[Snort-users] Trying to troubleshoot snort install.

Matt Watchinski mwatchinski at ...1935...
Wed Feb 3 10:13:20 EST 2010


Did you tell snort you want to use the preproc and decoder rules?  I don't
see the rules included in your pasted conf.  You have to first enable the
use of this feature with:

./configure --enable-decoder-preprocessor-rules

Then add the rules files from here:

src/snort-2.8.5.1/preproc_rules/decoder.rules
src/snort-2.8.5.1/preproc_rules/preprocessor.rules

Cheers,
-matt

On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman at ...14758...> wrote:

>  Can someone point me in the right direction please? I'm trying to figure
> out if I'm chasing my tail here. Basically when I start snort I tail syslog
> and see this.
>
>
>
> Feb  2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
> Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
> Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
> Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
> Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
> Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
> Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
> Feb  2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Doesn't that tell me that it's not loading any of the preprocessor,
> decoder, or dynamic rules?
>
>
>
>
>
> Here is more from syslog where it says it is loading them I thought.
>
> Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
> Feb  2 21:30:14 (none) snort[19434]: done
> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor
>
> Here's my snort.conf
>
>
>
> var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS 10.27.1.2
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var SSH_PORTS 22
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH  /snort/conf
> var SORULE_PATH /snort/conf/so_rules
> #config detection: search-method ac
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
> dynamicdetection directory /snort_lib/snort_dynamicrules
> dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
> dynamicengine directory /snort_lib/snort_dynamicengine
> config flowbits_size: 256
> include classification.config
> include reference.config
> include $RULE_PATH/general.rules
> include $RULE_PATH/local.rules
> #include $RULE_PATH/so.rules
> include $SORULE_PATH/bad-traffic.rules
> include $SORULE_PATH/chat.rules
> include $SORULE_PATH/dos.rules
> include $SORULE_PATH/exploit.rules
> include $SORULE_PATH/imap.rules
> include $SORULE_PATH/misc.rules
> include $SORULE_PATH/multimedia.rules
> include $SORULE_PATH/netbios.rules
> include $SORULE_PATH/nntp.rules
> include $SORULE_PATH/p2p.rules
> include $SORULE_PATH/smtp.rules
> include $SORULE_PATH/sql.rules
> include $SORULE_PATH/web-client.rules
> include $SORULE_PATH/web-misc.rules
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies timeout 1800
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
> preprocessor stream5_tcp: policy first
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> preprocessor rpc_decode: 111 32771
> #preprocessor bo
> #preprocessor flow: stats_interval 0 hash 2
> preprocessor sfportscan: proto  { all } \
>                          scan_type { all } \
>                          memcap { 10000000 } \
>                          sense_level { medium }
> preprocessor perfmonitor: \
> time 30 events flow max console pktcnt 10000
> preprocessor arpspoof
> preprocessor dcerpc2
> #preprocessor ssl: noinspect_encrypted
> output queue: /var/log/snort/queue/ /snort/conf/sidfile
> #output alert_syslog: LOG_AUTH LOG_ALERT
>
> Thanks,
>
> Andy Berryman
> Cymtec Systems
> support at ...14758...
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
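As an added example for this thread (not code from Matt, Andy or the Snort project): a POSIX shell check that reads the rule-count banner Andy pasted and his snort.conf and reports whether the decoder/preprocessor rules Matt describes are actually being loaded. The log and conf lines embedded below are constructed from the post; the PREPROC_RULE_PATH variable name and the /snort/conf/preproc_rules directory follow the stock snort.conf layout but are assumptions you should adjust to your install.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): sanity-check a Snort 2.8.x
# startup log and snort.conf for decoder/preprocessor rule loading.

# Constructed sample: the rule-count lines from the startup banner Andy pasted.
SAMPLE_LOG='Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules'

# Constructed sample: the relevant lines of Andy's snort.conf (no preproc rule includes).
SAMPLE_CONF='var RULE_PATH  /snort/conf
config disable_decode_alerts
include $RULE_PATH/local.rules
preprocessor arpspoof'

# rule_count CLASS: read a startup log on stdin and print the number of CLASS
# rules ("decoder" or "preprocessor"); prints 0 when no such line is present.
rule_count() {
  n=$(sed -n "s/.*snort\[[0-9]*\]: *\([0-9][0-9]*\) $1 rules\$/\1/p" | head -n 1)
  printf '%s\n' "${n:-0}"
}

# conf_has_preproc_rules: read snort.conf on stdin; succeed only if both
# decoder.rules and preprocessor.rules are included on uncommented lines.
conf_has_preproc_rules() {
  conf=$(cat)
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*include[[:space:]].*decoder\.rules' &&
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*include[[:space:]].*preprocessor\.rules'
}

# conf_disables_decode_alerts: succeed if snort.conf (stdin) turns decoder alerts off.
conf_disables_decode_alerts() {
  grep -Eq '^[[:space:]]*config[[:space:]]+disable_decode_alerts'
}

# preproc_include_lines: the lines to add to snort.conf. The directory is an
# assumption; copy preproc_rules/ from the source tree to wherever you keep rules.
preproc_include_lines() {
  cat <<'EOF'
var PREPROC_RULE_PATH /snort/conf/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
EOF
}

# check_install LOGTEXT CONFTEXT: print findings; return 0 if both rule classes
# loaded and the includes are present, 1 otherwise.
check_install() {
  log=$1; conf=$2; status=0
  for class in decoder preprocessor; do
    n=$(printf '%s\n' "$log" | rule_count "$class")
    if [ "$n" -eq 0 ]; then
      echo "FAIL: 0 $class rules loaded"; status=1
    else
      echo "ok: $n $class rules loaded"
    fi
  done
  if printf '%s\n' "$conf" | conf_has_preproc_rules; then
    echo "ok: snort.conf includes decoder.rules and preprocessor.rules"
  else
    echo "FAIL: snort.conf does not include the preproc_rules files; add:"
    preproc_include_lines | sed 's/^/    /'
    echo "      (and build with ./configure --enable-decoder-preprocessor-rules)"
    status=1
  fi
  if printf '%s\n' "$conf" | conf_disables_decode_alerts; then
    echo "note: config disable_decode_alerts is present; review it once decoder rules are enabled"
  fi
  return $status
}

# Andy's conf as posted: both checks fail.
check_install "$SAMPLE_LOG" "$SAMPLE_CONF" || echo "--> fix needed"

# Same conf with the includes added: the conf check passes; the counts in the
# log stay 0 until snort is rebuilt with the configure flag and restarted.
FIXED_CONF="$SAMPLE_CONF
$(preproc_include_lines)"
check_install "$SAMPLE_LOG" "$FIXED_CONF" || echo "--> rebuild and restart, then re-check the banner"
```

To produce the banner without putting the sensor live, run snort in test mode (`snort -T -c /path/to/snort.conf`) and feed its output to `rule_count`; non-zero decoder and preprocessor counts confirm both the configure flag and the includes took effect.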