Snort mailing list archives

Snort not catching anything


From: "Vintage Mud" <vintagemud () gmail com>
Date: Mon, 6 Nov 2006 12:01:33 -0500

Hey all,

I finished installing snort a couple of days ago, and have yet to receive
any alerts in BASE. From all appearances, everything appears to be working;
I'm just not getting anything out of it (I've run attacks on the machine to
test it).

To give a little background, I'm running FC6 on a machine behind a Linksys
router (WRT54G), which is then connected to a cable modem. I more or less
followed the FC6 LAMP tutorial on howtoforge without the DNS or ISPConfig
stuff [http://www.howtoforge.com/installing_a_lamp_system_with_fedora_core_6]
and added on the IDS with BASE and Snort tutorial
[http://www.howtoforge.com/intrusion_detection_base_snort]. I am using the
latest registered users rules package, and added on the init.d script from
the "Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or
Fedora Core – with NTOP" tutorial off the snort site
[http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf]. I have
IPTables turned off since I have a few selected ports being forwarded
through my router.

When snort starts, I don't receive any errors, and the logs are empty as
well. This is my output from running "snort -c /etc/snort/snort.conf":

Any help would be appreciated.

----------------------------------------------- Output Begins Now -----------------------------------------------

[root@superman ~]# snort -c /etc/snort/snort.conf
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 15 chars, value = !192.168.1.0/24
Var 'DNS_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SMTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SQL_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'TELNET_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SNMP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
  [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
   Max frags: 65536
   Fragment memory cap: 4194304 bytes
Frag3 engine config:
   Target-based policy: FIRST
   Fragment timeout: 60 seconds
   Fragment min_ttl:   1
   Fragment ttl_limit: 5
   Fragment Problems: 1
   Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
   Stateful inspection: ACTIVE
   Session statistics: INACTIVE
   Session timeout: 30 seconds
   Session memory cap: 8388608 bytes
   Session count max: 8192 sessions
   Session cleanup count: 5
   State alerts: INACTIVE
   Evasion alerts: INACTIVE
   Scan alerts: INACTIVE
   Log Flushed Streams: INACTIVE
   MinTTL: 1
   TTL Limit: 5
   Async Link: 0
   State Protection: 0
   Self preservation threshold: 50
   Self preservation period: 90
   Suspend threshold: 200
   Suspend period: 30
   Enforce TCP State: INACTIVE
   Midstream Drop Alerts: INACTIVE
   Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
   Server reassembly: INACTIVE
   Client reassembly: ACTIVE
   Reassembler alerts: ACTIVE
   Zero out flushed packets: INACTIVE
   Flush stream on alert: INACTIVE
   flush_data_diff_size: 500
   Reassembler Packet Preferance : Favor Old
   Packet Sequence Overlap Limit: -1
   Flush behavior: Small (<255 bytes)
   Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
   Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
WARNING /etc/snort/snort.conf(409) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
   Server reassembly: ACTIVE
   Client reassembly: ACTIVE
   Reassembler alerts: ACTIVE
   Zero out flushed packets: INACTIVE
   Flush stream on alert: INACTIVE
   flush_data_diff_size: 500
   Reassembler Packet Preferance : Favor Old
   Packet Sequence Overlap Limit: -1
   Flush behavior: Small (<255 bytes)
   Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
   Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
   GLOBAL CONFIG
     Max Pipeline Requests:    0
     Inspection Type:          STATELESS
     Detect Proxy Usage:       NO
     IIS Unicode Map Filename: /etc/snort/unicode.map
     IIS Unicode Map Codepage: 1252
   DEFAULT SERVER CONFIG:
     Ports: 80 8080 8180
     Flow Depth: 300
     Max Chunk Length: 500000
     Inspect Pipeline Requests: YES
     URI Discovery Strict Mode: NO
     Allow Proxy Usage: NO
     Disable Alerting: NO
     Oversize Dir Length: 500
     Only inspect URI: NO
     Ascii: YES alert: NO
     Double Decoding: YES alert: YES
     %U Encoding: YES alert: YES
     Bare Byte: YES alert: YES
     Base36: OFF
     UTF 8: OFF
     IIS Unicode: YES alert: YES
     Multiple Slash: YES alert: NO
     IIS Backslash: YES alert: NO
     Directory Traversal: YES alert: NO
     Web Root Traversal: YES alert: YES
     Apache WhiteSpace: YES alert: NO
     IIS Delimiter: YES alert: NO
     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
     Non-RFC Compliant Characters: NONE
     Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
   Ports to decode RPC on: 111 32771
   alert_fragments: INACTIVE
   alert_large_fragments: ACTIVE
   alert_incomplete: ACTIVE
   alert_multiple_requests: ACTIVE
Portscan Detection Config:
   Detect Protocols:  TCP UDP ICMP IP
   Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
   Sensitivity Level: Low
   Memcap (in bytes): 10000000
   Number of Nodes:   36900

5427 Snort rules read...
5427 Option Chains linked into 218 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5  seconds=2
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10 seconds=60
| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5  seconds=2
| gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5  seconds=60
| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5  seconds=2
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10 seconds=10
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10 seconds=60
| gen-id=1      sig-id=4984       type=Threshold tracking=src count=5  seconds=2
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5  seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5  seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
 Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
 Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
 Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
   GLOBAL CONFIG
     Inspection Type: stateful
     Check for Encrypted Traffic: YES alert: YES
     Continue to check encrypted data: NO
   TELNET CONFIG:
     Ports: 23
     Are You There Threshold: 200
     Normalize: YES
   FTP CONFIG:
     FTP Server: default
       Ports: 21
       Check for Telnet Cmds: YES alert: YES
       Identify open data channels: YES
     FTP Client: default
       Check for Bounce Attacks: YES alert: YES
       Check for Telnet Cmds: YES alert: YES
       Max Response Length: 256
SMTP Config:
     Ports: 25
     Inspection Type:            STATEFUL
     Normalize Spaces:           YES
     Ignore Data:                NO
     Ignore TLS Data:            NO
     Ignore Alerts:              NO
     Max Command Length:         0
     Max Header Line Length:     0
     Max Response Line Length:   0
     X-Link2State Alert:         YES
     Drop on X-Link2State Alert: NO
DNS config:
   DNS Client rdata txt Overflow Alert: ACTIVE
   Obsolete DNS RR Types Alert: INACTIVE
   Experimental DNS RR Types Alert: INACTIVE
   Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Var 'eth0_ADDRESS' defined, value len = 25 chars, value = 192.168.1.0/255.255.255.0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snortusr
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.75
database:     sensor id = 1
database: schema version = 107
database: using the "log" facility

       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.6.0.2 (Build 85)
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
          (C) Copyright 1998-2006 Sourcefire Inc., et al.

          Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.5  <Build 10>
          Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 8>
          Preprocessor Object: SF_DNS  Version 1.0  <Build 1>
          Preprocessor Object: SF_SMTP  Version 1.0  <Build 6>
Not Using PCAP_FRAMES
*** Caught Int-Signal
Frag3 statistics:
       Total Fragments: 0
     Frags Reassembled: 0
              Discards: 0
         Memory Faults: 0
              Timeouts: 0
              Overlaps: 0
             Anomalies: 0
                Alerts: 0
    FragTrackers Added: 0
   FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
   Frag Nodes Inserted: 0
    Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.168352)/blocks (17653/8)
Overhead blocks: 1 Could Hold: (58579)
IPV4 count: 7 frees: 0
low_time: 1162828861, high_time: 1162832257, diff: 0h:56:36s
   finds: 669 reversed: 0(%0.000000)
   find_success: 662 find_fail: 7
percent_success: (%98.953662) new_flows: 7
Protocol: 17 (%100.000000)
  finds: 669
  reversed: 0(%0.000000)
  find_success: 662
  find_fail: 7
  percent_success: (%98.953662)
  new_flows: 7


===============================================================================

Snort received 1677 packets
   Analyzed: 1672(99.702%)
   Dropped: 0(0.000%)
   Outstanding: 5(0.298%)
===============================================================================
Breakdown by protocol:
   TCP: 920        (55.024%)
   UDP: 682        (40.789%)
  ICMP: 0          (0.000%)
   ARP: 70         (4.187%)
 EAPOL: 0          (0.000%)
  IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
   IPX: 0          (0.000%)
  FRAG: 0          (0.000%)
 OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
database: Closing connection to database "snort"
Snort exiting
[root@superman ~]#

----------------------------------------------- Output Ends Now -----------------------------------------------
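As an added, defender-side example (not from the poster or the Snort project): a small Python script that pulls the lines of interest out of a Snort 2.x run summary like the one above and checks the three things worth confirming when a sensor reports ALERTS: 0: that packets were actually analyzed, that rules loaded, and whether the host the test traffic came from falls inside $EXTERNAL_NET when that variable is a negated CIDR such as !192.168.1.0/24 (rules written $EXTERNAL_NET -> $HOME_NET cannot match LAN-to-LAN traffic under that definition). The excerpt and the test source address 192.168.1.50 are constructed for the example.

```python
import re
import ipaddress

# Constructed excerpt mirroring the lines of interest in the post above.
SAMPLE_OUTPUT = """\
Var 'EXTERNAL_NET' defined, value len = 15 chars, value = !192.168.1.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
5427 Snort rules read...
Snort received 1677 packets
   Analyzed: 1672(99.702%)
Action Stats:
ALERTS: 0
LOGGED: 0
"""

VAR_RE = re.compile(r"Var '(\w+)' defined,.*?value = (\S+)")

def parse_snort_summary(text):
    """Pull address variables, rule count and run counters out of Snort's stdout."""
    summary = {"vars": {}, "rules": 0, "received": 0, "analyzed": 0, "alerts": 0}
    for line in text.splitlines():
        m = VAR_RE.search(line)
        if m:
            summary["vars"][m.group(1)] = m.group(2)
        elif line.endswith("Snort rules read..."):
            summary["rules"] = int(line.split()[0])
        elif line.startswith("Snort received"):
            summary["received"] = int(line.split()[2])
        elif line.strip().startswith("Analyzed:"):
            summary["analyzed"] = int(re.search(r"Analyzed:\s*(\d+)", line).group(1))
        elif line.startswith("ALERTS:"):
            summary["alerts"] = int(line.split(":")[1])
    return summary

def is_external(var_value, ip):
    """Evaluate a single (optionally '!'-negated) CIDR variable against one host."""
    negated = var_value.startswith("!")
    net = ipaddress.ip_network(var_value.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(ip) in net
    return not inside if negated else inside

def diagnose(summary, test_source_ip):
    """Return the sanity findings to check when a sensor reports zero alerts."""
    findings = []
    if summary["analyzed"] == 0:
        findings.append("no packets analyzed: sensor is not seeing traffic")
    if summary["rules"] == 0:
        findings.append("no rules loaded")
    ext = summary["vars"].get("EXTERNAL_NET")
    if ext and not is_external(ext, test_source_ip):
        findings.append(f"test source {test_source_ip} is not in EXTERNAL_NET ({ext}); "
                        "$EXTERNAL_NET -> $HOME_NET rules cannot fire on it")
    if summary["alerts"] == 0 and not findings:
        findings.append("traffic seen and rules loaded but zero alerts: check rule/var coverage")
    return findings
```

Run `diagnose(parse_snort_summary(SAMPLE_OUTPUT), "192.168.1.50")` to see the EXTERNAL_NET finding for a test launched from the same subnet; with an off-subnet source only the generic zero-alert reminder remains.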