Snort mailing list archives
Still trying to build this box
From: Jim Turner <JTurner () hilltopconsultants com>
Date: Tue, 12 Mar 2013 10:03:38 -0400
I have made progress since last night. Snort is now starting and not erroring on the rules. I accomplished this by
uninstalling and starting all over again. Now I am just unable to log any of the data.
I have attached my snort.conf. I have pasted the results of this command line:
snort -A console -i1 -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
I feel like I am almost there. Please assist.
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'file.otf' is set but not ever checked.
WARNING: flowbits key 'file.xspf' is set but not ever checked.
WARNING: flowbits key 'file.rjs' is set but not ever checked.
WARNING: flowbits key 'file.rmf' is set but not ever checked.
WARNING: flowbits key 'file.elf' is set but not ever checked.
WARNING: flowbits key 'smb.query_sec_desc' is set but not ever checked.
WARNING: flowbits key 'file.works' is set but not ever checked.
WARNING: flowbits key 'file.manifest' is set but not ever checked.
WARNING: flowbits key 'file.smi' is set but not ever checked.
WARNING: flowbits key 'file.avi.video' is set but not ever checked.
WARNING: flowbits key 'file.class' is set but not ever checked.
WARNING: flowbits key 'file.pmd' is set but not ever checked.
WARNING: flowbits key 'file.xpm' is set but not ever checked.
WARNING: flowbits key 'file.mny' is checked but not ever set.
WARNING: flowbits key 'file.dmg' is set but not ever checked.
WARNING: flowbits key 'file.psfont' is set but not ever checked.
WARNING: flowbits key 'file.cgm' is set but not ever checked.
WARNING: flowbits key 'file.slk' is set but not ever checked.
WARNING: flowbits key 'file.avi' is set but not ever checked.
WARNING: flowbits key 'file.tiff' is set but not ever checked.
WARNING: flowbits key 'file.gif' is set but not ever checked.
WARNING: flowbits key 'file.chm' is set but not ever checked.
WARNING: flowbits key 'file.visprj' is set but not ever checked.
WARNING: flowbits key 'file.ani' is set but not ever checked.
WARNING: flowbits key 'file.engtesselate' is set but not ever checked.
WARNING: flowbits key 'file.realmedia' is set but not ever checked.
WARNING: flowbits key 'file.tiff.little' is set but not ever checked.
WARNING: flowbits key 'file.tga' is set but not ever checked.
WARNING: flowbits key 'file.eps' is set but not ever checked.
WARNING: flowbits key 'file.smil' is set but not ever checked.
WARNING: flowbits key 'file.zip' is set but not ever checked.
WARNING: flowbits key 'file.realplayer' is set but not ever checked.
WARNING: flowbits key 'file.realplayer.playlist' is set but not ever checked.
WARNING: flowbits key 'imagesource.redefine' is set but not ever checked.
WARNING: flowbits key 'file.asx' is set but not ever checked.
WARNING: flowbits key 'file.dws' is set but not ever checked.
WARNING: flowbits key 'file.swf' is set but not ever checked.
WARNING: flowbits key 'file.silverlight' is set but not ever checked.
WARNING: flowbits key 'file.xls' is set but not ever checked.
WARNING: flowbits key 'file.xul' is set but not ever checked.
WARNING: flowbits key 'file.mp4' is set but not ever checked.
WARNING: flowbits key 'file.vap' is set but not ever checked.
WARNING: flowbits key 'file.flv' is set but not ever checked.
WARNING: flowbits key 'file.wmv' is set but not ever checked.
WARNING: flowbits key 'file.asf' is set but not ever checked.
WARNING: flowbits key 'file.rtf' is set but not ever checked.
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
WARNING: flowbits key 'file.mswmm' is set but not ever checked.
WARNING: flowbits key 'file.pls' is set but not ever checked.
WARNING: flowbits key 'file.xml' is set but not ever checked.
WARNING: flowbits key 'file.oless.v3' is checked but not ever set.
WARNING: flowbits key 'file.visio' is set but not ever checked.
WARNING: flowbits key 'server.mdaemon' is set but not ever checked.
WARNING: flowbits key 'file.4xm' is set but not ever checked.
WARNING: flowbits key 'file.ses' is set but not ever checked.
WARNING: flowbits key 'file.jar' is set but not ever checked.
WARNING: flowbits key 'file.dir' is set but not ever checked.
WARNING: flowbits key 'file.png' is set but not ever checked.
WARNING: flowbits key 'file.pub' is set but not ever checked.
WARNING: flowbits key 'file.fpx' is set but not ever checked.
WARNING: flowbits key 'file.jpeg' is set but not ever checked.
WARNING: flowbits key 'file.eot' is set but not ever checked.
WARNING: flowbits key 'file.lnk' is set but not ever checked.
WARNING: flowbits key 'file.pac' is set but not ever checked.
WARNING: flowbits key 'file.dxf' is set but not ever checked.
WARNING: flowbits key 'file.quicktime' is set but not ever checked.
WARNING: flowbits key 'file.tar' is set but not ever checked.
WARNING: flowbits key 'file.csd' is set but not ever checked.
WARNING: flowbits key 'file.wav' is set but not ever checked.
WARNING: flowbits key 'file.m3u' is set but not ever checked.
WARNING: flowbits key 'file.cdr' is set but not ever checked.
WARNING: flowbits key 'file.pdf' is set but not ever checked.
WARNING: flowbits key 'file.pct' is set but not ever checked.
WARNING: flowbits key 'file.xbm' is set but not ever checked.
WARNING: flowbits key 'file.universalbinary' is set but not ever checked.
WARNING: flowbits key 'file.torrent' is set but not ever checked.
WARNING: flowbits key 'file.mp3' is set but not ever checked.
WARNING: flowbits key 'file.qcp' is set but not ever checked.
WARNING: flowbits key 'file.jnlp' is set but not ever checked.
WARNING: flowbits key 'file.hpj' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.fileinfo' is set but not ever checked.
WARNING: flowbits key 'file.wmf' is set but not ever checked.
WARNING: flowbits key 'file.doc' is set but not ever checked.
93 out of 1024 flowbits in use.
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 48
| 1 byte states : 43
| 2 byte states : 5
| 4 byte states : 0
| Characters : 8890
| States : 6460
| Transitions : 148770
| State Density : 9.0%
| Patterns : 876
| Match States : 806
| Memory (MB) : 3.19
| Patterns : 0.06
| Match Lists : 0.07
| DFA
| 1 byte states : 0.20
| 2 byte states : 2.81
| 4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 30 ]
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{4809A428-8B29-48E8-AE8C-844A398DF0CC}".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.4.1-WIN32 GRE (Build 69)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.17 <Build 18>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Commencing packet processing (pid=364)
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 90.6000 seconds
Snort processed 422 packets.
Snort ran for 0 days 0 hours 1 minutes 30 seconds
Pkts/min: 422
Pkts/sec: 4
===============================================================================
Packet I/O Totals:
Received: 431
Analyzed: 422 ( 97.912%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 9 ( 2.088%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 422 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 149 ( 35.308%)
Frag: 0 ( 0.000%)
ICMP: 8 ( 1.896%)
UDP: 141 ( 33.412%)
TCP: 0 ( 0.000%)
IP6: 53 ( 12.559%)
IP6 Ext: 53 ( 12.559%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 53 ( 12.559%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 175 ( 41.469%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 45 ( 10.664%)
Bad Chk Sum: 4 ( 0.948%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 422
===============================================================================
Action Stats:
Alerts: 0 ( 0.000%)
Logged: 0 ( 0.000%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 422 ( 97.912%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 32
TCP sessions: 0
UDP sessions: 32
ICMP sessions: 0
IP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
IP Prunes: 0
TCP StreamTrackers Created: 0
TCP StreamTrackers Deleted: 0
TCP Timeouts: 0
TCP Overlaps: 0
TCP Segments Queued: 0
TCP Segments Released: 0
TCP Rebuilt Packets: 0
TCP Segments Used: 0
TCP Discards: 0
TCP Gaps: 0
UDP Sessions Created: 32
UDP Sessions Deleted: 32
UDP Timeouts: 0
UDP Discards: 0
Events: 0
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 0
UDP Port Filter
Dropped: 0
Inspected: 81
Tracked: 32
===============================================================================
===============================================================================
SMTP Preprocessor Statistics
Total sessions : 0
Max concurrent sessions : 0
===============================================================================
dcerpc2 Preprocessor Statistics
Total sessions: 0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
Total sessions: 0
===============================================================================
Reputation Preprocessor Statistics
Total Memory Allocated: 0
===============================================================================
Snort exiting
C:\Snort\bin>
Attachment:
snort.conf
Description: snort.conf
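An added diagnostic, not from the post or from Snort itself, that parses the shutdown summary quoted above and says why the -l directory can stay empty. The excerpt is constructed from the counters the post reports; the finding codes and their wording are my own names.

```python
import re

# Constructed excerpt of the Snort 2.9 shutdown summary quoted in the post;
# the numbers are the ones it reported (422 packets, no TCP, no alerts).
SUMMARY = """\
Packet I/O Totals:
Received: 431
Analyzed: 422 ( 97.912%)
Dropped: 0 ( 0.000%)
Breakdown by protocol (includes rebuilt packets):
Eth: 422 (100.000%)
IP4: 149 ( 35.308%)
UDP: 141 ( 33.412%)
TCP: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
ARP: 175 ( 41.469%)
Action Stats:
Alerts: 0 ( 0.000%)
Logged: 0 ( 0.000%)
"""

# Matches "Name: 123 ( 45.678%)" counter lines; the percentage part is optional.
COUNTER = re.compile(r"^\s*([A-Za-z0-9/ -]+?)\s*:\s+(\d+)\b")

def parse_counters(text):
    """Map counter names to integers, keeping the first occurrence of a
    repeated name ('Alerts' also appears under Frag3 statistics)."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters.setdefault(m.group(1).strip(), int(m.group(2)))
    return counters

def diagnose(counters):
    """Return {code: explanation} describing why no log files were written."""
    findings = {}
    analyzed = counters.get("Analyzed", 0)
    if analyzed == 0:
        findings["no_traffic"] = "nothing analyzed: check -i and that traffic reaches this NIC"
        return findings
    if counters.get("Dropped", 0):
        findings["dropped"] = "%d packets dropped by the DAQ" % counters["Dropped"]
    if counters.get("Alerts", 0) == 0:
        # Snort writes packet logs only for packets that raised an event.
        findings["no_alerts"] = "no rule fired on %d packets, so an empty log dir is expected" % analyzed
    if counters.get("TCP", 0) == 0 and counters.get("TCP6", 0) == 0:
        # ARP/UDP only is what a host sees on its own segment without a SPAN/mirror.
        findings["no_tcp"] = "no TCP seen: most rules need TCP, so the sensor likely sees only its own broadcast domain"
    return findings

if __name__ == "__main__":
    for code, msg in diagnose(parse_counters(SUMMARY)).items():
        print(code, "-", msg)
```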
