Snort mailing list archives
RE: SNORT newbie looking for some help with Snort on Win2k
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Wed, 15 May 2002 09:20:17 -0600
Lots of weird issues with that IDS center. Not 100% certain, but seems that most individuals resort to command line in order to get snort to work on win2k... at least that is how I managed to get it to function correctly.

-----Original Message-----
From: Richard Roy [mailto:royr () justicetrax com]
Sent: Wednesday, May 15, 2002 8:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SNORT newbie looking for some help with Snort on Win2k

I set up SNORT using IDSCentre and tested the config using the applet. I received no error messages, the SNORT window is minimized and things appear to work, yet there are no alerts, no log entries, nothing. I know we are under hits all the time; my firewall reports blocking them.

Setup: W2K Pro, P3 733. On a hub with router and firewall external interface. I have 64 public IPs and I'd like to scan the range if possible.

I am including the following: from IDSCentre, the command line it fires, the snort.conf file and the screen output from the minimized snort window. I can't quite figure out what is wrong. Another set of eyes looking at this is what I am hoping someone will do and see a problem.

TIA for your help,
Rich

PS: Sorry it is a long post, but I did not want to do an attachment.

[Begin config]

[************cmd line*********]
c:\snort\Snort.exe -c "c:\snort\snort.conf" -l "c:\snort\log" -h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y
[*NOTE, yes I blanked out my IP above. It is a public IP*]

[***********snort.conf**************]
#--------------------------------------------------
# http://www.activeworx.com Snort 1.8.6 Ruleset
# IDS Policy Manager Version: 1.3 Build(31)
# Current Database Updated -- May 10, 2002 10:55 AM
#--------------------------------------------------
#
## Variables ## ---------
#var HOME_NET 10.1.1.0/24
#var HOME_NET $eth0_ADDRESS
#var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
#var RULE_PATH ./
var RULE_PATH c:\snort\rules
var SHELLCODE_PORTS !80
#var SPADEDIR .
#
## Preprocessor Support ## --------------------
preprocessor http_decode: 80 -cginull -unicode
preprocessor rpc_decode: 111 32771
preprocessor bo:
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
preprocessor frag2
preprocessor telnet_decode
#
#
## Output Modules ## --------------
#output database: log, unixodbc, dbname=snort user=snort host=localhost password=test
output CSV: log default
output log_tcpdump: snorttcp.log
#output xml: Log, file=/var/log/snortxml
output log_unified: filename snort.log, limit 128
#
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128
#output trap_snmp: alert, 7, inform -v 3 -p 162 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
#
## Custom Rules ## ------------
ruletype suspicious
{
  type log
  output log_tcpdump: suspicious.log
}
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  # output database: log, mysql, user=snort dbname=snort host=localhost
}
#ruletype <New_Custom_Rules>
#{
#}
#
## Include Files ## -------------
include classification.config
#
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

{*********Snort Screen*************}
Log directory = c:\snort\log
Initializing Network Interface \
--== Initializing Snort ==--
Decoding Ethernet on interface \Device\Packet_NdisWanIp
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file c:\snort\snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
Using GMT time
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
ProcessFileOption: c:\snort\log/log
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read...
980 Option Chains linked into 100 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log->suspicious->redalert
--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 103)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) (based on code from 1.7 port)
[End config]
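An added troubleshooting check, not from the thread or from the Snort project, that runs over the quoted command line, snort.conf and startup output the observations a reader would make: the adapter picked by "-i 1" is reported as \Device\Packet_NdisWanIp, the RAS/dial-up pseudo-adapter rather than the LAN NIC; the three "command line overrides" warnings correspond one-to-one to the three log output plugins in snort.conf; no top-level "output alert_*" line is active; and a /32 home net covers a single address while 64 hosts are to be watched. The sample inputs are constructed from the post, and the default alert behaviour of Snort 1.8 is an assumption.

```python
import re

# Sample inputs constructed from the command line, snort.conf and startup
# output quoted in the thread (the home-net IP stays blanked as in the post).
CMDLINE = ('c:\\snort\\Snort.exe -c "c:\\snort\\snort.conf" -l "c:\\snort\\log" '
           '-h aaa.bbb.ccc.ddd/32 -i 1 -a -b -C -d -e -O -X -I -G basic -U -y')
SNORT_CONF = """output CSV: log default
output log_tcpdump: snorttcp.log
output log_unified: filename snort.log, limit 128
#output alert_syslog: LOG_AUTH LOG_ALERT
#output alert_unified: filename snort.alert, limit 128"""
SCREEN = """Decoding Ethernet on interface \\Device\\Packet_NdisWanIp
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
WARNING: command line overrides rules file logging plugin!
980 Snort rules read..."""


def check_snort_setup(cmdline, conf, screen, wanted_hosts):
    """Return findings that explain why a Snort 1.8/Win32 sensor may stay silent."""
    findings = []
    active = [l for l in conf.splitlines() if not l.startswith("#")]
    # 1. Adapter chosen by "-i N": \Device\Packet_NdisWanIp is the RAS/dial-up
    #    pseudo-adapter under WinPcap, so traffic on the hub never reaches it.
    m = re.search(r"Decoding Ethernet on interface (\S+)", screen)
    if m and "NdisWan" in m.group(1):
        findings.append("interface: %s is the WAN pseudo-adapter, not the LAN NIC; "
                        "list adapters with 'snort -W' and give that number to -i" % m.group(1))
    # 2. One override warning per "log" output plugin: -l/-b on the command line
    #    replaced every configured log plugin, so logs land under -l only.
    log_plugins = [l for l in active if re.match(r"output (CSV|log_\w+):", l)]
    warnings = screen.count("command line overrides rules file logging plugin")
    if warnings and warnings == len(log_plugins):
        findings.append("logging: %d warning(s) match the %d log plugins in snort.conf; "
                        "command-line -l/-b overrides them" % (warnings, len(log_plugins)))
    # 3. No uncommented top-level alert module (assumed: alerts then rely only on
    #    Snort's built-in default alert mode, written under the -l directory).
    if not any(l.startswith("output alert_") for l in active):
        findings.append("alerting: no active 'output alert_*' module in snort.conf")
    # 4. Does the -h home net cover the address range the sensor should watch?
    m = re.search(r"-h \S+/(\d+)", cmdline)
    if m:
        covered = 2 ** (32 - int(m.group(1)))
        if covered < wanted_hosts:
            need = 32 - (wanted_hosts - 1).bit_length()
            findings.append("home net: /%s covers %d address(es) but %d hosts are to be "
                            "watched (a /%d would)" % (m.group(1), covered, wanted_hosts, need))
    return findings
```

Calling `check_snort_setup(CMDLINE, SNORT_CONF, SCREEN, wanted_hosts=64)` returns all four findings for the setup quoted above.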