[Snort-users] start snort in IDS mode

Plantier, Spencer spencer.plantier at ...12801...
Fri Feb 11 05:29:50 EST 2005


Thanks, that worked. I used Windows Notepad; maybe that messed it up.

Thanks,

Spencer

________________________________

From: William Fitzgerald [mailto:wfitzgerald at ...9307...] 
Sent: Friday, February 11, 2005 4:01 AM
To: Plantier, Spencer
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] start snort in IDS mode

 

Spencer,

I got your config working.

I believe there were some hidden tags around the var HOME_NET.

To get it to run entirely with my older version of Snort I have to
comment out the sfPortscan preprocessor.

Anyhow, it should work for your new version now.

Regards,

Will

	-----Original Message-----
	From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Plantier, Spencer
	Sent: 10 February 2005 15:38
	To: wfitzgerald at ...9307...
	Cc: snort-users at lists.sourceforge.net
	Subject: RE: [Snort-users] start snort in IDS mode

	I still get this error: 

	Initializing rule chains...

	ERROR: /opt/snort/etc/snort.conf(43) => NULL rule type

	Fatal Error, Quitting..

	Thanks,

	Spencer

	
________________________________


	From: William Fitzgerald [mailto:wfitzgerald at ...9307...] 
	Sent: Thursday, February 10, 2005 10:33 AM
	To: Plantier, Spencer
	Cc: snort-users at lists.sourceforge.net
	Subject: RE: [Snort-users] start snort in IDS mode

	So I guess you're up and running :-)

	Glad to be of some help.

		-----Original Message-----
		From: Plantier, Spencer [mailto:spencer.plantier at ...12801...]
		Sent: 10 February 2005 15:33
		To: wfitzgerald at ...9307...
		Cc: snort-users at lists.sourceforge.net
		Subject: RE: [Snort-users] start snort in IDS mode

		This is what I have.

		Example of snort.conf

		include $RULE_PATH /opt/snort/rules/smtp.rules^M
		include $RULE_PATH /opt/snort/rules/imap.rules^M
		include $RULE_PATH /opt/snort/rules/pop2.rules^M
		include $RULE_PATH /opt/snort/rules/pop3.rules^M

		Thanks,

		opt/snort/etc
		# ls -l
		total 706
		-rw-r--r--   1 root     other       6004 Feb 10 08:36 Makefile
		-rw-r--r--   1 root     other        230 Feb 10 08:36 Makefile.am
		-rw-r--r--   1 root     other       5464 Feb 10 08:36 Makefile.in
		-rw-r--r--   1 root     other       3521 Feb 10 08:36 classification.config
		-rw-r--r--   1 root     other       8066 Feb 10 08:36 gen-msg.map
		-rw-r--r--   1 root     other       1622 Feb 10 08:36 generators
		-rw-r--r--   1 root     other        608 Feb 10 08:36 reference.config
		-rw-r--r--   1 root     other         58 Feb 10 08:36 sid
		-rw-r--r--   1 root     other     235477 Feb 10 08:36 sid-msg.map
		-rw-r--r--   1 root     other      28162 Feb 10 09:37 snort.conf
		-rw-r--r--   1 root     other       2319 Feb 10 08:36 threshold.conf
		-rw-r--r--   1 root     other      53841 Feb 10 08:36 unicode.map
		#

		 

		# cd ..
		# ls -l
		total 12
		drwxr-xr-x   2 root     other        512 Feb 10 08:33 bin
		drwxr-xr-x   2 root     other        512 Feb 10 09:35 etc
		drwxr-xr-x   2 root     other        512 Feb 10 08:35 folder
		drwxr-xr-x   3 root     other        512 Feb 10 08:33 man
		drwxr-xr-x   2 root     other       1536 Feb 10 08:36 rules

		# cd rules
		# ls -l
		total 2018
		-rw-r--r--   1 root     other       6551 Feb 10 08:36 Makefile
		-rw-r--r--   1 root     other        777 Feb 10 08:36 Makefile.am
		-rw-r--r--   1 root     other       6009 Feb 10 08:36 Makefile.in
		-rw-r--r--   1 root     other       4768 Feb 10 08:36 attack-responses.rules
		-rw-r--r--   1 root     other      16612 Feb 10 08:36 backdoor.rules
		-rw-r--r--   1 root     other       3000 Feb 10 08:36 bad-traffic.rules
		-rw-r--r--   1 root     other       7212 Feb 10 08:36 chat.rules
		-rw-r--r--   1 root     other       6783 Feb 10 08:36 ddos.rules
		-rw-r--r--   1 root     other      63449 Feb 10 08:36 deleted.rules
		-rw-r--r--   1 root     other       5381 Feb 10 08:36 dns.rules
		-rw-r--r--   1 root     other       4831 Feb 10 08:36 dos.rules
		-rw-r--r--   1 root     other        471 Feb 10 08:36 experimental.rules
		-rw-r--r--   1 root     other      24415 Feb 10 08:36 exploit.rules
		-rw-r--r--   1 root     other       3112 Feb 10 08:36 finger.rules
		-rw-r--r--   1 root     other      20491 Feb 10 08:36 ftp.rules
		-rw-r--r--   1 root     other      15618 Feb 10 08:36 icmp-info.rules
		-rw-r--r--   1 root     other       4488 Feb 10 08:36 icmp.rules
		-rw-r--r--   1 root     other      12577 Feb 10 08:36 imap.rules
		-rw-r--r--   1 root     other       2430 Feb 10 08:36 info.rules
		-rw-r--r--   1 root     other        199 Feb 10 08:36 local.rules
		-rw-r--r--   1 root     other      16657 Feb 10 08:36 misc.rules
		-rw-r--r--   1 root     other       2866 Feb 10 08:36 multimedia.rules
		-rw-r--r--   1 root     other        816 Feb 10 08:36 mysql.rules
		-rw-r--r--   1 root     other     118680 Feb 10 08:36 netbios.rules
		-rw-r--r--   1 root     other       3895 Feb 10 08:36 nntp.rules
		-rw-r--r--   1 root     other     176913 Feb 10 08:36 oracle.rules
		-rw-r--r--   1 root     other       1383 Feb 10 08:36 other-ids.rules
		-rw-r--r--   1 root     other       3953 Feb 10 08:36 p2p.rules
		-rw-r--r--   1 root     other       5323 Feb 10 08:36 policy.rules
		-rw-r--r--   1 root     other       1228 Feb 10 08:36 pop2.rules
		-rw-r--r--   1 root     other       8578 Feb 10 08:36 pop3.rules
		-rw-r--r--   1 root     other       5061 Feb 10 08:36 porn.rules
		-rw-r--r--   1 root     other      51378 Feb 10 08:36 rpc.rules
		-rw-r--r--   1 root     other       2920 Feb 10 08:36 rservices.rules
		-rw-r--r--   1 root     other       4088 Feb 10 08:36 scan.rules
		-rw-r--r--   1 root     other       4727 Feb 10 08:36 shellcode.rules
		-rw-r--r--   1 root     other      22090 Feb 10 08:36 smtp.rules
		-rw-r--r--   1 root     other       4915 Feb 10 08:36 snmp.rules
		-rw-r--r--   1 root     other      14409 Feb 10 08:36 sql.rules
		-rw-r--r--   1 root     other       3572 Feb 10 08:36 telnet.rules
		-rw-r--r--   1 root     other       2560 Feb 10 08:36 tftp.rules
		-rw-r--r--   1 root     other       1211 Feb 10 08:36 virus.rules
		-rw-r--r--   1 root     other      10229 Feb 10 08:36 web-attacks.rules
		-rw-r--r--   1 root     other     100668 Feb 10 08:36 web-cgi.rules
		-rw-r--r--   1 root     other       7419 Feb 10 08:36 web-client.rules
		-rw-r--r--   1 root     other       9166 Feb 10 08:36 web-coldfusion.rules
		-rw-r--r--   1 root     other       9484 Feb 10 08:36 web-frontpage.rules
		-rw-r--r--   1 root     other      37230 Feb 10 08:36 web-iis.rules
		-rw-r--r--   1 root     other      94963 Feb 10 08:36 web-misc.rules
		-rw-r--r--   1 root     other      35801 Feb 10 08:36 web-php.rules
		-rw-r--r--   1 root     other        573 Feb 10 08:36 x11.rules

		Spencer

		
________________________________


		From: William Fitzgerald [mailto:wfitzgerald at ...9307...] 
		Sent: Thursday, February 10, 2005 9:23 AM
		To: Plantier, Spencer; snort-users at lists.sourceforge.net
		Subject: RE: [Snort-users] start snort in IDS mode

		 

		I wonder if you have the rules directory in the correct place.

		you should have:

		/opt/snort/etc

		/opt/snort/rules

		 

		in the snort.conf file: 

		# Path to your rules files (this can be a relative path)

		var RULE_PATH ../rules

		This goes up one directory from etc to rules. If you copied the rules to the etc directory then change the RULE_PATH to reflect this.

		 

		 

			-----Original Message-----
			From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Plantier, Spencer
			Sent: 10 February 2005 14:17
			To: snort-users at lists.sourceforge.net
			Subject: [Snort-users] start snort in IDS mode

			I got IDS to start but I got the following output:

			opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i hme0

			Running in IDS mode

			Initializing Network Interface hme0

			        --== Initializing Snort ==--

			Initializing Output Plugins!

			Decoding Ethernet on interface hme0

			Initializing Preprocessors!

			Initializing Plug-ins!

			Parsing Rules file /opt/snort/etc/snort.conf

			+++++++++++++++++++++++++++++++++++++++++++++++++++

			Initializing rule chains...

			,-----------[Flow Config]----------------------

			| Stats Interval:  0

			| Hash Method:     2

			| Memcap:          10485760

			| Rows  :          4099

			| Overhead Bytes:  16400(%0.16)

			`----------------------------------------------

			No arguments to frag2 directive, setting defaults to:

			    Fragment timeout: 60 seconds

			    Fragment memory cap: 4194304 bytes

			    Fragment min_ttl:   0

			    Fragment ttl_limit: 5

			    Fragment Problems: 0

			    Self preservation threshold: 500

			    Self preservation period: 90

			    Suspend threshold: 1000

			    Suspend period: 30

			Stream4 config:

			    Stateful inspection: ACTIVE

			    Session statistics: INACTIVE

			    Session timeout: 30 seconds

			    Session memory cap: 8388608 bytes

			    State alerts: INACTIVE

			    Evasion alerts: INACTIVE

			    Scan alerts: INACTIVE

			    Log Flushed Streams: INACTIVE

			    MinTTL: 1

			    TTL Limit: 5

			    Async Link: 0

			    State Protection: 0

			    Self preservation threshold: 50

			    Self preservation period: 90

			    Suspend threshold: 200

			    Suspend period: 30

			    Enforce TCP State: INACTIVE

			    Midstream Drop Alerts: INACTIVE

			Stream4_reassemble config:

			    Server reassembly: INACTIVE

			    Client reassembly: ACTIVE

			    Reassembler alerts: ACTIVE

			    Zero out flushed packets: INACTIVE

			    flush_data_diff_size: 500

			    Ports: 21 23 25 53 80 110 111 143 513 1433 

			    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 

			HttpInspect Config:

			    GLOBAL CONFIG

			      Max Pipeline Requests:    0

			      Inspection Type:          STATELESS

			      Detect Proxy Usage:       NO

			      IIS Unicode Map Filename: /opt/snort/etc/unicode.map

			      IIS Unicode Map Codepage: 1252

			    DEFAULT SERVER CONFIG:

			      Ports: 80 8080 8180 

			      Flow Depth: 300

			      Max Chunk Length: 500000

			      Inspect Pipeline Requests: YES

			      URI Discovery Strict Mode: NO

			      Allow Proxy Usage: NO

			      Disable Alerting: NO

			      Oversize Dir Length: 500

			      Only inspect URI: NO

			      Ascii: YES alert: NO

			      Double Decoding: YES alert: YES

			      %U Encoding: YES alert: YES

			      Bare Byte: YES alert: YES

			      Base36: OFF

			      UTF 8: OFF

			      IIS Unicode: YES alert: YES

			      Multiple Slash: YES alert: NO

			      IIS Backslash: YES alert: NO

			      Directory Traversal: YES alert: NO

			      Web Root Traversal: YES alert: YES

			      Apache WhiteSpace: YES alert: NO

			      IIS Delimiter: YES alert: NO

			      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

			      Non-RFC Compliant Characters: NONE

			rpc_decode arguments:

			    Ports to decode RPC on: 111 32771 

			    alert_fragments: INACTIVE

			    alert_large_fragments: ACTIVE

			    alert_incomplete: ACTIVE

			    alert_multiple_requests: ACTIVE

			telnet_decode arguments:

			    Ports to decode telnet on: 21 23 25 119 

			Portscan Detection Config:

			    Detect Protocols:  TCP UDP ICMP IP

			    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

			    Sensitivity Level: Low

			    Memcap (in bytes): 10000000

			    Number of Nodes:   36900

			ERROR: /opt/snort/etc/../rules(1) => NULL rule type

			Fatal Error, Quitting..

			#
