Snort mailing list archives
Snort not catching anything
From: "Vintage Mud" <vintagemud () gmail com>
Date: Mon, 6 Nov 2006 12:01:33 -0500
Hey all, I finished installing snort a couple of days ago, and have yet to receive any alerts in BASE. From all appearances, everything appears to be working, I'm just not getting anything out of it (I've run attacks on the machine to test it).

To give a little background, I'm running FC6 on a machine behind a Linksys router (WRT54G), which is then connected to a cable modem. I more or less followed the FC6 LAMP tutorial on howtoforge without the DNS or ISPConfig stuff [http://www.howtoforge.com/installing_a_lamp_system_with_fedora_core_6] and added on the IDS with BASE and Snort tutorial [http://www.howtoforge.com/intrusion_detection_base_snort]. I am using the latest registered users rules package, and added on the init.d script from the "Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core – with NTOP" tutorial off the snort site [http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf]. I have IPTables turned off since I have a few selected ports being forwarded through my router.

When snort starts, I don't receive any errors, and the logs are empty as well. This is my output from running "snort -c /etc/snort/snort.conf". Any help would be appreciated.

----------------------------------------------- Output Begins Now -----------------------------------------------

[root@superman ~]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 15 chars, value = !192.168.1.0/24
Var 'DNS_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SMTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SQL_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'TELNET_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SNMP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[ 64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
WARNING /etc/snort/snort.conf(409) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

5427 Snort rules read...
5427 Option Chains linked into 218 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: STATEFUL
    Normalize Spaces: YES
    Ignore Data: NO
    Ignore TLS Data: NO
    Ignore Alerts: NO
    Max Command Length: 0
    Max Header Line Length: 0
    Max Response Line Length: 0
    X-Link2State Alert: YES
    Drop on X-Link2State Alert: NO
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Var 'eth0_ADDRESS' defined, value len = 25 chars, value = 192.168.1.0/255.255.255.0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snortusr
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.75
database:     sensor id = 1
database: schema version = 107
database: using the "log" facility

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0.2 (Build 85)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.5  <Build 10>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 8>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 6>

Not Using PCAP_FRAMES
*** Caught Int-Signal
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.168352)/blocks (17653/8)
Overhead blocks: 1 Could Hold: (58579)
IPV4 count: 7 frees: 0 low_time: 1162828861, high_time: 1162832257, diff: 0h:56:36s
    finds: 669 reversed: 0(%0.000000)
    find_success: 662 find_fail: 7 percent_success: (%98.953662) new_flows: 7
 Protocol: 17 (%100.000000)
    finds: 669 reversed: 0(%0.000000)
    find_success: 662 find_fail: 7 percent_success: (%98.953662) new_flows: 7
===============================================================================
Snort received 1677 packets
    Analyzed: 1672(99.702%)
    Dropped: 0(0.000%)
    Outstanding: 5(0.298%)
===============================================================================
Breakdown by protocol:
    TCP: 920        (55.024%)
    UDP: 682        (40.789%)
   ICMP: 0          (0.000%)
    ARP: 70         (4.187%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
database: Closing connection to database "snort"
Snort exiting
[root@superman ~]#

----------------------------------------------- Output Ends Now -----------------------------------------------
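A check worth running on the configuration shown in the post, as an added example that is not part of the original message or of Snort: the startup output defines EXTERNAL_NET as !192.168.1.0/24 while every server variable is 192.168.1.0/24, so a standard rule header such as `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS` can never match a test launched from another host on that LAN, even though the packet counters prove the sensor is seeing traffic. The script parses the `Var ... defined` lines and evaluates a rule header against a flow; the `alert tcp` header, the test source addresses and the source port are assumptions, and the excerpt of the output is constructed.

```python
"""Check a Snort 2.x rule header against the variables Snort prints at startup."""
import ipaddress
import re
# Constructed excerpt of the startup output quoted in the post (the bracketed
# AIM_SERVERS list is shortened and kept on one line for the parser).
STARTUP_OUTPUT = """\
Var 'EXTERNAL_NET' defined, value len = 15 chars, value = !192.168.1.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'AIM_SERVERS' defined, value len = 185 chars [ 64.12.24.0/23,64.12.28.0/23]
"""
VAR_RE = re.compile(r"Var '(\w+)' defined, value len = \d+ chars"
                    r"(?:, value = (\S+)| \[ (.+?) ?\])")

def parse_vars(text):
    """Map variable name -> raw Snort value ('!net', 'net,net', '80', ...)."""
    return {m.group(1): m.group(2) or m.group(3) for m in VAR_RE.finditer(text)}

def addr_matches(spec, ip):
    """Snort address spec: any | [!]net | [!][net,net,...]."""
    spec = spec.strip()
    if spec == "any":
        return True
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip(), strict=False)
              for n in nets)
    return hit != spec.startswith("!")  # a leading '!' inverts the membership test

def port_matches(spec, port):
    """Snort port spec: any | [!]port | [!]lo:hi (open-ended ranges allowed)."""
    spec = spec.strip()
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != spec.startswith("!")

def header_matches(header, variables, src_ip, src_port, dst_ip, dst_port):
    """Evaluate 'action proto SRC SPORT -> DST DPORT', resolving $VAR tokens."""
    _, _, src_a, src_p, _, dst_a, dst_p = header.split()
    resolve = lambda tok: variables[tok[1:]] if tok.startswith("$") else tok
    return (addr_matches(resolve(src_a), src_ip) and port_matches(resolve(src_p), src_port)
            and addr_matches(resolve(dst_a), dst_ip) and port_matches(resolve(dst_p), dst_port))

WEB_RULE = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"  # assumed test rule

def flow_would_alert(src_ip, src_port=40000):
    """Can a request from src_ip to the sensor (192.168.1.75) on port 80 match WEB_RULE?"""
    return header_matches(WEB_RULE, parse_vars(STARTUP_OUTPUT), src_ip, src_port, "192.168.1.75", 80)
```

`flow_would_alert("192.168.1.50")` is False for a LAN-side test host, while `flow_would_alert("203.0.113.9")` is True for a client arriving through the router's port forward; the same check applied to HOME_NET explains why a sensor whose test traffic never crosses the HOME_NET/EXTERNAL_NET boundary stays silent.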