[Snort-users] installation problem

praveen_recker . praveen_recker at ...4543...
Thu Jun 21 11:02:39 EDT 2012


Try to set $HOME and $EXTERNAL to any, just for debugging purposes.
Try to run Wireshark on the interface Snort is sniffing to make sure you
are able to see traffic.

-praveen darshanam
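A small triage script for a console dump like the one quoted below, added here as an example; it is not code from the Snort project or from any poster in this thread. It pulls out the three things the replies care about: the "Encoded Rule Plugin ... not registered properly" lines (GID 3 is the shared object rule group), the flowbits warnings, and the packet counters that show whether the chosen interface delivered any traffic at all. A "Received: 0" count comes from the capture layer, which is exactly what running Wireshark on the same interface tests. The sample text is a constructed, abbreviated copy of the quoted output with a placeholder device GUID, and the finding codes and messages are this example's own.

```python
"""Triage a Snort 2.9 console dump (added example, not Snort project code)."""
import re

# Constructed sample: an abbreviated copy of the output quoted in the thread.
# The NPF device GUID is a placeholder, not the one from the original post.
SAMPLE_OUTPUT = """\
Encoded Rule Plugin SID: 16662, GID: 3 not registered properly.  Disabling this rule.
Encoded Rule Plugin SID: 13511, GID: 3 not registered properly.  Disabling this rule.
Verifying Preprocessor Configurations!
WARNING: flowbits key 'file.cdr' is checked but not ever set.
WARNING: flowbits key 'file.chm' is set but not ever checked.
98 out of 1024 flowbits in use.
pcap DAQ configured to passive.
Acquiring network traffic from "\\Device\\NPF_{PLACEHOLDER-GUID}".
Decoding Ethernet
Commencing packet processing (pid=2128)
*** Caught Int-Signal
Run time for packet processing was 356.27000 seconds
Snort processed 0 packets.
Packet I/O Totals:
   Received:            0
   Analyzed:            0 (  0.000%)
    Dropped:            0 (  0.000%)
Stream5 statistics:
           TCP Port Filter
                   Dropped: 0
"""

RULE_RE = re.compile(r"Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly")
FLOWBITS_RE = re.compile(r"WARNING: flowbits key '([^']+)' is (checked but not ever set|set but not ever checked)")
IN_USE_RE = re.compile(r"(\d+) out of (\d+) flowbits in use")
IFACE_RE = re.compile(r'Acquiring network traffic from "([^"]+)"')
RUNTIME_RE = re.compile(r"Run time for packet processing was ([\d.]+) seconds")
PROCESSED_RE = re.compile(r"Snort processed (\d+) packets")
IO_RE = re.compile(r"^\s*(Received|Analyzed|Dropped|Filtered):\s+(\d+)", re.MULTILINE)


def parse_snort_output(text):
    """Extract the diagnostic fields from a Snort 2.9 console dump."""
    report = {
        # findall yields (sid, gid); store as (gid, sid) for readability
        "unregistered_rules": [(int(gid), int(sid)) for sid, gid in RULE_RE.findall(text)],
        "flowbits_warnings": len(FLOWBITS_RE.findall(text)),
        "flowbits_in_use": None,
        "interface": None,
        "runtime_seconds": None,
        "packets_processed": None,
        "io_totals": {},
    }
    if (m := IN_USE_RE.search(text)):
        report["flowbits_in_use"] = (int(m.group(1)), int(m.group(2)))
    if (m := IFACE_RE.search(text)):
        report["interface"] = m.group(1)
    if (m := RUNTIME_RE.search(text)):
        report["runtime_seconds"] = float(m.group(1))
    if (m := PROCESSED_RE.search(text)):
        report["packets_processed"] = int(m.group(1))
    # Read counters only from the 'Packet I/O Totals' block onward, keeping the
    # first value per label: later blocks (Stream5's port filter) reuse 'Dropped'.
    start = text.find("Packet I/O Totals:")
    if start >= 0:
        for label, value in IO_RE.findall(text[start:]):
            report["io_totals"].setdefault(label, int(value))
    return report


def triage(report):
    """Map parsed fields to (code, message) findings; empty list means no problem found."""
    findings = []
    so_rules = [r for r in report["unregistered_rules"] if r[0] == 3]
    if so_rules:
        findings.append(("SO_RULES_UNREGISTERED",
                         f"{len(so_rules)} GID 3 (shared object) rules failed to register; "
                         "disable the SO rule includes in snort.conf or install SO rules "
                         "built for this Snort version"))
    if report["packets_processed"] == 0 and (report["runtime_seconds"] or 0) > 0:
        findings.append(("NO_TRAFFIC",
                         f"0 packets received in {report['runtime_seconds']:.0f}s on "
                         f"{report['interface']}: wrong -i index or no traffic on that "
                         "interface; confirm with Wireshark on the same interface"))
    if report["flowbits_warnings"]:
        findings.append(("FLOWBITS_INFO",
                         f"{report['flowbits_warnings']} flowbits warnings: informational "
                         "(bits set but never checked, or checked but never set); they do "
                         "not stop capture"))
    return findings


if __name__ == "__main__":
    for code, message in triage(parse_snort_output(SAMPLE_OUTPUT)):
        print(f"[{code}] {message}")
```

Paste a real dump into SAMPLE_OUTPUT (or read it from a file) and the script reports which of the three conditions is present. On the Windows build, `snort -W` prints the interface list with the index numbers that `-i` expects, which is the quickest way to confirm that `-i2` really is the adapter carrying the traffic.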

On Thu, Jun 21, 2012 at 8:23 PM, Michael Steele <michaels at ...9077...> wrote:

> I've never seen this particular error in Windows. Are you trying to use
> the Shared Object Rules?
>
> You will need to disable this feature in the snort.conf.
>
> Have you tested the snort.conf?
>
> snort -c c:\snort\etc\snort.conf -l c:\snort\log -i2 -T
>
> Don't worry about the warnings, however that looks like a LOT more warning
> messages than I've ever seen at startup.
>
> Kindest regards,
>
> Michael...
>
> WINSNORT.com Management Team Member
>
> --
> ****************** Established ~ 2001 *******************
> *          Visit Us @ http://www.winsnort.com           *
> *      ~~ FREE WinIDS Snort installation guides ~~      *
> *               ~~ FREE support forums ~~               *
> * Snort: Open Source Network IDS - http://www.snort.org *
> *********************************************************
>
>
> From: Deepika p [mailto:dgpks1 at ...11827...]
> Sent: Thursday, June 21, 2012 9:39 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] installation problem
>
> Sir,
>
> We have chosen a project on Snort, but the installation itself became a big
> problem. We have chosen the Windows operating system, and when we run the
> following command in the command prompt
>
> \> snort -A console -i2 -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii
>
> we got the following lines at the end
>
>
> Encoded Rule Plugin SID: 16662, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13511, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 18663, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13969, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 20135, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16577, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16375, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13475, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 15470, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 15125, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 15503, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13954, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16237, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16182, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 16534, GID: 3 not registered properly.  Disabling this rule.
> Encoded Rule Plugin SID: 13287, GID: 3 not registered properly.  Disabling this rule.
>
> Verifying Preprocessor Configurations!
> ICMP tracking disabled, no ICMP sessions allocated
> IP tracking disabled, no IP sessions allocated
> WARNING: flowbits key 'file.cdr' is checked but not ever set.
> WARNING: flowbits key 'file.chm' is set but not ever checked.
> WARNING: flowbits key 'file.xul' is set but not ever checked.
> WARNING: flowbits key 'file.smil' is set but not ever checked.
> WARNING: flowbits key 'file.emf' is set but not ever checked.
> WARNING: flowbits key 'file.jarpack' is set but not ever checked.
> WARNING: flowbits key 'file.universalbinary' is set but not ever checked.
> WARNING: flowbits key 'file.gif' is set but not ever checked.
> WARNING: flowbits key 'file.pdf' is set but not ever checked.
> WARNING: flowbits key 'file.png' is set but not ever checked.
> WARNING: flowbits key 'file.doc' is set but not ever checked.
> WARNING: flowbits key 'file.zip' is set but not ever checked.
> WARNING: flowbits key 'file.rtf' is set but not ever checked.
> WARNING: flowbits key 'file.xbm' is set but not ever checked.
> WARNING: flowbits key 'file.sln' is set but not ever checked.
> WARNING: flowbits key 'file.xm' is set but not ever checked.
> WARNING: flowbits key 'file.caff' is set but not ever checked.
> WARNING: flowbits key 'file.wmv' is set but not ever checked.
> WARNING: flowbits key 'file.swf' is set but not ever checked.
> WARNING: flowbits key 'tlsv1.server_hello.request' is checked but not ever set.
> WARNING: flowbits key 'file.addin' is set but not ever checked.
> WARNING: flowbits key 'file.wps' is set but not ever checked.
> WARNING: flowbits key 'file.pub' is set but not ever checked.
> WARNING: flowbits key 'file.pct' is set but not ever checked.
> WARNING: flowbits key 'file.tiff.little' is set but not ever checked.
> WARNING: flowbits key 'tlsv1.client_hello.request' is checked but not ever set.
> WARNING: flowbits key 'file.pls' is set but not ever checked.
> WARNING: flowbits key 'trojan.nervos' is set but not ever checked.
> WARNING: flowbits key 'file.lnk' is set but not ever checked.
> WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set.
> WARNING: flowbits key 'file.smi' is set but not ever checked.
> WARNING: flowbits key 'file.slk' is set but not ever checked.
> WARNING: flowbits key 'file.xspf' is set but not ever checked.
> WARNING: flowbits key 'file.quicktime.mp4' is set but not ever checked.
> WARNING: flowbits key 'file.dbp' is set but not ever checked.
> WARNING: flowbits key 'backdoor.asylum.connect' is checked but not ever set.
> WARNING: flowbits key 'file.otf' is set but not ever checked.
> WARNING: flowbits key 'file.qcp' is set but not ever checked.
> WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked.
> WARNING: flowbits key 'file.ttf' is set but not ever checked.
> WARNING: flowbits key 'file.tiff' is set but not ever checked.
> WARNING: flowbits key 'file.visprj' is set but not ever checked.
> WARNING: flowbits key 'file.aiff' is set but not ever checked.
> WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set.
> WARNING: flowbits key 'file.wav' is set but not ever checked.
> WARNING: flowbits key 'file.torrent' is set but not ever checked.
> WARNING: flowbits key 'oracle.connect' is checked but not ever set.
> WARNING: flowbits key 'file.asx' is set but not ever checked.
> WARNING: flowbits key 'file.fpx' is set but not ever checked.
> WARNING: flowbits key 'file.realplayer.playlist' is set but not ever checked.
> WARNING: flowbits key 'file.mp3' is set but not ever checked.
> WARNING: flowbits key 'file.ole' is set but not ever checked.
> WARNING: flowbits key 'dorkbot.ircinit' is set but not ever checked.
> WARNING: flowbits key 'file.mswmm' is set but not ever checked.
> WARNING: flowbits key 'file.dxf' is set but not ever checked.
> WARNING: flowbits key 'file.ogg' is set but not ever checked.
> WARNING: flowbits key 'file.xls' is set but not ever checked.
> WARNING: flowbits key 'file.engtesselate' is set but not ever checked.
> WARNING: flowbits key 'file.pkp' is set but not ever checked.
> WARNING: flowbits key 'file.avi.video' is set but not ever checked.
> WARNING: flowbits key 'file.pmd' is set but not ever checked.
> WARNING: flowbits key 'file.class' is set but not ever checked.
> WARNING: flowbits key 'file.visio' is set but not ever checked.
> WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked but not ever set.
> WARNING: flowbits key 'file.4xm' is set but not ever checked.
> WARNING: flowbits key 'backdoor.donalddick.1.5.b.3.conn' is checked but not ever set.
> WARNING: flowbits key 'file.m3u' is set but not ever checked.
> WARNING: flowbits key 'file.bmp' is set but not ever checked.
> WARNING: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
> WARNING: flowbits key 'file.xlw' is set but not ever checked.
> WARNING: flowbits key 'file.psfont' is set but not ever checked.
> WARNING: flowbits key 'file.ani' is set but not ever checked.
> WARNING: flowbits key 'file.realmedia' is set but not ever checked.
> WARNING: flowbits key 'file.quicktime' is set but not ever checked.
> WARNING: flowbits key 'file.wmf' is set but not ever checked.
> WARNING: flowbits key 'file.jpeg' is set but not ever checked.
> WARNING: flowbits key 'file.vap' is set but not ever checked.
> WARNING: flowbits key 'file.hpj' is set but not ever checked.
> WARNING: flowbits key 'file.eot' is set but not ever checked.
> WARNING: flowbits key 'file.works' is set but not ever checked.
> WARNING: flowbits key 'file.cue' is set but not ever checked.
> WARNING: flowbits key 'file.avi' is set but not ever checked.
> WARNING: flowbits key 'kit.blackhole' is set but not ever checked.
> WARNING: flowbits key 'file.flv' is set but not ever checked.
> WARNING: flowbits key 'file.dmg' is set but not ever checked.
> WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
> WARNING: flowbits key 'file.eps' is set but not ever checked.
> WARNING: flowbits key 'file.xml' is set but not ever checked.
> WARNING: flowbits key 'file.asf' is set but not ever checked.
> WARNING: flowbits key 'file.dir' is set but not ever checked.
> WARNING: flowbits key 'file.xpm' is set but not ever checked.
> WARNING: flowbits key 'file.pptx' is set but not ever checked.
> 98 out of 1024 flowbits in use.
>
>
> [ Port Based Pattern Matching Memory ]
> +- [ Aho-Corasick Summary ] -------------------------------------
> | Storage Format    : Full-Q
> | Finite Automaton  : DFA
> | Alphabet Size     : 256 Chars
> | Sizeof State      : Variable (1,2,4 bytes)
> | Instances         : 75
> |     1 byte states : 66
> |     2 byte states : 9
> |     4 byte states : 0
> | Characters        : 11282
> | States            : 8191
> | Transitions       : 176281
> | State Density     : 8.4%
> | Patterns          : 963
> | Match States      : 930
> | Memory (MB)       : 3.98
> |   Patterns        : 0.07
> |   Match Lists     : 0.09
> |   DFA
> |     1 byte states : 0.34
> |     2 byte states : 3.39
> |     4 byte states : 0.00
> +----------------------------------------------------------------
> [ Number of patterns truncated to 20 bytes: 124 ]
>
> pcap DAQ configured to passive.
> The DAQ version does not support reload.
> Acquiring network traffic from "\Device\NPF_{3B066531-94C4-4299-B2D6-3F3A0E2E98B1}".
> Decoding Ethernet
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.2.3-ODBC-MySQL-WIN32 GRE (Build 205)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using PCRE version: 8.10 2010-06-25
>            Using ZLIB version: 1.2.3
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15  <Build 18>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
> Commencing packet processing (pid=2128)
>
> and after this, pressing Ctrl+C, we get the following output even though we
> ran it for 30 minutes and opened so many web sites over HTTP and FTP
>
> *** Caught Int-Signal
>
> ===============================================================================
> Run time for packet processing was 356.27000 seconds
> Snort processed 0 packets.
> Snort ran for 0 days 0 hours 5 minutes 56 seconds
>    Pkts/min:            0
>    Pkts/sec:            0
> ===============================================================================
> Packet I/O Totals:
>    Received:            0
>    Analyzed:            0 (  0.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:            0 (  0.000%)
>        VLAN:            0 (  0.000%)
>         IP4:            0 (  0.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:            0 (  0.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>       EAPOL:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:            0 (  0.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:            0 (  0.000%)
>       Total:            0
> ===============================================================================
> Action Stats:
>      Alerts:            0 (  0.000%)
>      Logged:            0 (  0.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:            0 (  0.000%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 0
>               TCP sessions: 0
>               UDP sessions: 0
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
> TCP StreamTrackers Created: 0
> TCP StreamTrackers Deleted: 0
>               TCP Timeouts: 0
>               TCP Overlaps: 0
>        TCP Segments Queued: 0
>      TCP Segments Released: 0
>        TCP Rebuilt Packets: 0
>          TCP Segments Used: 0
>               TCP Discards: 0
>                   TCP Gaps: 0
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 0
>            Internal Events: 0
>            TCP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 0
>            UDP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 0
> ===============================================================================
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions                                    : 0
>   Max concurrent sessions                           : 0
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 0
> ===============================================================================
> ===============================================================================
> SIP Preprocessor Statistics
>   Total sessions: 0
> ===============================================================================
> Snort exiting
>
>
> Please let me know how to set this up for output, the modifications to be made
> in the snort.conf file for the actual output to come, and I'd be glad if you tell
> me the rules to be added for alerting and blocking for Windows 7. The
> version of Snort is 2.9.2.3.