[Snort-users] installation help

Robert Millott robm at ...16885...
Wed Aug 27 13:46:57 EDT 2014


Nope, actually, everything looks fine.

snort     1415  0.0 25.8 588920 263360 ?       Ssl  17:50   0:00 ./snort -A
fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l
/var/log/snort

is the running snort process.
Your start up command line looks like "./snort -A fast -b -d -D -i enp0s3
-u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"

From looking at that, snort is running just fine. Do you suspect something
is wrong? Are you seeing alerts?


On Wed, Aug 27, 2014 at 1:34 PM, Sharif Uddin <Sharif.Uddin at ...16962...>
wrote:

>  I assumed there was something wrong.
>
> [root at ...2306... bin]# ps aux | grep -i "snort"
>
> avahi      575  0.0  0.1  27944  1500 ?        Ss   16:43   0:00 avahi-daemon: running [snort.local]
>
> snort     1415  0.0 25.8 588920 263360 ?       Ssl  17:50   0:00 ./snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>
> root      1447  0.0  0.0 107932   620 pts/1    S+   18:02   0:00 tail -f /var/log/messages /var/log/snort/alert
>
> root      1457  0.0  0.0 112640   980 pts/0    R+   18:32   0:00 grep --color=auto -i snort
>
>
> I have a tail running which does not seem to append any output in the log
> file.
>
>
> I have tried pinging the snort server from another internal machine.
>
> *From:* Robert Millott [mailto:robm at ...16885...]
> *Sent:* 27 August 2014 18:29
> *To:* Sharif Uddin
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] installation help
>
> I run snort with daq settings as well. I have never tried ./snort status,
> but I just did and I get a similar error.
>
> snort status
>
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: status
> ERROR: Can't find pcap DAQ!
> Fatal Error, Quitting..
>
>
> My snort is running just fine and has been for months, so I'm not sure
> that what you are seeing is a problem.  Try just running
>
> ps ax | grep snort
>
> to make sure snort is running
>
> On Wed, Aug 27, 2014 at 12:52 PM, Sharif Uddin <
> Sharif.Uddin at ...16962...> wrote:
>
> Hello
>
> I have followed this guide to install snort
> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/002/original/snort296x_centos6x.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1409153064&Signature=TBLNp6Ze%2FN9F3smCPMgm1AWkl6g%3D
>
> I am using a VM on VirtualBox with CentOS 7 64-bit minimal install.
>
> So far I can run the following command
>
> [root at ...2306... bin]# ./snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>
> Spawning daemon child...
>
> My daemon child 1415 lives...
>
> Daemon parent exiting (0)
>
> In the log file I get the following
>
> Aug 27 17:50:21 snort snort[1414]: Running in IDS mode
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: --== Initializing Snort ==--
>
> Aug 27 17:50:21 snort snort[1414]: Initializing Output Plugins!
>
> Aug 27 17:50:21 snort snort[1414]: Initializing Preprocessors!
>
> Aug 27 17:50:21 snort snort[1414]: Initializing Plug-ins!
>
> Aug 27 17:50:21 snort snort[1414]: Parsing Rules file
> "/etc/snort/snort.conf"
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'HTTP_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 36 80:90 311 383 555 591 593 631 801
> 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980
> 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173
> 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028
> 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344
> 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
> 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
> 44449 50000 50002 51423 53331 55252 55555 56712 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'SHELLCODE_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 0:79 81:65535 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'ORACLE_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 1024:65535 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'SSH_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 22 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'FTP_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 21 2100 3535 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'SIP_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 5060:5061 5600 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'FILE_DATA_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 36 80:90 110 143 311 383 555 591 593
> 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381
> 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600
> 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014
> 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333
> 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443
> 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080
> 44449 50000 50002 51423 53331 55252 55555 56712 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: PortVar 'GTP_PORTS' defined :
>
> Aug 27 17:50:21 snort snort[1414]: [ 2123 2152 3386 ]
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: Detection:
>
> Aug 27 17:50:21 snort snort[1414]: Search-Method = AC-Full-Q
>
> Aug 27 17:50:21 snort snort[1414]: Split Any/Any group = enabled
>
> Aug 27 17:50:21 snort snort[1414]: Search-Method-Optimizations = enabled
>
> Aug 27 17:50:21 snort snort[1414]: Maximum pattern length = 20
>
> Aug 27 17:50:21 snort snort[1414]: Tagged Packet Limit: 256
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules...
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: No dynamic libraries found in
> directory /usr/local/lib/snort_dynamicrules.
>
> Aug 27 17:50:21 snort snort[1414]: Finished Loading all dynamic detection
> libs from /usr/local/lib/snort_dynamicrules
>
> Aug 27 17:50:21 snort snort[1414]: Loading all dynamic preprocessor libs
> from /usr/local/lib/snort_dynamicpreprocessor/...
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
>
> Aug 27 17:50:21 snort snort[1414]: done
>
> Aug 27 17:50:21 snort snort[1414]: Finished Loading all dynamic
> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>
> Aug 27 17:50:21 snort snort[1414]: Log directory = /var/log/snort
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: ip4 normalizations disabled
> because not inline.
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: tcp normalizations disabled
> because not inline.
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: icmp4 normalizations disabled
> because not inline.
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: ip6 normalizations disabled
> because not inline.
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: icmp6 normalizations disabled
> because not inline.
>
> Aug 27 17:50:21 snort snort[1414]: Frag3 global config:
>
> Aug 27 17:50:21 snort snort[1414]: Max frags: 65536
>
> Aug 27 17:50:21 snort snort[1414]: Fragment memory cap: 4194304 bytes
>
> Aug 27 17:50:21 snort snort[1414]: Frag3 engine config:
>
> Aug 27 17:50:21 snort snort[1414]: Bound Address: default
>
> Aug 27 17:50:21 snort snort[1414]: Target-based policy: WINDOWS
>
> Aug 27 17:50:21 snort snort[1414]: Fragment timeout: 180 seconds
>
> Aug 27 17:50:21 snort snort[1414]: Fragment min_ttl:   1
>
> Aug 27 17:50:21 snort snort[1414]: Fragment Anomalies: Alert
>
> Aug 27 17:50:21 snort snort[1414]: Overlap Limit:     10
>
> Aug 27 17:50:21 snort snort[1414]: Min fragment Length:     100
>
> Aug 27 17:50:21 snort snort[1414]: Stream5 global config:
>
> Aug 27 17:50:21 snort snort[1414]: Track TCP sessions: ACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Max TCP sessions: 262144
>
> Aug 27 17:50:21 snort snort[1414]: TCP cache pruning timeout: 30 seconds
>
> Aug 27 17:50:21 snort snort[1414]: TCP cache nominal timeout: 3600 seconds
>
> Aug 27 17:50:21 snort snort[1414]: Memcap (for reassembly packet storage):
> 8388608
>
> Aug 27 17:50:21 snort snort[1414]: Track UDP sessions: ACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Max UDP sessions: 131072
>
> Aug 27 17:50:21 snort snort[1414]: UDP cache pruning timeout: 30 seconds
>
> Aug 27 17:50:21 snort snort[1414]: UDP cache nominal timeout: 180 seconds
>
> Aug 27 17:50:21 snort snort[1414]: Track ICMP sessions: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Track IP sessions: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Log info if session memory consumption
> exceeds 1048576
>
> Aug 27 17:50:21 snort snort[1414]: Send up to 2 active responses
>
> Aug 27 17:50:21 snort snort[1414]: Wait at least 5 seconds between
> responses
>
> Aug 27 17:50:21 snort snort[1414]: Protocol Aware Flushing: ACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Maximum Flush Point: 16000
>
> Aug 27 17:50:21 snort snort[1414]: Max Expected Streams: 768
>
> Aug 27 17:50:21 snort snort[1414]: Stream5 TCP Policy config:
>
> Aug 27 17:50:21 snort snort[1414]: Bound Address: default
>
> Aug 27 17:50:21 snort snort[1414]: Reassembly Policy: WINDOWS
>
> Aug 27 17:50:21 snort snort[1414]: Timeout: 180 seconds
>
> Aug 27 17:50:21 snort snort[1414]: Limit on TCP Overlaps: 10
>
> Aug 27 17:50:21 snort snort[1414]: Maximum number of bytes to queue per
> session: 1048576
>
> Aug 27 17:50:21 snort snort[1414]: Maximum number of segs to queue per
> session: 2621
>
> Aug 27 17:50:21 snort snort[1414]: Options:
>
> Aug 27 17:50:21 snort snort[1414]: Require 3-Way Handshake: YES
>
> Aug 27 17:50:21 snort snort[1414]: 3-Way Handshake Timeout: 180
>
> Aug 27 17:50:21 snort snort[1414]: Detect Anomalies: YES
>
> Aug 27 17:50:21 snort snort[1414]: Reassembly Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 21 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 22 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 23 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 25 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 36 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 42 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 53 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 70 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 79 client (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 80 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 81 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 82 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 83 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 84 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 85 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 86 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 87 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 88 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 89 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: 90 client (Footprint) server (Footprint)
>
> Aug 27 17:50:21 snort snort[1414]: additional ports configured but not
> printed.
>
> Aug 27 17:50:21 snort snort[1414]: Stream5 UDP Policy config:
>
> Aug 27 17:50:21 snort snort[1414]: Timeout: 180 seconds
>
> Aug 27 17:50:21 snort snort[1414]: HttpInspect Config:
>
> Aug 27 17:50:21 snort snort[1414]: GLOBAL CONFIG
>
> Aug 27 17:50:21 snort snort[1414]: Max Pipeline Requests:    0
>
> Aug 27 17:50:21 snort snort[1414]: Inspection Type:          STATELESS
>
> Aug 27 17:50:21 snort snort[1414]: Detect Proxy Usage:       NO
>
> Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map Filename:
> /etc/snort/unicode.map
>
> Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map Codepage: 1252
>
> Aug 27 17:50:21 snort snort[1414]: Memcap used for logging URI and
> Hostname: 150994944
>
> Aug 27 17:50:21 snort snort[1414]: Max Gzip Memory: 838860
>
> Aug 27 17:50:21 snort snort[1414]: Max Gzip Sessions: 5518
>
> Aug 27 17:50:21 snort snort[1414]: Gzip Compress Depth: 65535
>
> Aug 27 17:50:21 snort snort[1414]: Gzip Decompress Depth: 65535
>
> Aug 27 17:50:21 snort snort[1414]: DEFAULT SERVER CONFIG:
>
> Aug 27 17:50:21 snort snort[1414]: Server profile: All
>
> Aug 27 17:50:21 snort snort[1414]: Ports (PAF): 36 80 81 82 83 84 85 86 87
> 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533
> 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000
> 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510
> 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118
> 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983
> 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489
> 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252
> 55555 56712
>
> Aug 27 17:50:21 snort snort[1414]: Server Flow Depth: 0
>
> Aug 27 17:50:21 snort snort[1414]: Client Flow Depth: 0
>
> Aug 27 17:50:21 snort snort[1414]: Max Chunk Length: 500000
>
> Aug 27 17:50:21 snort snort[1414]: Small Chunk Length Evasion: chunk size
> <= 10, threshold >= 5 times
>
> Aug 27 17:50:21 snort snort[1414]: Max Header Field Length: 750
>
> Aug 27 17:50:21 snort snort[1414]: Max Number Header Fields: 100
>
> Aug 27 17:50:21 snort snort[1414]: Max Number of WhiteSpaces allowed with
> header folding: 200
>
> Aug 27 17:50:21 snort snort[1414]: Inspect Pipeline Requests: YES
>
> Aug 27 17:50:21 snort snort[1414]: URI Discovery Strict Mode: NO
>
> Aug 27 17:50:21 snort snort[1414]: Allow Proxy Usage: NO
>
> Aug 27 17:50:21 snort snort[1414]: Disable Alerting: NO
>
> Aug 27 17:50:21 snort snort[1414]: Oversize Dir Length: 500
>
> Aug 27 17:50:21 snort snort[1414]: Only inspect URI: NO
>
> Aug 27 17:50:21 snort snort[1414]: Normalize HTTP Headers: NO
>
> Aug 27 17:50:21 snort snort[1414]: Inspect HTTP Cookies: YES
>
> Aug 27 17:50:21 snort snort[1414]: Inspect HTTP Responses: YES
>
> Aug 27 17:50:21 snort snort[1414]: Extract Gzip from responses: YES
>
> Aug 27 17:50:21 snort snort[1414]: Unlimited decompression of gzip data
> from responses: YES
>
> Aug 27 17:50:21 snort snort[1414]: Normalize Javascripts in HTTP
> Responses: YES
>
> Aug 27 17:50:21 snort snort[1414]: Max Number of WhiteSpaces allowed with
> Javascript Obfuscation in HTTP responses: 200
>
> Aug 27 17:50:21 snort snort[1414]: Normalize HTTP Cookies: NO
>
> Aug 27 17:50:21 snort snort[1414]: Enable XFF and True Client IP: NO
>
> Aug 27 17:50:21 snort snort[1414]: Log HTTP URI data: NO
>
> Aug 27 17:50:21 snort snort[1414]: Log HTTP Hostname data: NO
>
> Aug 27 17:50:21 snort snort[1414]: Extended ASCII code support in URI: NO
>
> Aug 27 17:50:21 snort snort[1414]: Ascii: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: Double Decoding: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: %U Encoding: YES alert: YES
>
> Aug 27 17:50:21 snort snort[1414]: Bare Byte: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: UTF 8: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: IIS Unicode: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: Multiple Slash: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: IIS Backslash: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: Directory Traversal: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: Web Root Traversal: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: Apache WhiteSpace: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: IIS Delimiter: YES alert: NO
>
> Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map: GLOBAL IIS UNICODE MAP
> CONFIG
>
> Aug 27 17:50:21 snort snort[1414]: Non-RFC Compliant Characters: 0x00 0x01
> 0x02 0x03 0x04 0x05 0x06 0x07
>
> Aug 27 17:50:21 snort snort[1414]: Whitespace Characters: 0x09 0x0b 0x0c
> 0x0d
>
> Aug 27 17:50:21 snort snort[1414]: rpc_decode arguments:
>
> Aug 27 17:50:21 snort snort[1414]: Ports to decode RPC on: 111 32770 32771
> 32772 32773 32774 32775 32776 32777 32778 32779
>
> Aug 27 17:50:21 snort snort[1414]: alert_fragments: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: alert_large_fragments: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: alert_incomplete: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: alert_multiple_requests: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: FTPTelnet Config:
>
> Aug 27 17:50:21 snort snort[1414]: GLOBAL CONFIG
>
> Aug 27 17:50:21 snort snort[1414]: Inspection Type: stateful
>
> Aug 27 17:50:21 snort snort[1414]: Check for Encrypted Traffic: YES alert:
> NO
>
> Aug 27 17:50:21 snort snort[1414]: Continue to check encrypted data: YES
>
> Aug 27 17:50:21 snort snort[1414]: TELNET CONFIG:
>
> Aug 27 17:50:21 snort snort[1414]: Ports: 23
>
> Aug 27 17:50:21 snort snort[1414]: Are You There Threshold: 20
>
> Aug 27 17:50:21 snort snort[1414]: Normalize: YES
>
> Aug 27 17:50:21 snort snort[1414]: Detect Anomalies: YES
>
> Aug 27 17:50:21 snort snort[1414]: FTP CONFIG:
>
> Aug 27 17:50:21 snort snort[1414]: FTP Server: default
>
> Aug 27 17:50:21 snort snort[1414]: Ports (PAF): 21 2100 3535
>
> Aug 27 17:50:21 snort snort[1414]: Check for Telnet Cmds: YES alert: YES
>
> Aug 27 17:50:21 snort snort[1414]: Ignore Telnet Cmd Operations: YES
> alert: YES
>
> Aug 27 17:50:21 snort snort[1414]: Ignore open data channels: NO
>
> Aug 27 17:50:21 snort snort[1414]: FTP Client: default
>
> Aug 27 17:50:21 snort snort[1414]: Check for Bounce Attacks: YES alert: YES
>
> Aug 27 17:50:21 snort snort[1414]: Check for Telnet Cmds: YES alert: YES
>
> Aug 27 17:50:21 snort snort[1414]: Ignore Telnet Cmd Operations: YES
> alert: YES
>
> Aug 27 17:50:21 snort snort[1414]: Max Response Length: 256
>
> Aug 27 17:50:21 snort snort[1414]: SMTP Config:
>
> Aug 27 17:50:21 snort snort[1414]: Ports: 25 465 587 691
>
> Aug 27 17:50:21 snort snort[1414]: Inspection Type: Stateful
>
> Aug 27 17:50:21 snort snort[1414]: Normalize: ATRN AUTH BDAT DATA DEBUG
> EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU
> QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY
> X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN
> XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
>
> Aug 27 17:50:21 snort snort[1414]: Ignore Data: No
>
> Aug 27 17:50:21 snort snort[1414]: Ignore TLS Data: No
>
> Aug 27 17:50:21 snort snort[1414]: Ignore SMTP Alerts: No
>
> Aug 27 17:50:21 snort snort[1414]: Max Command Line Length: 512
>
> Aug 27 17:50:21 snort snort[1414]: Max Specific Command Line Length:
>
> Aug 27 17:50:21 snort snort[1414]: ATRN:255 AUTH:246 BDAT:255 DATA:246
> DEBUG:255
>
> Aug 27 17:50:21 snort snort[1414]: EHLO:500 EMAL:255 ESAM:255 ESND:255
> ESOM:255
>
> Aug 27 17:50:21 snort snort[1414]: ETRN:246 EVFY:255 EXPN:255 HELO:500
> HELP:500
>
> Aug 27 17:50:21 snort snort[1414]: IDENT:255 MAIL:260 NOOP:255 ONEX:246
> QUEU:246
>
> Aug 27 17:50:21 snort snort[1414]: QUIT:246 RCPT:300 RSET:246 SAML:246
> SEND:246
>
> Aug 27 17:50:21 snort snort[1414]: SIZE:255 STARTTLS:246 SOML:246 TICK:246
> TIME:246
>
> Aug 27 17:50:21 snort snort[1414]: TURN:246 TURNME:246 VERB:246 VRFY:255
> X-EXPS:246
>
> Aug 27 17:50:21 snort snort[1414]: XADR:246 XAUTH:246 XCIR:246 XEXCH50:246
> XGEN:246
>
> Aug 27 17:50:21 snort snort[1414]: XLICENSE:246 X-LINK2STATE:246 XQUE:246
> XSTA:246 XTRN:246
>
> Aug 27 17:50:21 snort snort[1414]: XUSR:246
>
> Aug 27 17:50:21 snort snort[1414]: Max Header Line Length: 1000
>
> Aug 27 17:50:21 snort snort[1414]: Max Response Line Length: 512
>
> Aug 27 17:50:21 snort snort[1414]: X-Link2State Alert: Yes
>
> Aug 27 17:50:21 snort snort[1414]: Drop on X-Link2State Alert: No
>
> Aug 27 17:50:21 snort snort[1414]: Alert on commands: None
>
> Aug 27 17:50:21 snort snort[1414]: Alert on unknown commands: No
>
> Aug 27 17:50:21 snort snort[1414]: SMTP Memcap: 838860
>
> Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860
>
> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth:
> Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction:
> Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction
> Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Log Attachment filename: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Log MAIL FROM Address: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Log RCPT TO Addresses: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Log Email Headers: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Email Hdrs Log Depth: 1464
>
> Aug 27 17:50:21 snort snort[1414]: SSH config:
>
> Aug 27 17:50:21 snort snort[1414]: Autodetection: ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: Challenge-Response Overflow Alert:
> ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: SSH1 CRC32 Alert: ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: Server Version String Overflow Alert:
> ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: Protocol Mismatch Alert: ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: Bad Message Direction Alert: DISABLED
>
> Aug 27 17:50:21 snort snort[1414]: Bad Payload Size Alert: DISABLED
>
> Aug 27 17:50:21 snort snort[1414]: Unrecognized Version Alert: DISABLED
>
> Aug 27 17:50:21 snort snort[1414]: Max Encrypted Packets: 20
>
> Aug 27 17:50:21 snort snort[1414]: Max Server Version String Length: 100
>
> Aug 27 17:50:21 snort snort[1414]: MaxClientBytes: 19600 (Default)
>
> Aug 27 17:50:21 snort snort[1414]: Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 22
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: DCE/RPC 2 Preprocessor Configuration
>
> Aug 27 17:50:21 snort snort[1414]: Global Configuration
>
> Aug 27 17:50:21 snort snort[1414]: DCE/RPC Defragmentation: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Memcap: 102400 KB
>
> Aug 27 17:50:21 snort snort[1414]: Events: co
>
> Aug 27 17:50:21 snort snort[1414]: SMB Fingerprint policy: Disabled
>
> Aug 27 17:50:21 snort snort[1414]: Server Default Configuration
>
> Aug 27 17:50:21 snort snort[1414]: Policy: WinXP
>
> Aug 27 17:50:21 snort snort[1414]: Detect ports (PAF)
>
> Aug 27 17:50:21 snort snort[1414]: SMB: 139 445
>
> Aug 27 17:50:21 snort snort[1414]: TCP: 135
>
> Aug 27 17:50:21 snort snort[1414]: UDP: 135
>
> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP server: 593
>
> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP proxy: None
>
> Aug 27 17:50:21 snort snort[1414]: Autodetect ports (PAF)
>
> Aug 27 17:50:21 snort snort[1414]: SMB: None
>
> Aug 27 17:50:21 snort snort[1414]: TCP: 1025-65535
>
> Aug 27 17:50:21 snort snort[1414]: UDP: 1025-65535
>
> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP server: 1025-65535
>
> Aug 27 17:50:21 snort snort[1414]: RPC over HTTP proxy: None
>
> Aug 27 17:50:21 snort snort[1414]: Invalid SMB shares: C$ D$ ADMIN$
>
> Aug 27 17:50:21 snort snort[1414]: Maximum SMB command chaining: 3 commands
>
> Aug 27 17:50:21 snort snort[1414]: SMB file inspection: Disabled
>
> Aug 27 17:50:21 snort snort[1414]: DNS config:
>
> Aug 27 17:50:21 snort snort[1414]: DNS Client rdata txt Overflow Alert:
> ACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Obsolete DNS RR Types Alert: INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Experimental DNS RR Types Alert:
> INACTIVE
>
> Aug 27 17:50:21 snort snort[1414]: Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 53
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: SSLPP config:
>
> Aug 27 17:50:21 snort snort[1414]: Encrypted packets: not inspected
>
> Aug 27 17:50:21 snort snort[1414]: Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 443      465      563      636      989
>
> Aug 27 17:50:21 snort snort[1414]: 992      993      994      995     5061
>
> Aug 27 17:50:21 snort snort[1414]: 7801     7802     7900     7901     7902
>
> Aug 27 17:50:21 snort snort[1414]: 7903     7904     7905     7906     7907
>
> Aug 27 17:50:21 snort snort[1414]: 7908     7909     7910     7911     7912
>
> Aug 27 17:50:21 snort snort[1414]: 7913     7914     7915     7916     7917
>
> Aug 27 17:50:21 snort snort[1414]: 7918     7919     7920
>
> Aug 27 17:50:21 snort snort[1414]: Server side data is trusted
>
> Aug 27 17:50:21 snort snort[1414]: Sensitive Data preprocessor config:
>
> Aug 27 17:50:21 snort snort[1414]: Global Alert Threshold: 25
>
> Aug 27 17:50:21 snort snort[1414]: Masked Output: DISABLED
>
> Aug 27 17:50:21 snort snort[1414]: SIP config:
>
> Aug 27 17:50:21 snort snort[1414]: Max number of sessions: 40000
>
> Aug 27 17:50:21 snort snort[1414]: Max number of dialogs in a session: 4
> (Default)
>
> Aug 27 17:50:21 snort snort[1414]: Status: ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: Ignore media channel: DISABLED
>
> Aug 27 17:50:21 snort snort[1414]: Max URI length: 512
>
> Aug 27 17:50:21 snort snort[1414]: Max Call ID length: 80
>
> Aug 27 17:50:21 snort snort[1414]: Max Request name length: 20 (Default)
>
> Aug 27 17:50:21 snort snort[1414]: Max From length: 256 (Default)
>
> Aug 27 17:50:21 snort snort[1414]: Max To length: 256 (Default)
>
> Aug 27 17:50:21 snort snort[1414]: Max Via length: 1024 (Default)
>
> Aug 27 17:50:21 snort snort[1414]: Max Contact length: 512
>
> Aug 27 17:50:21 snort snort[1414]: Max Content length: 2048
>
> Aug 27 17:50:21 snort snort[1414]: Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 5060
>
> Aug 27 17:50:21 snort snort[1414]: 5061
>
> Aug 27 17:50:21 snort snort[1414]: 5600
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: Methods:
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: invite
>
> Aug 27 17:50:21 snort snort[1414]: cancel
>
> Aug 27 17:50:21 snort snort[1414]: ack
>
> Aug 27 17:50:21 snort snort[1414]: bye
>
> Aug 27 17:50:21 snort snort[1414]: register
>
> Aug 27 17:50:21 snort snort[1414]: options
>
> Aug 27 17:50:21 snort snort[1414]: refer
>
> Aug 27 17:50:21 snort snort[1414]: subscribe
>
> Aug 27 17:50:21 snort snort[1414]: update
>
> Aug 27 17:50:21 snort snort[1414]: join
>
> Aug 27 17:50:21 snort snort[1414]: info
>
> Aug 27 17:50:21 snort snort[1414]: message
>
> Aug 27 17:50:21 snort snort[1414]: notify
>
> Aug 27 17:50:21 snort snort[1414]: benotify
>
> Aug 27 17:50:21 snort snort[1414]: do
>
> Aug 27 17:50:21 snort snort[1414]: qauth
>
> Aug 27 17:50:21 snort snort[1414]: sprack
>
> Aug 27 17:50:21 snort snort[1414]: publish
>
> Aug 27 17:50:21 snort snort[1414]: service
>
> Aug 27 17:50:21 snort snort[1414]: unsubscribe
>
> Aug 27 17:50:21 snort snort[1414]: prack
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: IMAP Config:
>
> Aug 27 17:50:21 snort snort[1414]: Ports: 143
>
> Aug 27 17:50:21 snort snort[1414]: IMAP Memcap: 838860
>
> Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860
>
> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth:
> Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction:
> Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction
> Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: POP Config:
>
> Aug 27 17:50:21 snort snort[1414]: Ports: 110
>
> Aug 27 17:50:21 snort snort[1414]: POP Memcap: 838860
>
> Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860
>
> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth:
> Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction:
> Enabled
>
> Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction
> Depth: Unlimited
>
> Aug 27 17:50:21 snort snort[1414]: Modbus config:
>
> Aug 27 17:50:21 snort snort[1414]: Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 502
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: DNP3 config:
>
> Aug 27 17:50:21 snort snort[1414]: Memcap: 262144
>
> Aug 27 17:50:21 snort snort[1414]: Check Link-Layer CRCs: ENABLED
>
> Aug 27 17:50:21 snort snort[1414]: Ports:
>
> Aug 27 17:50:21 snort snort[1414]: 20000
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]: Reputation config:
>
> Aug 27 17:50:21 snort snort[1414]: WARNING: Can't find any
> whitelist/blacklist entries. Reputation Preprocessor disabled.
>
> Aug 27 17:50:21 snort snort[1414]:
>
> Aug 27 17:50:21 snort snort[1414]:
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Aug 27 17:50:21 snort snort[1414]: Initializing rule chains...
>
> Aug 27 17:50:22 snort snort[1414]: 5125 Snort rules read
>
> Aug 27 17:50:22 snort snort[1414]: 5125 detection rules
>
> Aug 27 17:50:22 snort snort[1414]: 0 decoder rules
>
> Aug 27 17:50:22 snort snort[1414]: 0 preprocessor rules
>
> Aug 27 17:50:22 snort snort[1414]: 5125 Option Chains linked into 228
> Chain Headers
>
> Aug 27 17:50:22 snort snort[1414]: 0 Dynamic rules
>
> Aug 27 17:50:22 snort snort[1414]:
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Aug 27 17:50:22 snort snort[1414]:
>
> Aug 27 17:50:23 snort snort[1414]: +-------------------[Rule Port
> Counts]---------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: |             tcp     udp    icmp
> ip
>
> Aug 27 17:50:23 snort snort[1414]: |     src    1737       7       0
> 0
>
> Aug 27 17:50:23 snort snort[1414]: |     dst    2679     594       0
> 0
>
> Aug 27 17:50:23 snort snort[1414]: |     any     104       2       3
> 0
>
> Aug 27 17:50:23 snort snort[1414]: |      nc      14       0       0
> 0
>
> Aug 27 17:50:23 snort snort[1414]: |     s+d       1       1       0
> 0
>
> Aug 27 17:50:23 snort snort[1414]:
> +----------------------------------------------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]:
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[detection-filter-config]------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[detection-filter-rules]-------------------------------
>
> Aug 27 17:50:23 snort snort[1414]:
> -------------------------------------------------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]:
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[rate-filter-config]-----------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[rate-filter-rules]------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: | none
>
> Aug 27 17:50:23 snort snort[1414]:
> -------------------------------------------------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]:
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[event-filter-config]----------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[event-filter-global]----------------------------------
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[event-filter-local]-----------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: | none
>
> Aug 27 17:50:23 snort snort[1414]:
> +-----------------------[suppression]------------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: | none
>
> Aug 27 17:50:23 snort snort[1414]:
> -------------------------------------------------------------------------------
>
> Aug 27 17:50:23 snort snort[1414]: Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
>
> Aug 27 17:50:23 snort snort[1414]: Verifying Preprocessor Configurations!
>
> Aug 27 17:50:23 snort snort[1414]: ICMP tracking disabled, no ICMP
> sessions allocated
>
> Aug 27 17:50:23 snort snort[1414]: IP tracking disabled, no IP sessions
> allocated
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'acunetix-scan'
> is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'kit.blackhole'
> is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'ssl_handshake'
> is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.dmg' is
> checked but not ever set.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.msi' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.fpx' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
> 'tlsv1.0_handshake' is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
> 'tlsv1.2_handshake' is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.htc' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.wri' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.hhk' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
> 'tlsv1.1_handshake' is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'spyrat_bd' is
> set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key
> 'file.zip.winrar.spoof' is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'imap.cram_md5'
> is set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.lanman' is
> set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.xfdl' is
> set but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.vwr' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.ram' is
> checked but not ever set.
>
> Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'hornet.2' is set
> but not ever checked.
>
> Aug 27 17:50:23 snort snort[1414]: 130 out of 1024 flowbits in use.
>
> Aug 27 17:50:29 snort snort[1414]:
>
> Aug 27 17:50:29 snort snort[1414]: [ Port Based Pattern Matching Memory ]
>
> Aug 27 17:50:29 snort snort[1414]: +- [ Aho-Corasick Summary ]
> -------------------------------------
>
> Aug 27 17:50:29 snort snort[1414]: | Storage Format    : Full-Q
>
> Aug 27 17:50:29 snort snort[1414]: | Finite Automaton  : DFA
>
> Aug 27 17:50:29 snort snort[1414]: | Alphabet Size     : 256 Chars
>
> Aug 27 17:50:29 snort snort[1414]: | Sizeof State      : Variable (1,2,4
> bytes)
>
> Aug 27 17:50:29 snort snort[1414]: | Instances         : 162
>
> Aug 27 17:50:29 snort snort[1414]: |     1 byte states : 152
>
> Aug 27 17:50:29 snort snort[1414]: |     2 byte states : 10
>
> Aug 27 17:50:29 snort snort[1414]: |     4 byte states : 0
>
> Aug 27 17:50:29 snort snort[1414]: | Characters        : 94220
>
> Aug 27 17:50:29 snort snort[1414]: | States            : 72484
>
> Aug 27 17:50:29 snort snort[1414]: | Transitions       : 7893243
>
> Aug 27 17:50:29 snort snort[1414]: | State Density     : 42.5%
>
> Aug 27 17:50:29 snort snort[1414]: | Patterns          : 5159
>
> Aug 27 17:50:29 snort snort[1414]: | Match States      : 5800
>
> Aug 27 17:50:29 snort snort[1414]: | Memory (MB)       : 37.42
>
> Aug 27 17:50:29 snort snort[1414]: |   Patterns        : 0.57
>
> Aug 27 17:50:29 snort snort[1414]: |   Match Lists     : 1.26
>
> Aug 27 17:50:29 snort snort[1414]: |   DFA
>
> Aug 27 17:50:29 snort snort[1414]: |     1 byte states : 0.94
>
> Aug 27 17:50:29 snort snort[1414]: |     2 byte states : 34.36
>
> Aug 27 17:50:29 snort snort[1414]: |     4 byte states : 0.00
>
> Aug 27 17:50:29 snort snort[1414]:
> +----------------------------------------------------------------
>
> Aug 27 17:50:29 snort snort[1414]: [ Number of patterns truncated to 20
> bytes: 318 ]
>
> Aug 27 17:50:29 snort snort[1414]: pcap DAQ configured to passive.
>
> Aug 27 17:50:29 snort snort[1414]: Acquiring network traffic from "enp0s3".
>
> Aug 27 17:50:29 snort snort[1414]: Initializing daemon mode
>
> Aug 27 17:50:29 snort snort[1415]: Daemon initialized, signaled parent
> pid: 1414
>
> Aug 27 17:50:29 snort snort[1415]: Reload thread starting...
>
> Aug 27 17:50:29 snort snort[1415]: Reload thread started, thread
> 0x7fee608f3700 (1416)
>
> Aug 27 17:50:29 snort snort[1415]: Decoding Ethernet
>
> Aug 27 17:50:29 snort snort[1415]: Checking PID path...
>
> Aug 27 17:50:29 snort snort[1415]: PID path stat checked out ok, PID path
> set to /var/run/
>
> Aug 27 17:50:29 snort snort[1415]: Writing PID "1415" to file
> "/var/run//snort_enp0s3.pid"
>
> Aug 27 17:50:29 snort kernel: device enp0s3 entered promiscuous mode
>
> Aug 27 17:50:29 snort snort[1415]: Set gid to 40000
>
> Aug 27 17:50:29 snort snort[1415]: Set uid to 40000
>
> Aug 27 17:50:29 snort snort[1415]:
>
> Aug 27 17:50:29 snort snort[1415]: --== Initialization Complete ==--
>
> Aug 27 17:50:29 snort snort[1415]: Commencing packet processing (pid=1415)
>
>
>
>
>
> When I check status I get following
>
>
>
> [root at ...2306... bin]# ./snort status
>
> Running in packet dump mode
>
>
>
>         --== Initializing Snort ==--
>
> Initializing Output Plugins!
>
> Snort BPF option: status
>
> pcap DAQ configured to passive.
>
> Acquiring network traffic from "enp0s3".
>
> ERROR: Can't set DAQ BPF filter to 'status' (pcap_daq_set_filter:
> pcap_compile: syntax error)!
>
> Fatal Error, Quitting..
>
>
>
>
>
> How do I fix this issue?
>
>
>
>
>
> Sharif Uddin
> Development/Support Engineer
> -------------------
>
> Spectrum Geo Ltd
> Dukes Court, Duke Street
> Woking, Surrey
> GU21 5BH
> UNITED KINGDOM
>
> Tel: +44 (0) 1483 730201
> Fax: +44 (0) 1483 762620
>
>
>
> www.spectrumasa.com <http://www.spectrumasa.com/>
>
>
>
>
> IMPORTANT - This message and any attached files contain information
> intended for the exclusive use of the party or parties to whom it is
> addressed and may contain information that is proprietary, privileged,
> confidential and/or exempt from disclosure under applicable law. If you are
> not an intended recipient, you are hereby notified that any viewing,
> copying, disclosure or distribution of this information may be subject to
> legal restriction or sanction. Please notify the sender immediately and
> delete the original message without making any copies. Copyright in this
> email and any attachments belong to Spectrum Geo Limited.
> We cannot guarantee the security or confidentiality of email
> communications. We do not accept any liability for losses or damages that
> you may suffer as a result of your receipt of this email.
> Email communication with Spectrum Geo Ltd., may be monitored as permitted
> by UK legislation.
> Spectrum Geo Limited, is a limited company registered in England and
> Wales. Registered number: 1979422. Registered office: 95 Aldwych, London
> WC2B 4JF.
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
>



-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
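Snort 2.x treats any trailing non-option argument as a BPF filter expression, which is why the quoted output reports "Snort BPF option: status" and then fails in pcap_compile: `./snort status` is not a status command. An added example, not from this thread or the Snort project, of checking a daemonised Snort through the PID file the quoted log says it writes (/var/run//snort_enp0s3.pid is taken from the log; the function name is hypothetical):

```shell
#!/bin/sh
# Added example: check a daemonised Snort by its PID file instead of
# running "./snort status" (which Snort parses as a BPF filter).
# The PID file path is the one reported in the quoted startup log.

# snort_status PIDFILE
# Prints a one-line verdict and returns:
#   0 = running, 1 = stale PID file, 2 = malformed PID file, 3 = no PID file
snort_status() {
    pidfile="$1"
    if [ ! -f "$pidfile" ]; then
        echo "no PID file at $pidfile: snort has not been started for this interface"
        return 3
    fi
    # Snort writes the bare PID; strip any surrounding whitespace.
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*)
            echo "malformed PID file $pidfile: '$pid'"
            return 2 ;;
    esac
    # kill -0 fails with EPERM when snort runs as another user (here uid 40000),
    # so also accept a live /proc entry as proof the process exists.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo "snort running as pid $pid"
        return 0
    fi
    echo "stale PID file $pidfile: no process with pid $pid"
    return 1
}

# Sample invocation against the path from the quoted log (override with $1).
rc=0
snort_status "${1:-/var/run//snort_enp0s3.pid}" || rc=$?
echo "exit status: $rc"
```
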