Snort mailing list archives
RE: Problems with snort
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Mon, 26 Apr 2004 10:05:13 -0500
are you on a switch? where are you looking for alerts? _____ From: Adriano Bandeira de Araújo [mailto:adriano.araujo () planejamento gov br] Sent: Monday, April 26, 2004 7:49 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Problems with snort Hi, I´m with a problem... I installed the snort with MySQL and ACID (RedHat9), but it doesn´t show me any alerts. here is the part of the syslog Apr 26 10:37:22 russoe kernel: device eth0 entered promiscuous mode Apr 26 10:37:22 russoe snort: Initializing daemon mode Apr 26 10:37:22 russoe snort: PID path stat checked out ok, PID path set to /var/run/ Apr 26 10:37:22 russoe snort: Writing PID "6768" to file "/var/run//snort_eth0.pid" Apr 26 10:37:22 russoe snort: ,-----------[Flow Config]---------------------- Apr 26 10:37:22 russoe snort: | Stats Interval: 0 Apr 26 10:37:22 russoe snort: | Hash Method: 2 Apr 26 10:37:22 russoe snort: | Memcap: 10485760 Apr 26 10:37:22 russoe snort: | Rows : 4099 Apr 26 10:37:22 russoe snort: | Overhead Bytes: 16400(%0.16) Apr 26 10:37:22 russoe snort: `---------------------------------------------- Apr 26 10:37:22 russoe snort: HttpInspect Config: Apr 26 10:37:22 russoe snort: GLOBAL CONFIG Apr 26 10:37:22 russoe snort: Max Pipeline Requests: 0 Apr 26 10:37:22 russoe snort: Inspection Type: STATELESS Apr 26 10:37:22 russoe snort: Detect Proxy Usage: NO Apr 26 10:37:22 russoe snort: IIS Unicode Map Filename: /etc/snort/unicode.map Apr 26 10:37:22 russoe snort: IIS Unicode Map Codepage: 1252 Apr 26 10:37:22 russoe snort: DEFAULT SERVER CONFIG: Apr 26 10:37:22 russoe snort: Ports: Apr 26 10:37:22 russoe snort: 80 Apr 26 10:37:22 russoe snort: 8080 Apr 26 10:37:22 russoe snort: 8180 Apr 26 10:37:22 russoe snort: Apr 26 10:37:22 russoe snort: Flow Depth: 300 Apr 26 10:37:22 russoe snort: Max Chunk Length: 500000 Apr 26 10:37:22 russoe snort: Inspect Pipeline Requests: YES Apr 26 10:37:22 russoe snort: URI Discovery Strict Mode: NO Apr 26 10:37:22 russoe snort: Allow Proxy Usage: NO Apr 26 10:37:22 russoe snort: Disable Alerting: NO Apr 26 10:37:22 russoe snort: Oversize Dir Length: 500 Apr 26 10:37:22 russoe snort: Only inspect URI: NO Apr 26 10:37:22 russoe snort: Ascii: YES alert: NO Apr 26 10:37:22 russoe snort: Double Decoding: YES alert: YES Apr 26 10:37:22 russoe snort: %U Encoding: YES alert: YES Apr 26 10:37:22 russoe snort: Bare Byte: YES alert: YES Apr 26 10:37:22 russoe snort: Base36: OFF Apr 26 10:37:22 russoe snort: UTF 8: OFF Apr 26 10:37:22 russoe snort: IIS Unicode: YES alert: YES Apr 26 10:37:22 russoe snort: Multiple Slash: YES alert: NO Apr 26 10:37:22 russoe snort: IIS Backslash: YES alert: NO Apr 26 10:37:22 russoe snort: Directory: YES alert: NO Apr 26 10:37:22 russoe snort: Apache WhiteSpace: YES alert: YES Apr 26 10:37:22 russoe snort: IIS Delimiter: YES alert: YES Apr 26 10:37:22 russoe snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Apr 26 10:37:22 russoe snort: Non-RFC Compliant Characters: Apr 26 10:37:22 russoe snort: NONE Apr 26 10:37:22 russoe snort: Apr 26 10:37:22 russoe snort: rpc_decode arguments: Apr 26 10:37:22 russoe snort: Ports to decode RPC on: 111 32771 Apr 26 10:37:22 russoe snort: alert_fragments: INACTIVE Apr 26 10:37:22 russoe snort: alert_large_fragments: ACTIVE Apr 26 10:37:22 russoe snort: alert_incomplete: ACTIVE Apr 26 10:37:22 russoe snort: alert_multiple_requests: ACTIVE Apr 26 10:37:22 russoe snort: telnet_decode arguments: Apr 26 10:37:22 russoe snort: Ports to decode telnet on: 21 23 25 119 Apr 26 10:37:22 russoe snort: Snort initialization completed successfully ############################################################################################################################ the command: #snort -c /etc/snort/snort.conf show me.... Running in IDS mode Log directory = /var/log/snort Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 8080 8180 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory: YES alert: NO Apache WhiteSpace: YES alert: YES IIS Delimiter: YES alert: YES IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 database: compiled support for ( mysql ) database: configured to use mysql database: user = snort database: password is set database: database name = snort database: host = localhost database: sensor name = 10.9.1.250 database: sensor id = 1 database: schema version = 106 database: using the "log" facility 1773 Snort rules read... 1773 Option Chains linked into 170 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-----------------------[thresholding-config]---------------------------------- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]---------------------------------- | none +-----------------------[thresholding-local]----------------------------------- | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60 +-----------------------[suppression]------------------------------------------ ------------------------------------------------------------------------------- Rule application order: ->activation->dynamic->alert->pass->log --== Initialization Complete ==-- -*> Snort! <*- Version 2.1.2 (Build 25) By Martin Roesch (roesch () sourcefire com, www.snort.org) Adriano Bandeira de Araújo Secretaria de Orçamento Federal - SOF (61) 348-2111 Disclaimer: This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately.
Current thread:
- Problems with snort Adriano Bandeira de Araújo (Apr 26)
- Re: Problems with snort Alejandro Flores (Apr 26)
- <Possible follow-ups>
- RE: Problems with snort Harper, Patrick (Apr 26)