So your command line would be:
/usr/local/bin/snort -i rl0 -c /usr/local/etc/snort/snort.conf
FYI.
J
On Tue, Dec 19, 2006 at 04:46:46PM -0500, it looks like Todd Wease sent me:
> FRANCIS PROVENCHER wrote:
> > For a more complete log, it looks like this;
> >
> >
> >
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'lo0_ADDRESS' defined,
> > value len = 19 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = 127.0.0.0/255.0.0.0
> > Dec 19 16:12:12 portableBS snort[28402]: Parsing Rules file
> > /usr/local/etc/snort/snort.conf
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'HOME_NET' defined, value
> > len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'EXTERNAL_NET' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'DNS_SERVERS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'SMTP_SERVERS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'HTTP_SERVERS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'SQL_SERVERS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'TELNET_SERVERS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'SNMP_SERVERS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = any
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'HTTP_PORTS' defined,
> > value len = 2 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = 80
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'SHELLCODE_PORTS' defined,
> > value len = 3 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = !80
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'ORACLE_PORTS' defined,
> > value len = 4 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value = 1521
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'AIM_SERVERS' defined,
> > value len = 185 chars
> > Dec 19 16:12:12 portableBS snort[28402]:
> > Dec 19 16:12:12 portableBS snort[28402]:
> > [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188
> > .3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
> > Dec 19 16:12:12 portableBS snort[28402]:
> > .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> > Dec 19 16:12:12 portableBS snort[28402]: Var 'RULE_PATH' defined, value
> > len = 27 chars
> > Dec 19 16:12:12 portableBS snort[28402]: , value =
> > /usr/local/etc/snort/rules/
> > Dec 19 16:12:12 portableBS snort[28402]: ,-----------[Flow
> > Config]----------------------
> > Dec 19 16:12:12 portableBS snort[28402]: | Stats Interval: 0
> > Dec 19 16:12:12 portableBS snort[28402]: | Hash Method: 2
> > Dec 19 16:12:12 portableBS snort[28402]: | Memcap: 10485760
> > Dec 19 16:12:12 portableBS snort[28402]: | Rows : 4099
> > Dec 19 16:12:12 portableBS snort[28402]: | Overhead Bytes:
> > 16400(%0.16)
> > Dec 19 16:12:12 portableBS snort[28402]:
> > `----------------------------------------------
> > Dec 19 16:12:12 portableBS snort[28402]: Frag3 global config:
> > Dec 19 16:12:12 portableBS snort[28402]: Max frags: 65536
> > Dec 19 16:12:12 portableBS snort[28402]: Fragment memory cap:
> > 4194304 bytes
> > Dec 19 16:12:12 portableBS snort[28402]: Frag3 engine config:
> > Dec 19 16:12:12 portableBS snort[28402]: Target-based policy:
> > FIRST
> > Dec 19 16:12:12 portableBS snort[28402]: Fragment timeout: 60
> > seconds
> > Dec 19 16:12:12 portableBS snort[28402]: Fragment min_ttl: 1
> > Dec 19 16:12:12 portableBS snort[28402]: Fragment ttl_limit: 5
> > Dec 19 16:12:12 portableBS snort[28402]: Fragment Problems: 1
> > Dec 19 16:12:12 portableBS snort[28402]: Bound Addresses:
> > 0.0.0.0/0.0.0.0
> > Dec 19 16:12:12 portableBS snort[28402]: Stream4 config:
> > Dec 19 16:12:12 portableBS snort[28402]: Stateful inspection:
> > ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Session statistics:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Session timeout: 30
> > seconds
> > Dec 19 16:12:12 portableBS snort[28402]: Session memory cap:
> > 8388608 bytes
> > Dec 19 16:12:12 portableBS snort[28402]: Session count max: 8192
> > sessions
> > Dec 19 16:12:12 portableBS snort[28402]: Session cleanup count: 5
> > Dec 19 16:12:12 portableBS snort[28402]: State alerts: INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Evasion alerts: INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Scan alerts: INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Log Flushed Streams:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: MinTTL: 1
> > Dec 19 16:12:12 portableBS snort[28402]: TTL Limit: 5
> > Dec 19 16:12:12 portableBS snort[28402]: Async Link: 0
> > Dec 19 16:12:12 portableBS snort[28402]: State Protection: 0
> > Dec 19 16:12:12 portableBS snort[28402]: Self preservation
> > threshold: 50
> > Dec 19 16:12:12 portableBS snort[28402]: Self preservation period:
> > 90
> > Dec 19 16:12:12 portableBS snort[28402]: Suspend threshold: 200
> > Dec 19 16:12:12 portableBS snort[28402]: Suspend period: 30
> > Dec 19 16:12:12 portableBS snort[28402]: Enforce TCP State:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Midstream Drop Alerts:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Allow Blocking of TCP
> > Sessions in Inline: ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Server Data Inspection
> > Limit: -1
> > Dec 19 16:12:12 portableBS snort[28402]: WARNING
> > /usr/local/etc/snort/snort.conf(408) => flush_behavior set in config
> > file, using old static flushpoints (0)
> > Dec 19 16:12:12 portableBS snort[28402]: Stream4_reassemble config:
> > Dec 19 16:12:12 portableBS snort[28402]: Server reassembly:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Client reassembly: ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Reassembler alerts:
> > ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Zero out flushed packets:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Flush stream on alert:
> > INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: flush_data_diff_size: 500
> > Dec 19 16:12:12 portableBS snort[28402]: Reassembler Packet
> > Preferance : Favor Old
> > Dec 19 16:12:12 portableBS snort[28402]: Packet Sequence Overlap
> > Limit: -1
> > Dec 19 16:12:12 portableBS snort[28402]: Flush behavior: Small
> > (<255 bytes)
> > Dec 19 16:12:12 portableBS snort[28402]: Ports: 21 23 25 42 53 80
> > 110 111 135 136 137 139 143 445 513 1433 1521 3306
> > Dec 19 16:12:12 portableBS snort[28402]: Emergency Ports: 21 23 25
> > 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
> > 3306
> > Dec 19 16:12:12 portableBS snort[28402]: HttpInspect Config:
> > Dec 19 16:12:12 portableBS snort[28402]: GLOBAL CONFIG
> > Dec 19 16:12:12 portableBS snort[28402]: Max Pipeline Requests:
> > 0
> > Dec 19 16:12:12 portableBS snort[28402]: Inspection Type:
> > STATELESS
> > Dec 19 16:12:12 portableBS snort[28402]: Detect Proxy Usage:
> > NO
> > Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode Map
> > Filename: /usr/local/etc/snort/unicode.map
> > Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode Map
> > Codepage: 1252
> > Dec 19 16:12:12 portableBS snort[28402]: DEFAULT SERVER CONFIG:
> > Dec 19 16:12:12 portableBS snort[28402]: Server profile: All
> > Dec 19 16:12:12 portableBS snort[28402]: Ports: 80 8080 8180
> > Dec 19 16:12:12 portableBS snort[28402]: Flow Depth: 300
> > Dec 19 16:12:12 portableBS snort[28402]: Max Chunk Length:
> > 500000
> > Dec 19 16:12:12 portableBS snort[28402]: Inspect Pipeline
> > Requests: YES
> > Dec 19 16:12:12 portableBS snort[28402]: URI Discovery Strict
> > Mode: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Allow Proxy Usage: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Disable Alerting: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Oversize Dir Length:
> > 500
> > Dec 19 16:12:12 portableBS snort[28402]: Only inspect URI: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Ascii: YES alert: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Double Decoding: YES
> > alert: YES
> > Dec 19 16:12:12 portableBS snort[28402]: %U Encoding:
> > YES alert:
> > YES
> > Dec 19 16:12:12 portableBS snort[28402]: Bare Byte: YES alert:
> > YES
> > Dec 19 16:12:12 portableBS snort[28402]: Base36: OFF
> > Dec 19 16:12:12 portableBS snort[28402]: UTF 8: OFF
> > Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode: YES alert:
> > YES
> > Dec 19 16:12:12 portableBS snort[28402]: Multiple Slash: YES
> > alert: NO
> > Dec 19 16:12:12 portableBS snort[28402]: IIS Backslash: YES
> > alert: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Directory Traversal: YES
> > alert: NO
> > Dec 19 16:12:12 portableBS snort[28402]: Web Root Traversal: YES
> > alert: YES
> > Dec 19 16:12:12 portableBS snort[28402]: Apache WhiteSpace: YES
> > alert: NO
> > Dec 19 16:12:12 portableBS snort[28402]: IIS Delimiter: YES
> > alert: NO
> > Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode Map: GLOBAL
> > IIS UNICODE MAP CONFIG
> > Dec 19 16:12:12 portableBS snort[28402]: Non-RFC Compliant
> > Characters: NONE
> > Dec 19 16:12:12 portableBS snort[28402]: Whitespace Characters:
> > 0x09 0x0b 0x0c 0x0d
> > Dec 19 16:12:12 portableBS snort[28402]: rpc_decode arguments:
> > Dec 19 16:12:12 portableBS snort[28402]: Ports to decode RPC on:
> > 111 32771
> > Dec 19 16:12:12 portableBS snort[28402]: alert_fragments: INACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: alert_large_fragments:
> > ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: alert_incomplete: ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: alert_multiple_requests:
> > ACTIVE
> > Dec 19 16:12:12 portableBS snort[28402]: Portscan Detection Config:
> > Dec 19 16:12:12 portableBS snort[28402]: Detect Protocols: TCP UDP
> > ICMP IP
> > Dec 19 16:12:12 portableBS snort[28402]: Detect Scan Type:
> > portscan portsweep decoy_portscan distributed_portscan
> > Dec 19 16:12:12 portableBS snort[28402]: Sensitivity Level: Low
> > Dec 19 16:12:12 portableBS snort[28402]: Memcap (in bytes):
> > 10000000
> > Dec 19 16:12:12 portableBS snort[28402]: Number of Nodes: 36900
> > Dec 19 16:12:12 portableBS snort[28402]:
> > Dec 19 16:12:13 portableBS snort[28402]: Tagged Packet Limit: 256
> > Dec 19 16:12:13 portableBS snort[28402]:
> > Dec 19 16:12:13 portableBS snort[28402]:
> > +-----------------------[thresholding-config]----------------------------------
> > Dec 19 16:12:13 portableBS snort[28402]: | memory-cap : 1048576 bytes
> > Dec 19 16:12:13 portableBS snort[28402]:
> > +-----------------------[thresholding-global]----------------------------------
> > Dec 19 16:12:13 portableBS snort[28402]: | none
> > Dec 19 16:12:13 portableBS snort[28402]:
> > +-----------------------[thresholding-local]-----------------------------------
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3152
> > type=Threshold tracking=src count=5 seconds=2
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7760
> > type=Limit tracking=src count=1 seconds=600
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6127
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7801
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7706
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6128
> > type=Limit tracking=src count=1 seconds=600
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7649
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7758
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7669
> > type=Limit tracking=src count=1 seconds=120
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7646
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7068
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7759
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=5322
> > type=Limit tracking=src count=1 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7069
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7118
> > type=Limit tracking=src count=1 seconds=600
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7712
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=5321
> > type=Limit tracking=src count=1 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3542
> > type=Threshold tracking=src count=5 seconds=2
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2924
> > type=Threshold tracking=dst count=10 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7655
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7711
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6336
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7861
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2275
> > type=Threshold tracking=dst count=5 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7613
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7074
> > type=Limit tracking=src count=1 seconds=600
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2923
> > type=Threshold tracking=dst count=10 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6146
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6176
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6176
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7642
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6322
> > type=Limit tracking=src count=1 seconds=3000
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7802
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6398
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7727
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6321
> > type=Limit tracking=src count=1 seconds=3000
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=4984
> > type=Threshold tracking=src count=5 seconds=2
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=8477
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6122
> > type=Limit tracking=src count=1 seconds=600
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7647
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3543
> > type=Threshold tracking=src count=5 seconds=2
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7624
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=5323
> > type=Limit tracking=src count=1 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2523
> > type=Both tracking=dst count=10 seconds=10
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=8549
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7691
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7732
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7034
> > type=Limit tracking=src count=1 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3273
> > type=Threshold tracking=src count=5 seconds=2
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7739
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7033
> > type=Limit tracking=src count=1 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6174
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6290
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3527
> > type=Limit tracking=dst count=5 seconds=60
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6107
> > type=Limit tracking=src count=1 seconds=600
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6324
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7822
> > type=Limit tracking=src count=1 seconds=300
> > Dec 19 16:12:13 portableBS snort[28402]:
> > +-----------------------[suppression]------------------------------------------
> > Dec 19 16:12:13 portableBS snort[28402]: | none
> > Dec 19 16:12:13 portableBS snort[28402]:
> > -------------------------------------------------------------------------------
> > Dec 19 16:12:13 portableBS snort[28402]: Rule application order:
> > ->activation->dynamic->pass->drop->alert->log
> > Dec 19 16:12:13 portableBS snort[28402]: Log directory =
> > /var/log/snort
> > Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic engine
> > /usr/local/lib/snort/dynamicengine/libsf_engine.so...
> > Dec 19 16:12:13 portableBS snort[28402]: done
> > Dec 19 16:12:13 portableBS snort[28402]: Loading all dynamic
> > preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
> > ...
> > Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor
> > library /usr/local/lib/snort/dynamicpreprocessor//lib
> > sf_ftptelnet_preproc.so...
> > Dec 19 16:12:13 portableBS snort[28402]: done
> > Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor
> > library /usr/local/lib/snort/dynamicpreprocessor//lib
> > sf_smtp_preproc.so...
> > Dec 19 16:12:13 portableBS snort[28402]: done
> > Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor
> > library /usr/local/lib/snort/dynamicpreprocessor//lib
> > sf_ssh_preproc.so...
> > Dec 19 16:12:13 portableBS snort[28402]: done
> > Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor
> > library /usr/local/lib/snort/dynamicpreprocessor//lib
> > sf_dcerpc_preproc.so...
> > Dec 19 16:12:13 portableBS snort[28402]: done
> > Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor
> > library /usr/local/lib/snort/dynamicpreprocessor//lib
> > sf_dns_preproc.so...
> > Dec 19 16:12:13 portableBS snort[28402]: done
> > Dec 19 16:12:13 portableBS snort[28402]: Finished Loading all dynamic
> > preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
> > Dec 19 16:12:13 portableBS snort[28402]: FTPTelnet Config:
> > Dec 19 16:12:13 portableBS snort[28402]: GLOBAL CONFIG
> > Dec 19 16:12:13 portableBS snort[28402]: Inspection Type:
> > stateful
> > Dec 19 16:12:13 portableBS snort[28402]: Check for Encrypted
> > Traffic: YES alert: YES
> > Dec 19 16:12:13 portableBS snort[28402]: Continue to check
> > encrypted data: NO
> > Dec 19 16:12:13 portableBS snort[28402]: TELNET CONFIG:
> > Dec 19 16:12:13 portableBS snort[28402]: Ports: 23
> > Dec 19 16:12:13 portableBS snort[28402]: Are You There Threshold:
> > 200
> > Dec 19 16:12:13 portableBS snort[28402]: Normalize: YES
> > Dec 19 16:12:13 portableBS snort[28402]: Detect Anomalies: NO
> > Dec 19 16:12:13 portableBS snort[28402]: FTP CONFIG:
> > Dec 19 16:12:13 portableBS snort[28402]: FTP Server: default
> > Dec 19 16:12:13 portableBS snort[28402]: Ports: 21
> > Dec 19 16:12:13 portableBS snort[28402]: Check for Telnet Cmds:
> > YES alert: YES
> > Dec 19 16:12:13 portableBS snort[28402]: Identify open data
> > channels: YES
> > Dec 19 16:12:13 portableBS snort[28402]: FTP Client: default
> > Dec 19 16:12:13 portableBS snort[28402]: Check for Bounce
> > Attacks: YES alert: YES
> > Dec 19 16:12:13 portableBS snort[28402]: Check for Telnet Cmds:
> > YES alert: YES
> > Dec 19 16:12:13 portableBS snort[28402]: Max Response Length:
> > 256
> > Dec 19 16:12:13 portableBS snort[28402]: SMTP Config:
> > Dec 19 16:12:13 portableBS snort[28402]: Ports:
> > Dec 19 16:12:13 portableBS snort[28402]: 25
> > Dec 19 16:12:13 portableBS snort[28402]:
> > Dec 19 16:12:13 portableBS snort[28402]: Inspection Type:
> > STATEFUL
> > Dec 19 16:12:13 portableBS snort[28402]: Normalize Spaces:
> > YES
> > Dec 19 16:12:13 portableBS snort[28402]: Ignore Data:
> > NO
> > Dec 19 16:12:13 portableBS snort[28402]: Ignore TLS Data:
> > NO
> > Dec 19 16:12:13 portableBS snort[28402]: Ignore Alerts:
> > NO
> > Dec 19 16:12:13 portableBS snort[28402]: Max Command Length:
> > 0
> > Dec 19 16:12:13 portableBS snort[28402]: Max Header Line Length:
> > 0
> > Dec 19 16:12:13 portableBS snort[28402]: Max Response Line
> > Length: 0
> > Dec 19 16:12:13 portableBS snort[28402]: X-Link2State Alert:
> > YES
> > Dec 19 16:12:13 portableBS snort[28402]: Drop on X-Link2State
> > Alert: NO
> > Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> > 'dce.bind.netware_cs' is checked but not ever set.
> > Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> > 'dce.isystemactivator.bind' is checked but not ever set.
> > Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> > 'dce.bind.veritas' is set but not ever checked.
> > Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> > 'realplayer.playlist' is checked but not ever set.
> > Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> > 'ms_sql_seen_dns' is checked but not ever set.
> > Dec 19 16:12:13 portableBS snort[28402]: 248 out of 512 flowbits in
> > use.
> > Dec 19 16:12:13 portableBS snort[28402]: *** *** interface device
> > lookup found: rl0 ***
> > Dec 19 16:12:13 portableBS snort[28402]: Initializing daemon mode
> > Dec 19 16:12:13 portableBS snort[28403]: PID path stat checked out ok,
> > PID path set to /var/run/
> > Dec 19 16:12:13 portableBS snort[28403]: Writing PID "28403" to file
> > "/var/run//snort_rl0.pid"
> > Dec 19 16:12:13 portableBS snort[28402]: Daemon parent exiting
> > Dec 19 16:12:13 portableBS snort[28403]: Daemon initialized, signaled
> > parent pid: 28402
> >
> >
> >
> > If I launch the command like this, for example;
> >
> >
> > /usr/local/bin/snort -i rl0 /usr/local/etc/snort/snort.conf
> >
> > I receive this error message;
> > .....
> > Verifying Preprocessor Configurations!
> > Warning: flowbits key 'dce.bind.netware_cs' is checked but not ever
> > set.
> > Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> > Warning: flowbits key 'realplayer.playlist' is checked but not ever
> > set.
> > Warning: flowbits key 'dce.isystemactivator.bind' is checked but not
> > ever set.
> > Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> > 248 out of 512 flowbits in use.
> >
> > Initializing Network Interface rl0
> > ERROR: OpenPcap() FSM compilation failed:
> > syntax error
> > PCAP command: /usr/local/etc/snort/snort.conf
> > Fatal Error, Quitting..
> >
> >
>
>
> In the above command line you forgot to use the -c switch with the
> config file so Snort was trying to compile a bpf filter with the config
> path.
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
+---------------------------------------------------------------------+
joel esler senior security consultant 1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
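The failure in the thread comes from Snort's argument handling: whatever is left over after the options are parsed is handed to libpcap as a BPF filter expression, so a config path without `-c` is "compiled" as a filter and Snort quits with the FSM syntax error shown above. The following pre-flight check is an added example written for this page, not code from the thread or from the Snort project; it wraps the command line, refuses to proceed when no `-c` config is present or when a positional argument looks like a file path, and the list of value-taking options it recognises is an assumption limited to a subset of Snort's switches.

```shell
# Pre-flight check for a Snort command line (added example, not from the
# thread or the Snort project). Snort passes any leftover positional
# arguments to libpcap as a BPF filter expression, so a config path given
# without -c is compiled as a filter and fails with
# "OpenPcap() FSM compilation failed: syntax error".
# Returns 0 when -c <config> is present and readable and no positional
# argument looks like a file; otherwise prints the reason and returns 1.
# Usage: snort_args_check /usr/local/bin/snort -i rl0 -c /usr/local/etc/snort/snort.conf

snort_args_check() {
    conf=""
    bad=0
    shift                     # drop the snort binary itself
    while [ $# -gt 0 ]; do
        case "$1" in
            -c)
                if [ $# -lt 2 ]; then
                    echo "snort_args_check: -c needs a config file" >&2
                    return 1
                fi
                conf="$2"
                shift 2 ;;
            # Subset of Snort options that take a value (assumed for this example).
            -i|-l|-r|-h|-A|-u|-g|-F|-k|-n|-m|-P|-S|-G)
                if [ $# -lt 2 ]; then
                    echo "snort_args_check: $1 needs a value" >&2
                    return 1
                fi
                shift 2 ;;
            -*)
                shift ;;      # flag without a value, e.g. -D, -v, -q
            *)
                # Positional argument: Snort hands it to libpcap as a BPF filter.
                # An existing file or a *.conf name here is almost certainly a
                # config path that lost its -c.
                if [ -f "$1" ] || [ "${1%.conf}" != "$1" ]; then
                    echo "snort_args_check: '$1' would be compiled as a BPF filter; missing -c?" >&2
                    bad=1
                fi
                shift ;;
        esac
    done
    if [ -z "$conf" ]; then
        echo "snort_args_check: no -c <config> given" >&2
        bad=1
    elif [ ! -r "$conf" ]; then
        echo "snort_args_check: config '$conf' is not readable" >&2
        bad=1
    fi
    return $bad
}
```

A genuine filter such as `not port 22` still passes as a positional argument, since it is neither an existing file nor a `*.conf` name; only the mistake from the thread (a config path in filter position) is rejected.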