[Snort-users] DPX starter kit output: No alert generated

Russ rucombs at cisco.com
Thu Oct 18 22:10:44 EDT 2018


Hey Jianyu,

As written, the dpx example only alerts on UDP.  If you want to alert on 
TCP, you will need to patch the code.  Here is a patch that changes it to 
TCP.  If you save that to a file you can do this in snort3_extra:

$ patch -p 1 < dpx.diff

Hope that helps get you going.
Russ

diff --git a/src/inspectors/dpx/dpx.cc b/src/inspectors/dpx/dpx.cc
index c3a541b..843bcfa 100644
--- a/src/inspectors/dpx/dpx.cc
+++ b/src/inspectors/dpx/dpx.cc
@@ -70,7 +70,7 @@ void Dpx::show(SnortConfig*)
  void Dpx::eval(Packet* p)
  {
      // precondition - what we registered for
-    assert(p->is_udp());
+    assert(p->is_tcp());

      if ( p->ptrs.dp == port && p->dsize > max )
          DetectionEngine::queue_event(DPX_GID, DPX_SID);
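Review bot: the `assert(p->is_tcp())` on the changed line is a debug-only precondition (compiled out under NDEBUG), so on its own it does not restrict `eval()` to TCP; the real restriction is the `PROTO_BIT__TCP` registration in the second hunk, and the two hunks must land together or a debug build will abort on the first UDP packet that reaches the inspector. The unchanged condition `p->ptrs.dp == port && p->dsize > max` is evaluated per packet against the TCP payload length, so a handshake-only capture such as the test.pcap quoted further down in this thread (every segment reports `length 0`) still produces no event with `max=128`; a segment carrying more than `max` bytes of payload to the configured port is needed before the patched kit alerts.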
@@ -180,7 +180,7 @@ static const InspectApi dpx_api
          mod_dtor
      },
      IT_NETWORK,
-    PROTO_BIT__UDP,
+    PROTO_BIT__TCP,
      nullptr, // buffers
      nullptr, // service
      nullptr, // pinit
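Review bot: switching the registration to `PROTO_BIT__TCP` while keeping `IT_NETWORK` means `eval()` now sees every decoded TCP packet, including handshake segments with no payload and packets outside any tracked flow, since a network-level inspector is not bound to a service; that matches the per-packet check in the first hunk, but it also means `dpx.port` and any `--bpf` filter used while testing must name the same TCP port (the thread's `--lua "dpx={port=8, ...}"` with `--bpf "tcp port 8"` is consistent). If the module's help text or README still describes the kit as UDP-only, update it in the same change so the next reader does not hit the same confusion as this thread.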

On 10/18/18 6:06 PM, Jianyu Li via Snort-users wrote:
>
> Hi Russ,
>
>
> I don't understand clearly; do you mean the dpx example provided by 
> Snort3 can only alert on UDP packets? I changed the bpf from UDP to TCP 
> because I would like to alert on TCP packets. Do you know if there 
> is any way I can do it?
>
>
> Thanks,
>
> Jianyu Li
>
>
>
> ------------------------------------------------------------------------
> *From:* Snort-users <snort-users-bounces at lists.snort.org> on behalf of 
> Russ via Snort-users <snort-users at lists.snort.org>
> *Sent:* 18 October 2018 22:42
> *To:* snort-users at lists.snort.org
> *Subject:* Re: [Snort-users] DPX starter kit output: No alert generated
> Oops ... there's a copy/paste error.  That bpf should be udp not tcp.
>
> The Snort 3 example just alerts on a UDP packet on the configured port 
> with a length above the configured limit.
>
> On 10/18/18 3:37 PM, Jianyu Li via Snort-users wrote:
>>
>> Hi Russ,
>>
>>
>> Thank you very much for your reply!
>>
>>
>> I tried the command you provided but there is no output:
>>
>> root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path 
>> /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua 
>> "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp 
>> port 8" -r test.pcap -A csv -q
>> root@ubuntu1:/home/ubuntu#
>>
>> The output without "-q" is as follows:
>> root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path 
>> /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua 
>> "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp 
>> port 8" -r test.pcap -A csv
>> --------------------------------------------------
>> o")~   Snort++ 3.0.0-247
>> --------------------------------------------------
>> Loading /root/snort-3.0.0/etc/snort/snort.lua:
>>         ssh
>>         pop
>>         binder
>>         stream_tcp
>>         gtp_inspect
>>         dce_http_proxy
>>         stream_icmp
>>         normalizer
>>         ftp_server
>>         stream_udp
>>         dce_smb
>>         ips
>>         modbus
>>         rpc_decode
>>         latency
>>         wizard
>>         appid
>>         file_id
>>         ftp_data
>>         smtp
>>         back_orifice
>>         port_scan
>>         dce_http_server
>>         dce_tcp
>>         telnet
>>         ssl
>>         sip
>>         classifications
>>         http2_inspect
>>         http_inspect
>>         stream_user
>>         stream_ip
>>         dnp3
>>         ftp_client
>>         stream
>>         references
>>         arp_spoof
>>         dns
>>         dce_udp
>>         imap
>>         stream_file
>> Finished /root/snort-3.0.0/etc/snort/snort.lua.
>> Loading builtin:
>> Finished builtin.
>> --------------------------------------------------
>> rule counts
>>        total rules loaded: 471
>>             builtin rules: 471
>>             option chains: 471
>>             chain headers: 1
>> --------------------------------------------------
>> port rule counts
>>              tcp     udp    icmp      ip
>>      any     471       0       0       0
>>    total     471       0       0       0
>> Snort BPF option: tcp port 8
>> --------------------------------------------------
>> pcap DAQ configured to read-file.
>> Commencing packet processing
>> ++ [0] test.pcap
>> -- [0] test.pcap
>> --------------------------------------------------
>> Packet Statistics
>> --------------------------------------------------
>> daq
>>                     pcaps: 1
>>                  received: 4
>>                  analyzed: 4
>>                     allow: 4
>>                  rx_bytes: 216
>> --------------------------------------------------
>> codec
>>                     total: 4 (100.000%)
>>                       eth: 4 (100.000%)
>>                      ipv4: 4 (100.000%)
>>                       tcp: 4 (100.000%)
>> --------------------------------------------------
>> Module Statistics
>> --------------------------------------------------
>> detection
>>                  analyzed: 4
>> --------------------------------------------------
>> appid
>>                   packets: 4
>>         processed_packets: 2
>>           ignored_packets: 2
>>            total_sessions: 2
>> --------------------------------------------------
>> binder
>>                   packets: 2
>>                  inspects: 2
>> --------------------------------------------------
>> port_scan
>>                   packets: 4
>> --------------------------------------------------
>> stream_tcp
>>                  sessions: 2
>>                       max: 2
>>                   created: 2
>>                  released: 2
>>              instantiated: 2
>>                    setups: 2
>>          syn_ack_trackers: 2
>>                  syn_acks: 2
>> --------------------------------------------------
>> latency
>>             total_packets: 4
>>               total_usecs: 123
>>                 max_usecs: 67
>> --------------------------------------------------
>> stream
>>                 tcp_flows: 2
>> --------------------------------------------------
>> Summary Statistics
>> --------------------------------------------------
>> timing
>>                   runtime: 00:00:00
>>                   seconds: 0.215936
>>                   packets: 4
>>                  pkts/sec: 4
>> o")~   Snort exiting
>>
>>
>> I didn't find any information about the dpx inspector in the output; do 
>> you think I need to enable it in the Snort configuration?
>> I followed the github readme to install snort3.
>> https://github.com/snort3/snort3
>>
>> The pcap file I used is:
>> root@ubuntu1:/home/ubuntu# tcpdump -vr test.pcap
>> reading from file test.pcap, link-type EN10MB (Ethernet)
>> 01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], 
>> proto TCP (6), length 40)
>>     10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), 
>> seq 1, win 256, length 0
>> 01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], 
>> proto TCP (6), length 40)
>>     10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), 
>> seq 1, ack 2, win 256, length 0
>> 01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], 
>> proto TCP (6), length 40)
>>     10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 
>> (correct), ack 2, win 256, length 0
>> 01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], 
>> proto TCP (6), length 40)
>>     10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), 
>> seq 1, win 256, length 0
>> 01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], 
>> proto TCP (6), length 40)
>>     10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), 
>> seq 1, ack 2, win 256, length 0
>> 01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], 
>> proto TCP (6), length 40)
>>     10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e 
>> (correct), ack 2, win 256, length 0
>>
>> Thanks,
>> Jianyu Li
>>
>> ------------------------------------------------------------------------
>> *From:* Snort-users <snort-users-bounces at lists.snort.org> on behalf of 
>> Russ via Snort-users <snort-users at lists.snort.org>
>> *Sent:* 17 October 2018 23:36
>> *To:* snort-users at lists.snort.org
>> *Subject:* Re: [Snort-users] DPX starter kit output: No alert generated
>> Hi - if you want to give Snort 3 a try instead, here is an example:
>>
>> $ src/snort --plugin-path install/lib -c install/etc/snort/snort.lua 
>> --lua "dpx = { port = 53, max = 128 }; ips.enable_builtin_rules = 
>> true" --bpf "udp port 53" -r test.pcap -A csv -q
>>
>> 10/17-18:40:25.535685, 1, UDP, raw, 157, C2S, 10.1.2.3:48620, 
>> 10.9.8.7:53, 256:1:1, allow
>>
>> On 10/17/18 5:45 PM, Jianyu Li via Snort-users wrote:
>>>
>>>     *From:* Snort-users <snort-users-bounces at lists.snort.org> on behalf of
>>>     wkitty42--- via Snort-users <snort-users at lists.snort.org>
>>>     *Sent:* 17 October 2018 21:22
>>>     *To:* snort-users at lists.snort.org
>>>     *Subject:* Re: [Snort-users] DPX starter kit output: No alert
>>>     generated
>>>     On 10/17/18 4:07 PM, Jianyu Li via Snort-users wrote:
>>>     > I followed the link below to build DPX.
>>>     > https://www.snort.org/documents/dpx-readme
>>>
>>>     > 
>>>     > But there is no alert generated in the output of ./test.sh
>>>     > 
>>>     > I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.
>>>
>>>
>>>     i don't know anything about dpx but what are the four short
>>>     rules and what
>>>     traffic was sent to be analyzed? the output looks to have passed
>>>     the traffic...
>>>     it may be that you need to add "-k none" to your snort command
>>>     line to ensure
>>>     that checksums are ignored...
>>>
>>>
>>>     -- 
>>>       NOTE: No off-list assistance is given without prior approval.
>>>     *Please keep mailing list traffic on the list unless*
>>>     *a signed and pre-paid contract is in effect with us.*
>>>     _______________________________________________
>>>     Snort-users mailing list
>>>     Snort-users at lists.snort.org
>>>     Go to this URL to change user options or unsubscribe:
>>>     https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>>     To unsubscribe, send an email to:
>>>     snort-users-leave at lists.snort.org
>>>
>>>     Please visit http://blog.snort.org to
>>>     stay current on all the latest Snort news!
>>>
>>>     Please follow these rules:
>>>     https://snort.org/faq/what-is-the-mailing-list-etiquette
>>>
>>>
>>>
>>> Hi wkitty42,
>>>
>>>
>>> Thank you very much for your reply!
>>>
>>> I am new to snort. I tried to add "-k none" to the snort command 
>>> line but it didn't work; there is still no alert in the output.
>>>
>>>
>>> The content of test.sh is:
>>>
>>>     root@ubuntu3:~/dpx-1.7# cat test.sh
>>>     #!/bin/bash
>>>
>>>
>>>     if [ ! -e setup.sh ] ; then
>>>         echo "ERROR: you must echo SNORT=/path/to/snort/dir > setup.sh first"
>>>         exit -1
>>>     fi
>>>
>>>
>>>     . ./setup.sh
>>>
>>>
>>>     export SNORT_PP_DEBUG=0x80000000
>>>     $SNORT/src/snort -c test/snort.conf -A console:test -r test/test.pcap
>>>
>>>
>>> So I think test/snort.conf is used as the configuration file; 
>>> the content of test/snort.conf is:
>>>
>>>     root@ubuntu3:~/dpx-1.7/test# cat snort.conf
>>>     # default configuration
>>>     dynamicpreprocessor directory lib/snort_dynamicpreprocessor
>>>     preprocessor dpx: port 8
>>>     config binding: 10.1.conf net 10.1.0.0/16
>>>     include rules.conf
>>>
>>>
>>> But there are only two snort rules inside rules.conf; I am not sure 
>>> why there are 4 snort rules shown in the result:
>>>
>>>     root@ubuntu3:~/dpx-1.7/test# cat rules.conf
>>>
>>>     #config autogenerate_preprocessor_decoder_rules
>>>     alert ( msg:"tcp src port match"; gid:256; sid:1; )
>>>     alert ( msg:"tcp dst port match"; gid:256; sid:2; )
>>>
>>>
>>> The test/test.pcap was sent to be analyzed:
>>>
>>>     root@ubuntu3:~/dpx-1.7/test# tcpdump -vr test.pcap
>>>     reading from file test.pcap, link-type EN10MB (Ethernet)
>>>     01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags
>>>     [none], proto TCP (6), length 40)
>>>         10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d
>>>     (correct), seq 1, win 256, length 0
>>>     01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags
>>>     [none], proto TCP (6), length 40)
>>>         10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b
>>>     (correct), seq 1, ack 2, win 256, length 0
>>>     01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags
>>>     [none], proto TCP (6), length 40)
>>>         10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034
>>>     (correct), ack 2, win 256, length 0
>>>     01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags
>>>     [none], proto TCP (6), length 40)
>>>         10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85
>>>     (correct), seq 1, win 256, length 0
>>>     01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags
>>>     [none], proto TCP (6), length 40)
>>>         10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75
>>>     (correct), seq 1, ack 2, win 256, length 0
>>>     01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags
>>>     [none], proto TCP (6), length 40)
>>>         10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e
>>>     (correct), ack 2, win 256, length 0
>>>
>>>
>>> In my understanding, DPX is a Dynamic Preprocessor Example, 
>>> which can be downloaded from the snort website. I was trying to test 
>>> the dynamic preprocessor example; the output should generate 
>>> alerts since the dpx preprocessor will listen on port 8 (according to 
>>> the 3rd line of the snort.conf file), and the tcpdump showed that some 
>>> packets' ports are 8.
>>>
>>>
>>> Thanks,
>>> Jianyu Li
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Jianyu Li
>>> *Sent:* 17 October 2018 21:07:21
>>> *To:* snort-users at lists.snort.org
>>> *Subject:* DPX starter kit output: No alert generated
>>>
>>> Hi
>>>
>>>
>>> I followed the link below to build DPX.
>>>
>>> https://www.snort.org/documents/dpx-readme
>>>
>>>
>>> But there is no alert generated in the output of ./test.sh
>>>
>>>
>>> I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.
>>>
>>>
>>> The following is the output of ./test.sh
>>>
>>>
>>> root@ubuntu3:~/dpx-1.7# ./test.sh
>>> Running in IDS mode
>>>
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "test/snort.conf"
>>> Tagged Packet Limit: 256
>>> Loading all dynamic preprocessor libs from 
>>> lib/snort_dynamicpreprocessor...
>>>   Loading dynamic preprocessor library 
>>> lib/snort_dynamicpreprocessor/libdpx.so... done
>>>   Finished Loading all dynamic preprocessor libs from 
>>> lib/snort_dynamicpreprocessor
>>> Log directory = /var/log/snort
>>>
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>> Initializing rule chains...
>>> 4 Snort rules read
>>>     4 detection rules
>>>     0 decoder rules
>>>     0 preprocessor rules
>>> 2 Option Chains linked into 2 Chain Headers
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>> +-------------------[Rule Port 
>>> Counts]---------------------------------------
>>> |             tcp     udp    icmp ip
>>> |     src       0       0       0  0
>>> |     dst       0       0       0  0
>>> |     any       4       0       0  0
>>> |      nc       4       0       0  0
>>> |     s+d       0       0       0  0
>>> +----------------------------------------------------------------------------
>>>
>>> +-----------------------[detection-filter-config]------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[detection-filter-rules]-------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>>
>>> +-----------------------[rate-filter-config]-----------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[rate-filter-rules]------------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>>
>>> +-----------------------[event-filter-config]----------------------------------
>>> | memory-cap : 1048576 bytes
>>> +-----------------------[event-filter-global]----------------------------------
>>> +-----------------------[event-filter-local]-----------------------------------
>>> | none
>>> +-----------------------[suppression]------------------------------------------
>>> | none
>>> -------------------------------------------------------------------------------
>>> Rule application order: pass->drop->sdrop->reject->alert->log
>>> Verifying Preprocessor Configurations!
>>>
>>> [ Port Based Pattern Matching Memory ]
>>> pcap DAQ configured to read-file.
>>> Acquiring network traffic from "test/test.pcap".
>>> Reload thread starting...
>>> Reload thread started, thread 0x7f2fb2e68700 (4175)
>>>
>>>         --== Initialization Complete ==--
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.9.12 GRE (Build 325)
>>>    ''''    By Martin Roesch & The Snort Team: 
>>> http://www.snort.org/contact#team
>>>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All 
>>> rights reserved.
>>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>>            Using libpcap version 1.8.1
>>>            Using PCRE version: 8.39 2016-06-14
>>>            Using ZLIB version: 1.2.11
>>>
>>>            Preprocessor Object: dpx Version 1.6  <Build 1>
>>> Commencing packet processing (pid=4174)
>>> ===============================================================================
>>> Run time for packet processing was 0.302 seconds
>>> Snort processed 6 packets.
>>> Snort ran for 0 days 0 hours 0 minutes 0 seconds
>>>    Pkts/sec:            6
>>> ===============================================================================
>>> Memory usage summary:
>>>   Total non-mmapped bytes (arena):  4296704
>>>   Bytes in mapped regions (hblkhd):   31576064
>>>   Total allocated space (uordblks):   3490960
>>>   Total free space (fordblks):  805744
>>>   Topmost releasable block (keepcost):  659328
>>> ===============================================================================
>>> Packet I/O Totals:
>>>    Received:            6
>>>    Analyzed:            6 (100.000%)
>>>     Dropped:            0 (  0.000%)
>>>    Filtered:            0 (  0.000%)
>>> Outstanding:            0 (  0.000%)
>>>    Injected:            0
>>> ===============================================================================
>>> Breakdown by protocol (includes rebuilt packets):
>>>         Eth:            6 (100.000%)
>>>        VLAN:            0 (  0.000%)
>>>         IP4:            6 (100.000%)
>>>        Frag:            0 (  0.000%)
>>>        ICMP:            0 (  0.000%)
>>>         UDP:            0 (  0.000%)
>>>         TCP:            6 (100.000%)
>>>         IP6:            0 (  0.000%)
>>>     IP6 Ext:            0 (  0.000%)
>>>    IP6 Opts:            0 (  0.000%)
>>>       Frag6:            0 (  0.000%)
>>>       ICMP6:            0 (  0.000%)
>>>        UDP6:            0 (  0.000%)
>>>        TCP6:            0 (  0.000%)
>>>      Teredo:            0 (  0.000%)
>>>     ICMP-IP:            0 (  0.000%)
>>>     IP4/IP4:            0 (  0.000%)
>>>     IP4/IP6:            0 (  0.000%)
>>>     IP6/IP4:            0 (  0.000%)
>>>     IP6/IP6:            0 (  0.000%)
>>>         GRE:            0 (  0.000%)
>>>     GRE Eth:            0 (  0.000%)
>>>    GRE VLAN:            0 (  0.000%)
>>>     GRE IP4:            0 (  0.000%)
>>>     GRE IP6:            0 (  0.000%)
>>> GRE IP6 Ext:            0 (  0.000%)
>>>    GRE PPTP:            0 (  0.000%)
>>>     GRE ARP:            0 (  0.000%)
>>>     GRE IPX:            0 (  0.000%)
>>>    GRE Loop:            0 (  0.000%)
>>>        MPLS:            0 (  0.000%)
>>>         ARP:            0 (  0.000%)
>>>         IPX:            0 (  0.000%)
>>>    Eth Loop:            0 (  0.000%)
>>>    Eth Disc:            0 (  0.000%)
>>>    IP4 Disc:            0 (  0.000%)
>>>    IP6 Disc:            0 (  0.000%)
>>>    TCP Disc:            0 (  0.000%)
>>>    UDP Disc:            0 (  0.000%)
>>>   ICMP Disc:            0 (  0.000%)
>>> All Discard:            0 (  0.000%)
>>>       Other:            0 (  0.000%)
>>> Bad Chk Sum:            0 (  0.000%)
>>>     Bad TTL:            0 (  0.000%)
>>>      S5 G 1:            0 (  0.000%)
>>>      S5 G 2:            0 (  0.000%)
>>>       Total:            6
>>> ===============================================================================
>>> Action Stats:
>>>      Alerts:            0 (  0.000%)
>>>      Logged:            0 (  0.000%)
>>>      Passed:            0 (  0.000%)
>>> Limits:
>>>       Match:            0
>>>       Queue:            0
>>>         Log:            0
>>>       Event:            0
>>>       Alert:            0
>>> Verdicts:
>>>       Allow:            6 (100.000%)
>>>       Block:            0 (  0.000%)
>>>     Replace:            0 (  0.000%)
>>>   Whitelist:            0 (  0.000%)
>>>   Blacklist:            0 (  0.000%)
>>>      Ignore:            0 (  0.000%)
>>>       Retry:            0 (  0.000%)
>>> ===============================================================================
>>> Snort exiting
>>>
>>>
>>> It would be great if you could help me find out the problem.
>>>
>>>
>>> Thanks,
>>>
>>> Jianyu Li
>>>
>>>
>>>
>>
>>
>>
>
>
>
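A constructed companion to the thread, added here by the editor and not part of any of the posts above or of the snort3_extra project. The dpx `eval()` shown in Russ's patch queues an event only when `p->ptrs.dp == port && p->dsize > max`, and Jianyu's test.pcap is a bare TCP handshake (tcpdump reports `length 0` for every segment), so no packet in it can ever carry more than `max` bytes of payload. The script below writes a pcap with one UDP datagram that does satisfy the unpatched (UDP) condition, one that is under the limit, and a payload-less TCP SYN like the thread's capture, and re-implements the same predicate over the raw bytes so the expected event count is known before Snort is run. MAC and IP addresses, ports, payload sizes, timestamps and the output file name `dpx_test.pcap` are all made-up values.

```python
"""Constructed test traffic for the Snort 3 dpx starter kit (added example, not project code).

Mirrors the starter kit's alert condition, p->ptrs.dp == port && p->dsize > max,
over hand-built Ethernet/IPv4/UDP and TCP frames and writes them to a pcap.
Every address, port and payload size here is a constructed sample value.
"""
import struct

ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # made-up MACs, EtherType IPv4
PROTO_TCP, PROTO_UDP = 6, 17


def _ones_complement(data: bytes) -> int:
    """RFC 1071 checksum over an arbitrary byte string (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _l4_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """Transport checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, proto, len(segment))
    return _ones_complement(pseudo + segment)


def ipv4_frame(src: str, dst: str, proto: int, l4: bytes, ident: int = 1) -> bytes:
    """Ethernet + 20-byte IPv4 header (no options) around an already-built L4 segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, 0, 64, proto, 0, _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", _ones_complement(hdr)) + hdr[12:]  # fill header checksum
    return ETH_HDR + hdr + l4


def udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes, ident: int = 1) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = _l4_checksum(src, dst, PROTO_UDP, udp) or 0xFFFF  # 0 would mean "no checksum" for UDP
    return ipv4_frame(src, dst, PROTO_UDP, udp[:6] + struct.pack("!H", csum) + udp[8:], ident)


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int,
              payload: bytes = b"", seq: int = 1, ack: int = 0, ident: int = 1) -> bytes:
    """20-byte TCP header; flags is the raw flag byte (0x02 SYN, 0x12 SYN/ACK, 0x10 ACK)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 256, 0, 0) + payload
    csum = _l4_checksum(src, dst, PROTO_TCP, tcp)
    return ipv4_frame(src, dst, PROTO_TCP, tcp[:16] + struct.pack("!H", csum) + tcp[18:], ident)


def decode(frame: bytes):
    """Return (proto, dst_port, dsize) the way the dpx check sees them: dsize is the L4 payload length."""
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    total_len = struct.unpack("!H", frame[16:18])[0]
    l4 = frame[14 + ihl:14 + total_len]
    dport = struct.unpack("!H", l4[2:4])[0]
    if proto == PROTO_TCP:
        l4_hdr = (l4[12] >> 4) * 4
    elif proto == PROTO_UDP:
        l4_hdr = 8
    else:
        return proto, None, 0
    return proto, dport, len(l4) - l4_hdr


def dpx_would_alert(frame: bytes, port: int, max_: int, proto: int = PROTO_UDP) -> bool:
    """Same predicate as the starter kit's eval(): registered protocol, dp == port, dsize > max."""
    p, dport, dsize = decode(frame)
    return p == proto and dport == port and dsize > max_


def expected_alerts(frames, port: int, max_: int, proto: int = PROTO_UDP) -> int:
    return sum(dpx_would_alert(f, port, max_, proto) for f in frames)


def write_pcap(path: str, frames, snaplen: int = 65535) -> None:
    """Classic libpcap file: link type 1 (Ethernet), microsecond timestamps."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_540_000_000, i * 1000, len(frame), len(frame)))  # constructed timestamps
            fh.write(frame)


def build_sample():
    """Three constructed packets: one that trips dpx, one under the limit, one payload-less TCP SYN."""
    return [
        udp_frame("10.1.2.3", "10.9.8.7", 48620, 53, b"A" * 200, ident=1),  # dsize 200 > max 128
        udp_frame("10.1.2.3", "10.9.8.7", 48620, 53, b"B" * 64, ident=2),   # dsize 64, no event
        tcp_frame("10.1.2.3", "10.9.8.7", 12345, 8, 0x02, ident=3),          # like the thread's handshake capture
    ]


if __name__ == "__main__":
    frames = build_sample()
    write_pcap("dpx_test.pcap", frames)
    print("packets written:", len(frames))
    print("expected dpx events, unpatched kit (udp port 53, max 128):", expected_alerts(frames, 53, 128))
    print("expected dpx events, TCP-patched kit (tcp port 8, max 128):", expected_alerts(frames, 8, 128, PROTO_TCP))
```

Running the script and then Russ's Snort 3 command from earlier in the thread against the file (`--lua "dpx = { port = 53, max = 128 }; ips.enable_builtin_rules = true" --bpf "udp port 53" -r dpx_test.pcap -A csv -q`) should yield exactly one 256:1 event for the unpatched kit; the TCP SYN is there to show that a handshake-only capture, like the one posted in this thread, scores zero even after the protocol bit is switched to TCP, because its dsize is 0.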
