[root@sunflower student]# /usr/local/bin/snort -r hp0_130.pcap -c /etc/snort/snort.conf
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
Detection:
Search-Method = Low-Mem
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
7211 Snort rules read...
7211 Option Chains linked into 250 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'mspub_header' is set but not ever checked.
Warning: flowbits key 'mssearch_file.request' is set but not ever checked.
Warning: flowbits key 'sylk.download' is set but not ever checked.
Warning: flowbits key 'access.download' is set but not ever checked.
Warning: flowbits key 'emf.request' is set but not ever checked.
Warning: flowbits key 'works.download' is set but not ever checked.
Warning: flowbits key 'dce.mqqm.bind' is set but not ever checked.
59 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "hp0_130.pcap" file.
snaplen = 65535
database: compiled support for ( mysql )
database: configured to use mysql
database: user = root
database: password is set
database: database name = db
database: host = localhost
database: sensor name = sunflower:[reading from a file]
ERROR: database: mysql_error: Access denied for user 'root'@'localhost' (using password: YES)
Fatal Error, Quitting..