[Snort-users] Figured it out!: Snort not outputting statistics on exit

Phil Wood cpw at ...440...
Sun Nov 16 18:28:14 EST 2003


On Sun, Nov 16, 2003 at 04:00:50PM -0500, Mark Ewert wrote:
> Greetings,
> 
> I figured it out. I had been searching and searching google for an
> answer and finally found it. Seems there is a bug in snort.c (located
> within the /src subdirectory of the install package). Here's a link to
> the fix provided by Chris Green cmg at ...1935...:
> http://www.pantek.com/library/general/lists/snort.org/snort-devel/msg00522.html .
> 
> Here's the detail:
> 
> This problem seems only to occur in Daemon mode. To fix it:
> 
> Change In snort.c
> 
>     /* Print Statistics */
>     if(!pv.test_mode_flag)
>     {
>         fpShowEventStats();
>         DropStats(0);
>     }
> 
> to
>     /* Print Statistics */
>     if(!pv.test_mode_flag)
>     {
>         fpShowEventStats();
>         pv.quiet_flag = 0;
>         DropStats(0);
>         pv.quiet_flag = 1;
>     }
> 
> After doing this Snort not only properly outputs stats in
> /var/log/messages on exit but it also tells me which libpcap I am using
> on startup which is great because I'm experimenting with Phil Wood's

For grins, start your snort and include PCAP_VERBOSE=1 where you might
be setting PCAP_FRAMES=max.  It will dump a line to stderr which shows
what is really going on after all is said and done.

Example default (not setting PCAP_FRAMES to the max):

# PCAP_VERBOSE=1 tcpdump -i eth0 -c 1 -n
libpcap version: 0.8
Kernel filter, Protocol 0300, MMAP mode (600 frames, snapshot 96), socket type: Raw

Later,

> libpcap8 with ring support and wasn't sure how to tell if Snort was
> actually using it! Sorry I didn't find the solution before posting to
> the group. I'm going to try the same fix (if required) after installing
> v2.0.4
> 
> Mark
> 
> ---------------------------------------------
> Mark F. Ewert, Principal Systems Architect
> Integrated Healthcare Information Services
> www.ihcis.com
> 
> 
> -----Original Message-----
> From: Mark Ewert 
> Sent: Sunday, November 16, 2003 3:27 PM
> To: snort-users at lists.sourceforge.net
> Subject: Snort not outputting statistics on exit
> 
> Greetings,
> 
> I'm having an odd problem that just started with my Snort sensors. When
> I shutdown Snort (either via kill or the stop command with the startup
> script) Snort no longer outputs its performance statistics in
> /var/log/messages - it just lists: Snort Exiting. I may be going crazy
> but I believe it used to output the stats there - I've seen them
> recently as I've been working to improve Snort rule performance and am
> looking for the packet loss data. Any idea what I'm doing wrong? 
> 
> Here's my Snort command line from one of my sensors: snort -c
> /etc/snort/snort.conf -i eth1 -D . I'm using the unified log and alert
> output options and mudpit to process them. Oh - currently running: Snort
> 2.0.2 but will be upgrading to 2.0.4 ASAP. 
> 
> Here's the snort.conf from the same sensor - it's an un-tuned test
> sensor so it's definitely not optimized:
> 
> #
> ## Variables
> ## ---------
> var HOME_NET 192.168.1.0/24
> var EXTERNAL_NET any
> var SMTP_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH /etc/snort
> var DNS_SERVERS 192.168.1.200
> var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
> var HTTP_PORTS 80
> var SQL_SERVERS [192.168.1.117/32,192.168.1.200/32]
> #
> ## Preprocessor Support
> ## --------------------
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble
> #preprocessor portscan: $HOME_NET 4 3 portscan.log
> #preprocessor portscan-ignorehosts: 0.0.0.0
> #preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
> #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
> preprocessor frag2
> preprocessor telnet_decode
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> #
> #
> ## Output Modules
> ## --------------
> output log_unified: filename /var/log/snort1/unified_log, limit 128
> #
> output alert_unified: filename /var/log/snort1/unified_alert, limit 128
> #
> ## Custom Rules
> ## ------------
> config disable_decode_alerts
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
> config detection: search-method lowmem
> ## Include Files
> ## -------------
> include classification.config
> include reference.config
> #
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/web-attacks.rules
> #include $RULE_PATH/backdoor.rules
> #include $RULE_PATH/shellcode.rules
> #include $RULE_PATH/policy.rules
> #include $RULE_PATH/porn.rules
> #include $RULE_PATH/info.rules
> #include $RULE_PATH/icmp-info.rules
> #include $RULE_PATH/virus.rules
> #include $RULE_PATH/chat.rules
> #include $RULE_PATH/multimedia.rules
> #include $RULE_PATH/p2p.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/local.rules
> 
> and the output from snort -T -i eth1 -c /etc/snort/snort.conf :
> 
> -*> Snort! <*-
> Version 2.0.2 (Build 92)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
>  
> Snort sucessfully loaded all rules and checked all rule chains!
> Snort exiting
> [root at ...10568... root]# snort -T -i eth1 -c /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
>  
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup: 
>         eth1: no IPv4 address assigned
>  
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>  
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> http_decode arguments:
>     Unicode decoding
>     IIS alternate Unicode decoding
>     IIS double encoding vuln
>     Flip backslash to slash
>     Include additional whitespace separators
>     Ports to decode http on: 80 
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771 
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433 
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119 
> 1458 Snort rules read...
> 1458 Option Chains linked into 163 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>  
> Rule application order: ->activation->dynamic->alert->pass->log
>  
>         --== Initialization Complete ==--
>  
> -*> Snort! <*-
> Version 2.0.2 (Build 92)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
>  
> Snort sucessfully loaded all rules and checked all rule chains!
> Snort exiting
> 
> THANKS IN ADVANCE.
> 
> Mark
> 
> -------------------------------------------
> Mark F. Ewert, Principal Systems Architect
> Integrated Healthcare Information Services
> 

-- 
Phil Wood (cpw_at_lanl.gov)
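
The PCAP_VERBOSE=1 line above is the only place that tells you whether the ring-buffer libpcap is really in use and how big the ring is. The shell snippet below is an added example, not code from the thread or from Phil Wood's libpcap: it pulls the frame count out of that stderr line and fails if MMAP mode is absent or the ring is smaller than expected. It assumes the line format matches the single sample in the thread ("MMAP mode (N frames, snapshot M)"); the sample lines are constructed from that output, and check_ring_live is a hypothetical wrapper that runs a capture command the way Phil describes.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks the PCAP_VERBOSE=1
# stderr line from the ring-buffer libpcap to confirm MMAP mode is active and
# the ring size is what you asked for. Line format assumed from the thread's
# one sample; anything that does not match is treated as "no ring".

# Constructed sample lines, copied from the tcpdump output quoted in the thread.
SAMPLE_RING='Kernel filter, Protocol 0300, MMAP mode (600 frames, snapshot 96), socket type: Raw'
SAMPLE_NORING='libpcap version: 0.8'

# pcap_ring_frames LINE
#   Prints the frame count if LINE reports MMAP mode, otherwise prints 0.
pcap_ring_frames() {
    printf '%s\n' "$1" \
        | sed -n 's/.*MMAP mode (\([0-9][0-9]*\) frames.*/\1/p' \
        | grep . || echo 0
}

# pcap_ring_ok LINE MIN_FRAMES
#   Succeeds only if LINE reports MMAP mode with at least MIN_FRAMES frames.
pcap_ring_ok() {
    frames=$(pcap_ring_frames "$1")
    [ "$frames" -ge "$2" ]
}

# check_ring_live CMD MIN_FRAMES   (hypothetical wrapper; needs the patched libpcap)
#   Runs CMD under PCAP_VERBOSE=1 PCAP_FRAMES=max, captures its stderr, and
#   applies pcap_ring_ok to the MMAP line. Example:
#     check_ring_live 'tcpdump -i eth0 -c 1 -n' 600
check_ring_live() {
    line=$(PCAP_VERBOSE=1 PCAP_FRAMES=max sh -c "$1" 2>&1 >/dev/null \
           | grep 'MMAP mode' | head -n 1)
    if pcap_ring_ok "$line" "$2"; then
        echo "ring OK: $line"
    else
        echo "ring NOT in use or too small: ${line:-<no MMAP line on stderr>}" >&2
        return 1
    fi
}
```

Run the live check once on each sensor after installing the ring-buffer libpcap; if it fails under tcpdump it will fail under Snort too, since both link the same library.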
