Netgate Discussion Forum
    Snort Now Auto Updates !!!

pfSense Packages
20 Posts 5 Posters 8.5k Views

A Former User:
;D ;D I tried to update Snort about 10 minutes ago and the auto update worked, so now it is working fine.

Davc:

Yes, I also can now update the Snort rules. However, it still won't do any blocking. :-[

g4m3c4ck:

I have a list of blocked IPs. Do you, and it still does not work?

A Former User:

@Davc:

Yes, I also can now update the Snort rules. However, it still won't do any blocking. :-[

Yes, mine does seem to be blocking IPs!!!!

A Former User:

@g4m3c4ck:

I have a list of blocked IPs. Do you, and it still does not work?

Yes, mine seems to be blocking IPs. There is an error at bootup, but it goes by too fast to read.

Davc:

That is a strange issue on my pfSense box. On the index page ("DashBox"), it shows the Snort package installation as: Services: Snort 2.8.4.1_5 pkg v. 1.7.

However, when I click through to the Snort Interface page, its title is: Services: Snort 2.8.4.1_5 pkg v. 1.6

I have downloaded the pfSense configuration file and checked; it is marked as Snort 2.8.4.1_5 pkg v. 1.7.

I tried reinstalling, and removing the package and installing it again. Same issue: I cannot block any IP or get any alert displayed in the interface.

Any suggestion, or a way to tell which version I am now running? Thanks.

A Former User:

@Davc:

That is a strange issue on my pfSense box. On the index page ("DashBox"), it shows the Snort package installation as: Services: Snort 2.8.4.1_5 pkg v. 1.7.

However, when I click through to the Snort Interface page, its title is: Services: Snort 2.8.4.1_5 pkg v. 1.6

I have downloaded the pfSense configuration file and checked; it is marked as Snort 2.8.4.1_5 pkg v. 1.7.

I tried reinstalling, and removing the package and installing it again. Same issue: I cannot block any IP or get any alert displayed in the interface.

Any suggestion, or a way to tell which version I am now running? Thanks.

I have the same thing!! Services: Snort 2.8.4.1_5 pkg v. 1.6. It did say Services: Snort 2.8.4.1_5 pkg v. 1.7 at one point a while ago.

jamesdean:

Don't worry about the version number; it's probably a typo.

                    James


Davc:

Dear James,

It is so nice to hear from you again on the forum.  :D

My Snort package does not get any alert messages, nor are there any blocked IPs. I have tried reinstalling, and removing and installing it again, without success.

I have now subscribed to the "Snort.org subscriber" rules, which lets me update without the need to wait for 15 minutes. But it is still no use in tackling the faulty Snort sensor.

Regards,

Davec

Davc:

Got Snort running and blocking now... yeah.  :D

There seem to be issues with the filter keyword rules in "SQL.rules" & "smtp.rules".  :-[

jamesdean:

Thanks for the nice words, Davc.

A new developer named Thompsa made major changes to the Snort repos, including the binaries, these past few weeks, so I will get back to you in a little bit.

I'm not saying it's his fault, just that I have to go through and see what he has done.

James

simby:

Welcome back, Jamesdean :)

I have a problem with the latest Snort version today, with this error, and it stops working (also a problem with emerging rules). Would you be so kind as to check, please :)

kernel: em1: promiscuous mode disabled
Mar 8 22:01:02 kernel: pid 1721 (snort), uid 1003: exited on signal 11
Mar 8 22:00:42 snort[1721]: Not Using PCAP_FRAMES
Mar 8 22:00:42 snort[1721]: Snort initialization completed successfully (pid=1721)
Mar 8 22:00:42 snort[1721]: --== Initialization Complete ==--
Mar 8 22:00:42 snort[1721]:
Mar 8 22:00:42 snort[1721]: +-------------------------------------------------
Mar 8 22:00:42 snort[1721]: | Transitions : 28.86M
Mar 8 22:00:42 snort[1721]: | Match Lists : 32.38M
Mar 8 22:00:42 snort[1721]: | Patterns : 11.29M
Mar 8 22:00:42 snort[1721]: | Memory : 72.74Mbytes
Mar 8 22:00:42 snort[1721]: | Num Match States : 537666
Mar 8 22:00:42 snort[1721]: | Num States : 2464276
Mar 8 22:00:42 snort[1721]: | Pattern Chars : 3648965
Mar 8 22:00:42 snort[1721]: | Patterns : 341433
Mar 8 22:00:42 snort[1721]: | Instances : 882
Mar 8 22:00:42 snort[1721]: +-[AC-BNFA Search Info Summary]------------------------------
Mar 8 22:00:42 snort[1721]: [ Port Based Pattern Matching Memory ]
Mar 8 22:00:42 snort[1721]:
Mar 8 22:00:24 snort[1721]: Decoding Ethernet on interface em1
Mar 8 22:00:24 snort[1721]: Writing PID "1721" to file "/var/run//snort_em10em1.pid"
Mar 8 22:00:24 snort[1721]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:00:24 snort[1721]: Checking PID path...
Mar 8 22:00:24 kernel: em1: promiscuous mode enabled
Mar 8 22:00:24 snort[1721]: Daemon initialized, signaled parent pid: 971
Mar 8 22:00:24 snort[971]: Daemon parent exiting
Mar 8 22:00:24 snort[971]: Initializing daemon mode

and with broken rules:

Mar 8 22:05:21 snort[3194]: Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
Mar 8 22:05:21 snort[3194]: Initializing rule chains...
Mar 8 22:05:21 snort[3194]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Mar 8 22:05:21 snort[3194]:
Mar 8 22:05:21 snort[3194]: Server side data is trusted
Mar 8 22:05:21 snort[3194]:
Mar 8 22:05:21 snort[3194]: 990 992 993 994 995
Mar 8 22:05:21 snort[3194]: 443 465 563 636 989
Mar 8 22:05:21 snort[3194]: Ports:
Mar 8 22:05:21 snort[3194]: Encrypted packets: not inspected
Mar 8 22:05:21 snort[3194]: SSLPP config:
Mar 8 22:05:21 snort[3194]:
Mar 8 22:05:21 snort[3194]: 53
Mar 8 22:05:21 snort[3194]: Ports:
Mar 8 22:05:21 snort[3194]: Experimental DNS RR Types Alert: INACTIVE
Mar 8 22:05:21 snort[3194]: Obsolete DNS RR Types Alert: INACTIVE
Mar 8 22:05:21 snort[3194]: DNS Client rdata txt Overflow Alert: ACTIVE
Mar 8 22:05:21 snort[3194]: DNS config:
Mar 8 22:05:21 snort[3194]: Maximum SMB command chaining: 3 commands
Mar 8 22:05:21 snort[3194]: RPC over HTTP proxy: None
Mar 8 22:05:21 snort[3194]: RPC over HTTP server: 1025-65535
Mar 8 22:05:21 snort[3194]: UDP: 1025-65535
Mar 8 22:05:21 snort[3194]: TCP: 1025-65535
Mar 8 22:05:21 snort[3194]: SMB: None
Mar 8 22:05:21 snort[3194]: Autodetect ports

Mar 8 22:08:30 kernel: em1: promiscuous mode disabled
Mar 8 22:08:30 kernel: pid 3609 (snort), uid 1003: exited on signal 11
Mar 8 22:08:30 snort[3609]: Not Using PCAP_FRAMES
Mar 8 22:08:30 snort[3609]: Snort initialization completed successfully (pid=3609)
Mar 8 22:08:30 snort[3609]: --== Initialization Complete ==--
Mar 8 22:08:30 snort[3609]:
Mar 8 22:08:30 snort[3609]: +-------------------------------------------------
Mar 8 22:08:30 snort[3609]: | Transitions : 31.68M
Mar 8 22:08:30 snort[3609]: | Match Lists : 34.18M
Mar 8 22:08:30 snort[3609]: | Patterns : 12.35M
Mar 8 22:08:30 snort[3609]: | Memory : 78.41Mbytes
Mar 8 22:08:30 snort[3609]: | Num Match States : 575415
Mar 8 22:08:30 snort[3609]: | Num States : 2712025
Mar 8 22:08:30 snort[3609]: | Pattern Chars : 4060599
Mar 8 22:08:30 snort[3609]: | Patterns : 370435
Mar 8 22:08:30 snort[3609]: | Instances : 881
Mar 8 22:08:30 snort[3609]: +-[AC-BNFA Search Info Summary]------------------------------
Mar 8 22:08:30 snort[3609]: [ Port Based Pattern Matching Memory ]
Mar 8 22:08:30 snort[3609]:
Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
Mar 8 22:08:10 barnyard2[3611]: Parsing config file "/usr/local/etc/snort/snort_0em1/barnyard2.conf"
Mar 8 22:08:10 barnyard2[3611]: Initializing Output Plugins!
Mar 8 22:08:10 barnyard2[3611]: Initializing Input Plugins!
Mar 8 22:08:10 barnyard2[3611]: --== Initializing Barnyard2 ==--
Mar 8 22:08:10 barnyard2[3611]:
Mar 8 22:08:10 barnyard2[3611]: Running in Continuous mode
Mar 8 22:08:10 barnyard2[3611]: ERROR: Unable to open Reference file '0em1' (No such file or directory)
Mar 8 22:08:10 snort[3609]: Decoding Ethernet on interface em1
Mar 8 22:08:10 snort[3609]: Writing PID "3609" to file "/var/run//snort_em10em1.pid"
Mar 8 22:08:10 snort[3609]: PID path stat checked out ok, PID path set to /var/run/
Mar 8 22:08:10 snort[3609]: Checking PID path...
Mar 8 22:08:10 kernel: em1: promiscuous mode enabled
Mar 8 22:08:10 snort[3609]: Daemon initialized, signaled parent pid: 3541
Mar 8 22:08:10 snort[3541]: Daemon parent exiting
Mar 8 22:08:10 snort[3541]: Initializing daemon mode
Mar 8 22:08:10 snort[3541]: Initializing Network Interface em1
Mar 8 22:08:10 snort[3541]: 460 out of 512 flowbits in use.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'csv.download' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.asf' is checked but not ever set.
Mar 8 22:08:10 kernel: em1: promiscuous mode disabled
Mar 8 22:08:10 kernel: em1: promiscuous mode enabled
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'visio.request' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.eps.download' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.wma' is set but not ever checked.

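The log above is hard to read as pasted: the forum export shows every syslog line twice and newest-first, and the two lines that actually matter (the kernel's "exited on signal 11" right after "initialization completed successfully", and barnyard2's "FATAL ERROR ... Unknown config directive: reference-map") are buried among flowbits warnings. The following is an added triage script, not code from the pfSense Snort package or from any poster; it assumes only the syslog line shapes visible in this thread and an assumed year of 2010 for the timestamps (the posted lines carry none). The sample log inside it is constructed from those shapes.

```python
"""Triage a pfSense/Snort syslog excerpt like the one posted above.

Added example, not part of the pfSense Snort package. Assumes the line shapes
seen in the post: "Mar 8 22:08:30 snort[3609]: ...", kernel lines without a
pid, and barnyard2 lines. The year is not in the log, so it is assumed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a few lines shaped like the post's log, newest first and
# with the exact-duplicate lines the forum export shows.
SAMPLE_LOG = """\
Mar 8 22:08:30 kernel: pid 3609 (snort), uid 1003: exited on signal 11
Mar 8 22:08:30 snort[3609]: Snort initialization completed successfully (pid=3609)
Mar 8 22:08:30 snort[3609]: Snort initialization completed successfully (pid=3609)
Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
Mar 8 22:08:10 barnyard2[3611]: FATAL ERROR: /usr/local/etc/snort/snort_0em1/barnyard2.conf(29) Unknown config directive: reference-map.
Mar 8 22:08:10 barnyard2[3611]: ERROR: Unable to open Reference file '0em1' (No such file or directory)
Mar 8 22:08:10 snort[3541]: 460 out of 512 flowbits in use.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'csv.download' is checked but not ever set.
Mar 8 22:08:10 snort[3541]: Warning: flowbits key 'http.wma' is set but not ever checked.
Mar 8 22:05:21 snort[3194]: Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)

# Conditions that mean the sensor is not actually running or not actually logging.
FATAL_PATTERNS = {
    "crash": re.compile(r"pid (\d+) \((\w+)\).*exited on signal (\d+)"),
    "fatal": re.compile(r"FATAL ERROR: (.*)"),
    "bpf": re.compile(r"Bpf compilation failed"),
    "refmap": re.compile(r"Unable to open Reference file '([^']*)'"),
}
# Noise worth counting but not acting on.
FLOWBITS_RE = re.compile(r"flowbits key '([^']+)' is (checked but not ever set|set but not ever checked)")
DEPRECATED_RE = re.compile(r"=> threshold \(in rule\) is deprecated")


def parse(text, year=2010):
    """Parse, drop exact duplicate lines, and return records oldest-first."""
    seen = set()
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw in seen:
            continue
        seen.add(raw)
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. a leading line whose timestamp was cut off
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]})
    # The export is newest-first, so reverse, then a stable sort by timestamp
    # keeps lines logged in the same second in their original order.
    records.reverse()
    records.sort(key=lambda r: r["ts"])
    return records


def triage(text):
    """Return what killed the sensor plus counts of the warning noise."""
    findings = {"fatal": [], "flowbits_unmatched": Counter(), "deprecated_threshold": 0}
    for r in parse(text):
        for kind, pat in FATAL_PATTERNS.items():
            m = pat.search(r["msg"])
            if m:
                findings["fatal"].append((kind, r["prog"], r["pid"], m.group(0)))
        m = FLOWBITS_RE.search(r["msg"])
        if m:
            findings["flowbits_unmatched"][m.group(2)] += 1
        if DEPRECATED_RE.search(r["msg"]):
            findings["deprecated_threshold"] += 1
    return findings


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for kind, prog, pid, what in f["fatal"]:
        print(f"[{kind}] {prog}[{pid}]: {what}")
    print("unmatched flowbits:", dict(f["flowbits_unmatched"]))
    print("rules using deprecated 'threshold':", f["deprecated_threshold"])
```

Run against the real export (paste it in place of the sample), the "fatal" list comes out in time order, which is the point: a barnyard2 config failure at 22:08:10 followed by a Snort SIGSEGV at 22:08:30 is a different bug from a rules problem, and the flowbits "checked but not ever set" warnings are normal for a partial rule set and can be ignored while chasing the crash.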
jamesdean:

The log post is not helping me out.

Please post the pfSense version and Snort version.

I need you to start Snort manually in the terminal. Please post the output of these commands.

ls /usr/local/etc/snort/

snort -c /usr/local/etc/snort/snort_whatever_interface_number_real/snort.conf -l /var/log/snort -D -i what_ever_name -q

P.S. I'll add code to make troubleshooting easier.

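The manual start jamesdean asks for is easy to get wrong by hand (the attempt later in this thread passes "- | /var/log/snort/" where "-l /var/log/snort" was meant, so the shell tries to execute the log directory as a command). The following is an added helper, not code from the pfSense Snort package or from jamesdean's post. It assumes the per-interface directory naming visible in this thread (/usr/local/etc/snort/snort_0em1 for interface em1, i.e. "snort_" + interface number + interface name) and the standard Snort 2.8 flags -c, -l, -i, -D, -q and -T (test the configuration and exit). The directory listing it is run on at the bottom is constructed.

```python
"""Build and run the manual Snort start-up for each pfSense interface directory.

Added example, not part of the pfSense Snort package. Assumes the directory
naming seen in this thread ("snort_" + interface number + interface name) and
the Snort 2.8 command-line flags -c -l -i -D -q and -T.
"""
import os
import re
import subprocess

SNORT_ETC = "/usr/local/etc/snort"
LOG_DIR = "/var/log/snort"
DIR_RE = re.compile(r"^snort_(?P<num>\d+)(?P<iface>[a-z]+\d+)$")


def iface_from_dir(name):
    """'snort_0em1' -> 'em1'. Raises ValueError for anything else."""
    m = DIR_RE.match(name)
    if not m:
        raise ValueError(f"not a per-interface snort directory: {name!r}")
    return m["iface"]


def list_instances(entries):
    """Given the names from `ls /usr/local/etc/snort/`, return [(dir, iface), ...]."""
    out = []
    for e in sorted(entries):
        try:
            out.append((e, iface_from_dir(e)))
        except ValueError:
            continue  # rules/, classification.config, templates, etc.
    return out


def snort_argv(conf_dir, iface, test_only=False, etc=SNORT_ETC, logdir=LOG_DIR):
    """argv for one Snort instance. With test_only, -T validates the config and
    exits; otherwise -D -q is the daemon form the package itself would launch."""
    argv = ["snort", "-c", os.path.join(etc, conf_dir, "snort.conf"),
            "-l", logdir, "-i", iface]
    argv += ["-T"] if test_only else ["-D", "-q"]
    return argv


def start_checked(conf_dir, iface, run=subprocess.run):
    """Run the config test first; launch the daemon only if it passed.
    Returns the test's exit status (0 = ok). `run` is injectable so the
    control flow can be exercised on a box without snort installed."""
    test = run(snort_argv(conf_dir, iface, test_only=True))
    if test.returncode != 0:
        return test.returncode
    run(snort_argv(conf_dir, iface))
    return 0


if __name__ == "__main__":
    # Constructed `ls` output shaped like the paths in this thread.
    listing = ["snort_0em1", "rules", "snort_1em0", "classification.config"]
    for d, i in list_instances(listing):
        print(" ".join(snort_argv(d, i, test_only=True)))
```

Running the -T form first, without -q, prints the same "Fatal Error, Quitting.." diagnostics (such as a failed BPF compile) to the terminal instead of losing them behind the daemon fork, which is what the manual start is for in the first place.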
simby:


*** interface device lookup found: em0

Initializing Network Interface em0
Decoding Ethernet on interface em0
                                [ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
                                | Instances        : 907
                                | Patterns        : 381151
                                | Pattern Chars    : 4171811
                                | Num States      : 2783753
                                | Num Match States : 591167
                                | Memory          :  80.36Mbytes
                                |  Patterns      :  12.70M
                                |  Match Lists    :  34.93M
                                |  Transitions    :  32.52M
                                +-------------------------------------------------

                                --== Initialization Complete ==--

   ,,_     -> Snort! <-
  o"  )~   Version 2.8.5.3 (Build 124)  FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 8.00 2009-10-19

           Built Date for Snort on Pfsense 1.2.3 is March 7 2010.
           Orion IPS Output Code Copyright (C) 2009-2010 Robert Zelaya.
           Using Snort.org dynamic plugins and Orion IPS source.
           Using MMX and 3DNOW.

Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 17>
Rules Object: web-misc  Version 1.0  <Build 1>
Rules Object: chat  Version 1.0  <Build 1>
Rules Object: dos  Version 1.0  <Build 1>
Rules Object: exploit  Version 1.0  <Build 1>
Rules Object: icmp  Version 1.0  <Build 1>
Rules Object: imap  Version 1.0  <Build 1>
Rules Object: misc  Version 1.0  <Build 1>
Rules Object: multimedia  Version 1.0  <Build 1>
Rules Object: netbios  Version 1.0  <Build 1>
Rules Object: nntp  Version 1.0  <Build 1>
Rules Object: p2p  Version 1.0  <Build 1>
Rules Object: smtp  Version 1.0  <Build 1>
Rules Object: sql  Version 1.0  <Build 1>
Rules Object: web-activex  Version 1.0  <Build 1>
Rules Object: web-client  Version 1.0  <Build 1>
Rules Object: web-iis  Version 1.0  <Build 1>
Rules Object: bad-traffic  Version 1.0  <Build 1>
Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
Not Using PCAP_FRAMES

                                
                                +-----------------------[suppression]------------------------------------------
                                | none
                                -------------------------------------------------------------------------------
                                Rule application order: activation->dynamic->pass->drop->alert->log
                                Encoded Rule Plugin SID: 13416, GID: 3 not registered properly.  Disabling this rule.
                                Verifying Preprocessor Configurations!
                                Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
                                Warning: flowbits key 'aiff_file.request' is set but not ever checked.
                                Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
                                Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
                                Warning: flowbits key 'http.eps.download' is checked but not ever set.
                                Warning: flowbits key 'http.pls.download' is set but not ever checked.
                                Warning: flowbits key 'csv.download' is checked but not ever set.
                                Warning: flowbits key 'http.asf' is checked but not ever set.
                                Warning: flowbits key 'works.download' is checked but not ever set.
                                Warning: flowbits key 'http.bmp' is checked but not ever set.
                                Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
                                Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
                                Warning: flowbits key 'download.pecompact.binary' is checked but not ever set.
                                Warning: flowbits key 'http.m3u.download' is set but not ever checked.
                                Warning: flowbits key 'wav_file.request' is set but not ever checked.
                                Warning: flowbits key 'excel.download' is set but not ever checked.
                                Warning: flowbits key 'visio.request' is checked but not ever set.
                                Warning: flowbits key 'caff_request' is set but not ever checked.
                                Warning: flowbits key 'irc.trojan' is set but not ever checked.
                                Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
                                Warning: flowbits key 'BS.SSL.Server.Hello.Done' is set but not ever checked.
                                Warning: flowbits key 'snipernet' is set but not ever checked.
                                Warning: flowbits key 'http.wma' is set but not ever checked.
                                Warning: flowbits key 'wmp.playlist.download' is checked but not ever set.
                                461 out of 512 flowbits in use.
                                ***
                                *** interface device lookup found: em0
                                ***
                                Initializing Network Interface em0
                                ERROR: Bpf compilation failed: syntax error.  PCAP filter: -.
                                Fatal Error, Quitting..
                                # reset
                                Erase is backspace.
                                # reset
                                cleErase is backspace.
                                # clear
                                # snort -c /usr/local/etc/snort/snort_0em1/snort.conf - | /var/log/snort/ -D izvoz.txt -q
                                /var/log/snort/: Permission denied.
                                Running in IDS mode
                                
                                        --== Initializing Snort ==--
                                Initializing Output Plugins!
                                Initializing Preprocessors!
                                Initializing Plug-ins!
                                Parsing Rules file "/usr/local/etc/snort/snort_0em1/snort.conf"
                                PortVar 'HTTP_PORTS' defined :  [ 80 ]
                                PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
                                PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
                                PortVar 'AUTH_PORTS' defined :  [ 113 ]
                                PortVar 'DNS_PORTS' defined :  [ 53 ]
                                PortVar 'FINGER_PORTS' defined :  [ 79 ]
                                PortVar 'FTP_PORTS' defined :  [ 21 ]
                                PortVar 'IMAP_PORTS' defined :  [ 143 ]
                                PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000 ]
                                PortVar 'MSSQL_PORTS' defined :  [ 1433 ]
                                PortVar 'NNTP_PORTS' defined :  [ 119 ]
                                PortVar 'POP2_PORTS' defined :  [ 109 ]
                                PortVar 'POP3_PORTS' defined :  [ 110 ]
                                PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779 ]
                                PortVar 'RLOGIN_PORTS' defined :  [ 513 ]
                                PortVar 'RSH_PORTS' defined :  [ 514 ]
                                PortVar 'SMB_PORTS' defined :  [ 139 445 ]
                                PortVar 'SMTP_PORTS' defined :  [ 25 ]
                                PortVar 'SNMP_PORTS' defined :  [ 161 ]
                                PortVar 'SSH_PORTS' defined :  [ 22 ]
                                PortVar 'TELNET_PORTS' defined :  [ 23 ]
                                PortVar 'MAIL_PORTS' defined :  [ 25 143 465 691 ]
                                PortVar 'SSL_PORTS' defined :  [ 25 443 465 636 993 995 ]
                                PortVar 'SIP_PROXY_PORTS' defined :  [ 5060:5090 16384:32768 ]
                                PortVar 'DCERPC_NCACN_IP_TCP' defined :  [ 139 445 ]
                                PortVar 'DCERPC_NCADG_IP_UDP' defined :  [ 138 1024:65535 ]
                                PortVar 'DCERPC_NCACN_IP_LONG' defined :  [ 135 139 445 593 1024:65535 ]
                                PortVar 'DCERPC_NCACN_UDP_LONG' defined :  [ 135 1024:65535 ]
                                PortVar 'DCERPC_NCACN_UDP_SHORT' defined :  [ 135 593 1024:65535 ]
                                PortVar 'DCERPC_NCACN_TCP' defined :  [ 2103 2105 2107 ]
                                PortVar 'DCERPC_BRIGHTSTORE' defined :  [ 6503:6504 ]
                                Detection:
                                   Search-Method = AC-BNFA-Q
                                Tagged Packet Limit: 256
                                Snort BPF option: -
                                Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so... done
                                Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/...
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//bad-traffic.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-iis.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-client.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-activex.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//sql.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//smtp.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//p2p.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//nntp.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//netbios.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//multimedia.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//misc.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//imap.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//icmp.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//exploit.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//dos.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//chat.so... done
                                  Loading dynamic detection library /usr/local/lib/snort/dynamicrules//web-misc.so... done
                                  Finished Loading all dynamic detection libs from /usr/local/lib/snort/dynamicrules/
                                Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/...
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so... done
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
                                  Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
                                  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
                                Log directory = /var/log/snort
                                Frag3 global config:
                                    Max frags: 8192
                                    Fragment memory cap: 4194304 bytes
                                Frag3 engine config:
                                    Target-based policy: BSD
                                    Fragment timeout: 60 seconds
                                    Fragment min_ttl:   1
                                    Fragment Problems: 1
                                    Overlap Limit:     0
                                    Min fragment Length:     0
                                Stream5 global config:
                                    Track TCP sessions: ACTIVE
                                    Max TCP sessions: 8192
                                    Memcap (for reassembly packet storage): 8388608
                                    Track UDP sessions: ACTIVE
                                    Max UDP sessions: 131072
                                    Track ICMP sessions: ACTIVE
                                    Max ICMP sessions: 65536
                                    Log info if session memory consumption exceeds 1048576
                                Stream5 TCP Policy config:
                                    Reassembly Policy: BSD
                                    Timeout: 30 seconds
                                    Min ttl:  1
                                    Maximum number of bytes to queue per session: 1048576
                                    Maximum number of segs to queue per session: 2621
                                    Options:
                                        Static Flushpoint Sizes: YES
                                    Reassembly Ports:
                                      0 client (Footprint) server (Footprint)
                                      1 client (Footprint) server (Footprint)
                                      2 client (Footprint) server (Footprint)
                                      3 client (Footprint) server (Footprint)
                                      4 client (Footprint) server (Footprint)
                                      5 client (Footprint) server (Footprint)
                                      6 client (Footprint) server (Footprint)
                                      7 client (Footprint) server (Footprint)
                                      8 client (Footprint) server (Footprint)
                                      9 client (Footprint) server (Footprint)
                                      10 client (Footprint) server (Footprint)
                                      11 client (Footprint) server (Footprint)
                                      12 client (Footprint) server (Footprint)
                                      13 client (Footprint) server (Footprint)
                                      14 client (Footprint) server (Footprint)
                                      15 client (Footprint) server (Footprint)
                                      16 client (Footprint) server (Footprint)
                                      17 client (Footprint) server (Footprint)
                                      18 client (Footprint) server (Footprint)
                                      19 client (Footprint) server (Footprint)
                                Stream5 UDP Policy config:
                                    Timeout: 30 seconds
                                Stream5 ICMP Policy config:
                                    Timeout: 30 seconds
                                PerfMonitor config:
                                    Time:           300 seconds
                                    Flow Stats:     INACTIVE
                                    Event Stats:    INACTIVE
                                    Max Perf Stats: INACTIVE
                                    Console Mode:   INACTIVE
                                    File Mode:      /var/log/snort/snort_0em1.stats
                                    SnortFile Mode: INACTIVE
                                    Packet Count:   10000
                                    Dump Summary:   No
                                    Max file size:  2147483648
                                HttpInspect Config:
                                    GLOBAL CONFIG
                                      Max Pipeline Requests:    0
                                      Inspection Type:          STATELESS
                                      Detect Proxy Usage:       NO
                                      IIS Unicode Map Filename: /usr/local/etc/snort/snort_0em1/unicode.map
                                      IIS Unicode Map Codepage: 1252
                                    DEFAULT SERVER CONFIG:
                                      Server profile: All
                                      Ports: 80 8080
                                      Server Flow Depth: 0
                                      Client Flow Depth: 300
                                      Max Chunk Length: 500000
                                      Max Header Field Length: 0
                                      Max Number Header Fields: 0
                                      Inspect Pipeline Requests: YES
                                      URI Discovery Strict Mode: NO
                                      Allow Proxy Usage: NO
                                      Disable Alerting: NO
                                      Oversize Dir Length: 0
                                      Only inspect URI: NO
                                      Normalize HTTP Headers: NO
                                      Normalize HTTP Cookies: NO
                                      Ascii: YES alert: NO
                                      Double Decoding: YES alert: YES
                                      %U Encoding: YES alert: YES
                                      Bare Byte: YES alert: YES
                                      Base36: OFF
                                      UTF 8: YES alert: NO
                                      IIS Unicode: YES alert: NO
                                      Multiple Slash: YES alert: NO
                                      IIS Backslash: YES alert: NO
                                      Directory Traversal: YES alert: NO
                                      Web Root Traversal: YES alert: YES
                                      Apache WhiteSpace: YES alert: NO
                                      IIS Delimiter: YES alert: NO
                                      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
                                      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
                                      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
                                rpc_decode arguments:
                                    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
                                    alert_fragments: INACTIVE
                                    alert_large_fragments: ACTIVE
                                    alert_incomplete: ACTIVE
                                    alert_multiple_requests: ACTIVE
                                Portscan Detection Config:
                                    Detect Protocols:  TCP UDP ICMP IP
                                    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
                                    Sensitivity Level: Medium
                                    Memcap (in bytes): 10000000
                                    Number of Nodes:   36900
                                    Ignore Scanner IP List:
                                        10.135.147.0 / 255.255.255.0
                                       my.wan.ip / 255.255.255.255
                                        my.gw.ip / 255.255.255.255
                                        193.2.1.66 / 255.255.255.255
                                        193.2.1.72 / 255.255.255.255
                                        127.0.0.1 / 255.255.255.255
                                FTPTelnet Config:
                                    GLOBAL CONFIG
                                      Inspection Type: stateless
                                      Check for Encrypted Traffic: OFF
                                      Continue to check encrypted data: NO
                                    TELNET CONFIG:
                                      Ports: 23
                                      Are You There Threshold: 200
                                      Normalize: YES
                                      Detect Anomalies: NO
                                    FTP CONFIG:
                                      FTP Server: default
                                        Ports: 21
                                        Check for Telnet Cmds: OFF
                                        Ignore Telnet Cmd Operations: OFF
                                        Identify open data channels: NO
                                      FTP Client: default
                                        Check for Bounce Attacks: YES alert: YES
                                        Check for Telnet Cmds: YES alert: YES
                                        Ignore Telnet Cmd Operations: OFF
                                        Max Response Length: 256
                                SMTP Config:
                                    Ports: 25 465 691
                                    Inspection Type: Stateful
                                    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XSTA XTRN XUSR PIPELINING CHUNKING DSN XQUEU
                                    Ignore Data: No
                                    Ignore TLS Data: No
                                    Ignore SMTP Alerts: No
                                    Max Command Line Length: Unlimited
                                    Max Specific Command Line Length:
                                       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
                                       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
                                       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
                                       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
                                       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
                                       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
                                       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
                                       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
                                       XLICENSE:246 X-LINK2STATE:246 XSTA:246 XTRN:246 XUSR:246
                                       PIPELINING:246 CHUNKING:246 DSN:246 XQUEU:246
                                    Max Header Line Length: 1000
                                    Max Response Line Length: 512
                                    X-Link2State Alert: Yes
                                    Drop on X-Link2State Alert: No
                                    Alert on commands: None
                                DCE/RPC 2 Preprocessor Configuration
                                  Global Configuration
                                    DCE/RPC Defragmentation: Enabled
                                    Memcap: 102400 KB
                                    Events: smb co cl
                                  Server Default Configuration
                                    Policy: WinXP
                                    Detect ports
                                      SMB: 139 445
                                      TCP: 135
                                      UDP: 135
                                      RPC over HTTP server: 593
                                      RPC over HTTP proxy: None
                                    Autodetect ports
                                      SMB: None
                                      TCP: 1025-65535
                                      UDP: 1025-65535
                                      RPC over HTTP server: 1025-65535
                                      RPC over HTTP proxy: None
                                    Maximum SMB command chaining: 3 commands
                                DNS config:
                                    DNS Client rdata txt Overflow Alert: ACTIVE
                                    Obsolete DNS RR Types Alert: INACTIVE
                                    Experimental DNS RR Types Alert: INACTIVE
                                    Ports: 53
                                SSLPP config:
                                    Encrypted packets: not inspected
                                    Ports:
                                      443      465      563      636      989
                                      990      992      993      994      995
                                    Server side data is trusted
                                
                                +++++++++++++++++++++++++++++++++++++++++++++++++++
                                Initializing rule chains...
                                Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
                                
                                | gen-id=1      sig-id=2406150    type=Limit     tracking=src count=1   seconds=60
                                | gen-id=1      sig-id=12295      type=Limit     tracking=src count=1   seconds=300
                                | gen-id=1      sig-id=2500058    type=Limit     tracking=src count=1   seconds=60
                                | gen-id=1      sig-id=6192       type=Limit     tracking=src count=1   seconds=300
                                | gen-id=1      sig-id=6365       type=Limit     tracking=src count=1   seconds=600
                                | gen-id=1      sig-id=2406647    type=Limit     tracking=src count=1   seconds=60
                                | gen-id=1      sig-id=2406181    type=Limit     tracking=src count=1   seconds=60
                                | gen-id=1      sig-id=2500167    type=Limit     tracking=src count=1   seconds=60
                                | gen-id=1      sig-id=2500056    type=Limit     tracking=src count=1   seconds=60
                                | gen-id=1      sig-id=8073       type=Limit     tracking=src count=1   seconds=300
                                | gen-id=3      sig-id=15851      type=Both      tracking=dst count=12  seconds=1  
                                | gen-id=3      sig-id=15474      type=Threshold tracking=src count=50  seconds=10
                                | gen-id=3      sig-id=15912      type=Threshold tracking=src count=200 seconds=30
                                | gen-id=3      sig-id=15522      type=Threshold tracking=dst count=200 seconds=30
                                +-----------------------[suppression]------------------------------------------
                                | none
                                -------------------------------------------------------------------------------
                                Rule application order: activation->dynamic->pass->drop->alert->log
                                Encoded Rule Plugin SID: 13416, GID: 3 not registered properly.  Disabling this rule.
                                Verifying Preprocessor Configurations!
                                Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
                                Warning: flowbits key 'BS.SSL.Server.Hello.Done' is set but not ever checked.
                                Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
                                Warning: flowbits key 'http.eps.download' is checked but not ever set.
                                Warning: flowbits key 'irc.trojan' is set but not ever checked.
                                Warning: flowbits key 'Backdoor.Bersek.Init' is set but not ever checked.
                                Warning: flowbits key 'http.wma' is set but not ever checked.
                                Warning: flowbits key 'download.pecompact.binary' is checked but not ever set.
                                Warning: flowbits key 'PtakkS_Keepalive' is set but not ever checked.
                                Warning: flowbits key 'http.bmp' is checked but not ever set.
                                Warning: flowbits key 'wav_file.request' is set but not ever checked.
                                Warning: flowbits key 'Netspy_Command_Pattern' is set but not ever checked.
                                Warning: flowbits key 'realmedia_file.request' is set but not ever checked.
                                Warning: flowbits key 'wmp.playlist.download' is checked but not ever set.
                                Warning: flowbits key 'visio.request' is checked but not ever set.
                                Warning: flowbits key 'http.m3u.download' is set but not ever checked.
                                Warning: flowbits key 'excel.download' is set but not ever checked.
                                Warning: flowbits key 'aiff_file.request' is set but not ever checked.
                                Warning: flowbits key 'http.pls.download' is set but not ever checked.
                                Warning: flowbits key 'snipernet' is set but not ever checked.
                                Warning: flowbits key 'csv.download' is checked but not ever set.
                                Warning: flowbits key 'http.asf' is checked but not ever set.
                                Warning: flowbits key 'caff_request' is set but not ever checked.
                                Warning: flowbits key 'works.download' is checked but not ever set.
                                461 out of 512 flowbits in use.
                                ***
                                *** interface device lookup found: em0
                                ***
                                Initializing Network Interface em0
                                ERROR: Bpf compilation failed: syntax error.  PCAP filter: -.
                                Fatal Error, Quitting..
                                #
                                #
                                # 
                                

                                Is this OK? :)

                                P.S.: the (green) link to start Snort on the interface status page is not working / Firefox 3.6 ;)

                                1 Reply Last reply Reply Quote 0
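The transcript above ends with Snort quitting before it ever opened em0: the bare `-` on the command line was consumed as the BPF filter expression and failed to compile. As an added example for this thread (not code from Snort or from the pfSense Snort package), here is a small triage script that pulls the actionable lines out of a Snort 2.x startup log of that shape: the fatal BPF error, the shared-object rule that was disabled, the deprecated in-rule `threshold` option, and the flowbits warnings. The message formats are assumed to be the ones Snort 2.8 prints, as seen in the post; `SAMPLE_LOG` is constructed to mirror that output, not copied from a live box.

```python
"""Triage a Snort 2.x startup transcript.

Added example for this thread, not code from Snort or the pfSense Snort package.
Assumes the message formats Snort 2.8 prints (the ones visible in the posted log).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input, abbreviated from the shape of the posted transcript.
SAMPLE_LOG = """\
Parsing Rules file "/usr/local/etc/snort/snort_0em1/snort.conf"
Warning: /usr/local/etc/snort/snort_0em1/rules/emerging-attack_response.rules(37) => threshold (in rule) is deprecated; use detection_filter instead.
Encoded Rule Plugin SID: 13416, GID: 3 not registered properly.  Disabling this rule.
Warning: flowbits key 'http.pls.download' is set but not ever checked.
Warning: flowbits key 'csv.download' is checked but not ever set.
Warning: flowbits key 'irc.trojan' is set but not ever checked.
461 out of 512 flowbits in use.
Initializing Network Interface em0
ERROR: Bpf compilation failed: syntax error.  PCAP filter: -.
Fatal Error, Quitting..
"""

FLOWBITS_RE = re.compile(
    r"^Warning: flowbits key '([^']+)' is (set but not ever checked|checked but not ever set)\.$")
FLOWBITS_USAGE_RE = re.compile(r"^(\d+) out of (\d+) flowbits in use\.$")
DEPRECATED_RE = re.compile(r"^Warning: (\S+)\((\d+)\) => (.+?) is deprecated; use (\S+) instead\.$")
DISABLED_RULE_RE = re.compile(
    r"^Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly\.\s+Disabling this rule\.$")
BPF_RE = re.compile(r"^ERROR: Bpf compilation failed: (.+?)\.\s+PCAP filter: (.*)\.$")
FATAL_RE = re.compile(r"^Fatal Error, Quitting\.\.$")


@dataclass
class StartupReport:
    fatal: bool = False
    bpf_error: Optional[Tuple[str, str]] = None                        # (reason, filter text)
    disabled_rules: List[Tuple[int, int]] = field(default_factory=list)  # (gid, sid)
    deprecated: List[Tuple[str, int, str, str]] = field(default_factory=list)  # (file, line, old, new)
    flowbits_set_unchecked: List[str] = field(default_factory=list)
    flowbits_checked_unset: List[str] = field(default_factory=list)
    flowbits_used: Optional[int] = None
    flowbits_max: Optional[int] = None


def parse_startup_log(text: str) -> StartupReport:
    """Walk the transcript line by line and collect the actionable messages."""
    rep = StartupReport()
    for raw in text.splitlines():
        line = raw.strip()  # the pasted log carries heavy indentation
        if m := FLOWBITS_RE.match(line):
            bucket = rep.flowbits_set_unchecked if m.group(2).startswith("set") else rep.flowbits_checked_unset
            bucket.append(m.group(1))
        elif m := FLOWBITS_USAGE_RE.match(line):
            rep.flowbits_used, rep.flowbits_max = int(m.group(1)), int(m.group(2))
        elif m := DEPRECATED_RE.match(line):
            rep.deprecated.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := DISABLED_RULE_RE.match(line):
            rep.disabled_rules.append((int(m.group(2)), int(m.group(1))))  # store as (gid, sid)
        elif m := BPF_RE.match(line):
            rep.bpf_error = (m.group(1), m.group(2))
        elif FATAL_RE.match(line):
            rep.fatal = True
    return rep


def started_ok(rep: StartupReport) -> bool:
    return not rep.fatal and rep.bpf_error is None


def triage(rep: StartupReport) -> List[str]:
    """Turn the parsed report into findings, most severe first."""
    out: List[str] = []
    if rep.bpf_error:
        reason, flt = rep.bpf_error
        out.append(f"FATAL: BPF filter {flt!r} failed to compile ({reason}); Snort treats leftover "
                   f"command-line tokens as the BPF expression, so look for a stray argument")
    elif rep.fatal:
        out.append("FATAL: Snort quit during startup; see the ERROR line before it")
    for gid, sid in rep.disabled_rules:
        out.append(f"RULE DISABLED: GID {gid} SID {sid} has a stub but no loaded shared-object "
                   f"implementation, so that signature is silently inactive")
    for path, lineno, old, new in rep.deprecated:
        out.append(f"DEPRECATED: {path}:{lineno} uses '{old}'; rewrite it with '{new}'")
    if rep.flowbits_checked_unset:
        out.append(f"DEAD RULES: flowbits checked but never set ({', '.join(rep.flowbits_checked_unset)}); "
                   f"rules gated on them can never fire, so the setting rules are probably disabled")
    if rep.flowbits_set_unchecked:
        out.append(f"UNUSED: {len(rep.flowbits_set_unchecked)} flowbits set but never checked; "
                   f"harmless, but each still occupies a flowbit slot")
    if rep.flowbits_used is not None and rep.flowbits_max:
        pct = 100 * rep.flowbits_used // rep.flowbits_max
        if pct >= 90:
            out.append(f"CAPACITY: {rep.flowbits_used}/{rep.flowbits_max} flowbits in use ({pct}%); "
                       f"enabling more rule categories may exhaust the pool")
    return out


if __name__ == "__main__":
    report = parse_startup_log(SAMPLE_LOG)
    print("started:", started_ok(report))
    for finding in triage(report):
        print(" -", finding)
```

Run it over the full console output from the post (paste it into a file and read it in place of `SAMPLE_LOG`) and the first finding is the one that matters: nothing after the BPF error is a Snort problem, it is a command-line problem. The flowbits lines are useful separately: "checked but never set" means a rule category that sets the bit is not loaded, so the rules that depend on it are dead weight.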
                                • J
                                  jamesdean
                                  last edited by

                                  I have to rebuild the snort-dev binaries tonight.
                                  There seems to be a bug because I compiled with MMX and 3DNOW code.

                                  P.S. Snort is only crashing when using so.rules on my end.

                                  Try to reinstall tomorrow morning.

                                  Sorry
                                  James

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    simby
                                    last edited by

                                    THANKS!!!!

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      simby
                                      last edited by

                                      Snort is now OK,… but no log and no IP blocking ;)

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        simby
                                        last edited by

                                        I think when a user pings my IP, I can't see the blocked IP in the Snort log. Before, it was working.

                                        I have also tried a grc.com scan,… no blocked IP.

                                        There are currently no items being blocked by snort.

                                        Will Snort now only drop this packet?

                                        1 Reply Last reply Reply Quote 0
                                        • J
                                          jamesdean
                                          last edited by

                                          Should be working now.

                                          One of the pfSense devs removed the blocking option for some reason.

                                          James

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            simby
                                            last edited by

                                            It's alive ;D

                                            Thanks snort master :)

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.