[Snort-users] Figured it out!: Snort not outputting statistics on exit (Snort forums, System Security and Security Related category)
Greetings,
I figured it out. I had been searching and searching Google for an answer and finally found it. Seems there is a bug in snort.c (located within the /src subdirectory of the install package). Here's a link to the fix provided by Chris Green cmg@sourcefire.com: http://www.pantek.com/library/genera...t-devel/msg00522.html . Here's the detail:

This problem seems only to occur in Daemon mode. To fix it:

Change in snort.c

    /* Print Statistics */
    if(!pv.test_mode_flag)
    {
        fpShowEventStats();
        DropStats(0);
    }

to

    /* Print Statistics */
    if(!pv.test_mode_flag)
    {
        fpShowEventStats();
        pv.quiet_flag = 0;
        DropStats(0);
        pv.quiet_flag = 1;
    }

After doing this Snort not only properly outputs stats in /var/log/messages on exit but it also tells me which libpcap I am using on startup, which is great because I'm experimenting with Phil Wood's libpcap8 with ring support and wasn't sure how to tell if Snort was actually using it!

Sorry I didn't find the solution before posting to the group. I'm going to try the same fix (if required) after installing v2.0.4.

Mark
---------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
www.ihcis.com

-----Original Message-----
From: Mark Ewert
Sent: Sunday, November 16, 2003 3:27 PM
To: snort-users@lists.sourceforge.net
Subject: Snort not outputting statistics on exit

Greetings,

I'm having an odd problem that just started with my Snort sensors. When I shutdown Snort (either via kill or the stop command with the startup script) Snort no longer outputs its performance statistics in /var/log/messages - it just lists: Snort Exiting. I may be going crazy but I believe it used to output the stats there - I've seen them recently as I've been working to improve Snort rule performance and am looking for the packet loss data.
Any idea what I'm doing wrong?

Here's my Snort command line from one of my sensors:

    snort -c /etc/snort/snort.conf -i eth1 -D

I'm using the unified log and alert output options and mudpit to process them. Oh - currently running: Snort 2.0.2 but will be upgrading to 2.0.4 ASAP.

Here's the snort.conf from the same sensor - it's an un-tuned test sensor so it's definitely not optimized:

#
## Variables
## ---------
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
var DNS_SERVERS 192.168.1.200
var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
var HTTP_PORTS 80
var SQL_SERVERS [192.168.1.117/32,192,168.1.200/32]
#
## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
#
#
## Output Modules
## --------------
output log_unified: filename /var/log/snort1/unified_log, limit 128
#
output alert_unified: filename /var/log/snort1/unified_alert, limit 128
#
## Custom Rules
## ------------
config disable_decode_alerts
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
## Include Files
## -------------
include classification.config
include reference.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/porn.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

and the output from snort -T -i eth1 -c /etc/snort/snort.conf :

        -*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting

[root@vlnxsvr5 root]# snort -T -i eth1 -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
1458 Snort rules read...
1458 Option Chains linked into 163 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

        -*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting

THANKS IN ADVANCE.

Mark
-------------------------------------------
Mark F. Ewert, Principal Systems Architect
Integrated Healthcare Information Services
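As an added check that is not part of Mark's message or of Snort itself: a small script that scans syslog-style lines for Snort shutdowns, flags an exit that logged only "Snort exiting" with no preceding stats line (the symptom discussed above), and pulls out the drop rate when stats are present. The stats line wording is an assumption modelled on Snort 2.x's DropStats() output, and the log lines are constructed.

```python
import re

# Constructed syslog excerpt (not from the original post). The stats line
# wording is an assumption modelled on Snort 2.x's DropStats() output.
SAMPLE_LOG = """\
Nov 16 15:20:01 vlnxsvr5 snort[1201]: Snort exiting
Nov 16 15:30:44 vlnxsvr5 snort[1337]: Snort analyzed 48213 out of 49000 packets, dropping 787(1.606%) packets
Nov 16 15:30:44 vlnxsvr5 snort[1337]: Snort exiting
"""

STATS_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets,"
    r" dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\) packets"
)
EXIT_RE = re.compile(r"snort\[(?P<pid>\d+)\]: Snort exiting")


def audit_shutdowns(log_text, max_drop_pct=1.0):
    """Return one dict per 'Snort exiting' line, matched to stats by PID.

    status is 'no_stats' when the exit had no stats line from the same PID
    (the daemon-mode symptom), 'ok' when the drop rate is within
    max_drop_pct, and 'high_drop' otherwise.
    """
    pending = {}   # pid -> stats seen before the matching exit line
    results = []
    for line in log_text.splitlines():
        m = STATS_RE.search(line)
        if m:
            pending[m["pid"]] = {k: m[k] for k in ("analyzed", "received", "dropped", "pct")}
            continue
        m = EXIT_RE.search(line)
        if not m:
            continue
        stats = pending.pop(m["pid"], None)
        if stats is None:
            results.append({"pid": m["pid"], "status": "no_stats"})
            continue
        pct = float(stats["pct"])
        results.append({
            "pid": m["pid"],
            "status": "ok" if pct <= max_drop_pct else "high_drop",
            "dropped": int(stats["dropped"]),
            "received": int(stats["received"]),
            "drop_pct": pct,
        })
    return results


if __name__ == "__main__":
    for r in audit_shutdowns(SAMPLE_LOG):
        print(r)
```

Point it at a real /var/log/messages by passing the file contents to audit_shutdowns(); an entry with status 'no_stats' is exactly the condition the patch above resolves.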