Snort mailing list archives

I finished installing the management and 2 sensors!! I have a small problem, please help!


From: Juan Fernandez <Juan.Fernandez () deltathree com>
Date: Fri, 17 Sep 2004 14:12:29 +0300

Hi!

I use FC1 and followed the manual of Harper.

When I start snort manually, e.g. /etc/init.d/snort start, I see in /var/log/messages:

 

[root@sensjrlan root]# tail -f /var/log/messages
Sep 17 13:24:06 sensjrlan snort:     Suspend threshold: 1000
Sep 17 13:24:06 sensjrlan snort:     Suspend period: 30
Sep 17 13:24:06 sensjrlan snort: WARNING /etc/snort/snort.conf(261) => Unknown stream4: option: min_ttl
Sep 17 13:24:06 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(286) => Invalid configuration token '80'.  The first configuration must start with a 'global' configuration type.
Sep 17 13:35:44 sensjrlan sshd(pam_unix)[1836]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=208.170.171.181  user=juanb
Sep 17 13:35:47 sensjrlan sshd(pam_unix)[1838]: session opened for user juanb by (uid=500)
Sep 17 13:43:08 sensjrlan su(pam_unix)[1878]: session opened for user root by juanb(uid=500)
Sep 17 13:50:18 sensjrlan sshd(pam_unix)[1926]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=208.170.171.181  user=juanb
Sep 17 13:50:21 sensjrlan sshd(pam_unix)[1928]: session opened for user juanb by (uid=500)
Sep 17 13:50:45 sensjrlan su(pam_unix)[1968]: session opened for user root by juanb(uid=500)
Sep 17 13:52:49 sensjrlan snort: OpenPcap() device eth1 network lookup: ^Ieth1: no IPv4 address assigned
Sep 17 13:52:49 sensjrlan snort: Initializing daemon mode
Sep 17 13:52:49 sensjrlan snort: PID path stat checked out ok, PID path set to /var/run/
Sep 17 13:52:49 sensjrlan snort: Writing PID "2038" to file "/var/run//snort_eth1.pid"
Sep 17 13:52:49 sensjrlan snort: ,-----------[Flow Config]----------------------
Sep 17 13:52:49 sensjrlan snort: | Stats Interval:  0
Sep 17 13:52:49 sensjrlan snort: | Hash Method:     2
Sep 17 13:52:49 sensjrlan snort: | Memcap:          10485760
Sep 17 13:52:49 sensjrlan snort: | Rows  :          4099
Sep 17 13:52:49 sensjrlan snort: | Overhead Bytes:  16400(%0.16)
Sep 17 13:52:49 sensjrlan snort: `----------------------------------------------
Sep 17 13:52:49 sensjrlan snort: [*] Frag2 config:
Sep 17 13:52:49 sensjrlan snort:     Fragment timeout: 35 seconds
Sep 17 13:52:49 sensjrlan snort:     Fragment memory cap: 4194304 bytes
Sep 17 13:52:49 sensjrlan snort:     Fragment min_ttl:   3
Sep 17 13:52:49 sensjrlan snort:     Fragment ttl_limit: 8
Sep 17 13:52:49 sensjrlan snort:     Fragment Problems: 0
Sep 17 13:52:49 sensjrlan snort:     State Protection: 0
Sep 17 13:52:49 sensjrlan snort:     Self preservation threshold: 500
Sep 17 13:52:49 sensjrlan snort:     Self preservation period: 90
Sep 17 13:52:49 sensjrlan snort:     Suspend threshold: 1000
Sep 17 13:52:49 sensjrlan snort:     Suspend period: 30
Sep 17 13:52:49 sensjrlan snort: WARNING /etc/snort/snort.conf(261) => Unknown stream4: option: min_ttl
Sep 17 13:52:49 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(286) => Invalid configuration token '80'.  The first configuration must start with a 'global' configuration type.

 

The thing is that I didn't touch lines 286 and 261 in snort.conf at all!! Here I inserted the relevant lines (with the :set number option) so you can help me debug:

 

    255 #   10      Stealth scan: NMAP XMAS scan
    256 #   11      Stealth scan: Vecna scan
    257 #   12      Stealth scan: NMAP fingerprint scan stateful detect
    258 #   13      Stealth scan: SYN-FIN scan
    259 #   14      TCP forward overlap
    260 
    261 preprocessor stream4: detect_scans, timeout 35, memcap 8388608, min_ttl 3 , ttl_limit 8
    262 
    263 # tcp stream reassembly directive
    264 # no arguments loads the default configuration
    265 #   Only reassemble the client,
    266 #   Only reassemble the default list of ports (See below),
    267 #   Give alerts for "bad" streams
    268 #
    269 # Available options (comma delimited):
    270 #   clientonly - reassemble traffic for the client side of a connection only
    271 #   serveronly - reassemble traffic for the server side of a connection only
    272 #   both - reassemble both sides of a session
    273 #   noalerts - turn off alerts from the stream reassembly stage of stream4
    274 #   ports [list] - use the space separated list of ports in [list], "all"
    275 #                  will turn on reassembly for all ports, "default" will turn
    276 #                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
    277 #                  and 513
    278 
    279 preprocessor stream4_reassemble: both, ports all
    280 
    281 # http_inspect: normalize and detect HTTP traffic and protocol anomalies
    282 #
    283 # lots of options available here. See doc/README.http_inspect.
    284 # unicode.map should be wherever your snort.conf lives, or given
    285 # a full path to where snort can find it.
    286 preprocessor http_inspect: 80 443 8080 unicode iis_alt_unicode
    287     double_encode iis_flip_slash full_whitespace


Thanks very much to all of you !!
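The two diagnostics in the log above (an option stream4 does not recognise at line 261, and an http_inspect directive at line 286 whose first token is not `global`) can be caught before the sensor is started. The pre-flight checker below is an added example, not code from the original post or from the Snort project; the stream4 allow-list is an assumption limited to the options the post's own config shows Snort accepting, and the sample conf excerpts are constructed to mirror lines 261 and 286.

```python
"""Pre-flight lint for Snort 2.x preprocessor directives in snort.conf.

Reproduces, as static checks, the two failures the post's log shows, so a
broken directive is reported before '/etc/init.d/snort start' dies with a
FATAL ERROR. Added example; not the Snort project's own validation code.
"""
import re

# Assumption: only the stream4 options the post's own config shows Snort
# accepting (its log complains about min_ttl alone). Extend this from the
# README.stream4 shipped with your Snort version.
STREAM4_OPTIONS = {"detect_scans", "timeout", "memcap", "ttl_limit"}


def directives(conf):
    """Yield (line_no, preprocessor_name, args) for every 'preprocessor'
    directive, joining backslash-continued lines as Snort's reader does."""
    pending, start = "", 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            start = no                      # directive is reported at its first line
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        text, pending = (pending + line).strip(), ""
        m = re.match(r"preprocessor\s+(\w+)\s*:\s*(.*)", text)
        if m:
            yield start, m.group(1), m.group(2)


def check(conf):
    """Return diagnostics phrased like Snort's own log lines, or [] if clean."""
    problems = []
    for no, name, args in directives(conf):
        if name == "stream4":
            # stream4 options are comma separated; the option keyword is the
            # first word of each item ("min_ttl 3" -> "min_ttl").
            for item in (t.strip() for t in args.split(",") if t.strip()):
                key = item.split()[0]
                if key not in STREAM4_OPTIONS:
                    problems.append(f"snort.conf({no}) => Unknown stream4: option: {key}")
        elif name == "http_inspect":
            first = args.split(None, 1)[0] if args.strip() else ""
            if first != "global":
                problems.append(
                    f"snort.conf({no}) => Invalid configuration token '{first}'. "
                    "The first configuration must start with a 'global' configuration type.")
    return problems


# Constructed excerpt mirroring lines 261, 279 and 286-287 of the post's snort.conf.
BROKEN = """\
preprocessor stream4: detect_scans, timeout 35, memcap 8388608, min_ttl 3 , ttl_limit 8
preprocessor stream4_reassemble: both, ports all
preprocessor http_inspect: 80 443 8080 unicode iis_alt_unicode \\
    double_encode iis_flip_slash full_whitespace
"""

# Constructed excerpt in the Snort 2.x form: http_inspect opens with its 'global'
# configuration (http_inspect_server lines then carry the per-server settings).
FIXED = """\
preprocessor stream4: detect_scans, timeout 35, memcap 8388608, ttl_limit 8
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
"""

if __name__ == "__main__":
    for line in check(BROKEN) or ["snort.conf: no preprocessor problems found"]:
        print(line)
```

Run it against the real file with `check(open("/etc/snort/snort.conf").read())`; the reported line numbers line up with the `:set number` view, which is what the daemon's own error message refers to.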

