Snort mailing list archives

Figured it out!: Snort not outputting statistics on exit


From: "Mark Ewert" <mewert () ihcis com>
Date: Sun, 16 Nov 2003 16:00:50 -0500

Greetings,

I figured it out. I had been searching and searching Google for an
answer and finally found it. Seems there is a bug in snort.c (located
within the /src subdirectory of the install package). Here's a link to
the fix provided by Chris Green cmg () sourcefire com:
http://www.pantek.com/library/general/lists/snort.org/snort-devel/msg00522.html .

Here's the detail:

This problem seems only to occur in Daemon mode. To fix it:

Change In snort.c

    /* Print Statistics */
    if(!pv.test_mode_flag)
    {
        fpShowEventStats();
        DropStats(0);
    }

to

    /* Print Statistics */
    if(!pv.test_mode_flag)
    {
        fpShowEventStats();
        pv.quiet_flag = 0;
        DropStats(0);
        pv.quiet_flag = 1;
    }
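As an added illustration (this is not Snort's code and not part of the original post), the reduced model below shows why the statistics vanish in daemon mode and what the two-line change above does. The names pv, quiet_flag, test_mode_flag and DropStats mirror the snippet; LogMessage, start_sensor, the buffer-based logging and the assumption that -D sets quiet_flag at startup are constructed for the example. It also goes one step beyond the posted patch: instead of restoring a hard-coded 1, it saves and restores the previous value of quiet_flag, so a foreground run that was never quiet stays that way.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Snort's global program-variables struct (the real one has
 * many more fields; these three are the ones the fix touches or depends on). */
struct ProgVars {
    int daemon_flag;     /* -D: detach from the terminal */
    int quiet_flag;      /* -q; assumption: also set when -D is given */
    int test_mode_flag;  /* -T: test configuration and exit */
};

static struct ProgVars pv;

/* Stand-in for Snort's LogMessage(): quiet mode suppresses the line.
 * Appends to a caller-supplied buffer instead of syslog so the effect can
 * be checked; returns 1 if written, 0 if suppressed. */
static int LogMessage(char *sink, size_t cap, const char *msg)
{
    if (pv.quiet_flag)
        return 0;
    strncat(sink, msg, cap - strlen(sink) - 1);
    return 1;
}

/* Stand-in for DropStats(): emits the two summary lines a sensor operator
 * wants at shutdown (constructed sample values). Returns lines written. */
static int DropStats(char *sink, size_t cap)
{
    int written = 0;
    written += LogMessage(sink, cap, "Snort analyzed 1000 out of 1000 packets\n");
    written += LogMessage(sink, cap, "dropping 0(0.000%) packets\n");
    return written;
}

/* Exit path as in the unpatched snippet: in daemon mode quiet_flag is set,
 * so the statistics never reach the log. */
int shutdown_original(char *sink, size_t cap)
{
    if (pv.test_mode_flag)
        return 0;
    return DropStats(sink, cap);
}

/* Exit path with the fix: clear quiet_flag just for DropStats(). The page's
 * patch restores a hard-coded 1; saving the previous value instead keeps a
 * foreground, non-quiet run exactly as it was. */
int shutdown_fixed(char *sink, size_t cap)
{
    if (pv.test_mode_flag)
        return 0;
    int saved = pv.quiet_flag;
    pv.quiet_flag = 0;
    int written = DropStats(sink, cap);
    pv.quiet_flag = saved;
    return written;
}

/* Simulated startup: -D implies quiet output (assumption modelled on the
 * behaviour the report describes). */
void start_sensor(int daemon_mode)
{
    memset(&pv, 0, sizeof pv);
    pv.daemon_flag = daemon_mode;
    pv.quiet_flag = daemon_mode;
}

int main(void)
{
    char log[256] = "";
    start_sensor(1);
    printf("daemon, unpatched: %d stat lines logged\n",
           shutdown_original(log, sizeof log));
    printf("daemon, patched:   %d stat lines logged\n%s",
           shutdown_fixed(log, sizeof log), log);
    return 0;
}
```

Running the model with a daemon-mode start logs nothing on the unpatched path and both summary lines on the patched one, which is the difference the report observed in /var/log/messages; the test-mode branch is unchanged by either variant, matching the `-T` runs quoted further down.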

After doing this, Snort not only properly outputs stats in
/var/log/messages on exit but it also tells me which libpcap I am using
on startup, which is great because I'm experimenting with Phil Wood's
libpcap8 with ring support and wasn't sure how to tell if Snort was
actually using it! Sorry I didn't find the solution before posting to
the group. I'm going to try the same fix (if required) after installing
v2.0.4.

Mark

---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com


-----Original Message-----
From: Mark Ewert 
Sent: Sunday, November 16, 2003 3:27 PM
To: snort-users () lists sourceforge net
Subject: Snort not outputting statistics on exit

Greetings,

I'm having an odd problem that just started with my Snort sensors. When
I shut down Snort (either via kill or the stop command with the startup
script) Snort no longer outputs its performance statistics in
/var/log/messages - it just lists: Snort Exiting. I may be going crazy
but I believe it used to output the stats there - I've seen them
recently as I've been working to improve Snort rule performance and am
looking for the packet loss data. Any idea what I'm doing wrong?

Here's my Snort command line from one of my sensors: snort -c
/etc/snort/snort.conf -i eth1 -D . I'm using the unified log and alert
output options and mudpit to process them. Oh - currently running: Snort
2.0.2 but will be upgrading to 2.0.4 ASAP. 

Here's the snort.conf from the same sensor - it's an un-tuned test
sensor so it's definitely not optimized:

#
## Variables
## ---------
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
var DNS_SERVERS 192.168.1.200
var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
var HTTP_PORTS 80
var SQL_SERVERS [192.168.1.117/32,192.168.1.200/32]
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------
output log_unified: filename /var/log/snort1/unified_log, limit 128
#
output alert_unified: filename /var/log/snort1/unified_alert, limit 128
#
## Custom Rules
## ------------
config disable_decode_alerts
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
## Include Files
## -------------
include classification.config
include reference.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

and the output from snort -T -i eth1 -c /etc/snort/snort.conf :

-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
 
Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting
[root@vlnxsvr5 root]# snort -T -i eth1 -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort
 
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup: 
        eth1: no IPv4 address assigned
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
1458 Snort rules read...
1458 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
 
Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting

THANKS IN ADVANCE.

Mark

-------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
