[Snort-users] Continuous packet streaming on boot of CentOS 6.3 64 bit

Mayur Patil ram.nath241089 at ...11827...
Tue Jun 11 08:11:20 EDT 2013


Hello,

   This is a block of code present in my /etc/init.d/snort file

    if [ "$CONF"X = "X" ]; then
        CONF="-c /etc/snort/snort.conf"
    else
        CONF="-c $CONF"
    fi

    means Snort knows where the snort.conf file is !!

    http://pastebin.com/jTpKk2dR

    And I am also unable to change the boot mode in CentOS from 0 to another number.

    If I try to do so, it reverts back to 0.

    Is it a network-related or some other error ??

    I am totally blocked now !!

    Seeking guidance,

    Thanks !!
-- 
Cheers,
Mayur.


On Tue, Jun 11, 2013 at 4:16 PM, Mayur Patil <ram.nath241089 at ...11827...> wrote:

> Thanks sir for the reply.
>
>
>> Until you get Snort configured to do what you want
>>
>
>  I want to use Snort in IDS mode with network intrusion detection capability.
>
>
>> I suggest disabling the script from start up.  That depends on how you
>> enabled the script.
>>
>
>  This is my last saved script at location /etc/init.d/snort which is
> responsible for boot. Please have a look
>
>  http://pastebin.com/jTpKk2dR
>
>
>> Yes, and the solution is to disable the script or fix it as I explained
>> earlier by adding a snort.conf to Snort's command line.  Adding a conf will
>> allow Snort to inspect the traffic and output any alerts instead of dumping
>> all the packets.
>>
>
>  I am confused at this point HOW TO LOG IN TO CENTOS as neither the GUI
> nor the CLI is responding.
>
>  Seeking guidance,
>
>
>  Thanks !!
>
>
> On Tue, Jun 11, 2013 at 2:39 PM, Russ Combs <rcombs at ...1935...> wrote:
>
>>
>>
>> On Tue, Jun 11, 2013 at 4:57 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>>
>>> The problem is that when I connect the cable I am able to ping the machine but
>>> still unable to ssh.
>>>
>>> When I try to ssh from another machine, it says connection refused.
>>>
>>> Now I connect the cable and reboot the system. When the system starts, it
>>> automatically starts checking packets, i.e. packet dump mode.
>>>
>>> I think the Snort script is preventing CentOS from booting into the GUI as well as the CLI.
>>>
>>
>> Most likely your system is just slow to respond to your input because it
>> is bogged down dumping packets.
>>
>>>
>>> I am pretty sure that this is Snort script problem.
>>>
>>
>> Yes, and the solution is to disable the script or fix it as I explained
>> earlier by adding a snort.conf to Snort's command line.  Adding a conf will
>> allow Snort to inspect the traffic and output any alerts instead of dumping
>> all the packets.
>>
>>>
>>> Now what to do ??
>>>
>>
>> Until you get Snort configured to do what you want, I suggest disabling
>> the script from start up.  That depends on how you enabled the script.
>>
>>>
>>> Please correct me if I am wrong !!
>>>
>>> Seeking your guidance,
>>>
>>> Thanks !!
>>>
>>> On Tue, Jun 11, 2013 at 2:09 PM, Russ Combs <rcombs at ...1935...> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Jun 11, 2013 at 4:26 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>>>>
>>>>> The snort message is as follows:
>>>>>
>>>>> Initializing output plugins !!
>>>>>
>>>>> pcap DAQ is configured to passive.
>>>>>
>>>>> Acquiring network traffic from "eth0"
>>>>>
>>>>> Decoding ethernet
>>>>>
>>>>>     --==Initialization Complete==--
>>>>>
>>>>> SNort
>>>>> .
>>>>> .
>>>>> .
>>>>> . //messages of version number
>>>>> .
>>>>> .
>>>>> .
>>>>>
>>>>> Commencing packet processing (pid=1668)
>>>>>
>>>>> and stopped there !!
>>>>>
>>>>> I have unplugged the network cable and got the above output.
>>>>>
>>>>> If "shell in" means getting the grub console, then yes !!
>>>>>
>>>>
>>>> I meant ssh but if unplugging the cable works, that's great.
>>>>
>>>>>
>>>>> I can get grub console.
>>>>>
>>>>> Looking forward to guidance,
>>>>>
>>>>
>>>> I'm guessing that you are still in packet dump mode and that you really
>>>> want IDS mode.  Do you know what the command line arguments to Snort are?
>>>>  If it is running now you can do something like "ps alx | grep snort" to
>>>> see.  You need to add -c snort.conf to run in IDS mode.
>>>>
>>>>>
>>>>> On Tue, Jun 11, 2013 at 1:45 PM, Russ Combs <rcombs at ...1935...> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 11, 2013 at 4:12 AM, Mayur Patil <
>>>>>> ram.nath241089 at ...11827...> wrote:
>>>>>>
>>>>>>> Thanks Russ sir for the reply.
>>>>>>>
>>>>>>> My problem is I am unable to log into command line mode, i.e.
>>>>>>> Ctrl+Alt+F2, and also the GUI mode of CentOS. And after that I have to
>>>>>>> add this path.
>>>>>>>
>>>>>>> Would you please guide me on how to do that? It will be a great help !!
>>>>>>>
>>>>>> Can you shell in?  If that doesn't work, try unplugging your network
>>>>>> cable(s).
>>>>>>
>>>>>>
>>>>>>> Thank you !!
>>>>>>>
>>>>>>> On Tue, Jun 11, 2013 at 1:33 PM, Russ Combs <rcombs at ...1935...> wrote:
>>>>>>>
>>>>>>>> On Tue, Jun 11, 2013 at 3:41 AM, Mayur Patil <
>>>>>>>> ram.nath241089 at ...11827...> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>>  I am seeing something like this
>>>>>>>>>
>>>>>>>>>  06/11 11:0246  10.1.46.123:136 -> 10.1.46.255:137
>>>>>>>>>  UDP:TTL :128 TOS:8 ID:20 IpLen:20 DgmLen:78 Len:50
>>>>>>>>>
>>>>>>>>> in continuous streaming of packets.
>>>>>>>>>
>>>>>>>>> Now I am sure that this is the Snort startup script
>>>>>>>>> problem.....!!
>>>>>>>>>
>>>>>>>>>  At the start I have seen the message "starting snort in packet
>>>>>>>>> dump mode"
>>>>>>>>>
>>>>>>>>>  Please help me disable this mode or prevent the snort script from
>>>>>>>>> loading at boot time??
>>>>>>>>>
>>>>>>>>
>>>>>>>> Running in packet dump mode is because you don't have a "-c
>>>>>>>> path/snort.conf" option on your command line.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jun 11, 2013 at 11:00 AM, Mayur Patil <
>>>>>>>>> ram.nath241089 at ...11827...> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>>    I am stuck on one issue. I am unable to see either the GUI or
>>>>>>>>>> the CLI for CentOS 6.3.
>>>>>>>>>>
>>>>>>>>>>    Description as follows:
>>>>>>>>>>
>>>>>>>>>>    I was just checking my snort script on the CentOS machine
>>>>>>>>>> yesterday. So I left the machine as it was.
>>>>>>>>>>
>>>>>>>>>>    When I came today, the screen location had changed on the desktop so I
>>>>>>>>>> adjusted it and rebooted.
>>>>>>>>>>
>>>>>>>>>>    When I reboot it takes a long time to boot, so I press a key
>>>>>>>>>> on the keyboard and it shows
>>>>>>>>>>
>>>>>>>>>>    fast continuous streaming, no idea of what, seems to be
>>>>>>>>>> many packets
>>>>>>>>>>
>>>>>>>>>>    Something like
>>>>>>>>>>
>>>>>>>>>>    UDP---TLS-----255.255.255.0 ------------------->
>>>>>>>>>>
>>>>>>>>>>     like this. When I try Ctrl+Alt+F2, nothing happens.
>>>>>>>>>>
>>>>>>>>>>     I am also unable to log in through PuTTY but I am able to ping
>>>>>>>>>> the machine.
>>>>>>>>>>
>>>>>>>>>>     How to stop this packet streaming??
>>>>>>>>>>
>>>>>>>>>>     Need help please!!
>>>>>>>>>>
>>>>>>>>>
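
An added example, not from this thread, the poster's pastebin script or the Snort project: it mirrors the CONF-defaulting test quoted from /etc/init.d/snort and the check Russ describes (look at the running Snort's arguments and, if there is no -c, it is in packet dump mode rather than IDS mode). The default path /etc/snort/snort.conf is taken from the quoted fragment; the "ps alx | grep snort"-style sample lines, the second config path and the script name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the thread's or Snort's own code: mirror the init
# script's CONF defaulting and classify a Snort command line as IDS mode
# (has -c) or packet dump mode (no -c).

# Default configuration path, as in the quoted init script fragment.
DEFAULT_CONF="/etc/snort/snort.conf"

# Same test the quoted script uses: an empty CONF falls back to the
# default path, otherwise the supplied path is prefixed with -c.
conf_arg() {
    CONF="$1"
    if [ "$CONF"X = "X" ]; then
        echo "-c $DEFAULT_CONF"
    else
        echo "-c $CONF"
    fi
}

# Given a Snort argument list, print "ids" when -c is present and
# "packet-dump" otherwise. Without -c Snort runs in packet dump mode and
# prints every packet it sees, which is what flooded the console above.
snort_mode() {
    case " $1 " in
        *" -c "*) echo "ids" ;;
        *)        echo "packet-dump" ;;
    esac
}

# Constructed sample lines in the shape "ps alx | grep snort" prints
# (not captured from a real host). The first process lacks -c.
SAMPLE_PS='4  0  1668  1  20  0  123456  7890 -  Ss  ?  0:05 /usr/sbin/snort -D -i eth0 -l /var/log/snort
4  0  1700  1  20  0  123456  7890 -  Ss  ?  0:05 /usr/sbin/snort -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort'

# Count the snort processes in a ps listing that would run in packet
# dump mode; a non-zero count means the init script is not passing -c.
count_packet_dump() {
    n=0
    while IFS= read -r line; do
        args=${line#*/snort }   # keep only the arguments after the binary
        if [ "$(snort_mode "$args")" = "packet-dump" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Run directly (e.g. "sh snort_mode_check.sh", a constructed file name)
# to see the three checks.
main() {
    echo "empty CONF    -> $(conf_arg "")"
    echo "explicit CONF -> $(conf_arg /opt/snort/snort.conf)"
    echo "packet-dump processes in sample: $(count_packet_dump "$SAMPLE_PS")"
}
main
```

The init script's `"$CONF"X = "X"` idiom is just an empty-string test that survives an unset variable; the more useful diagnostic is the second function, because what matters on the box is the argument list the daemon actually received, not what the script intended to pass.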