Snort mailing list archives
No data and alarm log
From: "Xiaoxu Huang" <xhuang () graphnet com>
Date: Tue, 4 Jun 2013 18:15:46 -0400
Hi, We have installed the snort(2.9.4.6) on CentOS 6.4. The test looks OK as followings. But not get anything in the log files (snort.log and alert). Thanks for help. snort -d -A fast -l /var/log/snort -c /etc/snort/snort.conf -T ******* ******* FTPTelnet Config: GLOBAL CONFIG Inspection Type: stateful Check for Encrypted Traffic: YES alert: NO Continue to check encrypted data: YES TELNET CONFIG: Ports: 23 Are You There Threshold: 20 Normalize: YES Detect Anomalies: YES FTP CONFIG: FTP Server: default Ports (PAF): 21 2100 3535 Check for Telnet Cmds: YES alert: YES Ignore Telnet Cmd Operations: YES alert: YES Identify open data channels: NO FTP Client: default Check for Bounce Attacks: YES alert: YES Check for Telnet Cmds: YES alert: YES Ignore Telnet Cmd Operations: YES alert: YES Max Response Length: 256 SMTP Config: Ports: 25 465 587 691 Inspection Type: Stateful Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50 Ignore Data: No Ignore TLS Data: No Ignore SMTP Alerts: No Max Command Line Length: 512 Max Specific Command Line Length: ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246 XUSR:246 Max Header Line Length: 1000 Max Response Line Length: 512 X-Link2State Alert: Yes Drop on X-Link2State Alert: No Alert on commands: None Alert on unknown commands: No SMTP Memcap: 838860 MIME Max Mem: 838860 Base64 Decoding: Enabled Base64 Decoding Depth: Unlimited Quoted-Printable Decoding: Enabled Quoted-Printable Decoding Depth: Unlimited Unix-to-Unix Decoding: Enabled Unix-to-Unix Decoding Depth: Unlimited Non-Encoded MIME attachment Extraction: Enabled Non-Encoded MIME attachment Extraction Depth: Unlimited Log Attachment filename: Enabled Log MAIL FROM Address: Enabled Log RCPT TO Addresses: Enabled Log Email Headers: Enabled Email Hdrs Log Depth: 1464 SSH config: Autodetection: ENABLED Challenge-Response Overflow Alert: ENABLED SSH1 CRC32 Alert: ENABLED Server Version String Overflow Alert: ENABLED Protocol Mismatch Alert: ENABLED Bad Message Direction Alert: DISABLED Bad Payload Size Alert: DISABLED Unrecognized Version Alert: DISABLED Max Encrypted Packets: 20 Max Server Version String Length: 100 MaxClientBytes: 19600 (Default) Ports: 22 DCE/RPC 2 Preprocessor Configuration Global Configuration DCE/RPC Defragmentation: Enabled Memcap: 102400 KB Events: co SMB Fingerprint policy: Disabled Server Default Configuration Policy: WinXP Detect ports (PAF) SMB: 139 445 TCP: 135 UDP: 135 RPC over HTTP server: 593 RPC over HTTP proxy: None Autodetect ports (PAF) SMB: None TCP: 1025-65535 UDP: 1025-65535 RPC over HTTP server: 1025-65535 RPC over HTTP proxy: None Invalid SMB shares: C$ D$ ADMIN$ Maximum SMB command chaining: 3 commands DNS config: DNS Client rdata txt Overflow Alert: ACTIVE Obsolete DNS RR Types Alert: INACTIVE Experimental DNS RR Types Alert: INACTIVE Ports: 53 SSLPP config: Encrypted packets: not inspected Ports: 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 Server side data is trusted Sensitive Data preprocessor config: Global Alert Threshold: 25 Masked Output: DISABLED SIP config: Max number of sessions: 40000 Max number of dialogs in a session: 4 (Default) Status: ENABLED Ignore media channel: DISABLED Max URI length: 512 Max Call ID length: 80 Max Request name length: 20 (Default) Max From length: 256 (Default) Max To length: 256 (Default) Max Via length: 1024 (Default) Max Contact length: 512 Max Content length: 2048 Ports: 5060 5061 5600 Methods: invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack IMAP Config: Ports: 143 IMAP Memcap: 838860 Base64 Decoding: Enabled Base64 Decoding Depth: Unlimited Quoted-Printable Decoding: Enabled Quoted-Printable Decoding Depth: Unlimited Unix-to-Unix Decoding: Enabled Unix-to-Unix Decoding Depth: Unlimited Non-Encoded MIME attachment Extraction: Enabled Non-Encoded MIME attachment Extraction Depth: Unlimited POP Config: Ports: 110 POP Memcap: 838860 Base64 Decoding: Enabled Base64 Decoding Depth: Unlimited Quoted-Printable Decoding: Enabled Quoted-Printable Decoding Depth: Unlimited Unix-to-Unix Decoding: Enabled Unix-to-Unix Decoding Depth: Unlimited Non-Encoded MIME attachment Extraction: Enabled Non-Encoded MIME attachment Extraction Depth: Unlimited Modbus config: Ports: 502 DNP3 config: Memcap: 262144 Check Link-Layer CRCs: ENABLED Ports: 20000 +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 3584 Snort rules read 3584 detection rules 0 decoder rules 0 preprocessor rules 3584 Option Chains linked into 193 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 1514 5 0 0 | dst 1722 197 0 0 | any 124 44 28 26 | nc 50 12 1 0 | s+d 0 1 0 0 +--------------------------------------------------------------------------- - +-----------------------[detection-filter-config]--------------------------- --- | memory-cap : 1048576 bytes +-----------------------[detection-filter-rules]---------------------------- --- ---------------------------------------------------------------------------- --- +-----------------------[rate-filter-config]-------------------------------- --- | memory-cap : 1048576 bytes +-----------------------[rate-filter-rules]--------------------------------- --- | none ---------------------------------------------------------------------------- --- +-----------------------[event-filter-config]------------------------------- --- | memory-cap : 1048576 bytes +-----------------------[event-filter-global]------------------------------- --- +-----------------------[event-filter-local]-------------------------------- --- | none +-----------------------[suppression]--------------------------------------- --- | none ---------------------------------------------------------------------------- --- Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log Verifying Preprocessor Configurations! ICMP tracking disabled, no ICMP sessions allocated IP tracking disabled, no IP sessions allocated WARNING: flowbits key 'acunetix.scanner' is set but not ever checked. WARNING: flowbits key 'netsenum' is set but not ever checked. WARNING: flowbits key 'file.wma' is set but not ever checked. WARNING: flowbits key 'file.p2g' is set but not ever checked. WARNING: flowbits key 'rtmp.flashver' is set but not ever checked. WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked. 118 out of 1024 flowbits in use. [ Port Based Pattern Matching Memory ] +- [ Aho-Corasick Summary ] ------------------------------------- | Storage Format : Full-Q | Finite Automaton : DFA | Alphabet Size : 256 Chars | Sizeof State : Variable (1,2,4 bytes) | Instances : 148 | 1 byte states : 135 | 2 byte states : 13 | 4 byte states : 0 | Characters : 61735 | States : 48355 | Transitions : 4643640 | State Density : 37.5% | Patterns : 3701 | Match States : 3581 | Memory (MB) : 24.01 | Patterns : 0.29 | Match Lists : 0.43 | DFA | 1 byte states : 0.85 | 2 byte states : 22.29 | 4 byte states : 0.00 +---------------------------------------------------------------- [ Number of patterns truncated to 20 bytes: 392 ] --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.9.4.6 GRE (Build 73) '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using libpcap version 1.0.0 Using PCRE version: 8.32 2012-11-30 Using ZLIB version: 1.2.3 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.17 <Build 18> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13> Preprocessor Object: SF_SDF Version 1.1 <Build 1> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4> Preprocessor Object: SF_DNS Version 1.1 <Build 4> Preprocessor Object: SF_SSH Version 1.1 <Build 3> Preprocessor Object: SF_POP Version 1.0 <Build 1> Preprocessor Object: SF_SIP Version 1.1 <Build 1> Preprocessor Object: SF_IMAP Version 1.0 <Build 1> Preprocessor Object: SF_GTP Version 1.1 <Build 1> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1> Preprocessor Object: SF_SMTP Version 1.1 <Build 9> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1> Snort successfully validated the configuration!
------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. A cloud service to automate IT design, transition and operations 2. Dashboards that offer high-level views of enterprise services 3. A single system of record for all IT processes http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- No data and alarm log Xiaoxu Huang (Jun 04)
- Re: No data and alarm log James Lay (Jun 04)
- Re: No data and alarm log Xiaoxu Huang (Jun 04)
- Re: No data and alarm log James Lay (Jun 05)
- Re: No data and alarm log Xiaoxu Huang (Jun 06)
- Re: No data and alarm log James Lay (Jun 06)
- Re: No data and alarm log Xiaoxu Huang (Jun 04)
- Re: No data and alarm log James Lay (Jun 04)