[Snort-users] Snort not outputting statistics on exit

Mark Ewert mewert at ...10516...
Sun Nov 16 12:28:14 EST 2003


Greetings,

I'm having an odd problem that just started with my Snort sensors. When
I shut down Snort (either via kill or the stop command with the startup
script) Snort no longer outputs its performance statistics in
/var/log/messages - it just lists: Snort Exiting. I may be going crazy
but I believe it used to output the stats there - I've seen them
recently as I've been working to improve Snort rule performance and am
looking for the packet loss data. Any idea what I'm doing wrong?

Here's my Snort command line from one of my sensors: snort -c
/etc/snort/snort.conf -i eth1 -D . I'm using the unified log and alert
output options and mudpit to process them. Oh - currently running: Snort
2.0.2 but will be upgrading to 2.0.4 ASAP. 

Here's the snort.conf from the same sensor - it's an un-tuned test
sensor so it's definitely not optimized:

#
## Variables
## ---------
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
var DNS_SERVERS 192.168.1.200
var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
var HTTP_PORTS 80
var SQL_SERVERS [192.168.1.117/32,192.168.1.200/32]
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------
output log_unified: filename /var/log/snort1/unified_log, limit 128
#
output alert_unified: filename /var/log/snort1/unified_alert, limit 128
#
## Custom Rules
## ------------
config disable_decode_alerts
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
## Include Files
## -------------
include classification.config
include reference.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

and the output from snort -T -i eth1 -c /etc/snort/snort.conf :

[root at ...10568... root]# snort -T -i eth1 -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort
 
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup: 
        eth1: no IPv4 address assigned
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
1458 Snort rules read...
1458 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch at ...1935..., www.snort.org)
 
Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting

THANKS IN ADVANCE.

Mark

-------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
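The packet-loss figures the post is after are the shutdown statistics Snort writes through syslog. The following is an added example, not code from the post or from the Snort project: it reads /var/log/messages-style lines, pairs each statistics summary with the "Snort exiting" line of the same pid, and reports both shutdowns where the statistics never appeared (the symptom described above) and shutdowns where the pcap drop rate crossed a threshold. The sample syslog text is constructed, and the summary-line format ("Snort analyzed N out of M packets, dropping D(P%) packets") is assumed from Snort 2.x output; adjust STATS_RE if your build logs the summary differently.

```python
"""Pull Snort shutdown statistics out of syslog and compute the packet-loss rate."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/messages: pid 1234 printed its statistics before
# exiting, pid 2345 logged only "Snort exiting" (the problem the post describes).
SAMPLE_SYSLOG = """\
Nov 16 11:02:13 sensor1 snort[1234]: Snort analyzed 4821933 out of 4823120 packets, dropping 1187(0.025%) packets
Nov 16 11:02:13 sensor1 snort[1234]: Breakdown by protocol:                Action Stats:
Nov 16 11:02:13 sensor1 snort[1234]:     TCP: 3900000    (80.9%)            ALERTS: 42
Nov 16 11:02:13 sensor1 snort[1234]:     UDP: 800000     (16.6%)            LOGGED: 42
Nov 16 11:02:13 sensor1 snort[1234]: Snort exiting
Nov 16 12:10:44 sensor1 snort[2345]: Snort exiting
"""

# Assumed shape of the Snort 2.x summary line; "out of" is what libpcap received,
# "dropping" is what libpcap dropped before Snort saw it.
STATS_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: Snort analyzed (?P<analyzed>\d+) out of "
    r"(?P<received>\d+) packets, dropping (?P<dropped>\d+)\("
)
EXIT_RE = re.compile(r"snort\[(?P<pid>\d+)\]: Snort exiting\s*$")


@dataclass
class ExitReport:
    pid: int
    received: Optional[int]  # None when Snort exited without printing statistics
    analyzed: Optional[int]
    dropped: Optional[int]

    @property
    def has_stats(self) -> bool:
        return self.received is not None

    @property
    def drop_pct(self) -> Optional[float]:
        """Packet loss as a percentage of the packets libpcap received."""
        if not self.has_stats or self.received == 0:
            return None
        return 100.0 * self.dropped / self.received


def parse_exit_reports(syslog_text: str) -> List[ExitReport]:
    """Pair each statistics line with the 'Snort exiting' line of the same pid."""
    pending: Dict[int, Tuple[int, int, int]] = {}
    reports: List[ExitReport] = []
    for line in syslog_text.splitlines():
        m = STATS_RE.search(line)
        if m:
            pending[int(m["pid"])] = (
                int(m["received"]), int(m["analyzed"]), int(m["dropped"]))
            continue
        m = EXIT_RE.search(line)
        if m:
            pid = int(m["pid"])
            # An exit with no preceding statistics yields a report with None fields.
            received, analyzed, dropped = pending.pop(pid, (None, None, None))
            reports.append(ExitReport(pid, received, analyzed, dropped))
    return reports


def exits_without_stats(reports: List[ExitReport]) -> List[int]:
    """Pids that shut down without logging their statistics block."""
    return [r.pid for r in reports if not r.has_stats]


def lossy_exits(reports: List[ExitReport], max_drop_pct: float = 0.1) -> List[int]:
    """Pids whose pcap drop rate exceeded max_drop_pct at shutdown."""
    return [r.pid for r in reports if r.has_stats and r.drop_pct > max_drop_pct]


if __name__ == "__main__":
    found = parse_exit_reports(SAMPLE_SYSLOG)
    for r in found:
        if r.has_stats:
            print(f"pid {r.pid}: received={r.received} analyzed={r.analyzed} "
                  f"dropped={r.dropped} ({r.drop_pct:.3f}%)")
        else:
            print(f"pid {r.pid}: exited without statistics")
    print("missing stats:", exits_without_stats(found))
    print("over 0.01% loss:", lossy_exits(found, 0.01))
```

Run it against a real log with `parse_exit_reports(open("/var/log/messages").read())`; a non-empty result from exits_without_stats() is the condition the post describes, and lossy_exits() gives the packet-loss data the rule tuning is meant to bring down.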
