Author Topic: snort:ERROR: Can't find pcap DAQ!  (Read 3601 times)

Offline Almost-retired

  • Sr. Member
  • ****
  • Posts: 252
    • What keeps Gene out of the bars
snort:ERROR: Can't find pcap DAQ!
« on: April 28, 2012, 08:04:00 AM »
snort, snort-bloat, snort-snarf installed.

I've installed all the 'daq' stuff I can find, but that error continues.

So I straced it; it showed some missing usbmon things.

I modprobe'd usbmon and those misses went away.

Next I straced it 2>&1|less
and found it to be stuck in a loop, successfully re-opening and re-reading /etc/protocols
Curious, I swapped the "|less" out for a "|grep protocols|wc -l"
and got 512 times, all successful.

The only place 'pcap' or DAQ is mentioned in the whole strace output is in the fatal exit stanza:
=======
[root@coyote etc]# snort
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..
=======
10am, been putzing with this since about 9pm last night.

Since I run my own web server on this machine, it seems as if I should be running something like snort.

What am I missing that synaptic can't find?

Thanks & Cheers, Gene

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #1 on: April 28, 2012, 11:02:25 AM »
Do you have pcap and daq installed?

Quote
[andrzejl@icsserver ~]$ apt-cache search pcap
daq-modules - Bundled DAQ modules
gstreamer0.10-plugins-bad - GStreamer Streaming-media framework plug-ins
jpcap - A Java library for capturing and sending network packets
libdaq-devel - Header files for the dssl library
libdaq0 - Main library for daq
libnet1 - A C library for portable packet creation
libnet1.0.2 - A C library for portable packet creation
libnet1.0.2-devel - Development library and header files for the libnet library
libnet1.0.2-static-devel - Static development library for the libnet library
libnet1.1.0 - A C library for portable packet creation
libnet1.1.0-devel - Development library and header files for the libnet library
libnet1.1.0-static-devel - Static development library for the libnet library
libnet1.1.2 - A C library for portable packet creation
libnet1.1.2-devel - Development library and header files for the libnet library
libnet1.1.2-static-devel - Static development library for the libnet library
libpcap-devel - Static library and header files for the pcap library
libpcap1 - A system-independent interface for user-level packet capture

perl-Cflow - Find ``interesting'' flows in raw IP flow files
perl-Net-Packet - A framework to easily send and receive frames from layer 2 to layer 7
perl-Net-Pcap - Interface to pcap(3) LBL packet capture library
python-pypcap - Simplified object-oriented Python extension module for libpcap
snort - An Intrusion Detection System (IDS)
snort-bloat - Snort with flexresp+mysql+postgresql+inline+prelude support
snort-inline+flexresp - Snort with Inline and Flexible Response support
snort-inline - Snort with Inline support
snort-mysql+flexresp - Snort with MySQL database and Flexible Response support
snort-mysql - Snort with MySQL database support
snort-plain+flexresp - Snort with Flexible Response
snort-postgresql+flexresp - Snort with PostgreSQL database and Flexible Response support
snort-postgresql - Snort with PostgreSQL database support
snort-prelude+flexresp - Snort with Prelude and Flexible Response support
snort-prelude - Snort with Prelude support
tshark - Text-mode network traffic and protocol analyzer
wireshark - Network traffic analyzer
[andrzejl@icsserver ~]$
« Last Edit: April 28, 2012, 11:06:18 AM by AndrzejL »

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #2 on: April 28, 2012, 11:10:58 AM »
I get the same error:

Quote
[root@icsserver andrzejl]# apt-get install snort
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
   libdaq0 (0.5-1pclos2010)
   libdnet1 (1.12-2pclos2010)
   snort-rules (2.4-1pclos2010)
The following NEW packages will be installed:
   libdaq0 (0.5-1pclos2010)
   libdnet1 (1.12-2pclos2010)
   snort (2.9.0.5-1pclos2011)
   snort-rules (2.4-1pclos2010)
0 upgraded, 4 newly installed, 0 removed and 0 not upgraded.
Need to get 3881kB of archives.
After unpacking 12.8MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://192.168.0.1 pclinuxos/2010/main libdaq0 0.5-1pclos2010 [76.6kB]
Get:2 http://192.168.0.1 pclinuxos/2010/main libdnet1 1.12-2pclos2010 [28.1kB]
Get:3 http://192.168.0.1 pclinuxos/2010/main snort-rules 2.4-1pclos2010 [1153kB]
Get:4 http://192.168.0.1 pclinuxos/2010/main snort 2.9.0.5-1pclos2011 [2623kB]
Fetched 3881kB in 0s (9311kB/s)
Committing changes...
Preparing                                ############################## [100%]
Updating / installing
  snort-rules-2.4-1pclos2010.noarch      ############################## [100%]
  libdnet1-1.12-2pclos2010.i586          ############################## [100%]
  libdaq0-0.5-1pclos2010.i586            ############################## [100%]
  snort-2.9.0.5-1pclos2011.i586          ############################## [100%]
Warning: network-up is needed by snort in runlevel 2
Warning: network-up is needed by snort in runlevel 4
Done.
[root@icsserver andrzejl]# sno
snort        snort-plain
[root@icsserver andrzejl]# snort
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..
[root@icsserver andrzejl]#

Will try to investigate :).

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #3 on: April 28, 2012, 11:42:02 AM »
OK, I have found this: http://seclists.org/snort/2012/q1/31

It says to run snort with the --daq-dir option, for example: snort --daq-dir /usr/local/lib/daq

So I checked for daq libraries:

Quote
[root@icsserver andrzejl]# updatedb
[root@icsserver andrzejl]# locate daq | grep lib
/usr/lib/libdaq.so.0
/usr/lib/libdaq.so.0.0.1

/usr/share/doc/libdaq0-0.5
/usr/share/doc/libdaq0-0.5/README
/var/cache/apt/archives/libdaq0-0.5-1pclos2010.i586.rpm
[root@icsserver andrzejl]#

So I ran

snort -de -i en0 --daq-dir /usr/lib/

It didn't take me too far... same error...

Are we missing a dependency? Does snort need to be recompiled with daq support?
« Last Edit: April 28, 2012, 11:43:41 AM by AndrzejL »

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #4 on: April 28, 2012, 12:06:45 PM »
OK, solved partially...

I have found out here http://forums.gentoo.org/viewtopic-t-848607-start-0.html that for daq we need, for example, the file daq_dump.so

Here http://rpm.pbone.net/ I have found out that the file is contained in the daq-modules rpm

Quote
[root@icsserver andrzejl]# apt-get install daq-modules
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
   libnetfilter_queue1 (0.0.17-1pclos2009)
   libnfnetlink0 (0.0.41-1pclos2009)
The following NEW packages will be installed:
   daq-modules (0.5-1pclos2010)
   libnetfilter_queue1 (0.0.17-1pclos2009)
   libnfnetlink0 (0.0.41-1pclos2009)
0 upgraded, 3 newly installed, 0 removed and 0 not upgraded.
Need to get 54.1kB of archives.
After unpacking 106kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://192.168.0.1 pclinuxos/2010/main libnfnetlink0 0.0.41-1pclos2009 [15.4kB]
Get:2 http://192.168.0.1 pclinuxos/2010/main libnetfilter_queue1 0.0.17-1pclos2009 [16.4kB]
Get:3 http://192.168.0.1 pclinuxos/2010/main daq-modules 0.5-1pclos2010 [22.3kB]
Fetched 54.1kB in 0s (172kB/s)
Committing changes...
Preparing                                ############################## [100%]
Updating / installing
  libnfnetlink0-0.0.41-1pclos2009.i586   ############################## [100%]
  libnetfilter_queue1-0.0.17-1pclos2009. ############################## [100%]
  daq-modules-0.5-1pclos2010.i586        ############################## [100%]
Done.

[root@icsserver andrzejl]# snort
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

[root@icsserver andrzejl]# updatedb
[root@icsserver andrzejl]# locate daq_dump.so
/usr/lib/daq/daq_dump.so
[root@icsserver andrzejl]# snort -de -i ppp0 --daq-dir /usr/lib/daq
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "ppp0".
Decoding Linux SLL

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.21 2011-12-12
           Using ZLIB version: 1.2.5

Commencing packet processing (pid=5838)
04/28-19:00:49.399359 < l/l len: 0 l/l type: 0x200 00:00:00:00:00:00
pkt type:0x0 proto: 0x800 len:0x64

===============================================================================
Run time for packet processing was 2.773380 seconds
Snort processed 24 packets.
Snort ran for 0 days 0 hours 0 minutes 2 seconds
   Pkts/sec:           12
===============================================================================
Packet I/O Totals:
   Received:           24
   Analyzed:           24 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            0 (  0.000%)
       VLAN:            0 (  0.000%)
        IP4:           24 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            5 ( 20.833%)
        UDP:            0 (  0.000%)
        TCP:           19 ( 79.167%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            1 (  4.167%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:           24
===============================================================================
Snort exiting

[root@icsserver andrzejl]#

Obviously we are missing the dependency daq-modules-0.5-1pclos2010.i586

Now what makes me wonder is why the service won't start ;)...

Quote
[root@icsserver andrzejl]# service snort start
Starting snort:                                                                            [FAILED]
[root@icsserver andrzejl]#

Will investigate some more but I have no idea how the service should start / what mode etc... ;)
« Last Edit: April 28, 2012, 12:19:19 PM by AndrzejL »
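The fix in this post (install daq-modules, then point Snort at the directory that actually holds the modules with --daq-dir) can be turned into a check that runs before Snort does. The script below is an added example, not code from this thread or from the Snort project. It looks for daq_pcap.so, the module behind the "pcap DAQ" message, in a constructed list of candidate directories (/usr/lib/daq, /usr/lib64/daq, /usr/local/lib/daq, plus any passed as arguments) and prints the --daq-dir argument to use, or a diagnosis that tells apart "directory missing" (package not installed) from "directory present but no pcap module".

```shell
#!/bin/sh
# Added example, not from the thread or from Snort: find a DAQ module
# directory that really contains the pcap module. "Can't find pcap DAQ!"
# means Snort found no daq_pcap.so in the directories it searched, so
# installing daq-modules is only half the fix if they land somewhere
# Snort does not look (/usr/lib/daq in the thread).

# Constructed candidate list for this example; extra directories can be
# passed as arguments to find_daq_dir and are tried first.
DAQ_CANDIDATES="/usr/lib/daq /usr/lib64/daq /usr/local/lib/daq"

# find_daq_dir [dir...] -> prints the first directory holding daq_pcap.so,
# returns 1 and prints nothing when none qualifies.
find_daq_dir() {
    for d in "$@" $DAQ_CANDIDATES; do
        if [ -f "$d/daq_pcap.so" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# list_daq_modules DIR -> module names present (daq_pcap, daq_dump, ...)
list_daq_modules() {
    for f in "$1"/daq_*.so; do
        [ -f "$f" ] || continue
        b=${f##*/}
        printf '%s\n' "${b%.so}"
    done
}

# check_daq_dir DIR -> 0 when DIR holds the pcap module; otherwise prints
# a diagnosis on stderr and returns 1.
check_daq_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir (is the daq-modules package installed?)" >&2
        return 1
    fi
    if [ ! -f "$dir/daq_pcap.so" ]; then
        echo "$dir has no daq_pcap.so; modules present: $(list_daq_modules "$dir" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: print the command-line argument Snort needs.
if dir=$(find_daq_dir); then
    echo "use: snort -de -i <interface> --daq-dir $dir"
else
    echo "no directory with daq_pcap.so among: $DAQ_CANDIDATES (install the daq-modules package)" >&2
fi
```

Once a directory passes check_daq_dir, the same path can go into snort.conf as a `config daq_dir:` line so the service start does not depend on the flag being typed by hand.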

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #5 on: April 28, 2012, 12:45:08 PM »
OK, another problem solved partially.

I have noticed that running command:

Code:
snort -c /etc/snort/snort.conf
gives more output.

Quote
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
ERROR: /etc/snort/snort.conf(XX) Unknown rule type: ipvar.
Fatal Error, Quitting..

The bold XX shows where in the conf file (which line) the problem occurs.

ipvar, as explained here http://forums.snort.org/forums/snort-newbies/topics/var-and-ipvar :

Quote
I understand that ipvar is for IPv6 support but to otherwise use var for IPv4 support, and that the --enable-ipv6 configuration command is optional (remarked out in the 2.9.0 snort.conf file).

Hence it was logical that it fails on my machine - I have ipv6 disabled.

After #-ing out a few lines with ipvar in the snort.conf file I am a bit further:

Instead of #-ing the ipvar lines out, I had to edit the lines so they said var instead of ipvar.

Lines 39, 42, 45, 48, 51, 54, 57, 60 and 75 if I remember correctly.

Quote
[root@icsserver log]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: ../../../src/parser.c(5245) Could not stat dynamic module path "/usr/lib/snort/dynamicrules": No such file or directory.
Fatal Error, Quitting..

Investigating this now...
« Last Edit: April 28, 2012, 03:16:52 PM by AndrzejL »

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #6 on: April 28, 2012, 01:02:09 PM »
Again one step further:

Quote
[root@icsserver log]# mkdir -p /usr/lib/snort/dynamicrules
[root@icsserver log]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: Unable to open rules file "/etc/snort/rules/blacklist.rules": No such file or directory.
Fatal Error, Quitting..

[root@icsserver log]#

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #7 on: April 28, 2012, 01:15:56 PM »
Hmmmm... I think snort needs to be repackaged...

I had to run this as root to get any further:

Quote
touch /etc/snort/rules/blacklist.rules
touch /etc/snort/rules/botnet-cnc.rules
touch /etc/snort/rules/content-replace.rules
touch /etc/snort/rules/phishing-spam.rules
touch /etc/snort/rules/scada.rules
touch /etc/snort/rules/specific-threats.rules
touch /etc/snort/rules/spyware-put.rules
touch /etc/snort/rules/voip.rules
touch /etc/snort/rules/sn.rules
touch /etc/snort/rules/web-activex.rules

There are no examples of rule files in the package...

This is weird. snort-rules is installed and it says it contains rules, but some of them are obviously missing. I think we need to have the upgraded version from here http://www.snort.org/snort-rules/ added to the repo... but they require a login to download the latest rules?

Whoa... Paid subscription is needed to download rules... I don't get it...

Quote
[root@icsserver log]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort/dynamicrules...
Warning: No dynamic libraries found in directory /usr/lib/snort/dynamicrules!
  Finished Loading all dynamic detection libs from /usr/lib/snort/dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp normalizations disabled because not inlineWARNING: icmp4 normalizations disabled because not inlineFrag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Problems: 1
    Overlap Limit:     10
    Min fragment Length:     100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
      311 client (Footprint) server (Footprint)
Stream5 UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
      Max Gzip Memory: 838860
      Max Gzip Sessions: 6
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
ERROR: /etc/snort/snort.conf(189) Unknown preprocessor: "normalize_ip6".
Fatal Error, Quitting..
[root@icsserver log]#


A bit further... Still investigating...
« Last Edit: April 28, 2012, 01:41:08 PM by AndrzejL »
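The missing rules files in this post, the absent dynamicrules directory from Reply #6 and the ipvar lines from Reply #5 all make Snort abort on the first one it hits, so each run reveals only one problem. The preflight script below is an added example, not code from this thread or from the Snort project. It reads a snort.conf, expands $RULE_PATH from the conf's own `var RULE_PATH` line, and lists every uncommented ipvar definition, every included rules file that is absent and every `dynamic... directory` path that does not exist, so all of them can be fixed in one pass. The conf path defaults to /etc/snort/snort.conf and can be overridden through the SNORT_CONF variable, a name chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Snort: report the three
# classes of snort.conf problem seen in this thread before Snort aborts
# on the first of them.

# conf_value CONF NAME -> value of the first "var NAME value" line
conf_value() {
    awk -v n="$2" '$1 == "var" && $2 == n { print $3; exit }' "$1"
}

# ipvar_lines CONF -> line numbers of uncommented ipvar definitions
# (a build without IPv6 support rejects these as an unknown rule type)
ipvar_lines() {
    awk '$1 == "ipvar" { print NR }' "$1"
}

# missing_includes CONF -> included rules files that do not exist on disk,
# with $RULE_PATH taken from the conf itself
missing_includes() {
    rule_path=$(conf_value "$1" RULE_PATH)
    pfx='$RULE_PATH/'
    awk '$1 == "include" { print $2 }' "$1" |
    while IFS= read -r f; do
        case $f in
            '$RULE_PATH'/*) f="$rule_path/${f#"$pfx"}" ;;
        esac
        [ -f "$f" ] || printf '%s\n' "$f"
    done
}

# missing_dynamic_dirs CONF -> "dynamic* directory X" paths that do not exist
# (the parser.c "Could not stat dynamic module path" error in Reply #5)
missing_dynamic_dirs() {
    awk '$1 ~ /^dynamic(detection|preprocessor|engine)$/ && $2 == "directory" { print $3 }' "$1" |
    while IFS= read -r d; do
        [ -d "$d" ] || printf '%s\n' "$d"
    done
}

# preflight CONF -> 0 when clean, 1 when something would make Snort abort;
# one line per finding on stdout
preflight() {
    conf=$1
    rc=0
    ip=$(ipvar_lines "$conf" | tr '\n' ' ')
    if [ -n "$ip" ]; then
        echo "ipvar at lines: $ip (change to var on a build without IPv6 support)"
        rc=1
    fi
    for f in $(missing_includes "$conf"); do
        echo "missing rules file: $f"
        rc=1
    done
    for d in $(missing_dynamic_dirs "$conf"); do
        echo "missing dynamic library directory: $d"
        rc=1
    done
    return $rc
}

# Stand-alone use: check the system conf if it is present.
conf=${SNORT_CONF:-/etc/snort/snort.conf}
if [ -f "$conf" ]; then
    preflight "$conf" && echo "$conf: no problems found"
fi
```

A caveat that follows from the touch commands above: an empty rules file satisfies the parser, but it carries no signatures, so a sensor whose blacklist.rules or web-activex.rules is a placeholder silently has no coverage for those categories. The preflight only reports that the file exists; whether it is empty is worth a second check (`wc -l` over $RULE_PATH) before trusting the sensor.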

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #8 on: April 28, 2012, 01:20:00 PM »
Had to # out the lines 189 and 190 - ipv6 again.

Now this:

Quote
[root@icsserver log]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort/dynamicrules...
Warning: No dynamic libraries found in directory /usr/lib/snort/dynamicrules!
  Finished Loading all dynamic detection libs from /usr/lib/snort/dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp normalizations disabled because not inlineWARNING: icmp4 normalizations disabled because not inlineFrag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Problems: 1
    Overlap Limit:     10
    Min fragment Length:     100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
      311 client (Footprint) server (Footprint)
Stream5 UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
      Max Gzip Memory: 838860
      Max Gzip Sessions: 6
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: NO
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports: 21 2100 3535
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Identify open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 465 587 691
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 512
    Max Specific Command Line Length:
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
       XUSR:246
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
SSH config:
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20 
    Max Server Version String Length: 100 
    MaxClientBytes: 19600 (Default)
    Ports:
        22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: co
  Server Default Configuration
    Policy: WinXP
    Detect ports
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Maximum SMB command chaining: 3 commands
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     6907
     7702     7801     7900     7901     7902
     7903     7904     7905     7906     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
Sensitive Data preprocessor config:
    Global Alert Threshold: 25
    Masked Output: DISABLED

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/attack-responses.rules(26) Undefined variable name: HOME_NET.
Fatal Error, Quitting..

[root@icsserver log]#

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #9 on: April 28, 2012, 01:47:40 PM »
Ok, now it turns out that I made a mistake: # out the ipvar stuff? Sheeesh... Talking about a crazy app ;) or user... Or both...

Edit... Instead of #-ing ipvar out, I had to edit the file to change all instances of ipvar to var ;)

Lines 39, 42, 45, 48, 51, 54, 57, 60, 75...

after that...

Quote
[root@icsserver rules]# snort -c /etc/snort/snort.conf -l /var/log/snort/
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort/dynamicrules...
Warning: No dynamic libraries found in directory /usr/lib/snort/dynamicrules!
  Finished Loading all dynamic detection libs from /usr/lib/snort/dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
Log directory = /var/log/snort/
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp normalizations disabled because not inlineWARNING: icmp4 normalizations disabled because not inlineFrag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Problems: 1
    Overlap Limit:     10
    Min fragment Length:     100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 512
    Max Specific Command Line Length:
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
       XUSR:246
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
SSH config:
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20 
    Max Server Version String Length: 100 
    MaxClientBytes: 19600 (Default)
    Ports:
        22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: co
  Server Default Configuration
    Policy: WinXP
    Detect ports
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Maximum SMB command chaining: 3 commands
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     6907
     7702     7801     7900     7901     7902
     7903     7904     7905     7906     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
Sensitive Data preprocessor config:
    Global Alert Threshold: 25
    Masked Output: DISABLED

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
WARNING /etc/snort/rules/chat.rules(33) threshold (in rule) is deprecated; use detection_filter instead.

2823 Snort rules read
    2823 detection rules
    0 decoder rules
    0 preprocessor rules
2823 Option Chains linked into 273 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src     133      18       0       0
|     dst    1978     126       0       0
|     any     402      69     166      43
|      nc      25       8      94      20
|     s+d      12       5       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
| none
+-----------------------[event-filter-local]-----------------------------------
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2 
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2 
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=1991       type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
32 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 211
|     1 byte states : 198
|     2 byte states : 13
|     4 byte states : 0
| Characters        : 45653
| States            : 24429
| Transitions       : 568456
| State Density     : 9.1%
| Patterns          : 3802
| Match States      : 2994
| Memory (MB)       : 12.02
|   Patterns        : 0.26
|   Match Lists     : 0.37
|   DFA
|     1 byte states : 0.97
|     2 byte states : 10.19
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 643 ]
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

[root@icsserver rules]#

so...

Quote
[root@icsserver rules]# snort --daq-dir /usr/lib/daq -c /etc/snort/snort.conf -l /var/log/snort/
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort/dynamicrules...
Warning: No dynamic libraries found in directory /usr/lib/snort/dynamicrules!
  Finished Loading all dynamic detection libs from /usr/lib/snort/dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
Log directory = /var/log/snort/
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp normalizations disabled because not inlineWARNING: icmp4 normalizations disabled because not inlineFrag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Problems: 1
    Overlap Limit:     10
    Min fragment Length:     100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
      311 client (Footprint) server (Footprint)
Stream5 UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
      Max Gzip Memory: 838860
      Max Gzip Sessions: 6
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: NO
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports: 21 2100 3535
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Identify open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 465 587 691
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 512
    Max Specific Command Line Length:
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
       XUSR:246
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
SSH config:
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20 
    Max Server Version String Length: 100 
    MaxClientBytes: 19600 (Default)
    Ports:
        22

BLAH BLAH BLAH

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.13  <Build 18>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>

Commencing packet processing (pid=7548)

Now it still fails as a service, but I guess the /etc/rc.d/init.d/snort file needs to be edited to point to the daq folder :).

Investigating ;)...

« Last Edit: April 28, 2012, 02:32:45 PM by AndrzejL »

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #10 on: April 28, 2012, 03:06:59 PM »
Ok, this is too much for me ;)

Edited line 103 of the file /etc/rc.d/init.d/snort so it looks like this:

Code:
/usr/sbin/snort --daq-dir /usr/lib/daq -c /etc/snort/snort.conf -l /var/log/snort/ -D > /dev/null 2>&1
This way daq is used, the correct conf file is used, logging is enabled, it's in -D mode as in daemon, and it's quiet...

NOW...

Quote
[root@icsserver rules]# service snort status
snort is stopped
[root@icsserver rules]# service snort start
Starting snort:                                                                            [FAILED]
[root@icsserver rules]# service snort status
snort (pid 9104) is running...
[root@icsserver rules]# service snort stop
Stopping snort:                                                                            [  OK ]
[root@icsserver rules]#

Snort starts, but it says it fails :P... Must be the way /etc/rc.d/init.d/snort checks whether it fails or starts...

Oh, here is a way to test the config file:

Quote
[root@icsserver rules]# snort -T -c /etc/snort/snort.conf
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 50505 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort/dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort/dynamicrules...
Warning: No dynamic libraries found in directory /usr/lib/snort/dynamicrules!
  Finished Loading all dynamic detection libs from /usr/lib/snort/dynamicrules
Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort/dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp normalizations disabled because not inlineWARNING: icmp4 normalizations disabled because not inlineFrag3 global config:

BLAH BLAH BLAH

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.21 2011-12-12
           Using ZLIB version: 1.2.5

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.13  <Build 18>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>

Snort successfully validated the configuration!
Snort exiting

[root@icsserver rules]#
« Last Edit: April 28, 2012, 03:10:53 PM by AndrzejL »
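As an added example that is not part of this thread or of the Snort project: a small POSIX shell pre-flight that does the checks the last two replies did by hand, before the init script is touched. It looks for the pcap DAQ module in the --daq-dir, applies the ipvar-to-var rewrite from Reply #9 to a copy of the conf, and classifies the output of snort -T. It assumes DAQ modules are installed as daq_<name>.so (so daq_pcap.so) under /usr/lib/daq and that snort is on $PATH; the sample conf and sample snort output used below are constructed.

```shell
#!/bin/sh
# Pre-flight for the snort invocation used in this thread (added example).
# Assumptions: DAQ modules live in $DAQ_DIR as daq_<name>.so, and
# daq_pcap.so is the module snort needs when it reports "Can't find pcap DAQ!".

DAQ_DIR="${DAQ_DIR:-/usr/lib/daq}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort/}"

# Return 0 if the directory holds the pcap DAQ module, 1 otherwise.
has_pcap_daq() {
    [ -f "$1/daq_pcap.so" ]
}

# Write a copy of conf $1 to $2 with every "ipvar NAME ..." line turned into
# "var NAME ..." (the workaround reported in Reply #9). Only lines that start
# with ipvar are touched, so commented-out lines and other vars are left alone.
ipvar_to_var() {
    sed 's/^ipvar[[:space:]]/var /' "$1" > "$2"
}

# Print how many "ipvar" definitions a conf file still contains.
count_ipvar() {
    grep -c '^ipvar[[:space:]]' "$1" || true   # grep exits 1 on zero matches
}

# Classify captured "snort -T" output: prints ok, error or unknown and
# returns 0 only for ok. Reads from a file so it can be checked offline.
classify_test_output() {
    if grep -q '^ERROR:' "$1"; then
        echo error; return 1
    elif grep -q 'Snort successfully validated the configuration' "$1"; then
        echo ok; return 0
    else
        echo unknown; return 1
    fi
}

# Full pre-flight: module present, then "snort -T" against the conf.
preflight() {
    if ! has_pcap_daq "$DAQ_DIR"; then
        echo "no daq_pcap.so in $DAQ_DIR: pass the right --daq-dir or install the daq modules" >&2
        return 1
    fi
    out=$(mktemp)
    # -T validates the config and exits; a fatal error exits non-zero, so
    # capture the output rather than letting "set -e" abort the script.
    snort -T --daq-dir "$DAQ_DIR" -c "$SNORT_CONF" > "$out" 2>&1 || true
    verdict=$(classify_test_output "$out" || true)
    if [ "$verdict" != ok ]; then
        echo "snort -T verdict: $verdict" >&2
        grep -E '^(ERROR|Warning|WARNING)' "$out" >&2 || true
        rm -f "$out"
        return 1
    fi
    rm -f "$out"
    echo "config validated; start with:"
    echo "  snort --daq-dir $DAQ_DIR -c $SNORT_CONF -l $SNORT_LOG -D"
}

# Only run the pre-flight when invoked as "sh preflight.sh run", so the file
# can also be sourced for its functions.
if [ "${1-}" = "run" ]; then
    preflight
fi
```

Run it as `DAQ_DIR=/usr/lib/daq sh preflight.sh run` on the sensor; a non-zero exit prints the ERROR and warning lines that snort -T produced.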

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #11 on: April 28, 2012, 03:08:36 PM »
Now I have no idea if this is even a bit correct... I am a messer, not an advanced user, but I got snort to run - I don't know if it runs correctly - I don't know if it's configured correctly, but it runs... Cheers.

Offline Almost-retired

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #12 on: April 28, 2012, 06:43:26 PM »
You obviously got a heck of a lot farther than I did, and I did edit the invocation in the /etc/init.d dir.  According to the man page, /etc/snort/snort.conf is one of its 2 defaults, the other being a .snort directory in the user's ~home.

You also have at least as much time in this as I do, and for that I thank you profusely.

But this apparently meaningless error (meaningless in terms of troubleshooting info, that is), plus the fact that when I google for it I get thousands of hits, makes me inclined to toss this whole thing back in their lap, so I'll go see if they have a mailing list & join it.  I get the impression it could be as simple as a missing closing curly brace or some such head slapper.  I'll leave this active for 2-3 days to see if I can find that magic twanger that makes it Just Work(TM).

Thanks & Cheers, Gene

Offline AndrzejL

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #13 on: April 28, 2012, 07:28:51 PM »
No worries, mate. I like troubleshooting. Now I need to learn how to properly use snort. Sounds like an app worth knowing ;).

I just hope that one of the packagers is using snort full time and can make something out of the mess I posted above ;).

Cheers.

Andy

Offline Almost-retired

Re: snort:ERROR: Can't find pcap DAQ!
« Reply #14 on: April 28, 2012, 07:56:39 PM »
I went to their home page, but got completely turned off.  First, the database update service is subscription only, for a rather nominal fee of $30/year.  And they want you to join their mailing list, but to subscribe, you first have to (apparently) be a member in good standing of google groups, which itself is password protected. I couldn't even get to the ml archives, as everything was behind the password login.  FireFox 12 conveniently filled in my gmail username, and a password row of dots that were invalid.  The row of dots was about 2x the size of the password I would use to log into their webmail server, something it's been in excess of a year since I had to do, to log in and nuke a malformed message that not even fetchmail could be coerced into fetching, which is how I suck my email here and have been for most of a decade, relatively little from gmail in comparison to the volume I pull from the TV station's server.  I am the retired Chief Engineer there, and have an account for life.

I don't mind them making money from the update subscription service, but I mind the hiding of the whole thing behind a google login, even for the so-called mailing list they want everybody to migrate to.  I mind that, a lot.  There is a vulgar saying that ends with "you, and the camel that rode in on you" that applies here.  Top that off with its now being the preferred IDS at DHS & TSA, who are busy blowing taxpayers' money by the billions for no visible benefit to the flying public, and I see red, and just not in the ink in their budget.

Now I am a bit smarter.  I also have at least 4 more firewall layers between me and the cable modem, so I expect I can muddle along for quite a while, given that the root login here needs most of the universe's remaining time for John T.R. to crack.

In fact, given the frequency of updates to clamav, it blows me away that clamav doesn't have a hand out to pay for the bandwidth & hardware to service clamav!

Again, many thanks & Cheers, Gene