Snort mailing list archives
Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0
From: John Messinger <john_messinger () acslink net au>
Date: Fri, 21 Apr 2006 22:36:09 +0800
Joel,

That's the funny thing. It seems to be running fine in daemon mode. This is the syslog output I get when starting it up via the /etc/init.d script:
Apr 21 21:35:42 Zaphod kernel: device ppp0 entered promiscuous mode
Apr 21 21:35:42 Zaphod snort[3929]: Initializing daemon mode
Apr 21 21:35:42 Zaphod snort[3930]: PID path stat checked out ok, PID path set to /var/run/
Apr 21 21:35:42 Zaphod snort[3930]: Writing PID "3930" to file "/var/run//snort_ppp0.pid"
Apr 21 21:35:42 Zaphod snort[3930]: Parsing Rules file /etc/snort/snort.conf
Apr 21 21:35:42 Zaphod snortd: snort startup succeeded
Apr 21 21:35:42 Zaphod snort[3930]: ,-----------[Flow Config]----------------------
Apr 21 21:35:42 Zaphod snort[3930]: | Stats Interval: 0
Apr 21 21:35:42 Zaphod snort[3930]: | Hash Method: 2
Apr 21 21:35:42 Zaphod snort[3930]: | Memcap: 10485760
Apr 21 21:35:42 Zaphod snort[3930]: | Rows : 4099
Apr 21 21:35:42 Zaphod snort[3930]: | Overhead Bytes: 16400(%0.16)
Apr 21 21:35:42 Zaphod snort[3930]: `----------------------------------------------
Apr 21 21:35:42 Zaphod snort[3930]: Frag3 global config:
Apr 21 21:35:42 Zaphod snort[3930]: Max frags: 65536
Apr 21 21:35:42 Zaphod snort[3930]: Fragment memory cap: 4194304 bytes
Apr 21 21:35:42 Zaphod snort[3930]: Frag3 engine config:
Apr 21 21:35:42 Zaphod snort[3930]: Target-based policy: FIRST
Apr 21 21:35:42 Zaphod snort[3930]: Fragment timeout: 60 seconds
Apr 21 21:35:43 Zaphod snort[3930]: Fragment min_ttl: 1
Apr 21 21:35:43 Zaphod snort[3930]: Fragment ttl_limit: 5
Apr 21 21:35:43 Zaphod snort[3930]: Fragment Problems: 1
Apr 21 21:35:43 Zaphod snort[3930]: Bound Addresses: 0.0.0.0/0.0.0.0
Apr 21 21:35:43 Zaphod snort[3930]: Stream4 config:
Apr 21 21:35:43 Zaphod snort[3930]: Stateful inspection: ACTIVE
Apr 21 21:35:43 Zaphod snort[3930]: Session statistics: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]: Session timeout: 30 seconds
Apr 21 21:35:43 Zaphod snort[3930]: Session memory cap: 8388608 bytes
Apr 21 21:35:43 Zaphod snort[3930]: Session count max: 8192 sessions
Apr 21 21:35:43 Zaphod snort[3930]: Session cleanup count: 5
Apr 21 21:35:43 Zaphod snort[3930]: State alerts: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]: Evasion alerts: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]: Scan alerts: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]: Log Flushed Streams: INACTIVE
Apr 21 21:35:43 Zaphod snort[3930]: MinTTL: 1
Apr 21 21:35:43 Zaphod snort[3930]: TTL Limit: 5
Apr 21 21:35:43 Zaphod snort[3930]: Async Link: 0
Apr 21 21:35:43 Zaphod snort[3930]: State Protection: 0
Apr 21 21:35:43 Zaphod snort[3930]: Self preservation threshold: 50
Apr 21 21:35:44 Zaphod snort[3930]: Self preservation period: 90
Apr 21 21:35:44 Zaphod snort[3930]: Suspend threshold: 200
Apr 21 21:35:44 Zaphod snort[3930]: Suspend period: 30
Apr 21 21:35:44 Zaphod snort[3930]: Enforce TCP State: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: Midstream Drop Alerts: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: Server Data Inspection Limit: -1
Apr 21 21:35:44 Zaphod snort[3930]: WARNING /etc/snort/snort.conf(373) => flush_behavior set in config file, using old static flushpoints (0)
Apr 21 21:35:44 Zaphod snort[3930]: Stream4_reassemble config:
Apr 21 21:35:44 Zaphod snort[3930]: Server reassembly: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: Client reassembly: ACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: Reassembler alerts: ACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: Zero out flushed packets: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: Flush stream on alert: INACTIVE
Apr 21 21:35:44 Zaphod snort[3930]: flush_data_diff_size: 500
Apr 21 21:35:44 Zaphod snort[3930]: Reassembler Packet Preferance : Favor Old
Apr 21 21:35:44 Zaphod snort[3930]: Packet Sequence Overlap Limit: -1
Apr 21 21:35:44 Zaphod snort[3930]: Flush behavior: Small (<255 bytes)
Apr 21 21:35:44 Zaphod snort[3930]: Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Apr 21 21:35:44 Zaphod snort[3930]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Apr 21 21:35:44 Zaphod snort[3930]: HttpInspect Config:
Apr 21 21:35:45 Zaphod snort[3930]: GLOBAL CONFIG
Apr 21 21:35:45 Zaphod snort[3930]: Max Pipeline Requests: 0
Apr 21 21:35:45 Zaphod snort[3930]: Inspection Type: STATELESS
Apr 21 21:35:45 Zaphod snort[3930]: Detect Proxy Usage: NO
Apr 21 21:35:45 Zaphod snort[3930]: IIS Unicode Map Filename: /etc/snort/unicode.map
Apr 21 21:35:45 Zaphod snort[3930]: IIS Unicode Map Codepage: 1252
Apr 21 21:35:45 Zaphod snort[3930]: DEFAULT SERVER CONFIG:
Apr 21 21:35:45 Zaphod snort[3930]: Ports: 80 3128 8080 8180
Apr 21 21:35:45 Zaphod snort[3930]: Flow Depth: 300
Apr 21 21:35:45 Zaphod snort[3930]: Max Chunk Length: 500000
Apr 21 21:35:45 Zaphod snort[3930]: Inspect Pipeline Requests: YES
Apr 21 21:35:45 Zaphod snort[3930]: URI Discovery Strict Mode: NO
Apr 21 21:35:45 Zaphod snort[3930]: Allow Proxy Usage: NO
Apr 21 21:35:45 Zaphod snort[3930]: Disable Alerting: NO
Apr 21 21:35:45 Zaphod snort[3930]: Oversize Dir Length: 500
Apr 21 21:35:45 Zaphod snort[3930]: Only inspect URI: NO
Apr 21 21:35:45 Zaphod snort[3930]: Ascii: YES alert: NO
Apr 21 21:35:45 Zaphod snort[3930]: Double Decoding: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]: %U Encoding: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]: Bare Byte: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]: Base36: OFF
Apr 21 21:35:46 Zaphod snort[3930]: UTF 8: OFF
Apr 21 21:35:46 Zaphod snort[3930]: IIS Unicode: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]: Multiple Slash: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]: IIS Backslash: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]: Directory Traversal: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]: Web Root Traversal: YES alert: YES
Apr 21 21:35:46 Zaphod snort[3930]: Apache WhiteSpace: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]: IIS Delimiter: YES alert: NO
Apr 21 21:35:46 Zaphod snort[3930]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Apr 21 21:35:46 Zaphod snort[3930]: Non-RFC Compliant Characters: NONE
Apr 21 21:35:46 Zaphod snort[3930]: rpc_decode arguments:
Apr 21 21:35:46 Zaphod snort[3930]: Ports to decode RPC on: 111 32771
Apr 21 21:35:46 Zaphod snort[3930]: alert_fragments: INACTIVE
Apr 21 21:35:46 Zaphod snort[3930]: alert_large_fragments: ACTIVE
Apr 21 21:35:46 Zaphod snort[3930]: alert_incomplete: ACTIVE
Apr 21 21:35:46 Zaphod snort[3930]: alert_multiple_requests: ACTIVE
Apr 21 21:35:47 Zaphod snort[3930]: telnet_decode arguments:
Apr 21 21:35:47 Zaphod snort[3930]: Ports to decode telnet on: 21 23 25 119
Apr 21 21:35:47 Zaphod snort[3930]: Portscan Detection Config:
Apr 21 21:35:47 Zaphod snort[3930]: Detect Protocols: TCP UDP ICMP IP
Apr 21 21:35:47 Zaphod snort[3930]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Apr 21 21:35:47 Zaphod snort[3930]: Sensitivity Level: Low
Apr 21 21:35:47 Zaphod snort[3930]: Memcap (in bytes): 10000000
Apr 21 21:35:47 Zaphod snort[3930]: Number of Nodes: 36900
Apr 21 21:35:47 Zaphod snort[3930]:
Apr 21 21:35:47 Zaphod snort[3930]: X-Link2State Config:
Apr 21 21:35:47 Zaphod snort[3930]: Ports: 25 691
Apr 21 21:35:47 Zaphod snort[3930]: command line overrides rules file alert plugin!
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'http.jpeg' is checked but not ever set.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Apr 21 21:35:48 Zaphod snort[3930]:
Apr 21 21:35:48 Zaphod snort[3930]: +-----------------------[thresholding-config]----------------------------------
Apr 21 21:35:48 Zaphod snort[3930]: | memory-cap : 1048576 bytes
Apr 21 21:35:48 Zaphod snort[3930]: +-----------------------[thresholding-global]----------------------------------
Apr 21 21:35:48 Zaphod snort[3930]: | none
Apr 21 21:35:48 Zaphod snort[3930]: +-----------------------[thresholding-local]-----------------------------------
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:48 Zaphod snort[3930]: | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
Apr 21 21:35:49 Zaphod snort[3930]: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Apr 21 21:35:49 Zaphod snort[3930]: +-----------------------[suppression]------------------------------------------
Apr 21 21:35:49 Zaphod snort[3930]: | none
Apr 21 21:35:49 Zaphod snort[3930]: -------------------------------------------------------------------------------
Apr 21 21:35:49 Zaphod snort[3930]: Rule application order: ->activation->dynamic->drop->alert->pass->log
Apr 21 21:35:49 Zaphod snort[3930]: Log directory = /var/log/snort
Apr 21 21:35:50 Zaphod snort[3930]: Snort initialization completed successfully (pid=3930)
As far as I can see, it is running OK, and supposedly on interface ppp0. Outputs should be going to a mysql database, but nothing ever shows up there.
Looking closer, I see that there are log files being created in /var/log/snort. So I guess it must be running OK and listening on the correct interface, just not sending output to the expected location. The only output plugin configured in snort.conf is this:
output database: log, mysql, user=snort password=******* dbname=snort host=localhost
Any thoughts/suggestions?

John

Joel Esler wrote:
John,

Snort never starts, see the Fatal error?

ERROR: Undefined variable name: (/etc/snort/snort.conf:33): ppp0_ADDRESS
Fatal Error, Quitting..

What do you have on line 33?

Joel

On Apr 21, 2006, at 12:35 AM, John Messinger wrote:

Followed the installation guide from the Docs section (Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core), with the exception that I installed the official Snort 2.4.4 RHEL4 rpms (snort + snort-mysql).

Snort seems to start OK (no errors given anywhere, and syslog shows a good startup), but no sensors are listed in BASE - nada.

Running snort -c /etc/snort/snort.conf gives the following output:

***
*** interface device lookup found: eth0
***
Running in IDS mode
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: Undefined variable name: (/etc/snort/snort.conf:33): ppp0_ADDRESS
Fatal Error, Quitting..

My snort.conf file defines HOME_NET as $ppp0_ADDRESS. I have modified /etc/sysconfig/snort so that the INTERFACE variable points to ppp0, and also the /etc/rc.d/init.d/snortd script.

As far as I can tell, snort should be getting called with the -i ppp0 option, but it is still trying to listen on the eth0 interface.

My network setup is a DSL modem connected to eth1, with eth0 being the interface to the private LAN. Yes, the IP address from my ISP is dynamic, not fixed.

If more information is required, please let me know. Appreciate any suggestions as to getting this to work.

Regards,
John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
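The thread turns on two things that a sensor operator would rather check mechanically than by reading a startup log: whether the daemon really came up on the intended interface with its output plugins in effect, and whether snort.conf references an interface-derived variable (the post's $ppp0_ADDRESS) for an interface other than the one Snort is started on, which produces the "Undefined variable name" fatal error quoted above. The following Python is an added example written for this page; it is not code from the original posts or from the Snort project. It assumes the syslog layout shown in John's message, that the pid file name carries the interface (as the post's line Writing PID "3930" to file "/var/run//snort_ppp0.pid" shows), and that Snort's "command line overrides rules file alert plugin!" line means a command-line alert mode is taking precedence over the alert output plugins in the config; the sample syslog excerpt and sample config are constructed for the example, and every function name is this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: a handful of the syslog lines from the post, run together
# the way the archive page shows them (newlines between records mostly lost).
SAMPLE_SYSLOG = (
    "Apr 21 21:35:42 Zaphod kernel: device ppp0 entered promiscuous mode "
    "Apr 21 21:35:42 Zaphod snort[3929]: Initializing daemon mode"
    'Apr 21 21:35:42 Zaphod snort[3930]: Writing PID "3930" to file "/var/run//snort_ppp0.pid"\n'
    "Apr 21 21:35:44 Zaphod snort[3930]: WARNING /etc/snort/snort.conf(373) => "
    "flush_behavior set in config file, using old static flushpoints (0)\n"
    "Apr 21 21:35:47 Zaphod snort[3930]: command line overrides rules file alert plugin! "
    "Apr 21 21:35:48 Zaphod snort[3930]: Warning: flowbits key 'http.jpeg' is checked but not ever set. "
    "Apr 21 21:35:49 Zaphod snort[3930]: Log directory = /var/log/snort"
    "Apr 21 21:35:50 Zaphod snort[3930]: Snort initialization completed successfully (pid=3930)"
)

# Constructed sample snort.conf fragment mirroring the post's HOME_NET definition.
SAMPLE_CONF = "var HOME_NET $ppp0_ADDRESS\nvar EXTERNAL_NET !$HOME_NET\n# var DNS_SERVERS $eth1_ADDRESS\n"

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
STAMP = rf"{MONTH} [ \d]?\d \d\d:\d\d:\d\d \S+ "  # e.g. "Apr 21 21:35:42 Zaphod "

# One syslog record: timestamp host prog[pid]: message. The message runs until
# the next timestamp/host pair (or end of text), so run-together input still splits.
RECORD_RE = re.compile(
    rf"(?P<ts>{MONTH} [ \d]?\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:[ ]?(?P<msg>.*?)"
    rf"(?=\s*{STAMP}|\s*\Z)"
)

# Snort's per-interface variables look like $eth0_ADDRESS / $ppp0_ADDRESS.
IFACE_VAR_RE = re.compile(r"\$(?P<iface>[A-Za-z0-9]+)_ADDRESS\b")


def split_syslog_records(text: str) -> List[Dict[str, Optional[str]]]:
    """Split (possibly run-together) syslog text into one dict per record."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def summarize_snort_startup(records: List[Dict[str, Optional[str]]]) -> Dict:
    """Pull the facts a health check cares about out of Snort's startup records."""
    summary: Dict = {"pid": None, "interface": None, "daemon": False,
                     "init_completed": False,
                     "cmdline_overrides_alert_plugin": False, "warnings": []}
    for rec in records:
        if rec["prog"] != "snort":
            continue
        msg = rec["msg"] or ""
        if msg == "Initializing daemon mode":
            summary["daemon"] = True
        pid_match = re.search(r'Writing PID "(\d+)" to file "([^"]+)"', msg)
        if pid_match:
            summary["pid"] = int(pid_match.group(1))
            # The pid file is named snort_<interface>.pid, so the name tells us
            # which interface the daemon was actually started on.
            iface_match = re.search(r"snort_([^/]+)\.pid$", pid_match.group(2))
            if iface_match:
                summary["interface"] = iface_match.group(1)
        if msg.startswith("Snort initialization completed successfully"):
            summary["init_completed"] = True
        if msg.startswith("command line overrides rules file alert plugin"):
            summary["cmdline_overrides_alert_plugin"] = True
        if msg.startswith(("WARNING", "Warning:")):
            summary["warnings"].append(msg)
    return summary


def interface_vars_in_conf(conf_text: str) -> Set[str]:
    """Interfaces referenced via $<iface>_ADDRESS in non-comment config lines."""
    return {m.group("iface")
            for line in conf_text.splitlines()
            if not line.lstrip().startswith("#")
            for m in IFACE_VAR_RE.finditer(line)}


def check_sensor_health(summary: Dict, expected_interface: str,
                        conf_text: str = "") -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    if not summary["init_completed"]:
        findings.append("Snort never reported 'initialization completed successfully'")
    if summary["interface"] != expected_interface:
        findings.append(f"pid file names interface {summary['interface']!r}, "
                        f"expected {expected_interface!r}")
    if summary["cmdline_overrides_alert_plugin"]:
        findings.append("a command-line alert mode overrides the alert output "
                        "plugins configured in snort.conf; check the init script's options")
    findings.extend(w for w in summary["warnings"] if w.startswith("WARNING"))
    for iface in sorted(interface_vars_in_conf(conf_text)):
        if iface != expected_interface:
            findings.append(f"snort.conf references ${iface}_ADDRESS but the sensor runs on "
                            f"{expected_interface}; Snort would abort with 'Undefined variable name'")
    return findings


if __name__ == "__main__":
    summary = summarize_snort_startup(split_syslog_records(SAMPLE_SYSLOG))
    for finding in check_sensor_health(summary, "ppp0", SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the sample, the check passes the interface test (the pid file names ppp0 and snort.conf references $ppp0_ADDRESS) but still reports the command-line override and the flush_behavior warning; run with "eth0" as the expected interface it additionally reports both mismatches, which is the situation John's first message describes.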
Current thread:
- Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 John Messinger (Apr 20)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 Joel Esler (Apr 21)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 Dirk Geschke (Apr 21)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 John Messinger (Apr 21)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 Patrick S. Harper (Apr 21)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 John Messinger (Apr 21)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 Randal T. Rioux (Apr 21)
- Re: Snort 2.4.4 on CentOS 4.3 won't listen on ppp0 Joel Esler (Apr 21)