Title: endian 2.5.1 --> SNORT does not work ??
Post by: natas on Tuesday 22 May 2012, 05:48:13 am

Hi!
SNORT is off in the dashboard and in the shell. No logs. I looked in /var/log/snort/ and the file 'alert' does not exist. I deactivated all rules and restarted the snort process, and nothing. I activated only one rule and restarted the snort process, and nothing either. Help me, please.

Title: Re: endian 2.5.1 --> SNORT does not work ??
Post by: natas on Tuesday 22 May 2012, 01:24:53 pm

I looked at other behaviour of SNORT in /var/log/message.
It starts and after a few seconds the service stops.

PART 1

May 21 23:58:33 efw-1336663351 snort[7840]: Enabling inline operation
May 21 23:58:33 efw-1336663351 snort[7840]: Running in IDS mode
May 21 23:58:33 efw-1336663351 snort[7840]:
May 21 23:58:33 efw-1336663351 snort[7840]: --== Initializing Snort ==--
May 21 23:58:33 efw-1336663351 snort[7840]: Initializing Output Plugins!
May 21 23:58:33 efw-1336663351 snort[7840]: Initializing Preprocessors!
May 21 23:58:33 efw-1336663351 snort[7840]: Initializing Plug-ins!
May 21 23:58:33 efw-1336663351 snort[7840]: Parsing Rules file "/etc/snort/snort.conf"
May 21 23:58:33 efw-1336663351 snort[7840]: Var 'DNS_SERVERS' redefined
May 21 23:58:33 efw-1336663351 snort[7840]: PortVar 'HTTP_PORTS' defined :
May 21 23:58:33 efw-1336663351 snort[7840]: [ 80 3128 8080 ]
May 21 23:58:33 efw-1336663351 snort[7840]:
May 21 23:58:33 efw-1336663351 snort[7840]: PortVar 'SHELLCODE_PORTS' defined :
May 21 23:58:33 efw-1336663351 snort[7840]: [ 0:79 81:65535 ]
May 21 23:58:33 efw-1336663351 snort[7840]:
May 21 23:58:33 efw-1336663351 snort[7840]: PortVar 'ORACLE_PORTS' defined :
May 21 23:58:33 efw-1336663351 snort[7840]: [ 1521 ]
May 21 23:58:33 efw-1336663351 snort[7840]:
May 21 23:58:33 efw-1336663351 snort[7840]: PortVar 'SSH_PORTS' defined :
May 21 23:58:33 efw-1336663351 snort[7840]: [ 22 222 ]
May 21 23:58:33 efw-1336663351 snort[7840]:
May 21 23:58:33 efw-1336663351 snort[7840]: /etc/snort/snort.conf(23) PortVar 'SSH_PORTS', already defined.
May 21 23:58:33 efw-1336663351 snort[7840]: PortVar 'SSH_PORTS' defined :
May 21 23:58:33 efw-1336663351 snort[7840]: [ 22 222 ]
May 21 23:58:33 efw-1336663351 snort[7840]:
May 21 23:58:33 efw-1336663351 snort[7840]: Detection:
May 21 23:58:33 efw-1336663351 snort[7840]: Search-Method = Low-Mem-Q
May 21 23:58:33 efw-1336663351 snort[7840]: Tagged Packet Limit: 256
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic engine /usr/lib/libsf_engine.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
May 21 23:58:33 efw-1336663351 snort[7840]: done
May 21 23:58:33 efw-1336663351 snort[7840]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
May 21 23:58:33 efw-1336663351 snort[7840]: Log directory = /var/log/snort
May 21 23:58:33 efw-1336663351 snort[7840]: Frag3 global config:
May 21 23:58:33 efw-1336663351 snort[7840]: Max frags: 65536
May 21 23:58:33 efw-1336663351 snort[7840]: Fragment memory cap: 4194304 bytes
May 21 23:58:33 efw-1336663351 snort[7840]: Frag3 engine config:
May 21 23:58:33 efw-1336663351 snort[7840]: Target-based policy: FIRST
May 21 23:58:33 efw-1336663351 snort[7840]: Fragment timeout: 60 seconds
May 21 23:58:33 efw-1336663351 snort[7840]: Fragment min_ttl: 1
May 21 23:58:33 efw-1336663351 snort[7840]: Fragment Problems: 1
May 21 23:58:33 efw-1336663351 snort[7840]: Overlap Limit: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Min fragment Length: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Stream5 global config:
May 21 23:58:33 efw-1336663351 snort[7840]: Track TCP sessions: ACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: Max TCP sessions: 8192
May 21 23:58:33 efw-1336663351 snort[7840]: Memcap (for reassembly packet storage): 8388608
May 21 23:58:33 efw-1336663351 snort[7840]: Track UDP sessions: INACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: Track ICMP sessions: INACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: Log info if session memory consumption exceeds 1048576
May 21 23:58:33 efw-1336663351 snort[7840]: Stream5 TCP Policy config:
May 21 23:58:33 efw-1336663351 snort[7840]: Reassembly Policy: FIRST
May 21 23:58:33 efw-1336663351 snort[7840]: Timeout: 30 seconds
May 21 23:58:33 efw-1336663351 snort[7840]: Maximum number of bytes to queue per session: 1048576
May 21 23:58:33 efw-1336663351 snort[7840]: Maximum number of segs to queue per session: 2621
May 21 23:58:33 efw-1336663351 snort[7840]: Options:
May 21 23:58:33 efw-1336663351 snort[7840]: Static Flushpoint Sizes: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Reassembly Ports:
May 21 23:58:33 efw-1336663351 snort[7840]: 21 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 23 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 25 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 42 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 53 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 80 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 110 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 111 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 135 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 136 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 137 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 139 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 143 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 445 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 513 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 514 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 1433 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 1521 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 2401 client (Footprint)
May 21 23:58:33 efw-1336663351 snort[7840]: 3306 client (Footprint)

Title: Re: endian 2.5.1 --> SNORT does not work ??
Post by: natas on Tuesday 22 May 2012, 01:26:16 pm

PART 2

May 21 23:58:33 efw-1336663351 snort[7840]: HttpInspect Config:
May 21 23:58:33 efw-1336663351 snort[7840]: GLOBAL CONFIG
May 21 23:58:33 efw-1336663351 snort[7840]: Max Pipeline Requests: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Inspection Type: STATELESS
May 21 23:58:33 efw-1336663351 snort[7840]: Detect Proxy Usage: NO
May 21 23:58:33 efw-1336663351 snort[7840]: IIS Unicode Map Filename: /etc/snort/unicode.map
May 21 23:58:33 efw-1336663351 snort[7840]: IIS Unicode Map Codepage: 1252
May 21 23:58:33 efw-1336663351 snort[7840]: DEFAULT SERVER CONFIG:
May 21 23:58:33 efw-1336663351 snort[7840]: Server profile: All
May 21 23:58:33 efw-1336663351 snort[7840]: Ports: 80 3128 8080
May 21 23:58:33 efw-1336663351 snort[7840]: Server Flow Depth: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Client Flow Depth: 300
May 21 23:58:33 efw-1336663351 snort[7840]: Max Chunk Length: 500000
May 21 23:58:33 efw-1336663351 snort[7840]: Max Header Field Length: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Max Number Header Fields: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Inspect Pipeline Requests: YES
May 21 23:58:33 efw-1336663351 snort[7840]: URI Discovery Strict Mode: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Allow Proxy Usage: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Disable Alerting: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Oversize Dir Length: 0
May 21 23:58:33 efw-1336663351 snort[7840]: Only inspect URI: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Normalize HTTP Headers: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Inspect HTTP Cookies: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Inspect HTTP Responses: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Normalize HTTP Cookies: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Extended ASCII code support in URI: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Ascii: YES alert: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Double Decoding: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: %U Encoding: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Bare Byte: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Base36: OFF
May 21 23:58:33 efw-1336663351 snort[7840]: UTF 8: YES alert: NO
May 21 23:58:33 efw-1336663351 snort[7840]: IIS Unicode: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Multiple Slash: YES alert: NO
May 21 23:58:33 efw-1336663351 snort[7840]: IIS Backslash: YES alert: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Directory Traversal: YES alert: NO
May 21 23:58:33 efw-1336663351 snort[7840]: Web Root Traversal: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Apache WhiteSpace: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: IIS Delimiter: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
May 21 23:58:33 efw-1336663351 snort[7840]: Non-RFC Compliant Characters: 0x00
May 21 23:58:33 efw-1336663351 snort[7840]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
May 21 23:58:33 efw-1336663351 snort[7840]: rpc_decode arguments:
May 21 23:58:33 efw-1336663351 snort[7840]: Ports to decode RPC on: 111 32771
May 21 23:58:33 efw-1336663351 snort[7840]: alert_fragments: INACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: alert_large_fragments: ACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: alert_incomplete: ACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: alert_multiple_requests: ACTIVE
May 21 23:58:33 efw-1336663351 snort[7840]: Portscan Detection Config:
May 21 23:58:33 efw-1336663351 snort[7840]: Detect Protocols: TCP UDP ICMP IP
May 21 23:58:33 efw-1336663351 snort[7840]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
May 21 23:58:33 efw-1336663351 snort[7840]: Sensitivity Level: Low
May 21 23:58:33 efw-1336663351 snort[7840]: Memcap (in bytes): 10000000
May 21 23:58:33 efw-1336663351 snort[7840]: Number of Nodes: 36900
May 21 23:58:33 efw-1336663351 snort[7840]: FTPTelnet Config:
May 21 23:58:33 efw-1336663351 snort[7840]: GLOBAL CONFIG
May 21 23:58:33 efw-1336663351 snort[7840]: Inspection Type: stateful
May 21 23:58:33 efw-1336663351 snort[7840]: Check for Encrypted Traffic: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Continue to check encrypted data: NO
May 21 23:58:33 efw-1336663351 snort[7840]: TELNET CONFIG:
May 21 23:58:33 efw-1336663351 snort[7840]: Ports: 23
May 21 23:58:33 efw-1336663351 snort[7840]: Are You There Threshold: 200
May 21 23:58:33 efw-1336663351 snort[7840]: Normalize: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Detect Anomalies: NO
May 21 23:58:33 efw-1336663351 snort[7840]: FTP CONFIG:
May 21 23:58:33 efw-1336663351 snort[7840]: FTP Server: default
May 21 23:58:33 efw-1336663351 snort[7840]: Ports: 21
May 21 23:58:33 efw-1336663351 snort[7840]: Check for Telnet Cmds: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Ignore Telnet Cmd Operations: OFF
May 21 23:58:33 efw-1336663351 snort[7840]: Identify open data channels: YES
May 21 23:58:33 efw-1336663351 snort[7840]: FTP Client: default
May 21 23:58:33 efw-1336663351 snort[7840]: Check for Bounce Attacks: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Check for Telnet Cmds: YES alert: YES
May 21 23:58:33 efw-1336663351 snort[7840]: Ignore Telnet Cmd Operations: OFF
May 21 23:58:33 efw-1336663351 snort[7840]: Max Response Length: 256
May 21 23:58:34 efw-1336663351 snort[7840]: SMTP Config:
May 21 23:58:34 efw-1336663351 snort[7840]: Ports: 25 587 691
May 21 23:58:34 efw-1336663351 snort[7840]: Inspection Type: Stateful
May 21 23:58:34 efw-1336663351 snort[7840]: Normalize: EXPN RCPT VRFY
May 21 23:58:34 efw-1336663351 snort[7840]: Ignore Data: No
May 21 23:58:34 efw-1336663351 snort[7840]: Ignore TLS Data: No
May 21 23:58:34 efw-1336663351 snort[7840]: Ignore SMTP Alerts: No
May 21 23:58:34 efw-1336663351 snort[7840]: Max Command Line Length: Unlimited
May 21 23:58:34 efw-1336663351 snort[7840]: Max Specific Command Line Length:
May 21 23:58:34 efw-1336663351 snort[7840]: ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
May 21 23:58:34 efw-1336663351 snort[7840]: RCPT:300 VRFY:255
May 21 23:58:34 efw-1336663351 snort[7840]: Max Header Line Length: Unlimited
May 21 23:58:34 efw-1336663351 snort[7840]: Max Response Line Length: Unlimited
May 21 23:58:34 efw-1336663351 snort[7840]: X-Link2State Alert: Yes
May 21 23:58:34 efw-1336663351 snort[7840]: Drop on X-Link2State Alert: No
May 21 23:58:34 efw-1336663351 snort[7840]: Alert on commands: None
May 21 23:58:34 efw-1336663351 snort[7840]: ********** WARNING **********
May 21 23:58:34 efw-1336663351 snort[7840]: The dcerpc preprocessor is superceded by the dcerpc2 preprocessor. It is considered deprecated and will be removed in a future release.
May 21 23:58:34 efw-1336663351 snort[7840]: *****************************
May 21 23:58:34 efw-1336663351 snort[7840]: DCE/RPC Decoder config:
May 21 23:58:34 efw-1336663351 snort[7840]: Autodetect ports ENABLED
May 21 23:58:34 efw-1336663351 snort[7840]: SMB fragmentation ENABLED
May 21 23:58:34 efw-1336663351 snort[7840]: DCE/RPC fragmentation ENABLED
May 21 23:58:34 efw-1336663351 snort[7840]: Max Frag Size: 3000 bytes
May 21 23:58:34 efw-1336663351 snort[7840]: Memcap: 100000 KB
May 21 23:58:34 efw-1336663351 snort[7840]: Alert if memcap exceeded DISABLED
May 21 23:58:34 efw-1336663351 snort[7840]: Reassembly increment: DISABLED
May 21 23:58:34 efw-1336663351 snort[7840]: DNS config:
May 21 23:58:34 efw-1336663351 snort[7840]: DNS Client rdata txt Overflow Alert: ACTIVE
May 21 23:58:34 efw-1336663351 snort[7840]: Obsolete DNS RR Types Alert: INACTIVE
May 21 23:58:34 efw-1336663351 snort[7840]: Experimental DNS RR Types Alert: INACTIVE
May 21 23:58:34 efw-1336663351 snort[7840]: Ports:
May 21 23:58:34 efw-1336663351 snort[7840]: 53
May 21 23:58:34 efw-1336663351 snort[7840]:
May 21 23:58:34 efw-1336663351 snort[7840]:
May 21 23:58:34 efw-1336663351 snort[7840]: +++++++++++++++++++++++++++++++++++++++++++++++++++
May 21 23:58:34 efw-1336663351 snort[7840]: Initializing rule chains...
May 21 23:58:34 efw-1336663351 snort[7840]: Warning: /var/signatures/snort/processed/auto/emerging-attack_response.rules(34) => threshold (in rule) is deprecated; use detection_filter instead.
May 21 23:58:57 efw-1336663351 snort[7840]: 12465 Snort rules read
May 21 23:58:57 efw-1336663351 snort[7840]: 12465 detection rules
May 21 23:58:57 efw-1336663351 snort[7840]: 0 decoder rules
May 21 23:58:57 efw-1336663351 snort[7840]: 0 preprocessor rules
May 21 23:58:57 efw-1336663351 snort[7840]: 12465 Option Chains linked into 1857 Chain Headers
May 21 23:58:57 efw-1336663351 snort[7840]: 0 Dynamic rules
May 21 23:58:57 efw-1336663351 snort[7840]: +++++++++++++++++++++++++++++++++++++++++++++++++++
May 21 23:58:57 efw-1336663351 snort[7840]:
May 21 23:59:02 efw-1336663351 snort[7840]: +-------------------[Rule Port Counts]---------------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | tcp udp icmp ip
May 21 23:59:02 efw-1336663351 snort[7840]: | src 784 21 0 0
May 21 23:59:02 efw-1336663351 snort[7840]: | dst 9465 268 0 0
May 21 23:59:02 efw-1336663351 snort[7840]: | any 1113 811 58 25
May 21 23:59:02 efw-1336663351 snort[7840]: | nc 754 714 1 2
May 21 23:59:02 efw-1336663351 snort[7840]: | s+d 58 56 0 0
May 21 23:59:02 efw-1336663351 snort[7840]: +----------------------------------------------------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]:
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[detection-filter-config]------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | memory-cap : 1048576 bytes
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[detection-filter-rules]-------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: -------------------------------------------------------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]:
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[rate-filter-config]-----------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | memory-cap : 1048576 bytes
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[rate-filter-rules]------------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | none
May 21 23:59:02 efw-1336663351 snort[7840]: -------------------------------------------------------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]:
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[event-filter-config]----------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | memory-cap : 1048576 bytes
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[event-filter-global]----------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | none
May 21 23:59:02 efw-1336663351 snort[7840]: +-----------------------[event-filter-local]-----------------------------------
May 21 23:59:02 efw-1336663351 snort[7840]: | gen-id=1 sig-id=2406661 type=Limit tracking=src count=1 seconds=60
. . . . .
May 21 23:59:04 efw-1336663351 snort[7840]: | gen-id=1 sig-id=2404130 type=Limit tracking=src count=1 seconds=3600
May 21 23:59:04 efw-1336663351 snort[7840]: +-----------------------[suppression]------------------------------------------
May 21 23:59:04 efw-1336663351 snort[7840]: | none
May 21 23:59:04 efw-1336663351 snort[7840]: -------------------------------------------------------------------------------
May 21 23:59:04 efw-1336663351 snort[7840]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
May 21 23:59:04 efw-1336663351 snort[7840]: Verifying Preprocessor Configurations!
May 21 23:59:04 efw-1336663351 snort[7840]: UDP tracking disabled, no UDP sessions allocated
May 21 23:59:04 efw-1336663351 snort[7840]: ICMP tracking disabled, no ICMP sessions allocated
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.DROPIP' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.TorIP' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.CompIP' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.BotccIP' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.DshieldIP' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.Evil' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.RBN' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: Warning: flowbits key 'ET.HTTP.at.SSL' is set but not ever checked.
May 21 23:59:04 efw-1336663351 snort[7840]: 88 out of 512 flowbits in use.
May 21 23:59:04 efw-1336663351 snort[7840]: Initializing daemon mode
May 21 23:59:04 efw-1336663351 snort[7840]: Daemon parent exiting
May 21 23:59:04 efw-1336663351 snort[7853]: Daemon initialized, signaled parent pid: 7840
May 21 23:59:04 efw-1336663351 snort[7853]: Initializing Network Interface br0
May 21 23:59:04 efw-1336663351 snort[7853]: Checking PID path...
May 21 23:59:04 efw-1336663351 snort[7853]: PID path stat checked out ok, PID path set to /var/run/
May 21 23:59:04 efw-1336663351 snort[7853]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_br0.pid" for PID "7853"

HELP ME, PLEASE.

Title: Re: endian 2.5.1 --> SNORT does not work ??
Post by: kashifmax on Tuesday 22 May 2012, 08:50:12 pm

I didn't face any issue while using the snort rules. I just enabled it and set it to automatic (weekly). Try to search this forum if any. To update manually, see this link.
http://www.efwsupport.com/index.php?topic=1794.0

Title: Re: endian 2.5.1 --> SNORT does not work ??
Post by: mrkroket on Wednesday 23 May 2012, 12:36:13 am

Kill all snort processes (killall snort), delete the PID file (rm -rf /var/run/snort_br0.pid) and restart Snort in verbose mode: restartsnort.py -d

On almost all versions of EFW there is a known error that crashes Snort. It is caused by newer rules with functions incompatible with the EFW snort version. The only way to fix that is to check in verbose mode which rules are crashing (you can identify them by a number, i.e. 2004234). Then go to the web GUI and disable those rules. After that you can restart Snort nicely.

Title: Re: endian 2.5.1 --> SNORT does not work ??
Post by: natas on Wednesday 23 May 2012, 08:39:24 am

Quote from: mrkroket on Wednesday 23 May 2012, 12:36:13 am
Kill all snort processes (killall snort), delete the PID file (rm -rf /var/run/snort_br0.pid) and restart Snort in verbose mode: restartsnort.py -d
On almost all versions of EFW there is a known error that crashes Snort. It is caused by newer rules with functions incompatible with the EFW snort version. The only way to fix that is to check in verbose mode which rules are crashing (you can identify them by a number, i.e. 2004234). Then go to the web GUI and disable those rules. After that you can restart Snort nicely.

Hi man! OK. I activated all rules and executed your steps: "kill all snort processes (killall snort), delete the PID file (rm -rf /var/run/snort_br0.pid) and restart Snort in verbose mode restartsnort.py -d". The problem continues. Another attempt was to deactivate all rules in the dashboard, and nothing:

May 22 19:21:04 efw-1336663351 snort[16725]: +++++++++++++++++++++++++++++++++++++++++++++++++++
May 22 19:21:04 efw-1336663351 snort[16725]: Initializing rule chains...
May 22 19:21:04 efw-1336663351 snort[16725]: 1 Snort rules read
May 22 19:21:04 efw-1336663351 snort[16725]: 1 detection rules
May 22 19:21:04 efw-1336663351 snort[16725]: 0 decoder rules
May 22 19:21:04 efw-1336663351 snort[16725]: 0 preprocessor rules
May 22 19:21:04 efw-1336663351 snort[16725]: 1 Option Chains linked into 1 Chain Headers
May 22 19:21:04 efw-1336663351 snort[16725]: 0 Dynamic rules
May 22 19:21:04 efw-1336663351 snort[16725]: +++++++++++++++++++++++++++++++++++++++++++++++++++
May 22 19:21:04 efw-1336663351 snort[16725]:
May 22 19:21:04 efw-1336663351 snort[16725]: +-------------------[Rule Port Counts]---------------------------------------
May 22 19:21:04 efw-1336663351 snort[16725]: | tcp udp icmp ip
May 22 19:21:04 efw-1336663351 snort[16725]: | src 0 0 0 0
May 22 19:21:04 efw-1336663351 snort[16725]: | dst 1 0 0 0
May 22 19:21:04 efw-1336663351 snort[16725]: | any 0 0 0 0
May 22 19:21:04 efw-1336663351 snort[16725]: | nc 0 0 0 0
May 22 19:21:04 efw-1336663351 snort[16725]: | s+d 0 0 0 0
May 22 19:21:04 efw-1336663351 snort[16725]: +----------------------------------------------------------------------------
May 22 19:21:04 efw-1336663351 snort[16725]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
May 22 19:21:04 efw-1336663351 snort[16725]: Verifying Preprocessor Configurations!
May 22 19:21:04 efw-1336663351 snort[16725]: UDP tracking disabled, no UDP sessions allocated
May 22 19:21:04 efw-1336663351 snort[16725]: ICMP tracking disabled, no ICMP sessions allocated
May 22 19:21:04 efw-1336663351 snort[16725]: Initializing daemon mode
May 22 19:21:04 efw-1336663351 snort[16725]: Daemon parent exiting
May 22 19:21:04 efw-1336663351 snort[16726]: Daemon initialized, signaled parent pid: 16725
May 22 19:21:04 efw-1336663351 snort[16726]: Initializing Network Interface br0
May 22 19:21:04 efw-1336663351 snort[16726]: Checking PID path...
May 22 19:21:04 efw-1336663351 snort[16726]: PID path stat checked out ok, PID path set to /var/run/
May 22 19:21:04 efw-1336663351 snort[16726]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_br0.pid" for PID "16726"

Shit. I reset EFW to factory default and the problem with SNORT continues.
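Added example, not code from the thread or from Endian: the two checks behind mrkroket's recipe, done before anything is deleted or disabled. It tells whether the PID file Snort failed to lock belongs to a live process or is stale, and it turns Snort's "file(line) => message" output into the rule SIDs to disable in the web GUI. The rules file, log lines and paths in the demo are constructed, and the error text "Unknown rule option" is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Endian: two checks behind
# mrkroket's recipe, written so that nothing is deleted or disabled blindly.
# All paths, file names and log lines used in the demo are constructed.

# pidfile_status PIDFILE -> prints "missing", "stale" or "running PID".
# "Failed to Lock PID File" can mean another Snort instance still holds the
# lock; deleting the file would only hide that instance, so find out first.
pidfile_status() {
    pidfile=$1
    [ -f "$pidfile" ] || { echo missing; return 0; }
    pid=$(tr -dc '0-9' < "$pidfile")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "running $pid"
    else
        echo stale
    fi
}

# failing_rule_sids LOGFILE -> one SID per line for every rule Snort rejected.
# Snort 2.x reports rule problems as "file(line) => message" (the Warning in
# the thread has that shape); the SID is not in the message, so the named
# rules file is opened at that line and "sid:NNNN" pulled out of the rule.
# Those SIDs are the ones to disable in the EFW web GUI.
failing_rule_sids() {
    logfile=$1
    sed -n 's/.*ERROR: \([^ ]*\.rules\)(\([0-9]*\)) => .*/\1 \2/p' "$logfile" |
    while read -r rulesfile lineno; do
        [ -r "$rulesfile" ] || continue
        sed -n "${lineno}p" "$rulesfile" | sed -n 's/.*sid:[ ]*\([0-9]*\);.*/\1/p'
    done | sort -u
}

# make_demo_fixture DIR: constructed rules file (one rule per line) and a
# constructed verbose log in which Snort rejects the rule on line 2. The
# "Unknown rule option" wording is assumed, not copied from a real log.
make_demo_fixture() {
    dir=$1
    mkdir -p "$dir/rules"
    cat > "$dir/rules/emerging-demo.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"DEMO one"; content:"a"; sid:2000001; rev:1;)
alert tcp any any -> any 80 (msg:"DEMO two"; content:"b"; http_header; sid:2004234; rev:2;)
alert tcp any any -> any 80 (msg:"DEMO three"; content:"c"; sid:2000003; rev:1;)
EOF
    cat > "$dir/snort.log" <<EOF
May 21 23:58:34 efw-demo snort[7840]: Warning: $dir/rules/emerging-demo.rules(1) => threshold (in rule) is deprecated; use detection_filter instead.
May 21 23:58:34 efw-demo snort[7840]: ERROR: $dir/rules/emerging-demo.rules(2) => Unknown rule option: 'http_header'.
May 21 23:58:34 efw-demo snort[7840]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_br0.pid" for PID "7853"
EOF
}

# Walk through the checks on the constructed fixture.
demo_dir=${TMPDIR:-/tmp}/snort-demo.$$
make_demo_fixture "$demo_dir"
echo "no PID file yet: $(pidfile_status "$demo_dir/snort_br0.pid")"
echo "$$" > "$demo_dir/snort_br0.pid"      # this shell stands in for a live Snort
echo "live process:    $(pidfile_status "$demo_dir/snort_br0.pid")"
sleep 0 & dead=$!; wait "$dead"            # a PID that is certainly gone
echo "$dead" > "$demo_dir/snort_br0.pid"
echo "dead process:    $(pidfile_status "$demo_dir/snort_br0.pid")"
echo "rules to disable in the GUI: $(failing_rule_sids "$demo_dir/snort.log")"
rm -rf "$demo_dir"
```

On an EFW box the real inputs would be /var/run/snort_br0.pid and the verbose output of restartsnort.py -d captured to a file; a "running" result means a Snort instance must be stopped before the PID file is touched.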