[root@sunflower student]# /usr/local/bin/snort -r hp0_130.pcap -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules

Detection:
    Search-Method = Low-Mem
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests: 0
      Inspection Type: STATELESS
      Detect Proxy Usage: NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900
7211 Snort rules read...
7211 Option Chains linked into 250 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log

Log directory = /var/log/snort

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: STATEFUL
    Normalize Spaces: YES
    Ignore Data: NO
    Ignore TLS Data: NO
    Ignore Alerts: NO
    Max Command Length: 0
    Max Header Line Length: 0
    Max Response Line Length: 0
    X-Link2State Alert: YES
    Drop on X-Link2State Alert: NO
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'mspub_header' is set but not ever checked.
Warning: flowbits key 'mssearch_file.request' is set but not ever checked.
Warning: flowbits key 'sylk.download' is set but not ever checked.
Warning: flowbits key 'access.download' is set but not ever checked.
Warning: flowbits key 'emf.request' is set but not ever checked.
Warning: flowbits key 'works.download' is set but not ever checked.
Warning: flowbits key 'dce.mqqm.bind' is set but not ever checked.
59 out of 512 flowbits in use.

TCPDUMP file reading mode.
Reading network traffic from "hp0_130.pcap" file.
snaplen = 65535

database: compiled support for ( mysql )
database: configured to use mysql
database: user = root
database: password is set
database: database name = db
database: host = localhost
database: sensor name = sunflower:[reading from a file]
ERROR: database: mysql_error: Access denied for user 'root'@'localhost' (using password: YES)
Fatal Error, Quitting..