Snort Now Auto Updates !!!
-
Got the Snort running and blocking now…yeah. :D
There seem to be issues with the filter keyword rules in "SQL.rules" & "smtp.rules". :-[
-
Thanks for the nice words, Davc.
A new developer named Thompsa made major changes to the snort repos, including binaries, these past few weeks, so I will get back to you in a little bit.
I'm not saying it's his fault, just that I have to go through and see what he has done.
James
-
WB Jamesdean :)
I have a problem with the latest Snort version today: it gives this error and stops working (also a problem with emergenc). Will you be so nice as to check, please :)
kernel: em1: promiscuous mode disabled
Mar 8 22:01:02 kernel: pid 1721 (snort), uid 1003: exited on signal 11
Mar 8 22:00:42 snort[1721]: Not Using PCAP_FRAMES
Mar 8 22:00:42 snort[1721]: Snort initialization completed successfully (pid=1721)
Mar 8 22:00:42 snort[1721]: --== Initialization Complete ==--
Mar 8 22:00:42 snort[1721]:
Mar 8 22:00:42 snort[1721]: +-------------------------------------------------
Mar 8 22:00:42 snort[1721]: | Transitions : 28.86M
Mar 8 22:00:42 snort[1721]: | Match Lists : 32.38M
Mar 8 22:00:42 snort[1721]: | Patterns : 11.29M
Mar 8 22:00:42 snort[1721]: | Memory : 72.74Mbytes
Mar 8 22:00:42 snort[1721]: | Num Match States : 537666
Mar 8 22:00:42 snort[1721]: | Num States : 2464276
Mar 8 22:00:42 snort[1721]: | Pattern Chars : 3648965
Mar 8 22:00:42 snort[1721]: | Patterns : 341433
Mar 8 22:00:42 snort[1721]: | Instances : 882
Mar 8 22:00:42 snort[1721]: +-[AC-BNFA Search Info Summary]------------------------------
Mar 8 22:00:42 snort[1721]: [ Port Based Pattern Matching Memory ]
Mar 8 22:00:42 snort[1721]:
Mar 8 22:00:24 snort[1721]: Decoding Ethernet on interface em1
Mar 8 22:00:24 snort[1721]: Writing PID "1721" to file "/var/run//snort_em10em1.pid"
Mar 8 22:00:24 snort[1721]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:00:24 snort[1721]: Checking PID path...
Mar 8 22:00:24 kernel: em1: promiscuous mode enabled
Mar 8 22:00:24 snort[1721]: Daemon initialized, signaled parent pid: 971
Mar 8 22:00:24 snort[971]: Daemon parent exiting
Mar 8 22:00:24 snort[971]: Initializing daemon mode

and with broken rules:

Mar 8 22:05:21 snort[3194]: Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
Mar 8 22:05:21 snort[3194]: Initializing rule chains...
Mar 8 22:05:21 snort[3194]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Mar 8 22:05:21 snort[3194]:
Mar 8 22:05:21 snort[3194]: Server side data is trusted
Mar 8 22:05:21 snort[3194]:
Mar 8 22:05:21 snort[3194]: 990 992 993 994 995
Mar 8 22:05:21 snort[3194]: 443 465 563 636 989
Mar 8 22:05:21 snort[3194]: Ports:
Mar 8 22:05:21 snort[3194]: Encrypted packets: not inspected
Mar 8 22:05:21 snort[3194]: SSLPP config:
Mar 8 22:05:21 snort[3194]:
Mar 8 22:05:21 snort[3194]: 53
Mar 8 22:05:21 snort[3194]: Ports:
Mar 8 22:05:21 snort[3194]: Experimental DNS RR Types Alert: INACTIVE
Mar 8 22:05:21 snort[3194]: Obsolete DNS RR Types Alert: INACTIVE
Mar 8 22:05:21 snort[3194]: DNS Client rdata txt Overflow Alert: ACTIVE
Mar 8 22:05:21 snort[3194]: DNS config:
Mar 8 22:05:21 snort[3194]: Maximum SMB command chaining: 3 commands
Mar 8 22:05:21 snort[3194]: RPC over HTTP proxy: None
Mar 8 22:05:21 snort[3194]: RPC over HTTP server: 1025-65535
Mar 8 22:05:21 snort[3194]: UDP: 1025-65535
Mar 8 22:05:21 snort[3194]: TCP: 1025-65535
Mar 8 22:05:21 snort[3194]: SMB: None
Mar 8 22:05:21 snort[3194]: Autodetect ports

Mar 8 22:08:30 kernel: em1: promiscuous mode disabled
Mar 8 22:08:30 kernel: pid 3609 (snort), uid 1003: exited on signal 11
Mar 8 22:08:30 snort[3609]: Not Using PCAP_FRAMES
Mar 8 22:08:30 snort[3609]: Snort initialization completed successfully (pid=3609)
Mar 8 22:08:30 snort[3609]: --== Initialization Complete ==--
Mar 8 22:08:30 snort[3609]:
Mar 8 22:08:30 snort[3609]: +-------------------------------------------------
Mar 8 22:08:30 snort[3609]: | Transitions : 31.68M
Mar 8 22:08:30 snort[3609]: | Match Lists : 34.18M
Mar 8 22:08:30 snort[3609]: | Patterns : 12.35M
Mar 8 22:08:30 snort[3609]: | Memory : 78.41Mbytes
Mar 8 22:08:30 snort[3609]: | Num Match States : 575415
Mar 8 22:08:30 snort[3609]: | Num States : 2712025
Mar 8 22:08:30 snort[3609]: | Pattern Chars : 4060599
Mar 8 22:08:30 snort[3609]: | Patterns : 370435
Mar 8 22:08:30 snort[3609]: | Instances : 881
Mar 8 22:08:30 snort[3609]: +-[AC-BNFA Search Info Summary]------------------------------
Mar 8 22:08:30 snort[3609]: [ Port Based Pattern Matching Memory ]
Mar 8 22:08:30 snort[3609]:
Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
Mar 8 22:08:10 barnyard2[3611]: Parsing config file "/usr/local/etc/snort/snort_0em1/barnyard2.conf"
Mar 8 22:08:10 barnyard2[3611]: Initializing Output Plugins!
Mar 8 22:08:10 barnyard2[3611]: Initializing Input Plugins!
Mar 8 22:08:10 barnyard2[3611]: --== Initializing Barnyard2 ==--
Mar 8 22:08:10 barnyard2[3611]:
Mar 8 22:08:10 barnyard2[3611]: Running in Continuous mode
Mar 8 22:08:10 barnyard2[3611]: ERROR: Unable to open Reference file '0em1' (No such file or directory)
Mar 8 22:08:10 snort[3609]: Decoding Ethernet on interface em1
Mar 8 22:08:10 snort[3609]: Writing PID "3609" to file "/var/run//snort_em10em1.pid"
Mar 8 22:08:10 snort[3609]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:08:10 snort[3609]: Checking PID path...
Mar 8 22:08:10 kernel: em1: promiscuous mode enabled
Mar 8 22:08:10 snort[3609]: Daemon initialized, signaled parent pid: 3541
Mar 8 22:08:10 snort[3541]: Daemon parent exiting
Mar 8 22:08:10 snort[3541]: Initializing daemon mode
Mar 8 22:08:10 snort[3541]: Initializing Network Interface em1
Mar 8 22:08:10 snort[3541]: 460 out of 512 flowbits in use.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'csv.download' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.asf' is checked but not ever set.
Mar 8 22:08:10 kernel: em1: promiscuous mode disabled
Mar 8 22:08:10 kernel: em1: promiscuous mode enabled
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'visio.request' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.eps.download' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.wma' is set but not ever checked.
-
The log post is not helping me out.
Please post pfsense version and snort version.
I need you to start snort manually in the terminal. Please post the output of these commands.
ls /usr/local/etc/snort/
snort -c /usr/local/etc/snort/snort_whatever_interface_number_real/snort.conf -l /var/log/snort -D -i what_ever_name -q
P.S. I'll add code to make troubleshooting easier.
-
*** interface device lookup found: em0
Initializing Network Interface em0
Decoding Ethernet on interface em0
re
[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 907
| Patterns : 381151
| Pattern Chars : 4171811
| Num States : 2783753
| Num Match States : 591167
| Memory : 80.36Mbytes
| Patterns : 12.70M
| Match Lists : 34.93M
| Transitions : 32.52M
+-------------------------------------------------
--== Initialization Complete ==--
,,_ -> Snort! <-
o" )~ Version 2.8.5.3 (Build 124) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 8.00 2009-10-19
___ Built Date for Snort on Pfsense 1.2.3 is March 7 2010.
/ f \ Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
/ p _/Sense
_/ \ Using Snort.org dynamic plugins and Orion IPS source.
__/ Using MMX and 3DNOW.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.12 <Build 17>
Rules Object: web-misc Version 1.0 <Build 1>
Rules Object: chat Version 1.0 <Build 1>
Rules Object: dos Version 1.0 <Build 1>
Rules Object: exploit Version 1.0 <Build 1>
Rules Object: icmp Version 1.0 <Build 1>
Rules Object: imap Version 1.0 <Build 1>
Rules Object: misc Version 1.0 <Build 1>
Rules Object: multimedia Version 1.0 <Build 1>
Rules Object: netbios Version 1.0 <Build 1>
Rules Object: nntp Version 1.0 <Build 1>
Rules Object: p2p Version 1.0 <Build 1>
Rules Object: smtp Version 1.0 <Build 1>
Rules Object: sql Version 1.0 <Build 1>
Rules Object: web-activex Version 1.0 <Build 1>
Rules Object: web-client Version 1.0 <Build 1>
Rules Object: web-iis Version 1.0 <Build 1>
Rules Object: bad-traffic Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 3>
Preprocessor Object: SF_SSH Version 1.1 <Build 2>
Preprocessor Object: SF_SMTP Version 1.1 <Build 8>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 12>
Preprocessor Object: SF_DNS Version 1.1 <Build 3>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 2>
Preprocessor Object: SF_DCERPC Version 1.1 <Build 5>
Not Using PCAP_FRAMES
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Encoded Rule Plugin SID: 13416, GID: 3 not registered properly. Disabling this rule.
Verifying Preprocessor Configurations!
Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
Warning: flowbits key 'aiff_file.request' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
Warning: flowbits key 'http.eps.download' is checked but not ever set.
Warning: flowbits key 'http.pls.download' is set but not ever checked.
Warning: flowbits key 'csv.download' is checked but not ever set.
Warning: flowbits key 'http.asf' is checked but not ever set.
Warning: flowbits key 'works.download' is checked but not ever set.
Warning: flowbits key 'http.bmp' is checked but not ever set.
Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
Warning: flowbits key 'download.pecompact.binary' is checked but not ever set.
Warning: flowbits key 'http.m3u.download' is set but not ever checked.
Warning: flowbits key 'wav_file.request' is set but not ever checked.
Warning: flowbits key 'excel.download' is set but not ever checked.
Warning: flowbits key 'visio.request' is checked but not ever set.
Warning: flowbits key 'caff_request' is set but not ever checked.
Warning: flowbits key 'irc.trojan' is set but not ever checked.
Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
Warning: flowbits key 'BS.SSL.Server.Hello.Done' is set but not ever checked.
Warning: flowbits key 'snipernet' is set but not ever checked.
Warning: flowbits key 'http.wma' is set but not ever checked.
Warning: flowbits key 'wmp.playlist.download' is checked but not ever set.
461 out of 512 flowbits in use.
***
*** interface device lookup found: em0
***
Initializing Network Interface em0
ERROR: Bpf compilation failed: syntax error. PCAP filter: -.
Fatal Error, Quitting..
# reset
Erase is backspace.
# reset cleErase is backspace.
# clear
# snort -c /usr/local/etc/snort/snort_0em1/snort.conf - | /var/log/snort/ -D izvoz.txt -q
/var/log/snort/: Permission denied.
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort_0em1/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
PortVar 'AUTH_PORTS' defined : [ 113 ]
PortVar 'DNS_PORTS' defined : [ 53 ]
PortVar 'FINGER_PORTS' defined : [ 79 ]
PortVar 'FTP_PORTS' defined : [ 21 ]
PortVar 'IMAP_PORTS' defined : [ 143 ]
PortVar 'IRC_PORTS' defined : [ 6665:6669 7000 ]
PortVar 'MSSQL_PORTS' defined : [ 1433 ]
PortVar 'NNTP_PORTS' defined : [ 119 ]
PortVar 'POP2_PORTS' defined : [ 109 ]
PortVar 'POP3_PORTS' defined : [ 110 ]
PortVar 'SUNRPC_PORTS' defined : [ 111 32770:32779 ]
PortVar 'RLOGIN_PORTS' defined : [ 513 ]
PortVar 'RSH_PORTS' defined : [ 514 ]
PortVar 'SMB_PORTS' defined : [ 139 445 ]
PortVar 'SMTP_PORTS' defined : [ 25 ]
PortVar 'SNMP_PORTS' defined : [ 161 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'TELNET_PORTS' defined : [ 23 ]
PortVar 'MAIL_PORTS' defined : [ 25 143 465 691 ]
PortVar 'SSL_PORTS' defined : [ 25 443 465 636 993 995 ]
PortVar 'SIP_PROXY_PORTS' defined : [ 5060:5090 16384:32768 ]
PortVar 'DCERPC_NCACN_IP_TCP' defined : [ 139 445 ]
PortVar 'DCERPC_NCADG_IP_UDP' defined : [ 138 1024:65535 ]
PortVar 'DCERPC_NCACN_IP_LONG' defined : [ 135 139 445 593 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_LONG' defined : [ 135 1024:65535 ]
PortVar 'DCERPC_NCACN_UDP_SHORT' defined : [ 135 593 1024:65535 ]
PortVar 'DCERPC_NCACN_TCP' defined : [ 2103 2105 2107 ]
PortVar 'DCERPC_BRIGHTSTORE' defined : [ 6503:6504 ]
Detection:
Search-Method = AC-BNFA-Q
Tagged Packet Limit: 256
Snort BPF option: -
Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/...
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-iis.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-client.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-activex.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//sql.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//smtp.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//p2p.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//nntp.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//netbios.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//multimedia.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//misc.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//imap.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//icmp.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//exploit.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//dos.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//chat.so... done
Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so... done
Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
Log directory = /var/log/snort
Frag3 global config:
Max frags: 8192
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: BSD
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment Problems: 1
Overlap Limit: 0
Min fragment Length: 0
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: ACTIVE
Max UDP sessions: 131072
Track ICMP sessions: ACTIVE
Max ICMP sessions: 65536
Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
Reassembly Policy: BSD
Timeout: 30 seconds
Min ttl: 1
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Options:
Static Flushpoint Sizes: YES
Reassembly Ports:
0 client (Footprint) server (Footprint)
1 client (Footprint) server (Footprint)
2 client (Footprint) server (Footprint)
3 client (Footprint) server (Footprint)
4 client (Footprint) server (Footprint)
5 client (Footprint) server (Footprint)
6 client (Footprint) server (Footprint)
7 client (Footprint) server (Footprint)
8 client (Footprint) server (Footprint)
9 client (Footprint) server (Footprint)
10 client (Footprint) server (Footprint)
11 client (Footprint) server (Footprint)
12 client (Footprint) server (Footprint)
13 client (Footprint) server (Footprint)
14 client (Footprint) server (Footprint)
15 client (Footprint) server (Footprint)
16 client (Footprint) server (Footprint)
17 client (Footprint) server (Footprint)
18 client (Footprint) server (Footprint)
19 client (Footprint) server (Footprint)
Stream5 UDP Policy config:
Timeout: 30 seconds
Stream5 ICMP Policy config:
Timeout: 30 seconds
PerfMonitor config:
Time: 300 seconds
Flow Stats: INACTIVE
Event Stats: INACTIVE
Max Perf Stats: INACTIVE
Console Mode: INACTIVE
File Mode: /var/log/snort/snort_0em1.stats
SnortFile Mode: INACTIVE
Packet Count: 10000
Dump Summary: No
Max file size: 2147483648
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /usr/local/etc/snort/snort_0em1/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080
Server Flow Depth: 0
Client Flow Depth: 300
Max Chunk Length: 500000
Max Header Field Length: 0
Max Number Header Fields: 0
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 0
Only inspect URI: NO
Normalize HTTP Headers: NO
Normalize HTTP Cookies: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: YES alert: NO
IIS Unicode: YES alert: NO
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Medium
Memcap (in bytes): 10000000
Number of Nodes: 36900
Ignore Scanner IP List:
10.135.147.0 / 255.255.255.0
my.wan.ip / 255.255.255.255
my.gw.ip / 255.255.255.255
193.2.1.66 / 255.255.255.255
193.2.1.72 / 255.255.255.255
127.0.0.1 / 255.255.255.255
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateless
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: OFF
Ignore Telnet Cmd Operations: OFF
Identify open data channels: NO
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Ignore Telnet Cmd Operations: OFF
Max Response Length: 256
SMTP Config:
Ports: 25 465 691
Inspection Type: Stateful
Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XSTA XTRN XUSR PIPELINING CHUNKING DSN XQUEU
Ignore Data: No
Ignore TLS Data: No
Ignore SMTP Alerts: No
Max Command Line Length: Unlimited
Max Specific Command Line Length: ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 XLICENSE:246 X-LINK2STATE:246 XSTA:246 XTRN:246 XUSR:246 PIPELINING:246 CHUNKING:246 DSN:246 XQUEU:246
Max Header Line Length: 1000
Max Response Line Length: 512
X-Link2State Alert: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
DCE/RPC 2 Preprocessor Configuration
Global Configuration
DCE/RPC Defragmentation: Enabled
Memcap: 102400 KB
Events: smb co cl
Server Default Configuration
Policy: WinXP
Detect ports
SMB: 139 445
TCP: 135
UDP: 135
RPC over HTTP server: 593
RPC over HTTP proxy: None
Autodetect ports
SMB: None
TCP: 1025-65535
UDP: 1025-65535
RPC over HTTP server: 1025-65535
RPC over HTTP proxy: None
Maximum SMB command chaining: 3 commands
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
SSLPP config:
Encrypted packets: not inspected
Ports: 443 465 563 636 989 990 992 993 994 995
Server side data is trusted
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
| gen-id=1 sig-id=2406150 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=12295 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=2500058 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=6192 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=6365 type=Limit tracking=src count=1 seconds=600
| gen-id=1 sig-id=2406647 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2406181 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2500167 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2500056 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=8073 type=Limit tracking=src count=1 seconds=300
| gen-id=3 sig-id=15851 type=Both tracking=dst count=12 seconds=1
| gen-id=3 sig-id=15474 type=Threshold tracking=src count=50 seconds=10
| gen-id=3 sig-id=15912 type=Threshold tracking=src count=200 seconds=30
| gen-id=3 sig-id=15522 type=Threshold tracking=dst count=200 seconds=30
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Encoded Rule Plugin SID: 13416, GID: 3 not registered properly. Disabling this rule.
Verifying Preprocessor Configurations!
Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
Warning: flowbits key 'BS.SSL.Server.Hello.Done' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'http.eps.download' is checked but not ever set.
Warning: flowbits key 'irc.trojan' is set but not ever checked.
Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
Warning: flowbits key 'http.wma' is set but not ever checked.
Warning: flowbits key 'download.pecompact.binary' is checked but not ever set.
Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
Warning: flowbits key 'http.bmp' is checked but not ever set.
Warning: flowbits key 'wav_file.request' is set but not ever checked.
Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
Warning: flowbits key 'wmp.playlist.download' is checked but not ever set.
Warning: flowbits key 'visio.request' is checked but not ever set.
Warning: flowbits key 'http.m3u.download' is set but not ever checked.
Warning: flowbits key 'excel.download' is set but not ever checked.
Warning: flowbits key 'aiff_file.request' is set but not ever checked.
Warning: flowbits key 'http.pls.download' is set but not ever checked.
Warning: flowbits key 'snipernet' is set but not ever checked.
Warning: flowbits key 'csv.download' is checked but not ever set.
Warning: flowbits key 'http.asf' is checked but not ever set.
Warning: flowbits key 'caff_request' is set but not ever checked.
Warning: flowbits key 'works.download' is checked but not ever set.
461 out of 512 flowbits in use.
***
*** interface device lookup found: em0
***
Initializing Network Interface em0
ERROR: Bpf compilation failed: syntax error. PCAP filter: -.
Fatal Error, Quitting..
#
#
#
Is this OK? :)
p.s.: link (green) to start snort on interface status is not working / firefox 3.6 ;)
-
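Editor's note on the output above: Snort hands every non-option argument to libpcap as the BPF filter (hence "Snort BPF option: -" and "PCAP filter: -."), and the shell read the `|` as a pipe and tried to execute /var/log/snort/ (hence "Permission denied"). The script below is an added example, not code from this thread or from the pfSense Snort package: a small triage helper that reads Snort/barnyard2 start-up lines and flags the failure patterns seen in this thread; the sample lines are constructed from the messages quoted above.

```shell
#!/bin/sh
# Added triage helper (editor's example, not part of this thread or the pfSense Snort package).
# Reads Snort / barnyard2 start-up lines on stdin and prints one "CODE<TAB>detail" line per
# known failure pattern, so the cause can be spotted without reading the whole dump.

# Constructed sample: one line of each kind, taken from the messages quoted in this thread.
sample_log() {
  cat <<'EOF'
Mar 8 22:01:02 kernel: pid 1721 (snort), uid 1003: exited on signal 11
Mar 8 22:05:21 snort[3194]: Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
Mar 8 22:08:10 barnyard2[3611]: ERROR: Unable to open Reference file '0em1' (No such file or directory)
Mar 8 22:08:10 snort[3609]: Snort initialization completed successfully (pid=3609)
ERROR: Bpf compilation failed: syntax error. PCAP filter: -.
/var/log/snort/: Permission denied.
EOF
}

# snort_triage: classify each input line; lines matching no known pattern are ignored.
snort_triage() {
  while IFS= read -r line; do
    case "$line" in
      *"exited on signal 11"*)
        # Kernel notice for a segfault of the snort process; the PID is taken from the line.
        pid=$(printf '%s\n' "$line" | sed -n 's/.*pid \([0-9]*\) (snort).*/\1/p')
        printf 'CRASH\tsnort pid %s exited on SIGSEGV; check which rule set was enabled last\n' "$pid" ;;
      *"Bpf compilation failed"*)
        # Snort passes every non-option argument to libpcap as the BPF filter; show what it got.
        filt=$(printf '%s\n' "$line" | sed -n 's/.*PCAP filter: \(.*\)\.$/\1/p')
        printf 'BPF\tinvalid pcap filter "%s" on the command line\n' "$filt" ;;
      *"FATAL ERROR:"*)
        # "file(line) message" form used by the snort and barnyard2 config parsers.
        loc=$(printf '%s\n' "$line" | sed -n 's/.*FATAL ERROR: \([^ ]*([0-9]*)\).*/\1/p')
        printf 'FATAL\t%s: %s\n' "$loc" "${line##*) }" ;;
      *"Unable to open Reference file"*)
        printf 'MISSING\t%s\n' "${line#*ERROR: }" ;;
      *"Permission denied"*)
        # Shell error, not a Snort message: the path before the colon was executed or written to.
        printf 'PERM\t%s\n' "${line%%: Permission denied*}" ;;
      *"is deprecated;"*)
        printf 'DEPRECATED\t%s\n' "${line#*Warning: }" ;;
      *"initialization completed successfully"*)
        printf 'OK\t%s\n' "${line#*: }" ;;
    esac
  done
}

# count_findings CODE: number of triage lines carrying that code for the sample (used by the test).
count_findings() {
  sample_log | snort_triage | awk -F "$(printf '\t')" -v code="$1" '$1 == code { n++ } END { print n + 0 }'
}

# Stand-alone run: triage the constructed sample. Replace sample_log with
# "tail -200 /var/log/system.log" (or the console output of a manual start) for real use.
sample_log | snort_triage
```
-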
I have to rebuild the snort-dev binaries tonight.
There seems to be a bug because I compiled with MMX and 3DNOW code.
P.S. Snort is only crashing when using so.rules on my end.
Try to reinstall tomorrow morning.
Sorry
James
-
THANKS!!!!
-
Snort is now OK... but no log and no blocked IP ;)
-
I think when a user pings my IP, I can't see the blocked IP in the snort log. Before, it was working.
I have also tried with a grc.com scan... no blocked IP.
There are currently no items being blocked by snort.
Will snort now only drop this packet?
-
Should be working now.
One of the pfSense devs removed the blocking option for some reason.
James
-
it's alive ;D
Thanks snort master :)