'
Aug  5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'

The odd thing is, this is set to run in daemon mode and log to postgres,
so I'm not sure why I'm even getting the errors to stdout.

This is the script I'm using to start snort.

snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.178)'

snort -o -b -l /var/www/htdocs/snort/fxp1 -d -D -i fxp1 -c /usr/local/share/snort/fxp1.conf not host '(192.233.100.178)'

any ideas?

--Bryan
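As an added example (not from the thread, and not Snort's own code), a small Python check for the condition discussed above: it parses the database plugin's "returned more than one result" warning lines to list the affected signatures, then runs the duplicate-finding query against a constructed copy of the signature table, with sqlite3 standing in for postgres and made-up rows. The column names are the ones shown in the thread; the sample log lines and rows are constructed.

```python
import re
import sqlite3

# Constructed sample of the warnings from the thread (shortened to one line each).
SAMPLE_LOG = """\
Aug  5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND  sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug  5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'
Aug  5 14:48:11 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-MISC robots.txt access' AND  sig_rev = 2 AND sig_sid = 1852 ) returned more than one result
"""
# Pulls the signature key out of the SELECT the plugin echoes in its warning.
WARN_RE = re.compile(
    r"sig_name = '(?P<name>[^']*)' AND\s+sig_rev = (?P<rev>\d+)\s+AND\s+"
    r"sig_sid = (?P<sid>\d+) \) returned more than one result"
)

def affected_signatures(log_text):
    """Set of (sig_name, sig_rev, sig_sid) that the warning lines name."""
    found = set()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found.add((m.group("name"), int(m.group("rev")), int(m.group("sid"))))
    return found

# Same columns as the signature table shown in the thread; sqlite3 stands in for postgres.
SCHEMA = ("CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, "
          "sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER)")
# Groups where the plugin's lookup (by name, rev and sid, not by sig_id) gets more than one row.
DUPLICATE_QUERY = """
SELECT sig_name, sig_rev, sig_sid, COUNT(*) AS copies, MIN(sig_id) AS keep_id
FROM signature
GROUP BY sig_name, sig_rev, sig_sid
HAVING COUNT(*) > 1
ORDER BY copies DESC, sig_sid
"""
# Constructed rows: 'adcycle' is present three times under different sig_ids.
SAMPLE_ROWS = [
    (39, "WEB-CGI adcycle access", 5, 2, 3, 1721),
    (40, "WEB-MISC robots.txt access", 5, 2, 2, 1852),
    (41, "WEB-CGI adcycle access", 5, 2, 3, 1721),
    (42, "WEB-CGI adcycle access", 5, 2, 3, 1721),
]

def find_duplicates(rows):
    """Load rows into an in-memory table; return (name, rev, sid, copies, keep_id) per duplicate group."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn.execute(DUPLICATE_QUERY).fetchall()
```

keep_id is the lowest sig_id in each group, the one to leave in place when the extra rows are deleted; adding a UNIQUE index on (sig_name, sig_rev, sig_sid) afterwards is a suggested way to stop them coming back, not something the thread's schema shows.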
