Snort mailing list archives

RE: Problems with snort


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Mon, 26 Apr 2004 10:05:13 -0500

Are you on a switch?  Where are you looking for alerts?

 
 

  _____  

From: Adriano Bandeira de Araújo [mailto:adriano.araujo () planejamento gov br] 
Sent: Monday, April 26, 2004 7:49 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problems with snort




Hi, 

I have a problem... I installed Snort with MySQL and ACID (Red Hat 9), but it doesn't show me any alerts. 

Here is the part of the syslog: 

Apr 26 10:37:22 russoe kernel: device eth0 entered promiscuous mode 
Apr 26 10:37:22 russoe snort: Initializing daemon mode 
Apr 26 10:37:22 russoe snort: PID path stat checked out ok, PID path set to /var/run/ 
Apr 26 10:37:22 russoe snort: Writing PID "6768" to file "/var/run//snort_eth0.pid" 
Apr 26 10:37:22 russoe snort: ,-----------[Flow Config]---------------------- 
Apr 26 10:37:22 russoe snort: | Stats Interval:  0 
Apr 26 10:37:22 russoe snort: | Hash Method:     2 
Apr 26 10:37:22 russoe snort: | Memcap:          10485760 
Apr 26 10:37:22 russoe snort: | Rows  :          4099 
Apr 26 10:37:22 russoe snort: | Overhead Bytes:  16400(%0.16) 
Apr 26 10:37:22 russoe snort: `---------------------------------------------- 
Apr 26 10:37:22 russoe snort: HttpInspect Config: 
Apr 26 10:37:22 russoe snort:     GLOBAL CONFIG 
Apr 26 10:37:22 russoe snort:       Max Pipeline Requests:    0 
Apr 26 10:37:22 russoe snort:       Inspection Type:          STATELESS 
Apr 26 10:37:22 russoe snort:       Detect Proxy Usage:       NO 
Apr 26 10:37:22 russoe snort:       IIS Unicode Map Filename: /etc/snort/unicode.map 
Apr 26 10:37:22 russoe snort:       IIS Unicode Map Codepage: 1252 
Apr 26 10:37:22 russoe snort:     DEFAULT SERVER CONFIG: 
Apr 26 10:37:22 russoe snort:       Ports: 
Apr 26 10:37:22 russoe snort: 80 
Apr 26 10:37:22 russoe snort: 8080 
Apr 26 10:37:22 russoe snort: 8180 
Apr 26 10:37:22 russoe snort: 
Apr 26 10:37:22 russoe snort:       Flow Depth: 300 
Apr 26 10:37:22 russoe snort:       Max Chunk Length: 500000 
Apr 26 10:37:22 russoe snort:       Inspect Pipeline Requests: YES 
Apr 26 10:37:22 russoe snort:       URI Discovery Strict Mode: NO 
Apr 26 10:37:22 russoe snort:       Allow Proxy Usage: NO 
Apr 26 10:37:22 russoe snort:       Disable Alerting: NO 
Apr 26 10:37:22 russoe snort:       Oversize Dir Length: 500 
Apr 26 10:37:22 russoe snort:       Only inspect URI: NO 
Apr 26 10:37:22 russoe snort:       Ascii: YES alert: NO 
Apr 26 10:37:22 russoe snort:       Double Decoding: YES alert: YES 
Apr 26 10:37:22 russoe snort:       %U Encoding: YES alert: YES 
Apr 26 10:37:22 russoe snort:       Bare Byte: YES alert: YES 
Apr 26 10:37:22 russoe snort:       Base36: OFF 
Apr 26 10:37:22 russoe snort:       UTF 8: OFF 
Apr 26 10:37:22 russoe snort:       IIS Unicode: YES alert: YES 
Apr 26 10:37:22 russoe snort:       Multiple Slash: YES alert: NO 
Apr 26 10:37:22 russoe snort:       IIS Backslash: YES alert: NO 
Apr 26 10:37:22 russoe snort:       Directory: YES alert: NO 
Apr 26 10:37:22 russoe snort:       Apache WhiteSpace: YES alert: YES 
Apr 26 10:37:22 russoe snort:       IIS Delimiter: YES alert: YES 
Apr 26 10:37:22 russoe snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
Apr 26 10:37:22 russoe snort:       Non-RFC Compliant Characters: 
Apr 26 10:37:22 russoe snort: NONE 
Apr 26 10:37:22 russoe snort: 
Apr 26 10:37:22 russoe snort: rpc_decode arguments: 
Apr 26 10:37:22 russoe snort:     Ports to decode RPC on: 111 32771 
Apr 26 10:37:22 russoe snort:     alert_fragments: INACTIVE 
Apr 26 10:37:22 russoe snort:     alert_large_fragments: ACTIVE 
Apr 26 10:37:22 russoe snort:     alert_incomplete: ACTIVE 
Apr 26 10:37:22 russoe snort:     alert_multiple_requests: ACTIVE 
Apr 26 10:37:22 russoe snort: telnet_decode arguments: 
Apr 26 10:37:22 russoe snort:     Ports to decode telnet on: 21 23 25 119
Apr 26 10:37:22 russoe snort: Snort initialization completed successfully




############################################################################################################################

The command # snort -c /etc/snort/snort.conf shows me.... 


Running in IDS mode 
Log directory = /var/log/snort 

Initializing Network Interface eth0 

        --== Initializing Snort ==-- 
Initializing Output Plugins! 
Decoding Ethernet on interface eth0 
Initializing Preprocessors! 
Initializing Plug-ins! 
Parsing Rules file /etc/snort/snort.conf 

+++++++++++++++++++++++++++++++++++++++++++++++++++ 
Initializing rule chains... 
,-----------[Flow Config]---------------------- 
| Stats Interval:  0 
| Hash Method:     2 
| Memcap:          10485760 
| Rows  :          4099 
| Overhead Bytes:  16400(%0.16) 
`---------------------------------------------- 
No arguments to frag2 directive, setting defaults to: 
    Fragment timeout: 60 seconds 
    Fragment memory cap: 4194304 bytes 
    Fragment min_ttl:   0 
    Fragment ttl_limit: 5 
    Fragment Problems: 0 
    Self preservation threshold: 500 
    Self preservation period: 90 
    Suspend threshold: 1000 
    Suspend period: 30 
Stream4 config: 
    Stateful inspection: ACTIVE 
    Session statistics: INACTIVE 
    Session timeout: 30 seconds 
    Session memory cap: 8388608 bytes 
    State alerts: INACTIVE 
    Evasion alerts: INACTIVE 
    Scan alerts: INACTIVE 
    Log Flushed Streams: INACTIVE 
    MinTTL: 1 
    TTL Limit: 5 
    Async Link: 0 
    State Protection: 0 
    Self preservation threshold: 50 
    Self preservation period: 90 
    Suspend threshold: 200 
    Suspend period: 30 
Stream4_reassemble config: 
    Server reassembly: INACTIVE 
    Client reassembly: ACTIVE 
    Reassembler alerts: ACTIVE 
    Zero out flushed packets: INACTIVE 
    flush_data_diff_size: 500 
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
HttpInspect Config: 
    GLOBAL CONFIG 
      Max Pipeline Requests:    0 
      Inspection Type:          STATELESS 
      Detect Proxy Usage:       NO 
      IIS Unicode Map Filename: /etc/snort/unicode.map 
      IIS Unicode Map Codepage: 1252 
    DEFAULT SERVER CONFIG: 
      Ports: 80 8080 8180 
      Flow Depth: 300 
      Max Chunk Length: 500000 
      Inspect Pipeline Requests: YES 
      URI Discovery Strict Mode: NO 
      Allow Proxy Usage: NO 
      Disable Alerting: NO 
      Oversize Dir Length: 500 
      Only inspect URI: NO 
      Ascii: YES alert: NO 
      Double Decoding: YES alert: YES 
      %U Encoding: YES alert: YES 
      Bare Byte: YES alert: YES 
      Base36: OFF 
      UTF 8: OFF 
      IIS Unicode: YES alert: YES 
      Multiple Slash: YES alert: NO 
      IIS Backslash: YES alert: NO 
      Directory: YES alert: NO 
      Apache WhiteSpace: YES alert: YES 
      IIS Delimiter: YES alert: YES 
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
      Non-RFC Compliant Characters: NONE 
rpc_decode arguments: 
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE 
    alert_large_fragments: ACTIVE 
    alert_incomplete: ACTIVE 
    alert_multiple_requests: ACTIVE 
telnet_decode arguments: 
    Ports to decode telnet on: 21 23 25 119 
database: compiled support for ( mysql ) 
database: configured to use mysql 
database:          user = snort 
database: password is set 
database: database name = snort 
database:          host = localhost 
database:   sensor name = 10.9.1.250 
database:     sensor id = 1 
database: schema version = 106 
database: using the "log" facility 
1773 Snort rules read... 
1773 Option Chains linked into 170 Chain Headers 
0 Dynamic rules 
+++++++++++++++++++++++++++++++++++++++++++++++++++ 


+-----------------------[thresholding-config]---------------------------------- 
| memory-cap : 1048576 bytes 
+-----------------------[thresholding-global]---------------------------------- 
| none 
+-----------------------[thresholding-local]----------------------------------- 
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60 
+-----------------------[suppression]------------------------------------------ 
------------------------------------------------------------------------------- 
Rule application order: ->activation->dynamic->alert->pass->log 

        --== Initialization Complete ==-- 

-*> Snort! <*- 
Version 2.1.2 (Build 25) 
By Martin Roesch (roesch () sourcefire com, www.snort.org) 





Adriano Bandeira de Araújo 
Secretaria de Orçamento Federal - SOF 
(61) 348-2111  




Disclaimer:
This electronic message, including any attachments, is confidential and intended solely for use of the intended 
recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by 
applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have 
received this message in error, please delete it and notify the sender immediately. 


