snort-inline-users Mailing List for snort_inline (Page 13)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Francisco Mu=F1oz wrote:
> Thanks for all the help.
>
> On screen the dump is just the same. (as without debug). This is 10
> seconds (approx.) of snort_inline output:
>
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
>
> 11/04-18:13:45.663780 192.168.1.22:39681 <http://192.168.1.22:39681>
> -> 201.209.205.194:44456 <http://201.209.205.194:44456>
> UDP TTL:127 TOS:0x0 ID:60827 IpLen:20 DgmLen:45
> Len: 17
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:45.752568 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7305 IpLen:20 DgmLen:536
> Len: 508
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:45.765346 192.168.1.22:39681 <http://192.168.1.22:39681>
> -> 201.209.205.194:44456 <http://201.209.205.194:44456>
> UDP TTL:127 TOS:0x0 ID:60828 IpLen:20 DgmLen:45
> Len: 17
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:45.775428 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7306 IpLen:20 DgmLen:195
> Len: 167
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
>
> 11/04-18:13:45.816135 192.168.1.22:39681 <http://192.168.1.22:39681>
> -> 201.209.205.194:44456 <http://201.209.205.194:44456>
> UDP TTL:127 TOS:0x0 ID:60829 IpLen:20 DgmLen:45
> Len: 17
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:45.875033 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7309 IpLen:20 DgmLen:536
> Len: 508
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:45.905730 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7310 IpLen:20 DgmLen:102
> Len: 74
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13: 45.944983 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7312 IpLen:20 DgmLen:536
> Len: 508
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
>
> 11/04-18:13:45.966097 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7313 IpLen:20 DgmLen:50
> Len: 22
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:46.062997 192.168.1.26:1202 <http://192.168.1.26:1202> ->
> 64.4.36.39:1863 <http://64.4.36.39:1863>
> TCP TTL:127 TOS:0x0 ID:2042 IpLen:20 DgmLen:217 DF
> ***AP*** Seq: 0x65DFED9F  Ack: 0xC85378F4  Win: 0xFA71  TcpLen: 20
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
> 11/04-18:13:46.230546 201.209.205.194:44456
> <http://201.209.205.194:44456> -> 192.168.1.22:39681
> <http://192.168.1.22:39681>
> UDP TTL:123 TOS:0x0 ID:7316 IpLen:20 DgmLen:536
> Len: 508
> =3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=
=3D+
>
I don't see any clamav output in there. Thats strange... ahh it looks as
if the debugging is not yet enabled. Not only is clamav debugging
missing, but also other snort debug info...

In your source directory do:
make clean
./configure --enable-debug <your other configure options, if any>
make
make install

then rerun Snort_inline with:
export SNORT_DEBUG=3D67108864
[root@camel log]# snort_inline -c /etc/snort_inline/snort_inline.conf  -Q

If there still is no per-packet clamav output, please check if the value
of 67108864 is correct. To do this do from your source directory:
$ grep CLAMAV src/debug.h
#define DEBUG_CLAMAV          0x04000000  /* 67108864 */

That is the output I get. Maybe yours is different...

Cheers!
Victor

2003	Jan	Feb	Mar	Apr (1)	May (15)	Jun (23)	Jul (54)	Aug (20)	Sep (18)	Oct (19)	Nov (36)	Dec (30)
2004	Jan (48)	Feb (16)	Mar (36)	Apr (36)	May (45)	Jun (47)	Jul (93)	Aug (29)	Sep (28)	Oct (42)	Nov (45)	Dec (53)
2005	Jan (62)	Feb (51)	Mar (65)	Apr (28)	May (57)	Jun (23)	Jul (24)	Aug (72)	Sep (16)	Oct (53)	Nov (53)	Dec (3)
2006	Jan (56)	Feb (6)	Mar (15)	Apr (14)	May (35)	Jun (57)	Jul (35)	Aug (7)	Sep (22)	Oct (16)	Nov (18)	Dec (9)
2007	Jan (8)	Feb (3)	Mar (11)	Apr (35)	May (6)	Jun (10)	Jul (26)	Aug (4)	Sep	Oct (29)	Nov	Dec (7)
2008	Jan (1)	Feb (2)	Mar (2)	Apr (13)	May (8)	Jun (3)	Jul (19)	Aug (20)	Sep (6)	Oct (5)	Nov	Dec (4)
2009	Jan (1)	Feb	Mar (1)	Apr	May	Jun (10)	Jul (2)	Aug (5)	Sep	Oct (1)	Nov	Dec (5)
2010	Jan (10)	Feb (10)	Mar (2)	Apr	May (7)	Jun	Jul	Aug	Sep	Oct	Nov (1)	Dec
2011	Jan	Feb (4)	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2012	Jan	Feb	Mar	Apr (1)	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2013	Jan	Feb (2)	Mar (3)	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec

snort-inline-users Mailing List for snort_inline (Page 13)

snort-inline-users — The goal of this list is to help users debug/use snort_inline