[Snort-users] installation problem

praveen_recker . praveen_recker at ...4543...
Thu Jun 21 10:30:02 EDT 2012


The interface which you are using (-i 2), is it connected to the internet?
If it is a lab setup, make sure traffic is passing through the interface.

Send your snort.conf file to the list.

best regards,
praveen darshanam


On Thu, Jun 21, 2012 at 7:09 PM, Deepika p <dgpks1 at ...11827...> wrote:

>  Sir,
>   We have chosen a project on Snort, but installation itself became a big
> problem. We have chosen the Windows operating system, and
> when we run the following command in the command prompt
> \> snort -A console -i2 -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
>  we got the following lines at the end
>
>
> Encoded Rule Plugin SID: 16662, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13511, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 18663, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13969, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 20135, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16577, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16375, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13475, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 15470, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 15125, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 15503, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13954, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16237, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16182, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16534, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13287, GID: 3 not registered properly.  Disabling this rule.
>
>
> Verifying Preprocessor Configurations!
> ICMP tracking disabled, no ICMP sessions allocated
> IP tracking disabled, no IP sessions allocated
> WARNING: flowbits key 'file.cdr' is checked but not ever set.
> WARNING: flowbits key 'file.chm' is set but not ever checked.
> WARNING: flowbits key 'file.xul' is set but not ever checked.
> WARNING: flowbits key 'file.smil' is set but not ever checked.
> WARNING: flowbits key 'file.emf' is set but not ever checked.
> WARNING: flowbits key 'file.jarpack' is set but not ever checked.
> WARNING: flowbits key 'file.universalbinary' is set but not ever checked.
> WARNING: flowbits key 'file.gif' is set but not ever checked.
> WARNING: flowbits key 'file.pdf' is set but not ever checked.
> WARNING: flowbits key 'file.png' is set but not ever checked.
> WARNING: flowbits key 'file.doc' is set but not ever checked.
> WARNING: flowbits key 'file.zip' is set but not ever checked.
> WARNING: flowbits key 'file.rtf' is set but not ever checked.
> WARNING: flowbits key 'file.xbm' is set but not ever checked.
> WARNING: flowbits key 'file.sln' is set but not ever checked.
> WARNING: flowbits key 'file.xm' is set but not ever checked.
> WARNING: flowbits key 'file.caff' is set but not ever checked.
> WARNING: flowbits key 'file.wmv' is set but not ever checked.
> WARNING: flowbits key 'file.swf' is set but not ever checked.
> WARNING: flowbits key 'tlsv1.server_hello.request' is checked but not ever set.
> WARNING: flowbits key 'file.addin' is set but not ever checked.
> WARNING: flowbits key 'file.wps' is set but not ever checked.
> WARNING: flowbits key 'file.pub' is set but not ever checked.
> WARNING: flowbits key 'file.pct' is set but not ever checked.
> WARNING: flowbits key 'file.tiff.little' is set but not ever checked.
> WARNING: flowbits key 'tlsv1.client_hello.request' is checked but not ever set.
> WARNING: flowbits key 'file.pls' is set but not ever checked.
> WARNING: flowbits key 'trojan.nervos' is set but not ever checked.
> WARNING: flowbits key 'file.lnk' is set but not ever checked.
> WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set.
> WARNING: flowbits key 'file.smi' is set but not ever checked.
> WARNING: flowbits key 'file.slk' is set but not ever checked.
> WARNING: flowbits key 'file.xspf' is set but not ever checked.
> WARNING: flowbits key 'file.quicktime.mp4' is set but not ever checked.
> WARNING: flowbits key 'file.dbp' is set but not ever checked.
> WARNING: flowbits key 'backdoor.asylum.connect' is checked but not ever set.
> WARNING: flowbits key 'file.otf' is set but not ever checked.
> WARNING: flowbits key 'file.qcp' is set but not ever checked.
> WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked.
> WARNING: flowbits key 'file.ttf' is set but not ever checked.
> WARNING: flowbits key 'file.tiff' is set but not ever checked.
> WARNING: flowbits key 'file.visprj' is set but not ever checked.
> WARNING: flowbits key 'file.aiff' is set but not ever checked.
> WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set.
> WARNING: flowbits key 'file.wav' is set but not ever checked.
> WARNING: flowbits key 'file.torrent' is set but not ever checked.
> WARNING: flowbits key 'oracle.connect' is checked but not ever set.
> WARNING: flowbits key 'file.asx' is set but not ever checked.
> WARNING: flowbits key 'file.fpx' is set but not ever checked.
> WARNING: flowbits key 'file.realplayer.playlist' is set but not ever checked.
> WARNING: flowbits key 'file.mp3' is set but not ever checked.
> WARNING: flowbits key 'file.ole' is set but not ever checked.
> WARNING: flowbits key 'dorkbot.ircinit' is set but not ever checked.
> WARNING: flowbits key 'file.mswmm' is set but not ever checked.
> WARNING: flowbits key 'file.dxf' is set but not ever checked.
> WARNING: flowbits key 'file.ogg' is set but not ever checked.
> WARNING: flowbits key 'file.xls' is set but not ever checked.
> WARNING: flowbits key 'file.engtesselate' is set but not ever checked.
> WARNING: flowbits key 'file.pkp' is set but not ever checked.
> WARNING: flowbits key 'file.avi.video' is set but not ever checked.
> WARNING: flowbits key 'file.pmd' is set but not ever checked.
> WARNING: flowbits key 'file.class' is set but not ever checked.
> WARNING: flowbits key 'file.visio' is set but not ever checked.
> WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked but not ever set.
> WARNING: flowbits key 'file.4xm' is set but not ever checked.
> WARNING: flowbits key 'backdoor.donalddick.1.5.b.3.conn' is checked but not ever set.
> WARNING: flowbits key 'file.m3u' is set but not ever checked.
> WARNING: flowbits key 'file.bmp' is set but not ever checked.
> WARNING: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
> WARNING: flowbits key 'file.xlw' is set but not ever checked.
> WARNING: flowbits key 'file.psfont' is set but not ever checked.
> WARNING: flowbits key 'file.ani' is set but not ever checked.
> WARNING: flowbits key 'file.realmedia' is set but not ever checked.
> WARNING: flowbits key 'file.quicktime' is set but not ever checked.
> WARNING: flowbits key 'file.wmf' is set but not ever checked.
> WARNING: flowbits key 'file.jpeg' is set but not ever checked.
> WARNING: flowbits key 'file.vap' is set but not ever checked.
> WARNING: flowbits key 'file.hpj' is set but not ever checked.
> WARNING: flowbits key 'file.eot' is set but not ever checked.
> WARNING: flowbits key 'file.works' is set but not ever checked.
> WARNING: flowbits key 'file.cue' is set but not ever checked.
> WARNING: flowbits key 'file.avi' is set but not ever checked.
> WARNING: flowbits key 'kit.blackhole' is set but not ever checked.
> WARNING: flowbits key 'file.flv' is set but not ever checked.
> WARNING: flowbits key 'file.dmg' is set but not ever checked.
> WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
> WARNING: flowbits key 'file.eps' is set but not ever checked.
> WARNING: flowbits key 'file.xml' is set but not ever checked.
> WARNING: flowbits key 'file.asf' is set but not ever checked.
> WARNING: flowbits key 'file.dir' is set but not ever checked.
> WARNING: flowbits key 'file.xpm' is set but not ever checked.
> WARNING: flowbits key 'file.pptx' is set but not ever checked.
> 98 out of 1024 flowbits in use.
>
> [ Port Based Pattern Matching Memory ]
> +- [ Aho-Corasick Summary ] -------------------------------------
> | Storage Format    : Full-Q
> | Finite Automaton  : DFA
> | Alphabet Size     : 256 Chars
> | Sizeof State      : Variable (1,2,4 bytes)
> | Instances         : 75
> |     1 byte states : 66
> |     2 byte states : 9
> |     4 byte states : 0
> | Characters        : 11282
> | States            : 8191
> | Transitions       : 176281
> | State Density     : 8.4%
> | Patterns          : 963
> | Match States      : 930
> | Memory (MB)       : 3.98
> |   Patterns        : 0.07
> |   Match Lists     : 0.09
> |   DFA
> |     1 byte states : 0.34
> |     2 byte states : 3.39
> |     4 byte states : 0.00
> +----------------------------------------------------------------
> [ Number of patterns truncated to 20 bytes: 124 ]
> pcap DAQ configured to passive.
> The DAQ version does not support reload.
> Acquiring network traffic from "\Device\NPF_{3B066531-94C4-4299-B2D6-3F3A0E2E98B1}".
> Decoding Ethernet
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.2.3-ODBC-MySQL-WIN32 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using PCRE version: 8.10 2010-06-25
>            Using ZLIB version: 1.2.3
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15  <Build 18>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
> Commencing packet processing (pid=2128)
>
>
> and after this, pressing Ctrl+C, we get the following output even though we
> have run it for 30 minutes and opened so many web sites over http and ftp
>
> *** Caught Int-Signal
>
> ===============================================================================
> Run time for packet processing was 356.27000 seconds
> Snort processed 0 packets.
> Snort ran for 0 days 0 hours 5 minutes 56 seconds
>    Pkts/min:            0
>    Pkts/sec:            0
>
> ===============================================================================
> Packet I/O Totals:
>    Received:            0
>    Analyzed:            0 (  0.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:            0 (  0.000%)
>        VLAN:            0 (  0.000%)
>         IP4:            0 (  0.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:            0 (  0.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>       EAPOL:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:            0 (  0.000%)
>       Total:            0
>
> ===============================================================================
> Action Stats:
>      Alerts:            0 (  0.000%)
>      Logged:            0 (  0.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>        Event:            0
>       Alert:            0
> Verdicts:
>       Allow:            0 (  0.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
>
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
>
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 0
>               TCP sessions: 0
>               UDP sessions: 0
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
> TCP StreamTrackers Created: 0
> TCP StreamTrackers Deleted: 0
>               TCP Timeouts: 0
>               TCP Overlaps: 0
>        TCP Segments Queued: 0
>      TCP Segments Released: 0
>        TCP Rebuilt Packets: 0
>          TCP Segments Used: 0
>               TCP Discards: 0
>                   TCP Gaps: 0
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 0
>            Internal Events: 0
>            TCP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 0
>            UDP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 0
>
> ===============================================================================
>
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions                                    : 0
>   Max concurrent sessions                           : 0
>
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 0
>
> ===============================================================================
>
> ===============================================================================
> SIP Preprocessor Statistics
>   Total sessions: 0
>
> ===============================================================================
> Snort exiting
>
> Please let me know how to set this up for output, the modifications to be made
> in the snort.conf file for the actual output to come, and I'll be glad if you tell
> me the rules to be added for alerting and blocking on Windows 7. The
> version of Snort is 2.9.2.3.
>
>
>
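As an added example (not code from the thread or from the Snort project), a small Python triage script that parses console output of the shape quoted above for the three things this thread surfaces: a long run with zero packets received, which points at the -i interface rather than at snort.conf; the GID 3 rules Snort disabled at startup; and flowbits that are checked but never set. The sample output is constructed and the NPF device GUID is a placeholder, not the poster's.

```python
import re

# Constructed excerpt shaped like the Snort 2.9 console output quoted above
# (a handful of lines; the NPF device GUID is a placeholder, not the poster's).
SAMPLE_OUTPUT = """\
Encoded Rule Plugin SID: 16662, GID: 3 not registered properly.  Disabling this rule.
Encoded Rule Plugin SID: 13511, GID: 3 not registered properly.  Disabling this rule.
WARNING: flowbits key 'file.cdr' is checked but not ever set.
WARNING: flowbits key 'file.chm' is set but not ever checked.
Acquiring network traffic from "\\Device\\NPF_{PLACEHOLDER-GUID}".
Commencing packet processing (pid=2128)
Run time for packet processing was 356.27000 seconds
Snort processed 0 packets.
Packet I/O Totals:
   Received:            0
   Analyzed:            0 (  0.000%)
Action Stats:
     Alerts:            0 (  0.000%)
"""

ENCODED_RE = re.compile(r"Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly")
FLOWBITS_RE = re.compile(r"WARNING: flowbits key '([^']+)' is (checked but not ever set|set but not ever checked)")
COUNTER_RE = re.compile(r"^\s*(Received|Analyzed|Dropped|Alerts):\s+(\d+)", re.MULTILINE)
RUNTIME_RE = re.compile(r"Run time for packet processing was ([\d.]+) seconds")
DEVICE_RE = re.compile(r'Acquiring network traffic from\s*"([^"]+)"')


def triage_snort_run(output: str) -> dict:
    """Summarise one Snort run and list what the sensor admin should act on."""
    disabled = [(int(sid), int(gid)) for sid, gid in ENCODED_RE.findall(output)]
    flowbits = {"checked_not_set": [], "set_not_checked": []}
    for key, kind in FLOWBITS_RE.findall(output):
        bucket = "checked_not_set" if kind.startswith("checked") else "set_not_checked"
        flowbits[bucket].append(key)
    counters = {}
    for name, value in COUNTER_RE.findall(output):
        counters.setdefault(name, int(value))  # first block (Packet I/O Totals) wins
    run = RUNTIME_RE.search(output)
    runtime = float(run.group(1)) if run else None
    dev = DEVICE_RE.search(output)
    device = dev.group(1) if dev else None
    findings = []
    if counters.get("Received") == 0 and runtime and runtime > 60:
        # The thread's symptom: minutes of runtime with zero packets means the -i index names an idle or wrong NIC.
        findings.append(f"no packets received in {runtime:.0f}s on {device}: verify the -i interface")
    if disabled:
        # GID 3 stubs whose shared-object rule library did not load: those signatures are silently inactive.
        findings.append(f"{len(disabled)} GID-3 rules disabled: shared-object rules not loaded")
    if flowbits["checked_not_set"]:
        # A rule that checks a flowbit no other rule sets can never fire; 'set but never checked' is informational.
        findings.append(f"{len(flowbits['checked_not_set'])} flowbits checked but never set")
    return {"disabled": disabled, "flowbits": flowbits, "counters": counters,
            "runtime_s": runtime, "device": device, "findings": findings}
```

Run it against the full console output saved to a file to get the same three-line summary before reading through hundreds of warnings.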