[Snort-users] Demarc

Bart Decker (DCS) info at ...9038...
Mon Apr 28 04:20:12 EDT 2003


Hello all,

After installing Demarc on my Linux server, I'm not able to get to the
console. When entering the right URL in my browser (Windows XP, IE6.x) I get
notified about the certificate (security alert pop-up).
When clicking on yes to continue, it shows me only this:

Forbidden 
You don't have permission to access /Demarc/PureSecure on this server. 


-------------------------------------------------------------------------------

Apache/1.3.27 Server at linux Port 443 

I tried the Demarc knowledge base, but it doesn't contain any in-depth
information about the problem. It says I have to recheck my
configuration for the proper settings. They all seem right to me.


I've never worked with SSL, and I think it has something to do with setting
up SSL properly.

I really have no clue which settings to check ....



Additional Logs : SSL_ENGINE.LOG , ERROR_LOG , ACCESS_LOG from apache log
dir ...ow and ssl_request.log 


[27/Apr/2003 12:41:31 12848] [warn] Init: (linux:443) RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[27/Apr/2003 12:42:49 12859] [info] Connection to child 0 established (server linux:443, client 192.168.0.2)
[27/Apr/2003 12:42:50 12859] [info] Seeding PRNG with 1160 bytes of entropy
[27/Apr/2003 12:42:50 12859] [info] Connection: Client IP: 192.168.0.2, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[27/Apr/2003 12:42:53 12859] [info] Connection to child 0 closed with standard shutdown (server linux:443, client 192.168.0.2)
[27/Apr/2003 12:44:42 12860] [info] Connection to child 1 established (server linux:443, client 192.168.0.2)
[27/Apr/2003 12:44:42 12860] [info] Seeding PRNG with 1160 bytes of entropy
[27/Apr/2003 12:44:42 12860] [info] Connection: Client IP: 192.168.0.2, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[27/Apr/2003 12:44:42 12860] [info] Initial (No.1) HTTPS request received for child 1 (server linux:443)
[27/Apr/2003 12:44:42 12860] [info] Connection to child 1 closed with unclean shutdown (server linux:443, client 192.168.0.2)


ERROR_LOG : 

[Sat Apr 26 15:21:50 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:21:50 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:24:13 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:24:15 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:24:15 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:25:16 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:25:59 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:26:01 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:26:01 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:26:03 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:05 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:05 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:06 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:07 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:07 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:08 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:08 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:09 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:26:24 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:27:41 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:27:49 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:27:49 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:27:53 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/favicon.ico
[Sat Apr 26 15:27:55 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:28:01 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/PS
[Sat Apr 26 15:29:00 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/PS
[Sat Apr 26 15:29:40 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:29:51 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/cgi-bin
[Sat Apr 26 15:30:10 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:30:29 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:30:29 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:30:32 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/demarc
[Sat Apr 26 15:32:27 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:36:58 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:36:58 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:38:24 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:39:11 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:39:11 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Apr 26 15:55:46 2003] [notice] caught SIGTERM, shutting down
[Sat Apr 26 15:55:51 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sat Apr 26 15:55:51 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Apr 27 12:40:33 2003] [notice] caught SIGTERM, shutting down
[Sun Apr 27 12:40:47 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sun Apr 27 12:40:47 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Apr 27 12:41:31 2003] [notice] SIGHUP received. Attempting to restart
[Sun Apr 27 12:41:31 2003] [notice] Apache/1.3.27 (Unix) mod_perl/1.27 mod_ssl/2.8.11 OpenSSL/0.9.6g configured -- resuming normal operations
[Sun Apr 27 12:41:31 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)



ACCESS.LOG 

192.168.0.2 - - [26/Apr/2003:15:27:53 -0700] "GET /favicon.ico HTTP/1.1" 404 285
192.168.0.2 - - [26/Apr/2003:15:27:55 -0700] "GET /ps HTTP/1.1" 404 276
192.168.0.2 - - [26/Apr/2003:15:28:01 -0700] "GET /PS HTTP/1.1" 404 276
192.168.0.2 - - [26/Apr/2003:15:29:00 -0700] "GET /PS HTTP/1.1" 404 276
192.168.0.2 - - [26/Apr/2003:15:29:40 -0700] "GET /ps HTTP/1.1" 404 276
192.168.0.2 - - [26/Apr/2003:15:29:45 -0700] "GET / HTTP/1.1" 200 2007
192.168.0.2 - - [26/Apr/2003:15:29:51 -0700] "GET /cgi-bin HTTP/1.1" 404 281
192.168.0.2 - - [26/Apr/2003:15:30:32 -0700] "GET /demarc HTTP/1.1" 404 280
192.168.0.2 - - [26/Apr/2003:15:30:36 -0700] "GET / HTTP/1.1" 200 2007
192.168.0.2 - - [26/Apr/2003:15:30:37 -0700] "GET /manual/index.html HTTP/1.1" 200 9465
192.168.0.2 - - [26/Apr/2003:15:30:37 -0700] "GET /manual/images/apache_header.gif HTTP/1.1" 200 4084
192.168.0.2 - - [26/Apr/2003:15:30:37 -0700] "GET /manual/images/index.gif HTTP/1.1" 200 1540
192.168.0.2 - - [26/Apr/2003:15:30:37 -0700] "GET /manual/images/pixel.gif HTTP/1.1" 200 61
192.168.0.2 - - [26/Apr/2003:15:30:49 -0700] "GET /manual/vhosts/index.html HTTP/1.1" 200 3274
192.168.0.2 - - [26/Apr/2003:15:30:49 -0700] "GET /manual/images/home.gif HTTP/1.1" 200 1465
192.168.0.2 - - [26/Apr/2003:15:30:49 -0700] "GET /manual/images/sub.gif HTTP/1.1" 200 6083
192.168.0.2 - - [27/Apr/2003:12:44:42 -0700] "GET /Demarc/PureSecure HTTP/1.1" 403 278



SSL_REQUEST.LOG 

[26/Apr/2003:15:16:16 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Console HTTP/1.1" 270
[26/Apr/2003:15:16:53 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /images/index.html HTTP/1.1" 280
[26/Apr/2003:15:17:01 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /ps HTTP/1.1" 298
[26/Apr/2003:15:17:01 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:55 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:56 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:57 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:57 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:57 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:57 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:21:57 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:23:38 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:23:39 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[26/Apr/2003:15:23:40 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 284
[27/Apr/2003:12:44:42 -0700] 192.168.0.2 SSLv3 RC4-MD5 "GET /Demarc/PureSecure HTTP/1.1" 278
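
Added example, not part of the original post: a Python sketch that pairs each 4xx request in the access log with an error_log entry from the same client, using lines copied from the excerpts above. It assumes both logs are written in the same local time; the two-second window and all function names are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the excerpts posted above, with wrapped lines rejoined.
ACCESS_LOG = """\
192.168.0.2 - - [26/Apr/2003:15:27:55 -0700] "GET /ps HTTP/1.1" 404 276
192.168.0.2 - - [26/Apr/2003:15:30:32 -0700] "GET /demarc HTTP/1.1" 404 280
192.168.0.2 - - [27/Apr/2003:12:44:42 -0700] "GET /Demarc/PureSecure HTTP/1.1" 403 278
"""
ERROR_LOG = """\
[Sat Apr 26 15:27:55 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/ps
[Sat Apr 26 15:30:32 2003] [error] [client 192.168.0.2] File does not exist: /usr/local/www/htdocs/demarc
[Sun Apr 27 12:41:31 2003] [notice] SIGHUP received. Attempting to restart
"""

# Common Log Format: client, timestamp, method, path, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Apache 1.3 error_log: only [error] lines that name a client.
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] (.*)$')
ACCESS_TS = "%d/%b/%Y:%H:%M:%S"
ERROR_TS = "%a %b %d %H:%M:%S %Y"


def parse_errors(text):
    """Return (time, client, message) for every client-related [error] line."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), ERROR_TS), m.group(2), m.group(3)))
    return out


def correlate(access_text, error_text, window=timedelta(seconds=2)):
    """Return (path, status, error message or None) for each 4xx/5xx request."""
    errors = parse_errors(error_text)
    results = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or int(m.group(5)) < 400:
            continue
        client, ts, _method, path, status = m.groups()
        when = datetime.strptime(ts, ACCESS_TS)
        reason = next((msg for t, c, msg in errors
                       if c == client and abs(t - when) <= window), None)
        results.append((path, int(status), reason))
    return results


if __name__ == "__main__":
    for path, status, reason in correlate(ACCESS_LOG, ERROR_LOG):
        print(status, path, "->", reason or "no error_log entry in window")
```

On these excerpts the two 404s pair with "File does not exist" entries, while the 403 for /Demarc/PureSecure has no error_log entry at all, so the reason for the denial is not recorded in the error_log shown.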