From: Ihab el B. <iha...@ho...> - 2010-01-15 08:54:23
Hi,
Have you configured your snort_inline.conf file correctly? Try to check the MySQL database itself (containing rows ...).
Also try to except the exploit.rules from the config file and give it a try then, and don't forget to send the packet stream to the queue, e.g. (iptables -A FORWARD -p all -j QUEUE).
Best regards
Ihab El Bakri
Date: Fri, 15 Jan 2010 10:44:36 +0200
From: mug...@gm...
To: sno...@li...
Subject: [Snort-inline-users] Help
Hi;
This is my first time running snort-inline. It looks like I successfully
installed snort-inline, but when I start it I'm getting the following message. It is saying
that no process was found.
What am I missing?
charles@ips:~$ sudo /etc/init.d/snort_inlined restart
snort_inline: no process found
Removing iptables rules:
Starting ip_queue module:
Starting iptables rules:
Starting snort_inline:
Reading from iptables
Initializing Inline mode
Also, when I run this command "snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables" I'm getting the following output with
two errors. What is wrong with my snort-inline? Can anyone help?
charles@ips:~$ sudo snort_inline -Q -v -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): No
        Sliding Windowsize (window_size): 7000 (max full conn: 1198)
        Memcap reached method (truncate): Prune
        Truncate percentage (truncate_percentage): 33
        DROP out-of-window packets (drop_out_of_window): No
        DROP data on unestablised session state (drop_data_on_unest): No
        DROP no tcp-flags on establised packets (drop_no_tcp_on_est): No
        DROP packet not within session limits (drop_not_in_limits): No
        DROP ttl evasion (drop_ttl_evasion): No
    Store/Load state from/to disk: No
WARNING /etc/snort_inline/snort_inline.conf(299) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snortuser
database: password is set
database: database name = snort
database: host = localhost
Interface is NULL. Name may not be unique for the host
Node unique name is: unknown:(null)
database: sensor name = unknown:(null)
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
ERROR: Warning: /etc/snort_inline/rules/exploit.rules(24) => Unknown keyword ' metadata' in rule!
Fatal Error, Quitting..
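The fatal error above is a rule-parsing failure: the ruleset uses an option keyword (`metadata`) that this snort_inline build does not understand, so the whole start-up aborts. Rather than dropping exploit.rules entirely, a defender can strip just the unsupported option and keep the detection logic. The helper below is an added example, not part of this thread or of snort_inline; the rule lines are constructed samples, the UNSUPPORTED set is an assumption you extend to whatever your build rejects, and it assumes one rule per line.

```python
# Strip rule options that an older snort_inline build rejects at parse time.
# Keywords listed here are an assumption; 'metadata' is the one from the error.
UNSUPPORTED = {"metadata"}

def split_options(body):
    """Split the text inside the rule's ( ) on ';', honouring quotes and backslash escapes,
    so a content:"a;b" match is not cut in half."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts

def strip_unsupported(rule):
    """Return (rewritten_rule, removed_keywords) for a single rule line."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return rule, []                      # not a rule with an option block
    kept, removed = [], []
    for opt in split_options(rule[start + 1:end]):
        keyword = opt.split(":", 1)[0].strip().lower()
        (removed if keyword in UNSUPPORTED else kept).append(keyword if keyword in UNSUPPORTED else opt)
    rebuilt = rule[:start + 1] + " ".join(o + ";" for o in kept) + rule[end:]
    return rebuilt, removed

def clean_rules(text):
    """Process a rules file's text. Returns (new_text, [(line_no, keyword), ...])
    so you can log exactly which rules were altered before loading them."""
    out, report = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#") or "(" not in line:
            out.append(line); continue       # comments, blanks, includes: untouched
        new, removed = strip_unsupported(line)
        report.extend((n, kw) for kw in removed)
        out.append(new)
    return "\n".join(out) + "\n", report

# Constructed sample rules (not the real exploit.rules); sids are placeholders.
SAMPLE = """# constructed sample ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE a;b"; content:"a;b"; metadata:policy balanced-ips drop, service http; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE plain"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    cleaned, report = clean_rules(SAMPLE)
    for line_no, kw in report:
        print(f"line {line_no}: removed unsupported option '{kw}'")
    print(cleaned)
```

Run it over a copy of exploit.rules and point snort_inline.conf at the cleaned copy; the report tells you which sids were touched so the change is auditable.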