Matt M. | 30 Aug 00:29 2014

Unknown ClassType: web-application-attack

Hey Guys,

Been pounding the pig all day and still have a few kinks to work out.

I've installed snort and pulledpork via brew on OSX.  With this group's help, I was able to get pulledpork functioning.  Now I'm getting the following error when trying to run snort with this command...

sudo snort -c /etc/snort/snort.conf -l /var/log/snort/

ERROR:

Initializing rule chains...

ERROR: /etc/snort/rules/app-detect.rules(33) Unknown ClassType: web-application-attack

Fatal Error, Quitting..


Any ideas on what I'm missing?

I did comment out the following (because I was getting a different error around black lists):

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules 

Thanks for any thoughts,
--
M., CISSP, GCFE, GCFA

"To disagree leads to study, to study leads to understanding, to understand is to appreciate, to appreciate is to love. So maybe I'll end up loving your theory." -John Wheeler
------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
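The error in the post above means a rule's classtype option names a classification that no "config classification:" line (normally pulled in by "include classification.config" from snort.conf) had defined by the time the rule was parsed. The script below is an added example, not code from the post or from the Snort or PulledPork projects: it parses a classification.config and a rule file offline and lists every classtype the active rules reference but the config does not define, with the rule line numbers. The sample classification.config and rules are constructed.

```python
"""Find classtypes referenced by Snort rules that classification.config never defines.

Added example, not from the mailing-list post or from the Snort project.
Snort rejects a rule file with "Unknown ClassType: <name>" when a rule's
classtype option names a classification that no `config classification:`
line has defined before the rule is parsed. This reproduces that check
offline so the gap can be found before the sensor is started.
"""
import re
from typing import Dict, List, Set

# `config classification: name,description,priority` (Snort's classification.config format)
CLASSIFICATION_RE = re.compile(
    r"^\s*config\s+classification\s*:\s*([^,]+?)\s*,\s*(.*?)\s*,\s*(\d+)\s*$")
# `classtype:name;` inside a rule body
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([A-Za-z0-9_-]+)\s*;")


def parse_classifications(text: str) -> Set[str]:
    """Return the set of classtype names defined in classification.config text."""
    names: Set[str] = set()
    for line in text.splitlines():
        m = CLASSIFICATION_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def referenced_classtypes(rules_text: str) -> Dict[str, List[int]]:
    """Map each classtype used by an active rule to the line numbers that use it.

    Commented-out rules (leading '#') are skipped, as Snort skips them.
    """
    refs: Dict[str, List[int]] = {}
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for m in CLASSTYPE_RE.finditer(line):
            refs.setdefault(m.group(1), []).append(lineno)
    return refs


def undefined_classtypes(classification_text: str, rules_text: str) -> Dict[str, List[int]]:
    """Return referenced classtypes (with rule line numbers) that the config does not define."""
    defined = parse_classifications(classification_text)
    return {name: lines
            for name, lines in referenced_classtypes(rules_text).items()
            if name not in defined}


# Constructed sample: a trimmed classification.config that lacks one entry ...
SAMPLE_CLASSIFICATION = """\
# classification.config (constructed sample, trimmed)
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
"""

# ... and a rule file whose line 3 uses the classtype that is not defined.
# The rules and sids are constructed, not real ruleset content.
SAMPLE_RULES = """\
# app-detect.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample admin"; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"sample web attack"; classtype:web-application-attack; sid:9000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; classtype:not-a-real-class; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    for name, lines in sorted(undefined_classtypes(SAMPLE_CLASSIFICATION, SAMPLE_RULES).items()):
        print(f"Unknown ClassType: {name} (rule lines {lines})")
```

Run it against the real files by reading /etc/snort/classification.config and the rule file named in the error in place of the constructed samples.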
Weir, Jason | 29 Aug 21:43 2014

PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

I'm testing PP 0.7.0 and seeing what looks like a bug but want to confirm it's not a config issue on my end.

As I tune the sensor I add entries in each of the config files (enablesid, disablesid, modifysid conf files) and then run pulledpork and restart snort:

/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv

If there are no rule updates to download (from either VRT or ET) I get this output:


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /usr/local/etc/snort/enablesid.conf
        modifysid = /usr/local/etc/snort/modifysid.conf
        IPRVersion = /usr/local/etc/snort/rules/iplists
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        state_order = disable,drop,enable
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0x8e1aac8)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /usr/local/etc/snort/disablesid.conf
        dropsid = /usr/local/etc/snort/dropsid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/local/etc/snort/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/etc/snort/rules/local.rules
        Rules file is: /usr/local/etc/snort/rules/snort.rules
        Path to disablesid file: /usr/local/etc/snort/disablesid.conf
        Path to dropsid file: /usr/local/etc/snort/dropsid.conf
        Path to enablesid file: /usr/local/etc/snort/enablesid.conf
        Path to modifysid file: /usr/local/etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set

*********** Removed Download Logging where the checksums matched and there were no new rules to download *********************

Cleanup....
        removed 0 temporary snort files or directories from /tmp/tha_rules!
Writing /var/log/sid_changes.log....
        Done

No Rule Changes

No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

 

If I delete all the rules and re-run PP I get the following output:


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /usr/local/etc/snort/enablesid.conf
        modifysid = /usr/local/etc/snort/modifysid.conf
        IPRVersion = /usr/local/etc/snort/rules/iplists
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        state_order = disable,drop,enable
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0xa41cac8)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /usr/local/etc/snort/disablesid.conf
        dropsid = /usr/local/etc/snort/dropsid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/local/etc/snort/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/etc/snort/rules/local.rules
        Rules file is: /usr/local/etc/snort/rules/snort.rules
        Path to disablesid file: /usr/local/etc/snort/disablesid.conf
        Path to dropsid file: /usr/local/etc/snort/dropsid.conf
        Path to enablesid file: /usr/local/etc/snort/enablesid.conf
        Path to modifysid file: /usr/local/etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set

*********** Removed Download Logging where the checksums didn't match and the rules files were downloaded *********************

Prepping rules from opensource.gz for work....
                **************removed extra logging *****************
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
                **************removed extra logging *****************
Prepping rules from emerging.rules.tar.gz for work....
                **************removed extra logging *****************
Prepping rules from community-rules.tar.gz for work....
                **************removed extra logging *****************
Generating Stub Rules....
       Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/tmp/tha_rules/so_rules/
        An error occurred: WARNING: ip4 normalizations disabled because not inline.
        An error occurred: WARNING: tcp normalizations disabled because not inline.
        An error occurred: WARNING: icmp4 normalizations disabled because not inline.
        An error occurred: WARNING: ip6 normalizations disabled because not inline.
        An error occurred: WARNING: icmp6 normalizations disabled because not inline.
        Dumping dynamic rules...
                **************removed extra logging *****************
          Finished dumping dynamic rules.
        Done
        Reading rules...
        Reading rules...
Cleanup....
        removed 202 temporary snort files or directories from /tmp/tha_rules!
Modifying Sids....
        Done!
Processing /usr/local/etc/snort/disablesid.conf....
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Modified 8 rules
        Done
Processing /usr/local/etc/snort/dropsid.conf....
        Modified 0 rules
        Done
Processing /usr/local/etc/snort/enablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 119 flowbits
        Done
Writing /usr/local/etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v2 /usr/local/etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------344
        Deleted:---16
        Enabled Rules:----21793
        Dropped Rules:----0
        Disabled Rules:---20007
        Total Rules:------41800
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!


Next, if I go into disablesid.conf and add another entry and re-run PP, I get the same output as the first run: the new entry in disablesid.conf doesn't get parsed or disabled in the snort.rules file.

Any ideas?

Jason

------------------------------------------------------------------------------
Matt M. | 29 Aug 21:37 2014

Pulled Pork 404 Errors?

Total Noob Here,

I'm receiving the following error and cannot seem to figure out how to resolve it:

>Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
>A 404 error occurred, please verify your filenames and urls for your tarball!
>Error 404 when fetching https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 463.
>main::md5file('<oinkcode>', 'snortrules-snapshot-2962.tar.gz', '/tmp/', 'https://www.snort.org/rules/') called at /usr/local/bin/pulledpork.pl line 1847

I'm on OSX and used brew to install snort and pulled pork v0.7.0.  I've tried modifying both the pulledpork.pl and conf file to adjust the URLs by removing the ...org/reg-rules/ and changing it to ...org/rules/, and even tried to remove the "S" from HTTPS in the URLs as well.

Am I even in the right ballpark?

Thanks for any assistance with this,


--
M, CISSP, GCFE, GCFA

"To disagree leads to study, to study leads to understanding, to understand is to appreciate, to appreciate is to love. So maybe I'll end up loving your theory." -John Wheeler
------------------------------------------------------------------------------
kinomakino | 28 Aug 20:47 2014

snort syslog to siem

Thanks for your help as always.
I am configuring syslog for sending snort alerts to a SIEM (OSSIM).
I have this set up in snort:
output alert_syslog: host=*********:514, LOG_AUTH LOG_ALERT

This way I export the logs to the local syslog, to /var/log/messages.
Any idea how to properly configure the sending of syslog from snort to rsyslog on other systems?

Thank you!!!

------------------------------------------------------------------------------
Robert Millott | 27 Aug 22:15 2014

snort -> barnyard2 -> splunk

Anyone have some good suggestions on getting Snort into Splunk?  I've seen some directions for snort -> barnyard2 -> syslog -> syslog-ng -> splunk, but I don't see the need for syslog. I've also seen snort -> splunk via alert_fast, but I already have barnyard2, and from what I hear, using barnyard2 will help optimize snort by relieving some of the processing it must do.

Can barnyard2 send directly to splunk in a format splunk will understand as originally snort data?

--
Robert Millott
President, Millott and Associates
(443) 255-3588
------------------------------------------------------------------------------
Starner, Mark | 27 Aug 20:24 2014

Bug in 2.9.6.2???

A rule (ET Rule 2012647) has the following threshold in the rule:  threshold: type limit, count 1, seconds 300, track by_src

Prior to upgrading to 2.9.6.2, this worked as expected, one alert every 5 minutes.

Since upgrading to 2.9.6.2 on 8/15, now we are seeing the behavior where the rule will fire, wait 5 minutes, then fire again, and again and again.

But it doesn't start out this way. After a restart of Snort (STOP and START) it is fine, it alerts once every 5 minutes, for a while, and then at some point during the day, it will start reporting all alerts, until snort is STOPped and STARTed. Then it goes back to the proper behavior. (A kill -HUP of the snort process does NOT reset to the proper behavior; only a STOP/START temporarily fixes it.)

Anyone else see this or have any suggestions?

Is this a Bug in 2.9.6.2???

Mark Starner  Global Infrastructure - Systems  |  Unisys IT
Unisys  |  443-921-0355


------------------------------------------------------------------------------
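As an added example (not from the post above and not Snort's own code), the script below replays alert_fast-style log lines through the semantics of "threshold: type limit, count 1, seconds 300, track by_src" and reports every alert for that SID that the limit should have suppressed, which turns "it fires again and again" into a check that can be run against the alert log. The log lines, the rule's rev and message, and the addresses are constructed samples, not the real ET rule.

```python
"""Replay alert_fast lines through a Snort 'type limit' threshold.

Added example, not from the mailing-list post or from Snort itself.
A threshold of `type limit, count N, seconds S, track by_src` lets the
first N alerts from a source through and suppresses the rest until S
seconds have passed since that source's window opened. Replaying the
logged alerts for one SID through those semantics shows which alerts
should not have been written if the threshold was honoured.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# alert_fast format: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(\d{2}/\d{2})-(\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\]"
    r".*\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)


def parse_alert(line: str, year: int) -> Optional[Tuple[datetime, int, int, str]]:
    """Return (timestamp, gid, sid, src_ip) for an alert_fast line, else None.

    alert_fast omits the year, so the caller supplies it.
    """
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
    return ts, int(m.group(3)), int(m.group(4)), m.group(5)


def limit_violations(lines: List[str], gid: int, sid: int, count: int,
                     seconds: int, year: int = 2014) -> Dict[str, List[datetime]]:
    """Alerts for gid:sid that a limit threshold (track by_src) should have suppressed.

    The first alert from a source opens a window of `seconds`; alerts from that
    source inside the window beyond the first `count` are violations; the first
    alert after the window expires opens a new one. Lines must be in time order.
    """
    window_start: Dict[str, datetime] = {}
    in_window: Dict[str, int] = {}
    violations: Dict[str, List[datetime]] = {}
    for line in lines:
        parsed = parse_alert(line, year)
        if parsed is None:
            continue
        ts, g, s, src = parsed
        if (g, s) != (gid, sid):
            continue
        start = window_start.get(src)
        if start is None or (ts - start).total_seconds() >= seconds:
            window_start[src] = ts          # this alert opens a new window
            in_window[src] = 1
            continue
        in_window[src] += 1
        if in_window[src] > count:
            violations.setdefault(src, []).append(ts)
    return violations


# Constructed sample log (rev, message and addresses are made up):
# 192.0.2.10 fires at 10:00, again at 10:02 (inside the 300 s window, so a
# violation) and again at 10:06 (window expired, so allowed). 192.0.2.20 is a
# different source and sid 2012648 is a different rule, so neither counts.
SAMPLE_ALERTS = [
    "08/27-10:00:00.000000  [**] [1:2012647:1] ET sample (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80",
    "08/27-10:01:00.000000  [**] [1:2012647:1] ET sample (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.20:4444 -> 198.51.100.5:80",
    "08/27-10:02:00.000000  [**] [1:2012647:1] ET sample (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:4445 -> 198.51.100.5:80",
    "08/27-10:03:00.000000  [**] [1:2012648:1] other rule (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:4446 -> 198.51.100.5:80",
    "08/27-10:06:00.000000  [**] [1:2012647:1] ET sample (constructed) [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:4447 -> 198.51.100.5:80",
]

if __name__ == "__main__":
    # threshold: type limit, count 1, seconds 300, track by_src
    for src, times in limit_violations(SAMPLE_ALERTS, 1, 2012647, 1, 300).items():
        print(f"{src}: {len(times)} alert(s) the limit should have suppressed")
```

Feed it the real alert file (in time order) in place of SAMPLE_ALERTS; an empty result means the limit was honoured for that SID over the period covered.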
Weir, Jason | 27 Aug 20:28 2014

Performance Issues, disk io?

I've been updating my docs to use the latest versions of Snort 2.9.6.2, Barnyard2-1.13, Pulled Pork 0.7.0,
libpcap 1.6.1, daq 2.0.2 and mysql 5.6.19 on the latest Debian 7.6 version.

Base is stuck on 1.4.5 and libdnet at 1.12 seemingly forever....

Anyways, I've got everything installed and working without error but I seem to have what looks like a huge
performance issue centered around disk io on the mysql drive. I have the database on its own drive with
nothing else.

I first noticed it on startup - snort would take 100% cpu for 30 seconds to a minute, then barnyard2 would go
100% for 2-4 minutes, both with almost no disk usage; after that mysql goes 100% for a minute or 2 and the disk
%utilization goes to 90%+.

After that things seem to settle down and I start seeing events show up in the Base console, cpu and memory
usage are minimal, disk usage stays under 20%.  I'm on minimal hardware so I'm happy with what I'm seeing.

Now if I go into Base and try to delete events,  disk utilization goes to 100% and stays there until the alerts
are deleted.

Deleting 100 events just took 30 seconds, and 650 events took 90 seconds where under previous versions it
would happen almost instantly.

Any idea where to start?

Jason

------------------------------------------------------------------------------

Sharif Uddin | 27 Aug 18:52 2014

installation help

Hello

I have followed this guide to install snort https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/002/original/snort296x_centos6x.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1409153064&Signature=TBLNp6Ze%2FN9F3smCPMgm1AWkl6g%3D

I am using a VM on VirtualBox with CentOS 7 64-bit minimal install.

So far I can run the following command:

[root@snort bin]# ./snort -A fast -b -d -D -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Spawning daemon child...
My daemon child 1415 lives...
Daemon parent exiting (0)

In the log file I get the following:


Aug 27 17:50:21 snort snort[1414]: Running in IDS mode
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: --== Initializing Snort ==--
Aug 27 17:50:21 snort snort[1414]: Initializing Output Plugins!
Aug 27 17:50:21 snort snort[1414]: Initializing Preprocessors!
Aug 27 17:50:21 snort snort[1414]: Initializing Plug-ins!
Aug 27 17:50:21 snort snort[1414]: Parsing Rules file "/etc/snort/snort.conf"
Aug 27 17:50:21 snort snort[1414]: PortVar 'HTTP_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'SHELLCODE_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 0:79 81:65535 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'ORACLE_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 1024:65535 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'SSH_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 22 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'FTP_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 21 2100 3535 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'SIP_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 5060:5061 5600 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'FILE_DATA_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: PortVar 'GTP_PORTS' defined :
Aug 27 17:50:21 snort snort[1414]: [ 2123 2152 3386 ]
Aug 27 17:50:21 snort snort[1414]:
Aug 27 17:50:21 snort snort[1414]: Detection:
Aug 27 17:50:21 snort snort[1414]: Search-Method = AC-Full-Q
Aug 27 17:50:21 snort snort[1414]: Split Any/Any group = enabled
Aug 27 17:50:21 snort snort[1414]: Search-Method-Optimizations = enabled
Aug 27 17:50:21 snort snort[1414]: Maximum pattern length = 20
Aug 27 17:50:21 snort snort[1414]: Tagged Packet Limit: 256
Aug 27 17:50:21 snort snort[1414]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Aug 27 17:50:21 snort snort[1414]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
Aug 27 17:50:21 snort snort[1414]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Aug 27 17:50:21 snort snort[1414]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Aug 27 17:50:21 snort snort[1414]: done
Aug 27 17:50:21 snort snort[1414]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 27 17:50:21 snort snort[1414]: Log directory = /var/log/snort
Aug 27 17:50:21 snort snort[1414]: WARNING: ip4 normalizations disabled because not inline.
Aug 27 17:50:21 snort snort[1414]: WARNING: tcp normalizations disabled because not inline.
Aug 27 17:50:21 snort snort[1414]: WARNING: icmp4 normalizations disabled because not inline.
Aug 27 17:50:21 snort snort[1414]: WARNING: ip6 normalizations disabled because not inline.
Aug 27 17:50:21 snort snort[1414]: WARNING: icmp6 normalizations disabled because not inline.
Aug 27 17:50:21 snort snort[1414]: Frag3 global config:
Aug 27 17:50:21 snort snort[1414]: Max frags: 65536
Aug 27 17:50:21 snort snort[1414]: Fragment memory cap: 4194304 bytes
Aug 27 17:50:21 snort snort[1414]: Frag3 engine config:
Aug 27 17:50:21 snort snort[1414]: Bound Address: default
Aug 27 17:50:21 snort snort[1414]: Target-based policy: WINDOWS
Aug 27 17:50:21 snort snort[1414]: Fragment timeout: 180 seconds
Aug 27 17:50:21 snort snort[1414]: Fragment min_ttl:   1
Aug 27 17:50:21 snort snort[1414]: Fragment Anomalies: Alert
Aug 27 17:50:21 snort snort[1414]: Overlap Limit:     10
Aug 27 17:50:21 snort snort[1414]: Min fragment Length:     100
Aug 27 17:50:21 snort snort[1414]: Stream5 global config:
Aug 27 17:50:21 snort snort[1414]: Track TCP sessions: ACTIVE
Aug 27 17:50:21 snort snort[1414]: Max TCP sessions: 262144
Aug 27 17:50:21 snort snort[1414]: TCP cache pruning timeout: 30 seconds
Aug 27 17:50:21 snort snort[1414]: TCP cache nominal timeout: 3600 seconds
Aug 27 17:50:21 snort snort[1414]: Memcap (for reassembly packet storage): 8388608
Aug 27 17:50:21 snort snort[1414]: Track UDP sessions: ACTIVE
Aug 27 17:50:21 snort snort[1414]: Max UDP sessions: 131072
Aug 27 17:50:21 snort snort[1414]: UDP cache pruning timeout: 30 seconds
Aug 27 17:50:21 snort snort[1414]: UDP cache nominal timeout: 180 seconds
Aug 27 17:50:21 snort snort[1414]: Track ICMP sessions: INACTIVE
Aug 27 17:50:21 snort snort[1414]: Track IP sessions: INACTIVE
Aug 27 17:50:21 snort snort[1414]: Log info if session memory consumption exceeds 1048576
Aug 27 17:50:21 snort snort[1414]: Send up to 2 active responses
Aug 27 17:50:21 snort snort[1414]: Wait at least 5 seconds between responses
Aug 27 17:50:21 snort snort[1414]: Protocol Aware Flushing: ACTIVE
Aug 27 17:50:21 snort snort[1414]: Maximum Flush Point: 16000
Aug 27 17:50:21 snort snort[1414]: Max Expected Streams: 768
Aug 27 17:50:21 snort snort[1414]: Stream5 TCP Policy config:
Aug 27 17:50:21 snort snort[1414]: Bound Address: default
Aug 27 17:50:21 snort snort[1414]: Reassembly Policy: WINDOWS
Aug 27 17:50:21 snort snort[1414]: Timeout: 180 seconds
Aug 27 17:50:21 snort snort[1414]: Limit on TCP Overlaps: 10
Aug 27 17:50:21 snort snort[1414]: Maximum number of bytes to queue per session: 1048576
Aug 27 17:50:21 snort snort[1414]: Maximum number of segs to queue per session: 2621
Aug 27 17:50:21 snort snort[1414]: Options:
Aug 27 17:50:21 snort snort[1414]: Require 3-Way Handshake: YES
Aug 27 17:50:21 snort snort[1414]: 3-Way Handshake Timeout: 180
Aug 27 17:50:21 snort snort[1414]: Detect Anomalies: YES
Aug 27 17:50:21 snort snort[1414]: Reassembly Ports:
Aug 27 17:50:21 snort snort[1414]: 21 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 22 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 23 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 25 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 36 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 42 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 53 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 70 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 79 client (Footprint)
Aug 27 17:50:21 snort snort[1414]: 80 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 81 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 82 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 83 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 84 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 85 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 86 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 87 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 88 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 89 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: 90 client (Footprint) server (Footprint)
Aug 27 17:50:21 snort snort[1414]: additional ports configured but not printed.
Aug 27 17:50:21 snort snort[1414]: Stream5 UDP Policy config:
Aug 27 17:50:21 snort snort[1414]: Timeout: 180 seconds
Aug 27 17:50:21 snort snort[1414]: HttpInspect Config:
Aug 27 17:50:21 snort snort[1414]: GLOBAL CONFIG
Aug 27 17:50:21 snort snort[1414]: Max Pipeline Requests:    0
Aug 27 17:50:21 snort snort[1414]: Inspection Type:          STATELESS
Aug 27 17:50:21 snort snort[1414]: Detect Proxy Usage:       NO
Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map Filename: /etc/snort/unicode.map
Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map Codepage: 1252
Aug 27 17:50:21 snort snort[1414]: Memcap used for logging URI and Hostname: 150994944
Aug 27 17:50:21 snort snort[1414]: Max Gzip Memory: 838860
Aug 27 17:50:21 snort snort[1414]: Max Gzip Sessions: 5518
Aug 27 17:50:21 snort snort[1414]: Gzip Compress Depth: 65535
Aug 27 17:50:21 snort snort[1414]: Gzip Decompress Depth: 65535
Aug 27 17:50:21 snort snort[1414]: DEFAULT SERVER CONFIG:
Aug 27 17:50:21 snort snort[1414]: Server profile: All
Aug 27 17:50:21 snort snort[1414]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
Aug 27 17:50:21 snort snort[1414]: Server Flow Depth: 0
Aug 27 17:50:21 snort snort[1414]: Client Flow Depth: 0
Aug 27 17:50:21 snort snort[1414]: Max Chunk Length: 500000
Aug 27 17:50:21 snort snort[1414]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Aug 27 17:50:21 snort snort[1414]: Max Header Field Length: 750
Aug 27 17:50:21 snort snort[1414]: Max Number Header Fields: 100
Aug 27 17:50:21 snort snort[1414]: Max Number of WhiteSpaces allowed with header folding: 200
Aug 27 17:50:21 snort snort[1414]: Inspect Pipeline Requests: YES
Aug 27 17:50:21 snort snort[1414]: URI Discovery Strict Mode: NO
Aug 27 17:50:21 snort snort[1414]: Allow Proxy Usage: NO
Aug 27 17:50:21 snort snort[1414]: Disable Alerting: NO
Aug 27 17:50:21 snort snort[1414]: Oversize Dir Length: 500
Aug 27 17:50:21 snort snort[1414]: Only inspect URI: NO
Aug 27 17:50:21 snort snort[1414]: Normalize HTTP Headers: NO
Aug 27 17:50:21 snort snort[1414]: Inspect HTTP Cookies: YES
Aug 27 17:50:21 snort snort[1414]: Inspect HTTP Responses: YES
Aug 27 17:50:21 snort snort[1414]: Extract Gzip from responses: YES
Aug 27 17:50:21 snort snort[1414]: Unlimited decompression of gzip data from responses: YES
Aug 27 17:50:21 snort snort[1414]: Normalize Javascripts in HTTP Responses: YES
Aug 27 17:50:21 snort snort[1414]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Aug 27 17:50:21 snort snort[1414]: Normalize HTTP Cookies: NO
Aug 27 17:50:21 snort snort[1414]: Enable XFF and True Client IP: NO
Aug 27 17:50:21 snort snort[1414]: Log HTTP URI data: NO
Aug 27 17:50:21 snort snort[1414]: Log HTTP Hostname data: NO
Aug 27 17:50:21 snort snort[1414]: Extended ASCII code support in URI: NO
Aug 27 17:50:21 snort snort[1414]: Ascii: YES alert: NO
Aug 27 17:50:21 snort snort[1414]: Double Decoding: YES alert: NO
Aug 27 17:50:21 snort snort[1414]: %U Encoding: YES alert: YES
Aug 27 17:50:21 snort snort[1414]: Bare Byte: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: UTF 8: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: IIS Unicode: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: Multiple Slash: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: IIS Backslash: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: Directory Traversal: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: Web Root Traversal: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: Apache WhiteSpace: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: IIS Delimiter: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

Aug 27 17:50:21 snort snort[1414]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07

Aug 27 17:50:21 snort snort[1414]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d

Aug 27 17:50:21 snort snort[1414]: rpc_decode arguments:

Aug 27 17:50:21 snort snort[1414]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779

Aug 27 17:50:21 snort snort[1414]: alert_fragments: INACTIVE

Aug 27 17:50:21 snort snort[1414]: alert_large_fragments: INACTIVE

Aug 27 17:50:21 snort snort[1414]: alert_incomplete: INACTIVE

Aug 27 17:50:21 snort snort[1414]: alert_multiple_requests: INACTIVE

Aug 27 17:50:21 snort snort[1414]: FTPTelnet Config:

Aug 27 17:50:21 snort snort[1414]: GLOBAL CONFIG

Aug 27 17:50:21 snort snort[1414]: Inspection Type: stateful

Aug 27 17:50:21 snort snort[1414]: Check for Encrypted Traffic: YES alert: NO

Aug 27 17:50:21 snort snort[1414]: Continue to check encrypted data: YES

Aug 27 17:50:21 snort snort[1414]: TELNET CONFIG:

Aug 27 17:50:21 snort snort[1414]: Ports: 23

Aug 27 17:50:21 snort snort[1414]: Are You There Threshold: 20

Aug 27 17:50:21 snort snort[1414]: Normalize: YES

Aug 27 17:50:21 snort snort[1414]: Detect Anomalies: YES

Aug 27 17:50:21 snort snort[1414]: FTP CONFIG:

Aug 27 17:50:21 snort snort[1414]: FTP Server: default

Aug 27 17:50:21 snort snort[1414]: Ports (PAF): 21 2100 3535

Aug 27 17:50:21 snort snort[1414]: Check for Telnet Cmds: YES alert: YES

Aug 27 17:50:21 snort snort[1414]: Ignore Telnet Cmd Operations: YES alert: YES

Aug 27 17:50:21 snort snort[1414]: Ignore open data channels: NO

Aug 27 17:50:21 snort snort[1414]: FTP Client: default

Aug 27 17:50:21 snort snort[1414]: Check for Bounce Attacks: YES alert: YES

Aug 27 17:50:21 snort snort[1414]: Check for Telnet Cmds: YES alert: YES

Aug 27 17:50:21 snort snort[1414]: Ignore Telnet Cmd Operations: YES alert: YES

Aug 27 17:50:21 snort snort[1414]: Max Response Length: 256

Aug 27 17:50:21 snort snort[1414]: SMTP Config:

Aug 27 17:50:21 snort snort[1414]: Ports: 25 465 587 691

Aug 27 17:50:21 snort snort[1414]: Inspection Type: Stateful

Aug 27 17:50:21 snort snort[1414]: Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50

Aug 27 17:50:21 snort snort[1414]: Ignore Data: No

Aug 27 17:50:21 snort snort[1414]: Ignore TLS Data: No

Aug 27 17:50:21 snort snort[1414]: Ignore SMTP Alerts: No

Aug 27 17:50:21 snort snort[1414]: Max Command Line Length: 512

Aug 27 17:50:21 snort snort[1414]: Max Specific Command Line Length:

Aug 27 17:50:21 snort snort[1414]: ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255

Aug 27 17:50:21 snort snort[1414]: EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255

Aug 27 17:50:21 snort snort[1414]: ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500

Aug 27 17:50:21 snort snort[1414]: IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246

Aug 27 17:50:21 snort snort[1414]: QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246

Aug 27 17:50:21 snort snort[1414]: SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246

Aug 27 17:50:21 snort snort[1414]: TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246

Aug 27 17:50:21 snort snort[1414]: XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246

Aug 27 17:50:21 snort snort[1414]: XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246

Aug 27 17:50:21 snort snort[1414]: XUSR:246

Aug 27 17:50:21 snort snort[1414]: Max Header Line Length: 1000

Aug 27 17:50:21 snort snort[1414]: Max Response Line Length: 512

Aug 27 17:50:21 snort snort[1414]: X-Link2State Alert: Yes

Aug 27 17:50:21 snort snort[1414]: Drop on X-Link2State Alert: No

Aug 27 17:50:21 snort snort[1414]: Alert on commands: None

Aug 27 17:50:21 snort snort[1414]: Alert on unknown commands: No

Aug 27 17:50:21 snort snort[1414]: SMTP Memcap: 838860

Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860

Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction: Enabled

Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Log Attachment filename: Enabled

Aug 27 17:50:21 snort snort[1414]: Log MAIL FROM Address: Enabled

Aug 27 17:50:21 snort snort[1414]: Log RCPT TO Addresses: Enabled

Aug 27 17:50:21 snort snort[1414]: Log Email Headers: Enabled

Aug 27 17:50:21 snort snort[1414]: Email Hdrs Log Depth: 1464

Aug 27 17:50:21 snort snort[1414]: SSH config:

Aug 27 17:50:21 snort snort[1414]: Autodetection: ENABLED

Aug 27 17:50:21 snort snort[1414]: Challenge-Response Overflow Alert: ENABLED

Aug 27 17:50:21 snort snort[1414]: SSH1 CRC32 Alert: ENABLED

Aug 27 17:50:21 snort snort[1414]: Server Version String Overflow Alert: ENABLED

Aug 27 17:50:21 snort snort[1414]: Protocol Mismatch Alert: ENABLED

Aug 27 17:50:21 snort snort[1414]: Bad Message Direction Alert: DISABLED

Aug 27 17:50:21 snort snort[1414]: Bad Payload Size Alert: DISABLED

Aug 27 17:50:21 snort snort[1414]: Unrecognized Version Alert: DISABLED

Aug 27 17:50:21 snort snort[1414]: Max Encrypted Packets: 20

Aug 27 17:50:21 snort snort[1414]: Max Server Version String Length: 100

Aug 27 17:50:21 snort snort[1414]: MaxClientBytes: 19600 (Default)

Aug 27 17:50:21 snort snort[1414]: Ports:

Aug 27 17:50:21 snort snort[1414]: 22

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: DCE/RPC 2 Preprocessor Configuration

Aug 27 17:50:21 snort snort[1414]: Global Configuration

Aug 27 17:50:21 snort snort[1414]: DCE/RPC Defragmentation: Enabled

Aug 27 17:50:21 snort snort[1414]: Memcap: 102400 KB

Aug 27 17:50:21 snort snort[1414]: Events: co

Aug 27 17:50:21 snort snort[1414]: SMB Fingerprint policy: Disabled

Aug 27 17:50:21 snort snort[1414]: Server Default Configuration

Aug 27 17:50:21 snort snort[1414]: Policy: WinXP

Aug 27 17:50:21 snort snort[1414]: Detect ports (PAF)

Aug 27 17:50:21 snort snort[1414]: SMB: 139 445

Aug 27 17:50:21 snort snort[1414]: TCP: 135

Aug 27 17:50:21 snort snort[1414]: UDP: 135

Aug 27 17:50:21 snort snort[1414]: RPC over HTTP server: 593

Aug 27 17:50:21 snort snort[1414]: RPC over HTTP proxy: None

Aug 27 17:50:21 snort snort[1414]: Autodetect ports (PAF)

Aug 27 17:50:21 snort snort[1414]: SMB: None

Aug 27 17:50:21 snort snort[1414]: TCP: 1025-65535

Aug 27 17:50:21 snort snort[1414]: UDP: 1025-65535

Aug 27 17:50:21 snort snort[1414]: RPC over HTTP server: 1025-65535

Aug 27 17:50:21 snort snort[1414]: RPC over HTTP proxy: None

Aug 27 17:50:21 snort snort[1414]: Invalid SMB shares: C$ D$ ADMIN$

Aug 27 17:50:21 snort snort[1414]: Maximum SMB command chaining: 3 commands

Aug 27 17:50:21 snort snort[1414]: SMB file inspection: Disabled

Aug 27 17:50:21 snort snort[1414]: DNS config:

Aug 27 17:50:21 snort snort[1414]: DNS Client rdata txt Overflow Alert: ACTIVE

Aug 27 17:50:21 snort snort[1414]: Obsolete DNS RR Types Alert: INACTIVE

Aug 27 17:50:21 snort snort[1414]: Experimental DNS RR Types Alert: INACTIVE

Aug 27 17:50:21 snort snort[1414]: Ports:

Aug 27 17:50:21 snort snort[1414]: 53

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: SSLPP config:

Aug 27 17:50:21 snort snort[1414]: Encrypted packets: not inspected

Aug 27 17:50:21 snort snort[1414]: Ports:

Aug 27 17:50:21 snort snort[1414]: 443      465      563      636      989

Aug 27 17:50:21 snort snort[1414]: 992      993      994      995     5061

Aug 27 17:50:21 snort snort[1414]: 7801     7802     7900     7901     7902

Aug 27 17:50:21 snort snort[1414]: 7903     7904     7905     7906     7907

Aug 27 17:50:21 snort snort[1414]: 7908     7909     7910     7911     7912

Aug 27 17:50:21 snort snort[1414]: 7913     7914     7915     7916     7917

Aug 27 17:50:21 snort snort[1414]: 7918     7919     7920

Aug 27 17:50:21 snort snort[1414]: Server side data is trusted

Aug 27 17:50:21 snort snort[1414]: Sensitive Data preprocessor config:

Aug 27 17:50:21 snort snort[1414]: Global Alert Threshold: 25

Aug 27 17:50:21 snort snort[1414]: Masked Output: DISABLED

Aug 27 17:50:21 snort snort[1414]: SIP config:

Aug 27 17:50:21 snort snort[1414]: Max number of sessions: 40000

Aug 27 17:50:21 snort snort[1414]: Max number of dialogs in a session: 4 (Default)

Aug 27 17:50:21 snort snort[1414]: Status: ENABLED

Aug 27 17:50:21 snort snort[1414]: Ignore media channel: DISABLED

Aug 27 17:50:21 snort snort[1414]: Max URI length: 512

Aug 27 17:50:21 snort snort[1414]: Max Call ID length: 80

Aug 27 17:50:21 snort snort[1414]: Max Request name length: 20 (Default)

Aug 27 17:50:21 snort snort[1414]: Max From length: 256 (Default)

Aug 27 17:50:21 snort snort[1414]: Max To length: 256 (Default)

Aug 27 17:50:21 snort snort[1414]: Max Via length: 1024 (Default)

Aug 27 17:50:21 snort snort[1414]: Max Contact length: 512

Aug 27 17:50:21 snort snort[1414]: Max Content length: 2048

Aug 27 17:50:21 snort snort[1414]: Ports:

Aug 27 17:50:21 snort snort[1414]: 5060

Aug 27 17:50:21 snort snort[1414]: 5061

Aug 27 17:50:21 snort snort[1414]: 5600

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: Methods:

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: invite

Aug 27 17:50:21 snort snort[1414]: cancel

Aug 27 17:50:21 snort snort[1414]: ack

Aug 27 17:50:21 snort snort[1414]: bye

Aug 27 17:50:21 snort snort[1414]: register

Aug 27 17:50:21 snort snort[1414]: options

Aug 27 17:50:21 snort snort[1414]: refer

Aug 27 17:50:21 snort snort[1414]: subscribe

Aug 27 17:50:21 snort snort[1414]: update

Aug 27 17:50:21 snort snort[1414]: join

Aug 27 17:50:21 snort snort[1414]: info

Aug 27 17:50:21 snort snort[1414]: message

Aug 27 17:50:21 snort snort[1414]: notify

Aug 27 17:50:21 snort snort[1414]: benotify

Aug 27 17:50:21 snort snort[1414]: do

Aug 27 17:50:21 snort snort[1414]: qauth

Aug 27 17:50:21 snort snort[1414]: sprack

Aug 27 17:50:21 snort snort[1414]: publish

Aug 27 17:50:21 snort snort[1414]: service

Aug 27 17:50:21 snort snort[1414]: unsubscribe

Aug 27 17:50:21 snort snort[1414]: prack

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: IMAP Config:

Aug 27 17:50:21 snort snort[1414]: Ports: 143

Aug 27 17:50:21 snort snort[1414]: IMAP Memcap: 838860

Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860

Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction: Enabled

Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: POP Config:

Aug 27 17:50:21 snort snort[1414]: Ports: 110

Aug 27 17:50:21 snort snort[1414]: POP Memcap: 838860

Aug 27 17:50:21 snort snort[1414]: MIME Max Mem: 838860

Aug 27 17:50:21 snort snort[1414]: Base64 Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Base64 Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Quoted-Printable Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding: Enabled

Aug 27 17:50:21 snort snort[1414]: Unix-to-Unix Decoding Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction: Enabled

Aug 27 17:50:21 snort snort[1414]: Non-Encoded MIME attachment Extraction Depth: Unlimited

Aug 27 17:50:21 snort snort[1414]: Modbus config:

Aug 27 17:50:21 snort snort[1414]: Ports:

Aug 27 17:50:21 snort snort[1414]: 502

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: DNP3 config:

Aug 27 17:50:21 snort snort[1414]: Memcap: 262144

Aug 27 17:50:21 snort snort[1414]: Check Link-Layer CRCs: ENABLED

Aug 27 17:50:21 snort snort[1414]: Ports:

Aug 27 17:50:21 snort snort[1414]: 20000

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: Reputation config:

Aug 27 17:50:21 snort snort[1414]: WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor disabled.

Aug 27 17:50:21 snort snort[1414]:

Aug 27 17:50:21 snort snort[1414]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Aug 27 17:50:21 snort snort[1414]: Initializing rule chains...

Aug 27 17:50:22 snort snort[1414]: 5125 Snort rules read

Aug 27 17:50:22 snort snort[1414]: 5125 detection rules

Aug 27 17:50:22 snort snort[1414]: 0 decoder rules

Aug 27 17:50:22 snort snort[1414]: 0 preprocessor rules

Aug 27 17:50:22 snort snort[1414]: 5125 Option Chains linked into 228 Chain Headers

Aug 27 17:50:22 snort snort[1414]: 0 Dynamic rules

Aug 27 17:50:22 snort snort[1414]: +++++++++++++++++++++++++++++++++++++++++++++++++++

Aug 27 17:50:22 snort snort[1414]:

Aug 27 17:50:23 snort snort[1414]: +-------------------[Rule Port Counts]---------------------------------------

Aug 27 17:50:23 snort snort[1414]: |             tcp     udp    icmp      ip

Aug 27 17:50:23 snort snort[1414]: |     src    1737       7       0       0

Aug 27 17:50:23 snort snort[1414]: |     dst    2679     594       0       0

Aug 27 17:50:23 snort snort[1414]: |     any     104       2       3       0

Aug 27 17:50:23 snort snort[1414]: |      nc      14       0       0       0

Aug 27 17:50:23 snort snort[1414]: |     s+d       1       1       0       0

Aug 27 17:50:23 snort snort[1414]: +----------------------------------------------------------------------------

Aug 27 17:50:23 snort snort[1414]:

Aug 27 17:50:23 snort snort[1414]: +-----------------------[detection-filter-config]------------------------------

Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes

Aug 27 17:50:23 snort snort[1414]: +-----------------------[detection-filter-rules]-------------------------------

Aug 27 17:50:23 snort snort[1414]: -------------------------------------------------------------------------------

Aug 27 17:50:23 snort snort[1414]:

Aug 27 17:50:23 snort snort[1414]: +-----------------------[rate-filter-config]-----------------------------------

Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes

Aug 27 17:50:23 snort snort[1414]: +-----------------------[rate-filter-rules]------------------------------------

Aug 27 17:50:23 snort snort[1414]: | none

Aug 27 17:50:23 snort snort[1414]: -------------------------------------------------------------------------------

Aug 27 17:50:23 snort snort[1414]:

Aug 27 17:50:23 snort snort[1414]: +-----------------------[event-filter-config]----------------------------------

Aug 27 17:50:23 snort snort[1414]: | memory-cap : 1048576 bytes

Aug 27 17:50:23 snort snort[1414]: +-----------------------[event-filter-global]----------------------------------

Aug 27 17:50:23 snort snort[1414]: +-----------------------[event-filter-local]-----------------------------------

Aug 27 17:50:23 snort snort[1414]: | none

Aug 27 17:50:23 snort snort[1414]: +-----------------------[suppression]------------------------------------------

Aug 27 17:50:23 snort snort[1414]: | none

Aug 27 17:50:23 snort snort[1414]: -------------------------------------------------------------------------------

Aug 27 17:50:23 snort snort[1414]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Aug 27 17:50:23 snort snort[1414]: Verifying Preprocessor Configurations!

Aug 27 17:50:23 snort snort[1414]: ICMP tracking disabled, no ICMP sessions allocated

Aug 27 17:50:23 snort snort[1414]: IP tracking disabled, no IP sessions allocated

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'acunetix-scan' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'kit.blackhole' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'ssl_handshake' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.dmg' is checked but not ever set.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.msi' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.fpx' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'tlsv1.0_handshake' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'tlsv1.2_handshake' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.htc' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.wri' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.hhk' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'tlsv1.1_handshake' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'spyrat_bd' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.zip.winrar.spoof' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'imap.cram_md5' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.lanman' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.xfdl' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.vwr' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'file.ram' is checked but not ever set.

Aug 27 17:50:23 snort snort[1414]: WARNING: flowbits key 'hornet.2' is set but not ever checked.

Aug 27 17:50:23 snort snort[1414]: 130 out of 1024 flowbits in use.

Aug 27 17:50:29 snort snort[1414]:

Aug 27 17:50:29 snort snort[1414]: [ Port Based Pattern Matching Memory ]

Aug 27 17:50:29 snort snort[1414]: +- [ Aho-Corasick Summary ] -------------------------------------

Aug 27 17:50:29 snort snort[1414]: | Storage Format    : Full-Q

Aug 27 17:50:29 snort snort[1414]: | Finite Automaton  : DFA

Aug 27 17:50:29 snort snort[1414]: | Alphabet Size     : 256 Chars

Aug 27 17:50:29 snort snort[1414]: | Sizeof State      : Variable (1,2,4 bytes)

Aug 27 17:50:29 snort snort[1414]: | Instances         : 162

Aug 27 17:50:29 snort snort[1414]: |     1 byte states : 152

Aug 27 17:50:29 snort snort[1414]: |     2 byte states : 10

Aug 27 17:50:29 snort snort[1414]: |     4 byte states : 0

Aug 27 17:50:29 snort snort[1414]: | Characters        : 94220

Aug 27 17:50:29 snort snort[1414]: | States            : 72484

Aug 27 17:50:29 snort snort[1414]: | Transitions       : 7893243

Aug 27 17:50:29 snort snort[1414]: | State Density     : 42.5%

Aug 27 17:50:29 snort snort[1414]: | Patterns          : 5159

Aug 27 17:50:29 snort snort[1414]: | Match States      : 5800

Aug 27 17:50:29 snort snort[1414]: | Memory (MB)       : 37.42

Aug 27 17:50:29 snort snort[1414]: |   Patterns        : 0.57

Aug 27 17:50:29 snort snort[1414]: |   Match Lists     : 1.26

Aug 27 17:50:29 snort snort[1414]: |   DFA

Aug 27 17:50:29 snort snort[1414]: |     1 byte states : 0.94

Aug 27 17:50:29 snort snort[1414]: |     2 byte states : 34.36

Aug 27 17:50:29 snort snort[1414]: |     4 byte states : 0.00

Aug 27 17:50:29 snort snort[1414]: +----------------------------------------------------------------

Aug 27 17:50:29 snort snort[1414]: [ Number of patterns truncated to 20 bytes: 318 ]

Aug 27 17:50:29 snort snort[1414]: pcap DAQ configured to passive.

Aug 27 17:50:29 snort snort[1414]: Acquiring network traffic from "enp0s3".

Aug 27 17:50:29 snort snort[1414]: Initializing daemon mode

Aug 27 17:50:29 snort snort[1415]: Daemon initialized, signaled parent pid: 1414

Aug 27 17:50:29 snort snort[1415]: Reload thread starting...

Aug 27 17:50:29 snort snort[1415]: Reload thread started, thread 0x7fee608f3700 (1416)

Aug 27 17:50:29 snort snort[1415]: Decoding Ethernet

Aug 27 17:50:29 snort snort[1415]: Checking PID path...

Aug 27 17:50:29 snort snort[1415]: PID path stat checked out ok, PID path set to /var/run/

Aug 27 17:50:29 snort snort[1415]: Writing PID "1415" to file "/var/run//snort_enp0s3.pid"

Aug 27 17:50:29 snort kernel: device enp0s3 entered promiscuous mode

Aug 27 17:50:29 snort snort[1415]: Set gid to 40000

Aug 27 17:50:29 snort snort[1415]: Set uid to 40000

Aug 27 17:50:29 snort snort[1415]:

Aug 27 17:50:29 snort snort[1415]: --== Initialization Complete ==--

Aug 27 17:50:29 snort snort[1415]: Commencing packet processing (pid=1415)

 

 

When I check the status I get the following:

 

[root@snort bin]# ./snort status

Running in packet dump mode

 

        --== Initializing Snort ==--

Initializing Output Plugins!

Snort BPF option: status

pcap DAQ configured to passive.

Acquiring network traffic from "enp0s3".

ERROR: Can't set DAQ BPF filter to 'status' (pcap_daq_set_filter: pcap_compile: syntax error)!

Fatal Error, Quitting..

 

 

How do I fix this issue?

 

 

Sharif Uddin
Development/Support Engineer
-------------------

Spectrum Geo Ltd
Dukes Court, Duke Street
Woking, Surrey
GU21 5BH
UNITED KINGDOM

Tel: +44 (0) 1483 730201
Fax: +44 (0) 1483 762620

 

www.spectrumasa.com

 


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
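Snort has no `status` subcommand. Once the options are parsed, whatever is left on the command line is handed to the DAQ as a BPF capture filter, which is exactly what the output above shows: "Snort BPF option: status" followed by pcap_compile rejecting the word as a filter expression. With no -c there is no configuration either, hence "Running in packet dump mode" before the failure. To check the daemon, use what it left behind: the startup log records the PID file it wrote ("/var/run//snort_enp0s3.pid"; the doubled slash comes from the trailing slash on the PID path and is harmless) and that the process then dropped to uid/gid 40000. The script below is an added example, not code from the thread or from the Snort project. It reads that PID file, checks whether the process is alive and uses init-script style exit codes. The default path is an assumption taken from the log above; pass a different path as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: report whether a
# Snort daemon is running by reading the PID file it wrote at startup.
#
# The failing command in the post, "./snort status", is not a status query:
# Snort treats leftover arguments as a BPF capture filter, for example
#   snort -c /etc/snort/snort.conf -i enp0s3 'not port 22'
# so the word "status" reached pcap_compile and was rejected.

# Assumed from the startup log above (snort -i enp0s3, PID path /var/run/);
# pass a different path as the first argument to override it.
DEFAULT_PIDFILE=/var/run/snort_enp0s3.pid

# True if process $1 exists. /proc is authoritative where it is mounted and
# needs no signal permission; kill -0 is the portable fallback, but it fails
# with EPERM for another user's process, so once Snort has dropped to
# uid/gid 40000 run this as root or as that user.
proc_alive() {
    if [ -d /proc/self ]; then
        [ -d "/proc/$1" ]
    else
        kill -0 "$1" 2>/dev/null
    fi
}

# Exit codes follow init-script conventions: 0 running, 1 dead but PID file
# exists, 3 not running, 4 status unknown.
snort_status() {
    pidfile=${1:-$DEFAULT_PIDFILE}
    if [ ! -r "$pidfile" ]; then
        echo "stopped (no PID file at $pidfile)"
        return 3
    fi
    pid=''
    read -r pid < "$pidfile" || :
    case $pid in
        ''|*[!0-9]*)
            echo "unknown (PID file $pidfile is empty or malformed)"
            return 4 ;;
    esac
    if proc_alive "$pid"; then
        echo "running (pid $pid)"
        return 0
    fi
    echo "stopped (stale PID file, pid $pid is not alive)"
    return 1
}

# Usage: snort_status [pidfile]; the exit status is the result.
snort_status "$@"
```

Because the daemon writes the PID file before it drops privileges, the file is owned by root while the process runs as uid 40000; reading the file is not the problem, signalling the process is, which is why the /proc check is preferred where it exists.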
Richard Smollett | 27 Aug 15:52 2014

trouble with inline mode

IP setup looks like this.

root@snort:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
          inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:472894 errors:5 dropped:15 overruns:0 frame:0
          TX packets:15266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129789824 (123.7 MiB)  TX bytes:2332609 (2.2 MiB)
          Interrupt:10 Base address:0xd020

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:438796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:962 (962.0 B)  TX bytes:123829936 (118.0 MiB)
          Interrupt:9 Base address:0xd240

The eth0 interface is the outside and eth1 is inside. I'm starting snort with this command.

snort --daq afpacket -i eth0:eth1 --daq-mode inline -c /etc/snort/snort.conf

But I still cannot ping an inside host from the outside. I can ping between the snort device and inside/outside hosts. If I ping an inside host from the outside, tcpdump shows the icmp echo request arriving but no reply. Inside host IP is 192.168.123.2.

Can anyone recommend some other troubleshooting steps or suggest where I may have left anything out of the setup?
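Snort's afpacket DAQ in inline mode is a layer-2 bridge: a frame that arrives on one interface of the pair and is not dropped by a rule is transmitted unchanged out the other. Nothing is routed, and the sensor's own addresses on eth0 and eth1 play no part in forwarding, so a host on the outside can only reach a host on the inside through the bridge if the two hosts could talk on a single shared segment, which means one IP subnet. In the ifconfig output above, eth0 sits in 172.28.61.0/25 and eth1 in 192.168.123.0/24. The script below is an added example, not part of Richard's post or of Snort: it parses ifconfig-style output (the pasted text is embedded as a constructed sample) and reports whether the two sides of the pair share a subnet.

```shell
#!/bin/sh
# Added example, not part of the post or of Snort: check that the two
# interfaces of an afpacket inline pair sit in one IP subnet. The afpacket
# DAQ bridges frames between the pair at layer 2 and routes nothing, so hosts
# on the two sides can only talk through it if they share a subnet.

# Constructed sample: the ifconfig output pasted in the post, trimmed to the
# lines the parser needs. Real use: check_inline_pair eth0 eth1 "$(ifconfig)"
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Dotted quad to a 32-bit integer, shell arithmetic only.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "addr mask" for interface $1 from ifconfig-style text $2 (a block
# starts with the interface name at column 0; detail lines are indented
# with spaces). Prints nothing if the interface has no inet address.
iface_addr_mask() {
    in_block=0
    printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in
            "$1 "*) in_block=1; continue ;;   # header of the wanted interface
            " "*|"") ;;                        # indented detail line or separator
            *) in_block=0; continue ;;         # header of another interface
        esac
        [ "$in_block" = 1 ] || continue
        case $line in *"inet addr:"*) ;; *) continue ;; esac
        addr='' mask=''
        for f in $line; do
            case $f in
                addr:*) addr=${f#addr:} ;;
                Mask:*) mask=${f#Mask:} ;;
            esac
        done
        echo "$addr $mask"
        break
    done
}

# Network address (as an integer) of $1 under mask $2.
network_of() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Print yes (status 0) if $1/$2 and $3/$4 describe one subnet, else no (status 1).
same_subnet() {
    if [ "$2" = "$4" ] && [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]; then
        echo yes
    else
        echo no
        return 1
    fi
}

# Compare outside interface $1 and inside interface $2 using ifconfig text $3.
check_inline_pair() {
    outside=$(iface_addr_mask "$1" "$3")
    inside=$(iface_addr_mask "$2" "$3")
    set -- "$1" "$2" $outside $inside   # $3 $4 = outside addr/mask, $5 $6 = inside
    if [ $# -ne 6 ]; then
        echo "could not read addresses for $1 and $2"
        return 2
    fi
    if same_subnet "$3" "$4" "$5" "$6" >/dev/null; then
        echo "$1 $3/$4 and $2 $5/$6 share a subnet: the bridge is transparent to them"
    else
        echo "$1 $3/$4 and $2 $5/$6 are different subnets: hosts cannot reach across a layer-2 bridge without a router"
        return 1
    fi
}

# Demo against the pasted output (the two sides are in different subnets).
check_inline_pair eth0 eth1 "$SAMPLE_IFCONFIG" || echo "check exited with status $?"
```

Two further things worth confirming on the sensor itself: the afpacket example in Snort's README.daq starts Snort with -Q, which turns on inline operation in Snort as well as in the DAQ, and the interfaces of a bridged pair are normally left without IP addresses (management on a third interface), so the kernel's own stack does not answer ARP or ICMP on the wire Snort is supposed to be transparent on. Being able to ping both sides from the sensor's own stack says nothing about what the bridge forwards.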

Bad so_rules on file snortrules-snapshot-2961.tar.gz

Hi guys, I'm having some trouble with the last rule file from yesterday.

 

The so_rules from that file are not updated as they should be. Instead, they are the old files from 5 August.

 

Joel, can you confirm this?

 

Thanks!!!

 

 

Bankole Agunbiade | 27 Aug 10:54 2014

Urgent

I am in dire need of ideas regarding my thesis, which has to do with Snort as an IDS (the topic is: evaluation of IDS with Snort as a case study). I have done the basic experimental setup of Snort in VMware and configured Snort to generate logs and alerts, which has worked perfectly well, but I was asked to dig deeper and do more complicated and interesting experiments with Snort, like working on its vulnerabilities or finding means of visualising Snort rules and all of that.

I have been looking for ideas on what direction to take my work, but I have not found much, so I am wondering if you could expose me to more about Snort and point me in a direction to go.

Many Thanks

Bankole