[Snort-users] Error when running snort_inline 2.6.1.5 on Centos x86-64

Will Metcalf william.metcalf at ...11827...
Sat Aug 11 01:53:03 EDT 2012


> I use snort_inline version 2.6.1.5 on
> http://snort-inline.sourceforge.net/download.html  and snort rules 2923 with

Don't use snort_inline version 2.6.1.5 :). We haven't touched that
code or updated it in years. Vanilla snort has support for IPS mode. I
suggest you take a look at the README included with DAQ.

http://www.snort.org/snort-downloads/

Regards,

Will

On Fri, Aug 10, 2012 at 11:59 PM, Dang Le Nam <lenam.cntp at ...11827...> wrote:
> I use snort_inline version 2.6.1.5 from
> http://snort-inline.sourceforge.net/download.html and snort rules 2923,
> auto-updated with Oinkmaster.
>
> When I run snort_inline:
>
> snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
>
> this error is output:
>
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
> Var 'AIM_SERVERS' defined, value len = 185 chars
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 23 chars, value = /etc/snort_inline/rules
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4099
> | Overhead Bytes:  32800(%0.31)
> `----------------------------------------------
> stream4inline mode enabled
> truncating mode enabled
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 3600 seconds
>     Session memory cap: 134217728 bytes
>     Session count max: 8192 sessions
>     Session cleanup count: 5
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
>     Enforce TCP State: ACTIVE and DROPPING
>     Midstream Drop Alerts: INACTIVE
>     Allow Blocking of TCP Sessions in Inline: ACTIVE
>     Server Data Inspection Limit: -1
>     Inline-mode options:
>         Inline-mode enabled? (stream4inline): Yes
>         Scan mode? (scan_stream_only): Both packet and stream
>         Sliding Windowsize (window_size): 3000
>         Memcap reached method (truncate): Truncate
>         Truncate percentage (truncate_percentage): 33
>         Store/Load state from/to disk: No
>         Max out-of-order packets in a stream (max_ooo_pkts): 5
>         Max out-of-order bytes in a stream (max_ooo_bytes): 5000
>         Max sequence holes in a stream (max_seq_holes): 2
>         Normalize wscale max (norm_wscale_max): 2
>         Perform window scale normaliztion: Yes
>         Disable out-of-order packet drop: No
>         Disable out-of-order packet drop: No
>         Disable sequence hole packet drop: No
>         Max sequence holes in a stream (max_seq_holes): 2
>         Disable wscale normalization alerts (disable_norm_wscale_alerts): No
>         Disable out-of-order alerts (disable_ooo_alerts): No
>         Drop bad RST packets? (drop_bad_rst): No
>         Disable evasive retransmission packet drop: No
>         Disable out-of-window packet drop: No
>         Disable all protocol violation drops: No
> WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: INACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor New
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: Small (<255 bytes)
>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort_inline/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: YES
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> Portscan Detection Config:
>     Detect Protocols:  TCP UDP ICMP IP
>     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>     Sensitivity Level: Low
>     Memcap (in bytes): 10000000
>     Number of Nodes:   26109
>
> ERROR: /etc/snort_inline/rules/exploit.rules(209) => Invalid port: [389,3268]
> Fatal Error, Quitting..
>
> When I comment out (“#”) exploit.rules in snort_inline.conf, the error
> then appears on other rules, and so on.
>
> And when I comment out (“#”) all rules in snort_inline.conf, the output
> error is:
>
> ERROR version 1 < 5
> ERROR: Failed to initialize dynamic engine: SF_POP (IPV6) version 1.0.1
> Fatal Error, Quitting..
>
> --------------------
> Đặng Lê Nam
>

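The "Invalid port: [389,3268]" error quoted above shows the snort_inline 2.6.1.5 rule parser rejecting a bracketed port list in exploit.rules. The following added example (not code from this thread or from the Snort project) scans a rules file for rule headers whose port fields use that list syntax, so a downloaded ruleset can be checked for them before an old sensor is started; the rule lines it runs on are constructed samples, and it assumes port lists are written without spaces.

```python
"""Flag Snort rule headers whose port field is a bracketed port list.

Added example, not from the mailing-list thread or the Snort project.
The thread shows snort_inline 2.6.1.5 aborting with
"Invalid port: [389,3268]", i.e. its parser rejects such lists.
"""
import re

# Rule header: action proto src sport direction dst dport ( options )
# Assumption: tokens (including port lists) contain no whitespace.
HEADER_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\("
)

# Constructed sample ruleset; sids are in the local (1000000+) range.
SAMPLE_RULES = """\
# constructed sample, not the real exploit.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"single port"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"port list"; sid:1000002;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"commented"; sid:1000003;)
alert tcp $EXTERNAL_NET ![21,23] -> $HOME_NET 22 (msg:"negated list"; sid:1000004;)
"""


def port_list_rules(rules_text):
    """Return (line_number, port_field) for every active rule whose source
    or destination port is a bracketed list such as [389,3268] or ![21,23]."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out rule; Snort never parses it
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a rule header (blank, include, variable, ...)
        for port in (m.group(4), m.group(7)):
            bare = port.lstrip("!")  # a leading '!' negates the list
            if bare.startswith("[") and bare.endswith("]"):
                hits.append((lineno, port))
    return hits


if __name__ == "__main__":
    for lineno, port in port_list_rules(SAMPLE_RULES):
        print(f"line {lineno}: port list {port} not accepted by old parsers")
```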