Snort mailing list archives
RE: snort warnings
From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 06 Aug 2003 10:30:58 -0700
it is getting started in Daemon mode I just see the data go by. It might be unrelated to my current problem, and I only bring it up because it might be related. But when I run

###paste good command###
snort -o -b -l /var/www/htdocs/snort/xl1 -d -D -i xl1 -c /usr/local/share/snort/xl1.conf not host '(10.0.0.2)'
########################

I don't get any output, it just drops me down a line, but when I run

###paste bad command###
snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.78)'
#######################

I get this:

###Paste output from bad command###
#
Aug 6 10:05:33 knox3 snort: Initializing daemon mode
Aug 6 10:05:33 knox3 snort: PID path stat checked out ok, PID path set to /var/run/
Aug 6 10:05:33 knox3 snort: Writing PID "25358" to file "/var/run//snort_fxp1.pid"
Aug 6 10:05:33 knox3 snort: http_decode arguments:
Aug 6 10:05:33 knox3 snort: Unicode decoding
Aug 6 10:05:33 knox3 snort: IIS alternate Unicode decoding
Aug 6 10:05:33 knox3 snort: IIS double encoding vuln
Aug 6 10:05:33 knox3 snort: Flip backslash to slash
Aug 6 10:05:33 knox3 snort: Include additional whitespace separators
Aug 6 10:05:33 knox3 snort: Ports to decode http on: 80
Aug 6 10:05:33 knox3 snort: rpc_decode arguments:
Aug 6 10:05:33 knox3 snort: Ports to decode RPC on: 111 32771
Aug 6 10:05:33 knox3 snort: alert_fragments: INACTIVE
Aug 6 10:05:33 knox3 snort: alert_large_fragments: ACTIVE
Aug 6 10:05:33 knox3 snort: alert_incomplete: ACTIVE
Aug 6 10:05:33 knox3 snort: alert_multiple_requests: ACTIVE
Aug 6 10:05:33 knox3 snort: telnet_decode arguments:
Aug 6 10:05:33 knox3 snort: Ports to decode telnet on: 21 23 25 119
Aug 6 10:05:35 knox3 snort: Snort initialization completed successfully
#################################

It does fire up in Daemon mode, just not quietly like the other one does. I'm thinking it might be related to the fact that you only get 1 instance when you run the select and I get 141.

I tried just doing a "select * from signature;" just to satisfy my own curiosity and got tired of watching the output at around record 10,000-ish and canceled out; there was lots of output for the records that aren't getting inserted.

--Bryan

On Wed, 2003-08-06 at 10:09, Everist, Benjamin S. (NASWI) wrote:
be my guest.

Another question - you wrote in another post: "the 2.0.0 box starts quietly and I don't see any output when I run the script, the 2.0.1 box scrolls the regular startup output when started." Snort scrolling the startup output to stdout sounds like it -isn't- starting in Daemon mode. What's up with that?

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Wednesday, August 06, 2003 9:58 AM
To: Everist, Benjamin S. (NASWI)
Subject: RE: [Snort-users] snort warnings

i uhm...get 141 rows.... odd...mind if I repost your message to the list?

--Bryan

On Wed, 2003-08-06 at 09:47, Everist, Benjamin S. (NASWI) wrote:

Just out of curiosity, if you log into postgres and issue the following query:

select * from signature where sig_name = 'WEB-CGI adcycle access' and sig_rev = 3 and sig_sid = 1721;

what do you get? In mysql, I get:

+--------+------------------------+--------------+--------------+---------+---------+
| sig_id | sig_name               | sig_class_id | sig_priority | sig_rev | sig_sid |
+--------+------------------------+--------------+--------------+---------+---------+
|     39 | WEB-CGI adcycle access |            5 |            2 |       3 |    1721 |
+--------+------------------------+--------------+--------------+---------+---------+
1 row in set (0.00 sec)

It looks as if snort is expecting one record and getting >1. Snort is then writing the error to stdout.
-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Tuesday, August 05, 2003 3:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort warnings

I get tons of these errors

Aug 5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug 5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug 5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'
Aug 5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'

the odd thing is, this is set to run in daemon mode and log to postgres so i'm not sure why i'm even getting the errors to stdout.

This is the script I'm using to start snort.

snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.178)'
snort -o -b -l /var/www/htdocs/snort/fxp1 -d -D -i fxp1 -c /usr/local/share/snort/fxp1.conf not host '(192.233.100.178)'

any ideas?

--Bryan
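The condition behind the "returned more than one result" warning above, reproduced in a constructed example. This is added here and is not code from the thread, from Snort, or from its database output plugin. It builds an in-memory SQLite table with the six columns shown in Benjamin's mysql output, seeds it with the same signature inserted three times (sig_id 39 is from the thread; the other sig_id values and the second rule are made up), runs the lookup query quoted in the warning, lists every (sig_name, sig_rev, sig_sid) group that occurs more than once, and collapses each group onto its lowest sig_id. The small `event` table with its `signature` column is an assumed, simplified stand-in for however alerts reference signatures in the real schema; it is there so the example shows that referencing rows must be re-pointed before duplicate signature rows are deleted.

```python
import sqlite3

# Constructed sample data: the 'signature' columns are the six shown in the thread's
# mysql output. sig_id 39 comes from the thread; 40, 41 and the second rule are made up.
SIGNATURE_ROWS = [
    (39, "WEB-CGI adcycle access", 5, 2, 3, 1721),
    (40, "WEB-CGI adcycle access", 5, 2, 3, 1721),
    (41, "WEB-CGI adcycle access", 5, 2, 3, 1721),
    (42, "CONSTRUCTED example rule", 5, 2, 1, 9000001),  # not duplicated
]
# Assumed, simplified stand-in for the alert/event table: each alert points at one sig_id.
EVENT_ROWS = [(1, 39), (2, 40), (3, 41), (4, 42)]

# The lookup quoted in the warning lines of the thread, parameterised.
LOOKUP_SQL = ("SELECT sig_id FROM signature "
              "WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ?")

# Every identity stored more than once, with the copy count and the lowest sig_id.
DUPLICATES_SQL = """
    SELECT sig_name, sig_rev, sig_sid, COUNT(*) AS copies, MIN(sig_id) AS keep_id
    FROM signature
    GROUP BY sig_name, sig_rev, sig_sid
    HAVING COUNT(*) > 1
"""


def build_db(sig_rows=SIGNATURE_ROWS, event_rows=EVENT_ROWS):
    """Create the in-memory tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE signature (
        sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_class_id INTEGER,
        sig_priority INTEGER, sig_rev INTEGER NOT NULL, sig_sid INTEGER NOT NULL)""")
    conn.execute("CREATE TABLE event (cid INTEGER PRIMARY KEY, signature INTEGER NOT NULL)")
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?, ?, ?)", sig_rows)
    conn.executemany("INSERT INTO event VALUES (?, ?)", event_rows)
    conn.commit()
    return conn


def lookup_sig_id(conn, sig_name, sig_rev, sig_sid):
    """Run the warning's lookup, which expects exactly one row.

    Returns the sig_id, None when the signature is not stored yet, and raises
    LookupError when more than one row comes back (the thread's failure case).
    """
    rows = conn.execute(LOOKUP_SQL, (sig_name, sig_rev, sig_sid)).fetchall()
    if len(rows) > 1:
        raise LookupError(f"({LOOKUP_SQL}) returned more than one result: {len(rows)}")
    return rows[0][0] if rows else None


def find_duplicates(conn):
    """List duplicated (sig_name, sig_rev, sig_sid) groups as
    (sig_name, sig_rev, sig_sid, copies, keep_id) tuples."""
    return conn.execute(DUPLICATES_SQL).fetchall()


def dedupe_signatures(conn):
    """Collapse each duplicate group onto its lowest sig_id.

    Events that reference a doomed copy are re-pointed to the survivor first,
    then the extra rows are deleted, and a unique index keeps the table from
    drifting back into this state. Returns the number of rows removed.
    """
    removed = 0
    for sig_name, sig_rev, sig_sid, _copies, keep_id in find_duplicates(conn):
        group = (sig_name, sig_rev, sig_sid, keep_id)
        conn.execute("""UPDATE event SET signature = ?
            WHERE signature IN (SELECT sig_id FROM signature
                                WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ?
                                  AND sig_id <> ?)""", (keep_id,) + group)
        cur = conn.execute("""DELETE FROM signature
            WHERE sig_name = ? AND sig_rev = ? AND sig_sid = ? AND sig_id <> ?""", group)
        removed += cur.rowcount
    conn.execute("""CREATE UNIQUE INDEX IF NOT EXISTS signature_identity
                    ON signature (sig_name, sig_rev, sig_sid)""")
    conn.commit()
    return removed


if __name__ == "__main__":
    db = build_db()
    print("duplicate groups before cleanup:", find_duplicates(db))
    try:
        lookup_sig_id(db, "WEB-CGI adcycle access", 3, 1721)
    except LookupError as err:
        print("plugin-style lookup failed:", err)
    print("rows removed:", dedupe_signatures(db))
    print("lookup after cleanup:", lookup_sig_id(db, "WEB-CGI adcycle access", 3, 1721))
```

The GROUP BY / HAVING query is plain SQL and runs unchanged against a postgres or mysql signature table, so it is the quickest way to see how many of Bryan's 141 rows are distinct identities and which sig_id each group should keep. Whether events in a real schema need the same re-pointing, and through which column, has to be checked against that schema before deleting anything; the unique index is what prevents the warning from coming back.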
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Current thread:
- snort warnings Bryan Irvine (Aug 05)
- <Possible follow-ups>
- RE: snort warnings Everist, Benjamin S. (NASWI) (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Erek Adams (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Everist, Benjamin S. (NASWI) (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Everist, Benjamin S. (NASWI) (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Michael J. McCasland (Aug 07)