My Community Dashboard

Bostjan Znidarsic
View Full Profile
  • Bostjan Znidarsic
    Bostjan Znidarsic replied to a discussion, Snort system files and folder gone! CC5.2

    Tony, Nick

    BIG thx for halp!

    I manage to reinstall snort system to my server.

    maybe just one question, on the end of command "snort status" I gat stage respose from server, bellow is log:

    [root@server ~]# snort status
    Snort BPF option: status
    Running in IDS mode with inferred config file: /etc/snort.conf

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort.conf
    PortVar 'HTTP_PORTS' defined : [ 80 ]
    PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined : [ 1521 ]
    Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
    Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment ttl_limit (not used): 5
    Fragment Problems: 1
    Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl: 1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
    Static Flushpoint Sizes: YES
    Reassembly Ports:
    21 client (Footprint)
    23 client (Footprint)
    25 client (Footprint)
    42 client (Footprint)
    53 client (Footprint)
    80 client (Footprint)
    110 client (Footprint)
    111 client (Footprint)
    135 client (Footprint)
    136 client (Footprint)
    137 client (Footprint)
    139 client (Footprint)
    143 client (Footprint)
    445 client (Footprint)
    513 client (Footprint)
    514 client (Footprint)
    1433 client (Footprint)
    1521 client (Footprint)
    2401 client (Footprint)
    3306 client (Footprint)
    HttpInspect Config:
    GLOBAL CONFIG
    Max Pipeline Requests: 0
    Inspection Type: STATELESS
    Detect Proxy Usage: NO
    IIS Unicode Map Filename: /etc/unicode.map
    IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
    Server profile: All
    Ports: 80 8080 8180
    Server Flow Depth: 300
    Client Flow Depth: 300
    Max Chunk Length: 500000
    Max Header Field Length: 0
    Max Number Header Fields: 0
    Inspect Pipeline Requests: YES
    URI Discovery Strict Mode: NO
    Allow Proxy Usage: NO
    Disable Alerting: NO
    Oversize Dir Length: 500
    Only inspect URI: NO
    Normalize HTTP Headers: NO
    Normalize HTTP Cookies: NO
    Ascii: YES alert: NO
    Double Decoding: YES alert: YES
    %U Encoding: YES alert: YES
    Bare Byte: YES alert: YES
    Base36: OFF
    UTF 8: OFF
    IIS Unicode: YES alert: YES
    Multiple Slash: YES alert: NO
    IIS Backslash: YES alert: NO
    Directory Traversal: YES alert: NO
    Web Root Traversal: YES alert: YES
    Apache WhiteSpace: YES alert: NO
    IIS Delimiter: YES alert: NO
    IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Non-RFC Compliant Characters: NONE
    Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
    Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900

    INFO => [Alert_FWsam](FWsamCheckIn) Connected to host .
    Tagged Packet Limit: 256
    Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
    Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor...
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
    Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor
    FTPTelnet Config:
    GLOBAL CONFIG
    Inspection Type: stateful
    Check for Encrypted Traffic: YES alert: YES
    Continue to check encrypted data: NO
    TELNET CONFIG:
    Ports: 23
    Are You There Threshold: 200
    Normalize: YES
    Detect Anomalies: NO
    FTP CONFIG:
    FTP Server: default
    Ports: 21
    Check for Telnet Cmds: YES alert: YES
    Identify open data channels: YES
    FTP Client: default
    Check for Bounce Attacks: YES alert: YES
    Check for Telnet Cmds: YES alert: YES
    Max Response Length: 256
    SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
    ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
    RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
    Reassembly increment: DISABLED
    DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
    SSLPP config:
    Encrypted packets: not inspected
    Ports:
    443 465 563 636 989
    992 993 994 995
    Server side data is trusted

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    2740 Snort rules read
    2740 detection rules
    0 decoder rules
    0 preprocessor rules
    2740 Option Chains linked into 243 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    +-------------------[Rule Port Counts]---------------------------------------
    | tcp udp icmp ip
    | src 102 11 0 0
    | dst 2324 117 0 0
    | any 117 46 46 19
    | nc 47 10 10 12
    | s+d 8 5 0 0
    +----------------------------------------------------------------------------

    +-----------------------[thresholding-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[thresholding-global]----------------------------------
    | none
    +-----------------------[thresholding-local]-----------------------------------
    | gen-id=1 sig-id=2000536 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=100000162 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=2001583 type=Both tracking=src count=40 seconds=60
    | gen-id=1 sig-id=2010642 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2010643 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2000544 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2010494 type=Threshold tracking=src count=5 seconds=120
    | gen-id=1 sig-id=2008577 type=Threshold tracking=dst count=5 seconds=15
    | gen-id=1 sig-id=2000537 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2000546 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2001580 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=2000545 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2009584 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2001581 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=3000001 type=Threshold tracking=src count=6 seconds=30
    | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
    | gen-id=1 sig-id=2008454 type=Threshold tracking=src count=30 seconds=30
    | gen-id=1 sig-id=2008230 type=Both tracking=src count=30 seconds=60
    | gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2002664 type=Limit tracking=src count=1 seconds=60
    | gen-id=1 sig-id=2001904 type=Both tracking=src count=30 seconds=60
    | gen-id=1 sig-id=100000158 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=2002842 type=Both tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2002994 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=2002992 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=2001972 type=Both tracking=src count=20 seconds=360
    | gen-id=1 sig-id=2002993 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=2001569 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=100000163 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=2000543 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2009582 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2001579 type=Both tracking=src count=70 seconds=60
    | gen-id=1 sig-id=2008453 type=Threshold tracking=src count=30 seconds=30
    | gen-id=1 sig-id=2001582 type=Both tracking=src count=40 seconds=60
    | gen-id=1 sig-id=2009583 type=Both tracking=dst count=1 seconds=60
    | gen-id=1 sig-id=2008455 type=Threshold tracking=src count=30 seconds=30
    | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
    | gen-id=1 sig-id=3000002 type=Threshold tracking=src count=20 seconds=60
    | gen-id=1 sig-id=100000208 type=Threshold tracking=src count=50 seconds=60
    | gen-id=1 sig-id=100000877 type=Limit tracking=src count=1 seconds=300
    | gen-id=1 sig-id=2002383 type=Threshold tracking=dst count=5 seconds=300
    | gen-id=1 sig-id=2002910 type=Threshold tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
    | gen-id=1 sig-id=2001906 type=Both tracking=src count=5 seconds=60
    | gen-id=1 sig-id=2002995 type=Both tracking=src count=10 seconds=120
    | gen-id=1 sig-id=100000923 type=Threshold tracking=dst count=200 seconds=60
    | gen-id=1 sig-id=100000159 type=Both tracking=src count=100 seconds=60
    | gen-id=1 sig-id=100000161 type=Both tracking=dst count=100 seconds=60
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------
    Rule application order: activation->dynamic->pass->drop->alert->log
    Log directory = /var/log/snort
    Verifying Preprocessor Configurations!
    Warning: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
    17 out of 512 flowbits in use.
    ***
    *** interface device lookup found: eth0
    ***

    Initializing Network Interface eth0
    ERROR: OpenPcap() FSM compilation failed:
    syntax error
    PCAP command: status
    Fatal Error, Quitting..

    Please if you can help to resolve the problem.

    thx