Snort mailing list archives

SnortSAM + Snort 2.3.3


From: Xavier Cabrera <xavierc () devilcrack org>
Date: Mon, 02 May 2005 13:59:47 -0500

I have recently had problems with Snort 2.3.3 and SnortSAM.

Snort can detect the attack but doesn't send the packet to the SnortSAM machine.

What could have happened??

Previously I made them work with previous releases.

Can anyone help me???

This is my INFO

###############################
### /var/log/messages##############
##############################

May  2 13:52:52 core snort: Initializing daemon mode
May 2 13:52:52 core snort: DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...

!

May  2 13:52:53 core snort: command line overrides rules file alert plugin!
May  2 13:52:53 core snort:       IIS Unicode: YES alert: YES
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May  2 13:52:53 core snort:       Multiple Slash: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: 5minutes
May  2 13:52:53 core snort:       IIS Backslash: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May  2 13:52:53 core snort:       Directory Traversal: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May  2 13:52:53 core snort:       Web Root Traversal: YES alert: YES
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May  2 13:52:53 core snort:       Apache WhiteSpace: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May  2 13:52:53 core snort:       IIS Delimiter: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May  2 13:52:53 core snort:       Non-RFC Compliant Characters: NONE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May  2 13:52:53 core snort: rpc_decode arguments:
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes May 2 13:52:53 core snort: Ports to decode RPC on: 111 32771 May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May  2 13:52:53 core snort:     alert_fragments: INACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May  2 13:52:53 core snort:     alert_large_fragments: ACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May  2 13:52:53 core snort:     alert_incomplete: ACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May  2 13:52:53 core snort:     alert_multiple_requests: ACTIVE
May  2 13:52:53 core snort: telnet_decode arguments:
May 2 13:52:53 core snort: Ports to decode telnet on: 21 23 25 119 May 2 13:52:53 core snort: Portscan Detection Config:
May  2 13:52:53 core snort:     Detect Protocols:  TCP UDP ICMP IP
May 2 13:52:53 core snort: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
May  2 13:52:53 core snort:     Sensitivity Level: Low
May  2 13:52:53 core snort:     Memcap (in bytes): 10000000
May  2 13:52:53 core snort:     Number of Nodes:   36900
May 2 13:52:53 core snort: May 2 13:52:53 core snort: command line overrides rules file alert plugin! May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: 5minutes May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing... May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes


#########################################
######## /etc/snortsam/snortsam.conf   #########
########################################

defaultkey mypassword

port 898

accept 127.0.0.1/32, mypassword

bindip 127.0.0.1

########################################
#########/etc/snort/snort.conf   ##############
########################################

output alert_fwsam: 127.0.0.1:898/mypassword


#######################################
######## /var/log/eth0/alert  ###############
######################################

05/02-13:51:53.460764 [**] [1:499:4] ICMP Large ICMP Packet Protegida por SnortSAM 5 minutos [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} x.y.z.10 -> a.b.c.1

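An added troubleshooting helper, not from the post and not part of Snort or SnortSAM: it parses the `output alert_fwsam:` station list from snort.conf and the `port`, `accept`, `defaultkey` and `bindip` lines from snortsam.conf, then reports where the two sides disagree (port, key, bind address, or no `accept` entry covering the sensor's source address). The station syntax `host[:port][/key]`, the 898 default port and the sensor source address `127.0.0.1` are assumptions; the config strings are constructed copies of the fragments quoted above.

```python
import ipaddress
import re

# Constructed copies of the two fragments quoted in the post, not the poster's files.
SNORT_CONF = "output alert_fwsam: 127.0.0.1:898/mypassword\n"
SNORTSAM_CONF = "defaultkey mypassword\nport 898\naccept 127.0.0.1/32, mypassword\nbindip 127.0.0.1\n"

# Assumed station syntax: host[:port][/key], several stations separated by spaces.
STATION = re.compile(r"([^:/]+)(?::(\d+))?(?:/(.+))?")

def parse_alert_fwsam(snort_conf, default_port=898):  # -> [(host, port, key), ...]
    stations = []
    for line in snort_conf.splitlines():
        m = re.match(r"\s*output\s+alert_fwsam:\s*(.+)", line)
        if m:
            for station in m.group(1).split():
                host, port, key = STATION.fullmatch(station).groups()
                stations.append((host, int(port) if port else default_port, key))
    return stations

def parse_snortsam(conf):  # port, defaultkey, bindip and accept entries
    cfg = {"port": 898, "defaultkey": None, "bindip": None, "accept": []}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments; empty lines match nothing
        kw, _, arg = line.partition(" ")
        kw = kw.lower()
        if kw == "port":
            cfg["port"] = int(arg)
        elif kw in ("defaultkey", "bindip"):
            cfg[kw] = arg.strip()
        elif kw == "accept":                      # accept <net>[, <key>]
            net, _, key = arg.partition(",")
            cfg["accept"].append((ipaddress.ip_network(net.strip(), strict=False), key.strip() or None))
    return cfg

def check_pairing(snort_conf, snortsam_conf, sensor_ip="127.0.0.1"):  # [] means both sides agree
    sam = parse_snortsam(snortsam_conf)
    problems = []
    for host, port, key in parse_alert_fwsam(snort_conf):
        if port != sam["port"]:
            problems.append(f"{host}: sensor uses port {port}, station listens on {sam['port']}")
        if sam["bindip"] and host != sam["bindip"]:
            problems.append(f"{host}: station is bound to {sam['bindip']} only")
        # accept lines are matched against the sensor's source address, not the station host
        keys = [k for net, k in sam["accept"] if ipaddress.ip_address(sensor_ip) in net]
        if not keys:
            problems.append(f"{sensor_ip}: no accept line covers the sensor address")
        elif key != (keys[0] or sam["defaultkey"]):
            problems.append(f"{host}: key mismatch (sensor '{key}' vs station '{keys[0] or sam['defaultkey']}')")
    return problems
```

For the configs quoted in the post the check returns an empty list, so the port, key and bind address are consistent and the problem lies elsewhere (for example the `fwsam:` rule option or the station process itself).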