Peter Rodger 2005-10-24, 9:47 am
| --0-85801673-1129816787=:73563
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Content-Id:
Content-Disposition: inline
Hi
Thanks for your hint. The output had an error as I
forgot to specify -l on the command line. The attached is
the right output after I specified the -l switch on the
command line.
Here is the last part of output:
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
+-----------------------[suppression]------------------------------------------
| gen-id=119 sig-id=4 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=19 tracking=dstip=0.0.0.0 mask=0.0.0.0
*****************
It looks like it reads the threshold.conf but cannot
suppress the alerts. Why?
Any help will be appreciated. I am just too upset
with that.
Thanks,
Peter
--- João Mota <joao@3gnt.net> wrote:
> Peter Rodger wrote:
>
> Well... try to follow the instructions given. What's
> the output
> configuration line? Have you tried replacing the ''
> with '/' or
> vice-versa in the logs path?
>
> If Snort isn't starting how can you be getting
> alerts? When you figure
> out what's wrong with the output dir send the
> Snort's output concerning
> the thresholding.
>
> Good hunting 
>
>
Attachment output.txt:
D:\win-ids\Snort\bin>snort -c d:\win-ids\snort\etc\snort.conf -l d:\win-ids\snort\log
Running in IDS mode
Initializing Network Interface \Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file d:\win-ids\snort\etc\snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: d:\win-ids\snort\etc\unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
Using LOCAL time
alert_syslog output processor is defaulting to syslog server on 127.0.0.1 port 514!
database: compiled support for ( mysql odbc mssql )
database: configured to use mssql
database: database name = snort
database: user = snort
database: password is set
database: host = localhost
database: port = 1433
database: sensor name = TESTIDS:\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database: sensor id = 1
database: inconsistent cid information for sid=1
Recovering by rolling forward the cid=38534
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc mssql )
database: configured to use mssql
database: database name = snort
database: user = snort
database: password is set
database: host = localhost
database: port = 1433
database: sensor name = TESTIDS:\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
2111 Snort rules read...
2111 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'http.jpeg' is checked but not ever set.
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
+-----------------------[suppression]------------------------------------------
| gen-id=119 sig-id=4 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=19 tracking=dstip=0.0.0.0 mask=0.0.0.0
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = d:\win-ids\snort\log
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.0-ODBC-MySQL-MSSQL-FlexRESP-WIN32 (Build 10)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et al.
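The thresholding-local and suppression entries Snort printed above say what was parsed, but not what each entry does to a stream of alerts. The script below is an added example (not code from the thread or from the Snort project): it re-enters those entries as data and replays a constructed alert stream through a small model of the Snort 2.x event-filter semantics as the Snort manual documents them (limit = alert on the first m events per window, threshold = alert every m events, both = alert once per window after m events; tracking by source or destination IP; suppress entries compared as ip-and-mask, so an all-zero mask matches every address). The window handling (a window opens on the first event and is reset once `seconds` have elapsed) is this example's reading of the manual, not Snort's own source, and the timestamps, addresses and the extra sig-id 9999 are constructed.

```python
"""Replay constructed alerts through the threshold/suppress entries Snort listed.

Added example; the filter semantics follow the Snort 2.x manual, the data
and the window/reset details are this example's own assumptions.
"""
from ipaddress import ip_address

# The thresholding-local entries exactly as Snort printed them in the thread.
# (gen_id, sig_id, type, track, count, seconds)
THRESHOLDS = [
    (1, 3273, "threshold", "src", 5, 2),
    (1, 3543, "threshold", "src", 5, 2),
    (1, 3152, "threshold", "src", 5, 2),
    (1, 2523, "both", "dst", 10, 10),
    (1, 2275, "threshold", "dst", 5, 60),
    (1, 3542, "threshold", "src", 5, 2),
    (1, 3527, "limit", "dst", 5, 60),
]
# The suppression entries as printed: (gen_id, sig_id, track, ip, mask)
SUPPRESSIONS = [
    (119, 4, "dst", "0.0.0.0", "0.0.0.0"),
    (122, 27, "dst", "0.0.0.0", "0.0.0.0"),
    (122, 19, "dst", "0.0.0.0", "0.0.0.0"),
]


class EventFilter:
    """Model of Snort 2.x thresholding and suppression (assumed semantics)."""

    def __init__(self, thresholds, suppressions):
        self.thresholds = {(g, s): (kind, track, m, secs)
                           for g, s, kind, track, m, secs in thresholds}
        self.suppressions = suppressions
        # (gen_id, sig_id, tracked ip) -> (window_start, count)
        self.state = {}

    @staticmethod
    def ip_match(addr, rule_ip, mask):
        """Masked compare: with mask 0.0.0.0 every address matches."""
        a, r, m = (int(ip_address(x)) for x in (addr, rule_ip, mask))
        return (a & m) == (r & m)

    def decide(self, t, gen_id, sig_id, src, dst):
        """Return True if the alert is emitted, False if filtered out."""
        # Suppression is checked first and never counts toward a threshold.
        for g, s, track, rule_ip, mask in self.suppressions:
            tracked = dst if track == "dst" else src
            if (g, s) == (gen_id, sig_id) and self.ip_match(tracked, rule_ip, mask):
                return False
        entry = self.thresholds.get((gen_id, sig_id))
        if entry is None:
            return True          # no entry: the alert passes untouched
        kind, track, m, seconds = entry
        key = (gen_id, sig_id, dst if track == "dst" else src)
        start, count = self.state.get(key, (None, 0))
        if start is None or t - start >= seconds:
            start, count = t, 0  # assumption: window opens on first event
        count += 1
        self.state[key] = (start, count)
        if kind == "limit":      # first m per window alert, the rest are dropped
            return count <= m
        if kind == "threshold":  # every m-th occurrence alerts, then recount
            if count >= m:
                self.state[key] = (t, 0)
                return True
            return False
        if kind == "both":       # exactly one alert per window, on the m-th hit
            return count == m
        raise ValueError(f"unknown threshold type {kind!r}")


def replay(filt, events):
    """Return the indexes of the events that survive filtering."""
    return [i for i, ev in enumerate(events) if filt.decide(*ev)]


# Constructed sample alert stream: (time_s, gen_id, sig_id, src, dst)
SAMPLE_EVENTS = (
    # indexes 0-6: seven hits of sig 3273 from one source inside one second
    [(0.1 * i, 1, 3273, "10.0.0.5", "192.0.2.10") for i in range(7)]
    # indexes 7-13: seven hits of sig 3527 (limit 5 per 60 s, by dst)
    + [(10.0 + i, 1, 3527, f"10.0.0.{i}", "192.0.2.20") for i in range(7)]
    # indexes 14-25: twelve hits of sig 2523 (both, 10 per 10 s, by dst)
    + [(30.0 + i, 1, 2523, f"10.0.0.{i}", "192.0.2.40") for i in range(12)]
    # index 26: gen 119 sig 4 is suppressed for every destination
    + [(50.0, 119, 4, "10.0.0.9", "192.0.2.30")]
    # index 27: constructed sig 9999 has no entry and passes
    + [(51.0, 1, 9999, "10.0.0.9", "192.0.2.30")]
)

if __name__ == "__main__":
    kept = replay(EventFilter(THRESHOLDS, SUPPRESSIONS), SAMPLE_EVENTS)
    for i in kept:
        print("ALERT", SAMPLE_EVENTS[i])
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} alerts emitted")
```

Running it shows the shape each type imposes: the 5-per-2-second threshold on sig 3273 emits only the fifth hit, the limit on sig 3527 emits the first five and drops the rest of the minute, the "both" entry on sig 2523 emits a single alert on the tenth hit, and the all-zero-mask suppress entries silence gen 119 sig 4 regardless of destination. Feeding the script the gen-id/sig-id pairs you still see in the database is a quick way to confirm whether an entry in threshold.conf even applies to them.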
Snort-users mailing list
Snort-users@lists.sourceforge.net