Re: [Snort-users] Figured it out!: Snort not outputting statistics on exit (Snort forums, System Security and Security Related category)
On Sun, Nov 16, 2003 at 04:00:50PM -0500, Mark Ewert wrote:
> Greetings,
>
> I figured it out. I had been searching and searching google for an
> answer and finally found it. Seems there is a bug in snort.c (located
> within the /src subdirectory of the install package). Here's a link to
> the fix provided by Chris Green cmg@sourcefire.com:
> http://www.pantek.com/library/genera...t-devel/msg00522.html .
>
> Here's the detail:
>
> This problem seems only to occur in Daemon mode. To fix it:
>
> Change In snort.c
>
>     /* Print Statistics */
>     if(!pv.test_mode_flag)
>     {
>         fpShowEventStats();
>         DropStats(0);
>     }
>
> to
>
>     /* Print Statistics */
>     if(!pv.test_mode_flag)
>     {
>         fpShowEventStats();
>         pv.quiet_flag = 0;
>         DropStats(0);
>         pv.quiet_flag = 1;
>     }
>
> After doing this Snort not only properly outputs stats in
> /var/log/messages on exit but it also tells me which libpcap I am using
> on startup which is great because I'm experimenting with Phil Wood's

For grins, start your snort and include PCAP_VERBOSE=1 where you might be
setting PCAP_FRAMES=max. It will dump a line to stderr which shows what is
really going on after all is said and done. Example default (not setting
PCAP_FRAMES to the max):

    # PCAP_VERBOSE=1 tcpdump -i eth0 -c 1 -n
    libpcap version: 0.8 Kernel filter, Protocol 0300, MMAP mode (600 frames, snapshot 96), socket type: Raw

Later,

> libpcap8 with ring support and wasn't sure how to tell if Snort was
> actually using it! Sorry I didn't find the solution before posting to
> the group. I'm going to try the same fix (if required) after installing
> v2.0.4
>
> Mark
>
> ---------------------------------------------
> Mark F. Ewert, Principal Systems Architect
> Integrated Healthcare Information Services
> www.ihcis.com
>
>
> -----Original Message-----
> From: Mark Ewert
> Sent: Sunday, November 16, 2003 3:27 PM
> To: snort-users@lists.sourceforge.net
> Subject: Snort not outputting statistics on exit
>
> Greetings,
>
> I'm having an odd problem that just started with my Snort sensors. When
> I shutdown Snort (either via kill or the stop command with the startup
> script) Snort no longer outputs its performance statistics in
> /var/log/messages - it just lists: Snort Exiting. I may be going crazy
> but I believe it used to output the stats there - I've seen them
> recently as I've been working to improve Snort rule performance and am
> looking for the packet loss data. Any idea what I'm doing wrong?
>
> Here's my Snort command line from one of my sensors:
> snort -c /etc/snort/snort.conf -i eth1 -D . I'm using the unified log and alert
> output options and mudpit to process them. Oh - currently running: Snort
> 2.0.2 but will be upgrading to 2.0.4 ASAP.
>
> Here's the snort.conf from the same sensor - it's an un-tuned test
> sensor so it's definitely not optimized:
>
> #
> ## Variables
> ## ---------
> var HOME_NET 192.168.1.0/24
> var EXTERNAL_NET any
> var SMTP_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH /etc/snort
> var DNS_SERVERS 192.168.1.200
> var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
> var HTTP_PORTS 80
> var SQL_SERVERS [192.168.1.117/32,192.168.1.200/32]
> #
> ## Preprocessor Support
> ## --------------------
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble
> #preprocessor portscan: $HOME_NET 4 3 portscan.log
> #preprocessor portscan-ignorehosts: 0.0.0.0
> #preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
> #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
> preprocessor frag2
> preprocessor telnet_decode
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> #
> #
> ## Output Modules
> ## --------------
> output log_unified: filename /var/log/snort1/unified_log, limit 128
> #
> output alert_unified: filename /var/log/snort1/unified_alert, limit 128
> #
> ## Custom Rules
> ## ------------
> config disable_decode_alerts
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
> config detection: search-method lowmem
> ## Include Files
> ## -------------
> include classification.config
> include reference.config
> #
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/web-attacks.rules
> #include $RULE_PATH/backdoor.rules
> #include $RULE_PATH/shellcode.rules
> #include $RULE_PATH/policy.rules
> #include $RULE_PATH/porn.rules
> #include $RULE_PATH/info.rules
> #include $RULE_PATH/icmp-info.rules
> #include $RULE_PATH/virus.rules
> #include $RULE_PATH/chat.rules
> #include $RULE_PATH/multimedia.rules
> #include $RULE_PATH/p2p.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/local.rules
>
> and the output from snort -T -i eth1 -c /etc/snort/snort.conf :
>
>         -*> Snort! <*-
> Version 2.0.2 (Build 92)
> By Martin Roesch (roesch@sourcefire.com, www.snort.org)
>
> Snort sucessfully loaded all rules and checked all rule chains!
> Snort exiting
> [root@vlnxsvr5 root]# snort -T -i eth1 -c /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
> OpenPcap() device eth1 network lookup:
>         eth1: no IPv4 address assigned
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> http_decode arguments:
>     Unicode decoding
>     IIS alternate Unicode decoding
>     IIS double encoding vuln
>     Flip backslash to slash
>     Include additional whitespace separators
>     Ports to decode http on: 80
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl: 0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> 1458 Snort rules read...
> 1458 Option Chains linked into 163 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->pass->log
>
>         --== Initialization Complete ==--
>
>         -*> Snort! <*-
> Version 2.0.2 (Build 92)
> By Martin Roesch (roesch@sourcefire.com, www.snort.org)
>
> Snort sucessfully loaded all rules and checked all rule chains!
> Snort exiting
>
> THANKS IN ADVANCE.
>
> Mark
>
> -------------------------------------------
> Mark F. Ewert, Principal Systems Architect
> Integrated Healthcare Information Services

--
Phil Wood (cpw_at_lanl.gov)
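The exit-path bug and its fix, modelled as an added C example that is not Snort's source and not part of the thread: a global quiet flag that daemon mode sets silently suppresses the packet-loss summary a sensor operator relies on to know whether the IDS is blind, and the fix forces the flag off around DropStats(). The struct, the daemon-mode behaviour and the function bodies are constructed assumptions, and unlike the posted patch the fixed path restores the previous flag value instead of hard-setting 1.

```c
#include <stdio.h>

/* Constructed model of the Snort 2.0.x exit path discussed above, not Snort's
 * source. Names mirror the post (pv, DropStats, quiet_flag, test_mode_flag);
 * the struct and the daemon-mode behaviour are assumptions. */
struct ProgVars { int quiet_flag; int test_mode_flag; };
static struct ProgVars pv;

/* Assumed: daemon mode (-D) also turns on quiet output, which is what the
 * posted fix implies, since it has to clear quiet_flag to get the stats out. */
static void enter_daemon_mode(void) { pv.quiet_flag = 1; }

/* Model of DropStats(): writes the packet-loss summary unless quiet_flag is
 * set; returns the number of lines written into out. */
static int drop_stats(char *out, size_t outlen, unsigned long recv, unsigned long drop)
{
    out[0] = '\0';
    if (pv.quiet_flag)
        return 0;            /* silent return: this is how the stats vanished */
    snprintf(out, outlen, "Snort received %lu packets\n    Dropped: %lu\n", recv, drop);
    return 2;
}

/* Exit path before the fix: nothing reaches the log when running with -D. */
static int print_stats_buggy(char *out, size_t outlen, unsigned long recv, unsigned long drop)
{
    return pv.test_mode_flag ? 0 : drop_stats(out, outlen, recv, drop);
}

/* Exit path after the posted fix, with one refinement: the old flag value is
 * saved and restored rather than hard-set to 1, so a foreground run is left as it was. */
static int print_stats_fixed(char *out, size_t outlen, unsigned long recv, unsigned long drop)
{
    int saved = pv.quiet_flag, lines;
    if (pv.test_mode_flag)
        return 0;
    pv.quiet_flag = 0;
    lines = drop_stats(out, outlen, recv, drop);
    pv.quiet_flag = saved;
    return lines;
}

int main(void)
{
    char buf[128];
    enter_daemon_mode();
    printf("buggy: %d lines\n", print_stats_buggy(buf, sizeof buf, 1000UL, 7UL));
    printf("fixed: %d lines\n%s", print_stats_fixed(buf, sizeof buf, 1000UL, 7UL), buf);
    return 0;
}
```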