Snort mailing list archives
I finish installing the management and 2 sensors !! I have small problem please help !
From: Juan Fernandez <Juan.Fernandez () deltathree com>
Date: Fri, 17 Sep 2004 14:12:29 +0300
Hi ! I use FC1 and followed the manual of Harper. When I start snort manually, e.g. /etc/init.d/snort start, I see in /var/log/messages :

[root@sensjrlan root]# tail -f /var/log/messages
Sep 17 13:24:06 sensjrlan snort: Suspend threshold: 1000
Sep 17 13:24:06 sensjrlan snort: Suspend period: 30
Sep 17 13:24:06 sensjrlan snort: WARNING /etc/snort/snort.conf(261) => Unknown stream4: option: min_ttl
Sep 17 13:24:06 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(286) => Invalid configuration token '80'. The first configuration must start with a 'global' configuration type.
Sep 17 13:35:44 sensjrlan sshd(pam_unix)[1836]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=208.170.171.181 user=juanb
Sep 17 13:35:47 sensjrlan sshd(pam_unix)[1838]: session opened for user juanb by (uid=500)
Sep 17 13:43:08 sensjrlan su(pam_unix)[1878]: session opened for user root by juanb(uid=500)
Sep 17 13:50:18 sensjrlan sshd(pam_unix)[1926]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=208.170.171.181 user=juanb
Sep 17 13:50:21 sensjrlan sshd(pam_unix)[1928]: session opened for user juanb by (uid=500)
Sep 17 13:50:45 sensjrlan su(pam_unix)[1968]: session opened for user root by juanb(uid=500)
Sep 17 13:52:49 sensjrlan snort: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned
Sep 17 13:52:49 sensjrlan snort: Initializing daemon mode
Sep 17 13:52:49 sensjrlan snort: PID path stat checked out ok, PID path set to /var/run/
Sep 17 13:52:49 sensjrlan snort: Writing PID "2038" to file "/var/run//snort_eth1.pid"
Sep 17 13:52:49 sensjrlan snort: ,-----------[Flow Config]----------------------
Sep 17 13:52:49 sensjrlan snort: | Stats Interval: 0
Sep 17 13:52:49 sensjrlan snort: | Hash Method: 2
Sep 17 13:52:49 sensjrlan snort: | Memcap: 10485760
Sep 17 13:52:49 sensjrlan snort: | Rows : 4099
Sep 17 13:52:49 sensjrlan snort: | Overhead Bytes: 16400(%0.16)
Sep 17 13:52:49 sensjrlan snort: `----------------------------------------------
Sep 17 13:52:49 sensjrlan snort: [*] Frag2 config:
Sep 17 13:52:49 sensjrlan snort: Fragment timeout: 35 seconds
Sep 17 13:52:49 sensjrlan snort: Fragment memory cap: 4194304 bytes
Sep 17 13:52:49 sensjrlan snort: Fragment min_ttl: 3
Sep 17 13:52:49 sensjrlan snort: Fragment ttl_limit: 8
Sep 17 13:52:49 sensjrlan snort: Fragment Problems: 0
Sep 17 13:52:49 sensjrlan snort: State Protection: 0
Sep 17 13:52:49 sensjrlan snort: Self preservation threshold: 500
Sep 17 13:52:49 sensjrlan snort: Self preservation period: 90
Sep 17 13:52:49 sensjrlan snort: Suspend threshold: 1000
Sep 17 13:52:49 sensjrlan snort: Suspend period: 30
Sep 17 13:52:49 sensjrlan snort: WARNING /etc/snort/snort.conf(261) => Unknown stream4: option: min_ttl
Sep 17 13:52:49 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(286) => Invalid configuration token '80'. The first configuration must start with a 'global' configuration type.

The thing is that I didn't touch lines 286 and 261 in snort.conf at all!!

Here I inserted the relevant lines so you can help me debug (with the :set number option):

255 # 10 Stealth scan: NMAP XMAS scan
256 # 11 Stealth scan: Vecna scan
257 # 12 Stealth scan: NMAP fingerprint scan stateful detect
258 # 13 Stealth scan: SYN-FIN scan
259 # 14 TCP forward overlap
260
261 preprocessor stream4: detect_scans, timeout 35, memcap 8388608, min_ttl 3 , ttl_limit 8
262
263 # tcp stream reassembly directive
264 # no arguments loads the default configuration
265 # Only reassemble the client,
266 # Only reassemble the default list of ports (See below),
267 # Give alerts for "bad" streams
268 #
269 # Available options (comma delimited):
270 # clientonly - reassemble traffic for the client side of a connection only
271 # serveronly - reassemble traffic for the server side of a connection only
272 # both - reassemble both sides of a session
273 # noalerts - turn off alerts from the stream reassembly stage of stream4
274 # ports [list] - use the space separated list of ports in [list], "all"
275 # will turn on reassembly for all ports, "default" will turn
276 # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
277 # and 513
278
279 preprocessor stream4_reassemble: both, ports all
280
281 # http_inspect: normalize and detect HTTP traffic and protocol anomalies
282 #
283 # lots of options available here. See doc/README.http_inspect.
284 # unicode.map should be wherever your snort.conf lives, or given
285 # a full path to where snort can find it.
286 preprocessor http_inspect: 80 443 8080 unicode iis_alt_unicode
287 double_encode iis_flip_slash full_whitespace

Thanks very much to all of you !!
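Editor's added illustration (not part of the original post): the FATAL ERROR on line 286 says the first http_inspect statement must be of the 'global' type. This is the two-statement layout that the Snort 2.2-era snort.conf uses for http_inspect, with the port list taken from line 286 and the unicode.map location assumed to be beside snort.conf as the comment on lines 284-285 describes.

```conf
# Added example of the 'global' + 'server' http_inspect layout.
# Assumed Snort 2.2-style syntax; the ports are the poster's, the
# unicode.map path and code page (1252) are assumptions.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Per-server settings come after the global statement; 'profile all'
# enables the full set of normalizations for the listed ports.
preprocessor http_inspect_server: server default \
    profile all ports { 80 443 8080 }
```

The option names on line 286 (unicode, iis_alt_unicode, double_encode, iis_flip_slash, full_whitespace) are the single-line style of the older http_decode preprocessor rather than http_inspect; doc/README.http_inspect, which line 283 points to, lists the options the installed version accepts.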