[Snort-users] 0 byte unifed log output

Ashraf Ali ashrafali.ibs at ...11827...
Thu Apr 25 00:50:07 EDT 2013


Hi John,

I had a similar problem, but I was using registered rules.
I sorted out the problem by downloading the latest snapshot (rules) on my
machine and copying the relevant rules into a single file, say new.rules; in the
snort.conf file I included this file only (removed or #'d the existing
include statements for rules).

And restarted Snort and barnyard2, and I started getting the alerts.

Regards.
Ashraf
Security System Engineer.



On Wed, Apr 24, 2013 at 9:22 PM, John Ainsworth <
john.ainsworth at ...16258...> wrote:

> Hi
>
> I'm pulling my hair out on this problem.
>
> I have installed Snort on Ubuntu 12.04, 2 NICs: eth0 is used for management,
> eth1 is receiving traffic that is coming into our firewall via SPAN on the
> switch.
>
> If I run snort -v I can see traffic racing past, so I'm confident that the SPAN
> is working and eth1 is seeing the traffic.
>
> Output is specified as unified log in /var/log/snort but the unified file
> is always 0 bytes in size:
>
> -rw------- 1 snort snort    0 Apr 24 16:12 snort.u2.1366816353
> -rw------- 1 snort snort    0 Apr 24 16:34 snort.u2.1366817650
> -rw------- 1 snort snort    0 Apr 24 16:41 snort.u2.1366818087
> -rw-r--r-- 1 snort snort 2056 Apr 24 16:41 barnyard2.waldo
>
> I have even removed Snort and used the autosnort script developed by da667
> https://github.com/da667/Autosnort but get exactly the same issue.
>
> I have bought a subscription and have the latest rules.
>
> I start it via rc.local using
>
> /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
>
> If I start it manually via
>
> /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
>
> I get the below output but still the same issue. I can't believe none of
> the traffic is matching rules as it's a busy website that we are mirroring;
> I even tried going to testmyids.com from a machine to try and generate an
> alert.
>
> Anyone seen this or heard of it? Driving me mad!
>
> Thanks
>
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/snort/etc/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> Detection:
>    Search-Method = AC-Full-Q
>     Split Any/Any group = enabled
>     Search-Method-Optimizations = enabled
>     Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules...
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-client.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/multimedia.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/imap.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/icmp.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/nntp.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/misc.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-misc.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/dos.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-iis.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/web-activex.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/bad-traffic.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/p2p.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/smtp.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/snmp.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/chat.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/specific-threats.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/exploit.so... done
>   Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/netbios.so... done
>   Finished Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
> WARNING: ip6 normalizations disabled because not inline.
> WARNING: icmp6 normalizations disabled because not inline.
> Frag3 global config:
>     Max frags: 65536
>     Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>     Bound Address: default
>     Target-based policy: WINDOWS
>     Fragment timeout: 180 seconds
>     Fragment min_ttl:   1
>     Fragment Anomalies: Alert
>     Overlap Limit:     10
>     Min fragment Length:     100
> Stream5 global config:
>     Track TCP sessions: ACTIVE
>     Max TCP sessions: 262144
>     Memcap (for reassembly packet storage): 8388608
>     Track UDP sessions: ACTIVE
>     Max UDP sessions: 131072
>     Track ICMP sessions: INACTIVE
>     Track IP sessions: INACTIVE
>     Log info if session memory consumption exceeds 1048576
>     Send up to 2 active responses
>     Wait at least 5 seconds between responses
>     Protocol Aware Flushing: ACTIVE
>         Maximum Flush Point: 16000
> Stream5 TCP Policy config:
>     Bound Address: default
>     Reassembly Policy: WINDOWS
>     Timeout: 180 seconds
>     Limit on TCP Overlaps: 10
>     Maximum number of bytes to queue per session: 1048576
>     Maximum number of segs to queue per session: 2621
>     Options:
>         Require 3-Way Handshake: YES
>         3-Way Handshake Timeout: 180
>         Detect Anomalies: YES
>     Reassembly Ports:
>       21 client (Footprint)
>       22 client (Footprint)
>       23 client (Footprint)
>       25 client (Footprint)
>       42 client (Footprint)
>       53 client (Footprint)
>       70 client (Footprint)
>       79 client (Footprint)
>       80 client (Footprint) server (Footprint)
>       81 client (Footprint) server (Footprint)
>       109 client (Footprint)
>       110 client (Footprint) server (Footprint)
>       111 client (Footprint)
>       113 client (Footprint)
>       119 client (Footprint)
>       135 client (Footprint)
>       136 client (Footprint)
>       137 client (Footprint)
>       139 client (Footprint)
>       143 client (Footprint)
>       additional ports configured but not printed.
> Stream5 UDP Policy config:
>     Timeout: 180 seconds
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /usr/local/snort/etc/unicode.map
>       IIS Unicode Map Codepage: 1252
>       Memcap used for logging URI and Hostname: 150994944
>       Max Gzip Memory: 838860
>       Max Gzip Sessions: 5518
>       Gzip Compress Depth: 65535
>       Gzip Decompress Depth: 65535
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports (PAF): 80 81 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
>       Server Flow Depth: 0
>       Client Flow Depth: 0
>       Max Chunk Length: 500000
>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>       Max Header Field Length: 750
>       Max Number Header Fields: 100
>       Max Number of WhiteSpaces allowed with header folding: 200
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Normalize HTTP Headers: NO
>       Inspect HTTP Cookies: YES
>       Inspect HTTP Responses: YES
>       Extract Gzip from responses: YES
>       Unlimited decompression of gzip data from responses: YES
>       Normalize Javascripts in HTTP Responses: YES
>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
>       Normalize HTTP Cookies: NO
>       Enable XFF and True Client IP: NO
>       Log HTTP URI data: NO
>       Log HTTP Hostname data: NO
>       Extended ASCII code support in URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: NO
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: NO
>       UTF 8: YES alert: NO
>       IIS Unicode: YES alert: NO
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: NO
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>     alert_fragments: INACTIVE
>     alert_large_fragments: INACTIVE
>     alert_incomplete: INACTIVE
>     alert_multiple_requests: INACTIVE
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: NO
>       Continue to check encrypted data: YES
>     TELNET CONFIG:
>       Ports: 23
>       Are You There Threshold: 20
>       Normalize: YES
>       Detect Anomalies: YES
>     FTP CONFIG:
>       FTP Server: default
>         Ports (PAF): 21 2100 3535
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Identify open data channels: NO
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Max Response Length: 256
> SMTP Config:
>     Ports: 25 465 587 691
>     Inspection Type: Stateful
>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
>     Ignore Data: No
>     Ignore TLS Data: No
>     Ignore SMTP Alerts: No
>     Max Command Line Length: 512
>     Max Specific Command Line Length:
>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>        XUSR:246
>     Max Header Line Length: 1000
>     Max Response Line Length: 512
>     X-Link2State Alert: Yes
>     Drop on X-Link2State Alert: No
>     Alert on commands: None
>     Alert on unknown commands: No
>     SMTP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>     Log Attachment filename: Enabled
>     Log MAIL FROM Address: Enabled
>     Log RCPT TO Addresses: Enabled
>     Log Email Headers: Enabled
>     Email Hdrs Log Depth: 1464
> SSH config:
>     Autodetection: ENABLED
>     Challenge-Response Overflow Alert: ENABLED
>     SSH1 CRC32 Alert: ENABLED
>     Server Version String Overflow Alert: ENABLED
>     Protocol Mismatch Alert: ENABLED
>     Bad Message Direction Alert: DISABLED
>     Bad Payload Size Alert: DISABLED
>     Unrecognized Version Alert: DISABLED
>     Max Encrypted Packets: 20
>     Max Server Version String Length: 100
>     MaxClientBytes: 19600 (Default)
>     Ports:
>         22
> DCE/RPC 2 Preprocessor Configuration
>   Global Configuration
>     DCE/RPC Defragmentation: Enabled
>     Memcap: 102400 KB
>     Events: co
>     SMB Fingerprint policy: Disabled
>   Server Default Configuration
>     Policy: WinXP
>     Detect ports (PAF)
>       SMB: 139 445
>       TCP: 135
>       UDP: 135
>       RPC over HTTP server: 593
>       RPC over HTTP proxy: None
>     Autodetect ports (PAF)
>       SMB: None
>       TCP: 1025-65535
>       UDP: 1025-65535
>       RPC over HTTP server: 1025-65535
>       RPC over HTTP proxy: None
>     Invalid SMB shares: C$ D$ ADMIN$
>     Maximum SMB command chaining: 3 commands
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> SSLPP config:
>     Encrypted packets: not inspected
>     Ports:
>       443      465      563      636      989
>       992      993      994      995     7801
>      7802     7900     7901     7902     7903
>      7904     7905     7906     7907     7908
>      7909     7910     7911     7912     7913
>      7914     7915     7916     7917     7918
>      7919     7920
>     Server side data is trusted
> Sensitive Data preprocessor config:
>     Global Alert Threshold: 25
>     Masked Output: DISABLED
> SIP config:
>     Max number of sessions: 40000
>     Max number of dialogs in a session: 4 (Default)
>     Status: ENABLED
>     Ignore media channel: DISABLED
>     Max URI length: 512
>     Max Call ID length: 80
>     Max Request name length: 20 (Default)
>     Max From length: 256 (Default)
>     Max To length: 256 (Default)
>     Max Via length: 1024 (Default)
>     Max Contact length: 512
>     Max Content length: 2048
>     Ports:
>         5060    5061    5600
>     Methods:
>          invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
> IMAP Config:
>     Ports: 143
>     IMAP Memcap: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
>     Ports: 110
>     POP Memcap: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
>     Ports:
>         502
> DNP3 config:
>     Memcap: 262144
>     Check Link-Layer CRCs: ENABLED
>     Ports:
>         20000
> Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 3599 Snort rules read
>     3599 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 3599 Option Chains linked into 195 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src    1518       5       0       0
> |     dst    1733     197       0       0
> |     any     124      44      28      26
> |      nc      50      12       1       0
> |     s+d       0       1       0       0
> +----------------------------------------------------------------------------
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[detection-filter-rules]-------------------------------
> -------------------------------------------------------------------------------
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[rate-filter-rules]------------------------------------
> | none
> -------------------------------------------------------------------------------
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[event-filter-global]----------------------------------
> +-----------------------[event-filter-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
> ICMP tracking disabled, no ICMP sessions allocated
> IP tracking disabled, no IP sessions allocated
> WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
> WARNING: flowbits key 'acunetix.scanner' is set but not ever checked.
> WARNING: flowbits key 'file.dcr' is set but not ever checked.
> WARNING: flowbits key 'netsenum' is set but not ever checked.
> WARNING: flowbits key 'file.p2g' is set but not ever checked.
> WARNING: flowbits key 'rtmp.flashver' is set but not ever checked.
> WARNING: flowbits key 'file.wma' is set but not ever checked.
> 119 out of 1024 flowbits in use.
>
> [ Port Based Pattern Matching Memory ]
> +- [ Aho-Corasick Summary ] -------------------------------------
> | Storage Format    : Full-Q
> | Finite Automaton  : DFA
> | Alphabet Size     : 256 Chars
> | Sizeof State      : Variable (1,2,4 bytes)
> | Instances         : 151
> |     1 byte states : 138
> |     2 byte states : 13
> |     4 byte states : 0
> | Characters        : 62052
> | States            : 48625
> | Transitions       : 4686661
> | State Density     : 37.6%
> | Patterns          : 3715
> | Match States      : 3592
> | Memory (MB)       : 24.90
> |   Patterns        : 0.40
> |   Match Lists     : 0.80
> |   DFA
> |     1 byte states : 0.89
> |     2 byte states : 22.55
> |     4 byte states : 0.00
> +----------------------------------------------------------------
> [ Number of patterns truncated to 20 bytes: 390 ]
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth1".
> Reload thread starting...
> Reload thread started, thread 0x7f8dcb244700 (1446)
> Decoding Ethernet
> Set gid to 117
> Set uid to 107
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.5 GRE (Build 71)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.12 2011-01-15
>            Using ZLIB version: 1.2.3.4
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build 18>
>            Rules Object: netbios  Version 1.0  <Build 1>
>            Rules Object: exploit  Version 1.0  <Build 1>
>            Rules Object: specific-threats  Version 1.0  <Build 1>
>            Rules Object: chat  Version 1.0  <Build 1>
>            Rules Object: snmp  Version 1.0  <Build 1>
>            Rules Object: smtp  Version 1.0  <Build 1>
>            Rules Object: p2p  Version 1.0  <Build 1>
>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>            Rules Object: web-activex  Version 1.0  <Build 1>
>            Rules Object: web-iis  Version 1.0  <Build 1>
>            Rules Object: dos  Version 1.0  <Build 1>
>            Rules Object: web-misc  Version 1.0  <Build 1>
>            Rules Object: misc  Version 1.0  <Build 1>
>            Rules Object: nntp  Version 1.0  <Build 1>
>            Rules Object: icmp  Version 1.0  <Build 1>
>            Rules Object: imap  Version 1.0  <Build 1>
>            Rules Object: multimedia  Version 1.0  <Build 1>
>            Rules Object: web-client  Version 1.0  <Build 1>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
> Commencing packet processing (pid=1446)
>
> --
> John Ainsworth - IT Manager
> 01942 868097 (extension 1105)  07733 323091
>
> This Email and any attachments to it may be confidential and are intended solely
> for the use of the individual to whom it is addressed. Any views or
> opinions expressed are solely those of the author and do not necessarily
> represent those of The Book People Limited. If you are not the intended
> recipient of this email, you must neither take any action based upon its
> contents, nor copy or show it to anyone. Please contact the sender if you
> believe you have received this email in error.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
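The workaround Ashraf describes, as an added example (not a script from the Snort project or from either poster): merge the active rules from a directory into one file, comment out every `include $RULE_PATH/*.rules` line in snort.conf, and add a single include for the merged file. The rule text, the snort.conf fragment and the rules directory layout below are constructed for the example; the only path taken from the thread is /usr/local/snort/etc/snort.conf. The merge keeps the first rule seen for each gid:sid, so two rule files that carry the same sid do not both end up in new.rules.

```python
"""Consolidate a Snort rules directory into one file and point snort.conf at it.

Added example for this thread, not Snort project code.  Sample rules, the
snort.conf fragment and the directory layout assumed in main() are constructed.
"""
import re

# Rule types in the order Snort prints in "Rule application order".
RULE_TYPES = ("activation", "dynamic", "pass", "drop", "sdrop", "reject", "alert", "log")
ACTIVE_RULE = re.compile(r"^\s*(?:%s)\s" % "|".join(RULE_TYPES))
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_OPT = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
RULES_INCLUDE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+\.rules)\s*$")


def consolidate_rules(rule_files):
    """Merge {filename: text} into one rule body; returns (merged_text, stats).

    Only uncommented rule lines are kept (a leading '#' disables a rule) and the
    first rule seen for a gid:sid wins, so the merged file carries no duplicate IDs.
    Files are merged in the order given.
    """
    seen = set()
    kept = []
    dropped = 0
    for name, text in rule_files.items():
        for line in text.splitlines():
            if not ACTIVE_RULE.match(line):
                continue                    # comment, blank line or disabled rule
            sid = SID_OPT.search(line)
            if sid is None:
                dropped += 1                # a rule without a sid is malformed; skip it
                continue
            gid = GID_OPT.search(line)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            if key in seen:
                dropped += 1                # same gid:sid already taken from an earlier file
                continue
            seen.add(key)
            kept.append(line.rstrip())
    return "\n".join(kept) + "\n", {"kept": len(kept), "dropped": dropped}


def rewrite_conf(conf_text, new_file="new.rules"):
    """Comment out each `include $RULE_PATH/<x>.rules` and include only new_file.

    Returns (new_conf_text, names_of_disabled_includes).  Non-rule includes such
    as classification.config are left untouched.
    """
    out, disabled, have_new = [], [], False
    for line in conf_text.splitlines():
        m = RULES_INCLUDE.match(line)
        if m and m.group(1) == new_file:
            have_new = True
            out.append(line)
        elif m:
            disabled.append(m.group(1))
            out.append("# " + line.strip())
        else:
            out.append(line)
    if not have_new:
        out.append("include $RULE_PATH/" + new_file)
    return "\n".join(out) + "\n", disabled


# --- constructed sample input (not files from a real ruleset) ---
SAMPLE_RULES = {
    "local.rules": 'alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)\n',
    "attack-responses.rules": (
        "# comment line\n"
        'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
        '(msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; sid:498; rev:1;)\n'
        '#alert tcp any any -> any any (msg:"disabled rule"; sid:499; rev:1;)\n'
    ),
    "dup.rules": 'alert icmp any any -> any any (msg:"same sid as local.rules"; sid:1000001; rev:1;)\n',
}
SAMPLE_CONF = (
    "var RULE_PATH ../rules\n"
    "output unified2: filename snort.u2, limit 128\n"
    "include $RULE_PATH/local.rules\n"
    "include $RULE_PATH/attack-responses.rules\n"
    "include classification.config\n"
)

if __name__ == "__main__":
    import sys
    from pathlib import Path
    if len(sys.argv) == 3:
        # usage: consolidate.py /usr/local/snort/etc/snort.conf <rules dir>  (rules dir is assumed)
        conf_path, rules_dir = Path(sys.argv[1]), Path(sys.argv[2])
        files = {p.name: p.read_text() for p in sorted(rules_dir.glob("*.rules"))
                 if p.name != "new.rules"}
        merged, stats = consolidate_rules(files)
        (rules_dir / "new.rules").write_text(merged)
        new_conf, disabled = rewrite_conf(conf_path.read_text())
        # written beside the original so the new config can be validated before it replaces the old one
        conf_path.with_name(conf_path.name + ".new").write_text(new_conf)
        print(stats, "disabled includes:", disabled)
    else:
        print(consolidate_rules(SAMPLE_RULES)[1])
        print(rewrite_conf(SAMPLE_CONF)[0])
```

Run it with no arguments to see the sample merge; with a conf path and rules directory it writes new.rules and a snort.conf.new next to the original. Validate the new file with `snort -T -c snort.conf.new` (Snort's test-and-report-on-config mode) before moving it into place and restarting Snort and barnyard2.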

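A 0-byte snort.u2.* file contains no records at all, so the question in John's post is whether the detection engine ever raised an event, independent of barnyard2. The reader below is an added example (not code from Snort or barnyard2) that shows what a non-empty unified2 file looks like: each record is a 4-byte type and a 4-byte length in network byte order followed by the payload, and the legacy IPv4 IDS event record (type 7) is the 52-byte layout decoded here. Other record types (packets, the IPv6/VLAN event variants, extra data) are only counted. A partial record at the end of the file is treated as a still-being-written tail rather than an error, which is the situation barnyard2's waldo bookmark exists for. All sample bytes are constructed with struct.pack; the sid-msg.map entries are samples, with 1:498 modelled on the "id check returned root" rule that testmyids.com is meant to trip.

```python
"""Walk a unified2 file and report what it actually contains.

Added example for this thread, not Snort or barnyard2 code.  Decodes the record
framing (type, length, payload) and the legacy IPv4 IDS event (type 7).
Sample bytes below are constructed; nothing comes from a real sensor.
"""
import socket
import struct
import sys

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                  # IPv4 event, legacy 52-byte layout

RECORD_HDR = struct.Struct("!II")       # record type, payload length
# sensor_id event_id event_second event_usec sid gid rev class priority src dst
# sport/itype dport/icode proto impact_flag impact blocked
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")


def iter_records(data):
    """Yield (type, payload) for each complete record; stop at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            break                       # partial record: Snort may still be writing it
        yield rtype, data[off:off + rlen]
        off += rlen


def decode_event(payload):
    """Decode a type-7 event into a dict with dotted-quad addresses."""
    f = IDS_EVENT.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "time": f[2], "usec": f[3],
        "sid": f[4], "gid": f[5], "rev": f[6], "class": f[7], "priority": f[8],
        "src": socket.inet_ntoa(struct.pack("!I", f[9])),
        "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def summarize(data, sid_msg):
    """Count records per type and decode IDS events, naming each via sid_msg.

    sid_msg maps (gid, sid) -> message text, as you would parse from sid-msg.map.
    """
    counts, events = {}, []
    for rtype, payload in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == UNIFIED2_IDS_EVENT and len(payload) >= IDS_EVENT.size:
            ev = decode_event(payload)
            ev["msg"] = sid_msg.get((ev["gid"], ev["sid"]), "<no sid-msg.map entry>")
            events.append(ev)
    return {"bytes": len(data), "records": counts, "events": events}


# --- constructed sample data ---
def make_event(sid, gid, src, dst, sport, dport, proto, ts=1366816353):
    """Frame one type-7 record the way the unified2 output plugin does."""
    body = IDS_EVENT.pack(
        1, 1, ts, 0, sid, gid, 1, 1, 2,
        struct.unpack("!I", socket.inet_aton(src))[0],
        struct.unpack("!I", socket.inet_aton(dst))[0],
        sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

SID_MSG = {(1, 498): "ATTACK-RESPONSES id check returned root"}   # sample map entry
SAMPLE_EMPTY = b""                                   # what a 0-byte snort.u2.* holds
SAMPLE_ONE = make_event(498, 1, "203.0.113.10", "192.0.2.5", 80, 51234, 6)
SAMPLE_TWO = SAMPLE_ONE + make_event(1000001, 1, "192.0.2.5", "198.51.100.7", 8, 0, 1)
SAMPLE_TRUNC = SAMPLE_ONE + SAMPLE_ONE[:20]          # second record cut off mid-write

if __name__ == "__main__":
    # usage: u2check.py /var/log/snort/snort.u2.1366816353   (no argument: sample data)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TWO
    report = summarize(data, SID_MSG)
    print("%d bytes, records by type: %s" % (report["bytes"], report["records"]))
    for ev in report["events"]:
        print("[%d:%d:%d] %s %s:%d -> %s:%d proto %d" % (
            ev["gid"], ev["sid"], ev["rev"], ev["msg"],
            ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"]))
```

If the file stays at 0 bytes even with a local always-hit rule in place, the output plugin is never being handed an event and the problem is upstream of barnyard2; if records do appear, Snort's own u2spewfoo tool dumps the same file in full. Run the script with no argument to see the constructed sample decoded.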
