[Snort-users] Trying to troubleshoot snort install.

Andy Berryman aberryman at ...14758...
Wed Feb 3 11:22:21 EST 2010


Thanks to everyone for the help so far. I'm doing some testing and trying this out right now. I'll let you know how it goes.

Thanks,
Andy

From: Matt Watchinski [mailto:mwatchinski at ...1935...]
Sent: Wednesday, February 03, 2010 10:14 AM
To: Andy Berryman
Cc: Nigel Houghton; Snort Users List
Subject: Re: [Snort-users] Trying to troubleshoot snort install.

If you didn't compile with

./configure --enable-decoder-preprocessor-rules

Then alerting works the old way.

Cheers,
-matt
On Wed, Feb 3, 2010 at 11:00 AM, Andy Berryman <aberryman at ...14758...> wrote:
Well, if I'm not loading the preprocessor rules, why do I get http_inspect alerts and portscan alerts? Do the preprocessors generate alerts on the default settings regardless if a rule is applied or not?

Thanks,
Andy

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton at ...1935...]
Sent: Wednesday, February 03, 2010 9:43 AM
To: Andy Berryman
Cc: Snort Users List
Subject: Re: [Snort-users] Trying to troubleshoot snort install.

On Wed, Feb 3, 2010 at 10:13 AM, Matt Watchinski
<mwatchinski at ...1935...> wrote:
> Did you tell snort you want to use the preproc and decoder rules?  I don't
> see the rules included in your pasted conf.  You have to first enable the
> use of this feature with:
>
> ./configure --enable-decoder-preprocessor-rules
>
> Then add the rules files from here:
>
> src/snort-2.8.5.1/preproc_rules/decoder.rules
> src/snort-2.8.5.1/preproc_rules/preprocessor.rules
>
> Cheers,
> -matt
>
> On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman at ...14758...> wrote:
>>
>> Can someone point me in the right direction please? I'm trying to figure
>> out if I'm chasing my tail here. Basically when I start snort I tail syslog
>> and see this.
>>
>> Feb  2 21:26:59 (none) snort[19257]:
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
>> Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
>> Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
>> Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
>> Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
>> Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624
>> Chain Headers
>> Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
>> Feb  2 21:27:15 (none) snort[19257]:
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> Doesn't that tell me that it's not loading any of the preprocessor,
>> decoder, or dynamic rules?
>>
>> Here is more from syslog where it says it is loading them, I thought.
>>
>> Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine
>> /snort_lib/snort_dynamicengine/libsf_engine.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine
>> libs from /snort_lib/snort_dynamicengine
>> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs
>> from /snort_lib/snort_dynamicrules...
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/bad-traffic.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/chat.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/dos.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/exploit.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/imap.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/misc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/multimedia.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/netbios.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/nntp.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/p2p.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/smtp.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/sql.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/web-client.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/web-misc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/web-activex.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library
>> /snort_lib/snort_dynamicrules/web-iis.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic
>> detection libs from /snort_lib/snort_dynamicrules
>> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs
>> from /snort_lib/snort_dynamicpreprocessor...
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor
>> library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
>> Feb  2 21:30:14 (none) snort[19434]: done
>> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic
>> preprocessor libs from /snort_lib/snort_dynamicpreprocessor
>>
>> Here's my snort.conf
>>
>> var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
>> var EXTERNAL_NET !$HOME_NET
>> var DNS_SERVERS 10.27.1.2
>> var SMTP_SERVERS $HOME_NET
>> var HTTP_SERVERS $HOME_NET
>> var SQL_SERVERS $HOME_NET
>> var TELNET_SERVERS $HOME_NET
>> var SNMP_SERVERS $HOME_NET
>> var HTTP_PORTS 80
>> var SHELLCODE_PORTS !80
>> var ORACLE_PORTS 1521
>> var SSH_PORTS 22
>> var AIM_SERVERS
>> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>> var RULE_PATH  /snort/conf
>> var SORULE_PATH /snort/conf/so_rules
>> #config detection: search-method ac
>> config disable_decode_alerts
>> config disable_tcpopt_experimental_alerts
>> config profile_rules: print 20, sort total_ticks, filename
>> rule_profiles.txt
>> dynamicdetection directory /snort_lib/snort_dynamicrules
>> dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
>> dynamicengine directory /snort_lib/snort_dynamicengine
>> config flowbits_size: 256
>> include classification.config
>> include reference.config
>> include $RULE_PATH/general.rules
>> include $RULE_PATH/local.rules
>> #include $RULE_PATH/so.rules
>> include $SORULE_PATH/bad-traffic.rules
>> include $SORULE_PATH/chat.rules
>> include $SORULE_PATH/dos.rules
>> include $SORULE_PATH/exploit.rules
>> include $SORULE_PATH/imap.rules
>> include $SORULE_PATH/misc.rules
>> include $SORULE_PATH/multimedia.rules
>> include $SORULE_PATH/netbios.rules
>> include $SORULE_PATH/nntp.rules
>> include $SORULE_PATH/p2p.rules
>> include $SORULE_PATH/smtp.rules
>> include $SORULE_PATH/sql.rules
>> include $SORULE_PATH/web-client.rules
>> include $SORULE_PATH/web-misc.rules
>> preprocessor frag3_global: max_frags 65536
>> preprocessor frag3_engine: policy first detect_anomalies timeout 1800
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
>> preprocessor stream5_tcp: policy first
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: server default profile all ports { 80
>> 8080 8180 } oversize_dir_length 500 no_alerts
>> preprocessor rpc_decode: 111 32771
>> #preprocessor bo
>> #preprocessor flow: stats_interval 0 hash 2
>> preprocessor sfportscan: proto  { all } \
>>                          scan_type { all } \
>>                          memcap { 10000000 } \
>>                          sense_level { medium }
>> preprocessor perfmonitor: \
>> time 30 events flow max console pktcnt 10000
>> preprocessor arpspoof
>> preprocessor dcerpc2
>> #preprocessor ssl: noinspect_encrypted
>> output queue: /var/log/snort/queue/ /snort/conf/sidfile
>> #output alert_syslog: LOG_AUTH LOG_ALERT
>>
>> Thanks,
>>
>> Andy Berryman
>>
>> Cymtec Systems
>>
>> support at ...14758...
>>
>
> --
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>


Also, if the shared object rules didn't get activated there is some
more output from snort after the output you pasted that would be
useful.

Make sure you dumped the shared object rule stubs into your SORULE_PATH.

 # snort -c /snort/conf/snort.conf --dump-dynamic-rules=/snort/conf/so_rules

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/






--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
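
An added check script, not from the thread or from the Snort project, that reads the startup rule-count lines and the snort.conf of the kind pasted above and reports why the decoder, preprocessor and dynamic counts come out as zero. The sample syslog and conf lines are constructed from the ones quoted in the thread, and the finding texts restate the replies above (decoder/preprocessor rules need a build configured with --enable-decoder-preprocessor-rules plus the includes, and SO stubs must be dumped into SORULE_PATH).

```python
import re

# Constructed sample: the rule-count lines Snort writes to syslog at startup,
# modelled on the block quoted in the thread.
SAMPLE_SYSLOG = """\
Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
"""

# Constructed sample: the relevant lines of the snort.conf pasted in the thread.
SAMPLE_CONF = """\
var SORULE_PATH /snort/conf/so_rules
config disable_decode_alerts
include $RULE_PATH/general.rules
include $SORULE_PATH/bad-traffic.rules
"""

COUNT_RE = re.compile(r"snort\[\d+\]:\s+(\d+) (detection|decoder|preprocessor|Dynamic) rules")

def parse_rule_counts(syslog_text):
    """Map each rule category reported at startup to its count."""
    counts = {}
    for line in syslog_text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            counts[m.group(2).lower()] = int(m.group(1))
    return counts

def check_conf(conf_text, counts):
    """Explain zero counts from what snort.conf does, and does not, include."""
    findings = []
    includes = [l.split(None, 1)[1] for l in conf_text.splitlines()
                if l.startswith("include ") and len(l.split()) > 1]
    for kind in ("decoder", "preprocessor"):
        if counts.get(kind, 0) == 0 and not any(i.endswith(kind + ".rules") for i in includes):
            findings.append("0 %s rules: preproc_rules/%s.rules is not included (it only loads "
                            "in a build configured with --enable-decoder-preprocessor-rules)" % (kind, kind))
    if "config disable_decode_alerts" in conf_text:
        findings.append("decoder alerts are switched off by config disable_decode_alerts, "
                        "the pre-decoder-rules way of controlling them")
    if counts.get("dynamic", 0) == 0 and any("$SORULE_PATH" in i for i in includes):
        findings.append("0 Dynamic rules although $SORULE_PATH rules are included: confirm the "
                        "SO stubs were written there with --dump-dynamic-rules")
    return findings
```

Run it against the real syslog excerpt and snort.conf; an empty findings list after a rebuild means the counts and the includes agree.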