[Snort-users] installation help

Jeremy Hoel jthoel at ...11827...
Wed Aug 27 13:41:20 EDT 2014


./snort status tries to feed the word 'status' as a BPF option; hence the
error "Snort BPF option: status"

what you might be looking for is more like '/etc/init.d/snortd status'

What is it you are trying to see?

To see if it's running you could use a ps and to check its stats you could
run 'kill -usr1 <pid of snort>' and that should output its stats to
/var/log/messages
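Since the replies point at ps and kill -USR1 rather than './snort status', here is a small checker, added here and not code from the thread or from the Snort project, that looks for the snort process, asks it to dump stats, and reads the startup lines in the syslog format shown in the quoted log. The file name snort_check.sh, the SNORT_LOG variable and the made-up PID 2000 in the sample log are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a snort daemon the way the replies
# describe. "./snort status" is read by snort as a BPF filter, so instead we
# look for the process, send SIGUSR1 for a stats dump, and check what the
# startup wrote to syslog.
# Assumptions: snort logs to /var/log/messages with the "snort[PID]:" tag seen
# in the quoted log; SNORT_LOG and the file name snort_check.sh are mine.

LOGFILE="${SNORT_LOG:-/var/log/messages}"

# Print the PIDs of running snort processes; exit status 1 if there are none.
snort_pids() {
    pgrep -x snort
}

# Send SIGUSR1 to every running snort so it dumps its statistics to syslog.
dump_stats() {
    pids=$(snort_pids) || return 1
    kill -USR1 $pids
}

# snort_rules_read FILE PID: the "N Snort rules read" count for that PID, or 0.
snort_rules_read() {
    n=$(sed -n "s/.*snort\[$2\]: \([0-9][0-9]*\) Snort rules read.*/\1/p" "$1" | tail -n 1)
    echo "${n:-0}"
}

# check_startup_log FILE PID: exit 0 when the startup log for that PID shows
# IDS mode, a non-zero rule count and no ERROR/Fatal Error line. WARNING lines
# (such as the disabled Reputation preprocessor) are printed but do not fail it.
check_startup_log() {
    file=$1; pid=$2; rc=0
    if ! grep -q "snort\[$pid\]: Running in IDS mode" "$file"; then
        echo "PID $pid: not in IDS mode (packet dump mode; was -c given?)"; rc=1
    fi
    if grep -qE "snort\[$pid\]: (ERROR|Fatal Error)" "$file"; then
        echo "PID $pid: startup reported an error:"
        grep -E "snort\[$pid\]: (ERROR|Fatal Error)" "$file"; rc=1
    fi
    rules=$(snort_rules_read "$file" "$pid")
    if [ "$rules" -eq 0 ]; then
        echo "PID $pid: no rules loaded"; rc=1
    else
        echo "PID $pid: $rules rules loaded"
    fi
    grep "snort\[$pid\]: WARNING:" "$file" | sed 's/^.*WARNING:/  WARNING:/'
    return $rc
}

# Write a constructed excerpt of the quoted syslog to a temp file and print its
# name. PID 1414 lines are from the thread; PID 2000 is made up to show the
# failed "./snort status" start from the other reply.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Aug 27 17:50:21 snort snort[1414]: Running in IDS mode
Aug 27 17:50:21 snort snort[1414]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
Aug 27 17:50:21 snort snort[1414]: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
Aug 27 17:50:22 snort snort[1414]: 5125 Snort rules read
Aug 27 17:50:22 snort snort[1414]: 5125 detection rules
Aug 27 17:50:21 snort snort[2000]: Running in packet dump mode
Aug 27 17:50:21 snort snort[2000]: Snort BPF option: status
Aug 27 17:50:21 snort snort[2000]: ERROR: Can't find pcap DAQ!
Aug 27 17:50:21 snort snort[2000]: Fatal Error, Quitting..
EOF
    echo "$f"
}

# Usage: sh snort_check.sh status   (is snort running, and did it start cleanly?)
#        sh snort_check.sh stats    (ask snort to dump statistics to $LOGFILE)
#        sh snort_check.sh demo     (run the checks on the constructed sample)
# With no argument the script only defines the functions above.
case "${1:-}" in
    status)
        pids=$(snort_pids) || { echo "snort is not running"; exit 1; }
        for p in $pids; do check_startup_log "$LOGFILE" "$p"; done ;;
    stats)
        dump_stats && echo "stats requested; read them with: grep snort $LOGFILE" ;;
    demo)
        f=$(write_sample_log)
        check_startup_log "$f" 1414
        check_startup_log "$f" 2000
        rm -f "$f" ;;
esac
```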




On Wed, Aug 27, 2014 at 5:29 PM, Robert Millott <
robm at ...16885...> wrote:

> I run snort with daq settings as well. I have never tried ./snort status,
> but I just did and I get a similar error.
> snort status
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: status
> ERROR: Can't find pcap DAQ!
> Fatal Error, Quitting..
>
> My snort is running just fine and has been for months, so I'm not sure
> that what you are seeing is a problem.  Try just running
>
> ps ax | grep snort
>
> to make sure snort is running
>
>
>
> On Wed, Aug 27, 2014 at 12:52 PM, Sharif Uddin <
> Sharif.Uddin at ...16962...> wrote:
>
>> Hello
>>
>> I have followed this guide to install snort
>> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/002/original/snort296x_centos6x.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1409153064&Signature=TBLNp6Ze%2FN9F3smCPMgm1AWkl6g%3D
>>
>> I am using a VM on VirtualBox with CentOS 7 64-bit minimal install.
>>
>> So far I can run the following command
>>
>> [root at ...2306... bin]# ./snort -A fast -b -d -D -i enp0s3 -u snort -g snort
>> -c /etc/snort/snort.conf -l /var/log/snort
>>
>> Spawning daemon child...
>> My daemon child 1415 lives...
>> Daemon parent exiting (0)
>>
>> In the log file I get the following
>>
>> Aug 27 17:50:21 snort snort[1414]: Running in IDS mode
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: --== Initializing Snort ==--
>> Aug 27 17:50:21 snort snort[1414]: Initializing Output Plugins!
>> Aug 27 17:50:21 snort snort[1414]: Initializing Preprocessors!
>> Aug 27 17:50:21 snort snort[1414]: Initializing Plug-ins!
>> Aug 27 17:50:21 snort snort[1414]: Parsing Rules file "/etc/snort/snort.conf"
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'HTTP_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 36 80:90 311 383 555 591 593 631 801
>> 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980
>> 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173
>> 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028
>> 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344
>> 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
>> 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
>> 44449 50000 50002 51423 53331 55252 55555 56712 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'SHELLCODE_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 0:79 81:65535 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'ORACLE_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 1024:65535 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'SSH_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 22 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'FTP_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 21 2100 3535 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'SIP_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 5060:5061 5600 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'FILE_DATA_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 36 80:90 110 143 311 383 555 591 593
>> 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381
>> 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600
>> 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014
>> 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333
>> 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
>> 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
>> 44449 50000 50002 51423 53331 55252 55555 56712 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: PortVar 'GTP_PORTS' defined :
>> Aug 27 17:50:21 snort snort[1414]: [ 2123 2152 3386 ]
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: Detection:
>> Aug 27 17:50:21 snort snort[1414]: Search-Method = AC-Full-Q
>> Aug 27 17:50:21 snort snort[1414]: Split Any/Any group = enabled
>> Aug 27 17:50:21 snort snort[1414]: Search-Method-Optimizations = enabled
>> Aug 27 17:50:21 snort snort[1414]: Maximum pattern length = 20
>> Aug 27 17:50:21 snort snort[1414]: Tagged Packet Limit: 256
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>> Aug 27 17:50:21 snort snort[1414]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
>> Aug 27 17:50:21 snort snort[1414]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
>> Aug 27 17:50:21 snort snort[1414]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
>> Aug 27 17:50:21 snort snort[1414]: done
>> Aug 27 17:50:21 snort snort[1414]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>> Aug 27 17:50:21 snort snort[1414]: Log directory = /var/log/snort
>> Aug 27 17:50:21 snort snort[1414]: WARNING: ip4 normalizations disabled because not inline.
>> Aug 27 17:50:21 snort snort[1414]: WARNING: tcp normalizations disabled because not inline.
>> Aug 27 17:50:21 snort snort[1414]: WARNING: icmp4 normalizations disabled because not inline.
>> Aug 27 17:50:21 snort snort[1414]: WARNING: ip6 normalizations disabled because not inline.
>> Aug 27 17:50:21 snort snort[1414]: WARNING: icmp6 normalizations disabled because not inline.
>> Aug 27 17:50:21 snort snort[1414]: Frag3 global config:
>> Aug 27 17:50:21 snort snort[1414]: Max frags: 65536
>> Aug 27 17:50:21 snort snort[1414]: Fragment memory cap: 4194304 bytes
>> Aug 27 17:50:21 snort snort[1414]: Frag3 engine config:
>> Aug 27 17:50:21 snort snort[1414]: Bound Address: default
>> Aug 27 17:50:21 snort snort[1414]: Target-based policy: WINDOWS
>> Aug 27 17:50:21 snort snort[1414]: Fragment timeout: 180 seconds
>> Aug 27 17:50:21 snort snort[1414]: Fragment min_ttl:   1
>> Aug 27 17:50:21 snort snort[1414]: Fragment Anomalies: Alert
>> Aug 27 17:50:21 snort snort[1414]: Overlap Limit:     10
>> Aug 27 17:50:21 snort snort[1414]: Min fragment Length:     100
>> Aug 27 17:50:21 snort snort[1414]: Stream5 global config:
>> Aug 27 17:50:21 snort snort[1414]: Track TCP sessions: ACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Max TCP sessions: 262144
>> Aug 27 17:50:21 snort snort[1414]: TCP cache pruning timeout: 30 seconds
>> Aug 27 17:50:21 snort snort[1414]: TCP cache nominal timeout: 3600 seconds
>> Aug 27 17:50:21 snort snort[1414]: Memcap (for reassembly packet storage): 8388608
>> Aug 27 17:50:21 snort snort[1414]: Track UDP sessions: ACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Max UDP sessions: 131072
>> Aug 27 17:50:21 snort snort[1414]: UDP cache pruning timeout: 30 seconds
>> Aug 27 17:50:21 snort snort[1414]: UDP cache nominal timeout: 180 seconds
>> Aug 27 17:50:21 snort snort[1414]: Track ICMP sessions: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Track IP sessions: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Log info if session memory consumption exceeds 1048576
>> Aug 27 17:50:21 snort snort[1414]: Send up to 2 active responses
>> Aug 27 17:50:21 snort snort[1414]: Wait at least 5 seconds between responses
>> Aug 27 17:50:21 snort snort[1414]: Protocol Aware Flushing: ACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Maximum Flush Point: 16000
>> Aug 27 17:50:21 snort snort[1414]: Max Expected Streams: 768
>> Aug 27 17:50:21 snort snort[1414]: Stream5 TCP Policy config:
>> Aug 27 17:50:21 snort snort[1414]: Bound Address: default
>> Aug 27 17:50:21 snort snort[1414]: Reassembly Policy: WINDOWS
>> Aug 27 17:50:21 snort snort[1414]: Timeout: 180 seconds
>> Aug 27 17:50:21 snort snort[1414]: Limit on TCP Overlaps: 10
>> Aug 27 17:50:21 snort snort[1414]: Maximum number of bytes to queue per session: 1048576
>> Aug 27 17:50:21 snort snort[1414]: Maximum number of segs to queue per session: 2621
>> Aug 27 17:50:21 snort snort[1414]: Options:
>> Aug 27 17:50:21 snort snort[1414]: Require 3-Way Handshake: YES
>> Aug 27 17:50:21 snort snort[1414]: 3-Way Handshake Timeout: 180
>> Aug 27 17:50:21 snort snort[1414]: Detect Anomalies: YES
>> Aug 27 17:50:21 snort snort[1414]: Reassembly Ports:
>> Aug 27 17:50:21 snort snort[1414]: 21 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 22 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 23 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 25 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 36 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 42 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 53 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 70 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 79 client (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 80 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 81 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 82 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 83 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 84 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 85 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 86 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 87 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 88 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 89 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: 90 client (Footprint) server (Footprint)
>> Aug 27 17:50:21 snort snort[1414]: additional ports configured but not printed.
>> Aug 27 17:50:21 snort snort[1414]: Stream5 UDP Policy config:
>> Aug 27 17:50:21 snort snort[1414]: Timeout: 180 seconds
>> Aug 27 17:50:21 snort snort[1414]: HttpInspect Config:
>> Aug 27 17:50:21 snort snort[1414]: GLOBAL CONFIG
>> Aug 27 17:50:21 snort snort[1414]: Max Pipeline Requests:    0
>> Aug 27 17:50:21 snort snort[1414]: Inspection Type:          STATELESS
>> Aug 27 17:50:21 snort snort[1414]: Detect Proxy Usage:       NO
>> Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map Filename: /etc/snort/unicode.map
>> Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map Codepage: 1252
>> Aug 27 17:50:21 snort snort[1414]: Memcap used for logging URI and Hostname: 150994944
>> Aug 27 17:50:21 snort snort[1414]: Max Gzip Memory: 838860
>> Aug 27 17:50:21 snort snort[1414]: Max Gzip Sessions: 5518
>> Aug 27 17:50:21 snort snort[1414]: Gzip Compress Depth: 65535
>> Aug 27 17:50:21 snort snort[1414]: Gzip Decompress Depth: 65535
>> Aug 27 17:50:21 snort snort[1414]: DEFAULT SERVER CONFIG:
>> Aug 27 17:50:21 snort snort[1414]: Server profile: All
>> Aug 27 17:50:21 snort snort[1414]: Ports (PAF): 36 80 81 82 83 84 85 86
>> 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533
>> 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000
>> 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510
>> 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118
>> 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983
>> 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489
>> 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252
>> 55555 56712
>> Aug 27 17:50:21 snort snort[1414]: Server Flow Depth: 0
>> Aug 27 17:50:21 snort snort[1414]: Client Flow Depth: 0
>> Aug 27 17:50:21 snort snort[1414]: Max Chunk Length: 500000
>> Aug 27 17:50:21 snort snort[1414]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>> Aug 27 17:50:21 snort snort[1414]: Max Header Field Length: 750
>> Aug 27 17:50:21 snort snort[1414]: Max Number Header Fields: 100
>> Aug 27 17:50:21 snort snort[1414]: Max Number of WhiteSpaces allowed with header folding: 200
>> Aug 27 17:50:21 snort snort[1414]: Inspect Pipeline Requests: YES
>> Aug 27 17:50:21 snort snort[1414]: URI Discovery Strict Mode: NO
>> Aug 27 17:50:21 snort snort[1414]: Allow Proxy Usage: NO
>> Aug 27 17:50:21 snort snort[1414]: Disable Alerting: NO
>> Aug 27 17:50:21 snort snort[1414]: Oversize Dir Length: 500
>> Aug 27 17:50:21 snort snort[1414]: Only inspect URI: NO
>> Aug 27 17:50:21 snort snort[1414]: Normalize HTTP Headers: NO
>> Aug 27 17:50:21 snort snort[1414]: Inspect HTTP Cookies: YES
>> Aug 27 17:50:21 snort snort[1414]: Inspect HTTP Responses: YES
>> Aug 27 17:50:21 snort snort[1414]: Extract Gzip from responses: YES
>> Aug 27 17:50:21 snort snort[1414]: Unlimited decompression of gzip data from responses: YES
>> Aug 27 17:50:21 snort snort[1414]: Normalize Javascripts in HTTP Responses: YES
>> Aug 27 17:50:21 snort snort[1414]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
>> Aug 27 17:50:21 snort snort[1414]: Normalize HTTP Cookies: NO
>> Aug 27 17:50:21 snort snort[1414]: Enable XFF and True Client IP: NO
>> Aug 27 17:50:21 snort snort[1414]: Log HTTP URI data: NO
>> Aug 27 17:50:21 snort snort[1414]: Log HTTP Hostname data: NO
>> Aug 27 17:50:21 snort snort[1414]: Extended ASCII code support in URI: NO
>> Aug 27 17:50:21 snort snort[1414]: Ascii: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: Double Decoding: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: %U Encoding: YES alert: YES
>> Aug 27 17:50:21 snort snort[1414]: Bare Byte: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: UTF 8: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: IIS Unicode: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: Multiple Slash: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: IIS Backslash: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: Directory Traversal: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: Web Root Traversal: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: Apache WhiteSpace: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: IIS Delimiter: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>> Aug 27 17:50:21 snort snort[1414]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>> Aug 27 17:50:21 snort snort[1414]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> Aug 27 17:50:21 snort snort[1414]: rpc_decode arguments:
>> Aug 27 17:50:21 snort snort[1414]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>> Aug 27 17:50:21 snort snort[1414]: alert_fragments: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: alert_large_fragments: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: alert_incomplete: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: alert_multiple_requests: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: FTPTelnet Config:
>> Aug 27 17:50:21 snort snort[1414]: GLOBAL CONFIG
>> Aug 27 17:50:21 snort snort[1414]: Inspection Type: stateful
>> Aug 27 17:50:21 snort snort[1414]: Check for Encrypted Traffic: YES alert: NO
>> Aug 27 17:50:21 snort snort[1414]: Continue to check encrypted data: YES
>> Aug 27 17:50:21 snort snort[1414]: TELNET CONFIG:
>> Aug 27 17:50:21 snort snort[1414]: Ports: 23
>> Aug 27 17:50:21 snort snort[1414]: Are You There Threshold: 20
>> Aug 27 17:50:21 snort snort[1414]: Normalize: YES
>> Aug 27 17:50:21 snort snort[1414]: Detect Anomalies: YES
>> Aug 27 17:50:21 snort snort[1414]: FTP CONFIG:
>> Aug 27 17:50:21 snort snort[1414]: FTP Server: default
>> Aug 27 17:50:21 snort snort[1414]: Ports (PAF): 21 2100 3535
>> Aug 27 17:50:21 snort snort[1414]: Check for Telnet Cmds: YES alert: YES
>> Aug 27 17:50:21 snort snort[1414]: Ignore Telnet Cmd Operations: YES alert: YES
>> Aug 27 17:50:21 snort snort[1414]: Ignore open data channels: NO
>> Aug 27 17:50:21 snort snort[1414]: FTP Client: default
>> Aug 27 17:50:21 snort snort[1414]: Check for Bounce Attacks: YES alert: YES
>> Aug 27 17:50:21 snort snort[1414]: Check for Telnet Cmds: YES alert: YES
>> Aug 27 17:50:21 snort snort[1414]: Ignore Telnet Cmd Operations: YES alert: YES
>> Aug 27 17:50:21 snort snort[1414]: Max Response Length: 256
>> Aug 27 17:50:21 snort snort[1414]: SMTP Config:
>> Aug 27 17:50:21 snort snort[1414]: Ports: 25 465 587 691
>> Aug 27 17:50:21 snort snort[1414]: Inspection Type: Stateful
>> Aug 27 17:50:21 snort snort[1414]: Normalize: ATRN AUTH BDAT DATA DEBUG
>> EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU
>> QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY
>> X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN
>> XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
>> Aug 27 17:50:21 snort snort[1414]: Ignore Data: No
>> Aug 27 17:50:21 snort snort[1414]: Ignore TLS Data: No
>> Aug 27 17:50:21 snort snort[1414]: Ignore SMTP Alerts: No
>> Aug 27 17:50:21 snort snort[1414]: Max Command Line Length: 512
>> Aug 27 17:50:21 snort snort[1414]: Max Specific Command Line Length:
>> Aug 27 17:50:21 snort snort[1414]: ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>> Aug 27 17:50:21 snort snort[1414]: EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>> Aug 27 17:50:21 snort snort[1414]: ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>> Aug 27 17:50:21 snort snort[1414]: IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>> Aug 27 17:50:21 snort snort[1414]: QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>> Aug 27 17:50:21 snort snort[1414]: SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>> Aug 27 17:50:21 snort snort[1414]: TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>> Aug 27 17:50:21 snort snort[1414]: XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>> Aug 27 17:50:21 snort snort[1414]: XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>> Aug 27 17:50:21 snort snort[1414]: XUSR:246
>> Aug 27 17:50:21 snort snort[1414]: Max Header Line Length: 1000
>> Aug 27 17:50:21 snort snort[1414]: Max Response Line Length: 512
>> Aug 27 17:50:21 snort snort[1414]: X-Link2State Alert: Yes
>> Aug 27 17:50:21 snort snort[1414]: Drop on X-Link2State Alert: No
>> Aug 27 17:50:21 snort snort[1414]: Alert on commands: None
>> Aug 27 17:50:21 snort snort[1414]: Alert on unknown commands: No
>> Aug 27 17:50:21 snort snort[1414]: SMTP Memcap: 838860
>> Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860
>> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Log Attachment filename: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Log MAIL FROM Address: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Log RCPT TO Addresses: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Log Email Headers: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Email Hdrs Log Depth: 1464
>> Aug 27 17:50:21 snort snort[1414]: SSH config:
>> Aug 27 17:50:21 snort snort[1414]: Autodetection: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: Challenge-Response Overflow Alert: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: SSH1 CRC32 Alert: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: Server Version String Overflow Alert: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: Protocol Mismatch Alert: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: Bad Message Direction Alert: DISABLED
>> Aug 27 17:50:21 snort snort[1414]: Bad Payload Size Alert: DISABLED
>> Aug 27 17:50:21 snort snort[1414]: Unrecognized Version Alert: DISABLED
>> Aug 27 17:50:21 snort snort[1414]: Max Encrypted Packets: 20
>> Aug 27 17:50:21 snort snort[1414]: Max Server Version String Length: 100
>> Aug 27 17:50:21 snort snort[1414]: MaxClientBytes: 19600 (Default)
>> Aug 27 17:50:21 snort snort[1414]: Ports:
>> Aug 27 17:50:21 snort snort[1414]: 22
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: DCE/RPC 2 Preprocessor Configuration
>> Aug 27 17:50:21 snort snort[1414]: Global Configuration
>> Aug 27 17:50:21 snort snort[1414]: DCE/RPC Defragmentation: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Memcap: 102400 KB
>> Aug 27 17:50:21 snort snort[1414]: Events: co
>> Aug 27 17:50:21 snort snort[1414]: SMB Fingerprint policy: Disabled
>> Aug 27 17:50:21 snort snort[1414]: Server Default Configuration
>> Aug 27 17:50:21 snort snort[1414]: Policy: WinXP
>> Aug 27 17:50:21 snort snort[1414]: Detect ports (PAF)
>> Aug 27 17:50:21 snort snort[1414]: SMB: 139 445
>> Aug 27 17:50:21 snort snort[1414]: TCP: 135
>> Aug 27 17:50:21 snort snort[1414]: UDP: 135
>> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP server: 593
>> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP proxy: None
>> Aug 27 17:50:21 snort snort[1414]: Autodetect ports (PAF)
>> Aug 27 17:50:21 snort snort[1414]: SMB: None
>> Aug 27 17:50:21 snort snort[1414]: TCP: 1025-65535
>> Aug 27 17:50:21 snort snort[1414]: UDP: 1025-65535
>> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP server: 1025-65535
>> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP proxy: None
>> Aug 27 17:50:21 snort snort[1414]: Invalid SMB shares: C$ D$ ADMIN$
>> Aug 27 17:50:21 snort snort[1414]: Maximum SMB command chaining: 3 commands
>> Aug 27 17:50:21 snort snort[1414]: SMB file inspection: Disabled
>> Aug 27 17:50:21 snort snort[1414]: DNS config:
>> Aug 27 17:50:21 snort snort[1414]: DNS Client rdata txt Overflow Alert: ACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Obsolete DNS RR Types Alert: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Experimental DNS RR Types Alert: INACTIVE
>> Aug 27 17:50:21 snort snort[1414]: Ports:
>> Aug 27 17:50:21 snort snort[1414]: 53
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: SSLPP config:
>> Aug 27 17:50:21 snort snort[1414]: Encrypted packets: not inspected
>> Aug 27 17:50:21 snort snort[1414]: Ports:
>> Aug 27 17:50:21 snort snort[1414]: 443      465      563      636      989
>> Aug 27 17:50:21 snort snort[1414]: 992      993      994      995     5061
>> Aug 27 17:50:21 snort snort[1414]: 7801     7802     7900     7901     7902
>> Aug 27 17:50:21 snort snort[1414]: 7903     7904     7905     7906     7907
>> Aug 27 17:50:21 snort snort[1414]: 7908     7909     7910     7911     7912
>> Aug 27 17:50:21 snort snort[1414]: 7913     7914     7915     7916     7917
>> Aug 27 17:50:21 snort snort[1414]: 7918     7919     7920
>> Aug 27 17:50:21 snort snort[1414]: Server side data is trusted
>> Aug 27 17:50:21 snort snort[1414]: Sensitive Data preprocessor config:
>> Aug 27 17:50:21 snort snort[1414]: Global Alert Threshold: 25
>> Aug 27 17:50:21 snort snort[1414]: Masked Output: DISABLED
>> Aug 27 17:50:21 snort snort[1414]: SIP config:
>> Aug 27 17:50:21 snort snort[1414]: Max number of sessions: 40000
>> Aug 27 17:50:21 snort snort[1414]: Max number of dialogs in a session: 4 (Default)
>> Aug 27 17:50:21 snort snort[1414]: Status: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: Ignore media channel: DISABLED
>> Aug 27 17:50:21 snort snort[1414]: Max URI length: 512
>> Aug 27 17:50:21 snort snort[1414]: Max Call ID length: 80
>> Aug 27 17:50:21 snort snort[1414]: Max Request name length: 20 (Default)
>> Aug 27 17:50:21 snort snort[1414]: Max From length: 256 (Default)
>> Aug 27 17:50:21 snort snort[1414]: Max To length: 256 (Default)
>> Aug 27 17:50:21 snort snort[1414]: Max Via length: 1024 (Default)
>> Aug 27 17:50:21 snort snort[1414]: Max Contact length: 512
>> Aug 27 17:50:21 snort snort[1414]: Max Content length: 2048
>> Aug 27 17:50:21 snort snort[1414]: Ports:
>> Aug 27 17:50:21 snort snort[1414]: 5060
>> Aug 27 17:50:21 snort snort[1414]: 5061
>> Aug 27 17:50:21 snort snort[1414]: 5600
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: Methods:
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: invite
>> Aug 27 17:50:21 snort snort[1414]: cancel
>> Aug 27 17:50:21 snort snort[1414]: ack
>> Aug 27 17:50:21 snort snort[1414]: bye
>> Aug 27 17:50:21 snort snort[1414]: register
>> Aug 27 17:50:21 snort snort[1414]: options
>> Aug 27 17:50:21 snort snort[1414]: refer
>> Aug 27 17:50:21 snort snort[1414]: subscribe
>> Aug 27 17:50:21 snort snort[1414]: update
>> Aug 27 17:50:21 snort snort[1414]: join
>> Aug 27 17:50:21 snort snort[1414]: info
>> Aug 27 17:50:21 snort snort[1414]: message
>> Aug 27 17:50:21 snort snort[1414]: notify
>> Aug 27 17:50:21 snort snort[1414]: benotify
>> Aug 27 17:50:21 snort snort[1414]: do
>> Aug 27 17:50:21 snort snort[1414]: qauth
>> Aug 27 17:50:21 snort snort[1414]: sprack
>> Aug 27 17:50:21 snort snort[1414]: publish
>> Aug 27 17:50:21 snort snort[1414]: service
>> Aug 27 17:50:21 snort snort[1414]: unsubscribe
>> Aug 27 17:50:21 snort snort[1414]: prack
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: IMAP Config:
>> Aug 27 17:50:21 snort snort[1414]: Ports: 143
>> Aug 27 17:50:21 snort snort[1414]: IMAP Memcap: 838860
>> Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860
>> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: POP Config:
>> Aug 27 17:50:21 snort snort[1414]: Ports: 110
>> Aug 27 17:50:21 snort snort[1414]: POP Memcap: 838860
>> Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860
>> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction: Enabled
>> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction Depth: Unlimited
>> Aug 27 17:50:21 snort snort[1414]: Modbus config:
>> Aug 27 17:50:21 snort snort[1414]: Ports:
>> Aug 27 17:50:21 snort snort[1414]: 502
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: DNP3 config:
>> Aug 27 17:50:21 snort snort[1414]: Memcap: 262144
>> Aug 27 17:50:21 snort snort[1414]: Check Link-Layer CRCs: ENABLED
>> Aug 27 17:50:21 snort snort[1414]: Ports:
>> Aug 27 17:50:21 snort snort[1414]: 20000
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: Reputation config:
>> Aug 27 17:50:21 snort snort[1414]: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.
>> Aug 27 17:50:21 snort snort[1414]:
>> Aug 27 17:50:21 snort snort[1414]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Aug 27 17:50:21 snort snort[1414]: Initializing rule chains...
>> Aug 27 17:50:22 snort snort[1414]: 5125 Snort rules read
>> Aug 27 17:50:22 snort snort[1414]: 5125 detection rules
>> Aug 27 17:50:22 snort snort[1414]: 0 decoder rules
>> Aug 27 17:50:22 snort snort[1414]: 0 preprocessor rules
>> Aug 27 17:50:22 snort snort[1414]: 5125 Option Chains linked into 228 Chain Headers
>> Aug 27 17:50:22 snort snort[1414]: 0 Dynamic rules
>> Aug 27 17:50:22 snort snort[1414]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Aug 27 17:50:22 snort snort[1414]:
>> Aug 27 17:50:23 snort snort[1414]: +-------------------[Rule Port Counts]---------------------------------------
>> Aug 27 17:50:23 snort snort[1414]: |             tcp     udp    icmp      ip
>> Aug 27 17:50:23 snort snort[1414]: |     src    1737       7       0       0
>> Aug 27 17:50:23 snort snort[1414]: |     dst    2679     594       0       0
>> Aug 27 17:50:23 snort snort[1414]: |     any     104       2       3       0
>> Aug 27 17:50:23 snort snort[1414]: |      nc      14       0       0       0
>> Aug 27 17:50:23 snort snort[1414]: |     s+d       1       1       0       0
>> Aug 27 17:50:23 snort snort[1414]: +----------------------------------------------------------------------------
>> Aug 27 17:50:23 snort snort[1414]:
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[detection-filter-config]------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[detection-filter-rules]-------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> -------------------------------------------------------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]:
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[rate-filter-config]-----------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[rate-filter-rules]------------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: | none
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> -------------------------------------------------------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]:
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[event-filter-config]----------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[event-filter-global]----------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[event-filter-local]-----------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: | none
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> +-----------------------[suppression]------------------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: | none
>>
>> Aug 27 17:50:23 snort snort[1414]:
>> -------------------------------------------------------------------------------
>>
>> Aug 27 17:50:23 snort snort[1414]: Rule application order:
>> activation->dynamic->pass->drop->sdrop->reject->alert->log
>>
>> Aug 27 17:50:23 snort snort[1414]: Verifying Preprocessor Configurations!
>>
>> Aug 27 17:50:23 snort snort[1414]: ICMP tracking disabled, no ICMP
>> sessions allocated
>>
>> Aug 27 17:50:23 snort snort[1414]: IP tracking disabled, no IP sessions
>> allocated
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'acunetix-scan'
>> is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'kit.blackhole'
>> is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'ssl_handshake'
>> is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.dmg' is
>> checked but not ever set.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.msi' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.fpx' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
>> 'tlsv1.0_handshake' is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
>> 'tlsv1.2_handshake' is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.htc' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.wri' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.hhk' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
>> 'tlsv1.1_handshake' is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'spyrat_bd' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
>> 'file.zip.winrar.spoof' is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'imap.cram_md5'
>> is set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.lanman' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.xfdl' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.vwr' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.ram' is
>> checked but not ever set.
>>
>> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'hornet.2' is
>> set but not ever checked.
>>
>> Aug 27 17:50:23 snort snort[1414]: 130 out of 1024 flowbits in use.
>>
>> Aug 27 17:50:29 snort snort[1414]:
>>
>> Aug 27 17:50:29 snort snort[1414]: [ Port Based Pattern Matching Memory ]
>>
>> Aug 27 17:50:29 snort snort[1414]: +- [ Aho-Corasick Summary ]
>> -------------------------------------
>>
>> Aug 27 17:50:29 snort snort[1414]: | Storage Format    : Full-Q
>>
>> Aug 27 17:50:29 snort snort[1414]: | Finite Automaton  : DFA
>>
>> Aug 27 17:50:29 snort snort[1414]: | Alphabet Size     : 256 Chars
>>
>> Aug 27 17:50:29 snort snort[1414]: | Sizeof State      : Variable (1,2,4
>> bytes)
>>
>> Aug 27 17:50:29 snort snort[1414]: | Instances         : 162
>>
>> Aug 27 17:50:29 snort snort[1414]: |     1 byte states : 152
>>
>> Aug 27 17:50:29 snort snort[1414]: |     2 byte states : 10
>>
>> Aug 27 17:50:29 snort snort[1414]: |     4 byte states : 0
>>
>> Aug 27 17:50:29 snort snort[1414]: | Characters        : 94220
>>
>> Aug 27 17:50:29 snort snort[1414]: | States            : 72484
>>
>> Aug 27 17:50:29 snort snort[1414]: | Transitions       : 7893243
>>
>> Aug 27 17:50:29 snort snort[1414]: | State Density     : 42.5%
>>
>> Aug 27 17:50:29 snort snort[1414]: | Patterns          : 5159
>>
>> Aug 27 17:50:29 snort snort[1414]: | Match States      : 5800
>>
>> Aug 27 17:50:29 snort snort[1414]: | Memory (MB)       : 37.42
>>
>> Aug 27 17:50:29 snort snort[1414]: |   Patterns        : 0.57
>>
>> Aug 27 17:50:29 snort snort[1414]: |   Match Lists     : 1.26
>>
>> Aug 27 17:50:29 snort snort[1414]: |   DFA
>>
>> Aug 27 17:50:29 snort snort[1414]: |     1 byte states : 0.94
>>
>> Aug 27 17:50:29 snort snort[1414]: |     2 byte states : 34.36
>>
>> Aug 27 17:50:29 snort snort[1414]: |     4 byte states : 0.00
>>
>> Aug 27 17:50:29 snort snort[1414]:
>> +----------------------------------------------------------------
>>
>> Aug 27 17:50:29 snort snort[1414]: [ Number of patterns truncated to 20
>> bytes: 318 ]
>>
>> Aug 27 17:50:29 snort snort[1414]: pcap DAQ configured to passive.
>>
>> Aug 27 17:50:29 snort snort[1414]: Acquiring network traffic from
>> "enp0s3".
>>
>> Aug 27 17:50:29 snort snort[1414]: Initializing daemon mode
>>
>> Aug 27 17:50:29 snort snort[1415]: Daemon initialized, signaled parent
>> pid: 1414
>>
>> Aug 27 17:50:29 snort snort[1415]: Reload thread starting...
>>
>> Aug 27 17:50:29 snort snort[1415]: Reload thread started, thread
>> 0x7fee608f3700 (1416)
>>
>> Aug 27 17:50:29 snort snort[1415]: Decoding Ethernet
>>
>> Aug 27 17:50:29 snort snort[1415]: Checking PID path...
>>
>> Aug 27 17:50:29 snort snort[1415]: PID path stat checked out ok, PID path
>> set to /var/run/
>>
>> Aug 27 17:50:29 snort snort[1415]: Writing PID "1415" to file
>> "/var/run//snort_enp0s3.pid"
>>
>> Aug 27 17:50:29 snort kernel: device enp0s3 entered promiscuous mode
>>
>> Aug 27 17:50:29 snort snort[1415]: Set gid to 40000
>>
>> Aug 27 17:50:29 snort snort[1415]: Set uid to 40000
>>
>> Aug 27 17:50:29 snort snort[1415]:
>>
>> Aug 27 17:50:29 snort snort[1415]: --== Initialization Complete ==--
>>
>> Aug 27 17:50:29 snort snort[1415]: Commencing packet processing (pid=1415)
>>
>>
>>
>>
>>
>> When I check the status I get the following
>>
>>
>>
>> [root at ...2306... bin]# ./snort status
>>
>> Running in packet dump mode
>>
>>
>>
>>         --== Initializing Snort ==--
>>
>> Initializing Output Plugins!
>>
>> Snort BPF option: status
>>
>> pcap DAQ configured to passive.
>>
>> Acquiring network traffic from "enp0s3".
>>
>> ERROR: Can't set DAQ BPF filter to 'status' (pcap_daq_set_filter:
>> pcap_compile: syntax error)!
>>
>> Fatal Error, Quitting..
>>
>>
>>
>>
>>
>> How do I fix this issue?
>>
>>
>>
>>
>>
>> Sharif Uddin
>> *Development/Support Engineer*
>> -------------------
>>
>>  *Spectrum Geo Ltd*
>> Dukes Court, Duke Street
>> Woking, Surrey
>> GU21 5BH
>> UNITED KINGDOM
>>
>>  Tel: +44 (0) 1483 730201
>> Fax: +44 (0) 1483 762620
>>
>>
>>
>> www.spectrumasa.com <http://www.spectrumasa.com/>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Slashdot TV.
>> Video for Nerds.  Stuff that matters.
>> http://tv.slashdot.org/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
>
>
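The thread's real question is "is Snort up?", and `./snort status` cannot answer it because Snort hands the bare word to the BPF compiler. As an added example (not code from any poster or from the Snort project), this POSIX shell script answers it the way the reply suggests: it reads the PID file Snort logged above (`/var/run/snort_enp0s3.pid`, assumed here as the default path; the name is `snort_<interface>.pid`), checks liveness with `kill -0`, and can request a stats dump with SIGUSR1.

```shell
#!/bin/sh
# Added example: check a daemonized Snort via its PID file instead of running
# "./snort status", which Snort parses as a BPF filter expression.
# Assumed default path (from the log in this thread): /var/run/snort_enp0s3.pid

# Print the PID stored in a Snort PID file; fail if the file is missing or
# holds no number (a corrupt or empty file).
snort_pid_from_file() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Succeed only if the recorded PID belongs to a live process. kill -0 sends no
# signal; it only asks whether the process exists and we may signal it. Snort
# drops to uid 40000 here, so an unprivileged caller gets EPERM even though the
# process exists; the /proc fallback covers that case (Linux only).
snort_is_running() {
    pid=$(snort_pid_from_file "$1") || return 1
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]
}

# Ask a running Snort to dump its statistics: SIGUSR1 makes Snort write them to
# its log (syslog, /var/log/messages on this CentOS box), as the reply notes.
snort_dump_stats() {
    pid=$(snort_pid_from_file "$1") || return 1
    kill -s USR1 "$pid"
}

# Human-readable status; exit 0 = running, 1 = not running or stale PID file.
snort_status() {
    pidfile="${1:-/var/run/snort_enp0s3.pid}"
    if snort_is_running "$pidfile"; then
        echo "snort is running (pid $(snort_pid_from_file "$pidfile"), pidfile $pidfile)"
        return 0
    fi
    echo "snort is not running (no live process for pidfile $pidfile)"
    return 1
}

# Stand-alone use: sh snort_status.sh [/var/run/snort_<iface>.pid]
if [ $# -gt 0 ]; then
    snort_status "$1"
fi
```

A stale PID file (process gone, file left behind after a crash) reports "not running" rather than silently trusting the file, which is the case `ps ax | grep snort` and a PID-file-only check each get wrong on their own.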