Snort mailing list archives
Re: Figured it out!: Snort not outputting statistics on exit
From: Phil Wood <cpw () lanl gov>
Date: Sun, 16 Nov 2003 19:26:41 -0700
On Sun, Nov 16, 2003 at 04:00:50PM -0500, Mark Ewert wrote:
> Greetings,
>
> I figured it out. I had been searching and searching Google for an answer and finally found it. Seems there is a bug in snort.c (located within the /src subdirectory of the install package). Here's a link to the fix provided by Chris Green cmg () sourcefire com:
> http://www.pantek.com/library/general/lists/snort.org/snort-devel/msg00522.html
>
> Here's the detail: This problem seems only to occur in Daemon mode. To fix it, change in snort.c
>
>     /* Print Statistics */
>     if(!pv.test_mode_flag)
>     {
>         fpShowEventStats();
>         DropStats(0);
>     }
>
> to
>
>     /* Print Statistics */
>     if(!pv.test_mode_flag)
>     {
>         fpShowEventStats();
>         pv.quiet_flag = 0;   /* daemon mode runs quiet; turn output on for the stats */
>         DropStats(0);
>         pv.quiet_flag = 1;   /* and back to quiet afterwards */
>     }
>
> After doing this Snort not only properly outputs stats in /var/log/messages on exit but it also tells me which libpcap I am using on startup, which is great because I'm experimenting with Phil Wood's
For grins, start your snort and include PCAP_VERBOSE=1 where you might be setting PCAP_FRAMES=max. It will dump a line to stderr which shows what is really going on after all is said and done.

Example default (not setting PCAP_FRAMES to the max):

    # PCAP_VERBOSE=1 tcpdump -i eth0 -c 1 -n
    libpcap version: 0.8 Kernel filter, Protocol 0300, MMAP mode (600 frames, snapshot 96), socket type: Raw

Later,
> libpcap8 with ring support and wasn't sure how to tell if Snort was actually using it! Sorry I didn't find the solution before posting to the group. I'm going to try the same fix (if required) after installing v2.0.4
>
> Mark
>
> ---------------------------------------------
> Mark F. Ewert, Principal Systems Architect
> Integrated Healthcare Information Services
> www.ihcis.com
>
> -----Original Message-----
> From: Mark Ewert
> Sent: Sunday, November 16, 2003 3:27 PM
> To: snort-users () lists sourceforge net
> Subject: Snort not outputting statistics on exit
>
> Greetings,
>
> I'm having an odd problem that just started with my Snort sensors. When I shut down Snort (either via kill or the stop command with the startup script) Snort no longer outputs its performance statistics in /var/log/messages - it just lists: Snort Exiting. I may be going crazy but I believe it used to output the stats there - I've seen them recently as I've been working to improve Snort rule performance and am looking for the packet loss data. Any idea what I'm doing wrong?
>
> Here's my Snort command line from one of my sensors:
>
>     snort -c /etc/snort/snort.conf -i eth1 -D
>
> I'm using the unified log and alert output options and mudpit to process them. Oh - currently running Snort 2.0.2 but will be upgrading to 2.0.4 ASAP.
> Here's the snort.conf from the same sensor - it's an un-tuned test sensor so it's definitely not optimized:
>
>     #
>     ## Variables
>     ## ---------
>     var HOME_NET 192.168.1.0/24
>     var EXTERNAL_NET any
>     var SMTP_SERVERS $HOME_NET
>     var TELNET_SERVERS $HOME_NET
>     var ORACLE_PORTS 1521
>     var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>     var RULE_PATH /etc/snort
>     var DNS_SERVERS 192.168.1.200
>     var HTTP_SERVERS [192.168.1.200/32,192.168.1.117/32]
>     var HTTP_PORTS 80
>     var SQL_SERVERS [192.168.1.117/32,192.168.1.200/32]
>     #
>     ## Preprocessor Support
>     ## --------------------
>     preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
>     preprocessor rpc_decode: 111 32771
>     preprocessor bo
>     preprocessor stream4: detect_scans, disable_evasion_alerts
>     preprocessor stream4_reassemble
>     #preprocessor portscan: $HOME_NET 4 3 portscan.log
>     #preprocessor portscan-ignorehosts: 0.0.0.0
>     #preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
>     #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
>     preprocessor frag2
>     preprocessor telnet_decode
>     #preprocessor arpspoof
>     #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>     #
>     #
>     ## Output Modules
>     ## --------------
>     output log_unified: filename /var/log/snort1/unified_log, limit 128
>     #
>     output alert_unified: filename /var/log/snort1/unified_alert, limit 128
>     #
>     ## Custom Rules
>     ## ------------
>     config disable_decode_alerts
>     config disable_tcpopt_experimental_alerts
>     config disable_tcpopt_obsolete_alerts
>     config disable_ttcp_alerts
>     config disable_tcpopt_alerts
>     config disable_ipopt_alerts
>     config detection: search-method lowmem
>     ## Include Files
>     ## -------------
>     include classification.config
>     include reference.config
>     #
>     include $RULE_PATH/bad-traffic.rules
>     include $RULE_PATH/exploit.rules
>     include $RULE_PATH/scan.rules
>     include $RULE_PATH/finger.rules
>     include $RULE_PATH/ftp.rules
>     include $RULE_PATH/telnet.rules
>     include $RULE_PATH/rpc.rules
>     include $RULE_PATH/rservices.rules
>     include $RULE_PATH/dos.rules
>     include $RULE_PATH/ddos.rules
>     include $RULE_PATH/dns.rules
>     include $RULE_PATH/tftp.rules
>     include $RULE_PATH/web-cgi.rules
>     include $RULE_PATH/web-coldfusion.rules
>     include $RULE_PATH/web-iis.rules
>     include $RULE_PATH/web-frontpage.rules
>     include $RULE_PATH/web-misc.rules
>     include $RULE_PATH/web-client.rules
>     include $RULE_PATH/web-php.rules
>     include $RULE_PATH/sql.rules
>     include $RULE_PATH/x11.rules
>     include $RULE_PATH/icmp.rules
>     include $RULE_PATH/netbios.rules
>     include $RULE_PATH/misc.rules
>     include $RULE_PATH/attack-responses.rules
>     include $RULE_PATH/oracle.rules
>     include $RULE_PATH/mysql.rules
>     include $RULE_PATH/snmp.rules
>     include $RULE_PATH/smtp.rules
>     include $RULE_PATH/imap.rules
>     include $RULE_PATH/pop2.rules
>     include $RULE_PATH/pop3.rules
>     include $RULE_PATH/nntp.rules
>     include $RULE_PATH/other-ids.rules
>     #include $RULE_PATH/web-attacks.rules
>     #include $RULE_PATH/backdoor.rules
>     #include $RULE_PATH/shellcode.rules
>     #include $RULE_PATH/policy.rules
>     #include $RULE_PATH/porn.rules
>     #include $RULE_PATH/info.rules
>     #include $RULE_PATH/icmp-info.rules
>     #include $RULE_PATH/virus.rules
>     #include $RULE_PATH/chat.rules
>     #include $RULE_PATH/multimedia.rules
>     #include $RULE_PATH/p2p.rules
>     include $RULE_PATH/experimental.rules
>     include $RULE_PATH/local.rules
>
> and the output from snort -T -i eth1 -c /etc/snort/snort.conf :
>
>            -*> Snort! <*-
>     Version 2.0.2 (Build 92)
>     By Martin Roesch (roesch () sourcefire com, www.snort.org)
>     Snort sucessfully loaded all rules and checked all rule chains!
>     Snort exiting
>     [root@vlnxsvr5 root]# snort -T -i eth1 -c /etc/snort/snort.conf
>     Running in IDS mode
>     Log directory = /var/log/snort
>
>     Initializing Network Interface eth1
>     OpenPcap() device eth1 network lookup:
>             eth1: no IPv4 address assigned
>
>             --== Initializing Snort ==--
>     Initializing Output Plugins!
>     Decoding Ethernet on interface eth1
>     Initializing Preprocessors!
>     Initializing Plug-ins!
>     Parsing Rules file /etc/snort/snort.conf
>
>     +++++++++++++++++++++++++++++++++++++++++++++++++++
>     Initializing rule chains...
>     http_decode arguments:
>         Unicode decoding
>         IIS alternate Unicode decoding
>         IIS double encoding vuln
>         Flip backslash to slash
>         Include additional whitespace separators
>         Ports to decode http on: 80
>     rpc_decode arguments:
>         Ports to decode RPC on: 111 32771
>         alert_fragments: INACTIVE
>         alert_large_fragments: ACTIVE
>         alert_incomplete: ACTIVE
>         alert_multiple_requests: ACTIVE
>     Stream4 config:
>         Stateful inspection: ACTIVE
>         Session statistics: INACTIVE
>         Session timeout: 30 seconds
>         Session memory cap: 8388608 bytes
>         State alerts: INACTIVE
>         Evasion alerts: INACTIVE
>         Scan alerts: ACTIVE
>         Log Flushed Streams: INACTIVE
>         MinTTL: 1
>         TTL Limit: 5
>         Async Link: 0
>         State Protection: 0
>         Self preservation threshold: 50
>         Self preservation period: 90
>         Suspend threshold: 200
>         Suspend period: 30
>     Stream4_reassemble config:
>         Server reassembly: INACTIVE
>         Client reassembly: ACTIVE
>         Reassembler alerts: ACTIVE
>         Zero out flushed packets: INACTIVE
>         flush_data_diff_size: 500
>         Ports: 21 23 25 53 80 110 111 143 513 1433
>         Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
>     No arguments to frag2 directive, setting defaults to:
>         Fragment timeout: 60 seconds
>         Fragment memory cap: 4194304 bytes
>         Fragment min_ttl: 0
>         Fragment ttl_limit: 5
>         Fragment Problems: 0
>         Self preservation threshold: 500
>         Self preservation period: 90
>         Suspend threshold: 1000
>         Suspend period: 30
>     telnet_decode arguments:
>         Ports to decode telnet on: 21 23 25 119
>     1458 Snort rules read...
>     1458 Option Chains linked into 163 Chain Headers
>     0 Dynamic rules
>     +++++++++++++++++++++++++++++++++++++++++++++++++++
>
>     Rule application order: ->activation->dynamic->alert->pass->log
>
>             --== Initialization Complete ==--
>
>            -*> Snort! <*-
>     Version 2.0.2 (Build 92)
>     By Martin Roesch (roesch () sourcefire com, www.snort.org)
>     Snort sucessfully loaded all rules and checked all rule chains!
>     Snort exiting
>
> THANKS IN ADVANCE.
>
> Mark
>
> -------------------------------------------
> Mark F. Ewert, Principal Systems Architect
> Integrated Healthcare Information Services
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: GoToMyPC
> GoToMyPC is the fast, easy and secure way to access your computer from any Web browser or wireless device. Click here to Try it Free!
> https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list
-- 
Phil Wood (cpw_at_lanl.gov)
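The exit-path bug in the thread, as an added C model that is not Snort's own code: daemon mode turns on quiet_flag, a stand-in LogMessage() honours it, so DropStats() output is lost until the flag is cleared around the call as in the patch above. The pv fields, the capture buffer, the packet counts and the "daemon implies quiet" rule are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for the relevant field of Snort 2.0.x's global pv struct. */
static struct { int quiet_flag; } pv;

/* Capture buffer standing in for stderr/syslog so results can be checked. */
static char sink[256];

/* Stand-in for Snort's LogMessage(): routine messages are dropped while
 * quiet_flag is set, which is what hides the exit statistics under -D. */
static void LogMessage(const char *msg)
{
    if (pv.quiet_flag)
        return;
    strncat(sink, msg, sizeof sink - strlen(sink) - 1);
}

/* Stand-in for DropStats(): packets received vs. dropped by libpcap. */
static void DropStats(unsigned long received, unsigned long dropped)
{
    char line[128];
    double pct = received ? 100.0 * dropped / received : 0.0;
    snprintf(line, sizeof line,
             "Snort received %lu packets, dropped %lu (%.3f%%)\n",
             received, dropped, pct);
    LogMessage(line);
}

/* Model of -D: daemon mode also turns on quiet mode (assumption taken from
 * the patch in the thread, which restores quiet_flag = 1 afterwards). */
static void StartSnort(int daemon)
{
    pv.quiet_flag = daemon;
    sink[0] = '\0';
}

/* Exit path: apply_fix == 0 is the 2.0.2 behaviour, 1 is the patched one. */
static const char *CleanExit(int apply_fix, unsigned long received, unsigned long dropped)
{
    if (!apply_fix) {
        DropStats(received, dropped);   /* silently skipped when quiet */
    } else {
        pv.quiet_flag = 0;              /* force the statistics out... */
        DropStats(received, dropped);
        pv.quiet_flag = 1;              /* ...then back to quiet, as in the patch */
    }
    return sink;                        /* whatever reached the log */
}
```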
Current thread:
- Figured it out!: Snort not outputting statistics on exit Mark Ewert (Nov 16)
- Re: Figured it out!: Snort not outputting statistics on exit Phil Wood (Nov 16)