[Snort-users] problems in snort installing.

Joel Esler jesler at ...1935...
Tue Mar 19 16:45:48 EDT 2013


The next question is: what are you doing with your alerts, and how are you reviewing them?

--
Joel Esler
Sent from my iPhone 

On Mar 19, 2013, at 1:35 PM, Mohammad MontazerI <mohamad_montazery at ...8167....> wrote:

> If you say snort is working correctly, then it is!
> Thank you so much guys.
> 
> From: JJC <cummingsj at ...11827...>
> To: Mohammad MontazerI <mohamad_montazery at ...131...> 
> Cc: "snort-users at lists.sourceforge.net" <snort-users at ...3893...t> 
> Sent: Tuesday, March 19, 2013 9:53 PM
> Subject: Re: [Snort-users] problems in snort installing.
> 
> Back to what Joel said, there is no command "status" that you can
> issue to snort.  Perhaps someone created a startup script at some
> point and that's what you are referencing in the guide that you are
> following.
> 
> This said, snort is clearly starting up correctly when you issue it
> the correct commands.
> 
> 
> 
> On Tue, Mar 19, 2013 at 11:15 AM, Mohammad MontazerI
> <mohamad_montazery at ...131...> wrote:
> >
> > If you run "snort -c /path/to/snort.conf -i eth0"  what happens?
> >
> > Worked just fine (I guess). Everything seems OK except ./snort status!
> > Here is the command line output:
> > linux-s211:~ # snort -c /etc/snort/snort.conf -i eth0
> > Running in IDS mode
> >
> >
> >        --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file "/etc/snort/snort.conf"
> > PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301
> > 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028
> > 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443
> > 9999 11371 55555 ]
> > PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> > PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> > PortVar 'SSH_PORTS' defined :  [ 22 ]
> > PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> > PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> > PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 591 593 901 1220
> > 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000
> > 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080
> > 9090:9091 9443 9999 11371 55555 ]
> > PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> > Detection:
> >    Search-Method = AC-Full-Q
> >    Split Any/Any group = enabled
> >    Search-Method-Optimizations = enabled
> >    Maximum pattern length = 20
> > Tagged Packet Limit: 256
> > Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> > done
> > Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
> > WARNING: No dynamic libraries found in directory
> > /usr/local/lib/snort_dynamicrules.
> >  Finished Loading all dynamic detection libs from
> > /usr/local/lib/snort_dynamicrules
> > Loading all dynamic preprocessor libs from
> > /usr/local/lib/snort_dynamicpreprocessor/...
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> > done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
> >  Loading dynamic preprocessor library
> > /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> >  Finished Loading all dynamic preprocessor libs from
> > /usr/local/lib/snort_dynamicpreprocessor/
> > Log directory = /var/log/snort
> > WARNING: ip4 normalizations disabled because not inline.
> > WARNING: tcp normalizations disabled because not inline.
> > WARNING: icmp4 normalizations disabled because not inline.
> > WARNING: ip6 normalizations disabled because not inline.
> > WARNING: icmp6 normalizations disabled because not inline.
> > Frag3 global config:
> >    Max frags: 65536
> >    Fragment memory cap: 4194304 bytes
> > Frag3 engine config:
> >    Bound Address: default
> >    Target-based policy: WINDOWS
> >    Fragment timeout: 180 seconds
> >    Fragment min_ttl:  1
> >    Fragment Anomalies: Alert
> >    Overlap Limit:    10
> >    Min fragment Length:    100
> > Stream5 global config:
> >    Track TCP sessions: ACTIVE
> >    Max TCP sessions: 262144
> >    Memcap (for reassembly packet storage): 8388608
> >    Track UDP sessions: ACTIVE
> >    Max UDP sessions: 131072
> >    Track ICMP sessions: INACTIVE
> >    Track IP sessions: INACTIVE
> >    Log info if session memory consumption exceeds 1048576
> >    Send up to 2 active responses
> >    Wait at least 5 seconds between responses
> >    Protocol Aware Flushing: ACTIVE
> >        Maximum Flush Point: 16000
> > Stream5 TCP Policy config:
> >    Bound Address: default
> >    Reassembly Policy: WINDOWS
> >    Timeout: 180 seconds
> >    Limit on TCP Overlaps: 10
> >    Maximum number of bytes to queue per session: 1048576
> >    Maximum number of segs to queue per session: 2621
> >    Options:
> >        Require 3-Way Handshake: YES
> >        3-Way Handshake Timeout: 180
> >        Detect Anomalies: YES
> >    Reassembly Ports:
> >      21 client (Footprint)
> >      22 client (Footprint)
> >      23 client (Footprint)
> >      25 client (Footprint)
> >      42 client (Footprint)
> >      53 client (Footprint)
> >      79 client (Footprint)
> >      80 client (Footprint) server (Footprint)
> >      81 client (Footprint) server (Footprint)
> >      109 client (Footprint)
> >      110 client (Footprint)
> >      111 client (Footprint)
> >      113 client (Footprint)
> >      119 client (Footprint)
> >      135 client (Footprint)
> >      136 client (Footprint)
> >      137 client (Footprint)
> >      139 client (Footprint)
> >      143 client (Footprint)
> >      161 client (Footprint)
> >      additional ports configured but not printed.
> > Stream5 UDP Policy config:
> >    Timeout: 180 seconds
> > HttpInspect Config:
> >    GLOBAL CONFIG
> >      Max Pipeline Requests:    0
> >      Inspection Type:          STATELESS
> >      Detect Proxy Usage:      NO
> >      IIS Unicode Map Filename: /etc/snort/unicode.map
> >      IIS Unicode Map Codepage: 1252
> >      Memcap used for logging URI and Hostname: 150994944
> >      Max Gzip Memory: 838860
> >      Max Gzip Sessions: 9532
> >      Gzip Compress Depth: 65535
> >      Gzip Decompress Depth: 65535
> >    DEFAULT SERVER CONFIG:
> >      Server profile: All
> >      Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
> > 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118
> > 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
> >      Server Flow Depth: 0
> >      Client Flow Depth: 0
> >      Max Chunk Length: 500000
> >      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
> >      Max Header Field Length: 750
> >      Max Number Header Fields: 100
> >      Max Number of WhiteSpaces allowed with header folding: 0
> >      Inspect Pipeline Requests: YES
> >      URI Discovery Strict Mode: NO
> >      Allow Proxy Usage: NO
> >      Disable Alerting: NO
> >      Oversize Dir Length: 500
> >      Only inspect URI: NO
> >      Normalize HTTP Headers: NO
> >      Inspect HTTP Cookies: YES
> >      Inspect HTTP Responses: YES
> >      Extract Gzip from responses: YES
> >      Unlimited decompression of gzip data from responses: YES
> >      Normalize Javascripts in HTTP Responses: YES
> >      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP
> > responses: 200
> >      Normalize HTTP Cookies: NO
> >      Enable XFF and True Client IP: NO
> >      Log HTTP URI data: NO
> >      Log HTTP Hostname data: NO
> >      Extended ASCII code support in URI: NO
> >      Ascii: YES alert: NO
> >      Double Decoding: YES alert: NO
> >      %U Encoding: YES alert: YES
> >      Bare Byte: YES alert: NO
> >      UTF 8: YES alert: NO
> >      IIS Unicode: YES alert: NO
> >      Multiple Slash: YES alert: NO
> >      IIS Backslash: YES alert: NO
> >      Directory Traversal: YES alert: NO
> >      Web Root Traversal: YES alert: NO
> >      Apache WhiteSpace: YES alert: NO
> >      IIS Delimiter: YES alert: NO
> >      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> >      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
> >      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> > rpc_decode arguments:
> >    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
> > 32777 32778 32779
> >    alert_fragments: INACTIVE
> >    alert_large_fragments: INACTIVE
> >    alert_incomplete: INACTIVE
> >    alert_multiple_requests: INACTIVE
> > FTPTelnet Config:
> >    GLOBAL CONFIG
> >      Inspection Type: stateful
> >      Check for Encrypted Traffic: YES alert: NO
> >      Continue to check encrypted data: NO
> >    TELNET CONFIG:
> >      Ports: 23
> >      Are You There Threshold: 20
> >      Normalize: YES
> >      Detect Anomalies: YES
> >    FTP CONFIG:
> >      FTP Server: default
> >        Ports (PAF): 21 2100 3535
> >        Check for Telnet Cmds: YES alert: YES
> >        Ignore Telnet Cmd Operations: YES alert: YES
> >        Identify open data channels: NO
> >      FTP Client: default
> >        Check for Bounce Attacks: YES alert: YES
> >        Check for Telnet Cmds: YES alert: YES
> >        Ignore Telnet Cmd Operations: YES alert: YES
> >        Max Response Length: 256
> > SMTP Config:
> >    Ports: 25 465 587 691
> >    Inspection Type: Stateful
> >    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY
> > EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS
> > SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN
> > XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP
> > X-EXCH50
> >    Ignore Data: No
> >    Ignore TLS Data: No
> >    Ignore SMTP Alerts: No
> >    Max Command Line Length: 512
> >    Max Specific Command Line Length:
> >        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
> >        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
> >        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
> >        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
> >        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
> >        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
> >        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
> >        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
> >        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
> >        XUSR:246
> >    Max Header Line Length: 1000
> >    Max Response Line Length: 512
> >    X-Link2State Alert: Yes
> >    Drop on X-Link2State Alert: No
> >    Alert on commands: None
> >    Alert on unknown commands: No
> >    SMTP Memcap: 838860
> >    MIME Max Mem: 838860
> >    Base64 Decoding: Enabled
> >    Base64 Decoding Depth: Unlimited
> >    Quoted-Printable Decoding: Enabled
> >    Quoted-Printable Decoding Depth: Unlimited
> >    Unix-to-Unix Decoding: Enabled
> >    Unix-to-Unix Decoding Depth: Unlimited
> >    Non-Encoded MIME attachment Extraction: Enabled
> >    Non-Encoded MIME attachment Extraction Depth: Unlimited
> >    Log Attachment filename: Enabled
> >    Log MAIL FROM Address: Enabled
> >    Log RCPT TO Addresses: Enabled
> >    Log Email Headers: Enabled
> >    Email Hdrs Log Depth: 1464
> > SSH config:
> >    Autodetection: ENABLED
> >    Challenge-Response Overflow Alert: ENABLED
> >    SSH1 CRC32 Alert: ENABLED
> >    Server Version String Overflow Alert: ENABLED
> >    Protocol Mismatch Alert: ENABLED
> >    Bad Message Direction Alert: DISABLED
> >    Bad Payload Size Alert: DISABLED
> >    Unrecognized Version Alert: DISABLED
> >    Max Encrypted Packets: 20
> >    Max Server Version String Length: 100
> >    MaxClientBytes: 19600 (Default)
> >    Ports:
> >        22
> > DCE/RPC 2 Preprocessor Configuration
> >  Global Configuration
> >    DCE/RPC Defragmentation: Enabled
> >    Memcap: 102400 KB
> >    Events: co
> >    SMB Fingerprint policy: Disabled
> >  Server Default Configuration
> >    Policy: WinXP
> >    Detect ports (PAF)
> >      SMB: 139 445
> >      TCP: 135
> >      UDP: 135
> >      RPC over HTTP server: 593
> >      RPC over HTTP proxy: None
> >    Autodetect ports (PAF)
> >      SMB: None
> >      TCP: 1025-65535
> >      UDP: 1025-65535
> >      RPC over HTTP server: 1025-65535
> >      RPC over HTTP proxy: None
> >    Invalid SMB shares: C$ D$ ADMIN$
> >    Maximum SMB command chaining: 3 commands
> > DNS config:
> >    DNS Client rdata txt Overflow Alert: ACTIVE
> >    Obsolete DNS RR Types Alert: INACTIVE
> >    Experimental DNS RR Types Alert: INACTIVE
> >    Ports: 53
> > SSLPP config:
> >    Encrypted packets: not inspected
> >    Ports:
> >      443      465      563      636      989
> >      992      993      994      995    7801
> >      7802    7900    7901    7902    7903
> >      7904    7905    7906    7907    7908
> >      7909    7910    7911    7912    7913
> >      7914    7915    7916    7917    7918
> >      7919    7920
> >    Server side data is trusted
> > Sensitive Data preprocessor config:
> >    Global Alert Threshold: 25
> >    Masked Output: DISABLED
> > SIP config:
> >    Max number of sessions: 40000
> >    Max number of dialogs in a session: 4 (Default)
> >    Status: ENABLED
> >    Ignore media channel: DISABLED
> >    Max URI length: 512
> >    Max Call ID length: 80
> >    Max Request name length: 20 (Default)
> >    Max From length: 256 (Default)
> >    Max To length: 256 (Default)
> >    Max Via length: 1024 (Default)
> >    Max Contact length: 512
> >    Max Content length: 2048
> >    Ports:
> >        5060    5061    5600
> >    Methods:
> >          invite cancel ack bye register options refer subscribe update join
> > info message notify benotify do qauth sprack publish service unsubscribe
> > prack
> > IMAP Config:
> >    Ports: 143
> >    IMAP Memcap: 838860
> >    Base64 Decoding: Enabled
> >    Base64 Decoding Depth: Unlimited
> >    Quoted-Printable Decoding: Enabled
> >    Quoted-Printable Decoding Depth: Unlimited
> >    Unix-to-Unix Decoding: Enabled
> >    Unix-to-Unix Decoding Depth: Unlimited
> >    Non-Encoded MIME attachment Extraction: Enabled
> >    Non-Encoded MIME attachment Extraction Depth: Unlimited
> > POP Config:
> >    Ports: 110
> >    POP Memcap: 838860
> >    Base64 Decoding: Enabled
> >    Base64 Decoding Depth: Unlimited
> >    Quoted-Printable Decoding: Enabled
> >    Quoted-Printable Decoding Depth: Unlimited
> >    Unix-to-Unix Decoding: Enabled
> >    Unix-to-Unix Decoding Depth: Unlimited
> >    Non-Encoded MIME attachment Extraction: Enabled
> >    Non-Encoded MIME attachment Extraction Depth: Unlimited
> > Modbus config:
> >    Ports:
> >        502
> > DNP3 config:
> >    Memcap: 262144
> >    Check Link-Layer CRCs: ENABLED
> >    Ports:
> >        20000
> > Reputation config:
> > WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor
> > disabled.
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > 873 Snort rules read
> >    873 detection rules
> >    0 decoder rules
> >    0 preprocessor rules
> > 873 Option Chains linked into 65 Chain Headers
> >
> > 0 Dynamic rules
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > +-------------------[Rule Port
> > Counts]---------------------------------------
> > |            tcp    udp    icmp      ip
> > |    src    247      1      0      0
> > |    dst    474    138      0      0
> > |    any      8      5      0      0
> > |      nc      25      0      0      0
> > |    s+d      0      0      0      0
> > +----------------------------------------------------------------------------
> >
> > +-----------------------[detection-filter-config]------------------------------
> > | memory-cap : 1048576 bytes
> > +-----------------------[detection-filter-rules]-------------------------------
> > | none
> > -------------------------------------------------------------------------------
> >
> > +-----------------------[rate-filter-config]-----------------------------------
> > | memory-cap : 1048576 bytes
> > +-----------------------[rate-filter-rules]------------------------------------
> > | none
> > -------------------------------------------------------------------------------
> >
> > +-----------------------[event-filter-config]----------------------------------
> > | memory-cap : 1048576 bytes
> > +-----------------------[event-filter-global]----------------------------------
> > +-----------------------[event-filter-local]-----------------------------------
> > | none
> > +-----------------------[suppression]------------------------------------------
> > | none
> > -------------------------------------------------------------------------------
> > Rule application order:
> > activation->dynamic->pass->drop->sdrop->reject->alert->log
> > Verifying Preprocessor Configurations!
> > ICMP tracking disabled, no ICMP sessions allocated
> > IP tracking disabled, no IP sessions allocated
> > WARNING: flowbits key 'file.works' is set but not ever checked.
> > WARNING: flowbits key 'file.qcp' is set but not ever checked.
> > WARNING: flowbits key 'imagesource.redefine' is set but not ever checked.
> > WARNING: flowbits key 'file.cdr' is set but not ever checked.
> > WARNING: flowbits key 'file.xls' is set but not ever checked.
> > WARNING: flowbits key 'file.dir' is set but not ever checked.
> > WARNING: flowbits key 'smb.query_sec_desc' is set but not ever checked.
> > WARNING: flowbits key 'file.avi.video' is set but not ever checked.
> > WARNING: flowbits key 'file.lnk' is set but not ever checked.
> > WARNING: flowbits key 'file.csd' is set but not ever checked.
> > WARNING: flowbits key 'file.wav' is set but not ever checked.
> > WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
> > WARNING: flowbits key 'file.dxf' is set but not ever checked.
> > WARNING: flowbits key 'file.silverlight' is set but not ever checked.
> > WARNING: flowbits key 'file.slk' is set but not ever checked.
> > WARNING: flowbits key 'file.asf' is set but not ever checked.
> > WARNING: flowbits key 'file.m4v' is set but not ever checked.
> > WARNING: flowbits key 'file.ses' is set but not ever checked.
> > WARNING: flowbits key 'file.mny' is checked but not ever set.
> > WARNING: flowbits key 'file.oless.v3' is checked but not ever set.
> > WARNING: flowbits key 'file.rjs' is set but not ever checked.
> > WARNING: flowbits key 'file.mswmm' is set but not ever checked.
> > WARNING: flowbits key 'file.jpeg' is set but not ever checked.
> > WARNING: flowbits key 'file.xspf' is set but not ever checked.
> > WARNING: flowbits key 'file.elf' is set but not ever checked.
> > WARNING: flowbits key 'file.psfont' is set but not ever checked.
> > WARNING: flowbits key 'file.smil' is set but not ever checked.
> > WARNING: flowbits key 'file.pct' is set but not ever checked.
> > WARNING: flowbits key 'file.mp4' is set but not ever checked.
> > WARNING: flowbits key 'file.universalbinary' is set but not ever checked.
> > WARNING: flowbits key 'file.tga' is set but not ever checked.
> > WARNING: flowbits key 'file.wmf' is set but not ever checked.
> > WARNING: flowbits key 'file.eot' is set but not ever checked.
> > WARNING: flowbits key 'server.mdaemon' is set but not ever checked.
> > WARNING: flowbits key 'file.dws' is set but not ever checked.
> > WARNING: flowbits key 'file.otf' is set but not ever checked.
> > WARNING: flowbits key 'file.eps' is set but not ever checked.
> > WARNING: flowbits key 'file.rmf' is set but not ever checked.
> > WARNING: flowbits key 'file.pdf' is set but not ever checked.
> > WARNING: flowbits key 'file.xbm' is set but not ever checked.
> > WARNING: flowbits key 'file.xpm' is set but not ever checked.
> > WARNING: flowbits key 'file.rtf' is set but not ever checked.
> > WARNING: flowbits key 'file.xul' is set but not ever checked.
> > WARNING: flowbits key 'file.engtesselate' is set but not ever checked.
> > WARNING: flowbits key 'file.swf' is set but not ever checked.
> > WARNING: flowbits key 'file.torrent' is set but not ever checked.
> > WARNING: flowbits key 'file.ani' is set but not ever checked.
> > WARNING: flowbits key 'file.realplayer' is set but not ever checked.
> > WARNING: flowbits key 'file.jnlp' is set but not ever checked.
> > WARNING: flowbits key 'file.m3u' is set but not ever checked.
> > WARNING: flowbits key 'file.jar' is set but not ever checked.
> > WARNING: flowbits key 'file.quicktime' is set but not ever checked.
> > WARNING: flowbits key 'file.gif' is set but not ever checked.
> > WARNING: flowbits key 'file.smi' is set but not ever checked.
> > WARNING: flowbits key 'file.xml' is set but not ever checked.
> > WARNING: flowbits key 'file.visio' is set but not ever checked.
> > WARNING: flowbits key 'file.vap' is set but not ever checked.
> > WARNING: flowbits key 'file.tar' is set but not ever checked.
> > WARNING: flowbits key 'file.zip' is set but not ever checked.
> > WARNING: flowbits key 'file.pls' is set but not ever checked.
> > WARNING: flowbits key 'file.pmd' is set but not ever checked.
> > WARNING: flowbits key 'file.fpx' is set but not ever checked.
> > WARNING: flowbits key 'file.chm' is set but not ever checked.
> > WARNING: flowbits key 'file.mp3' is set but not ever checked.
> > WARNING: flowbits key 'file.png' is set but not ever checked.
> > WARNING: flowbits key 'file.dmg' is set but not ever checked.
> > WARNING: flowbits key 'file.avi' is set but not ever checked.
> > WARNING: flowbits key 'file.cgm' is set but not ever checked.
> > WARNING: flowbits key 'file.class' is set but not ever checked.
> > WARNING: flowbits key 'file.visprj' is set but not ever checked.
> > WARNING: flowbits key 'file.pac' is set but not ever checked.
> > WARNING: flowbits key 'file.4xm' is set but not ever checked.
> > WARNING: flowbits key 'file.manifest' is set but not ever checked.
> > WARNING: flowbits key 'file.tiff.little' is set but not ever checked.
> > WARNING: flowbits key 'file.pub' is set but not ever checked.
> > WARNING: flowbits key 'smb.trans2.fileinfo' is set but not ever checked.
> > WARNING: flowbits key 'file.doc' is set but not ever checked.
> > WARNING: flowbits key 'file.flv' is set but not ever checked.
> > WARNING: flowbits key 'file.hpj' is set but not ever checked.
> > WARNING: flowbits key 'file.realmedia' is set but not ever checked.
> > WARNING: flowbits key 'file.wmv' is set but not ever checked.
> > WARNING: flowbits key 'file.tiff' is set but not ever checked.
> > WARNING: flowbits key 'file.realplayer.playlist' is set but not ever
> > checked.
> > WARNING: flowbits key 'file.asx' is set but not ever checked.
> > 93 out of 1024 flowbits in use.
> >
> > [ Port Based Pattern Matching Memory ]
> > +- [ Aho-Corasick Summary ] -------------------------------------
> > | Storage Format    : Full-Q
> > | Finite Automaton  : DFA
> > | Alphabet Size    : 256 Chars
> > | Sizeof State      : Variable (1,2,4 bytes)
> > | Instances        : 48
> > |    1 byte states : 43
> > |    2 byte states : 5
> > |    4 byte states : 0
> > | Characters        : 8890
> > | States            : 6460
> > | Transitions      : 148770
> > | State Density    : 9.0%
> > | Patterns          : 876
> > | Match States      : 806
> > | Memory (MB)      : 3.19
> > |  Patterns        : 0.06
> > |  Match Lists    : 0.07
> > |  DFA
> > |    1 byte states : 0.20
> > |    2 byte states : 2.81
> > |    4 byte states : 0.00
> > +----------------------------------------------------------------
> > [ Number of patterns truncated to 20 bytes: 30 ]
> > pcap DAQ configured to passive.
> > Acquiring network traffic from "eth0".
> > Reload thread starting...
> > Reload thread started, thread 0xa64cbb40 (4343)
> > Decoding Ethernet
> >
> >
> >        --== Initialization Complete ==--
> >
> >    ,,_    -*> Snort! <*-
> >  o"  )~  Version 2.9.4.1 GRE (Build 69) i386
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> >            Using libpcap version 1.2.1
> >            Using PCRE version: 8.30 2012-02-04
> >            Using ZLIB version: 1.2.7
> >
> >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build 18>
> >            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
> >            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
> >            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
> >            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
> >            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
> >            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
> >            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
> >            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
> >            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
> >            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
> >            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
> >            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
> >            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
> >            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
> > Commencing packet processing (pid=4343)
> >
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_d2d_mar
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
> 
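Since Snort 2.x has no "status" subcommand, the startup output quoted above is the status. As an added example that is not part of the thread, this Python parser (with a constructed excerpt of that output embedded) checks what an operator actually cares about: that Snort reached packet processing, on which interface and in which DAQ mode, how many rules it loaded, and what each WARNING means for detection coverage.

```python
"""Health check for Snort 2.9 startup output (added example, not from the thread).
The startup banner is the only "status" Snort 2.x gives, so extract the facts that
matter and group WARNING lines by what they mean for coverage."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the output quoted in the thread.  Snort itself
# does not wrap lines; the mail client did, so feed this Snort's unwrapped stdout.
SAMPLE_OUTPUT = """\
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
873 Snort rules read
0 Dynamic rules
WARNING: flowbits key 'file.pdf' is set but not ever checked.
WARNING: flowbits key 'file.mny' is checked but not ever set.
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Commencing packet processing (pid=4343)
"""


@dataclass
class SnortStatus:
    running: bool = False
    pid: int = 0
    interface: str = ""
    daq_mode: str = ""
    rules_read: int = 0
    dynamic_rules: int = 0
    # WARNING lines grouped by what they mean for detection coverage.
    warnings: dict = field(default_factory=lambda: {
        k: [] for k in ("flowbits", "normalization", "capability", "other")})


def classify_warning(msg: str) -> str:
    """flowbits: unused bits, benign when only part of a rule set is loaded.
    normalization: disabled because not inline, expected in passive IDS mode.
    capability: a preprocessor or rule library the config asked for is not active."""
    if msg.startswith("flowbits key"):
        return "flowbits"
    if "normalizations disabled because not inline" in msg:
        return "normalization"
    if "Preprocessor disabled" in msg or "No dynamic libraries found" in msg:
        return "capability"
    return "other"


def parse_startup(text: str) -> SnortStatus:
    """Extract run state, interface, DAQ mode, rule counts and warnings."""
    s = SnortStatus()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Commencing packet processing \(pid=(\d+)\)", line):
            s.running, s.pid = True, int(m.group(1))
        elif m := re.match(r'Acquiring network traffic from "([^"]+)"', line):
            s.interface = m.group(1)
        elif m := re.match(r"\w+ DAQ configured to (\w+)\.", line):
            s.daq_mode = m.group(1)
        elif m := re.match(r"(\d+) Snort rules read", line):
            s.rules_read = int(m.group(1))
        elif m := re.match(r"(\d+) Dynamic rules", line):
            s.dynamic_rules = int(m.group(1))
        elif m := re.match(r"WARNING: (.+)", line):
            s.warnings[classify_warning(m.group(1))].append(m.group(1))
    return s


def health_report(s: SnortStatus) -> list:
    """Turn the parsed status into findings an operator can act on."""
    if not s.running:
        return ["CRITICAL: Snort never reached packet processing"]
    out = [f"OK: pid {s.pid} on {s.interface}, DAQ mode {s.daq_mode}, "
           f"{s.rules_read} rules ({s.dynamic_rules} dynamic)"]
    if s.rules_read == 0:
        out.append("CRITICAL: no rules loaded, the sensor can never alert")
    if s.daq_mode == "passive":
        out.append(f"INFO: passive (alert-only) mode; {len(s.warnings['normalization'])} "
                   "normalization warnings are expected here")
    out += [f"WARN: reduced coverage: {m}" for m in s.warnings["capability"]]
    if s.warnings["flowbits"]:
        out.append(f"INFO: {len(s.warnings['flowbits'])} unused flowbits "
                   "(normal when only part of a rule set is loaded)")
    out += [f"WARN: {m}" for m in s.warnings["other"]]
    return out
```

Run `health_report(parse_startup(open("snort-startup.log").read()))` against output captured with `snort -c /etc/snort/snort.conf -i eth0 2>&1 | tee snort-startup.log`; on the sample it reports one OK line, the passive-mode note, two reduced-coverage warnings and the flowbits note.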