Snort mailing list archives
RE: start snort in IDS mode
From: "William Fitzgerald" <wfitzgerald () tssg org>
Date: Fri, 11 Feb 2005 13:26:38 -0000
You're welcome.

Regards,
Will.

William M. Fitzgerald (MSc, BSc),
Applied Researcher,
Telecommunications Software & Systems Group,
Waterford Institute of Technology,
Cork Rd. Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083

-----Original Message-----
From: Plantier, Spencer [mailto:spencer.plantier () stratech com]
Sent: 11 February 2005 13:28
To: wfitzgerald () tssg org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] start snort in IDS mode

Thanks, that worked. I used Windows Notepad; maybe that messed it up.

Thanks,
Spencer

_____
From: William Fitzgerald [mailto:wfitzgerald () tssg org]
Sent: Friday, February 11, 2005 4:01 AM
To: Plantier, Spencer
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] start snort in IDS mode

Spencer,

I got your config working. I believe there were some hidden tags around the var HOME_NET. To get it to run entirely with my older version of Snort I had to comment out the sfPortscan preprocessor. Anyhow, it should work for your new version now.

Regards,
Will

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Plantier, Spencer
Sent: 10 February 2005 15:38
To: wfitzgerald () tssg org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] start snort in IDS mode

I still get this error:

    Initializing rule chains...
    ERROR: /opt/snort/etc/snort.conf(43) => NULL rule type
    Fatal Error, Quitting..

Thanks,
Spencer

_____
From: William Fitzgerald [mailto:wfitzgerald () tssg org]
Sent: Thursday, February 10, 2005 10:33 AM
To: Plantier, Spencer
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] start snort in IDS mode

So I guess you're up and running, so :-)

Glad to be of some help.

-----Original Message-----
From: Plantier, Spencer [mailto:spencer.plantier () stratech com]
Sent: 10 February 2005 15:33
To: wfitzgerald () tssg org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] start snort in IDS mode

This is what I have.

Example of snort.conf:

    include $RULE_PATH /opt/snort/rules/smtp.rules^M
    include $RULE_PATH /opt/snort/rules/imap.rules^M
    include $RULE_PATH /opt/snort/rules/pop2.rules^M
    include $RULE_PATH /opt/snort/rules/pop3.rules^M

Thanks,

    opt/snort/etc # ls -l
    total 706
    -rw-r--r--   1 root     other       6004 Feb 10 08:36 Makefile
    -rw-r--r--   1 root     other        230 Feb 10 08:36 Makefile.am
    -rw-r--r--   1 root     other       5464 Feb 10 08:36 Makefile.in
    -rw-r--r--   1 root     other       3521 Feb 10 08:36 classification.config
    -rw-r--r--   1 root     other       8066 Feb 10 08:36 gen-msg.map
    -rw-r--r--   1 root     other       1622 Feb 10 08:36 generators
    -rw-r--r--   1 root     other        608 Feb 10 08:36 reference.config
    -rw-r--r--   1 root     other         58 Feb 10 08:36 sid
    -rw-r--r--   1 root     other     235477 Feb 10 08:36 sid-msg.map
    -rw-r--r--   1 root     other      28162 Feb 10 09:37 snort.conf
    -rw-r--r--   1 root     other       2319 Feb 10 08:36 threshold.conf
    -rw-r--r--   1 root     other      53841 Feb 10 08:36 unicode.map
    #
    # cd ..
    # ls -l
    total 12
    drwxr-xr-x   2 root     other        512 Feb 10 08:33 bin
    drwxr-xr-x   2 root     other        512 Feb 10 09:35 etc
    drwxr-xr-x   2 root     other        512 Feb 10 08:35 folder
    drwxr-xr-x   3 root     other        512 Feb 10 08:33 man
    drwxr-xr-x   2 root     other       1536 Feb 10 08:36 rules
    # cd rules
    # ls -l
    total 2018
    -rw-r--r--   1 root     other       6551 Feb 10 08:36 Makefile
    -rw-r--r--   1 root     other        777 Feb 10 08:36 Makefile.am
    -rw-r--r--   1 root     other       6009 Feb 10 08:36 Makefile.in
    -rw-r--r--   1 root     other       4768 Feb 10 08:36 attack-responses.rules
    -rw-r--r--   1 root     other      16612 Feb 10 08:36 backdoor.rules
    -rw-r--r--   1 root     other       3000 Feb 10 08:36 bad-traffic.rules
    -rw-r--r--   1 root     other       7212 Feb 10 08:36 chat.rules
    -rw-r--r--   1 root     other       6783 Feb 10 08:36 ddos.rules
    -rw-r--r--   1 root     other      63449 Feb 10 08:36 deleted.rules
    -rw-r--r--   1 root     other       5381 Feb 10 08:36 dns.rules
    -rw-r--r--   1 root     other       4831 Feb 10 08:36 dos.rules
    -rw-r--r--   1 root     other        471 Feb 10 08:36 experimental.rules
    -rw-r--r--   1 root     other      24415 Feb 10 08:36 exploit.rules
    -rw-r--r--   1 root     other       3112 Feb 10 08:36 finger.rules
    -rw-r--r--   1 root     other      20491 Feb 10 08:36 ftp.rules
    -rw-r--r--   1 root     other      15618 Feb 10 08:36 icmp-info.rules
    -rw-r--r--   1 root     other       4488 Feb 10 08:36 icmp.rules
    -rw-r--r--   1 root     other      12577 Feb 10 08:36 imap.rules
    -rw-r--r--   1 root     other       2430 Feb 10 08:36 info.rules
    -rw-r--r--   1 root     other        199 Feb 10 08:36 local.rules
    -rw-r--r--   1 root     other      16657 Feb 10 08:36 misc.rules
    -rw-r--r--   1 root     other       2866 Feb 10 08:36 multimedia.rules
    -rw-r--r--   1 root     other        816 Feb 10 08:36 mysql.rules
    -rw-r--r--   1 root     other     118680 Feb 10 08:36 netbios.rules
    -rw-r--r--   1 root     other       3895 Feb 10 08:36 nntp.rules
    -rw-r--r--   1 root     other     176913 Feb 10 08:36 oracle.rules
    -rw-r--r--   1 root     other       1383 Feb 10 08:36 other-ids.rules
    -rw-r--r--   1 root     other       3953 Feb 10 08:36 p2p.rules
    -rw-r--r--   1 root     other       5323 Feb 10 08:36 policy.rules
    -rw-r--r--   1 root     other       1228 Feb 10 08:36 pop2.rules
    -rw-r--r--   1 root     other       8578 Feb 10 08:36 pop3.rules
    -rw-r--r--   1 root     other       5061 Feb 10 08:36 porn.rules
    -rw-r--r--   1 root     other      51378 Feb 10 08:36 rpc.rules
    -rw-r--r--   1 root     other       2920 Feb 10 08:36 rservices.rules
    -rw-r--r--   1 root     other       4088 Feb 10 08:36 scan.rules
    -rw-r--r--   1 root     other       4727 Feb 10 08:36 shellcode.rules
    -rw-r--r--   1 root     other      22090 Feb 10 08:36 smtp.rules
    -rw-r--r--   1 root     other       4915 Feb 10 08:36 snmp.rules
    -rw-r--r--   1 root     other      14409 Feb 10 08:36 sql.rules
    -rw-r--r--   1 root     other       3572 Feb 10 08:36 telnet.rules
    -rw-r--r--   1 root     other       2560 Feb 10 08:36 tftp.rules
    -rw-r--r--   1 root     other       1211 Feb 10 08:36 virus.rules
    -rw-r--r--   1 root     other      10229 Feb 10 08:36 web-attacks.rules
    -rw-r--r--   1 root     other     100668 Feb 10 08:36 web-cgi.rules
    -rw-r--r--   1 root     other       7419 Feb 10 08:36 web-client.rules
    -rw-r--r--   1 root     other       9166 Feb 10 08:36 web-coldfusion.rules
    -rw-r--r--   1 root     other       9484 Feb 10 08:36 web-frontpage.rules
    -rw-r--r--   1 root     other      37230 Feb 10 08:36 web-iis.rules
    -rw-r--r--   1 root     other      94963 Feb 10 08:36 web-misc.rules
    -rw-r--r--   1 root     other      35801 Feb 10 08:36 web-php.rules
    -rw-r--r--   1 root     other        573 Feb 10 08:36 x11.rules

Spencer

_____
From: William Fitzgerald [mailto:wfitzgerald () tssg org]
Sent: Thursday, February 10, 2005 9:23 AM
To: Plantier, Spencer; snort-users () lists sourceforge net
Subject: RE: [Snort-users] start snort in IDS mode

I wonder if you have the rules directory in the correct place. You should have:

    /opt/snort/etc
    /opt/snort/rules

In the snort.conf file:

    # Path to your rules files (this can be a relative path)
    var RULE_PATH ../rules

This goes up one directory from etc to rules. If you copied the rules to the etc directory, then change the RULE_PATH to reflect this.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Plantier, Spencer
Sent: 10 February 2005 14:17
To: snort-users () lists sourceforge net
Subject: [Snort-users] start snort in IDS mode

I got IDS to start but I got the following output:

    opt/snort/bin/snort -c /opt/snort/etc/snort.conf -i hme0
    Running in IDS mode

    Initializing Network Interface hme0

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface hme0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /opt/snort/etc/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ,-----------[Flow Config]----------------------
    | Stats Interval:  0
    | Hash Method:     2
    | Memcap:          10485760
    | Rows  :          4099
    | Overhead Bytes:  16400(%0.16)
    `----------------------------------------------
    No arguments to frag2 directive, setting defaults to:
        Fragment timeout: 60 seconds
        Fragment memory cap: 4194304 bytes
        Fragment min_ttl: 0
        Fragment ttl_limit: 5
        Fragment Problems: 0
        Self preservation threshold: 500
        Self preservation period: 90
        Suspend threshold: 1000
        Suspend period: 30
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        State alerts: INACTIVE
        Evasion alerts: INACTIVE
        Scan alerts: INACTIVE
        Log Flushed Streams: INACTIVE
        MinTTL: 1
        TTL Limit: 5
        Async Link: 0
        State Protection: 0
        Self preservation threshold: 50
        Self preservation period: 90
        Suspend threshold: 200
        Suspend period: 30
        Enforce TCP State: INACTIVE
        Midstream Drop Alerts: INACTIVE
    Stream4_reassemble config:
        Server reassembly: INACTIVE
        Client reassembly: ACTIVE
        Reassembler alerts: ACTIVE
        Zero out flushed packets: INACTIVE
        flush_data_diff_size: 500
        Ports: 21 23 25 53 80 110 111 143 513 1433
        Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
    HttpInspect Config:
        GLOBAL CONFIG
          Max Pipeline Requests:    0
          Inspection Type:          STATELESS
          Detect Proxy Usage:       NO
          IIS Unicode Map Filename: /opt/snort/etc/unicode.map
          IIS Unicode Map Codepage: 1252
        DEFAULT SERVER CONFIG:
          Ports: 80 8080 8180
          Flow Depth: 300
          Max Chunk Length: 500000
          Inspect Pipeline Requests: YES
          URI Discovery Strict Mode: NO
          Allow Proxy Usage: NO
          Disable Alerting: NO
          Oversize Dir Length: 500
          Only inspect URI: NO
          Ascii: YES alert: NO
          Double Decoding: YES alert: YES
          %U Encoding: YES alert: YES
          Bare Byte: YES alert: YES
          Base36: OFF
          UTF 8: OFF
          IIS Unicode: YES alert: YES
          Multiple Slash: YES alert: NO
          IIS Backslash: YES alert: NO
          Directory Traversal: YES alert: NO
          Web Root Traversal: YES alert: YES
          Apache WhiteSpace: YES alert: NO
          IIS Delimiter: YES alert: NO
          IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
          Non-RFC Compliant Characters: NONE
    rpc_decode arguments:
        Ports to decode RPC on: 111 32771
        alert_fragments: INACTIVE
        alert_large_fragments: ACTIVE
        alert_incomplete: ACTIVE
        alert_multiple_requests: ACTIVE
    telnet_decode arguments:
        Ports to decode telnet on: 21 23 25 119
    Portscan Detection Config:
        Detect Protocols:  TCP UDP ICMP IP
        Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
        Sensitivity Level: Low
        Memcap (in bytes): 10000000
        Number of Nodes:   36900

    ERROR: /opt/snort/etc/../rules(1) => NULL rule type
    Fatal Error, Quitting..
    #
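Both failures in this thread can be caught before Snort is started. The first error path, `/opt/snort/etc/../rules(1)`, shows that Snort resolved the include target to `$RULE_PATH` itself (the relative `../rules`, taken against the directory holding snort.conf) and tried to parse the rules directory as a rules file; the lines Spencer pasted have a space between `$RULE_PATH` and the file name, where the stock snort.conf uses `include $RULE_PATH/smtp.rules`. The `^M` on those same lines is the CRLF line ending that Windows Notepad writes, which is the "hidden tags" Will found around `var HOME_NET`. The POSIX shell checker below is an added example, not code from the thread or from the Snort project: its function names and the sample layout it constructs are its own, and it assumes the Snort 2.x include resolution just described.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a Snort 2.x
# snort.conf before starting in IDS mode. Function names and the sample
# layout built by make_sample_layout are this example's own.

# Number of lines carrying a carriage return: the ^M that a Windows editor
# leaves behind when it saves the file with CRLF line endings.
count_crlf_lines() {
    awk 'index($0, "\r") { n++ } END { print n + 0 }' "$1"
}

# Write a copy of $1 to $2 with every carriage return removed (the same
# effect as dos2unix).
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Check every "include" the way Snort 2.x resolves it: $RULE_PATH comes from
# the "var RULE_PATH ..." line, only the first token after "include" is the
# target, and a relative target is taken against the snort.conf directory.
# Prints OK / MISSING / NOT_A_FILE / EXTRA_ARGS per include and returns the
# number of problems found.
check_includes() {
    conf=$1
    conf_dir=$(dirname "$conf")
    awk -v dir="$conf_dir" '
        { sub(/\r$/, "") }                       # tolerate CRLF while reading
        /^[ \t]*var[ \t]+RULE_PATH[ \t]+/ { rp = $3 }
        /^[ \t]*include[ \t]+/ {
            target = $2
            gsub(/\$RULE_PATH/, rp, target)
            if (target !~ /^\//) target = dir "/" target
            # Anything after the first token is silently ignored by Snort,
            # which is how "include $RULE_PATH /opt/.../smtp.rules" ends up
            # including "../rules" (the directory) instead of a file.
            if (NF > 2) { print "EXTRA_ARGS line " NR ": " $0; bad++ }
            if (system("test -f \"" target "\"") == 0)
                print "OK " target
            else if (system("test -e \"" target "\"") == 0)
                { print "NOT_A_FILE " target; bad++ }
            else
                { print "MISSING " target; bad++ }
        }
        END { exit bad + 0 }
    ' "$conf"
}

# Constructed sample layout under $1, mirroring the thread's /opt/snort:
# etc/snort.conf saved with CRLF endings and one include in the broken
# "$RULE_PATH <space> file" form, plus a rules directory with one real file.
make_sample_layout() {
    mkdir -p "$1/etc" "$1/rules"
    printf 'alert tcp any any -> any 25 (msg:"sample"; sid:1000001; rev:1;)\n' \
        > "$1/rules/smtp.rules"
    printf 'var HOME_NET any\r\nvar RULE_PATH ../rules\r\ninclude $RULE_PATH /opt/snort/rules/smtp.rules\r\ninclude $RULE_PATH/smtp.rules\r\ninclude $RULE_PATH/pop3.rules\r\n' \
        > "$1/etc/snort.conf"
}

# Stand-alone demo against the constructed layout.
demo_dir=$(mktemp -d)
make_sample_layout "$demo_dir"
echo "CRLF lines in snort.conf: $(count_crlf_lines "$demo_dir/etc/snort.conf")"
strip_crlf "$demo_dir/etc/snort.conf" "$demo_dir/etc/snort.conf.unix"
problems=0
check_includes "$demo_dir/etc/snort.conf.unix" || problems=$?
echo "include problems: $problems"
rm -rf "$demo_dir"
```

On the constructed layout the checker reports one `EXTRA_ARGS` and one `NOT_A_FILE` for the broken line (the target is the `rules` directory), `OK` for `include $RULE_PATH/smtp.rules`, and `MISSING` for `pop3.rules`. After fixing the include form and running `strip_crlf`, confirm with Snort itself: `snort -T -c /opt/snort/etc/snort.conf` parses the configuration and exits without sniffing, so a clean `-T` run is the authoritative check before starting in IDS mode.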
Current thread:
- start snort in IDS mode Plantier, Spencer (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- <Possible follow-ups>
- RE: start snort in IDS mode Plantier, Spencer (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- RE: start snort in IDS mode Plantier, Spencer (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 10)
- RE: start snort in IDS mode William Fitzgerald (Feb 11)
- RE: start snort in IDS mode William Fitzgerald (Feb 11)
- RE: start snort in IDS mode Plantier, Spencer (Feb 11)
- RE: start snort in IDS mode William Fitzgerald (Feb 11)
- RE: start snort in IDS mode Alex Butcher, ISC/ISYS (Feb 16)