[Snort-users] SnortSAM + Snort 2.3.3

Old 05-04-2005
Xavier Cabrera

I have recently had problems with Snort 2.3.3 and SnortSAM.

Snort can detect the attack but doesn't send the packet to the SnortSAM
machine.

What can have happened?

Previously I made them work with previous releases.

Can anyone help me?

This is my INFO

###############################
### /var/log/messages##############
##############################

May 2 13:52:52 core snort: Initializing daemon mode
May 2 13:52:52 core snort: DEBUG => [Alert_FWsam](AlertFWsamSetup)
Output plugin is plugged in...

!

May 2 13:52:53 core snort: command line overrides rules file alert plugin!
May 2 13:52:53 core snort: IIS Unicode: YES alert: YES
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: Multiple Slash: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: 5minutes
May 2 13:52:53 core snort: IIS Backslash: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: Directory Traversal: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,5minutes
May 2 13:52:53 core snort: Web Root Traversal: YES alert: YES
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: Apache WhiteSpace: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,5minutes
May 2 13:52:53 core snort: IIS Delimiter: YES alert: NO
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: IIS Unicode Map: GLOBAL IIS UNICODE
MAP CONFIG
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,5minutes
May 2 13:52:53 core snort: Non-RFC Compliant Characters: NONE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: rpc_decode arguments:
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,1minutes
May 2 13:52:53 core snort: Ports to decode RPC on: 111 32771
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: alert_fragments: INACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,1minutes
May 2 13:52:53 core snort: alert_large_fragments: ACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: alert_incomplete: ACTIVE
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,1minutes
May 2 13:52:53 core snort: alert_multiple_requests: ACTIVE
May 2 13:52:53 core snort: telnet_decode arguments:
May 2 13:52:53 core snort: Ports to decode telnet on: 21 23 25 119
May 2 13:52:53 core snort: Portscan Detection Config:
May 2 13:52:53 core snort: Detect Protocols: TCP UDP ICMP IP
May 2 13:52:53 core snort: Detect Scan Type: portscan portsweep
decoy_portscan distributed_portscan
May 2 13:52:53 core snort: Sensitivity Level: Low
May 2 13:52:53 core snort: Memcap (in bytes): 10000000
May 2 13:52:53 core snort: Number of Nodes: 36900
May 2 13:52:53 core snort:
May 2 13:52:53 core snort: command line overrides rules file alert plugin!
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: 5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,5minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,1minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,1minutes
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
FWsamOptionInit is parsing...
May 2 13:52:53 core snort: DEBUG => [Alert_FWsam](AlertFWamOptionInit)
Parse Options Args: src,1minutes


#########################################
######## /etc/snortsam/snortsam.conf #########
########################################

defaultkey mypassword

port 898

accept 127.0.0.1/32, mypassword

bindip 127.0.0.1

########################################
#########/etc/snort/snort.conf ##############
########################################

output alert_fwsam: 127.0.0.1:898/mypassword


#######################################
######## /var/log/eth0/alert ###############
######################################

05/02-13:51:53.460764 [**] [1:499:4] ICMP Large ICMP Packet Protegida
por SnortSAM 5 minutos [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {ICMP} x.y.z.10 -> a.b.c.1
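The two config fragments above have to agree with each other before SnortSAM will accept anything from the sensor: the port Snort sends to must be the port SnortSAM listens on, the sensor's address must fall inside an `accept` entry, and the key on the `output alert_fwsam:` line must equal that entry's key (or `defaultkey` when the entry carries none). The script below is an added example, not code from the poster or from the SnortSAM project; it parses only the four snortsam.conf directives and the one snort.conf line quoted in the post, and then reports any mismatch. The fallback port of 898 when none is written, and the rule that a loopback `bindip` can only be reached by a sensor on the same host, are assumptions made here. The "as posted" input is the poster's config; the second input with a misspelt key is constructed to show what a failure report looks like.

```python
"""Cross-check a snortsam.conf against Snort's `output alert_fwsam:` line.
Added example (not from the post or the SnortSAM project); the directive
syntax follows what the post quotes, fallbacks below are assumptions."""
import ipaddress
import re

# Config text copied from the post (snortsam.conf and the snort.conf output line).
SNORTSAM_CONF = """\
defaultkey mypassword
port 898
accept 127.0.0.1/32, mypassword
bindip 127.0.0.1
"""
SNORT_CONF = "output alert_fwsam: 127.0.0.1:898/mypassword\n"

DEFAULT_PORT = 898  # port used in the post; assumed fallback when none is given


def parse_snortsam_conf(text):
    """Parse the defaultkey, port, bindip and accept directives used in the post."""
    cfg = {"defaultkey": None, "port": DEFAULT_PORT, "bindip": None, "accept": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "defaultkey":
            cfg["defaultkey"] = val
        elif key == "port":
            cfg["port"] = int(val)
        elif key == "bindip":
            cfg["bindip"] = val
        elif key == "accept":
            # "accept <net>[, <key>]": a per-sensor key overrides defaultkey
            net, _, k = val.partition(",")
            cfg["accept"].append(
                (ipaddress.ip_network(net.strip(), strict=False), k.strip() or None))
    return cfg


ALERT_FWSAM_RE = re.compile(r"^\s*output\s+alert_fwsam\s*:\s*(.+?)\s*$", re.I)


def parse_alert_fwsam(text):
    """Return (host, port, key) for every target on `output alert_fwsam:` lines."""
    targets = []
    for raw in text.splitlines():
        m = ALERT_FWSAM_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        for entry in m.group(1).split():          # host[:port][/key] per entry
            hostport, _, key = entry.partition("/")
            host, _, port = hostport.partition(":")
            targets.append((host, int(port) if port else DEFAULT_PORT, key or None))
    return targets


def check_pairing(sam_cfg, targets, sensor_ip):
    """List the mismatches that would stop SnortSAM accepting this sensor."""
    if not targets:
        return ["snort.conf has no output alert_fwsam line"]
    problems = []
    sensor = ipaddress.ip_address(sensor_ip)
    for host, port, key in targets:
        if port != sam_cfg["port"]:
            problems.append(f"port: snort sends to {port}, snortsam listens on {sam_cfg['port']}")
        if sam_cfg["bindip"] and sam_cfg["bindip"] != host:
            problems.append(f"bindip: snortsam binds {sam_cfg['bindip']} but snort targets {host}")
        try:  # assumption: a loopback agent is only reachable from the same host
            if ipaddress.ip_address(host).is_loopback and not sensor.is_loopback:
                problems.append(f"reach: {host} is loopback but sensor {sensor_ip} is remote")
        except ValueError:
            pass  # hostname rather than an address; nothing to check offline
        matched = [k for net, k in sam_cfg["accept"] if sensor in net]
        if not matched:
            problems.append(f"accept: sensor {sensor_ip} matches no accept entry")
            continue
        expected = matched[0] or sam_cfg["defaultkey"]
        if key is None:
            problems.append(f"key: no key on the alert_fwsam entry for {host}")
        elif key != expected:
            problems.append(f"key: snort uses {key!r}, snortsam expects {expected!r} from {sensor_ip}")
    return problems


def audit(snortsam_text, snort_text, sensor_ip):
    """Parse both files and return the list of problems (empty means consistent)."""
    return check_pairing(parse_snortsam_conf(snortsam_text),
                         parse_alert_fwsam(snort_text), sensor_ip)


if __name__ == "__main__":
    cases = [
        ("as posted", SNORTSAM_CONF, SNORT_CONF),
        ("key typo (constructed)", SNORTSAM_CONF,
         "output alert_fwsam: 127.0.0.1:898/mypasswrd\n"),
    ]
    for label, sam, sn in cases:
        print(label, "->", audit(sam, sn, "127.0.0.1") or ["ok"])
```

Run it with the sensor's own address as the third argument; when Snort and SnortSAM share a host, as in the post, that is `127.0.0.1`. An empty result means the two files agree, which narrows the fault to the rule side (the `fwsam:` option on the rule, which the debug log shows being parsed) or to the network path, rather than to the key or port pairing.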




