[Snort-devel] Please verify output of DPX (sample dynamic preprocessor tool kit)

Russ Combs rcombs at ...402...
Mon Dec 2 13:05:55 EST 2013


What makes you think it isn't running OK?  From what I see, DPX ran and
generated alerts.

You can get more output if you build with --enable-debug
--enable-debug-msgs.

On Fri, Nov 29, 2013 at 1:26 PM, Amtul Saboor <saboor.amtul at ...2499...> wrote:

>
> Hello
>
> I recently installed the sample dynamic preprocessor tool kit and after
> following each step from the following official snort link:
>
> http://www.snort.org/snort-downloads/dynamic-preprocessor-starter-kit/
>
> Please let me know if this is not the expected output.
>
> I need to verify if I am doing it correctly, because I don't think dpx.c is
> running the way it should. This is my output when I type ./test.sh :
>
>
>
> #/dpx-1.6# cd /usr/src/dp
> #/dp# ./test.sh
> ./setup.sh: line 1: /root/snort: is a directory
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "test/snort.conf"
> Tagged Packet Limit: 256
> Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
>   Loading dynamic preprocessor library
> lib/snort_dynamicpreprocessor/libdpx.so... done
>   Finished Loading all dynamic preprocessor libs from
> lib/snort_dynamicpreprocessor
> Log directory = /var/log/snort
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 4 Snort rules read
>     4 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 2 Option Chains linked into 2 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port
> Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src       0       0       0       0
> |     dst       0       0       0       0
> |     any       4       0       0       0
> |      nc       4       0       0       0
> |     s+d       0       0       0       0
>
> +----------------------------------------------------------------------------
>
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[detection-filter-rules]-------------------------------
> | none
>
> -------------------------------------------------------------------------------
>
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[rate-filter-rules]------------------------------------
> | none
>
> -------------------------------------------------------------------------------
>
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[event-filter-global]----------------------------------
>
> +-----------------------[event-filter-local]-----------------------------------
> | none
>
> +-----------------------[suppression]------------------------------------------
> | none
>
> -------------------------------------------------------------------------------
> Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
>
> [ Port Based Pattern Matching Memory ]
> pcap DAQ configured to read-file.
> The DAQ version does not support reload.
> Acquiring network traffic from "test/test.pcap".
> Reload thread starting...
> Reload thread started, thread 0xb6997b70 (1754)
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.5.5 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3.3
>
>            Preprocessor Object: dpx  Version 1.6  <Build 1>
> Commencing packet processing (pid=1753)
> 3    256    2    0
> 4    256    2    0
> 5    256    1    0
>
> ===============================================================================
> Run time for packet processing was 0.994 seconds
> Snort processed 6 packets.
> Snort ran for 0 days 0 hours 0 minutes 0 seconds
>    Pkts/sec:            6
>
> ===============================================================================
> Packet I/O Totals:
>    Received:            6
>    Analyzed:            6 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:            6 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:            6 (100.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:            6 (100.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:            0 (  0.000%)
>       Total:            6
>
> ===============================================================================
> Action Stats:
>      Alerts:            3 ( 50.000%)
>      Logged:            3 ( 50.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:            6 (100.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> =============================
> Snort exiting
>
>
> Regards
> --
> *Amtul Saboor*
>
> *MS (Information Security)*
>
> *Military College of Signals, National University of Science & Technology,
> Rawalpindi *
>
> *Pakistan*
>
>
>
>
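An added check, not from the thread or from the DPX starter kit: Russ's reading of the log rests on three facts visible in it (libdpx.so was loaded, a "Preprocessor Object: dpx" banner line appeared, and Action Stats ends with a non-zero alert count). The shell function below tests a saved run log (for example `./test.sh > run.log 2>&1`) for exactly those three things, so a repeated run can be checked without eyeballing the whole dump. The function names, the temporary files and the log excerpt are constructed for this example; the excerpt is modelled on the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the DPX kit.
# Checks a saved Snort run log for the three signs that a dynamic
# preprocessor actually ran:
#   1. the shared object was loaded,
#   2. it registered a "Preprocessor Object" in the banner,
#   3. the run ended with a non-zero alert count in Action Stats.
# Function names and the sample logs below are constructed for this example.

# Print the alert count from the "Action Stats" block, or nothing if absent.
snort_alert_count() {
    awk '/^ *Alerts:/ { print $2; exit }' "$1"
}

# Usage: check_snort_run <logfile> <preprocessor name, e.g. dpx>
# Returns 0 when all three checks pass; explains the first failure on stderr.
check_snort_run() {
    log="$1"
    pp="$2"
    # 1. Snort prints "... lib<name>.so... done" when the library loads.
    if ! grep -q "lib${pp}\.so\.\.\. done" "$log"; then
        echo "check: lib${pp}.so was never loaded" >&2
        return 1
    fi
    # 2. A loaded preprocessor announces itself in the version banner.
    if ! grep -q "Preprocessor Object: ${pp} " "$log"; then
        echo "check: ${pp} did not register a Preprocessor Object" >&2
        return 1
    fi
    # 3. The Action Stats block only appears when the run finishes.
    alerts=$(snort_alert_count "$log")
    if [ -z "$alerts" ]; then
        echo "check: no Action Stats block (run did not finish?)" >&2
        return 1
    fi
    if [ "$alerts" -eq 0 ]; then
        echo "check: ${pp} loaded but the run produced 0 alerts" >&2
        return 1
    fi
    echo "check: ${pp} loaded and ${alerts} alert(s) generated" >&2
    return 0
}

# Constructed excerpt modelled on the run quoted in the thread.
SAMPLE_LOG=$(mktemp)
NO_ALERT_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$NO_ALERT_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libdpx.so... done
           Preprocessor Object: dpx  Version 1.6  <Build 1>
Commencing packet processing (pid=1753)
Action Stats:
     Alerts:            3 ( 50.000%)
     Logged:            3 ( 50.000%)
EOF
# Same run with the alert count zeroed, to exercise the failing path.
sed 's/Alerts:            3 ( 50.000%)/Alerts:            0 (  0.000%)/' "$SAMPLE_LOG" > "$NO_ALERT_LOG"

check_snort_run "$NO_ALERT_LOG" dpx || echo "check: failing path shown above" >&2
check_snort_run "$SAMPLE_LOG" dpx
```

Pointing the function at a real log is enough to turn the question in this thread into a yes/no answer; the alert count it extracts is the same "Alerts:" figure Russ is reading from the Action Stats block.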