[Snort-users] Error when running snort_inline 2.6.1.5 on Centos x86-64

Dang Le Nam lenam.cntp at ...11827...
Sat Aug 11 00:59:31 EDT 2012


I use snort_inline version 2.6.1.5 from http://snort-inline.sourceforge.net/download.html and Snort rules 2923 with Oinkmaster auto-update.

When I run snort_inline:

snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline

it outputs this error:

 

Reading from iptables

Running in IDS mode

Initializing Inline mode 

 

        --== Initializing Snort ==--

Initializing Output Plugins!

Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0

Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file /etc/snort_inline/snort_inline.conf

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

Var 'HOME_NET' defined, value len = 3 chars, value = any

Var 'HONEYNET' defined, value len = 3 chars, value = any

Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any

Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any

Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any

Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any

Var 'SQL_SERVERS' defined, value len = 3 chars, value = any

Var 'DNS_SERVERS' defined, value len = 3 chars, value = any

Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80

Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80

Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521

Var 'SSH_PORTS' defined, value len = 2 chars, value = 22

Var 'AIM_SERVERS' defined, value len = 185 chars

   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9

   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

Var 'RULE_PATH' defined, value len = 23 chars, value = /etc/snort_inline/rules

,-----------[Flow Config]----------------------

| Stats Interval:  0

| Hash Method:     2

| Memcap:          10485760

| Rows  :          4099

| Overhead Bytes:  32800(%0.31)

`----------------------------------------------

stream4inline mode enabled

truncating mode enabled

Stream4 config:

    Stateful inspection: ACTIVE

    Session statistics: INACTIVE

    Session timeout: 3600 seconds

    Session memory cap: 134217728 bytes

    Session count max: 8192 sessions

    Session cleanup count: 5

    State alerts: INACTIVE

    Evasion alerts: INACTIVE

    Scan alerts: INACTIVE

    Log Flushed Streams: INACTIVE

    MinTTL: 1

    TTL Limit: 5

    Async Link: 0

    State Protection: 0

    Self preservation threshold: 50

    Self preservation period: 90

    Suspend threshold: 200

    Suspend period: 30

    Enforce TCP State: ACTIVE and DROPPING

    Midstream Drop Alerts: INACTIVE

    Allow Blocking of TCP Sessions in Inline: ACTIVE

    Server Data Inspection Limit: -1

    Inline-mode options:

        Inline-mode enabled? (stream4inline): Yes

        Scan mode? (scan_stream_only): Both packet and stream

        Sliding Windowsize (window_size): 3000

        Memcap reached method (truncate): Truncate

        Truncate percentage (truncate_percentage): 33

        Store/Load state from/to disk: No

        Max out-of-order packets in a stream (max_ooo_pkts): 5

        Max out-of-order bytes in a stream (max_ooo_bytes): 5000

        Max sequence holes in a stream (max_seq_holes): 2

        Normalize wscale max (norm_wscale_max): 2

        Perform window scale normaliztion: Yes

        Disable out-of-order packet drop: No

        Disable out-of-order packet drop: No

        Disable sequence hole packet drop: No

        Max sequence holes in a stream (max_seq_holes): 2

        Disable wscale normalization alerts (disable_norm_wscale_alerts): No

        Disable out-of-order alerts (disable_ooo_alerts): No

        Drop bad RST packets? (drop_bad_rst): No

        Disable evasive retransmission packet drop: No

        Disable out-of-window packet drop: No

        Disable all protocol violation drops: No

WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)

Stream4_reassemble config:

    Server reassembly: ACTIVE

    Client reassembly: ACTIVE

    Reassembler alerts: ACTIVE

    Zero out flushed packets: INACTIVE

    Flush stream on alert: INACTIVE

    flush_data_diff_size: 500

    Reassembler Packet Preferance : Favor New

    Packet Sequence Overlap Limit: -1

    Flush behavior: Small (<255 bytes)

    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306 

    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306 

HttpInspect Config:

    GLOBAL CONFIG

      Max Pipeline Requests:    0

      Inspection Type:          STATELESS

      Detect Proxy Usage:       NO

      IIS Unicode Map Filename: /etc/snort_inline/unicode.map

      IIS Unicode Map Codepage: 1252

    DEFAULT SERVER CONFIG:

      Server profile: All

      Ports: 80 8080 8180 

      Flow Depth: 300

      Max Chunk Length: 500000

      Inspect Pipeline Requests: YES

      URI Discovery Strict Mode: NO

      Allow Proxy Usage: NO

      Disable Alerting: NO

      Oversize Dir Length: 500

      Only inspect URI: NO

      Ascii: YES alert: NO

      Double Decoding: YES alert: YES

      %U Encoding: YES alert: YES

      Bare Byte: YES alert: YES

      Base36: OFF

      UTF 8: OFF

      IIS Unicode: YES alert: YES

      Multiple Slash: YES alert: NO

      IIS Backslash: YES alert: NO

      Directory Traversal: YES alert: NO

      Web Root Traversal: YES alert: YES

      Apache WhiteSpace: YES alert: NO

      IIS Delimiter: YES alert: NO

      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

      Non-RFC Compliant Characters: NONE

      Whitespace Characters: 0x09 0x0b 0x0c 0x0d 

rpc_decode arguments:

    Ports to decode RPC on: 111 32771 

    alert_fragments: INACTIVE

    alert_large_fragments: ACTIVE

    alert_incomplete: ACTIVE

    alert_multiple_requests: ACTIVE

Portscan Detection Config:

    Detect Protocols:  TCP UDP ICMP IP

    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

    Sensitivity Level: Low

    Memcap (in bytes): 10000000

    Number of Nodes:   26109

 

ERROR: /etc/snort_inline/rules/exploit.rules(209) => Invalid port: [389,3268]

Fatal Error, Quitting.. 

I commented out (“#”) exploit.rules in snort_inline.conf; then it appears on other rules, and so on.

And when I comment out all rules with “#” in snort_inline.conf, the output error is:

 

ERROR version 1 < 5

ERROR: Failed to initialize dynamic engine: SF_POP (IPV6) version 1.0.1

Fatal Error, Quitting..

 

 

--------------------

Đặng Lê Nam
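An added example, not from the original post or from the snort_inline project, that pre-checks rule files for the bracketed port-list syntax that the "Invalid port: [389,3268]" error rejects, so every such rule can be listed and disabled in one pass instead of commenting out whole rule files one at a time. It assumes rule files in standard Snort text format; the sample rules are constructed and the helper names are my own.

```python
import re
import sys

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options
_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|sdrop|reject|activate|dynamic)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

def find_portlist_rules(rules_text):
    """Return [(line_no, field, value)] for every active rule whose source or
    destination port field uses bracketed port-list syntax like [389,3268]."""
    hits = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out rules are never parsed
        m = _HEADER.match(line)
        if not m:
            continue  # not a rule header (e.g. a var/include/preprocessor line)
        for field in ("sport", "dport"):
            value = m.group(field)
            if "[" in value:  # [389,3268] or a negated list such as ![80,443]
                hits.append((n, field, value))
    return hits

def comment_out(rules_text, line_numbers):
    """Return rules_text with the given 1-based lines disabled by a '# ' prefix,
    so only the offending rules are lost rather than whole rule files."""
    out = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        out.append("# " + raw if n in line_numbers else raw)
    return "\n".join(out) + "\n"

# Constructed sample; not the real exploit.rules from the VRT rule set.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"single port"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"port list"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET ![80,443] -> $HOME_NET any (msg:"negated list"; sid:1000003; rev:1;)
# alert tcp any any -> any [1,2] (msg:"already disabled"; sid:1000004; rev:1;)
alert tcp any any -> any 1024:65535 (msg:"range syntax"; sid:1000005; rev:1;)
"""

if __name__ == "__main__":  # python check_portlists.py /etc/snort_inline/rules/*.rules
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for n, field, value in find_portlist_rules(fh.read()):
                print(f"{path}({n}) => {field} uses port list {value}")
```

Port ranges written with a colon (1024:65535) and bracketed IP lists in the address fields are left alone; only the two port fields are inspected.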

 
