RE: [Snort-users] snort not reporting

A discussion in the Snort forums, part of the System Security and Security Related category. The post is an archived mailing-list message; the original was sent in MIME multipart form (text/plain plus an HTML copy), and only the text part is reproduced below.
First, be patient. Reposting 10 hours later will not get you an answer faster. Sunday evening ya know.

Second, what are you plugged into? Also, what I see first is the following.

Snort received 8244 packets
    Analyzed: 8244(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)

Also, what is happening on this interface?

Initializing Network Interface ppp0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding PPP on interface ppp0

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
www.ntsug.org - Snort Users Group
"If there is no light at the end of the tunnel, get down there and light the damn thing yourself!"

_____
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Allan Jensen
Sent: Monday, December 13, 2004 3:49 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] snort not reporting

I installed snort 2.2.0 on Mac OS X 10.3.6 together with ACID 0.9.6b23. Everything went fine. When I start snort:

sudo snort -dvi -c /etc/snort/snort.conf

I get the following:

Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface ppp0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding PPP on interface ppp0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database: user = root
database: password is set
database: database name = snort
database: host = localhost
Node unique name is: 80.134.161.187
database: sensor name = 80.134.161.187
database: sensor id = 6
database: schema version = 106
database: using the "alert" facility
2180 Snort rules read...
2180 Option Chains linked into 176 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275     type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2924     type=Threshold tracking=src count=10  seconds=60
| gen-id=1      sig-id=2923     type=Threshold tracking=src count=10  seconds=60
| gen-id=1      sig-id=2523     type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=2496     type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2494     type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2495     type=Both      tracking=dst count=20  seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)

However after a while when I control-c:

^C

===============================================================================
Snort received 8244 packets
    Analyzed: 8244(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1) Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
    finds: 0 reversed: 0(%0.000000)
    find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
database: Closing connection to database "p"
Snort exiting

Nothing gets reported. I have configured snort.conf like this:

var HOME_NET any
and
var EXTERNAL_NET any
and
output database: alert, mysql, user=root password=<mypassword> dbname=snort host=localhost

Can anyone help?

Thanks,
Allan

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
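An added example, not part of the thread and not Snort's own code: a small Python script that parses the end-of-run summary Snort 2.x prints on Ctrl-C and flags the inconsistency the reply points at (packets received and analyzed, but every protocol counter at zero, so nothing ever reaches a rule). Both sample summaries are constructed; the first reproduces the counters from the post, the second uses invented numbers for a healthy run. The function names and the findings text are this example's own.

```python
import re

# Protocol buckets in the "Breakdown by protocol" block of a Snort 2.x run
# summary (the set shown in the thread's output).
PROTOCOLS = ("TCP", "UDP", "ICMP", "ARP", "EAPOL", "IPv6", "IPX", "OTHER", "DISCARD")

# Constructed sample 1: the counters from the post, laid out as Snort prints them.
SUMMARY_NOTHING_DECODED = """\
Snort received 8244 packets
    Analyzed: 8244(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
"""

# Constructed sample 2: a healthy run with invented numbers, for contrast.
SUMMARY_HEALTHY = """\
Snort received 8244 packets
    Analyzed: 8244(100.000%)
    Dropped: 0(0.000%)
Breakdown by protocol:
    TCP: 7100       (86.123%)
    UDP: 900        (10.917%)
   ICMP: 44         (0.534%)
    ARP: 200        (2.426%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
Action Stats:
ALERTS: 12
LOGGED: 12
PASSED: 0
"""


def _count(label, text):
    """Integer printed after 'label:' at the start of a summary line, or 0 if absent."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else 0


def parse_summary(text):
    """Pull the counters a health check needs out of a Snort 2.x run summary."""
    m = re.search(r"Snort received (\d+) packets", text)
    if not m:
        raise ValueError("not a Snort run summary: no 'Snort received' line")
    return {
        "received": int(m.group(1)),
        "analyzed": _count("Analyzed", text),
        "dropped": _count("Dropped", text),
        "protocols": {p: _count(p, text) for p in PROTOCOLS},
        "alerts": _count("ALERTS", text),
        "logged": _count("LOGGED", text),
        "passed": _count("PASSED", text),
    }


def check_summary(stats):
    """Return a list of findings; an empty list means the counters are consistent."""
    findings = []
    if stats["received"] == 0:
        findings.append("no packets received: wrong interface, or nothing on the wire")
        return findings
    if stats["dropped"]:
        findings.append("%d packets dropped by the capture layer" % stats["dropped"])
    classified = sum(stats["protocols"].values())
    ip_traffic = sum(stats["protocols"][p] for p in ("TCP", "UDP", "ICMP", "IPv6"))
    if classified == 0:
        # Received but never classified: the decoder Snort picked for the
        # interface's link type is not producing packets the rules can see.
        findings.append(
            "%d packets received but every protocol counter is 0: the link-layer "
            "decoder for this interface is not classifying its frames, so no rule "
            "can match; check the interface and its link type before touching "
            "rules or the database output" % stats["received"])
    elif ip_traffic == 0:
        findings.append("packets decoded but none as IP: rules keyed on "
                        "ip/tcp/udp/icmp cannot fire")
    elif stats["alerts"] == 0:
        findings.append("IP traffic decoded but zero alerts: not an error by itself; "
                        "confirm rules loaded and HOME_NET/EXTERNAL_NET are set")
    return findings


def diagnose(text):
    """Parse a summary and return its findings in one call."""
    return check_summary(parse_summary(text))


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SUMMARY_NOTHING_DECODED
    for line in diagnose(text) or ["summary counters are consistent"]:
        print(line)
```

Paste the block Snort prints at Ctrl-C into a file and feed it on stdin, or call diagnose() directly. When the "every protocol counter is 0" finding fires, look at the interface before anything else, e.g. `tcpdump -i ppp0 -c 5`, and compare what tcpdump decodes with the link type Snort announced in its "Decoding PPP on interface ppp0" line.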