Kyle Cummings | 26 May 23:48 2016
Picon
Gravatar

Snort Capabilities

I was wondering if Snort is capable of either of the following:
  1. Deny / terminate requests based on the geographic location of the IP.
  2. Detect and "block" potential DoS / DDoS attacks.

I've tried reading around, and came across several security.stackexchange.com posts, but they all seem to be from 2013 or older, and I would imagine that Snort would have evolved significantly since then.

I know that the former can technically be done by a list of firewall rules. However, typing and / or maintaining such a list manually is pretty much pure insanity. So, is there any other method with Snort? Or would I have to either enter things in manually into the configuration file or maybe write a script that does it for me?


--
Thanks,
Kyle M. Cummings
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
justin hyland | 26 May 23:04 2016
Picon
Gravatar

Having a problem getting Snort rules implemented

Hello, new Snort user here. I just installed the latest version of Snort on a new CentOS7 server, following the instructions from this article: http://www.unixmen.com/install-snort-nids-centos-7/ 

It seemed to go pretty smoothly, except when I execute Snort, I get an error saying the rules at /usr/local/lib/snort_dynamicrules don't exist. And when I look through the community rules I downloaded, I dont see that in there at all. When I go and comment out the three dynamic rules lines and execute Snort again, I get another error, saying that /etc/snort/rules/local.rules doesn't exist.

The only thing in the /etc/snort/rules directory, is an iplists folder, which contains a default.blacklist.

Did I do something wrong? or miss a step in the article? I'm not sure how to get these rules setup. It walks you through installing pulledpork, but thats it.


// ---------------------------
Justin Hyland
Linux Engineer/Software Developer/Technology Enthusiast

It is the mark of an educated mind to be able to entertain a thought without accepting it. - Aristotle

M: 602.740.0620
E:  jhyland87 <at> gmail.com
W: www.justinhyland.com
LI: https://www.linkedin.com/in/justin-hyland-a0b34b10
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
justin hyland | 26 May 18:37 2016
Picon
Gravatar

Questions regarding Snort subscription plans

Hello,

 

I'm looking at Snort as a potential monitoring solution, and had a couple questions regarding the subscription plans.

 

What I'm primarily looking to monitor is our production environment, which consists of 6 VMs running CentOS 7. I was looking at the products page to see which plan would suffice, but there doesn’t seem to be much details listed.

 

Can you provide some detail about the differences between the subscription plans? I clicked Purchase on the Business license, and created an account using this email, but there wasn’t much to view once I logged into the account. 


The Snort homepage has some steps for getting started, but it’s not very clear as to what the steps are walking you through installing (main Snort server/service? Snort monitoring agent? Etc.) 

 

Also, does Snort have the ability to perform any actions when it detects something? Or is it strictly for detection and notification?

 

Thank you

 

Justin Hyland



// ---------------------------
Justin Hyland
Linux Engineer/Software Developer/Technology Enthusiast

It is the mark of an educated mind to be able to entertain a thought without accepting it. - Aristotle

M: 602.740.0620
E:  jhyland87 <at> gmail.com
W: www.justinhyland.com
LI: https://www.linkedin.com/in/justin-hyland-a0b34b10
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Nicolas Matovelle Trigo | 26 May 13:56 2016

Activate and dynamic rules

Hi, I've just started using snort and I can't get it working.

I've installed it in a CentOS 7.2 virtual machine and configured it to act as gateway for other network and it works. At the first moment I set only the following rule:

"alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP response"; sid:123)"

And I could saw the responses on the alert file.

But now I'm trying to use a dynamic rule like the following:

activate tcp $HOME_NET any -> $EXTERNAL_NET 1024 (msg:"Activating"; sid:100; activates:1;)
dynamic tcp any any <> any any (msg:"Dynamic not activated"; sid:101; activated_by:1; count: 10000;)

The actual behavior is that snort alerts the "Activating" rule, but I never see the "Dynamic not activated" message. The only thing not common in my configuration is that I commented out the line "dynamicdetection directory /usr/local/lib/snort_dynamicrules" from the snort.conf as I don't have such directory and snort failed to start with that line.

Thanks in advance for your attention,
Nico.
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Matthew White | 26 May 02:59 2016
Picon

FATAL ERROR - FATAL ERROR: Unknown rule option: 'disable'.

After modifying my pulledpork.conf file I now get the following.

FATAL ERROR: /etc/snort/rules/snort.rules(9844) Unknown rule option: 'disable'.

Not seeing this in forums. Any ideas?
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Matthew White | 25 May 18:17 2016
Picon

FATAL ERROR - Preproc Rule Help - rule duplicates

I am trying to tune Snort at the processor level in the flow before info is processed to lighten the CPU usage.

Steps I have tried to no avail
1. Commenting the rule out using #.
2. Changing alert to pass instead of alert to get the following error.

FATAL ERROR: /etc/snort/preproc_rules/preprocessor.rules(29) GID 119 SID 15 in rule duplicates previous rule, with different type.

Instructions I am following


Is there something else I am missing?

Thanks,

Matthew



------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Chris Sandford | 20 May 15:37 2016

Unable to process the IP address

Hi,

 

When configuring some rules in testing I get the following error

 

 

The command entered was;

 

Snort –I 1 –c c:\snort\etc\snort.conf –A console.

 

I am early stages and very new to Snort and was testing very simple rule sets entered into the local rules folder.

 

The only IP entered is my Home net.

 

please advise, thank you.

 

Chris

SMS Head Office : Starling House, Lancelot Road, Beacon Park, Gorleston-on-Sea, Great Yarmouth, Norfolk, NR31 7BF
Tel: +44 (0)1493

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Gardner, Warren (IHG | 19 May 17:14 2016

Signature numbering significance

 

Hello,

 

I’ve just begun to investigate some of the Snort signatures blocked by my firewall and don’t really understand the naming convention and the significance of the numbers. I read the FAQ which simply stated that number must be > 10,000 for community submitted submissions but that didn’t really give me the knowledge I was looking for.

 

I have seen man of 1:16301:14 attempts on port 80; when I searched the snort DB it returned “Your search returned no results”. I removed the :14 hoping that might be just a submission or release number and the search returned “1-16301 - This event is generated when an attempt is made to exploit a known vulnerability in Internet Explorer”. Because it was a port 80 request the messaged about an IE vulnerability seemed to make sense (even if it did relate to v5 and v6).

 

A similar thing happened with 1:21516:9 once I removed the :9 the search returned “This event is generated when an attempt is made to exploit a known vulnerability in jboss application server.”

 

My question is what significance to the colon separated values have(if any)? If the snort.org search returns no matches to a signature is there anywhere else I can find more information about a signature?

 

 

 

Warren Gardner

 

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Arkam Uzair | 19 May 17:16 2016
Picon

Re: Snort not detecting rule and nothing being written to log or U2(Binary) Files

Jason,

Thank you for your reply.

It is already disabled.

arkam <at> Arkam:~$ ethtool --show-offload eth0 | grep -i check
rx-checksumming: off [fixed]
tx-checksumming: off

Arkam


On Thu, May 19, 2016 at 2:13 PM, Jason <jason <at> brvenik.com> wrote:
2 bucks says it is checksums.... disable checksum checking if running
on the same system as you are trying to test from but be aware that it
creates evasion opportunities. Alternatively you can disable checksum
offload.

https://wiki.wireshark.org/CaptureSetup/Offloading

On Thu, May 19, 2016 at 11:07 AM, Arkam Uzair <arkamu <at> gmail.com> wrote:
> Guys,
>
> I am facing an issue with snort. I installed snort and checked the config
> file with Snort -v and Snort -T etc and it was fine. Then I added a rule for
> icmp in local rules file. Started snort and no error.
>
> Tried the following
>
> a- Pinging another PC from the Guest running snort
> b- Self Pinging on my eth0 port(The one on which snort listens)
> c- Pinging this from another PC
>
> Nothing gets written to log or U2 File.
>
> Even with snort -U Console it just says it is processing packets stuff but
> nothing is shown.
>
> Why it is not capturing this ICMP Alert.
> **********************************************************
>
> Some Useful Info. Here is my rule
>
> ___________________________________________________________________________
> arkam <at> Arkam:~$ grep -i icmp /etc/snort/rules/local.rules
>
> alert icmp any any -> 192.168.88.131/24 any ( msg:"ICMP test Detected";
> GID:1; sid:10000001; rev:001; classtype:icmp-event;)
> _______________________________________________________________________________
>
> My permission of log directory are also fine
>
> ___________________________________________________________________________
>
> arkam <at> Arkam:~$ ls -lrt /var/log/snort/*
>
> -rwxrwxr-t 1 snort snort    0 May 12 07:06
> /var/log/snort/snort.u2.1463033164
> -rwxrwxr-t 1 snort snort    0 May 18 01:04
> /var/log/snort/snort.u2.1463529861
> -rwxrwxr-t 1 snort snort    0 May 18 01:12 /var/log/snort/barnyard2.waldo
> -rw------- 1 snort snort    0 May 18 14:00
> /var/log/snort/snort.log.1463576405
> -rw------- 1 snort snort    0 May 18 14:14
> /var/log/snort/snort.log.1463577285
> -rw------- 1 snort snort    0 May 18 14:16
> /var/log/snort/snort.log.1463577374
> -rw------- 1 snort snort    0 May 18 14:21
> /var/log/snort/snort.log.1463577686
> _____________________________________________________________________________
>
> Snort Configuration is fine
>
> _____________________________________________-
> arkam <at> Arkam:~$ snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.8.2 GRE (Build 335)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
> Snort Testing is fine and It does shows my ICMP Rule
> ______________________________________________________________________
> arkam <at> Arkam:~$ sudo snort -T -c /etc/snort/snort.conf -i eth0
> [sudo] password for arkam:
> Running in Test mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741
> 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145
> 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181
> 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371
> 34443:34444 41080 50002 55555 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901
> 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
> 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
> 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
> 9443 9999 11371 34443:34444 41080 50002 55555 ]
> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> Detection:
>    Search-Method = AC-Full-Q
>     Split Any/Any group = enabled
>     Search-Method-Optimizations = enabled
>     Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
> WARNING: No dynamic libraries found in directory
> /usr/local/lib/snort_dynamicrules.
>   Finished Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
> WARNING: ip6 normalizations disabled because not inline.
> WARNING: icmp6 normalizations disabled because not inline.
> Frag3 global config:
>     Max frags: 65536
>     Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>     Bound Address: default
>     Target-based policy: WINDOWS
>     Fragment timeout: 180 seconds
>     Fragment min_ttl:   1
>     Fragment Anomalies: Alert
>     Overlap Limit:     10
>     Min fragment Length:     100
>       Max Expected Streams: 768
> Stream global config:
>     Track TCP sessions: ACTIVE
>     Max TCP sessions: 262144
>     TCP cache pruning timeout: 30 seconds
>     TCP cache nominal timeout: 3600 seconds
>     Memcap (for reassembly packet storage): 8388608
>     Track UDP sessions: ACTIVE
>     Max UDP sessions: 131072
>     UDP cache pruning timeout: 30 seconds
>     UDP cache nominal timeout: 180 seconds
>     Track ICMP sessions: INACTIVE
>     Track IP sessions: INACTIVE
>     Log info if session memory consumption exceeds 1048576
>     Send up to 2 active responses
>     Wait at least 5 seconds between responses
>     Protocol Aware Flushing: ACTIVE
>         Maximum Flush Point: 16000
> Stream TCP Policy config:
>     Bound Address: default
>     Reassembly Policy: WINDOWS
>     Timeout: 180 seconds
>     Limit on TCP Overlaps: 10
>     Maximum number of bytes to queue per session: 1048576
>     Maximum number of segs to queue per session: 2621
>     Options:
>         Require 3-Way Handshake: YES
>         3-Way Handshake Timeout: 180
>         Detect Anomalies: YES
>     Reassembly Ports:
>       21 client (Footprint)
>       22 client (Footprint)
>       23 client (Footprint)
>       25 client (Footprint)
>       42 client (Footprint)
>       53 client (Footprint)
>       79 client (Footprint)
>       80 client (Footprint) server (Footprint)
>       81 client (Footprint) server (Footprint)
>       109 client (Footprint)
>       110 client (Footprint)
>       111 client (Footprint)
>       113 client (Footprint)
>       119 client (Footprint)
>       135 client (Footprint)
>       136 client (Footprint)
>       137 client (Footprint)
>       139 client (Footprint)
>       143 client (Footprint)
>       161 client (Footprint)
>       additional ports configured but not printed.
> Stream UDP Policy config:
>     Timeout: 180 seconds
> HttpInspect Config:
>     GLOBAL CONFIG
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>       Memcap used for logging URI and Hostname: 150994944
>       Max Gzip Memory: 838860
>       Max Gzip Sessions: 2621
>       Gzip Compress Depth: 65535
>       Gzip Decompress Depth: 65535
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381
> 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779
> 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300
> 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
> 50002 55555
>       Server Flow Depth: 0
>       Client Flow Depth: 0
>       Max Chunk Length: 500000
>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>       Max Header Field Length: 750
>       Max Number Header Fields: 100
>       Max Number of WhiteSpaces allowed with header folding: 200
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Normalize HTTP Headers: NO
>       Inspect HTTP Cookies: YES
>       Inspect HTTP Responses: YES
>       Extract Gzip from responses: YES
>       Decompress response files:
>       Unlimited decompression of gzip data from responses: YES
>       Normalize Javascripts in HTTP Responses: YES
>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP
> responses: 200
>       Normalize HTTP Cookies: NO
>       Enable XFF and True Client IP: NO
>       Log HTTP URI data: NO
>       Log HTTP Hostname data: NO
>       Extended ASCII code support in URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: NO
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: NO
>       UTF 8: YES alert: NO
>       IIS Unicode: YES alert: NO
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: NO
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
> 32777 32778 32779
>     alert_fragments: INACTIVE
>     alert_large_fragments: INACTIVE
>     alert_incomplete: INACTIVE
>     alert_multiple_requests: INACTIVE
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: NO
>       Continue to check encrypted data: YES
>     TELNET CONFIG:
>       Ports: 23
>       Are You There Threshold: 20
>       Normalize: YES
>       Detect Anomalies: YES
>     FTP CONFIG:
>       FTP Server: default
>         Ports (PAF): 21 2100 3535
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Ignore open data channels: NO
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Max Response Length: 256
> SMTP Config:
>     Ports: 25 465 587 691
>     Inspection Type: Stateful
>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY
> EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS
> SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN
> XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP
> X-EXCH50
>     Ignore Data: No
>     Ignore TLS Data: No
>     Ignore SMTP Alerts: No
>     Max Command Line Length: 512
>     Max auth Command Line Length: 1000
>     Max Specific Command Line Length:
>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>        XUSR:246
>     Max Header Line Length: 1000
>     Max Response Line Length: 512
>     X-Link2State Alert: Yes
>     Drop on X-Link2State Alert: No
>     Alert on commands: None
>     Alert on unknown commands: No
>     SMTP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>     Log Attachment filename: Enabled
>     Log MAIL FROM Address: Enabled
>     Log RCPT TO Addresses: Enabled
>     Log Email Headers: Enabled
>     Email Hdrs Log Depth: 1464
> SSH config:
>     Autodetection: ENABLED
>     Challenge-Response Overflow Alert: ENABLED
>     SSH1 CRC32 Alert: ENABLED
>     Server Version String Overflow Alert: ENABLED
>     Protocol Mismatch Alert: ENABLED
>     Bad Message Direction Alert: DISABLED
>     Bad Payload Size Alert: DISABLED
>     Unrecognized Version Alert: DISABLED
>     Max Encrypted Packets: 20
>     Max Server Version String Length: 100
>     MaxClientBytes: 19600 (Default)
>     Ports:
>         22
> DCE/RPC 2 Preprocessor Configuration
>   Global Configuration
>     DCE/RPC Defragmentation: Enabled
>     Memcap: 102400 KB
>     Events: co
>     SMB Fingerprint policy: Disabled
>   Server Default Configuration
>     Policy: WinXP
>     Detect ports (PAF)
>       SMB: 139 445
>       TCP: 135
>       UDP: 135
>       RPC over HTTP server: 593
>       RPC over HTTP proxy: None
>     Autodetect ports (PAF)
>       SMB: None
>       TCP: 1025-65535
>       UDP: 1025-65535
>       RPC over HTTP server: 1025-65535
>       RPC over HTTP proxy: None
>     Invalid SMB shares: C$ D$ ADMIN$
>     Maximum SMB command chaining: 3 commands
>     SMB file inspection: Disabled
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> SSLPP config:
>     Encrypted packets: not inspected
>     Ports:
>       443      465      563      636      989
>       992      993      994      995     7801
>      7802     7900     7901     7902     7903
>      7904     7905     7906     7907     7908
>      7909     7910     7911     7912     7913
>      7914     7915     7916     7917     7918
>      7919     7920
>     Server side data is trusted
>     Maximum SSL Heartbeat length: 0
> Sensitive Data preprocessor config:
>     Global Alert Threshold: 25
>     Masked Output: DISABLED
> SIP config:
>     Max number of sessions: 40000
>     Max number of dialogs in a session: 4 (Default)
>     Status: ENABLED
>     Ignore media channel: DISABLED
>     Max URI length: 512
>     Max Call ID length: 80
>     Max Request name length: 20 (Default)
>     Max From length: 256 (Default)
>     Max To length: 256 (Default)
>     Max Via length: 1024 (Default)
>     Max Contact length: 512
>     Max Content length: 2048
>     Ports:
>         5060    5061    5600
>     Methods:
>           invite cancel ack bye register options refer subscribe update join
> info message notify benotify do qauth sprack publish service unsubscribe
> prack
> IMAP Config:
>     Ports: 143
>     IMAP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
>     Ports: 110
>     POP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
>     Ports:
>         502
> DNP3 config:
>     Memcap: 262144
>     Check Link-Layer CRCs: ENABLED
>     Ports:
>         20000
> Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor
> disabled.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 1 Snort rules read
>     1 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port
> Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src       0       0       0       0
> |     dst       0       0       0       0
> |     any       0       0       1       0
> |      nc       0       0       1       0
> |     s+d       0       0       0       0
> +----------------------------------------------------------------------------
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[detection-filter-rules]-------------------------------
> | none
> -------------------------------------------------------------------------------
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[rate-filter-rules]------------------------------------
> | none
> -------------------------------------------------------------------------------
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[event-filter-global]----------------------------------
> +-----------------------[event-filter-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
>
> [ Port Based Pattern Matching Memory ]
> [ Number of patterns truncated to 20 bytes: 0 ]
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth0".
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.8.2 GRE (Build 335)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.6  <Build 1>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
>
> Snort successfully validated the configuration!
> Snort exiting
> arkam <at> Arkam:~$
> ___________________________________________________________________
>
>
> the address of my etho port is correctly configured om the snort config file
>
> ___________________________--
> arkam <at> Arkam:~$ ip addr
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
> UNKNOWN group default qlen 1000
>     link/ether 00:0c:29:67:8d:ee brd ff:ff:ff:ff:ff:ff
>     inet 192.168.88.131/24 brd 192.168.88.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::20c:29ff:fe67:8dee/64 scope link
>        valid_lft forever preferred_lft forever
> 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state
> DOWN group default
>     link/ether 66:08:42:f4:37:b4 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
>        valid_lft forever preferred_lft forever
>
> arkam <at> Arkam:~$ grep -i home_net /etc/snort/snort.conf | grep -i '\.'
>
> ipvar HOME_NET 192.168.88.131/24
> _________________________________
>
> the local_rules file is enabled
>
> ______________________________
>
> arkam <at> Arkam:~$ grep -i local.rules /etc/snort/snort.conf
>
> include $RULE_PATH/local.rules
> _________________________________________________
>
> The log writinig thing is not commeented in log file and no stamp is also
> removed. I am trying to writing in binary sso currently u2 line is enabled
> but even if i do snort.log result is same
>
> _____________________________________
>
> arkam <at> Arkam:~$ grep -i snort.u2 /etc/snort/snort.conf
>
>   output unified2: filename snort.u2,   limit 128
>
> ___________________________________________________________
>
> Now switched on  Snort with Console and Status display option
>
> ______________________________________________________-
>
> arkam <at> Arkam:~$ sudo /usr/local/bin/snort -A console -u snort -g snort -c
> /etc/snort/snort.conf -i eth0
> [sudo] password for arkam:
>
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741
> 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145
> 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181
> 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371
> 34443:34444 41080 50002 55555 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901
> 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
> 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090
> 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
> 9443 9999 11371 34443:34444 41080 50002 55555 ]
> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> Detection:
>    Search-Method = AC-Full-Q
>     Split Any/Any group = enabled
>     Search-Method-Optimizations = enabled
>     Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
> WARNING: No dynamic libraries found in directory
> /usr/local/lib/snort_dynamicrules.
>   Finished Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
> done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>   Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
> WARNING: ip6 normalizations disabled because not inline.
> WARNING: icmp6 normalizations disabled because not inline.
> Frag3 global config:
>     Max frags: 65536
>     Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>     Bound Address: default
>     Target-based policy: WINDOWS
>     Fragment timeout: 180 seconds
>     Fragment min_ttl:   1
>     Fragment Anomalies: Alert
>     Overlap Limit:     10
>     Min fragment Length:     100
>       Max Expected Streams: 768
> Stream global config:
>     Track TCP sessions: ACTIVE
>     Max TCP sessions: 262144
>     TCP cache pruning timeout: 30 seconds
>     TCP cache nominal timeout: 3600 seconds
>     Memcap (for reassembly packet storage): 8388608
>     Track UDP sessions: ACTIVE
>     Max UDP sessions: 131072
>     UDP cache pruning timeout: 30 seconds
>     UDP cache nominal timeout: 180 seconds
>     Track ICMP sessions: INACTIVE
>     Track IP sessions: INACTIVE
>     Log info if session memory consumption exceeds 1048576
>     Send up to 2 active responses
>     Wait at least 5 seconds between responses
>     Protocol Aware Flushing: ACTIVE
>         Maximum Flush Point: 16000
> Stream TCP Policy config:
>     Bound Address: default
>     Reassembly Policy: WINDOWS
>     Timeout: 180 seconds
>     Limit on TCP Overlaps: 10
>     Maximum number of bytes to queue per session: 1048576
>     Maximum number of segs to queue per session: 2621
>     Options:
>         Require 3-Way Handshake: YES
>         3-Way Handshake Timeout: 180
>         Detect Anomalies: YES
>     Reassembly Ports:
>       21 client (Footprint)
>       22 client (Footprint)
>       23 client (Footprint)
>       25 client (Footprint)
>       42 client (Footprint)
>       53 client (Footprint)
>       79 client (Footprint)
>       80 client (Footprint) server (Footprint)
>       81 client (Footprint) server (Footprint)
>       109 client (Footprint)
>       110 client (Footprint)
>       111 client (Footprint)
>       113 client (Footprint)
>       119 client (Footprint)
>       135 client (Footprint)
>       136 client (Footprint)
>       137 client (Footprint)
>       139 client (Footprint)
>       143 client (Footprint)
>       161 client (Footprint)
>       additional ports configured but not printed.
> Stream UDP Policy config:
>     Timeout: 180 seconds
> HttpInspect Config:
>     GLOBAL CONFIG
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>       Memcap used for logging URI and Hostname: 150994944
>       Max Gzip Memory: 838860
>       Max Gzip Sessions: 2621
>       Gzip Compress Depth: 65535
>       Gzip Decompress Depth: 65535
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381
> 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779
> 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300
> 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080
> 50002 55555
>       Server Flow Depth: 0
>       Client Flow Depth: 0
>       Max Chunk Length: 500000
>       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>       Max Header Field Length: 750
>       Max Number Header Fields: 100
>       Max Number of WhiteSpaces allowed with header folding: 200
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Normalize HTTP Headers: NO
>       Inspect HTTP Cookies: YES
>       Inspect HTTP Responses: YES
>       Extract Gzip from responses: YES
>       Decompress response files:
>       Unlimited decompression of gzip data from responses: YES
>       Normalize Javascripts in HTTP Responses: YES
>       Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP
> responses: 200
>       Normalize HTTP Cookies: NO
>       Enable XFF and True Client IP: NO
>       Log HTTP URI data: NO
>       Log HTTP Hostname data: NO
>       Extended ASCII code support in URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: NO
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: NO
>       UTF 8: YES alert: NO
>       IIS Unicode: YES alert: NO
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: NO
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
> 32777 32778 32779
>     alert_fragments: INACTIVE
>     alert_large_fragments: INACTIVE
>     alert_incomplete: INACTIVE
>     alert_multiple_requests: INACTIVE
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: NO
>       Continue to check encrypted data: YES
>     TELNET CONFIG:
>       Ports: 23
>       Are You There Threshold: 20
>       Normalize: YES
>       Detect Anomalies: YES
>     FTP CONFIG:
>       FTP Server: default
>         Ports (PAF): 21 2100 3535
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Ignore open data channels: NO
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Max Response Length: 256
> SMTP Config:
>     Ports: 25 465 587 691
>     Inspection Type: Stateful
>     Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY
> EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS
> SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN
> XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP
> X-EXCH50
>     Ignore Data: No
>     Ignore TLS Data: No
>     Ignore SMTP Alerts: No
>     Max Command Line Length: 512
>     Max auth Command Line Length: 1000
>     Max Specific Command Line Length:
>        ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>        EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>        ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>        IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>        QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>        SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>        TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>        XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>        XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>        XUSR:246
>     Max Header Line Length: 1000
>     Max Response Line Length: 512
>     X-Link2State Alert: Yes
>     Drop on X-Link2State Alert: No
>     Alert on commands: None
>     Alert on unknown commands: No
>     SMTP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
>     Log Attachment filename: Enabled
>     Log MAIL FROM Address: Enabled
>     Log RCPT TO Addresses: Enabled
>     Log Email Headers: Enabled
>     Email Hdrs Log Depth: 1464
> SSH config:
>     Autodetection: ENABLED
>     Challenge-Response Overflow Alert: ENABLED
>     SSH1 CRC32 Alert: ENABLED
>     Server Version String Overflow Alert: ENABLED
>     Protocol Mismatch Alert: ENABLED
>     Bad Message Direction Alert: DISABLED
>     Bad Payload Size Alert: DISABLED
>     Unrecognized Version Alert: DISABLED
>     Max Encrypted Packets: 20
>     Max Server Version String Length: 100
>     MaxClientBytes: 19600 (Default)
>     Ports:
>         22
> DCE/RPC 2 Preprocessor Configuration
>   Global Configuration
>     DCE/RPC Defragmentation: Enabled
>     Memcap: 102400 KB
>     Events: co
>     SMB Fingerprint policy: Disabled
>   Server Default Configuration
>     Policy: WinXP
>     Detect ports (PAF)
>       SMB: 139 445
>       TCP: 135
>       UDP: 135
>       RPC over HTTP server: 593
>       RPC over HTTP proxy: None
>     Autodetect ports (PAF)
>       SMB: None
>       TCP: 1025-65535
>       UDP: 1025-65535
>       RPC over HTTP server: 1025-65535
>       RPC over HTTP proxy: None
>     Invalid SMB shares: C$ D$ ADMIN$
>     Maximum SMB command chaining: 3 commands
>     SMB file inspection: Disabled
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> SSLPP config:
>     Encrypted packets: not inspected
>     Ports:
>       443      465      563      636      989
>       992      993      994      995     7801
>      7802     7900     7901     7902     7903
>      7904     7905     7906     7907     7908
>      7909     7910     7911     7912     7913
>      7914     7915     7916     7917     7918
>      7919     7920
>     Server side data is trusted
>     Maximum SSL Heartbeat length: 0
> Sensitive Data preprocessor config:
>     Global Alert Threshold: 25
>     Masked Output: DISABLED
> SIP config:
>     Max number of sessions: 40000
>     Max number of dialogs in a session: 4 (Default)
>     Status: ENABLED
>     Ignore media channel: DISABLED
>     Max URI length: 512
>     Max Call ID length: 80
>     Max Request name length: 20 (Default)
>     Max From length: 256 (Default)
>     Max To length: 256 (Default)
>     Max Via length: 1024 (Default)
>     Max Contact length: 512
>     Max Content length: 2048
>     Ports:
>         5060    5061    5600
>     Methods:
>           invite cancel ack bye register options refer subscribe update join
> info message notify benotify do qauth sprack publish service unsubscribe
> prack
> IMAP Config:
>     Ports: 143
>     IMAP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
>     Ports: 110
>     POP Memcap: 838860
>     MIME Max Mem: 838860
>     Base64 Decoding: Enabled
>     Base64 Decoding Depth: Unlimited
>     Quoted-Printable Decoding: Enabled
>     Quoted-Printable Decoding Depth: Unlimited
>     Unix-to-Unix Decoding: Enabled
>     Unix-to-Unix Decoding Depth: Unlimited
>     Non-Encoded MIME attachment Extraction: Enabled
>     Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
>     Ports:
>         502
> DNP3 config:
>     Memcap: 262144
>     Check Link-Layer CRCs: ENABLED
>     Ports:
>         20000
> Reputation config:
> WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor
> disabled.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 1 Snort rules read
>     1 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 1 Option Chains linked into 1 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> +-------------------[Rule Port
> Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src       0       0       0       0
> |     dst       0       0       0       0
> |     any       0       0       1       0
> |      nc       0       0       1       0
> |     s+d       0       0       0       0
> +----------------------------------------------------------------------------
>
> +-----------------------[detection-filter-config]------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[detection-filter-rules]-------------------------------
> | none
> -------------------------------------------------------------------------------
>
> +-----------------------[rate-filter-config]-----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[rate-filter-rules]------------------------------------
> | none
> -------------------------------------------------------------------------------
>
> +-----------------------[event-filter-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[event-filter-global]----------------------------------
> +-----------------------[event-filter-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> Verifying Preprocessor Configurations!
>
> [ Port Based Pattern Matching Memory ]
> [ Number of patterns truncated to 20 bytes: 0 ]
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth0".
> Reload thread starting...
> Reload thread started, thread 0xa5e48b40 (3493)
> Decoding Ethernet
> Set gid to 1001
> Set uid to 999
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.8.2 GRE (Build 335)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.6  <Build 1>
>            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
>            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
>            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
>            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
>            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
>            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
> Commencing packet processing (pid=3492)
>
> ____________________________________________
>
> Self pinged the geust eth0 port to generate ICMP Traffic
>
> _______________________________________________
>
> PING 192.168.88.131 (192.168.88.131) 56(84) bytes of data.
>
> 64 bytes from 192.168.88.131: icmp_seq=1 ttl=64 time=0.072 ms
> 64 bytes from 192.168.88.131: icmp_seq=2 ttl=64 time=0.068 ms
> 64 bytes from 192.168.88.131: icmp_seq=3 ttl=64 time=0.062 ms
> 64 bytes from 192.168.88.131: icmp_seq=4 ttl=64 time=0.073 ms
>
> Nothing is display in the snort Display and if i check my folder for snort
> logs then nothing is happening
>
> ____________________________________________
>
> arkam <at> Arkam:~$ ls -lrt /var/log/snort/*
>
> -rwxrwxr-t 1 snort snort    0 May 12 07:06
> /var/log/snort/snort.u2.1463033164
> -rwxrwxr-t 1 snort snort    0 May 18 01:04
> /var/log/snort/snort.u2.1463529861
> -rwxrwxr-t 1 snort snort    0 May 18 01:12 /var/log/snort/barnyard2.waldo
> -rw------- 1 snort snort    0 May 18 14:00
> /var/log/snort/snort.log.1463576405
> -rw------- 1 snort snort    0 May 18 14:14
> /var/log/snort/snort.log.1463577285
> -rw------- 1 snort snort    0 May 18 14:16
> /var/log/snort/snort.log.1463577374
> -rw------- 1 snort snort    0 May 18 14:21
> /var/log/snort/snort.log.1463577686
>
> _________________________________________________________-
>
> Does any one has an idea what is the problem?
>
> This is first post from a novice user. Any help will be really appreciated.
>
> Kind Regards,
>
> Arkam
>
>
> ------------------------------------------------------------------------------
> Mobile security can be enabling, not merely restricting. Employees who
> bring their own devices (BYOD) to work are irked by the imposition of MDM
> restrictions. Mobile Device Manager Plus allows you to control only the
> apps on BYO-devices by containerizing them, leaving personal data untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
> _______________________________________________
> Snort-users mailing list
> Snort-users <at> lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Arkam Uzair | 19 May 17:07 2016
Picon

Snort not detecting rule and nothing being written to log or U2(Binary) Files

Guys,

I am facing an issue with snort. I installed snort and checked the config file with Snort -v and Snort -T etc and it was fine. Then I added a rule for icmp in local rules file. Started snort and no error.

Tried the following

a- Pinging another PC from the Guest running snort
b- Self Pinging on my eth0 port(The one on which snort listens)
c- Pinging this from another PC

Nothing gets written to log or U2 File.

Even with snort -U Console it just says it is processing packets stuff but nothing is shown.

Why it is not capturing this ICMP Alert.
**********************************************************

Some Useful Info. Here is my rule

___________________________________________________________________________
arkam <at> Arkam:~$ grep -i icmp /etc/snort/rules/local.rules

alert icmp any any -> 192.168.88.131/24 any ( msg:"ICMP test Detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
_______________________________________________________________________________

My permission of log directory are also fine

___________________________________________________________________________

arkam <at> Arkam:~$ ls -lrt /var/log/snort/*

-rwxrwxr-t 1 snort snort    0 May 12 07:06 /var/log/snort/snort.u2.1463033164
-rwxrwxr-t 1 snort snort    0 May 18 01:04 /var/log/snort/snort.u2.1463529861
-rwxrwxr-t 1 snort snort    0 May 18 01:12 /var/log/snort/barnyard2.waldo
-rw------- 1 snort snort    0 May 18 14:00 /var/log/snort/snort.log.1463576405
-rw------- 1 snort snort    0 May 18 14:14 /var/log/snort/snort.log.1463577285
-rw------- 1 snort snort    0 May 18 14:16 /var/log/snort/snort.log.1463577374
-rw------- 1 snort snort    0 May 18 14:21 /var/log/snort/snort.log.1463577686
_____________________________________________________________________________

Snort Configuration is fine

_____________________________________________-
arkam <at> Arkam:~$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.2 GRE (Build 335)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

Snort Testing is fine and It does shows my ICMP Rule
______________________________________________________________________
arkam <at> Arkam:~$ sudo snort -T -c /etc/snort/snort.conf -i eth0
[sudo] password for arkam:
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Anomalies: Alert
    Overlap Limit:     10
    Min fragment Length:     100
      Max Expected Streams: 768
Stream global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 262144
    TCP cache pruning timeout: 30 seconds
    TCP cache nominal timeout: 3600 seconds
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    UDP cache pruning timeout: 30 seconds
    UDP cache nominal timeout: 180 seconds
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 2 active responses
    Wait at least 5 seconds between responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16000
Stream TCP Policy config:
    Bound Address: default
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      81 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
      additional ports configured but not printed.
Stream UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 2621
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Decompress response files:
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: YES
      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: NO
      Continue to check encrypted data: YES
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports (PAF): 21 2100 3535
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Ignore open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 465 587 691
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 512
    Max auth Command Line Length: 1000
    Max Specific Command Line Length:
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
       XUSR:246
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    Alert on unknown commands: No
    SMTP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
    Log Attachment filename: Enabled
    Log MAIL FROM Address: Enabled
    Log RCPT TO Addresses: Enabled
    Log Email Headers: Enabled
    Email Hdrs Log Depth: 1464
SSH config:
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20
    Max Server Version String Length: 100
    MaxClientBytes: 19600 (Default)
    Ports:
        22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: co
    SMB Fingerprint policy: Disabled
  Server Default Configuration
    Policy: WinXP
    Detect ports (PAF)
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports (PAF)
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Invalid SMB shares: C$ D$ ADMIN$
    Maximum SMB command chaining: 3 commands
    SMB file inspection: Disabled
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     7801
     7802     7900     7901     7902     7903
     7904     7905     7906     7907     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
    Maximum SSL Heartbeat length: 0
Sensitive Data preprocessor config:
    Global Alert Threshold: 25
    Masked Output: DISABLED
SIP config:
    Max number of sessions: 40000
    Max number of dialogs in a session: 4 (Default)
    Status: ENABLED
    Ignore media channel: DISABLED
    Max URI length: 512
    Max Call ID length: 80
    Max Request name length: 20 (Default)
    Max From length: 256 (Default)
    Max To length: 256 (Default)
    Max Via length: 1024 (Default)
    Max Contact length: 512
    Max Content length: 2048
    Ports:
        5060    5061    5600
    Methods:
          invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
IMAP Config:
    Ports: 143
    IMAP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
POP Config:
    Ports: 110
    POP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
Modbus config:
    Ports:
        502
DNP3 config:
    Memcap: 262144
    Check Link-Layer CRCs: ENABLED
    Ports:
        20000
Reputation config:
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       1       0
|      nc       0       0       1       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
[ Number of patterns truncated to 20 bytes: 0 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.2 GRE (Build 335)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.6  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>

Snort successfully validated the configuration!
Snort exiting
arkam <at> Arkam:~$
___________________________________________________________________


the address of my etho port is correctly configured om the snort config file

___________________________--
arkam <at> Arkam:~$ ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:67:8d:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.131/24 brd 192.168.88.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe67:8dee/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 66:08:42:f4:37:b4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

arkam <at> Arkam:~$ grep -i home_net /etc/snort/snort.conf | grep -i '\.'

ipvar HOME_NET 192.168.88.131/24
_________________________________

the local_rules file is enabled

______________________________

arkam <at> Arkam:~$ grep -i local.rules /etc/snort/snort.conf

include $RULE_PATH/local.rules
_________________________________________________

The log writinig thing is not commeented in log file and no stamp is also removed. I am trying to writing in binary sso currently u2 line is enabled  but even if i do snort.log result is same

_____________________________________

arkam <at> Arkam:~$ grep -i snort.u2 /etc/snort/snort.conf

  output unified2: filename snort.u2,   limit 128

___________________________________________________________

Now switched on  Snort with Console and Status display option

______________________________________________________-

arkam <at> Arkam:~$ sudo /usr/local/bin/snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0
[sudo] password for arkam:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Anomalies: Alert
    Overlap Limit:     10
    Min fragment Length:     100
      Max Expected Streams: 768
Stream global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 262144
    TCP cache pruning timeout: 30 seconds
    TCP cache nominal timeout: 3600 seconds
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    UDP cache pruning timeout: 30 seconds
    UDP cache nominal timeout: 180 seconds
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 2 active responses
    Wait at least 5 seconds between responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16000
Stream TCP Policy config:
    Bound Address: default
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      81 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
      additional ports configured but not printed.
Stream UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 2621
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Decompress response files:
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: YES
      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: NO
      Continue to check encrypted data: YES
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports (PAF): 21 2100 3535
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Ignore open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 465 587 691
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 512
    Max auth Command Line Length: 1000
    Max Specific Command Line Length:
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
       XUSR:246
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    Alert on unknown commands: No
    SMTP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
    Log Attachment filename: Enabled
    Log MAIL FROM Address: Enabled
    Log RCPT TO Addresses: Enabled
    Log Email Headers: Enabled
    Email Hdrs Log Depth: 1464
SSH config:
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20
    Max Server Version String Length: 100
    MaxClientBytes: 19600 (Default)
    Ports:
        22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: co
    SMB Fingerprint policy: Disabled
  Server Default Configuration
    Policy: WinXP
    Detect ports (PAF)
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports (PAF)
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Invalid SMB shares: C$ D$ ADMIN$
    Maximum SMB command chaining: 3 commands
    SMB file inspection: Disabled
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     7801
     7802     7900     7901     7902     7903
     7904     7905     7906     7907     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
    Maximum SSL Heartbeat length: 0
Sensitive Data preprocessor config:
    Global Alert Threshold: 25
    Masked Output: DISABLED
SIP config:
    Max number of sessions: 40000
    Max number of dialogs in a session: 4 (Default)
    Status: ENABLED
    Ignore media channel: DISABLED
    Max URI length: 512
    Max Call ID length: 80
    Max Request name length: 20 (Default)
    Max From length: 256 (Default)
    Max To length: 256 (Default)
    Max Via length: 1024 (Default)
    Max Contact length: 512
    Max Content length: 2048
    Ports:
        5060    5061    5600
    Methods:
          invite cancel ack bye register options refer subscribe update join info message notify benotify do qauth sprack publish service unsubscribe prack
IMAP Config:
    Ports: 143
    IMAP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
POP Config:
    Ports: 110
    POP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
Modbus config:
    Ports:
        502
DNP3 config:
    Memcap: 262144
    Check Link-Layer CRCs: ENABLED
    Ports:
        20000
Reputation config:
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       1       0
|      nc       0       0       1       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
[ Number of patterns truncated to 20 bytes: 0 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0xa5e48b40 (3493)
Decoding Ethernet
Set gid to 1001
Set uid to 999

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.2 GRE (Build 335)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.6  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
Commencing packet processing (pid=3492)

____________________________________________

Self pinged the geust eth0 port to generate ICMP Traffic

_______________________________________________

PING 192.168.88.131 (192.168.88.131) 56(84) bytes of data.

64 bytes from 192.168.88.131: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from 192.168.88.131: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 192.168.88.131: icmp_seq=3 ttl=64 time=0.062 ms
64 bytes from 192.168.88.131: icmp_seq=4 ttl=64 time=0.073 ms

Nothing is display in the snort Display and if i check my folder for snort logs then nothing is happening

____________________________________________

arkam <at> Arkam:~$ ls -lrt /var/log/snort/*

-rwxrwxr-t 1 snort snort    0 May 12 07:06 /var/log/snort/snort.u2.1463033164
-rwxrwxr-t 1 snort snort    0 May 18 01:04 /var/log/snort/snort.u2.1463529861
-rwxrwxr-t 1 snort snort    0 May 18 01:12 /var/log/snort/barnyard2.waldo
-rw------- 1 snort snort    0 May 18 14:00 /var/log/snort/snort.log.1463576405
-rw------- 1 snort snort    0 May 18 14:14 /var/log/snort/snort.log.1463577285
-rw------- 1 snort snort    0 May 18 14:16 /var/log/snort/snort.log.1463577374
-rw------- 1 snort snort    0 May 18 14:21 /var/log/snort/snort.log.1463577686

_________________________________________________________-

Does any one has an idea what is the problem?

This is first post from a novice user. Any help will be really appreciated.

Kind Regards,

Arkam

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Asad, Hafiz ul | 17 May 16:55 2016
Picon

Snort rules Commented

Hi Snort users,

 

I have been using Snort for the last couple of months. I have been trying to do some evasion tests but was not getting any alerts. Then I realized that most of the alerts in the “snort.rules” (which I downloaded using pulledpork) were commented out. After uncommenting all the rules, I am now getting alerts for different evasion tests. Is this the right approach to use snort with registered and community rules?

 

 

asad



Hafiz ul Asad

Research Assistant

Center for Software Reliability 

School of Mathematics,  Computer Science & Engineering

City University London, EC1V 0HB London

Tel : +44 (0) 20 7040 8422

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Gmane