[Snort-users] Snort not catching anything

Vintage Mud vintagemud at ...11827...
Mon Nov 6 12:01:33 EST 2006


Hey all,

I finished installing snort a couple of days ago, and have yet to receive
any alerts in BASE. From all appearances, everything appears to be working,
I'm just not getting anything out of it (I've run attacks on the machine to
test it).

To give a little background, I'm running FC6 on a machine behind a Linksys
router (WRT54G), which is then connected to a cable modem. I more or less
followed the FC6 LAMP tutorial on howtoforge without the DNS or ISPConfig
stuff [http://www.howtoforge.com/installing_a_lamp_system_with_fedora_core_6]
and added on the IDS with BASE and Snort tutorial [
http://www.howtoforge.com/intrusion_detection_base_snort]. I am using the
latest registered users rules package, and added on the init.d script from
the "Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or
Fedora Core – with NTOP" tutorial off the snort site [
http://www.snort.org/docs/setup_guides/Snort_Base_Minimal.pdf]. I have
IPTables turned off since I have a few selected ports being forwarded
through my router.

When snort starts, I don't receive any errors, and the logs are empty as
well. This is my output from running "snort -c /etc/snort/snort.conf"

Any help would be appreciated.

----------------------------------------------- Output Begins Now
-----------------------------------------------

[root at ...13983... ~]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 15 chars, value = !192.168.1.0/24
Var 'DNS_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SMTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SQL_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'TELNET_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'SNMP_SERVERS' defined, value len = 14 chars, value = 192.168.1.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
   [
64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(408) => flush_behavior set in config file,
using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
1433 1521 3306
WARNING /etc/snort/snort.conf(409) => flush_behavior set in config file,
using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan
distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

5427 Snort rules read...
5427 Option Chains linked into 218 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5
seconds=2
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10
seconds=60
| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5
seconds=2
| gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5
seconds=60
| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5
seconds=2
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10
seconds=10
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10
seconds=60
| gen-id=1      sig-id=4984       type=Threshold tracking=src count=5
seconds=2
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5
seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5
seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
done
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
      Ports: 25
      Inspection Type:            STATEFUL
      Normalize Spaces:           YES
      Ignore Data:                NO
      Ignore TLS Data:            NO
      Ignore Alerts:              NO
      Max Command Length:         0
      Max Header Line Length:     0
      Max Response Line Length:   0
      X-Link2State Alert:         YES
      Drop on X-Link2State Alert: NO
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but
not ever checked.
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Var 'eth0_ADDRESS' defined, value len = 25 chars, value =
192.168.1.0/255.255.255.0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snortusr
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.75
database:     sensor id = 1
database: schema version = 107
database: using the "log" facility

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0.2 (Build 85)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.5  <Build 10>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 8>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 6>
Not Using PCAP_FRAMES
*** Caught Int-Signal
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.168352)/blocks (17653/8)
Overhead blocks: 1 Could Hold: (58579)
IPV4 count: 7 frees: 0
low_time: 1162828861, high_time: 1162832257, diff: 0h:56:36s
    finds: 669 reversed: 0(%0.000000)
    find_success: 662 find_fail: 7
percent_success: (%98.953662) new_flows: 7
 Protocol: 17 (%100.000000)
   finds: 669
   reversed: 0(%0.000000)
   find_success: 662
   find_fail: 7
   percent_success: (%98.953662)
   new_flows: 7


===============================================================================

Snort received 1677 packets
    Analyzed: 1672(99.702%)
    Dropped: 0(0.000%)
    Outstanding: 5(0.298%)
===============================================================================
Breakdown by protocol:
    TCP: 920        (55.024%)
    UDP: 682        (40.789%)
   ICMP: 0          (0.000%)
    ARP: 70         (4.187%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
database: Closing connection to database "snort"
Snort exiting
[root at ...13983... ~]#

----------------------------------------------- Output Ends Now
-----------------------------------------------
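A smoke test a practitioner would run against a sensor in this state (an added example; it is not from the original post, the howtoforge tutorials, or the Snort project). The output above shows 5427 rules loaded, 1672 packets analyzed in about 56 minutes, and ALERTS: 0, so the two questions are whether the test traffic ever reached eth0 and whether the detection path fires at all. Two facts about the described setup bear on the first question: a WRT54G is a switch plus NAT, so the sensor's eth0 sees only traffic addressed to it (or broadcast), and from the Internet only the forwarded ports arrive; and an attack launched from the sensor against its own address travels over lo, not eth0. The script assumes snort, tcpdump, ping and nc are installed, that the sniffing interface is eth0, and that a second host on the LAN is available to send probes; the SIDs 1000001/1000002 and the marker string are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end smoke test for a
# Snort 2.x sensor that loads rules but never alerts.
# Assumptions (not stated on the page): snort, tcpdump, ping and nc are in
# PATH, the sniffing interface is eth0, and a second LAN host sends the probes.
# SIDs 1000001/1000002 and the marker string are chosen for this example.

IFACE="${IFACE:-eth0}"

# Write two rules guaranteed to fire on traffic we control: any ICMP echo
# request, and any TCP payload carrying a marker string.  No snort.conf
# variables ($HOME_NET etc.) are referenced, so the file loads on its own.
write_test_rule() {
    rulefile="$1"
    cat > "$rulefile" <<'EOF'
# local smoke-test rules: remove once the sensor is verified
alert icmp any any -> any any (msg:"LOCAL smoke test ICMP echo"; itype:8; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"LOCAL smoke test marker"; content:"snort-smoke-test"; nocase; sid:1000002; rev:1;)
EOF
}

# Count active (non-comment, non-blank) rules in a rules file.
count_rules() {
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Step 1: does probe traffic reach this interface at all?  Behind a consumer
# switch/NAT the sensor sees only its own unicast traffic plus broadcasts, and
# attacks run from the sensor against itself travel over lo, not eth0.
# Start this, then ping the sensor from the other host; three echo requests
# should be printed.
sniff_check() {
    tcpdump -ni "$IFACE" -c 3 'icmp[icmptype] = icmp-echo'
}

# Step 2: validate the rule file (-T), then run Snort with ONLY these rules,
# alerts to the console, no database.  -k none disables checksum verification:
# packets with bad checksums are otherwise dropped before detection, and TX
# checksum offload produces exactly that when the sensor generates the traffic.
run_smoke_test() {
    rulefile="$1"
    snort -T -c "$rulefile" >/dev/null 2>&1 || {
        echo "rule file failed to load: $rulefile" >&2
        return 1
    }
    snort -q -A console -k none -i "$IFACE" -c "$rulefile" -l /tmp
}

# Step 3 (run on the OTHER host): send both probes at the sensor's address.
# Both should appear on the sensor console as sid 1000001 and 1000002.
probe_from_remote() {
    sensor="$1"
    ping -c 3 "$sensor"
    printf 'GET /snort-smoke-test HTTP/1.0\r\n\r\n' | nc -w 3 "$sensor" 80
}

if [ "${1:-}" = "run" ]; then
    write_test_rule /tmp/smoke.rules
    echo "loaded $(count_rules /tmp/smoke.rules) test rules on $IFACE; Ctrl-C to stop"
    run_smoke_test /tmp/smoke.rules
fi
```

Once the console alerts appear, repeat the probes with the full /etc/snort/snort.conf (and the local rules included) so the same traffic exercises the database output plugin and shows up in BASE; if the console run alerts but BASE stays empty, the problem is in the output plugin or the BASE configuration rather than in detection. Remove the test rules afterwards.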