
[Snort-users] Snort not outputting statistics on exit

11-16-2003
Mark Ewert

Greetings,

I'm having an odd problem that just started with my Snort sensors. When
I shut down Snort (either via kill or the stop command with the startup
script) Snort no longer outputs its performance statistics in
/var/log/messages - it just lists: Snort Exiting. I may be going crazy
but I believe it used to output the stats there - I've seen them
recently as I've been working to improve Snort rule performance and am
looking for the packet loss data. Any idea what I'm doing wrong?

Here's my Snort command line from one of my sensors: snort -c
/etc/snort/snort.conf -i eth1 -D . I'm using the unified log and alert
output options and mudpit to process them. Oh - currently running: Snort
2.0.2 but will be upgrading to 2.0.4 ASAP.

Here's the snort.conf from the same sensor - it's an un-tuned test
sensor so it's definitely not optimized:

#
## Variables
## ---------
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
var DNS_SERVERS 192.168.1.200
var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
var HTTP_PORTS 80
var SQL_SERVERS [192.168.1.117/32,192.168.1.200/32]
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------
output log_unified: filename /var/log/snort1/unified_log, limit 128
#
output alert_unified: filename /var/log/snort1/unified_alert, limit 128
#
## Custom Rules
## ------------
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
## Include Files
## -------------
include classification.config
include reference.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

and the output from snort -T -i eth1 -c /etc/snort/snort.conf:

-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting
[root@vlnxsvr5 root]# snort -T -i eth1 -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
  eth1: no IPv4 address assigned

  --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
  Unicode decoding
  IIS alternate Unicode decoding
  IIS double encoding vuln
  Flip backslash to slash
  Include additional whitespace separators
  Ports to decode http on: 80
rpc_decode arguments:
  Ports to decode RPC on: 111 32771
  alert_fragments: INACTIVE
  alert_large_fragments: ACTIVE
  alert_incomplete: ACTIVE
  alert_multiple_requests: ACTIVE
Stream4 config:
  Stateful inspection: ACTIVE
  Session statistics: INACTIVE
  Session timeout: 30 seconds
  Session memory cap: 8388608 bytes
  State alerts: INACTIVE
  Evasion alerts: INACTIVE
  Scan alerts: ACTIVE
  Log Flushed Streams: INACTIVE
  MinTTL: 1
  TTL Limit: 5
  Async Link: 0
  State Protection: 0
  Self preservation threshold: 50
  Self preservation period: 90
  Suspend threshold: 200
  Suspend period: 30
Stream4_reassemble config:
  Server reassembly: INACTIVE
  Client reassembly: ACTIVE
  Reassembler alerts: ACTIVE
  Zero out flushed packets: INACTIVE
  flush_data_diff_size: 500
  Ports: 21 23 25 53 80 110 111 143 513 1433
  Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
No arguments to frag2 directive, setting defaults to:
  Fragment timeout: 60 seconds
  Fragment memory cap: 4194304 bytes
  Fragment min_ttl: 0
  Fragment ttl_limit: 5
  Fragment Problems: 0
  Self preservation threshold: 500
  Self preservation period: 90
  Suspend threshold: 1000
  Suspend period: 30
telnet_decode arguments:
  Ports to decode telnet on: 21 23 25 119
1458 Snort rules read...
1458 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

  --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting

THANKS IN ADVANCE.

Mark

-------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
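As an added example (not from the post or from the Snort project), a small Python check that pulls the exit statistics a daemonised Snort 2.x sensor writes to syslog and treats the symptom above, a bare "Snort exiting" with no statistics line, as a failure rather than as zero packet loss. The log lines are constructed, and the "Snort analyzed N out of M packets, dropping D(P%) packets" wording is assumed from Snort 2.0's exit summary; adjust STATS_RE for other versions.

```python
import re
from typing import Dict, Optional

# Constructed /var/log/messages excerpts (not taken from the post). The
# statistics line format is an assumption about Snort 2.0's exit summary.
SAMPLE_OK = """\
Nov 16 14:02:11 vlnxsvr5 snort: Snort analyzed 1044732 out of 1051200 packets, dropping 6468(0.615%) packets
Nov 16 14:02:11 vlnxsvr5 snort: Snort exiting
"""

# The failure mode from the post: Snort exits but logs no statistics.
SAMPLE_NO_STATS = """\
Nov 16 14:02:11 vlnxsvr5 snort: Snort exiting
"""

# Accept both "snort:" and "snort[pid]:" syslog tags; the "dropping ..." part
# is optional because Snort omits it when it received zero packets.
STATS_RE = re.compile(
    r"snort(?:\[\d+\])?: Snort analyzed (?P<analyzed>\d+) out of "
    r"(?P<received>\d+) packets"
    r"(?:, dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\) packets)?"
)


def parse_exit_stats(log_text: str) -> Optional[Dict[str, float]]:
    """Return the last exit statistics found in syslog text, or None when
    Snort logged an exit without any statistics line."""
    stats = None
    for line in log_text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue
        received = int(m.group("received"))
        dropped = int(m.group("dropped") or 0)
        # Recompute the drop rate instead of trusting the rounded printed value.
        pct = (100.0 * dropped / received) if received else 0.0
        stats = {"analyzed": int(m.group("analyzed")), "received": received,
                 "dropped": dropped, "drop_pct": pct}
    return stats


def packet_loss_ok(log_text: str, max_drop_pct: float = 1.0) -> bool:
    """True only if a statistics line exists and the drop rate is within the
    threshold; a missing statistics line fails the check, it is not zero loss."""
    stats = parse_exit_stats(log_text)
    return stats is not None and stats["drop_pct"] <= max_drop_pct


if __name__ == "__main__":
    print(parse_exit_stats(SAMPLE_OK), packet_loss_ok(SAMPLE_OK))
    print(parse_exit_stats(SAMPLE_NO_STATS), packet_loss_ok(SAMPLE_NO_STATS))
```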



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net