Snort mailing list archives
SnortSAM + Snort 2.3.3
From: Xavier Cabrera <xavierc () devilcrack org>
Date: Mon, 02 May 2005 13:59:47 -0500
I have recently had problems with Snort 2.3.3 and SnortSAM. Snort can detect the attack but doesn't send the packet to the SnortSAM machine.
What can have happened?? Previously I made them work with previous releases. Can anyone help me??? This is my INFO:

###############################
### /var/log/messages ##########
##############################

May 2 13:52:52 core snort: Initializing daemon mode
May 2 13:52:52 core snort: DEBUG => [Alert_FWsam](AlertFWsamSetup) Output plugin is plugged in...
May 2 13:52:53 core snort: command line overrides rules file alert plugin!
May 2 13:52:53 core snort: IIS Unicode: YES alert: YES
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: Multiple Slash: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: 5minutes
May 2 13:52:53 core snort: IIS Backslash: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: Directory Traversal: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May 2 13:52:53 core snort: Web Root Traversal: YES alert: YES
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: Apache WhiteSpace: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May 2 13:52:53 core snort: IIS Delimiter: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May 2 13:52:53 core snort: Non-RFC Compliant Characters: NONE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: rpc_decode arguments:
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May 2 13:52:53 core snort: Ports to decode RPC on: 111 32771
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: alert_fragments: INACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May 2 13:52:53 core snort: alert_large_fragments: ACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: alert_incomplete: ACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May 2 13:52:53 core snort: alert_multiple_requests: ACTIVE
May 2 13:52:53 core snort: telnet_decode arguments:
May 2 13:52:53 core snort: Ports to decode telnet on: 21 23 25 119
May 2 13:52:53 core snort: Portscan Detection Config:
May 2 13:52:53 core snort: Detect Protocols: TCP UDP ICMP IP
May 2 13:52:53 core snort: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
May 2 13:52:53 core snort: Sensitivity Level: Low
May 2 13:52:53 core snort: Memcap (in bytes): 10000000
May 2 13:52:53 core snort: Number of Nodes: 36900
May 2 13:52:53 core snort:
May 2 13:52:53 core snort: command line overrides rules file alert plugin!
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: 5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit) Parse Options Args: src,1minutes

#########################################
######## /etc/snortsam/snortsam.conf #########
########################################

defaultkey mypassword
port 898
accept 127.0.0.1/32, mypassword
bindip 127.0.0.1

########################################
######### /etc/snort/snort.conf ##############
########################################

output alert_fwsam: 127.0.0.1:898/mypassword

#######################################
######## /var/log/eth0/alert ###############
######################################

05/02-13:51:53.460764 [**] [1:499:4] ICMP Large ICMP Packet Protegida por SnortSAM 5 minutos [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} x.y.z.10 -> a.b.c.1
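Added example, not part of the post and not SnortSAM's own code: a small consistency check for the sensor-to-agent pairing that the two configuration fragments above describe. It parses the `output alert_fwsam:` station list from snort.conf (host[:port][/key]) and the `port`, `defaultkey`, `bindip` and `accept` directives from snortsam.conf, then reports any station whose port, source address or key the agent would not accept. The accept list is matched against the address the agent sees the sensor connect from (assumed here to be 127.0.0.1, since both sides run on loopback in the post), which is the value to supply when the sensor and agent are on different hosts. The config strings are constructed copies of the fragments quoted in the post.

```python
import ipaddress
import re

# Constructed copies of the two configuration fragments quoted in the post.
SNORTSAM_CONF = """\
defaultkey mypassword
port 898
accept 127.0.0.1/32, mypassword
bindip 127.0.0.1
"""
SNORT_CONF = "output alert_fwsam: 127.0.0.1:898/mypassword\n"

# Port assumed when a station omits one (the value used in the post).
DEFAULT_FWSAM_PORT = 898


def parse_snortsam_conf(text):
    """Extract port, defaultkey, bindip and the accept list from a snortsam.conf.

    Only the directives relevant to sensor pairing are parsed; everything else
    is ignored. Accept entries become (network, key) tuples, key None when the
    entry relies on defaultkey.
    """
    cfg = {"port": DEFAULT_FWSAM_PORT, "defaultkey": None, "bindip": None, "accept": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if directive == "port":
            cfg["port"] = int(rest)
        elif directive == "defaultkey":
            cfg["defaultkey"] = rest
        elif directive == "bindip":
            cfg["bindip"] = rest
        elif directive == "accept":
            net_s, _, key = (p.strip() for p in rest.partition(","))
            cfg["accept"].append((ipaddress.ip_network(net_s, strict=False), key or None))
    return cfg


def parse_fwsam_stations(text):
    """Return (host, port, key) for every station on alert_fwsam output lines."""
    stations = []
    pattern = re.compile(r"^output\s+alert_fwsam\s*:\s*(.+)$")
    for raw in text.splitlines():
        m = pattern.match(raw.strip())
        if not m:
            continue
        for station in m.group(1).split():       # syntax: host[:port][/key]
            hostport, _, key = station.partition("/")
            host, _, port_s = hostport.partition(":")
            stations.append((host, int(port_s) if port_s else DEFAULT_FWSAM_PORT, key or None))
    return stations


def check_pairing(snort_conf, snortsam_conf, sensor_addr):
    """Cross-check each station against the agent's listener and accept list.

    sensor_addr is the address the agent sees the sensor connect from. Returns
    a list of findings; an empty list means every station targets the agent's
    port and bindip, the sensor address is covered by an accept entry, and the
    station key equals that entry's key (or defaultkey when the entry has none).
    """
    agent = parse_snortsam_conf(snortsam_conf)
    source = ipaddress.ip_address(sensor_addr)
    findings = []
    for host, port, key in parse_fwsam_stations(snort_conf):
        label = f"station {host}:{port}"
        if port != agent["port"]:
            findings.append(f"{label}: sensor sends to port {port}, agent listens on {agent['port']}")
        if agent["bindip"] and agent["bindip"] not in ("0.0.0.0", host):
            findings.append(f"{label}: agent is bound to {agent['bindip']}, not {host}")
        matches = [k for net, k in agent["accept"] if source in net]
        if not matches:
            findings.append(f"{label}: sensor address {sensor_addr} is not in any accept entry")
            continue
        expected = matches[0] or agent["defaultkey"]
        if key != expected:
            findings.append(f"{label}: sensor key does not match the accept/defaultkey entry")
    return findings


if __name__ == "__main__":
    for line in check_pairing(SNORT_CONF, SNORTSAM_CONF, "127.0.0.1") or ["sensor and agent configuration agree"]:
        print(line)
```

With the post's fragments the check returns no findings, which rules out the usual port, bind address and key mismatches and leaves the remaining question on the wire: whether the agent process is actually listening on 127.0.0.1:898 and whether the rule that fired carries the fwsam option the debug lines show being parsed.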