Snort mailing list archives

Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0


From: John Messinger <john_messinger () acslink net au>
Date: Fri, 21 Apr 2006 22:36:09 +0800

Joel,

That's the funny thing. It seems to be running fine in daemon mode. This is the syslog output I get when starting it up via the /etc/init.d script:

Apr 21 21:35:42 Zaphod kernel: device ppp0 entered promiscuous mode
Apr 21 21:35:42 Zaphod snort[3929]: Initializing daemon mode
Apr 21 21:35:42 Zaphod snort[3930]: PID path stat checked out ok, PID path set to /var/run/
Apr 21 21:35:42 Zaphod snort[3930]: Writing PID "3930" to file "/var/run//snort_ppp0.pid"
Apr 21 21:35:42 Zaphod snort[3930]: Parsing Rules file /etc/snort/snort.conf
Apr 21 21:35:42 Zaphod snortd: snort startup succeeded
Apr 21 21:35:42 Zaphod snort[3930]: ,-----------[Flow Config]----------------------
Apr 21 21:35:42 Zaphod snort[3930]: | Stats Interval:  0
Apr 21 21:35:42 Zaphod snort[3930]: | Hash Method:     2
Apr 21 21:35:42 Zaphod snort[3930]: | Memcap:          10485760
Apr 21 21:35:42 Zaphod snort[3930]: | Rows  :          4099
Apr 21 21:35:42 Zaphod snort[3930]: | Overhead Bytes:  16400(%0.16)
Apr 21 21:35:42 Zaphod snort[3930]: `----------------------------------------------
Apr 21 21:35:42 Zaphod snort[3930]: Frag3 global config:
Apr 21 21:35:42 Zaphod snort[3930]:     Max frags: 65536
Apr 21 21:35:42 Zaphod snort[3930]:     Fragment memory cap: 4194304 bytes
Apr 21 21:35:42 Zaphod snort[3930]: Frag3 engine config:
Apr 21 21:35:42 Zaphod snort[3930]:     Target-based policy: FIRST
Apr 21 21:35:42 Zaphod snort[3930]:     Fragment timeout: 60 seconds
Apr 21 21:35:43 Zaphod snort[3930]:     Fragment min_ttl:   1
Apr 21 21:35:43 Zaphod snort[3930]:     Fragment ttl_limit: 5
Apr 21 21:35:43 Zaphod snort[3930]:     Fragment Problems: 1
Apr 21 21:35:43 Zaphod snort[3930]:     Bound Addresses: 0.0.0.0/0.0.0.0
Apr 21 21:35:43 Zaphod snort[3930]: Stream4 config:
Apr 21 21:35:43 Zaphod snort[3930]:     Stateful inspection: ACTIVE
Apr 21 21:35:43 Zaphod snort[3930]:     Session statistics: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]:     Session timeout: 30 seconds
Apr 21 21:35:43 Zaphod snort[3930]:     Session memory cap: 8388608 bytes
Apr 21 21:35:43 Zaphod snort[3930]:     Session count max: 8192 sessions
Apr 21 21:35:43 Zaphod snort[3930]:     Session cleanup count: 5
Apr 21 21:35:43 Zaphod snort[3930]:     State alerts: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]:     Evasion alerts: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]:     Scan alerts: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]:     Log Flushed Streams: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]:     MinTTL: 1
Apr 21 21:35:43 Zaphod snort[3930]:     TTL Limit: 5
Apr 21 21:35:43 Zaphod snort[3930]:     Async Link: 0
Apr 21 21:35:43 Zaphod snort[3930]:     State Protection: 0
Apr 21 21:35:43 Zaphod snort[3930]:     Self preservation threshold: 50
Apr 21 21:35:44 Zaphod snort[3930]:     Self preservation period: 90
Apr 21 21:35:44 Zaphod snort[3930]:     Suspend threshold: 200
Apr 21 21:35:44 Zaphod snort[3930]:     Suspend period: 30
Apr 21 21:35:44 Zaphod snort[3930]:     Enforce TCP State: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     Midstream Drop Alerts: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     Server Data Inspection Limit: -1
Apr 21 21:35:44 Zaphod snort[3930]: WARNING /etc/snort/snort.conf(373) => flush_behavior set in config file, using old static flushpoints (0)
Apr 21 21:35:44 Zaphod snort[3930]: Stream4_reassemble config:
Apr 21 21:35:44 Zaphod snort[3930]:     Server reassembly: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     Client reassembly: ACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     Reassembler alerts: ACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     Zero out flushed packets: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     Flush stream on alert: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]:     flush_data_diff_size: 500
Apr 21 21:35:44 Zaphod snort[3930]: Reassembler Packet Preferance : Favor Old
Apr 21 21:35:44 Zaphod snort[3930]:     Packet Sequence Overlap Limit: -1
Apr 21 21:35:44 Zaphod snort[3930]:     Flush behavior: Small (<255 bytes)
Apr 21 21:35:44 Zaphod snort[3930]: Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Apr 21 21:35:44 Zaphod snort[3930]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Apr 21 21:35:44 Zaphod snort[3930]: HttpInspect Config:
Apr 21 21:35:45 Zaphod snort[3930]:     GLOBAL CONFIG
Apr 21 21:35:45 Zaphod snort[3930]:       Max Pipeline Requests:    0
Apr 21 21:35:45 Zaphod snort[3930]: Inspection Type: STATELESS
Apr 21 21:35:45 Zaphod snort[3930]:       Detect Proxy Usage:       NO
Apr 21 21:35:45 Zaphod snort[3930]: IIS Unicode Map Filename: /etc/snort/unicode.map
Apr 21 21:35:45 Zaphod snort[3930]:       IIS Unicode Map Codepage: 1252
Apr 21 21:35:45 Zaphod snort[3930]:     DEFAULT SERVER CONFIG:
Apr 21 21:35:45 Zaphod snort[3930]:       Ports: 80 3128 8080 8180
Apr 21 21:35:45 Zaphod snort[3930]:       Flow Depth: 300
Apr 21 21:35:45 Zaphod snort[3930]:       Max Chunk Length: 500000
Apr 21 21:35:45 Zaphod snort[3930]:       Inspect Pipeline Requests: YES
Apr 21 21:35:45 Zaphod snort[3930]:       URI Discovery Strict Mode: NO
Apr 21 21:35:45 Zaphod snort[3930]:       Allow Proxy Usage: NO
Apr 21 21:35:45 Zaphod snort[3930]:       Disable Alerting: NO
Apr 21 21:35:45 Zaphod snort[3930]:       Oversize Dir Length: 500
Apr 21 21:35:45 Zaphod snort[3930]:       Only inspect URI: NO
Apr 21 21:35:45 Zaphod snort[3930]:       Ascii: YES alert: NO
Apr 21 21:35:45 Zaphod snort[3930]:       Double Decoding: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]:       %U Encoding: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]:       Bare Byte: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]:       Base36: OFF
Apr 21 21:35:46 Zaphod snort[3930]:       UTF 8: OFF
Apr 21 21:35:46 Zaphod snort[3930]:       IIS Unicode: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]:       Multiple Slash: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]:       IIS Backslash: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]:       Directory Traversal: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]:       Web Root Traversal: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]:       Apache WhiteSpace: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]:       IIS Delimiter: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Apr 21 21:35:46 Zaphod snort[3930]:       Non-RFC Compliant Characters: NONE
Apr 21 21:35:46 Zaphod snort[3930]: rpc_decode arguments:
Apr 21 21:35:46 Zaphod snort[3930]:     Ports to decode RPC on: 111 32771
Apr 21 21:35:46 Zaphod snort[3930]:     alert_fragments: INACTIVE
Apr 21 21:35:46 Zaphod snort[3930]:     alert_large_fragments: ACTIVE
Apr 21 21:35:46 Zaphod snort[3930]:     alert_incomplete: ACTIVE
Apr 21 21:35:46 Zaphod snort[3930]:     alert_multiple_requests: ACTIVE
Apr 21 21:35:47 Zaphod snort[3930]: telnet_decode arguments:
Apr 21 21:35:47 Zaphod snort[3930]: Ports to decode telnet on: 21 23 25 119
Apr 21 21:35:47 Zaphod snort[3930]: Portscan Detection Config:
Apr 21 21:35:47 Zaphod snort[3930]:     Detect Protocols:  TCP UDP ICMP IP
Apr 21 21:35:47 Zaphod snort[3930]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Apr 21 21:35:47 Zaphod snort[3930]:     Sensitivity Level: Low
Apr 21 21:35:47 Zaphod snort[3930]:     Memcap (in bytes): 10000000
Apr 21 21:35:47 Zaphod snort[3930]:     Number of Nodes:   36900
Apr 21 21:35:47 Zaphod snort[3930]:
Apr 21 21:35:47 Zaphod snort[3930]: X-Link2State Config:
Apr 21 21:35:47 Zaphod snort[3930]:     Ports: 25 691
Apr 21 21:35:47 Zaphod snort[3930]: command line overrides rules file alert plugin!
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'http.jpeg' is checked but not ever set.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Apr 21 21:35:48 Zaphod snort[3930]:
Apr 21 21:35:48 Zaphod snort[3930]: +-----------------------[thresholding-config]----------------------------------
Apr 21 21:35:48 Zaphod snort[3930]: | memory-cap : 1048576 bytes
Apr 21 21:35:48 Zaphod snort[3930]: +-----------------------[thresholding-global]----------------------------------
Apr 21 21:35:48 Zaphod snort[3930]: | none
Apr 21 21:35:48 Zaphod snort[3930]: +-----------------------[thresholding-local]-----------------------------------
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Apr 21 21:35:49 Zaphod snort[3930]: +-----------------------[suppression]------------------------------------------
Apr 21 21:35:49 Zaphod snort[3930]: | none
Apr 21 21:35:49 Zaphod snort[3930]: -------------------------------------------------------------------------------
Apr 21 21:35:49 Zaphod snort[3930]: Rule application order: ->activation->dynamic->drop->alert->pass->log
Apr 21 21:35:49 Zaphod snort[3930]: Log directory = /var/log/snort
Apr 21 21:35:50 Zaphod snort[3930]: Snort initialization completed successfully (pid=3930)

As far as I can see, it is running OK, and supposedly on interface ppp0. Outputs should be going to a mysql database, but nothing ever shows up there.

Looking closer, I see that there are log files being created in /var/log/snort. So I guess it must be running OK and listening on the correct interface, just not sending output to the expected location. The only output plugin configured in snort.conf is this:

output database: log, mysql, user=snort password=******* dbname=snort host=localhost

Any thoughts/suggestions?

John
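The "Undefined variable name ... ppp0_ADDRESS" error in the quoted exchange comes from Snort 2.x defining the <iface>_ADDRESS variable only for the interface it actually opens: started by hand without -i it picked eth0, so $ppp0_ADDRESS in HOME_NET was never defined, while the init script that passes -i ppp0 started cleanly. The following pre-flight check is an added example, not code from the thread or from the Snort project; it assumes a snort.conf path and the interface name from /etc/sysconfig/snort as its two arguments, and the sample conf it builds is constructed to mirror the thread.

```shell
#!/bin/sh
# Pre-flight check for a Snort 2.x snort.conf (added example, not from the thread).
# Snort 2.x defines <iface>_ADDRESS only for the interface it opens (the -i
# argument, or the first interface found when -i is absent), so a HOME_NET of
# $ppp0_ADDRESS dies with "Undefined variable name" whenever Snort is started
# without "-i ppp0".

# Print every <iface> referenced as $<iface>_ADDRESS in the conf, one per line.
iface_vars() {
    # $1 = path to snort.conf
    grep -o '\$[A-Za-z0-9]*_ADDRESS' "$1" | sed 's/^\$//; s/_ADDRESS$//' | sort -u
}

# Return 0 when every $<iface>_ADDRESS reference matches the interface Snort
# will be started on ($2), 1 otherwise (each mismatch is reported on stderr).
check_iface_vars() {
    conf=$1; iface=$2; rc=0
    for v in $(iface_vars "$conf"); do
        if [ "$v" != "$iface" ]; then
            echo "snort.conf references \$${v}_ADDRESS but Snort will listen on $iface" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample conf mirroring the thread: HOME_NET bound to ppp0.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
EOF

# Simulate the two ways Snort was started in the thread.
check_iface_vars "$SAMPLE" ppp0 && echo "ppp0: OK (what the init script passes with -i ppp0)"
check_iface_vars "$SAMPLE" eth0 || echo "eth0: would fail like the bare 'snort -c snort.conf' run"
rm -f "$SAMPLE"
```

Running the real config through Snort's own test mode with the same interface, `snort -T -i ppp0 -c /etc/snort/snort.conf`, exercises the same point against the actual parser.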



Joel Esler wrote:

John,

Snort never starts, see the Fatal error?
ERROR: Undefined variable name: (/etc/snort/snort.conf:33): ppp0_ADDRESS
Fatal Error, Quitting..

What do you have on line 33?

Joel




On Apr 21, 2006, at 12:35 AM, John Messinger wrote:

Followed the installation guide from the Docs section (Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core), with the exception that I installed the official Snort 2.4.4 RHEL4 rpms (snort + snort-mysql).

Snort seems to start OK (no errors given anywhere, and syslog shows a good startup), but no sensors are listed in BASE - nada.

Running snort -c /etc/snort/snort.conf gives the following output:

***
*** interface device lookup found: eth0
***
Running in IDS mode

Initializing Network Interface eth0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Undefined variable name: (/etc/snort/snort.conf:33): ppp0_ADDRESS
Fatal Error, Quitting..

My snort.conf file defines HOME_NET as $ppp0_ADDRESS. I have modified /etc/sysconfig/snort so that the INTERFACE variable points to ppp0, and also the /etc/rc.d/init.d/snortd script.

As far as I can tell, snort should be getting called with the -i ppp0 option, but it is still trying to listen on the eth0 interface.

My network setup is a DSL modem connected to eth1, with eth0 being the interface to the private LAN. Yes, the IP address from my ISP is dynamic, not fixed.

If more information is required, please let me know. Appreciate any suggestions as to getting this to work.

Regards,

John


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







