No subject


Thu Nov 23 16:36:19 EST 2017


Lots of weird issues with that IDS center. Not 100% certain, but seems that
most individuals resort to command line in order to get snort to work on
win2k...at least that is how I managed to get it to function correctly.

-----Original Message-----
From: Richard Roy [mailto:royr at ...5882...]
Sent: Wednesday, May 15, 2002 8:50 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet. I
received no error messages, the SNORT window is minimized and things appear
to work, yet there are no alerts, no log entries, nothing. I know we are
under hits all the time; my firewall reports blocking them.

Setup:
W2K Pro p3 733. On a hub with router and firewall external interface. I
have 64 public IPs and I'd like to scan the range if possible. I am
including the following.

From IDSCentre the command line it fires, the snort.conf file and the
screen output from the minimized snort window. I can't quite figure out
what is wrong. Another set of eyes looking at this is what I am hoping
someone will do and see a problem.

TIA for your help

Rich
PS Sorry it is a long post, but I did not want to do an attachment.

[Begin config]
[************cmd line*********]
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y

[*NOTE, yes I blanked out my IP above. It is a public IP*]

[***********snort.conf**************]
#--------------------------------------------------
#   http://www.activeworx.com  Snort 1.8.6 Ruleset
#     IDS Policy Manager Version: 1.3 Build(31)
# Current Database Updated -- May 10, 2002 10:55 AM
#--------------------------------------------------
#
## Variables
## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
#var RULE_PATH ./
var RULE_PATH c:\snort\rules
var SHELLCODE_PORTS !80
#var SPADEDIR .
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 -cginull -unicode
preprocessor rpc_decode: 111 32771
preprocessor bo:
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor frag2
preprocessor telnet_decode
#
#
## Output Modules
## --------------
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default
output log_tcpdump: snorttcp.log
#output xml: Log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules
## ------------
ruletype suspicious
{
 type log
 output log_tcpdump: suspicious.log
}
ruletype redalert
{
 type alert
 output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
}
#ruletype <New_Custom_Rules>
#{
#}
#
## Include Files
## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


{*********Snort Screen*************}

Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file c:\snort\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Using GMT time
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 103)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
          (based on code from 1.7 port)

[End config]
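The sensor in the post starts without errors and then stays silent, which is exactly the situation where a startup banner deserves a second read before the silence is trusted. The following Python check is an added example, not code from the post or from the Snort project: it parses a Snort 1.8-style command line and startup banner and reports what a reviewer would verify first, namely whether the -h netmask covers the address range the operator described, whether the opened interface is the RAS/dial-up pseudo-adapter rather than the LAN NIC, and how many configured log output modules were overridden by command-line logging switches. The sample command line and startup lines are constructed from the text quoted above, with the blanked-out address replaced by the 192.0.2.1 documentation placeholder (an assumption); every function name is this example's own.

```python
"""Sanity-check a Snort 1.8-style command line and startup banner.

Added example, not code from the post or the Snort project. The sample
command line and startup text are constructed from the lines quoted in the
post; the poster's blanked-out address is replaced by the documentation
placeholder 192.0.2.1 (assumption), and every function name is this
example's own.
"""

import ipaddress
import re

# Constructed sample: the IDSCentre command line from the post, with the
# blanked-out -h address replaced by a placeholder.
CMD_LINE = ('c:\\snort\\Snort.exe -c "c:\\snort\\snort.conf" -l "c:\\snort\\log" '
            '-h 192.0.2.1/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y')

# Constructed sample: the startup lines a reviewer cares about, as quoted.
STARTUP_OUTPUT = """\
Log directory = c:\\snort\\log
Decoding Ethernet on interface \\Device\\Packet_NdisWanIp
Parsing Rules file c:\\snort\\snort.conf
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
        --== Initialization Complete ==--
"""


def parse_home_net(cmd_line):
    """Return the network passed to -h, or None when -h is absent."""
    match = re.search(r"(?:^|\s)-h\s+(\S+)", cmd_line)
    if not match:
        return None
    return ipaddress.ip_network(match.group(1), strict=False)


def parse_startup(output):
    """Pull the opened interface, rule count and WARNING lines out of the banner."""
    info = {"interface": None, "rules": None, "warnings": []}
    for line in output.splitlines():
        iface = re.match(r"Decoding Ethernet on interface (\S+)", line)
        if iface:
            info["interface"] = iface.group(1)
        rules = re.match(r"(\d+) Snort rules read", line)
        if rules:
            info["rules"] = int(rules.group(1))
        if line.startswith("WARNING:"):
            info["warnings"].append(line[len("WARNING:"):].strip())
    return info


def review_sensor(cmd_line, output, expected_hosts):
    """Return the findings a reviewer would raise before trusting a silent sensor.

    expected_hosts is the number of addresses the operator wants watched
    (the post mentions 64 public IPs).
    """
    findings = []
    net = parse_home_net(cmd_line)
    info = parse_startup(output)

    # In Snort 1.x, -h sets the home network used for the log directory
    # layout; the rules' $HOME_NET comes from the var in snort.conf.
    if net is not None and net.num_addresses < expected_hosts:
        findings.append(f"-h {net} covers {net.num_addresses} address(es) "
                        f"but {expected_hosts} were expected")

    # Packet_NdisWanIp is WinPcap's name for the RAS/dial-up (NdisWan) adapter,
    # so a sensor on a LAN hub should normally not be reading from it.
    if info["interface"] and "wan" in info["interface"].lower():
        findings.append(f"interface {info['interface']} looks like the WAN/RAS "
                        "pseudo-adapter, not the LAN NIC; check the -i index")

    if not info["rules"]:
        findings.append("no rules were loaded")

    # Each of these warnings is one 'output log_...' line in snort.conf that
    # command-line logging switches (such as -b here) replaced; report once.
    for warning in dict.fromkeys(info["warnings"]):
        findings.append(f"startup warning ({info['warnings'].count(warning)}x): "
                        f"{warning}")
    return findings


if __name__ == "__main__":
    for finding in review_sensor(CMD_LINE, STARTUP_OUTPUT, expected_hosts=64):
        print("-", finding)
```

Run against the constructed sample it reports three findings: a /32 home net against an operator who described 64 addresses, a capture interface named Packet_NdisWanIp, and the "command line overrides rules file logging plugin!" warning repeated three times, which matches the three `output` log modules (CSV, log_tcpdump, log_unified) in the quoted snort.conf. The practical point for anyone reviewing a quiet sensor is that the banner already tells you which parts of the configuration are not in effect; the check only makes that explicit.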



