[Snort-devel] Re: No stats

Martin Olsson elof at ...969...
Thu May 15 21:07:08 EDT 2003


On Thu, 15 May 2003, Martin Roesch wrote:

> Which stats are missing?

Missing information in test-mode (-T):
* frag2
* stream4
* Stream4_reassemble
* mysql database information
* the number of rules and chains
* rule application order

Missing information at exit:
* Everything!




When running v2.0.0 in test-mode, this is what I get on stdout:

/usr/sentor/bin/snort -c /usr/sentor/etc/snort.conf -l /usr/sentor/log -u snort -g snort -T
Running in IDS mode
Log directory = /usr/sentor/log

Initializing Network Interface ed1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface ed1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/sentor/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Found logdir config directive (/usr/sentor/log)

Initializing Network Interface ed1
Done. Cleaning up.


...and this is what appears in the syslog:

May 15 19:11:02 flash /kernel: ed1: promiscuous mode disabled
May 15 19:11:02 flash /kernel: ed1: promiscuous mode enabled
May 15 19:11:02 flash snort: http_decode arguments:
May 15 19:11:02 flash snort:     Unicode decoding
May 15 19:11:02 flash snort:     IIS alternate Unicode decoding
May 15 19:11:02 flash snort:     IIS double encoding vuln
May 15 19:11:02 flash snort:     Flip backslash to slash
May 15 19:11:02 flash snort:     Include additional whitespace separators
May 15 19:11:02 flash snort:     Ports to decode http on: 80
May 15 19:11:02 flash snort: rpc_decode arguments:
May 15 19:11:02 flash snort:     Ports to decode RPC on: 111 32771
May 15 19:11:02 flash snort:     alert_fragments: INACTIVE
May 15 19:11:02 flash snort:     alert_large_fragments: ACTIVE
May 15 19:11:02 flash snort:     alert_incomplete: ACTIVE
May 15 19:11:02 flash snort:     alert_multiple_requests: ACTIVE
May 15 19:11:02 flash snort: telnet_decode arguments:
May 15 19:11:02 flash snort:     Ports to decode telnet on: 21 23 25 119
May 15 19:11:02 flash snort: Conversation Config:
May 15 19:11:02 flash snort:    KeepStats: 0
May 15 19:11:02 flash snort:    Conv Count: 3000
May 15 19:11:02 flash snort:    Timeout   : 60
May 15 19:11:02 flash snort:    Alert Odd?: 0
May 15 19:11:02 flash snort:    Allowed IP Protocols:
May 15 19:11:02 flash snort:  All
May 15 19:11:02 flash snort:
May 15 19:11:02 flash snort: Portscan2 config:
May 15 19:11:02 flash snort:     log: /usr/sentor/log/snort.portscan
May 15 19:11:02 flash snort:     scanners_max: 256
May 15 19:11:02 flash snort:     targets_max: 1024
May 15 19:11:02 flash snort:     target_limit: 5
May 15 19:11:02 flash snort:     port_limit: 20
May 15 19:11:02 flash snort:     timeout: 60
May 15 19:11:10 flash snort:  Snort sucessfully loaded all rules and checked all rule chains!
May 15 19:11:11 flash /kernel: ed1: promiscuous mode disabled
May 15 19:11:11 flash snort: Snort exiting



When killing v2.0.0, running in daemon-mode, this is what syslog receives:

/usr/sentor/bin/snort -c /usr/sentor/etc/snort.conf -l /usr/sentor/log -u snort -g snort -D
kill `cat /var/run/snort_ed1.pid`
May 15 19:31:03 flash /kernel: ed1: promiscuous mode disabled
May 15 19:31:03 flash snort: Snort exiting





Here's my snort.conf:
var SENSOR_NAME flash-01
var DB_USER snort
var DB_PASSWORD foo
var DB_NAME snort
var DB_HOST 10.1.2.3
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS any
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /usr/sentor/lib
config logdir: /usr/sentor/log
config alert_with_interface_name
config umask: 022
config checksum_mode: none
config show_year
config stateful
config interface: ed1
config daemon
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both,ports all
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, log snort.portscan
output alert_fast: snort.alert
output log_tcpdump: snort.tcpdump
output database: log, mysql, user=$DB_USER password=$DB_PASSWORD dbname=$DB_NAME host=$DB_HOST sensor_name=$SENSOR_NAME
# trapdb should include an output for snmp-traps, but this isn't available in snort v2.0.0
ruletype trapdb
{
  type alert
  output alert_fast: snort.alert
  output log_tcpdump: snort.tcpdump
  output database: log, mysql, user=snort password=foo dbname=snort host=10.1.2.3 sensor_name=flash-01
}
config order: trapdb pass activation dynamic alert log
include /usr/sentor/etc/snort-classification.config
include /usr/sentor/etc/snort-reference.config
include $RULE_PATH/sentor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules








> On Thursday, May 15, 2003, at 08:56 AM, Martin Olsson wrote:
>
> > Why have all the nice information and statistics been removed from
> > snort v2.0.0?
> >
> > When running 1.9.x in test-mode (-T), you got a lot of useful
> > information about the snort-configuration. In v2.0.0 you get way less
> > information, which is bad.
> >
> > Also, when you kill the snort process, v1.9.1 logged some nice
> > statistics. In v2.0.0 they are all gone. This too is bad.
> >
> >
> > Could we please have the stats back?
> >
> >
> > v1.9.1:
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > No arguments to frag2 directive, setting defaults to:
> >     Fragment timeout: 60 seconds
> >     Fragment memory cap: 4194304 bytes
> >     Fragment min_ttl:   0
> >     Fragment ttl_limit: 5
> >     Fragment Problems: 0
> > Stream4 config:
> >     Stateful inspection: ACTIVE
> >     Session statistics: INACTIVE
> >     Session timeout: 30 seconds
> >     Session memory cap: 8388608 bytes
> >     State alerts: INACTIVE
> >     Evasion alerts: INACTIVE
> >     Scan alerts: ACTIVE
> >     Log Flushed Streams: INACTIVE
> >     MinTTL: 1
> >     TTL Limit: 5
> >     Async Link: 0
> >     State Protection: 0
> >     Self preservation threshold: 0
> >     Self preservation period: 0
> >     Suspend threshold: 0
> >     Suspend period: 0
> > Stream4_reassemble config:
> >     Server reassembly: ACTIVE
> >     Client reassembly: ACTIVE
> >     Reassembler alerts: ACTIVE
> >     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> > http_decode arguments:
> >     Unicode decoding
> >     IIS alternate Unicode decoding
> >     IIS double encoding vuln
> >     Flip backslash to slash
> >     Include additional whitespace separators
> >     Ports to decode http on: 80
> > telnet_decode arguments:
> >     Ports to decode telnet on: 21 23 25 119
> > Conversation Config:
> >    KeepStats: 0
> >    Conv Count: 32000
> >    Timeout   : 60
> >    Alert Odd?: 0
> >    Allowed IP Protocols:  All
> > Portscan2 config:
> >     log: /snort/log/snort.portscan
> >     scanners_max: 3200
> >     targets_max: 5000
> >     target_limit: 25
> >     port_limit: 100
> >     timeout: 60
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database:          user = sentor
> > database: password is set
> > database: database name = snort
> > database:          host = 10.1.2.3
> > database:   sensor name = sensor-08
> > database:     sensor id = 11
> > database: schema version = 106
> > database: using the "log" facility
> > 1195 Snort rules read...
> > 1195 Option Chains linked into 127 Chain Headers
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Rule application order: ->pass->activation->dynamic->alert->log->trapdb
> >         --== Initialization Complete ==--
> >
> > v1.9.1 killed:
> >  snort: Snort analyzed 668289 out of 677025 packets,
> >  snort: dropping 8736(1.290%) packets
> >  snort: Breakdown by protocol:                Action Stats:
> >  snort:     TCP: 658135     (97.210%)         ALERTS: 15
> >  snort:     UDP: 403        (0.060%)          LOGGED: 15
> >  snort:    ICMP: 32         (0.005%)          PASSED: 29
> >  snort:     ARP: 116        (0.017%)
> >  snort:   EAPOL: 0          (0.000%)
> >  snort:    IPv6: 0          (0.000%)
> >  snort:     IPX: 0          (0.000%)
> >  snort:   OTHER: 765        (0.113%)
> >  snort: DISCARD: 0          (0.000%)
> >  snort:
> > =======================================================================
> >  snort: Wireless Stats:
> >  snort: Breakdown by type:
> >  snort:     Management Packets: 0          (0.000%)
> >  snort:     Control Packets:    0          (0.000%)
> >  snort:     Data Packets:       0          (0.000%)
> >  snort:
> > =======================================================================
> >  snort: Fragmentation Stats:
> >  snort: Fragmented IP Packets: 0          (0.000%)
> >  snort:     Fragment Trackers: 0
> >  snort:    Rebuilt IP Packets: 0
> >  snort:    Frag elements used: 0
> >  snort: Discarded(incomplete): 0
> >  snort:    Discarded(timeout): 0
> >  snort:   Frag2 memory faults: 0
> >  snort:
> > =======================================================================
> >  snort: TCP Stream Reassembly Stats:
> >  snort:         TCP Packets Used: 658135     (97.210%)
> >  snort:          Stream Trackers: 294
> >  snort:           Stream flushes: 191880
> >  snort:            Segments used: 464605
> >  snort:    Stream4 Memory Faults: 0
> >  snort:
> > =======================================================================
> >
> >
> >
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>





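The exit statistics quoted above are operationally useful mainly for one number: the share of packets the sensor dropped, which tells you how much traffic the IDS never inspected. Below is an added example (not code from this thread or from the Snort project) that parses the v1.9.1 exit block in the syslog form shown in the message, recomputes the drop rate from the raw counts instead of trusting the printed percentage, checks that analyzed + dropped equals the total received, and flags the sensor if the drop rate exceeds a threshold. The sample input is a constructed copy of the figures quoted in the thread; the class and function names and the 1% default threshold are this example's own choices.

```python
"""Parse the packet statistics Snort 1.9.x logs at exit and sanity-check them.

Added example: the parser, dataclass and threshold are assumptions of this
example, not part of Snort or of the mailing-list post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the v1.9.1 exit statistics quoted in the thread, as
# syslog delivers them (timestamp and hostname already stripped).
SAMPLE_STATS = """\
 snort: Snort analyzed 668289 out of 677025 packets,
 snort: dropping 8736(1.290%) packets
 snort: Breakdown by protocol:                Action Stats:
 snort:     TCP: 658135     (97.210%)         ALERTS: 15
 snort:     UDP: 403        (0.060%)          LOGGED: 15
 snort:    ICMP: 32         (0.005%)          PASSED: 29
 snort:     ARP: 116        (0.017%)
 snort:   EAPOL: 0          (0.000%)
 snort:    IPv6: 0          (0.000%)
 snort:     IPX: 0          (0.000%)
 snort:   OTHER: 765        (0.113%)
 snort: DISCARD: 0          (0.000%)
"""

_ANALYZED = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
_DROPPED = re.compile(r"dropping (\d+)\(([\d.]+)%\) packets")
# One protocol counter, optionally followed by an Action Stats column
# ("ALERTS: 15") that Snort prints on the same line.
_PROTO = re.compile(
    r"snort:\s+([A-Za-z0-9]+):\s+(\d+)\s+\(([\d.]+)%\)"
    r"(?:\s+(ALERTS|LOGGED|PASSED):\s+(\d+))?"
)


@dataclass
class SnortStats:
    analyzed: int = 0            # packets Snort actually inspected
    total: int = 0               # packets handed to Snort by the capture layer
    dropped: int = 0             # packets lost before inspection
    dropped_pct_reported: float = 0.0   # percentage as printed by Snort
    by_protocol: dict = field(default_factory=dict)   # e.g. {"TCP": 658135}
    actions: dict = field(default_factory=dict)       # ALERTS / LOGGED / PASSED


def parse_exit_stats(text: str) -> SnortStats:
    """Extract the headline counters from the exit-stats block."""
    st = SnortStats()
    for line in text.splitlines():
        m = _ANALYZED.search(line)
        if m:
            st.analyzed, st.total = int(m.group(1)), int(m.group(2))
            continue
        m = _DROPPED.search(line)
        if m:
            st.dropped = int(m.group(1))
            st.dropped_pct_reported = float(m.group(2))
            continue
        m = _PROTO.search(line)
        if m:
            st.by_protocol[m.group(1)] = int(m.group(2))
            if m.group(4):
                st.actions[m.group(4)] = int(m.group(5))
    return st


def drop_rate_pct(st: SnortStats) -> float:
    """Drop rate recomputed from raw counts, relative to packets received."""
    return 100.0 * st.dropped / st.total if st.total else 0.0


def counts_consistent(st: SnortStats) -> bool:
    """Snort's own invariant: everything received was analyzed or dropped."""
    return st.analyzed + st.dropped == st.total


def over_drop_threshold(st: SnortStats, threshold_pct: float = 1.0) -> bool:
    """True when the sensor lost more traffic than the operator tolerates."""
    return drop_rate_pct(st) > threshold_pct


if __name__ == "__main__":
    stats = parse_exit_stats(SAMPLE_STATS)
    print(f"received={stats.total} analyzed={stats.analyzed} dropped={stats.dropped}")
    print(f"drop rate {drop_rate_pct(stats):.3f}% (Snort printed {stats.dropped_pct_reported}%)")
    print("counters consistent:", counts_consistent(stats))
    print("over 1% drop threshold:", over_drop_threshold(stats))
```

Recomputing the percentage matters because the printed value is rounded; feeding a parsed block into a monitoring check on every restart gives you a per-sensor visibility metric, which is exactly what disappears when the exit statistics are not logged.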