Snort mailing list archives
Re: "modprobe: can't locate.." related to snort: Yes.
From: John Sage <jsage () finchhaven com>
Date: Wed, 25 Jul 2001 21:49:37 -0700
I've narrowed down the syslog message ("modprobe: Can't locate module [reading from a ") created by snort 1.8.1.beta4, to its being created when I run a secondary set of rules against all packets logged over an extended period of time by my primary rule sets.
The primary rules binary-log *everything* and do just a little alerting for some specific ports - nothing fancy.
The secondary ruleset is basically the box-stock snort.conf that comes with 1.8.1-b4.
So what about all this is trying to locate a module?

Command line:

snort18 -b -i ppp0 -c /usr/local/snort-1.8.1-beta4/snort18.conf &

Output from adding -T

--== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface ppp0
Decoding raw data on interface ppp0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/snort-1.8.1-beta4/snort18check.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
ProcessFileOption: /var/log/snort/./alert-check.full
Linking FullAlert functions to call lists...
908 Snort rules read...
908 Option Chains linked into 135 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-beta4 (Build 54)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
Stuff set up by snort18check.conf:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

output alert_full: ./alert-check.full

include classification.config

include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
# include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules

John Sage wrote:
Hello world..

snort.1.8.1-beta4 is up and running well in binary mode, pretty much box-stock as it comes from the current *.tar.gz

I've got psionic's logcheck running, and now suddenly it's reporting this:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jul 25 06:40:49 greatwall snort: [1:0:0] TCP to 1024-60999 {TCP} 207.217.120.208:25 -> 12.82.128.60:1631
Jul 25 06:41:27 greatwall modprobe: modprobe: Can't locate module [reading from a
Jul 25 06:41:49 greatwall snort: [1:0:0] TCP to 1024-60999 {TCP} 207.217.120.208:25 -> 12.82.128.60:1631
Jul 25 06:42:49 greatwall snort: [1:0:0] TCP to 1024-60999 {TCP} 207.217.120.208:25 -> 12.82.128.60:1631
:
:
<snip>

What's this:

> Jul 25 06:41:27 greatwall modprobe: modprobe: Can't locate module [reading from a

It stops just like that: "...[reading from a "
<snip>