[snort] Commande de démarrage
Fermé
oasis_5
Messages postés
27
Date d'inscription
mardi 21 février 2006
Statut
Membre
Dernière intervention
8 décembre 2006
-
8 déc. 2006 à 23:13
cool - 2 déc. 2009 à 21:50
cool - 2 déc. 2009 à 21:50
A voir également:
- Redemarage forcé src
- Invite de commande - Guide
- Pc lent au démarrage - Guide
- Forcer demarrage pc - Guide
- Ecran noir demarrage pc - Guide
- Commande terminal mac - Guide
2 réponses
sallagary
Messages postés
5
Date d'inscription
mercredi 26 juillet 2006
Statut
Membre
Dernière intervention
12 juillet 2007
2
12 juil. 2007 à 18:47
12 juil. 2007 à 18:47
BONJOUR,
je voulais vous demandre si quelqu'un a une idée sur le message que je recois au demarrage de snort avec mysql
je fais
[root@localhost snort-2.6.1.5]# /usr/local/snort-2.6.1.5/src/snort -c /etc/snort/snort.conf
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'SMTP_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'SQL_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'TELNET_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'SNMP_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(440) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
6005 Snort rules read...
6005 Option Chains linked into 233 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
49 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 192.168.0.91
database: sensor id = 1
database: schema version = 107
database: using the "log" facility
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size : 256 Chars
| Sizeof State : 2 bytes
| Storage Format : Full
| Num States : 130970
| Num Transitions : 5121344
| State Density : 15.3%
| Finite Automatum : DFA
| Memory : 187.93Mbytes
+-------------------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.6.1.5 (Build 59)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
Preprocessor Object: SF_DNS Version 1.0 <Build 2>
Not Using PCAP_FRAMES
-----------------------------
Maintenant je vous demande pourquoi il me met : Not Using PCAP_FRAMES
je voulais vous demandre si quelqu'un a une idée sur le message que je recois au demarrage de snort avec mysql
je fais
[root@localhost snort-2.6.1.5]# /usr/local/snort-2.6.1.5/src/snort -c /etc/snort/snort.conf
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'SMTP_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'HTTP_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'SQL_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'TELNET_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'SNMP_SERVERS' defined, value len = 14 chars, value = 192.168.0.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(440) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
6005 Snort rules read...
6005 Option Chains linked into 233 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
Autodetect ports ENABLED
SMB fragmentation ENABLED
DCE/RPC fragmentation ENABLED
Max Frag Size: 3000 bytes
Memcap: 100000 KB
Alert if memcap exceeded DISABLED
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
49 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 192.168.0.91
database: sensor id = 1
database: schema version = 107
database: using the "log" facility
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size : 256 Chars
| Sizeof State : 2 bytes
| Storage Format : Full
| Num States : 130970
| Num Transitions : 5121344
| State Density : 15.3%
| Finite Automatum : DFA
| Memory : 187.93Mbytes
+-------------------------------------------------------------
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.6.1.5 (Build 59)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
Preprocessor Object: SF_DNS Version 1.0 <Build 2>
Not Using PCAP_FRAMES
-----------------------------
Maintenant je vous demande pourquoi il me met : Not Using PCAP_FRAMES
2 déc. 2009 à 21:50
moi aussi j'utilise snort ,je voulais te dire que le msg "not using pcap frames" ne signifie pas une erreur mais signifie tout simplement que snort est en ecoute ,et est pret à detecter les attaques.
pour s'assurer, essaie de lancer un scan de port(par exemple avec l'utilitaire nmap ) d'une autre machine A, vers une autre machine B, et tu va constater que snort a journaliser ce scan (qui est considéré comme attaque) dans le fichier /var/log/snort/alert.
Bon courage