[Snort-users] permission issue

Balla István balla.bmf at ...11827...
Wed Apr 10 16:59:43 EDT 2013


Thanks, Jarrett,

I didn't pay attention to the last command. That caused the problem. It is
fixed. I haven't found an explanation for the following warning messages in the
Snort documentation:

Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'file.pecompact' is set but not ever checked.
WARNING: flowbits key 'flags.fin' is set but not ever checked.
WARNING: flowbits key 'file.docm' is set but not ever checked.
WARNING: flowbits key 'sybase.tds.connection' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'file.vqf' is set but not ever checked.
WARNING: flowbits key 'smb.smi' is set but not ever checked.
WARNING: flowbits key 'file.maki' is set but not ever checked.
WARNING: flowbits key 'smb.trans2.fileinfo' is set but not ever checked.
WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
WARNING: flowbits key 'file.ppsx' is set but not ever checked.
WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
WARNING: flowbits key 'file.rar' is set but not ever checked.
WARNING: flowbits key 'file.xlsx' is set but not ever checked.
WARNING: flowbits key 'file.bzip' is checked but not ever set.
WARNING: flowbits key 'file.mpeg' is checked but not ever set.
WARNING: flowbits key 'file.swf.cff' is set but not ever checked.
WARNING: flowbits key 'file.emf' is set but not ever checked.
WARNING: flowbits key 'acunetix.scanner' is set but not ever checked.
WARNING: flowbits key 'ms.packager' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
130 out of 1024 flowbits in use.

Do you think these are generated when there is no traffic through the Snort
interfaces?

Thanks again


2013/4/8 Jarrett Carver <jarrett.carver at ...11827...>

> It looks like you need to make sure that your snort user/group has access
> to the logging directory /var/log/snort, and has permissions to create log
> files in this directory.
>
> I would try something like:
>
> # chown snort:snort /var/log/snort
> # chmod 775 /var/log/snort
>
>
>
>
>
>
> On Sat, Apr 6, 2013 at 3:48 PM, Balla István <balla.bmf at ...11827...> wrote:
>
>> Hi Members,
>>
>> I'm facing problems when I run snort with
>>
>> sudo /usr/local/snort/bin/snort -u snort -g snort -c
>> /usr/local/snort/etc/snort.conf -i eth1
>>
>> command. I followed the
>> http://www.snort.org/assets/158/snortinstallguide293.pdf guide and it
>> seemed to work but I got the error message at the end:
>>
>> ERROR: spo_unified2.c(321) Could not open
>> /var/log/snort/snort.u2.1365276051: Permission denied
>> Fatal Error, Quitting..
>>
>> There is no traffic yet on eth1 but I think this issue is related to the
>> log somehow.
>> I attach below the result of the firstly mentioned command.
>>
>> Thanks for your advice.
>>
>>
>> ----------------------------------------------------------------------------------------------
>> sudo /usr/local/snort/bin/snort -u snort -g snort -c
>> /usr/local/snort/etc/snort.conf -i eth1
>>
>> Running in IDS mode
>>
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/usr/local/snort/etc/snort.conf"
>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414
>> 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001
>> 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123
>> 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999
>> 11371 34443:34444 41080 50002 55555 ]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
>> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901
>> 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
>> 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
>> 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
>> 9443 9999 11371 34443:34444 41080 50002 55555 ]
>> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
>> Detection:
>>    Search-Method = AC-Full-Q
>>     Split Any/Any group = enabled
>>     Search-Method-Optimizations = enabled
>>     Maximum pattern length = 20
>> Tagged Packet Limit: 256
>> Loading dynamic engine
>> /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so... done
>> Loading all dynamic detection libs from
>> /usr/local/snort/lib/snort_dynamicrules...
>> WARNING: No dynamic libraries found in directory
>> /usr/local/snort/lib/snort_dynamicrules.
>>   Finished Loading all dynamic detection libs from
>> /usr/local/snort/lib/snort_dynamicrules
>> Loading all dynamic preprocessor libs from
>> /usr/local/snort/lib/snort_dynamicpreprocessor/...
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
>> done
>>   Loading dynamic preprocessor library
>> /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>   Finished Loading all dynamic preprocessor libs from
>> /usr/local/snort/lib/snort_dynamicpreprocessor/
>> Log directory = /var/log/snort
>> WARNING: ip4 normalizations disabled because not inline.
>> WARNING: tcp normalizations disabled because not inline.
>> WARNING: icmp4 normalizations disabled because not inline.
>> WARNING: ip6 normalizations disabled because not inline.
>> WARNING: icmp6 normalizations disabled because not inline.
>> Frag3 global config:
>>     Max frags: 65536
>>     Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>     Bound Address: default
>>     Target-based policy: WINDOWS
>>     Fragment timeout: 180 seconds
>>     Fragment min_ttl:   1
>>     Fragment Anomalies: Alert
>>     Overlap Limit:     10
>>     Min fragment Length:     100
>> Stream5 global config:
>>     Track TCP sessions: ACTIVE
>>     Max TCP sessions: 262144
>>     Memcap (for reassembly packet storage): 8388608
>>     Track UDP sessions: ACTIVE
>>     Max UDP sessions: 131072
>>     Track ICMP sessions: INACTIVE
>>     Track IP sessions: INACTIVE
>>     Log info if session memory consumption exceeds 1048576
>>     Send up to 2 active responses
>>     Wait at least 5 seconds between responses
>>     Protocol Aware Flushing: ACTIVE
>>         Maximum Flush Point: 16000
>> Stream5 TCP Policy config:
>>     Bound Address: default
>>     Reassembly Policy: WINDOWS
>>     Timeout: 180 seconds
>>     Limit on TCP Overlaps: 10
>>     Maximum number of bytes to queue per session: 1048576
>>     Maximum number of segs to queue per session: 2621
>>     Options:
>>         Require 3-Way Handshake: YES
>>         3-Way Handshake Timeout: 180
>>         Detect Anomalies: YES
>>     Reassembly Ports:
>>       21 client (Footprint)
>>       22 client (Footprint)
>>       23 client (Footprint)
>>       25 client (Footprint)
>>       42 client (Footprint)
>>       53 client (Footprint)
>>       79 client (Footprint)
>>       80 client (Footprint) server (Footprint)
>>       81 client (Footprint) server (Footprint)
>>       109 client (Footprint)
>>       110 client (Footprint)
>>       111 client (Footprint)
>>       113 client (Footprint)
>>       119 client (Footprint)
>>       135 client (Footprint)
>>       136 client (Footprint)
>>       137 client (Footprint)
>>       139 client (Footprint)
>>       143 client (Footprint)
>>       161 client (Footprint)
>>       additional ports configured but not printed.
>> Stream5 UDP Policy config:
>>     Timeout: 180 seconds
>> HttpInspect Config:
>>     GLOBAL CONFIG
>>       Max Pipeline Requests:    0
>>       Inspection Type:          STATELESS
>>       Detect Proxy Usage:       NO
>>       IIS Unicode Map Filename: /usr/local/snort/etc/unicode.map
>>       IIS Unicode Map Codepage: 1252
>>       Memcap used for logging URI and Hostname: 150994944
>>       Max Gzip Memory: 838860
>>       Max Gzip Sessions: 9532
>>       Gzip Compress Depth: 65535
>>       Gzip Decompress Depth: 65535
>>     DEFAULT SERVER CONFIG:
>>       Server profile: All
>>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301
>> 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777
>> 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280
>> 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444
>> 41080 50002 55555
>>       Server Flow Depth: 0
>>       Client Flow Depth: 0
>>       Max Chunk Length: 500000
>>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>>       Max Header Field Length: 750
>>       Max Number Header Fields: 100
>>       Max Number of WhiteSpaces allowed with header folding: 200
>>       Inspect Pipeline Requests: YES
>>       URI Discovery Strict Mode: NO
>>       Allow Proxy Usage: NO
>>       Disable Alerting: NO
>>       Oversize Dir Length: 500
>>       Only inspect URI: NO
>>       Normalize HTTP Headers: NO
>>       Inspect HTTP Cookies: YES
>>       Inspect HTTP Responses: YES
>>       Extract Gzip from responses: YES
>>       Unlimited decompression of gzip data from responses: YES
>>       Normalize Javascripts in HTTP Responses: YES
>>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in
>> HTTP responses: 200
>>       Normalize HTTP Cookies: NO
>>       Enable XFF and True Client IP: NO
>>       Log HTTP URI data: NO
>>       Log HTTP Hostname data: NO
>>       Extended ASCII code support in URI: NO
>>       Ascii: YES alert: NO
>>       Double Decoding: YES alert: NO
>>       %U Encoding: YES alert: YES
>>       Bare Byte: YES alert: NO
>>       UTF 8: YES alert: NO
>>       IIS Unicode: YES alert: NO
>>       Multiple Slash: YES alert: NO
>>       IIS Backslash: YES alert: NO
>>       Directory Traversal: YES alert: NO
>>       Web Root Traversal: YES alert: NO
>>       Apache WhiteSpace: YES alert: NO
>>       IIS Delimiter: YES alert: NO
>>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
>> 0x07
>>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
>> 32777 32778 32779
>>     alert_fragments: INACTIVE
>>     alert_large_fragments: INACTIVE
>>     alert_incomplete: INACTIVE
>>     alert_multiple_requests: INACTIVE
>> FTPTelnet Config:
>>     GLOBAL CONFIG
>>       Inspection Type: stateful
>>       Check for Encrypted Traffic: YES alert: NO
>>       Continue to check encrypted data: YES
>>     TELNET CONFIG:
>>       Ports: 23
>>       Are You There Threshold: 20
>>       Normalize: YES
>>       Detect Anomalies: YES
>>     FTP CONFIG:
>>       FTP Server: default
>>         Ports (PAF): 21 2100 3535
>>         Check for Telnet Cmds: YES alert: YES
>>         Ignore Telnet Cmd Operations: YES alert: YES
>>         Identify open data channels: NO
>>       FTP Client: default
>>         Check for Bounce Attacks: YES alert: YES
>>         Check for Telnet Cmds: YES alert: YES
>>         Ignore Telnet Cmd Operations: YES alert: YES
>>         Max Response Length: 256
>> SMTP Config:
>>     Ports: 25 465 587 691
>>     Inspection Type: Stateful
>>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
>> EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
>> STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
>> XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT
>> X-DRCP X-ERCP X-EXCH50
>>     Ignore Data: No
>>     Ignore TLS Data: No
>>     Ignore SMTP Alerts: No
>>     Max Command Line Length: 512
>>     Max Specific Command Line Length:
>>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>>        XUSR:246
>>     Max Header Line Length: 1000
>>     Max Response Line Length: 512
>>     X-Link2State Alert: Yes
>>     Drop on X-Link2State Alert: No
>>     Alert on commands: None
>>     Alert on unknown commands: No
>>     SMTP Memcap: 838860
>>     MIME Max Mem: 838860
>>     Base64 Decoding: Enabled
>>     Base64 Decoding Depth: Unlimited
>>     Quoted-Printable Decoding: Enabled
>>     Quoted-Printable Decoding Depth: Unlimited
>>     Unix-to-Unix Decoding: Enabled
>>     Unix-to-Unix Decoding Depth: Unlimited
>>     Non-Encoded MIME attachment Extraction: Enabled
>>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>>     Log Attachment filename: Enabled
>>     Log MAIL FROM Address: Enabled
>>     Log RCPT TO Addresses: Enabled
>>     Log Email Headers: Enabled
>>     Email Hdrs Log Depth: 1464
>> SSH config:
>>     Autodetection: ENABLED
>>     Challenge-Response Overflow Alert: ENABLED
>>     SSH1 CRC32 Alert: ENABLED
>>     Server Version String Overflow Alert: ENABLED
>>     Protocol Mismatch Alert: ENABLED
>>     Bad Message Direction Alert: DISABLED
>>     Bad Payload Size Alert: DISABLED
>>     Unrecognized Version Alert: DISABLED
>>     Max Encrypted Packets: 20
>>     Max Server Version String Length: 100
>>     MaxClientBytes: 19600 (Default)
>>     Ports:
>>     22
>> DCE/RPC 2 Preprocessor Configuration
>>   Global Configuration
>>     DCE/RPC Defragmentation: Enabled
>>     Memcap: 102400 KB
>>     Events: co
>>     SMB Fingerprint policy: Disabled
>>   Server Default Configuration
>>     Policy: WinXP
>>     Detect ports (PAF)
>>       SMB: 139 445
>>       TCP: 135
>>       UDP: 135
>>       RPC over HTTP server: 593
>>       RPC over HTTP proxy: None
>>     Autodetect ports (PAF)
>>       SMB: None
>>       TCP: 1025-65535
>>       UDP: 1025-65535
>>       RPC over HTTP server: 1025-65535
>>       RPC over HTTP proxy: None
>>     Invalid SMB shares: C$ D$ ADMIN$
>>     Maximum SMB command chaining: 3 commands
>> DNS config:
>>     DNS Client rdata txt Overflow Alert: ACTIVE
>>     Obsolete DNS RR Types Alert: INACTIVE
>>     Experimental DNS RR Types Alert: INACTIVE
>>     Ports: 53
>> SSLPP config:
>>     Encrypted packets: not inspected
>>     Ports:
>>       443      465      563      636      989
>>       992      993      994      995     7801
>>      7802     7900     7901     7902     7903
>>      7904     7905     7906     7907     7908
>>      7909     7910     7911     7912     7913
>>      7914     7915     7916     7917     7918
>>      7919     7920
>>     Server side data is trusted
>> Sensitive Data preprocessor config:
>>     Global Alert Threshold: 25
>>     Masked Output: DISABLED
>> SIP config:
>>     Max number of sessions: 40000
>>     Max number of dialogs in a session: 4 (Default)
>>     Status: ENABLED
>>     Ignore media channel: DISABLED
>>     Max URI length: 512
>>     Max Call ID length: 80
>>     Max Request name length: 20 (Default)
>>     Max From length: 256 (Default)
>>     Max To length: 256 (Default)
>>     Max Via length: 1024 (Default)
>>     Max Contact length: 512
>>     Max Content length: 2048
>>     Ports:
>>     5060    5061    5600
>>     Methods:
>>       invite cancel ack bye register options refer subscribe update join
>> info message notify benotify do qauth sprack publish service unsubscribe
>> prack
>> IMAP Config:
>>     Ports: 143
>>     IMAP Memcap: 838860
>>     Base64 Decoding: Enabled
>>     Base64 Decoding Depth: Unlimited
>>     Quoted-Printable Decoding: Enabled
>>     Quoted-Printable Decoding Depth: Unlimited
>>     Unix-to-Unix Decoding: Enabled
>>     Unix-to-Unix Decoding Depth: Unlimited
>>     Non-Encoded MIME attachment Extraction: Enabled
>>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>> POP Config:
>>     Ports: 110
>>     POP Memcap: 838860
>>     Base64 Decoding: Enabled
>>     Base64 Decoding Depth: Unlimited
>>     Quoted-Printable Decoding: Enabled
>>     Quoted-Printable Decoding Depth: Unlimited
>>     Unix-to-Unix Decoding: Enabled
>>     Unix-to-Unix Decoding Depth: Unlimited
>>     Non-Encoded MIME attachment Extraction: Enabled
>>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>> Modbus config:
>>     Ports:
>>     502
>> DNP3 config:
>>     Memcap: 262144
>>     Check Link-Layer CRCs: ENABLED
>>     Ports:
>>     20000
>> Reputation config:
>> WARNING: Can't find any whitelist/blacklist entries. Reputation
>> Preprocessor disabled.
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> 3565 Snort rules read
>>     3565 detection rules
>>     0 decoder rules
>>     0 preprocessor rules
>> 3565 Option Chains linked into 187 Chain Headers
>> 0 Dynamic rules
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> +-------------------[Rule Port
>> Counts]---------------------------------------
>> |             tcp     udp    icmp      ip
>> |     src    1478       5       0       0
>> |     dst    1737     200       0       0
>> |     any     126      44      28      26
>> |      nc      52      12       1       0
>> |     s+d       3       1       0       0
>>
>> +----------------------------------------------------------------------------
>>
>>
>> +-----------------------[detection-filter-config]------------------------------
>> | memory-cap : 1048576 bytes
>>
>> +-----------------------[detection-filter-rules]-------------------------------
>>
>> -------------------------------------------------------------------------------
>>
>>
>> +-----------------------[rate-filter-config]-----------------------------------
>> | memory-cap : 1048576 bytes
>>
>> +-----------------------[rate-filter-rules]------------------------------------
>> | none
>>
>> -------------------------------------------------------------------------------
>>
>>
>> +-----------------------[event-filter-config]----------------------------------
>> | memory-cap : 1048576 bytes
>>
>> +-----------------------[event-filter-global]----------------------------------
>>
>> +-----------------------[event-filter-local]-----------------------------------
>> | none
>>
>> +-----------------------[suppression]------------------------------------------
>> | none
>>
>> -------------------------------------------------------------------------------
>> Rule application order:
>> activation->dynamic->pass->drop->sdrop->reject->alert->log
>> Verifying Preprocessor Configurations!
>> ICMP tracking disabled, no ICMP sessions allocated
>> IP tracking disabled, no IP sessions allocated
>> WARNING: flowbits key 'file.xlsx' is set but not ever checked.
>> WARNING: flowbits key 'file.maki' is set but not ever checked.
>> WARNING: flowbits key 'file.rar' is set but not ever checked.
>> WARNING: flowbits key 'file.cov' is set but not ever checked.
>> WARNING: flowbits key 'file.ppsx' is set but not ever checked.
>> WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
>> WARNING: flowbits key 'sybase.tds.connection' is set but not ever checked.
>> WARNING: flowbits key 'file.vqf' is set but not ever checked.
>> WARNING: flowbits key 'file.bzip' is checked but not ever set.
>> WARNING: flowbits key 'file.emf' is set but not ever checked.
>> WARNING: flowbits key 'file.wma' is set but not ever checked.
>> WARNING: flowbits key 'file.swf.cff' is set but not ever checked.
>> WARNING: flowbits key 'file.docm' is set but not ever checked.
>> WARNING: flowbits key 'smb.trans2.fileinfo' is set but not ever checked.
>> WARNING: flowbits key 'flags.fin' is set but not ever checked.
>> WARNING: flowbits key 'acunetix.scanner' is set but not ever checked.
>> WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
>> WARNING: flowbits key 'file.mpeg' is checked but not ever set.
>> WARNING: flowbits key 'file.pecompact' is set but not ever checked.
>> WARNING: flowbits key 'smb.smi' is set but not ever checked.
>> WARNING: flowbits key 'ms.packager' is set but not ever checked.
>> 130 out of 1024 flowbits in use.
>>
>> [ Port Based Pattern Matching Memory ]
>> +- [ Aho-Corasick Summary ] -------------------------------------
>> | Storage Format    : Full-Q
>> | Finite Automaton  : DFA
>> | Alphabet Size     : 256 Chars
>> | Sizeof State      : Variable (1,2,4 bytes)
>> | Instances         : 144
>> |     1 byte states : 131
>> |     2 byte states : 13
>> |     4 byte states : 0
>> | Characters        : 60767
>> | States            : 47626
>> | Transitions       : 4423222
>> | State Density     : 36.3%
>> | Patterns          : 3667
>> | Match States      : 3540
>> | Memory (MB)       : 23.68
>> |   Patterns        : 0.28
>> |   Match Lists     : 0.43
>> |   DFA
>> |     1 byte states : 0.80
>> |     2 byte states : 22.03
>> |     4 byte states : 0.00
>> +----------------------------------------------------------------
>> [ Number of patterns truncated to 20 bytes: 391 ]
>> pcap DAQ configured to passive.
>> Acquiring network traffic from "eth1".
>> Reload thread starting...
>> Reload thread started, thread 0xa688bb40 (4951)
>> Decoding Ethernet
>> Set gid to 1001
>> Set uid to 1001
>> ERROR: spo_unified2.c(321) Could not open
>> /var/log/snort/snort.u2.1365276051: Permission denied
>> Fatal Error, Quitting..
>>
>>
>>
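Editor's note on the permission error discussed in this thread. The startup log shows the order of events: Snort opens eth1 while still root, then "Set gid to 1001" / "Set uid to 1001" because of -u snort -g snort, and only then does spo_unified2.c try to create /var/log/snort/snort.u2.<timestamp>, which fails because uid 1001 cannot write to that directory. The script below is an added example, not code from the thread or from the Snort project: it answers "could this uid/gid create files here?" without having to start Snort, and wraps the chown/chmod fix Jarrett suggested. It assumes GNU/Linux stat(1) with -c; the uid/gid values 1001 and 65534 are illustrative, and only the primary gid is compared (supplementary groups and ACLs are a simplification not modelled here).

```sh
#!/bin/sh
# Added example (not from the thread). Checks whether the identity Snort
# drops to with -u/-g could create files in the log directory, which is the
# operation that fails in spo_unified2.c after "Set uid to 1001".
# Assumption: GNU/Linux stat(1) with -c.

# can_user_write DIR UID GID
# Exit status 0 if UID/GID could create a file in DIR (needs the write and
# search bits on the directory itself), 1 otherwise.
# Simplification: only the primary GID is compared; supplementary groups
# and POSIX ACLs are not modelled.
can_user_write() {
  dir=$1; uid=$2; gid=$3
  [ -d "$dir" ] || return 1
  if [ "$uid" -eq 0 ]; then
    return 0                                # root bypasses DAC mode bits
  fi
  set -- $(stat -c '%u %g %a' "$dir")       # owner uid, owner gid, octal mode
  owner=$1; group=$2; mode=$3
  bits=${mode#"${mode%???}"}                # last three octal digits (drop setgid/sticky)
  if [ "$uid" -eq "$owner" ]; then
    perm=${bits%??}                         # owner digit
  elif [ "$gid" -eq "$group" ]; then
    t=${bits%?}; perm=${t#?}                # group digit
  else
    perm=${bits#??}                         # other digit
  fi
  [ $((perm & 3)) -eq 3 ]                   # need w (2) and x (1)
}

# fix_logdir DIR USER GROUP [MODE]
# The ownership/mode fix from the reply above; must run as root.
# 775 as suggested in the thread works; 750 (the default here) also works for
# the snort user and keeps the alert files out of reach of other local users.
fix_logdir() {
  chown "$2:$3" "$1" && chmod "${4:-750}" "$1"
}

# Demonstration on a constructed temporary directory (no Snort needed).
# A 700 directory owned by whoever runs this is exactly the situation in the
# thread from the point of view of uid 1001.
demo=$(mktemp -d)
chmod 700 "$demo"
if can_user_write "$demo" 1001 1001; then
  echo "uid 1001 could create files in $demo"
else
  echo "uid 1001 could NOT create files in $demo (the thread's 'Permission denied')"
fi
rm -r "$demo"
```

Run it as the sensor's admin before starting Snort: `can_user_write /var/log/snort "$(id -u snort)" "$(id -g snort)" || sudo fix_logdir /var/log/snort snort snort`. The check deliberately looks at the directory, not at an existing file, because unified2 creates a new timestamped file on every start.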
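Editor's note on the flowbits warnings asked about above. In the posted startup log they appear under "Verifying Preprocessor Configurations!", before "pcap DAQ configured to passive" and "Acquiring network traffic from eth1", so they are produced while the rule set is verified and do not depend on traffic. A key is "set but not ever checked" when some enabled rule does flowbits:set on it but no enabled rule does flowbits:isset/isnotset on it (typically because the partner rule is commented out or not shipped), and the reverse for "checked but not ever set". The script below is an added example, not code from the thread or from the Snort project: it performs the same static audit over a rules file. The sample rules are constructed for the demonstration (arbitrary sids, not real signatures) and reuse some key names from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): static audit of flowbits usage in a
# Snort 2 rules file, reproducing the "set but not ever checked" /
# "checked but not ever set" verification that runs at startup, before any
# packet is read.

# flowbits_keys RULES VERBS
# Prints, sorted and de-duplicated, every flowbit name used with one of the
# verbs in VERBS (an ERE alternation such as 'set|setx|toggle').
# Handles several flowbits options in one rule, the optional ",group"
# suffix, and a&b / a|b compound names. flowbits:noalert and
# flowbits:unset carry no key for this purpose and are ignored.
flowbits_keys() {
  awk -v verbs="$2" '
  {
    line = $0
    while (match(line, "flowbits:[ \t]*(" verbs ")[ \t]*,[ \t]*[^;, \t]+")) {
      tok = substr(line, RSTART, RLENGTH)
      sub(/^flowbits:[ \t]*[a-z]+[ \t]*,[ \t]*/, "", tok)   # strip "flowbits:verb,"
      n = split(tok, names, /[&|]/)                          # a&b or a|b -> both names
      for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
      line = substr(line, RSTART + RLENGTH)                 # continue after this match
    }
  }' "$1" | LC_ALL=C sort -u
}

# flowbits_audit RULES
# Prints one line per orphaned key, worded like Snort's own warnings.
flowbits_audit() {
  setf=$(mktemp); chkf=$(mktemp)
  flowbits_keys "$1" 'set|setx|toggle' > "$setf"
  flowbits_keys "$1" 'isset|isnotset'  > "$chkf"
  LC_ALL=C comm -23 "$setf" "$chkf" | while read -r k; do
    printf "flowbits key '%s' is set but not ever checked.\n" "$k"
  done
  LC_ALL=C comm -13 "$setf" "$chkf" | while read -r k; do
    printf "flowbits key '%s' is checked but not ever set.\n" "$k"
  done
  rm -f "$setf" "$chkf"
}

# Constructed sample rule set (not real VRT/ET signatures; sids arbitrary).
# file.docm is both set and checked, so it must not be reported.
make_sample_rules() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
alert tcp any any -> any 80 (msg:"rar header seen"; flowbits:set,file.rar; flowbits:noalert; sid:9000001;)
alert tcp any any -> any 80 (msg:"bzip payload"; flowbits:isset,file.bzip; content:"x"; sid:9000002;)
alert tcp any any -> any 80 (msg:"docm header"; flowbits:set,file.docm,office; flowbits:noalert; sid:9000003;)
alert tcp any any -> any 80 (msg:"docm macro"; flowbits:isset,file.docm; content:"vbaProject"; sid:9000004;)
alert tcp any any -> any 445 (msg:"smb pair"; flowbits:isset,smb.login&smb.trans2.fileinfo; flowbits:set,smb.smi; sid:9000005;)
EOF
  printf '%s\n' "$f"
}

rules=$(make_sample_rules)
flowbits_audit "$rules"
rm -f "$rules"
```

Point it at the concatenated rule files Snort actually loads (only the uncommented lines count, which is why the parser here ignores nothing but looks at what is present; run it through `grep -v '^#'` first if the files contain disabled rules). An orphaned key is not a detection error in itself: a set with no check only costs a flowbit slot out of the 1024, and a check with no set means that rule can never fire.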