[Snort-inline-users] snort-inline

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi;

I changed snort-inline version to 2.6; now it is running and snort-inline
options are enabled but when i launch snort-inline with "snort_inline -Q -v
-c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline" command i'm
getting the following errors in the output.

1. WARNING /etc/snort_inline/snort_inline.conf(361) => flush_behavior set in
config file, using old static flushpoints (0)
2. ERROR: /etc/snort_inline/rules/exploit.rules(38): Cannot check flow
connection for non-TCP traffic

Can you please help?

Check the full output bellow

charles@ips:~$ sudo  snort_inline -Q -v -c
/etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'usbmon1_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon2_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon3_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon4_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon5_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon6_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon7_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'usbmon8_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
   [
64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 23 chars, value =
/etc/snort_inline/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 3600 seconds
    Session memory cap: 134217728 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE and DROPPING
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Scan mode? (scan_stream_only): Both packet and stream
        Sliding Windowsize (window_size): 3000
        Memcap reached method (truncate): Truncate
        Truncate percentage (truncate_percentage): 33
        Store/Load state from/to disk: No
        Max out-of-order packets in a stream (max_ooo_pkts): 5
        Max out-of-order bytes in a stream (max_ooo_bytes): 5000
        Max sequence holes in a stream (max_seq_holes): 2
        Normalize wscale max (norm_wscale_max): 2
        Perform window scale normaliztion: Yes
        Disable out-of-order packet drop: No
        Disable out-of-order packet drop: No
        Disable sequence hole packet drop: No
        Max sequence holes in a stream (max_seq_holes): 2
        Disable wscale normalization alerts (disable_norm_wscale_alerts): No
        Disable out-of-order alerts (disable_ooo_alerts): No
        Drop bad RST packets? (drop_bad_rst): No
WARNING /etc/snort_inline/snort_inline.conf(361) => flush_behavior set in
config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor New
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan
distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

ERROR: /etc/snort_inline/rules/exploit.rules(38): Cannot check flow
connection for non-TCP traffic
Fatal Error, Quitting..
charles@ips:~$