This is a discussion on RE: [Snort-users] snort not reporting within the Snort forums, part of the System Security and Security Related category.
Sorry, the second mail was a mistake. I thought the first one had not been delivered.

I'm connected to the internet through my ISP. I see that snort has analyzed the 8244 packets but cannot believe that I never get any bad traffic - not even if I let http://scan.sygatetech.com/ scan my computer leaving my firewall open. Is there any way I can get snort to react - some kind of test - just to see if the application is working? I have already tried portscanning localhost with nmap - still without anything showing up in snort/ACID. ppp0 is my interface for connecting to the internet.

Allan Jensen

--- "Patrick S. Harper" <patrick@internetsecurityguru.com> wrote:

> first, be patient. reposting 10 hours later will not get you an answer
> faster. Sunday evening ya know.
>
> second. what are you plugged into? also what I see first is the
> following.
>
> Snort received 8244 packets
>     Analyzed: 8244(100.000%)
>     Dropped: 0(0.000%)
> ===============================================================================
> Breakdown by protocol:
>     TCP: 0 (0.000%)
>     UDP: 0 (0.000%)
>    ICMP: 0 (0.000%)
>     ARP: 0 (0.000%)
>   EAPOL: 0 (0.000%)
>    IPv6: 0 (0.000%)
>     IPX: 0 (0.000%)
>   OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
>
> also, what is happening on this interface?
>
> Initializing Network Interface ppp0
>
> --== Initializing Snort ==--
>
> Initializing Output Plugins!
>
> Decoding PPP on interface ppp0
>
>
> Patrick S. Harper | CISSP RHCT MCSE
> www.internetsecurityguru.com
>
> www.ntsug.org - Snort Users Group
>
> "If there is no light at the end of the tunnel, get down there and light the
> damn thing yourself!"
>
>
> _____
>
> From: snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Allan Jensen
> Sent: Monday, December 13, 2004 3:49 AM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] snort not reporting
>
>
> I installed snort 2.2.0 on Mac OS X 10.3.6 together with ACID 0.9.6b23.
> Everything went fine.
>
> When I start snort:
>
> sudo snort -dvi -c /etc/snort/snort.conf
>
> I get the following:
>
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface ppp0
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding PPP on interface ppp0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4099
> | Overhead Bytes:  16400(%0.16)
> `----------------------------------------------
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: YES
>       Apache WhiteSpace: YES alert: YES
>       IIS Delimiter: YES alert: YES
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = root
> database: password is set
> database: database name = snort
> database: host = localhost
> Node unique name is: 80.134.161.187
> database: sensor name = 80.134.161.187
> database: sensor id = 6
> database: schema version = 106
> database: using the "alert" facility
> 2180 Snort rules read...
> 2180 Option Chains linked into 176 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1      sig-id=2275     type=Threshold tracking=dst count=5   seconds=60
> | gen-id=1      sig-id=2924     type=Threshold tracking=src count=10  seconds=60
> | gen-id=1      sig-id=2923     type=Threshold tracking=src count=10  seconds=60
> | gen-id=1      sig-id=2523     type=Both      tracking=dst count=10  seconds=10
> | gen-id=1      sig-id=2496     type=Both      tracking=dst count=20  seconds=60
> | gen-id=1      sig-id=2494     type=Both      tracking=dst count=20  seconds=60
> | gen-id=1      sig-id=2495     type=Both      tracking=dst count=20  seconds=60
> +-----------------------[suppression]------------------------------------------
> -------------------------------------------------------------------------------
> Rule application order: ->activation->dynamic->alert->pass->log
>
> --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 2.2.0 (Build 30)
> By Martin Roesch (roesch@sourcefire.com, www.snort.org)
>
> However after a while when I control-c :
>
> ^C
>
> ===============================================================================
>
> Snort received 8244 packets
>     Analyzed: 8244(100.000%)
>     Dropped: 0(0.000%)
> ===============================================================================
> Breakdown by protocol:
>     TCP: 0 (0.000%)
>     UDP: 0 (0.000%)
>    ICMP: 0 (0.000%)
>     ARP: 0 (0.000%)
>   EAPOL: 0 (0.000%)
>    IPv6: 0 (0.000%)
>     IPX: 0 (0.000%)
>   OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 0
> LOGGED: 0
> PASSED: 0
> ===============================================================================
> Final Flow Statistics
> ,----[ FLOWCACHE STATS ]----------
> Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
> Overhead blocks: 1 Could Hold: (0)
> IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s
>     finds: 0 reversed: 0(%0.000000)
>     find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0
> database: Closing connection to database "p"
> Snort exiting
>
> Nothing gets reported. I have configured snort.conf like this:
>
> var HOME_NET any
> and
> var EXTERNAL_NET any
> and
> output database: alert, mysql, user=root password=<mypassword> dbname=snort host=localhost
>
> Can anyone help?
>
> Thanks,
> Allan

__________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
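The point Patrick is making with the quoted statistics is that the exit summary answers Allan's "is it working at all?" question before any rule or database output comes into play: Snort received 8244 packets on ppp0, but every entry under "Breakdown by protocol" (including OTHER and DISCARD) is zero, so nothing reached the detection engine and no test rule could have fired. The following Python script is an added example, not code from the thread or from the Snort project: it parses a Snort 2.x exit summary (the sample text below is constructed from the counters quoted in the thread) and reports which sanity check fails first, so an operator can tell "capture/decode is broken" apart from "traffic is decoded but no rule or output plugin produced an alert". The counter names match the summary shown above; the diagnosis labels and thresholds are my own.

```python
import re

# Constructed sample: the exit summary Snort 2.2.0 printed in the thread above
# (packets were received on ppp0, but every protocol counter is zero).
SAMPLE_SUMMARY = """\
Snort received 8244 packets
    Analyzed: 8244(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
"""

# Protocol counters as named in the Snort 2.x exit summary.
PROTOCOLS = ("TCP", "UDP", "ICMP", "ARP", "EAPOL", "IPv6", "IPX", "OTHER", "DISCARD")
IP_PROTOCOLS = ("TCP", "UDP", "ICMP", "IPv6")


def parse_summary(text):
    """Return a dict of the integer counters found in a Snort 2.x exit summary."""
    stats = {}
    m = re.search(r"Snort received (\d+) packets", text)
    if m:
        stats["received"] = int(m.group(1))
    for key in ("Analyzed", "Dropped"):
        m = re.search(rf"{key}:\s*(\d+)", text)
        if m:
            stats[key.lower()] = int(m.group(1))
    for proto in PROTOCOLS:
        # Anchored at line start so e.g. "TCP:" cannot match inside another label.
        m = re.search(rf"^\s*{re.escape(proto)}:\s*(\d+)", text, re.MULTILINE)
        if m:
            stats[proto] = int(m.group(1))
    for key in ("ALERTS", "LOGGED", "PASSED"):
        m = re.search(rf"^{key}:\s*(\d+)", text, re.MULTILINE)
        if m:
            stats[key.lower()] = int(m.group(1))
    return stats


def diagnose(stats):
    """Map the counters to the first sanity check that fails (labels are my own)."""
    if stats.get("received", 0) == 0:
        # The sensor is not seeing the interface at all (wrong -i, no traffic, no capture rights).
        return "no-packets"
    if sum(stats.get(p, 0) for p in PROTOCOLS) == 0:
        # Packets arrive but the decoder classifies none of them, not even as OTHER/DISCARD,
        # so the rule engine never sees anything; this is the situation in the thread.
        return "nothing-decoded"
    if sum(stats.get(p, 0) for p in IP_PROTOCOLS) == 0:
        # Only link-layer traffic (e.g. ARP) was decoded; IP-based rules have nothing to match.
        return "no-ip-traffic"
    if stats.get("alerts", 0) == 0:
        # Traffic is decoded; look at the rules, HOME_NET/EXTERNAL_NET and the output plugin next.
        return "no-alerts"
    return "ok"


if __name__ == "__main__":
    counters = parse_summary(SAMPLE_SUMMARY)
    print(counters)
    print("diagnosis:", diagnose(counters))
```

Run against the counters from the thread the script reports `nothing-decoded`: with 8244 packets received and zero of them attributed to any protocol, adjusting `HOME_NET`, the rule set or the MySQL output plugin cannot change the result, and the capture on ppp0 (the "Decoding PPP on interface ppp0" line) is the thing to investigate first. Only once the protocol counters are non-zero does a deliberate test rule such as `alert icmp any any -> any any (msg:"ICMP test"; sid:1000001; rev:1;)` in a local rules file, followed by a ping across the interface, tell you anything about the rule and output stages.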