[Snort-users] snort warnings

Bryan Irvine bryan.irvine at ...9066...
Wed Aug 6 14:39:09 EDT 2003


> Would it be possible to try to fix this problem (symptom?) by dumping
> the duplicate entries from the signature table?  

tried it :-(

> I think we need input from more experienced snorters (but in the
> absence of that, I suppose I would create a new test snort db on your
> database machine and have knox3 log to it, and go from there).

I initially just tried running "truncate tablename;" on everything I
thought was being affected, as I suspected something similar.  When that
didn't work I ran "dropdb snort", deleted the whole kit 'n' kaboodle,
started over from scratch and recreated the whole damn db, and guess
what?  Same thing :-/ only not so often now; maybe it will pick back up
as more entries are made.

I even tarred up the snort 2.0.0 from the original build (with all the
make files still there), scp'd it over to the new snort box and ran a
make install.  I checked the version and verified that it was 2.0.0 that
I was using (although I now seriously doubt it had anything to do with
2.0.1) and ran

snort -o -b -l /var/www/htdocs/snort/fxp1 -D -i fxp1 -c /usr/local/share/snort/fxp1.conf -q

and here's the output from that...


Aug  6 13:48:40 knox3 snort: Initializing daemon mode
Aug  6 13:48:40 knox3 snort: PID path stat checked out ok, PID path set to /var/run/
Aug  6 13:48:40 knox3 snort: Writing PID "4479" to file "/var/run//snort_fxp1.pid"
Aug  6 13:48:40 knox3 snort: http_decode arguments:
Aug  6 13:48:40 knox3 snort:     Unicode decoding
Aug  6 13:48:40 knox3 snort:     IIS alternate Unicode decoding
Aug  6 13:48:40 knox3 snort:     IIS double encoding vuln
Aug  6 13:48:40 knox3 snort:     Flip backslash to slash
Aug  6 13:48:40 knox3 snort:     Include additional whitespace separators
Aug  6 13:48:40 knox3 snort:     Ports to decode http on: 80
Aug  6 13:48:40 knox3 snort: rpc_decode arguments:
Aug  6 13:48:40 knox3 snort:     Ports to decode RPC on: 111 32771
Aug  6 13:48:40 knox3 snort:     alert_fragments: INACTIVE
Aug  6 13:48:40 knox3 snort:     alert_large_fragments: ACTIVE
Aug  6 13:48:40 knox3 snort:     alert_incomplete: ACTIVE
Aug  6 13:48:40 knox3 snort:     alert_multiple_requests: ACTIVE
Aug  6 13:48:40 knox3 snort: telnet_decode arguments:
Aug  6 13:48:40 knox3 snort:     Ports to decode telnet on: 21 23 25 119
Aug  6 13:48:41 knox3 snort: Snort initialization completed successfully


--Bryan
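The thread above talks about "dumping the duplicate entries from the signature table" and about truncating tables as a fix. The following is an added example, not code from the post or from the Snort project, showing how a practitioner would locate duplicate signature rows and collapse them without orphaning the events that reference them (a plain DELETE or TRUNCATE leaves event rows pointing at sig_ids that no longer exist, which is what the ACID/Snort console then chokes on). It assumes the classic Snort database layout (a `signature` table keyed by `sig_id` with `sig_name`, `sig_sid`, `sig_rev`, and an `event` table whose `signature` column references it); the column names are taken from that schema as an assumption, and the sample rows are constructed. It uses an in-memory SQLite database so it runs offline; the SQL is the same shape you would run against the PostgreSQL `snort` database mentioned in the post.

```python
import sqlite3

# Assumed subset of the classic Snort DB schema (signature + event tables).
# Column names are an assumption taken from that schema, not from the post.
SCHEMA = """
CREATE TABLE signature (
    sig_id       INTEGER PRIMARY KEY,
    sig_name     TEXT NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    signature INTEGER NOT NULL REFERENCES signature(sig_id),
    timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample data: the same rule was inserted three times under
# different sig_ids (1, 2 and 4), and events from two sensors point at them.
SAMPLE_SIGNATURES = [
    (1, "WEB-IIS cmd.exe access", 1, 2, 5, 1002),
    (2, "WEB-IIS cmd.exe access", 1, 2, 5, 1002),
    (3, "ICMP PING NMAP",         2, 3, 3, 469),
    (4, "WEB-IIS cmd.exe access", 1, 2, 5, 1002),
]
SAMPLE_EVENTS = [
    (1, 1, 1, "2003-08-06 13:48:41"),
    (1, 2, 2, "2003-08-06 13:49:00"),
    (2, 1, 4, "2003-08-06 13:49:05"),
    (2, 2, 3, "2003-08-06 13:49:10"),
]

# The logical identity of a rule: name + SID + revision.  Two rows that agree
# on these are the same signature regardless of their sig_id.
KEY = "sig_name, sig_sid, sig_rev"


def open_sample_db():
    """Build the in-memory sample database (constructed data, see above)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?)", SAMPLE_SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def find_duplicate_signatures(conn):
    """Return [(sig_name, sig_sid, sig_rev, count, [sig_ids...]), ...] for
    every logical signature that has more than one row."""
    rows = conn.execute(f"""
        SELECT {KEY}, COUNT(*) AS n, GROUP_CONCAT(sig_id) AS ids
        FROM signature
        GROUP BY {KEY}
        HAVING COUNT(*) > 1
        ORDER BY sig_name""").fetchall()
    return [(name, sid, rev, n, sorted(int(i) for i in ids.split(",")))
            for name, sid, rev, n, ids in rows]


def dedupe_signatures(conn):
    """Collapse each duplicate group onto its lowest sig_id.

    Events are re-pointed at the surviving row BEFORE the extra rows are
    deleted, so no event is ever left referencing a missing signature.
    Returns the number of signature rows removed."""
    removed = 0
    with conn:  # one transaction; rolled back on any error
        for _name, _sid, _rev, _n, ids in find_duplicate_signatures(conn):
            keep, *dups = ids
            for dup in dups:
                conn.execute("UPDATE event SET signature = ? WHERE signature = ?", (keep, dup))
                conn.execute("DELETE FROM signature WHERE sig_id = ?", (dup,))
                removed += 1
    return removed


def orphaned_events(conn):
    """Count event rows whose signature no longer exists (should be 0)."""
    return conn.execute("""
        SELECT COUNT(*) FROM event e
        LEFT JOIN signature s ON s.sig_id = e.signature
        WHERE s.sig_id IS NULL""").fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print("duplicates before:", find_duplicate_signatures(db))
    print("rows removed:", dedupe_signatures(db))
    print("orphaned events after:", orphaned_events(db))
```

Running `find_duplicate_signatures` alone is the safe first step on a live database: it is read-only and tells you whether the duplicates are really identical rules or rows that differ only in `sig_rev` (a rule update, which is not a duplicate). Only the re-pointing plus delete in `dedupe_signatures` actually changes data, and it does so in one transaction.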