NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Snort IDS> 2004-04

Re: [Snort-users] Problems with snort

From: Alejandro Flores (alejandro.florestriforsec.com.br)
Date: Mon Apr 26 2004 - 12:38:43 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Adriano,

Aparentemente o script de inicialização está chamando um outro
snort.conf ou está trabalhando em um outro modo que não o nids.
Como você está inicializando o snort?

[]s
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/

> Hi,
>
> I´m with a problem... I installed the snort with MySQL and ACID (RedHat9), but it doesn´t show me any alerts.
>
> here is the part of the syslog
>
> Apr 26 10:37:22 russoe kernel: device eth0 entered promiscuous mode
> Apr 26 10:37:22 russoe snort: Initializing daemon mode
> Apr 26 10:37:22 russoe snort: PID path stat checked out ok, PID path set to /var/run/
> Apr 26 10:37:22 russoe snort: Writing PID "6768" to file "/var/run//snort_eth0.pid"
> Apr 26 10:37:22 russoe snort: ,-----------[Flow Config]----------------------
> Apr 26 10:37:22 russoe snort: | Stats Interval: 0
> Apr 26 10:37:22 russoe snort: | Hash Method: 2
> Apr 26 10:37:22 russoe snort: | Memcap: 10485760
> Apr 26 10:37:22 russoe snort: | Rows : 4099
> Apr 26 10:37:22 russoe snort: | Overhead Bytes: 16400(%0.16)
> Apr 26 10:37:22 russoe snort: `----------------------------------------------
> Apr 26 10:37:22 russoe snort: HttpInspect Config:
> Apr 26 10:37:22 russoe snort: GLOBAL CONFIG
> Apr 26 10:37:22 russoe snort: Max Pipeline Requests: 0
> Apr 26 10:37:22 russoe snort: Inspection Type: STATELESS
> Apr 26 10:37:22 russoe snort: Detect Proxy Usage: NO
> Apr 26 10:37:22 russoe snort: IIS Unicode Map Filename: /etc/snort/unicode.map
> Apr 26 10:37:22 russoe snort: IIS Unicode Map Codepage: 1252
> Apr 26 10:37:22 russoe snort: DEFAULT SERVER CONFIG:
> Apr 26 10:37:22 russoe snort: Ports:
> Apr 26 10:37:22 russoe snort: 80
> Apr 26 10:37:22 russoe snort: 8080
> Apr 26 10:37:22 russoe snort: 8180
> Apr 26 10:37:22 russoe snort:
> Apr 26 10:37:22 russoe snort: Flow Depth: 300
> Apr 26 10:37:22 russoe snort: Max Chunk Length: 500000
> Apr 26 10:37:22 russoe snort: Inspect Pipeline Requests: YES
> Apr 26 10:37:22 russoe snort: URI Discovery Strict Mode: NO
> Apr 26 10:37:22 russoe snort: Allow Proxy Usage: NO
> Apr 26 10:37:22 russoe snort: Disable Alerting: NO
> Apr 26 10:37:22 russoe snort: Oversize Dir Length: 500
> Apr 26 10:37:22 russoe snort: Only inspect URI: NO
> Apr 26 10:37:22 russoe snort: Ascii: YES alert: NO
> Apr 26 10:37:22 russoe snort: Double Decoding: YES alert: YES
> Apr 26 10:37:22 russoe snort: %U Encoding: YES alert: YES
> Apr 26 10:37:22 russoe snort: Bare Byte: YES alert: YES
> Apr 26 10:37:22 russoe snort: Base36: OFF
> Apr 26 10:37:22 russoe snort: UTF 8: OFF
> Apr 26 10:37:22 russoe snort: IIS Unicode: YES alert: YES
> Apr 26 10:37:22 russoe snort: Multiple Slash: YES alert: NO
> Apr 26 10:37:22 russoe snort: IIS Backslash: YES alert: NO
> Apr 26 10:37:22 russoe snort: Directory: YES alert: NO
> Apr 26 10:37:22 russoe snort: Apache WhiteSpace: YES alert: YES
> Apr 26 10:37:22 russoe snort: IIS Delimiter: YES alert: YES
> Apr 26 10:37:22 russoe snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Apr 26 10:37:22 russoe snort: Non-RFC Compliant Characters:
> Apr 26 10:37:22 russoe snort: NONE
> Apr 26 10:37:22 russoe snort:
> Apr 26 10:37:22 russoe snort: rpc_decode arguments:
> Apr 26 10:37:22 russoe snort: Ports to decode RPC on: 111 32771
> Apr 26 10:37:22 russoe snort: alert_fragments: INACTIVE
> Apr 26 10:37:22 russoe snort: alert_large_fragments: ACTIVE
> Apr 26 10:37:22 russoe snort: alert_incomplete: ACTIVE
> Apr 26 10:37:22 russoe snort: alert_multiple_requests: ACTIVE
> Apr 26 10:37:22 russoe snort: telnet_decode arguments:
> Apr 26 10:37:22 russoe snort: Ports to decode telnet on: 21 23 25 119
> Apr 26 10:37:22 russoe snort: Snort initialization completed successfully
>
>
>
>
> ############################################################################################################################
>
> the command: #snort -c /etc/snort/snort.conf show me....
>
>
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval: 0
> | Hash Method: 2
> | Memcap: 10485760
> | Rows : 4099
> | Overhead Bytes: 16400(%0.16)
> `----------------------------------------------
> No arguments to frag2 directive, setting defaults to:
> Fragment timeout: 60 seconds
> Fragment memory cap: 4194304 bytes
> Fragment min_ttl: 0
> Fragment ttl_limit: 5
> Fragment Problems: 0
> Self preservation threshold: 500
> Self preservation period: 90
> Suspend threshold: 1000
> Suspend period: 30
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> flush_data_diff_size: 500
> Ports: 21 23 25 53 80 110 111 143 513 1433
> Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> HttpInspect Config:
> GLOBAL CONFIG
> Max Pipeline Requests: 0
> Inspection Type: STATELESS
> Detect Proxy Usage: NO
> IIS Unicode Map Filename: /etc/snort/unicode.map
> IIS Unicode Map Codepage: 1252
> DEFAULT SERVER CONFIG:
> Ports: 80 8080 8180
> Flow Depth: 300
> Max Chunk Length: 500000
> Inspect Pipeline Requests: YES
> URI Discovery Strict Mode: NO
> Allow Proxy Usage: NO
> Disable Alerting: NO
> Oversize Dir Length: 500
> Only inspect URI: NO
> Ascii: YES alert: NO
> Double Decoding: YES alert: YES
> %U Encoding: YES alert: YES
> Bare Byte: YES alert: YES
> Base36: OFF
> UTF 8: OFF
> IIS Unicode: YES alert: YES
> Multiple Slash: YES alert: NO
> IIS Backslash: YES alert: NO
> Directory: YES alert: NO
> Apache WhiteSpace: YES alert: YES
> IIS Delimiter: YES alert: YES
> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Non-RFC Compliant Characters: NONE
> rpc_decode arguments:
> Ports to decode RPC on: 111 32771
> alert_fragments: INACTIVE
> alert_large_fragments: ACTIVE
> alert_incomplete: ACTIVE
> alert_multiple_requests: ACTIVE
> telnet_decode arguments:
> Ports to decode telnet on: 21 23 25 119
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = snort
> database: password is set
> database: database name = snort
> database: host = localhost
> database: sensor name = 10.9.1.250
> database: sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> 1773 Snort rules read...
> 1773 Option Chains linked into 170 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
> +-----------------------[suppression]------------------------------------------
> -------------------------------------------------------------------------------
> Rule application order: ->activation->dynamic->alert->pass->log
>
> --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 2.1.2 (Build 25)
> By Martin Roesch (roeschsourcefire.com, www.snort.org)
>
>
>
>
>
> Adriano Bandeira de Araújo
> Secretaria de Orçamento Federal - SOF
> (61) 348-2111
>

--TriForSec
http://www.triforsec.com.br/

-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]