[Snort-users] Problems with snort

Alejandro Flores alejandro.flores at ...11361...
Mon Apr 26 10:40:09 EDT 2004


	Adriano,

	Aparentemente o script de inicialização está chamando um outro
snort.conf ou está trabalhando em um outro modo que não o nids.
	Como você está inicializando o snort?

[]s
Alejandro Flores
http://www.triforsec.com.br/
http://www.defenselayer.com/
http://www.nabucodonosor.com/



> Hi,
> 
> I´m with a problem... I installed the snort with MySQL and ACID (RedHat9), but it doesn´t show me any alerts.
> 
> here is the part of the syslog
> 
> Apr 26 10:37:22 russoe kernel: device eth0 entered promiscuous mode
> Apr 26 10:37:22 russoe snort: Initializing daemon mode
> Apr 26 10:37:22 russoe snort: PID path stat checked out ok, PID path set to /var/run/
> Apr 26 10:37:22 russoe snort: Writing PID "6768" to file "/var/run//snort_eth0.pid"
> Apr 26 10:37:22 russoe snort: ,-----------[Flow Config]----------------------
> Apr 26 10:37:22 russoe snort: | Stats Interval:  0
> Apr 26 10:37:22 russoe snort: | Hash Method:     2
> Apr 26 10:37:22 russoe snort: | Memcap:          10485760
> Apr 26 10:37:22 russoe snort: | Rows  :          4099
> Apr 26 10:37:22 russoe snort: | Overhead Bytes:  16400(%0.16)
> Apr 26 10:37:22 russoe snort: `----------------------------------------------
> Apr 26 10:37:22 russoe snort: HttpInspect Config:
> Apr 26 10:37:22 russoe snort:     GLOBAL CONFIG
> Apr 26 10:37:22 russoe snort:       Max Pipeline Requests:    0
> Apr 26 10:37:22 russoe snort:       Inspection Type:          STATELESS
> Apr 26 10:37:22 russoe snort:       Detect Proxy Usage:       NO
> Apr 26 10:37:22 russoe snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
> Apr 26 10:37:22 russoe snort:       IIS Unicode Map Codepage: 1252
> Apr 26 10:37:22 russoe snort:     DEFAULT SERVER CONFIG:
> Apr 26 10:37:22 russoe snort:       Ports:
> Apr 26 10:37:22 russoe snort: 80
> Apr 26 10:37:22 russoe snort: 8080
> Apr 26 10:37:22 russoe snort: 8180
> Apr 26 10:37:22 russoe snort:
> Apr 26 10:37:22 russoe snort:       Flow Depth: 300
> Apr 26 10:37:22 russoe snort:       Max Chunk Length: 500000
> Apr 26 10:37:22 russoe snort:       Inspect Pipeline Requests: YES
> Apr 26 10:37:22 russoe snort:       URI Discovery Strict Mode: NO
> Apr 26 10:37:22 russoe snort:       Allow Proxy Usage: NO
> Apr 26 10:37:22 russoe snort:       Disable Alerting: NO
> Apr 26 10:37:22 russoe snort:       Oversize Dir Length: 500
> Apr 26 10:37:22 russoe snort:       Only inspect URI: NO
> Apr 26 10:37:22 russoe snort:       Ascii: YES alert: NO
> Apr 26 10:37:22 russoe snort:       Double Decoding: YES alert: YES
> Apr 26 10:37:22 russoe snort:       %U Encoding: YES alert: YES
> Apr 26 10:37:22 russoe snort:       Bare Byte: YES alert: YES
> Apr 26 10:37:22 russoe snort:       Base36: OFF
> Apr 26 10:37:22 russoe snort:       UTF 8: OFF
> Apr 26 10:37:22 russoe snort:       IIS Unicode: YES alert: YES
> Apr 26 10:37:22 russoe snort:       Multiple Slash: YES alert: NO
> Apr 26 10:37:22 russoe snort:       IIS Backslash: YES alert: NO
> Apr 26 10:37:22 russoe snort:       Directory: YES alert: NO
> Apr 26 10:37:22 russoe snort:       Apache WhiteSpace: YES alert: YES
> Apr 26 10:37:22 russoe snort:       IIS Delimiter: YES alert: YES
> Apr 26 10:37:22 russoe snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Apr 26 10:37:22 russoe snort:       Non-RFC Compliant Characters:
> Apr 26 10:37:22 russoe snort: NONE
> Apr 26 10:37:22 russoe snort:
> Apr 26 10:37:22 russoe snort: rpc_decode arguments:
> Apr 26 10:37:22 russoe snort:     Ports to decode RPC on: 111 32771
> Apr 26 10:37:22 russoe snort:     alert_fragments: INACTIVE
> Apr 26 10:37:22 russoe snort:     alert_large_fragments: ACTIVE
> Apr 26 10:37:22 russoe snort:     alert_incomplete: ACTIVE
> Apr 26 10:37:22 russoe snort:     alert_multiple_requests: ACTIVE
> Apr 26 10:37:22 russoe snort: telnet_decode arguments:
> Apr 26 10:37:22 russoe snort:     Ports to decode telnet on: 21 23 25 119
> Apr 26 10:37:22 russoe snort: Snort initialization completed successfully
> 
> 
> 
> 
> ############################################################################################################################
> 
> the command: #snort -c /etc/snort/snort.conf show me....
> 
> 
> Running in IDS mode
> Log directory = /var/log/snort
> 
> Initializing Network Interface eth0
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4099
> | Overhead Bytes:  16400(%0.16)
> `----------------------------------------------
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory: YES alert: NO
>       Apache WhiteSpace: YES alert: YES
>       IIS Delimiter: YES alert: YES
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = snort
> database: password is set
> database: database name = snort
> database:          host = localhost
> database:   sensor name = 10.9.1.250
> database:     sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> 1773 Snort rules read...
> 1773 Option Chains linked into 170 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> 
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
> +-----------------------[suppression]------------------------------------------
> -------------------------------------------------------------------------------
> Rule application order: ->activation->dynamic->alert->pass->log
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 2.1.2 (Build 25)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 
> 
> 
> 
> 
> Adriano Bandeira de Araújo
> Secretaria de Orçamento Federal - SOF
> (61) 348-2111 
> 




--TriForSec
http://www.triforsec.com.br/ 


More information about the Snort-users mailing list