-
-
Tony, Nick
BIG thx for halp!
I manage to reinstall snort system to my server.
maybe just one question, on the end of command "snort status" I gat stage respose from server, bellow is log:
[root@server ~]# snort status
Snort BPF option: status
Running in IDS mode with inferred config file: /etc/snort.conf
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort.conf
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit (not used): 5
Fragment Problems: 1
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
Track ICMP sessions: INACTIVE
Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
Reassembly Policy: FIRST
Timeout: 30 seconds
Min ttl: 1
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Options:
Static Flushpoint Sizes: YES
Reassembly Ports:
21 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
80 client (Footprint)
110 client (Footprint)
111 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
445 client (Footprint)
513 client (Footprint)
514 client (Footprint)
1433 client (Footprint)
1521 client (Footprint)
2401 client (Footprint)
3306 client (Footprint)
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Server Flow Depth: 300
Client Flow Depth: 300
Max Chunk Length: 500000
Max Header Field Length: 0
Max Number Header Fields: 0
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Normalize HTTP Cookies: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
INFO => [Alert_FWsam](FWsamCheckIn) Connected to host .
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor...
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25 587 691
Inspection Type: Stateful
Normalize: EXPN RCPT VRFY
Ignore Data: No
Ignore TLS Data: No
Ignore SMTP Alerts: No
Max Command Line Length: Unlimited
Max Specific Command Line Length:
ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
RCPT:300 VRFY:255
Max Header Line Length: Unlimited
Max Response Line Length: Unlimited
X-Link2State Alert: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
Reassembly increment: DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
SSLPP config:
Encrypted packets: not inspected
Ports:
443 465 563 636 989
992 993 994 995
Server side data is trusted
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
2740 Snort rules read
2740 detection rules
0 decoder rules
0 preprocessor rules
2740 Option Chains linked into 243 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
| tcp udp icmp ip
| src 102 11 0 0
| dst 2324 117 0 0
| any 117 46 46 19
| nc 47 10 10 12
| s+d 8 5 0 0
+----------------------------------------------------------------------------
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2000536 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=100000162 type=Both tracking=src count=100 seconds=60
| gen-id=1 sig-id=2001583 type=Both tracking=src count=40 seconds=60
| gen-id=1 sig-id=2010642 type=Threshold tracking=src count=5 seconds=60
| gen-id=1 sig-id=2010643 type=Threshold tracking=src count=5 seconds=60
| gen-id=1 sig-id=2000544 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2010494 type=Threshold tracking=src count=5 seconds=120
| gen-id=1 sig-id=2008577 type=Threshold tracking=dst count=5 seconds=15
| gen-id=1 sig-id=2000537 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2000546 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2001580 type=Both tracking=src count=70 seconds=60
| gen-id=1 sig-id=2000545 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2009584 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2001581 type=Both tracking=src count=70 seconds=60
| gen-id=1 sig-id=3000001 type=Threshold tracking=src count=6 seconds=30
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2008454 type=Threshold tracking=src count=30 seconds=30
| gen-id=1 sig-id=2008230 type=Both tracking=src count=30 seconds=60
| gen-id=1 sig-id=2002911 type=Threshold tracking=src count=5 seconds=60
| gen-id=1 sig-id=2002664 type=Limit tracking=src count=1 seconds=60
| gen-id=1 sig-id=2001904 type=Both tracking=src count=30 seconds=60
| gen-id=1 sig-id=100000158 type=Both tracking=src count=100 seconds=60
| gen-id=1 sig-id=2002842 type=Both tracking=src count=5 seconds=60
| gen-id=1 sig-id=2002994 type=Both tracking=src count=10 seconds=120
| gen-id=1 sig-id=2002992 type=Both tracking=src count=10 seconds=120
| gen-id=1 sig-id=2001972 type=Both tracking=src count=20 seconds=360
| gen-id=1 sig-id=2002993 type=Both tracking=src count=10 seconds=120
| gen-id=1 sig-id=2001569 type=Both tracking=src count=70 seconds=60
| gen-id=1 sig-id=100000163 type=Both tracking=src count=100 seconds=60
| gen-id=1 sig-id=2000543 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2009582 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2001579 type=Both tracking=src count=70 seconds=60
| gen-id=1 sig-id=2008453 type=Threshold tracking=src count=30 seconds=30
| gen-id=1 sig-id=2001582 type=Both tracking=src count=40 seconds=60
| gen-id=1 sig-id=2009583 type=Both tracking=dst count=1 seconds=60
| gen-id=1 sig-id=2008455 type=Threshold tracking=src count=30 seconds=30
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3000002 type=Threshold tracking=src count=20 seconds=60
| gen-id=1 sig-id=100000208 type=Threshold tracking=src count=50 seconds=60
| gen-id=1 sig-id=100000877 type=Limit tracking=src count=1 seconds=300
| gen-id=1 sig-id=2002383 type=Threshold tracking=dst count=5 seconds=300
| gen-id=1 sig-id=2002910 type=Threshold tracking=src count=5 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2001906 type=Both tracking=src count=5 seconds=60
| gen-id=1 sig-id=2002995 type=Both tracking=src count=10 seconds=120
| gen-id=1 sig-id=100000923 type=Threshold tracking=dst count=200 seconds=60
| gen-id=1 sig-id=100000159 type=Both tracking=src count=100 seconds=60
| gen-id=1 sig-id=100000161 type=Both tracking=dst count=100 seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
Warning: flowbits key 'sslv2.server_hello.request' is checked but not ever set.
17 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
ERROR: OpenPcap() FSM compilation failed:
syntax error
PCAP command: status
Fatal Error, Quitting..
Please if you can help to resolve the problem.
thx -
-
Tony,
I follow your instructions and seems to uninstall "snort and snortsam".
Log below:
# rpm -e clearsdn-intrusion-protection snort app-snort app-snort sam
warning: /etc/snortsam.conf saved as /etc/snortsam.conf.rpmsave
warning: /etc/snort.conf saved as /etc/snort.conf.rpmsave
error reading information on service snort: No such file or directory
[root@server ~]# yum install clearsdn-intrusion-protection snort app-snort app- snortsam
Loading "kmod" plugin
Loading "protect-packages" plugin
base-supplements | 951 B 00:00
base-kernels | 951 B 00:00
base-updates | 951 B 00:00
base-console | 951 B 00:00
clearcentos-os | 951 B 00:00
http://plex.r.worldssl.net/PlexMediaServer/fedora-repo/release/i386/repodata/rep omd.xml: [Errno 14] HTTP Error 404: Not Found
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: plex. Pl ease verify its path and try again
[root@server ~]# chkconfig snort on
error reading information on service snort: No such file or directory
[root@server ~]# chkconfig snortsam on
error reading information on service snortsam: No such file or directory
[root@server ~]# service snort start
snort: unrecognized service
[root@server ~]# service snortsam start
snortsam: unrecognized service
[root@server ~]# snort status
-bash: snort: command not found
[root@server ~]# snort
-bash: snort: command not found
[root@server ~]# snortsam
-bash: snortsam: command not found
[root@server ~]#
But now I cant install it back, due to Link of installation files not existing.
Please can you help, maybe provide dome instruction where can I find CC5.2 intrusion- protection installation files.
BR -
-
the output of command snot is:
WARNING => [Alert_FWsam](FWsamCheckIn) Could not connect to host . Will try later.
ERROR: Unable to open rules file: /etc/snort/classification.config or /etc//etc/snort/classification.config
Fatal Error, Quitting..
if it is help to resolve the problem. -
-
As you can see I'm not run out of HDD space.
[root@server ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/root_group-root
35G 5.3G 28G 17% /
/dev/hda1 99M 12M 82M 13% /boot
/dev/mapper/raid_group-home
917G 733G 138G 85% /home
tmpfs 442M 0 442M 0% /dev/shm
The point is that I don't know when and why folder and files gone.
I try to find them on the system HDD but they are not present.
Need to ask, it is possible to resolve the problem, to install CO5.2 on VM machine and after copy folder and files from there!
Please I really need a solution.
THX -
-
Snort system files and folder gone! CC5.2
Dear's
I'm requesting some help, regarding snort system on my home server (CO5.2).
Snort wos working good a long time, but last fue day I noticed that Intrision Detection is not working.
In the web console when I try to restart it it is present inscription "Folder does not exist - - /etc/snort".
I inspected the system directories and is really missing, but I don't now haw it is gone, because nobady delited.
please provide information/solution haw to restore complite folder with files in it.
I now that is the eassy way to reinstall compeate system but for the moment it is not the option.
THX -
-
Calendarv1.0.140This application allows you to manage your time and schedule appointments in a calendar view. It can also serve as reminder on your dashboard.
-
Toggle Sidebar