
| Subject: | [Snort-users] Rép. : Freebsd + snort (error when Snort start) |
|---|---|
| Date: | Tue, 19 Dec 2006 16:31:56 -0500 |
For a more complete log, it looks like this:
```
Dec 19 16:12:12 portableBS snort[28402]: Var 'lo0_ADDRESS' defined, value len = 19 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = 127.0.0.0/255.0.0.0
Dec 19 16:12:12 portableBS snort[28402]: Parsing Rules file /usr/local/etc/snort/snort.conf
Dec 19 16:12:12 portableBS snort[28402]: Var 'HOME_NET' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'EXTERNAL_NET' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'DNS_SERVERS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'SMTP_SERVERS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'HTTP_SERVERS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'SQL_SERVERS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'TELNET_SERVERS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'SNMP_SERVERS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = any
Dec 19 16:12:12 portableBS snort[28402]: Var 'HTTP_PORTS' defined, value len = 2 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = 80
Dec 19 16:12:12 portableBS snort[28402]: Var 'SHELLCODE_PORTS' defined, value len = 3 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = !80
Dec 19 16:12:12 portableBS snort[28402]: Var 'ORACLE_PORTS' defined, value len = 4 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = 1521
Dec 19 16:12:12 portableBS snort[28402]: Var 'AIM_SERVERS' defined, value len = 185 chars
Dec 19 16:12:12 portableBS snort[28402]:
Dec 19 16:12:12 portableBS snort[28402]: [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
Dec 19 16:12:12 portableBS snort[28402]: .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Dec 19 16:12:12 portableBS snort[28402]: Var 'RULE_PATH' defined, value len = 27 chars
Dec 19 16:12:12 portableBS snort[28402]: , value = /usr/local/etc/snort/rules/
Dec 19 16:12:12 portableBS snort[28402]: ,-----------[Flow Config]----------------------
Dec 19 16:12:12 portableBS snort[28402]: | Stats Interval: 0
Dec 19 16:12:12 portableBS snort[28402]: | Hash Method: 2
Dec 19 16:12:12 portableBS snort[28402]: | Memcap: 10485760
Dec 19 16:12:12 portableBS snort[28402]: | Rows : 4099
Dec 19 16:12:12 portableBS snort[28402]: | Overhead Bytes: 16400(%0.16)
Dec 19 16:12:12 portableBS snort[28402]: `----------------------------------------------
Dec 19 16:12:12 portableBS snort[28402]: Frag3 global config:
Dec 19 16:12:12 portableBS snort[28402]: Max frags: 65536
Dec 19 16:12:12 portableBS snort[28402]: Fragment memory cap: 4194304 bytes
Dec 19 16:12:12 portableBS snort[28402]: Frag3 engine config:
Dec 19 16:12:12 portableBS snort[28402]: Target-based policy: FIRST
Dec 19 16:12:12 portableBS snort[28402]: Fragment timeout: 60 seconds
Dec 19 16:12:12 portableBS snort[28402]: Fragment min_ttl: 1
Dec 19 16:12:12 portableBS snort[28402]: Fragment ttl_limit: 5
Dec 19 16:12:12 portableBS snort[28402]: Fragment Problems: 1
Dec 19 16:12:12 portableBS snort[28402]: Bound Addresses: 0.0.0.0/0.0.0.0
Dec 19 16:12:12 portableBS snort[28402]: Stream4 config:
Dec 19 16:12:12 portableBS snort[28402]: Stateful inspection: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Session statistics: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Session timeout: 30 seconds
Dec 19 16:12:12 portableBS snort[28402]: Session memory cap: 8388608 bytes
Dec 19 16:12:12 portableBS snort[28402]: Session count max: 8192 sessions
Dec 19 16:12:12 portableBS snort[28402]: Session cleanup count: 5
Dec 19 16:12:12 portableBS snort[28402]: State alerts: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Evasion alerts: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Scan alerts: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Log Flushed Streams: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: MinTTL: 1
Dec 19 16:12:12 portableBS snort[28402]: TTL Limit: 5
Dec 19 16:12:12 portableBS snort[28402]: Async Link: 0
Dec 19 16:12:12 portableBS snort[28402]: State Protection: 0
Dec 19 16:12:12 portableBS snort[28402]: Self preservation threshold: 50
Dec 19 16:12:12 portableBS snort[28402]: Self preservation period: 90
Dec 19 16:12:12 portableBS snort[28402]: Suspend threshold: 200
Dec 19 16:12:12 portableBS snort[28402]: Suspend period: 30
Dec 19 16:12:12 portableBS snort[28402]: Enforce TCP State: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Midstream Drop Alerts: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Allow Blocking of TCP Sessions in Inline: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Server Data Inspection Limit: -1
Dec 19 16:12:12 portableBS snort[28402]: WARNING /usr/local/etc/snort/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Dec 19 16:12:12 portableBS snort[28402]: Stream4_reassemble config:
Dec 19 16:12:12 portableBS snort[28402]: Server reassembly: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Client reassembly: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Reassembler alerts: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Zero out flushed packets: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Flush stream on alert: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: flush_data_diff_size: 500
Dec 19 16:12:12 portableBS snort[28402]: Reassembler Packet Preferance : Favor Old
Dec 19 16:12:12 portableBS snort[28402]: Packet Sequence Overlap Limit: -1
Dec 19 16:12:12 portableBS snort[28402]: Flush behavior: Small (<255 bytes)
Dec 19 16:12:12 portableBS snort[28402]: Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Dec 19 16:12:12 portableBS snort[28402]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Dec 19 16:12:12 portableBS snort[28402]: HttpInspect Config:
Dec 19 16:12:12 portableBS snort[28402]: GLOBAL CONFIG
Dec 19 16:12:12 portableBS snort[28402]: Max Pipeline Requests: 0
Dec 19 16:12:12 portableBS snort[28402]: Inspection Type: STATELESS
Dec 19 16:12:12 portableBS snort[28402]: Detect Proxy Usage: NO
Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode Map Filename: /usr/local/etc/snort/unicode.map
Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode Map Codepage: 1252
Dec 19 16:12:12 portableBS snort[28402]: DEFAULT SERVER CONFIG:
Dec 19 16:12:12 portableBS snort[28402]: Server profile: All
Dec 19 16:12:12 portableBS snort[28402]: Ports: 80 8080 8180
Dec 19 16:12:12 portableBS snort[28402]: Flow Depth: 300
Dec 19 16:12:12 portableBS snort[28402]: Max Chunk Length: 500000
Dec 19 16:12:12 portableBS snort[28402]: Inspect Pipeline Requests: YES
Dec 19 16:12:12 portableBS snort[28402]: URI Discovery Strict Mode: NO
Dec 19 16:12:12 portableBS snort[28402]: Allow Proxy Usage: NO
Dec 19 16:12:12 portableBS snort[28402]: Disable Alerting: NO
Dec 19 16:12:12 portableBS snort[28402]: Oversize Dir Length: 500
Dec 19 16:12:12 portableBS snort[28402]: Only inspect URI: NO
Dec 19 16:12:12 portableBS snort[28402]: Ascii: YES alert: NO
Dec 19 16:12:12 portableBS snort[28402]: Double Decoding: YES alert: YES
Dec 19 16:12:12 portableBS snort[28402]: %U Encoding: YES alert: YES
Dec 19 16:12:12 portableBS snort[28402]: Bare Byte: YES alert: YES
Dec 19 16:12:12 portableBS snort[28402]: Base36: OFF
Dec 19 16:12:12 portableBS snort[28402]: UTF 8: OFF
Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode: YES alert: YES
Dec 19 16:12:12 portableBS snort[28402]: Multiple Slash: YES alert: NO
Dec 19 16:12:12 portableBS snort[28402]: IIS Backslash: YES alert: NO
Dec 19 16:12:12 portableBS snort[28402]: Directory Traversal: YES alert: NO
Dec 19 16:12:12 portableBS snort[28402]: Web Root Traversal: YES alert: YES
Dec 19 16:12:12 portableBS snort[28402]: Apache WhiteSpace: YES alert: NO
Dec 19 16:12:12 portableBS snort[28402]: IIS Delimiter: YES alert: NO
Dec 19 16:12:12 portableBS snort[28402]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Dec 19 16:12:12 portableBS snort[28402]: Non-RFC Compliant Characters: NONE
Dec 19 16:12:12 portableBS snort[28402]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Dec 19 16:12:12 portableBS snort[28402]: rpc_decode arguments:
Dec 19 16:12:12 portableBS snort[28402]: Ports to decode RPC on: 111 32771
Dec 19 16:12:12 portableBS snort[28402]: alert_fragments: INACTIVE
Dec 19 16:12:12 portableBS snort[28402]: alert_large_fragments: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: alert_incomplete: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: alert_multiple_requests: ACTIVE
Dec 19 16:12:12 portableBS snort[28402]: Portscan Detection Config:
Dec 19 16:12:12 portableBS snort[28402]: Detect Protocols: TCP UDP ICMP IP
Dec 19 16:12:12 portableBS snort[28402]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Dec 19 16:12:12 portableBS snort[28402]: Sensitivity Level: Low
Dec 19 16:12:12 portableBS snort[28402]: Memcap (in bytes): 10000000
Dec 19 16:12:12 portableBS snort[28402]: Number of Nodes: 36900
Dec 19 16:12:12 portableBS snort[28402]:
Dec 19 16:12:13 portableBS snort[28402]: Tagged Packet Limit: 256
Dec 19 16:12:13 portableBS snort[28402]:
Dec 19 16:12:13 portableBS snort[28402]: +-----------------------[thresholding-config]----------------------------------
Dec 19 16:12:13 portableBS snort[28402]: | memory-cap : 1048576 bytes
Dec 19 16:12:13 portableBS snort[28402]: +-----------------------[thresholding-global]----------------------------------
Dec 19 16:12:13 portableBS snort[28402]: | none
Dec 19 16:12:13 portableBS snort[28402]: +-----------------------[thresholding-local]-----------------------------------
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7760 type=Limit tracking=src count=1 seconds=600
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6127 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7801 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7706 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6128 type=Limit tracking=src count=1 seconds=600
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7649 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7758 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7669 type=Limit tracking=src count=1 seconds=120
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7646 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7068 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7759 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=5322 type=Limit tracking=src count=1 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7069 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7118 type=Limit tracking=src count=1 seconds=600
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7712 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=5321 type=Limit tracking=src count=1 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7655 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7711 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6336 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7861 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7613 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7074 type=Limit tracking=src count=1 seconds=600
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6146 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6176 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6176 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7642 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6322 type=Limit tracking=src count=1 seconds=3000
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7802 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6398 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7727 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6321 type=Limit tracking=src count=1 seconds=3000
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=8477 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6122 type=Limit tracking=src count=1 seconds=600
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7647 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7624 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=5323 type=Limit tracking=src count=1 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=8549 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7691 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7732 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7034 type=Limit tracking=src count=1 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7739 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7033 type=Limit tracking=src count=1 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6174 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6290 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6107 type=Limit tracking=src count=1 seconds=600
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=6324 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1 sig-id=7822 type=Limit tracking=src count=1 seconds=300
Dec 19 16:12:13 portableBS snort[28402]: +-----------------------[suppression]------------------------------------------
Dec 19 16:12:13 portableBS snort[28402]: | none
Dec 19 16:12:13 portableBS snort[28402]: -------------------------------------------------------------------------------
Dec 19 16:12:13 portableBS snort[28402]: Rule application order: ->activation->dynamic->pass->drop->alert->log
Dec 19 16:12:13 portableBS snort[28402]: Log directory = /var/log/snort
Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic engine /usr/local/lib/snort/dynamicengine/libsf_engine.so...
Dec 19 16:12:13 portableBS snort[28402]: done
Dec 19 16:12:13 portableBS snort[28402]: Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/ ...
Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Dec 19 16:12:13 portableBS snort[28402]: done
Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so...
Dec 19 16:12:13 portableBS snort[28402]: done
Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so...
Dec 19 16:12:13 portableBS snort[28402]: done
Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so...
Dec 19 16:12:13 portableBS snort[28402]: done
Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic preprocessor library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so...
Dec 19 16:12:13 portableBS snort[28402]: done
Dec 19 16:12:13 portableBS snort[28402]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
Dec 19 16:12:13 portableBS snort[28402]: FTPTelnet Config:
Dec 19 16:12:13 portableBS snort[28402]: GLOBAL CONFIG
Dec 19 16:12:13 portableBS snort[28402]: Inspection Type: stateful
Dec 19 16:12:13 portableBS snort[28402]: Check for Encrypted Traffic: YES alert: YES
Dec 19 16:12:13 portableBS snort[28402]: Continue to check encrypted data: NO
Dec 19 16:12:13 portableBS snort[28402]: TELNET CONFIG:
Dec 19 16:12:13 portableBS snort[28402]: Ports: 23
Dec 19 16:12:13 portableBS snort[28402]: Are You There Threshold: 200
Dec 19 16:12:13 portableBS snort[28402]: Normalize: YES
Dec 19 16:12:13 portableBS snort[28402]: Detect Anomalies: NO
Dec 19 16:12:13 portableBS snort[28402]: FTP CONFIG:
Dec 19 16:12:13 portableBS snort[28402]: FTP Server: default
Dec 19 16:12:13 portableBS snort[28402]: Ports: 21
Dec 19 16:12:13 portableBS snort[28402]: Check for Telnet Cmds: YES alert: YES
Dec 19 16:12:13 portableBS snort[28402]: Identify open data channels: YES
Dec 19 16:12:13 portableBS snort[28402]: FTP Client: default
Dec 19 16:12:13 portableBS snort[28402]: Check for Bounce Attacks: YES alert: YES
Dec 19 16:12:13 portableBS snort[28402]: Check for Telnet Cmds: YES alert: YES
Dec 19 16:12:13 portableBS snort[28402]: Max Response Length: 256
Dec 19 16:12:13 portableBS snort[28402]: SMTP Config:
Dec 19 16:12:13 portableBS snort[28402]: Ports:
Dec 19 16:12:13 portableBS snort[28402]: 25
Dec 19 16:12:13 portableBS snort[28402]:
Dec 19 16:12:13 portableBS snort[28402]: Inspection Type: STATEFUL
Dec 19 16:12:13 portableBS snort[28402]: Normalize Spaces: YES
Dec 19 16:12:13 portableBS snort[28402]: Ignore Data: NO
Dec 19 16:12:13 portableBS snort[28402]: Ignore TLS Data: NO
Dec 19 16:12:13 portableBS snort[28402]: Ignore Alerts: NO
Dec 19 16:12:13 portableBS snort[28402]: Max Command Length: 0
Dec 19 16:12:13 portableBS snort[28402]: Max Header Line Length: 0
Dec 19 16:12:13 portableBS snort[28402]: Max Response Line Length: 0
Dec 19 16:12:13 portableBS snort[28402]: X-Link2State Alert: YES
Dec 19 16:12:13 portableBS snort[28402]: Drop on X-Link2State Alert: NO
Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key 'dce.bind.netware_cs' is checked but not ever set.
Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key 'dce.isystemactivator.bind' is checked but not ever set.
Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Dec 19 16:12:13 portableBS snort[28402]: 248 out of 512 flowbits in use.
Dec 19 16:12:13 portableBS snort[28402]: *** *** interface device lookup found: rl0 ***
Dec 19 16:12:13 portableBS snort[28402]: Initializing daemon mode
Dec 19 16:12:13 portableBS snort[28403]: PID path stat checked out ok, PID path set to /var/run/
Dec 19 16:12:13 portableBS snort[28403]: Writing PID "28403" to file "/var/run//snort_rl0.pid"
Dec 19 16:12:13 portableBS snort[28402]: Daemon parent exiting
Dec 19 16:12:13 portableBS snort[28403]: Daemon initialized, signaled parent pid: 28402
```
If I launch the command like this, for example:

```
/usr/local/bin/snort -i rl0 /usr/local/etc/snort/snort.conf
```

I receive this error message:

```
.....
Verifying Preprocessor Configurations!
Warning: flowbits key 'dce.bind.netware_cs' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
248 out of 512 flowbits in use.
Initializing Network Interface rl0
ERROR: OpenPcap() FSM compilation failed:
syntax error
PCAP command: /usr/local/etc/snort/snort.conf
Fatal Error, Quitting..
```
Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Tel: 1 418 646-3258
Email: Francis.provencher@Msp.gouv.qc.ca
CEH - Certified Ethical Hacker
SSCP - System Security Certified Practitioner
Sec+ - Security +
"FRANCIS PROVENCHER" <francis.provencher@msp.gouv.qc.ca> 2006-12-19 15:42:49 >>>

> Hi all,
>
> I don't know if I'm posting this question on the right mailing list, but I hope it's the right one.
>
> I updated my FreeBSD box this week (Snort ran for about 2 years on it without problems). After I restarted the box, Snort couldn't load correctly. The only error I can see is in /var/log/messages. It looks like this:
>
> Dec 19 14:17:31 portableBS snort[27675]: Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> Dec 19 14:17:31 portableBS snort[27675]: Warning: flowbits key 'dce.bind.netware_cs' is checked but not ever set.
> Dec 19 14:17:31 portableBS snort[27675]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> Dec 19 14:17:31 portableBS snort[27675]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> Dec 19 14:17:31 portableBS snort[27675]: Warning: flowbits key 'dce.isystemactivator.bind' is checked but not ever set.
> Dec 19 14:17:31 portableBS snort[27675]: 248 out of 512 flowbits in use.
> Dec 19 14:17:31 portableBS snort[27675]: *** *** interface device lookup found: rl0 ***
> Dec 19 14:17:31 portableBS snort[27675]: Initializing daemon mode
> Dec 19 14:17:31 portableBS snort[27676]: PID path stat checked out ok, PID path set to /var/run/
> Dec 19 14:17:31 portableBS snort[27676]: Writing PID "27676" to file "/var/run//snort_rl0.pid"
> Dec 19 14:17:31 portableBS snort[27675]: Daemon parent exiting
> Dec 19 14:17:31 portableBS snort[27676]: Daemon initialized, signaled parent pid: 27675
>
> Snort doesn't start. I have looked at the conf file and found nothing of interest. Can someone help me?
>
> Francis Provencher
> Ministère de la Sécurité publique du Québec
> Direction des technologies de l'information
> Tel: 1 418 646-3258
> Email: Francis.provencher@Msp.gouv.qc.ca
> CEH - Certified Ethical Hacker
> SSCP - System Security Certified Practitioner
> Sec+ - Security +
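The error text in the post is informative on its own: Snort 2.x passes every non-option argument to libpcap as the BPF filter expression, and the "PCAP command:" line echoes back exactly what libpcap tried to compile. A config file path in that position is the signature of a command line that lacks `-c` before the config file. The following POSIX sh pre-flight check is an added example, not code from the post or from the Snort project; it assumes a Snort 2.6-era option list (the set of options that consume a following argument is my assumption and may need adjusting for other versions), and the function names `snort_opt_takes_arg` and `snort_cmdline_check` are hypothetical. It is meant to be called from an rc script or by hand before the daemon is started, so that the failure shows up as a readable finding instead of a syslog trail that ends at "Daemon parent exiting".

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of a Snort 2.x
# command line. Snort hands every non-option argument to libpcap as the BPF
# filter, so a config path given without "-c" is compiled as a filter and
# rejected with "OpenPcap() FSM compilation failed: syntax error", with the
# path echoed back on the "PCAP command:" line.

# Options that consume the next argument (assumption: taken from the Snort 2.6
# usage text; adjust for other versions).
snort_opt_takes_arg() {
    case "$1" in
        -A|-B|-c|-F|-g|-G|-h|-i|-k|-l|-L|-m|-n|-P|-r|-S|-t|-u) return 0 ;;
        *) return 1 ;;
    esac
}

# snort_cmdline_check ARGS...
# Prints one finding per line. Returns 0 when the command line looks sane,
# 1 when Snort would either fail at OpenPcap() or run without its config.
snort_cmdline_check() {
    conf=""
    bpf=""
    status=0
    while [ $# -gt 0 ]; do
        if snort_opt_takes_arg "$1"; then
            [ "$1" = "-c" ] && [ $# -ge 2 ] && conf="$2"
            shift
            [ $# -gt 0 ] && shift
            continue
        fi
        case "$1" in
            -c?*) conf="${1#-c}" ;;      # "-cFILE" form, config glued to the flag
            -*)   ;;                      # flag that takes no argument
            *)    bpf="$bpf $1" ;;        # positional: becomes a BPF filter token
        esac
        shift
    done
    if [ -z "$conf" ]; then
        echo "no -c given: Snort would start in sniffer/logger mode without snort.conf"
        status=1
    fi
    for tok in $bpf; do
        case "$tok" in
            /*|*.conf)
                echo "positional argument '$tok' is passed to libpcap as a BPF filter;"
                echo "  a file path there usually means the -c before the config file is missing"
                status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "ok: config $conf, BPF filter '${bpf# }'"
    return $status
}

# The command line from the post, then the same line with -c added.
snort_cmdline_check -i rl0 /usr/local/etc/snort/snort.conf || true
snort_cmdline_check -D -i rl0 -c /usr/local/etc/snort/snort.conf
```

Once the command line passes this check, Snort 2.x's own `-T` test mode (`snort -T -c /usr/local/etc/snort/snort.conf -i rl0`) validates the configuration and rule set in the foreground, where "Fatal Error" messages are visible on the terminal rather than buried behind the daemon fork.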