Snort mailing list archives

Re: Error when running snort_inline 2.6.1.5 on Centos x86-64


From: Will Metcalf <william.metcalf () gmail com>
Date: Sat, 11 Aug 2012 00:53:03 -0500

I use snort_inline version 2.6.1.5 on
http://snort-inline.sourceforge.net/download.html  and snort rules 2923 with

Don't use snort_inline version 2.6.1.5 :). We haven't touched that
code or updated it in years. Vanilla snort has support for IPS mode. I
suggest you take a look at the README included with DAQ.

http://www.snort.org/snort-downloads/

Regards,

Will

On Fri, Aug 10, 2012 at 11:59 PM, Dang Le Nam <lenam.cntp () gmail com> wrote:
I use snort_inline version 2.6.1.5 from
http://snort-inline.sourceforge.net/download.html and snort rules 2923 with
Oinkmaster auto update.



When I run snort_inline:

snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline



Then the output error is:



Reading from iptables

Running in IDS mode

Initializing Inline mode



        --== Initializing Snort ==--

Initializing Output Plugins!

Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0

Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file /etc/snort_inline/snort_inline.conf



+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

Var 'HOME_NET' defined, value len = 3 chars, value = any

Var 'HONEYNET' defined, value len = 3 chars, value = any

Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any

Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any

Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any

Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any

Var 'SQL_SERVERS' defined, value len = 3 chars, value = any

Var 'DNS_SERVERS' defined, value len = 3 chars, value = any

Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80

Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80

Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521

Var 'SSH_PORTS' defined, value len = 2 chars, value = 22

Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

Var 'RULE_PATH' defined, value len = 23 chars, value = /etc/snort_inline/rules

,-----------[Flow Config]----------------------

| Stats Interval:  0

| Hash Method:     2

| Memcap:          10485760

| Rows  :          4099

| Overhead Bytes:  32800(%0.31)

`----------------------------------------------

stream4inline mode enabled

truncating mode enabled

Stream4 config:

    Stateful inspection: ACTIVE

    Session statistics: INACTIVE

    Session timeout: 3600 seconds

    Session memory cap: 134217728 bytes

    Session count max: 8192 sessions

    Session cleanup count: 5

    State alerts: INACTIVE

    Evasion alerts: INACTIVE

    Scan alerts: INACTIVE

    Log Flushed Streams: INACTIVE

    MinTTL: 1

    TTL Limit: 5

    Async Link: 0

    State Protection: 0

    Self preservation threshold: 50

    Self preservation period: 90

    Suspend threshold: 200

    Suspend period: 30

    Enforce TCP State: ACTIVE and DROPPING

    Midstream Drop Alerts: INACTIVE

    Allow Blocking of TCP Sessions in Inline: ACTIVE

    Server Data Inspection Limit: -1

    Inline-mode options:

        Inline-mode enabled? (stream4inline): Yes

        Scan mode? (scan_stream_only): Both packet and stream

        Sliding Windowsize (window_size): 3000

        Memcap reached method (truncate): Truncate

        Truncate percentage (truncate_percentage): 33

        Store/Load state from/to disk: No

        Max out-of-order packets in a stream (max_ooo_pkts): 5

        Max out-of-order bytes in a stream (max_ooo_bytes): 5000

        Max sequence holes in a stream (max_seq_holes): 2

        Normalize wscale max (norm_wscale_max): 2

        Perform window scale normaliztion: Yes

        Disable out-of-order packet drop: No

        Disable out-of-order packet drop: No

        Disable sequence hole packet drop: No

        Max sequence holes in a stream (max_seq_holes): 2

        Disable wscale normalization alerts (disable_norm_wscale_alerts): No

        Disable out-of-order alerts (disable_ooo_alerts): No

        Drop bad RST packets? (drop_bad_rst): No

        Disable evasive retransmission packet drop: No

        Disable out-of-window packet drop: No

        Disable all protocol violation drops: No

WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)

Stream4_reassemble config:

    Server reassembly: ACTIVE

    Client reassembly: ACTIVE

    Reassembler alerts: ACTIVE

    Zero out flushed packets: INACTIVE

    Flush stream on alert: INACTIVE

    flush_data_diff_size: 500

    Reassembler Packet Preferance : Favor New

    Packet Sequence Overlap Limit: -1

    Flush behavior: Small (<255 bytes)

    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306

    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306

HttpInspect Config:

    GLOBAL CONFIG

      Max Pipeline Requests:    0

      Inspection Type:          STATELESS

      Detect Proxy Usage:       NO

      IIS Unicode Map Filename: /etc/snort_inline/unicode.map

      IIS Unicode Map Codepage: 1252

    DEFAULT SERVER CONFIG:

      Server profile: All

      Ports: 80 8080 8180

      Flow Depth: 300

      Max Chunk Length: 500000

      Inspect Pipeline Requests: YES

      URI Discovery Strict Mode: NO

      Allow Proxy Usage: NO

      Disable Alerting: NO

      Oversize Dir Length: 500

      Only inspect URI: NO

      Ascii: YES alert: NO

      Double Decoding: YES alert: YES

      %U Encoding: YES alert: YES

      Bare Byte: YES alert: YES

      Base36: OFF

      UTF 8: OFF

      IIS Unicode: YES alert: YES

      Multiple Slash: YES alert: NO

      IIS Backslash: YES alert: NO

      Directory Traversal: YES alert: NO

      Web Root Traversal: YES alert: YES

      Apache WhiteSpace: YES alert: NO

      IIS Delimiter: YES alert: NO

      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

      Non-RFC Compliant Characters: NONE

      Whitespace Characters: 0x09 0x0b 0x0c 0x0d

rpc_decode arguments:

    Ports to decode RPC on: 111 32771

    alert_fragments: INACTIVE

    alert_large_fragments: ACTIVE

    alert_incomplete: ACTIVE

    alert_multiple_requests: ACTIVE

Portscan Detection Config:

    Detect Protocols:  TCP UDP ICMP IP

    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

    Sensitivity Level: Low

    Memcap (in bytes): 10000000

    Number of Nodes:   26109



ERROR: /etc/snort_inline/rules/exploit.rules(209) => Invalid port: [389,3268]

Fatal Error, Quitting..

When I comment out (“#”) exploit.rules in snort_inline.conf, the error then appears in other rules files, and so on.

And when I comment out (“#”) all rules files in snort_inline.conf, the output error is:



ERROR version 1 < 5

ERROR: Failed to initialize dynamic engine: SF_POP (IPV6) version 1.0.1

Fatal Error, Quitting..





--------------------

Đặng Lê Nam
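Will's pointer to vanilla Snort's IPS mode, turned into a small startup script as an added example (this is not code from the thread, from Will, or from the Snort project). It assumes Snort 2.9.x built with DAQ, a config at /etc/snort/snort.conf, a log directory /var/log/snort, NFQUEUE number 0 and forwarded traffic passing the iptables FORWARD chain; none of those paths or numbers come from the page. The sample rules it checks are constructed here, not taken from the poster's ruleset, and find_portlist_rules is a hypothetical helper name for a grep that flags rule headers using the bracketed port-list syntax the old engine rejected in the first fatal error above ([389,3268]), so that you can see how much of a ruleset is affected before commenting files out one at a time.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Assumptions not stated on the page: Snort 2.9.x with DAQ, config at
# /etc/snort/snort.conf, log dir /var/log/snort, NFQUEUE number 0.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"
QUEUE_NUM="${QUEUE_NUM:-0}"

# iptables rule that diverts forwarded packets to user space for the nfq DAQ.
iptables_nfq_rule() {
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s' "$QUEUE_NUM"
}

# Vanilla Snort in inline mode (-Q) over the nfq DAQ module; this is the
# replacement for the "snort_inline -Q ..." line in the original post.
snort_nfq_cmd() {
    printf 'snort -Q --daq nfq --daq-var queue=%s -c %s -l %s' \
        "$QUEUE_NUM" "$SNORT_CONF" "$SNORT_LOG"
}

# Same thing bridging two NICs with the afpacket DAQ (no iptables involved).
# $1 and $2 are the two interface names to bridge.
snort_afpacket_cmd() {
    printf 'snort -Q --daq afpacket -i %s:%s -c %s -l %s' \
        "$1" "$2" "$SNORT_CONF" "$SNORT_LOG"
}

# Hypothetical helper: print file:line for every rule whose source or
# destination port field is a bracketed port list or range ([389,3268],
# [1024:65535]). The bracket must sit in a port position, i.e. be followed
# by "->", "<>" or "(", so bracketed IP lists are not reported.
find_portlist_rules() {
    grep -nE '^[[:space:]]*(alert|drop|reject|sdrop|pass|log|activate|dynamic)[[:space:]].*\[[0-9A-Za-z_$!,: ]*[,:][0-9A-Za-z_$!,: ]*\][[:space:]]+(->|<>|\()' "$1"
}

count_portlist_rules() {
    find_portlist_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample rules for trying the check (not the poster's ruleset).
# Lines 2 and 5 use port lists; line 4 uses an IP list and must not match.
sample_rules() {
    cat <<'EOF'
# constructed sample rules, not from the page
alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"sample ldap"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample http"; sid:1000002; rev:1;)
alert tcp [$HOME_NET,10.0.0.0/8] any -> any 25 (msg:"sample ip list"; sid:1000003; rev:1;)
alert udp any [1024:65535] -> $DNS_SERVERS 53 (msg:"sample range"; sid:1000004; rev:1;)
EOF
}

# Preflight before going inline: list the DAQ modules Snort was built with,
# then parse the config in test mode (-T) so a broken rules file fails here
# instead of in the traffic path.
snort_preflight() {
    snort --daq-list && snort -T -c "$SNORT_CONF"
}
```

Source the file and run snort_preflight before cutting traffic over; the two *_cmd functions print the command lines rather than executing them so they can be reviewed before being run as root, and the iptables rule should go in last, once Snort is already listening on the queue, otherwise forwarded traffic is held until it is.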




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
