pcap
a guest
Jul 25th, 2014
# snort -r /data/test.pcap -c /data/Snort/snort-2.9.6.1/etc/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/data/Snort/snort-2.9.6.1/etc/snort.conf"
pcap: old 64bit kernel detected, apply workaround for tpacket_v1 interface
pcap: old 64bit kernel detected, apply workaround for tpacket_v1 interface
pcap: old 64bit kernel detected, apply workaround for tpacket_v1 interface
pcap: old 64bit kernel detected, apply workaround for tpacket_v1 interface
pcap: old 64bit kernel detected, apply workaround for tpacket_v1 interface
PortVar 'HTTP_PORTS' defined : [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined : [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Found profile_preprocs config directive (print all, sort avg_ticks)
Found profile_rules config directive (print all, sort avg_ticks)
Tagged Packet Limit: 256
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl: 1
    Fragment Anomalies: Alert
    Overlap Limit: 10
    Min fragment Length: 100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 262144
    TCP cache pruning timeout: 30 seconds
    TCP cache nominal timeout: 3600 seconds
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    UDP cache pruning timeout: 30 seconds
    UDP cache nominal timeout: 180 seconds
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 2 active responses
    Wait at least 5 seconds between responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16000
    Max Expected Streams: 768
Stream5 TCP Policy config:
    Bound Address: default
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      36 client (Footprint) server (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      70 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      81 client (Footprint) server (Footprint)
      82 client (Footprint) server (Footprint)
      83 client (Footprint) server (Footprint)
      84 client (Footprint) server (Footprint)
      85 client (Footprint) server (Footprint)
      86 client (Footprint) server (Footprint)
      87 client (Footprint) server (Footprint)
      88 client (Footprint) server (Footprint)
      89 client (Footprint) server (Footprint)
      90 client (Footprint) server (Footprint)
      additional ports configured but not printed.
Stream5 UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /data/Snort/snort-2.9.6.1/etc/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 9532
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712
      Server Flow Depth: 10
      Client Flow Depth: 10
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: YES
      Inspect HTTP Cookies: NO
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: YES
      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
pcap DAQ configured to read-file.
Acquiring network traffic from "/data/test.pcap".
Reload thread starting...
Reload thread started, thread 0xe7a32b90 (615)
WARNING: active responses disabled since DAQ can't inject packets.

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.1 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 7.0 18-Dec-2006
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=614)
===============================================================================
Run time for packet processing was 1.30 seconds
Snort processed 24 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:           24
Preprocessor Profile Statistics (all)
==========================================================
 Num  Preprocessor          Layer  Checks  Exits  Microsecs  Avg/Check  Pct of Caller  Pct of Total
 ===  ============          =====  ======  =====  =========  =========  =============  ============
  1   httpinspect               0       4      4        100      25.07          36.14         36.14
  2   s5                        0      20     20        195       9.76          70.37         70.37
   1  s5tcp                     1      20     20        185       9.28          95.10         66.92
    1 s5TcpNewSess              2       1      1          9       9.87           5.32          3.56
    2 s5TcpState                2      19     19        167       8.83          90.35         60.46
     1 s5TcpFlush               3       2      2          5       3.00           3.57          2.16
      1 s5TcpProcessRebuilt     4       2      2         96      48.20        1608.89         34.75
      2 s5TcpBuildPacket        4       2      2          0       0.46          15.49          0.33
     2 s5TcpData                3       4      4         10       2.67           6.36          3.85
      1 s5TcpPktInsert          4       4      4          6       1.73          64.99          2.50
     3 s5TcpPAF                 3      17     17         16       0.98           9.97          6.03
  3   mpse                      1       1      1          1       1.96            inf          0.71
  4   decode                    0      24     24         23       0.99           8.54          8.54
  5   eventq                    0      50     50          5       0.11           2.02          2.02
 total total                    0      24     24        277      11.56           0.00          0.00
Rule Profile Statistics (all rules)
==========================================================
No rules were profiled
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       2932736
  Bytes in mapped regions (hblkhd):      6873088
  Total allocated space (uordblks):      1191904
  Total free space (fordblks):           1740832
  Topmost releasable block (keepcost):   5856
===============================================================================
Packet I/O Totals:
   Received:           24
   Analyzed:           24 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:           24 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           20 ( 83.333%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:           20 ( 83.333%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            4 ( 16.667%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:           24
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           24 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 1
              TCP sessions: 1
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 2
     TCP Segments Released: 2
       TCP Rebuilt Packets: 2
         TCP Segments Used: 2
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 20
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          1
    HTTP Request Headers extracted:       1
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              4
===============================================================================
Snort exiting