[Snort-users] Could not read appName. Line Snort Differs AppKey

Damian Torres datorr2 at gmail.com
Fri Aug 3 12:00:11 EDT 2018


Mike,


I removed the -q option.  Here's the full output from the AppId
Configuration:

=================================================
AppId Configuration
    Detector Path:          /usr/local/lib
    appStats Files:         appstats-u2.log
    appStats Period:        60 secs
    appStats Rollover Size: 20971520 bytes
    appStats Rollover time: 86400 secs

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 4043 is UNKNOWN
AppInfo: AppId 473 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4075, for 0x7f97c78ec700 0x5599a3133e00
AppInfo: AppId 4075 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
Invalid direct client application AppId, 2634, for 0x7f97c78ec700 0x5599a314cbc0
AppInfo: AppId 2634 is UNKNOWN
AppInfo: AppId 4115 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f97c78ec700 0x5599a3198520
AppInfo: AppId 4126 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone:
        0.0.0.0-255.255.255.255 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.
=================================================

I also attached the full output, just in case.


Warm Regards,

Damian


On Fri, Aug 3, 2018 at 10:31 AM, Mike Stepanek (mstepane) <
mstepane at cisco.com> wrote:

> There was a similar discussion here... but it was never really conclusive
> whether that was the actual fatal error or not:
>
>     https://lists.snort.org/pipermail/snort-users/2018-July/071578.html
>
> Would you be able to post the entire output from Snort, so we can take
> more of a look?
>
> FYI, to fix that one issue, you can just remove the bogus first line of
> appMapping.data from your ODP install.
>
> - Mike Stepanek
>
>    mstepane at cisco.com
>
> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> Damian Torres via Snort-users <snort-users at lists.snort.org>
> Reply-To: Damian Torres <datorr2 at gmail.com>
> Date: Thursday, August 2, 2018 at 8:55 PM
> To: Snort-Users <snort-users at lists.snort.org>
> Subject: [Snort-users] Could not read appName. Line Snort Differs AppKey
>
> Greetings.
>
> I am currently working on trying to add OpenAppID support for my Snort
> installation, and I think I almost have it working.  However, I am
> receiving these errors and I'm not sure what to do to fix them.
>
> === Error Output ===
>
> Could not read appName. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
> AppInfo: AppId 4109 is UNKNOWN
> AppInfo: AppId 4043 is UNKNOWN
> AppInfo: AppId 503 is UNKNOWN
> AppInfo: AppId 503 is UNKNOWN
> AppInfo: AppId 503 is UNKNOWN
> AppInfo: AppId 503 is UNKNOWN
> AppInfo: AppId 473 is UNKNOWN
> AppInfo: AppId 4385 is UNKNOWN
> AppInfo: AppId 4387 is UNKNOWN
> AppInfo: AppId 4387 is UNKNOWN
> AppInfo: AppId 4385 is UNKNOWN
> AppInfo: AppId 4387 is UNKNOWN
> AppInfo: AppId 4115 is UNKNOWN
> Invalid direct client application AppId, 4126, for 0x7f9850a09700 0x5603a0b58520
> AppInfo: AppId 4126 is UNKNOWN
> Invalid direct client application AppId, 4075, for 0x7f9850a09700 0x5603a0af3e00
> AppInfo: AppId 4075 is UNKNOWN
> Invalid direct client application AppId, 2634, for 0x7f9850a09700 0x5603a0b0cbc0
> AppInfo: AppId 2634 is UNKNOWN
>
> ====================
>
> I have Googled this and haven't been able to find anything, other than
> someone else having a similar issue a few months ago, who received no
> response.
>
>     http://seclists.org/snort/2018/q2/336
>
> Any help would be much appreciated.  Thank you.
>
> Warm Regards,
>
> Damian
>
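The "bogus first line" mentioned in the reply is the text Snort echoes in its error, "Snort Differs AppKey vmware-remote-auth -> vmware-remote-a". The script below is an added example, not code from the original post or from the Snort project. It assumes (the only layout the error text supports) that appMapping.data is a tab-separated file with a numeric AppId in the first column and the appName in the second, and that a line without a tab-separated second field is what produces "Could not read appName. Line <text>". It reports such lines, flags duplicate AppIds as an extra check of its own, and writes a cleaned copy with the offending lines dropped, which is the fix the reply suggests. The sample rows, AppIds and names are constructed for the example.

```python
"""Check an OpenAppID appMapping.data file for lines Snort cannot parse.

Added example, not code from the original post or the Snort project.
Assumption (from the error text quoted in the thread): each data line is
tab-separated, field 1 is a numeric AppId and field 2 is the appName.
"""
from typing import Dict, List, Optional, Tuple

BadLine = Tuple[int, str, str]        # (line number, text, reason)
GoodRow = Tuple[int, str, List[str]]  # (AppId, appName, remaining fields)

# Constructed sample modelled on the thread: a bogus first line with no
# tab separators, then three well-formed rows. The AppIds, names and
# trailing columns are invented placeholders, not real ODP entries.
SAMPLE = (
    "Snort Differs AppKey vmware-remote-auth -> vmware-remote-a\n"
    "1001\texample-app-a\t1001\t0\t0\n"
    "1002\texample-app-b\t1002\t0\t0\n"
    "1003\texample-app-c\t1003\t0\t0\n"
)


def parse_line(line: str) -> Tuple[Optional[GoodRow], str]:
    """Return (row, "") on success, or (None, reason) for a bad line."""
    text = line.rstrip("\r\n")
    fields = text.split("\t")
    if len(fields) < 2 or not fields[1]:
        # No tab-separated second field: the case reported in the thread,
        # worded the way Snort words it.
        return None, f"Could not read appName. Line {text}"
    if not fields[0].isdigit():
        # Extra check of this script; the thread shows no Snort message for it.
        return None, f"Non-numeric AppId. Line {text}"
    return (int(fields[0]), fields[1], fields[2:]), ""


def check_mapping(text: str) -> Tuple[List[GoodRow], List[BadLine]]:
    """Split file contents into usable rows and problem lines."""
    good: List[GoodRow] = []
    bad: List[BadLine] = []
    seen: Dict[int, int] = {}  # AppId -> first line number
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are ignored (assumption)
        row, reason = parse_line(line)
        if row is None:
            bad.append((lineno, line, reason))
            continue
        app_id = row[0]
        if app_id in seen:
            bad.append((lineno, line,
                        f"Duplicate AppId {app_id} (first at line {seen[app_id]})"))
            continue
        seen[app_id] = lineno
        good.append(row)
    return good, bad


def clean_mapping(text: str) -> str:
    """Return the contents with every problem line removed."""
    _, bad = check_mapping(text)
    drop = {lineno for lineno, _, _ in bad}
    kept = [line for n, line in enumerate(text.splitlines(), start=1)
            if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: appmapping_check.py [appMapping.data [cleaned-output-file]]
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    rows, problems = check_mapping(src)
    for lineno, _, reason in problems:
        print(f"line {lineno}: {reason}")
    print(f"{len(rows)} usable rows, {len(problems)} problem lines")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-8") as out:
            out.write(clean_mapping(src))
```

Run it against the appMapping.data in the ODP directory (the location varies by install; the output in this thread only shows the detector path /usr/local/lib) and diff the cleaned copy against the original before replacing it, so the only change is the line Snort complained about.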
-------------- next part --------------
root at snort-box:/home/username/dev/snort-test# /usr/local/bin/snort -A console -k none -c /home/username/dev/snort-test/etc/snort.conf -r /home/username/Desktop/pcap.pcapng
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/home/username/dev/snort-test/etc/snort.conf"
PortVar 'FTP_PORTS' defined :  [ 21 ]
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 9090:9091 9443 9999 11371 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80 110 143 311 591 593 901 1220 1414 1741 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 9090:9091 9443 9999 11371 ]
PortVar 'GTP_PORTS' defined :  [ 2152 3386 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
WARNING: /home/username/dev/snort-test/etc/snort.conf(97) Reconfiguring detection options.
    Split Any/Any group = enabled
WARNING: /home/username/dev/snort-test/etc/snort.conf(228) Reconfiguring detection options.
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /home/username/dev/snort-test/etc/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 176950857
      Max Gzip Memory: 46246078
      Max Gzip Sessions: 88934
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 80 443 1220 1741 2301 3128 3443 8000 8080 8180 8800 8888 
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Max Number of WhiteSpaces allowed with header folding: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 0
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Decompress response files:   
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: NO
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: YES
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d 
      Legacy mode: YES
Frag3 global config:
    Max frags: 27579
    Memory cap used to determine preallocated frag nodes: 90903551
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Anomalies: Alert
    Overlap Limit:     10
    Min fragment Length:     100
WARNING: tcp normalizations disabled because not inline.
PerfMonitor config:
  Sample Time:      300 seconds
  Packet Count:     10000
  Max File Size:    2147483647
  Base Stats:       ACTIVE
    Base Stats File:  INACTIVE
    Max Perf Stats:   INACTIVE
  Flow Stats:       INACTIVE
  Event Stats:      INACTIVE
  Flow IP Stats:    INACTIVE
  Console Mode:     INACTIVE
Portscan Detection Config:
    Portscan Detection: INACTIVE
    Memcap (in bytes): 28241880
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
      Max Expected Streams: 425
Stream global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 107399
    TCP cache pruning timeout: 30 seconds
    TCP cache nominal timeout: 3600 seconds
    Memcap (for reassembly packet storage): 462460786
    Track UDP sessions: ACTIVE
    Max UDP sessions: 110319
    UDP cache pruning timeout: 30 seconds
    UDP cache nominal timeout: 180 seconds
    Track ICMP sessions: INACTIVE
    Track IP sessions: ACTIVE
    Max IP sessions: 10885
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16384
Stream IP Policy config:
    Timeout: 60 seconds
Stream TCP Policy config:
    Bound Address: default
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2601
    Options:
        Don't queue packets on one-sided sessions: YES
    Reassembly Ports:
      21 client (Footprint) 
      23 client (Footprint) 
      25 client (Footprint) 
      42 client (Footprint) 
      53 client (Footprint) 
      80 client (Footprint) server (Footprint)
      110 client (Footprint) 
      111 client (Footprint) 
      135 client (Footprint) 
      136 client (Footprint) 
      137 client (Footprint) 
      139 client (Footprint) 
      143 client (Footprint) 
      443 client (Footprint) server (Footprint)
      445 client (Footprint) 
      465 client (Footprint) server (Footprint)
      513 client (Footprint) 
      636 client (Footprint) server (Footprint)
      992 client (Footprint) server (Footprint)
      993 client (Footprint) server (Footprint)
      additional ports configured but not printed.
Stream UDP Policy config:
    Timeout: 180 seconds
AppId Configuration
    Detector Path:          /usr/local/lib
    appStats Files:         appstats-u2.log
    appStats Period:        60 secs
    appStats Rollover Size: 20971520 bytes
    appStats Rollover time: 86400 secs

Defaulting to monitoring all Snort traffic for AppID.
Adding 0x00000000-0xFFFFFFFF (0x00000038) with zone -1
Adding ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (0x00000038) with zone -1
AppInfo: AppId 4109 is UNKNOWN
AppInfo: AppId 4043 is UNKNOWN
AppInfo: AppId 473 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4075, for 0x7f97c78ec700 0x5599a3133e00
AppInfo: AppId 4075 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
AppInfo: AppId 503 is UNKNOWN
Invalid direct client application AppId, 2634, for 0x7f97c78ec700 0x5599a314cbc0
AppInfo: AppId 2634 is UNKNOWN
AppInfo: AppId 4115 is UNKNOWN
AppInfo: AppId 4385 is UNKNOWN
AppInfo: AppId 4387 is UNKNOWN
Invalid direct client application AppId, 4126, for 0x7f97c78ec700 0x5599a3198520
AppInfo: AppId 4126 is UNKNOWN
    3rd Party Dir: /usr/local/lib/thirdparty
    Monitoring Networks for any zone:
        0.0.0.0-255.255.255.255 0038
        ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0038
    Excluded TCP Ports for Src:
    Excluded TCP Ports for Dst:
    Excluded UDP Ports Src:
    Excluded UDP Ports Dst:
WARNING: Directory /usr/local/lib/thirdparty does not exist.
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 51392 KB
    Events: memcap smb co cl 
    SMB Fingerprint policy: Disabled
  Server Default Configuration
    Policy: WinXP
    Detect ports (PAF)
      SMB: 139 445 
      TCP: 135 
      UDP: 135 
      RPC over HTTP server: 593 
      RPC over HTTP proxy: None
    Autodetect ports (PAF)
      SMB: None
      TCP: None
      UDP: None
      RPC over HTTP server: None
      RPC over HTTP proxy: None
    Invalid SMB shares: C$ D$ ADMIN$ 
    Maximum SMB command chaining: 3 commands
    SMB file inspection: Disabled
DNP3 config: 
    Memcap: 107399
    Check Link-Layer CRCs: DISABLED
    Ports:
	20000
DNS config: 
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: NO
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23 
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports (PAF): 21 2100 3535 
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Ignore open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Max Response Length: 256
GTP config: 
    Ports:
	2123	3386
IMAP Config:
    IMAP: INACTIVE
    Ports: 143 
    IMAP Memcap: 14960703
    MIME Max Mem: 419430
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 4000
    Quoted-Printable Decoding: Disabled
    Unix-to-Unix Decoding: Disabled
    Non-Encoded MIME attachment Extraction: Disabled
Modbus config: 
    Ports:
	502
POP Config:
    POP: INACTIVE
    Ports: 110 
    POP Memcap: 14960703
    MIME Max Mem: 419430
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 4000
    Quoted-Printable Decoding: Disabled
    Unix-to-Unix Decoding: Disabled
    Non-Encoded MIME attachment Extraction: Disabled
Sensitive Data preprocessor config: 
    Global Alert Threshold: 25
    Masked Output: ENABLED
SIP config: 
    Max number of sessions: 2147  
    Max number of dialogs in a session: 4 (Default) 
    Status: ENABLED
    Ignore media channel: ENABLED
    Max URI length: 256 (Default) 
    Max Call ID length: 256 (Default) 
    Max Request name length: 20 (Default) 
    Max From length: 256 (Default) 
    Max To length: 256 (Default) 
    Max Via length: 1024 (Default) 
    Max Contact length: 256 (Default) 
    Max Content length: 1024 (Default) 
    Ports:
	5060	5061
    Methods:
	(Default)  invite cancel ack bye register options
SMTP Config:
    Ports: 25 465 587 691 
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50 
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 2000
    Max auth Command Line Length: 1000
    Max Specific Command Line Length: 
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246 
       XUSR:246 
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    Alert on unknown commands: No
    SMTP Memcap: 40274685
    MIME Max Mem: 18498431
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 4000
    Quoted-Printable Decoding: Disabled
    Unix-to-Unix Decoding: Disabled
    Non-Encoded MIME attachment Extraction/text: Disabled
    Log Attachment filename: Not Enabled
    Log MAIL FROM Address: Not Enabled
    Log RCPT TO Addresses: Not Enabled
    Log Email Headers: Not Enabled
SSH config: 
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: ENABLED
    Bad Payload Size Alert: ENABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20  
    Max Server Version String Length: 100  
    MaxClientBytes: 19600 (Default) 
    Ports:
	22
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     7801
     7802     7900     7901     7902     7903
     7904     7905     7906     7907     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
    Maximum SSL Heartbeat length: 0

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
1:1
  Fast pattern matcher: Normal Content
  Fast pattern set: no
  Fast pattern only: no
  Negated: no
  Pattern offset,length: none
  Pattern truncated: no
  Original pattern
    "FAST_PATTERN"
  Final pattern
    "FAST_PATTERN"

[ Port and Service Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 7
| Patterns         : 97
| Pattern Chars    : 454
| Num States       : 366
| Num Match States : 97
| Memory           :   24.05Kbytes
|   Patterns       :   4.23K
|   Match Lists    :   5.92K
|   Transitions    :   11.11K
+-------------------------------------------------

Packet Performance Monitor Config:
  ticks per usec  : 2305 ticks
  max packet time : 2560 usecs
  packet action   : fastpath-expensive-packets
  packet logging  : none 

Rule Performance Monitor Config:
  ticks per usec  : 2305 ticks
  max rule time   : 5120 usecs
  rule action     : suspend-expensive-rules
  rule threshold  : 3 
  suspend timeout : 10 secs
  rule logging    : none 
pcap DAQ configured to read-file.
Acquiring network traffic from "/home/username/Desktop/pcap.pcapng".
Reload thread starting...
Reload thread started, thread 0x7f97ad025700 (4383)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: appid  Version 1.1  <Build 5>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Commencing packet processing (pid=4332)
===============================================================================
Run time for packet processing was 1.677 seconds
Snort processed 24 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:           24
*** Opening /var/log/snort/appstats-u2.log.1533309857 for output
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       190140416
  Bytes in mapped regions (hblkhd):      30523392
  Total allocated space (uordblks):      10127552
  Total free space (fordblks):           180012864
  Topmost releasable block (keepcost):   56848
===============================================================================
Packet Performance Summary:
   max packet time       : 2560 usecs
   packet events         : 0
   avg pkt time          : 46.3202 usecs
Rule Performance Summary:
   max rule time         : 5120 usecs
   rule events           : 0
   avg rule time         : 12.2269 usecs
===============================================================================
Packet I/O Totals:
   Received:           24
   Analyzed:           24 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:           24 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           24 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:           24 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:           24
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           24 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0         
    GET methods:                          1         
    HTTP Request Headers extracted:       1         
    HTTP Request Cookies extracted:       0         
    Post parameters extracted:            0         
    HTTP response Headers extracted:      0         
    HTTP Response Cookies extracted:      0         
    Unicode:                              0         
    Double unicode:                       0         
    Non-ASCII representable:              0         
    Directory traversals:                 0         
    Extra slashes ("//"):                 0         
    Self-referencing paths ("./"):        0         
    HTTP Response Gzip packets extracted: 0         
    Gzip Compressed Data Processed:       n/a       
    Gzip Decompressed Data Processed:     n/a       
    Http/2 Rebuilt Packets:               0         
    Total packets processed:              2         
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 1
              TCP sessions: 1
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 9
     TCP Segments Released: 9
       TCP Rebuilt Packets: 2
         TCP Segments Used: 9
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 24
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
Application Identification Preprocessor:
   Total packets received : 26
  Total packets processed : 24
    Total packets ignored : 2
Service State:
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
GTP Preprocessor Statistics
  Total sessions: 0
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
===============================================================================
Snort exiting