[Snort-users] Trying to troubleshoot snort install.

Andy Berryman aberryman at ...14758...
Tue Feb 2 16:53:52 EST 2010


Can someone point me in the right direction please? I'm trying to figure out if I'm chasing my tail here. Basically, when I start snort I tail syslog and see this.

Feb  2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
Feb  2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++


Doesn't that tell me that it's not loading any of the preprocessor, decoder, or dynamic rules?


Here is more from syslog where, I thought, it says it is loading them.
Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library  /snort_lib/snort_dynamicrules/dos.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor


Here's my snort.conf

var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 10.27.1.2
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH  /snort/conf
var SORULE_PATH /snort/conf/so_rules
#config detection: search-method ac
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
dynamicdetection directory /snort_lib/snort_dynamicrules
dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
dynamicengine directory /snort_lib/snort_dynamicengine
config flowbits_size: 256
include classification.config
include reference.config
include $RULE_PATH/general.rules
include $RULE_PATH/local.rules
#include $RULE_PATH/so.rules
include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/imap.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/multimedia.rules
include $SORULE_PATH/netbios.rules
include $SORULE_PATH/nntp.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/smtp.rules
include $SORULE_PATH/sql.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 1800
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         sense_level { medium }
preprocessor perfmonitor: \
time 30 events flow max console pktcnt 10000
preprocessor arpspoof
preprocessor dcerpc2
#preprocessor ssl: noinspect_encrypted
output queue: /var/log/snort/queue/ /snort/conf/sidfile
#output alert_syslog: LOG_AUTH LOG_ALERT


Thanks,
Andy Berryman
Cymtec Systems
support at ...14758...
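An added consistency check, not code from the original post or from the Snort project: it parses the startup lines of the kind quoted above together with the snort.conf, and cross-references the $SORULE_PATH stub includes against the dynamic detection libraries that actually loaded and the "Dynamic rules" count. The sample syslog and config below are a constructed excerpt modelled on the post.

```python
import re

# Constructed excerpt modelled on the syslog lines and snort.conf quoted in the post.
SYSLOG = """\
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
Feb  2 21:30:14 (none) snort[19434]: done
Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library  /snort_lib/snort_dynamicrules/web-iis.so...
Feb  2 21:30:14 (none) snort[19434]: done
"""
SNORT_CONF = """\
var SORULE_PATH /snort/conf/so_rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/p2p.rules
#include $SORULE_PATH/web-iis.rules
"""

# "<n> detection|decoder|preprocessor|Dynamic rules" summary lines
COUNT_RE = re.compile(r"snort\[\d+\]:\s+(\d+) (detection|decoder|preprocessor|Dynamic) rules")
# library basename from "Loading dynamic detection library <path>/<name>.so..."
LIB_RE = re.compile(r"Loading dynamic detection library\s+\S*/([\w-]+)\.so")
# active (not commented-out) so_rules stub includes in snort.conf
INCLUDE_RE = re.compile(r"^\s*include \$SORULE_PATH/([\w-]+)\.rules", re.M)

def parse_syslog(text):
    counts = {m.group(2).lower(): int(m.group(1)) for m in COUNT_RE.finditer(text)}
    libs = set(LIB_RE.findall(text))
    return counts, libs

def so_includes(conf):
    return set(INCLUDE_RE.findall(conf))

def check(syslog, conf):
    """Return (rule counts, list of mismatches between stubs, libraries and counts)."""
    counts, libs = parse_syslog(syslog)
    stubs = so_includes(conf)
    findings = []
    if stubs and counts.get("dynamic", 0) == 0:
        findings.append("so_rules stubs are included but 0 Dynamic rules were linked")
    for name in sorted(stubs - libs):
        findings.append(f"stub {name}.rules is included but no {name}.so was loaded")
    for name in sorted(libs - stubs):
        findings.append(f"{name}.so loaded but no {name}.rules stub is included")
    return counts, findings
```

Running `check(open('/var/log/syslog').read(), open('/snort/conf/snort.conf').read())` against the real files lists every stub without a library, every library without a stub, and whether the summary still reports zero dynamic rules.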

