Snort mailing list archives

Re: Continuous packet streaming on boot of CentOS 6.3 64 bit
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Tue, 11 Jun 2013 17:41:20 +0530

Hello,

   This is a block of code present in my /etc/init.d/snort file:

    if [ "$CONF"X = "X" ]; then
        CONF="-c /etc/snort/snort.conf"
    else
        CONF="-c $CONF"
    fi
    which means Snort knows where the snort.conf file is!!

    http://pastebin.com/jTpKk2dR

    And I am also unable to change the boot mode in CentOS from 0 to any other number.

    If I try to do so, it reverts back to 0.

    Is it a network-related or some other error??

    I am totally blocked now!!

    Seeking guidance,

    Thanks !!
--
Cheers,
Mayur.


On Tue, Jun 11, 2013 at 4:16 PM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Thanks sir for the reply.


Until you get Snort configured to do what you want


 I want to use Snort in IDS mode with network intrusion detection capability.


I suggest disabling the script from start up.  That depends on how you
enabled the script.


 This is my last saved script at /etc/init.d/snort, which is
responsible for the boot. Please have a look:

 http://pastebin.com/jTpKk2dR


Yes, and the solution is to disable the script or fix it as I explained
earlier by adding a snort.conf to Snort's command line.  Adding a conf will
allow Snort to inspect the traffic and output any alerts instead of dumping
all the packets.


 I am confused at this point about HOW TO LOG IN TO CENTOS, as neither the GUI
nor the CLI is responding.

 Seeking guidance,


 Thanks !!


On Tue, Jun 11, 2013 at 2:39 PM, Russ Combs <rcombs () sourcefire com> wrote:



On Tue, Jun 11, 2013 at 4:57 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:

The problem is that when I connect the cable I am able to ping the machine but
am still unable to ssh.

When I try to do ssh from other machine, it says connection refused.

Now I connect the cable and reboot the system. When the system starts, it
automatically starts checking packets, i.e. packet dump mode.

I think the Snort script is preventing CentOS from booting into the GUI as well as the CLI.


Most likely your system is just slow to respond to your input because it
is bogged down dumping packets.


I am pretty sure that this is Snort script problem.


Yes, and the solution is to disable the script or fix it as I explained
earlier by adding a snort.conf to Snort's command line.  Adding a conf will
allow Snort to inspect the traffic and output any alerts instead of dumping
all the packets.


Now what to do ??


Until you get Snort configured to do what you want, I suggest disabling
the script from start up.  That depends on how you enabled the script.


Please correct me if I am wrong!!

Seeking your guidance,

Thanks !!

On Tue, Jun 11, 2013 at 2:09 PM, Russ Combs <rcombs () sourcefire com> wrote:



On Tue, Jun 11, 2013 at 4:26 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:

The snort message is as follows:

Initializing output plugins !!

pcap DAQ is configured to passive.

Acquiring network traffic from "eth0"

Decoding ethernet

    --==Initialization Complete==--

Snort
.
.
.
. //messages of version number
.
.
.

Commencing packet processing (pid=1668)

and it stopped there!!

I unplugged the network cable and got the above output.

If "shell in" means getting the grub console, then yes!!


I meant ssh but if unplugging the cable works, that's great.


I can get grub console.

Looking forward to your guidance,


I'm guessing that you are still in packet dump mode and that you really
want IDS mode.  Do you know what the command line arguments to Snort are?
 If it is running now you can do something like "ps alx | grep snort" to
see.  You need to add -c snort.conf to run in IDS mode.

On Tue, Jun 11, 2013 at 1:45 PM, Russ Combs <rcombs () sourcefire com> wrote:



On Tue, Jun 11, 2013 at 4:12 AM, Mayur Patil <
ram.nath241089 () gmail com> wrote:

Thanks Russ sir for reply.

My problem is that I am unable to log into command line mode, i.e.
Ctrl+Alt+F2,

and also the GUI mode of CentOS. And after that I have to add this path.

Would you please guide me on how to do that? It would be a great help!!

Can you shell in?  If that doesn't work, try unplugging your network
cable(s).


Thank you !!

On Tue, Jun 11, 2013 at 1:33 PM, Russ Combs <rcombs () sourcefire com> wrote:

On Tue, Jun 11, 2013 at 3:41 AM, Mayur Patil <
ram.nath241089 () gmail com> wrote:

Hello,

 I am seeing something like this

 06/11 11:0246  10.1.46.123:136 -> 10.1.46.255:137
 UDP:TTL :128 TOS:8 ID:20 IpLen:20 DgmLen:78 Len:50

 in a continuous stream of packets.

 Now I am sure that this is the Snort startup script
problem.....!!

 At the start I saw the message "starting snort in packet
dump mode".

 Please help: how do I disable this mode, or stop the snort script from
loading at boot time??


Running in packet dump mode is because you don't have a "-c
path/snort.conf" option on your command line.


On Tue, Jun 11, 2013 at 11:00 AM, Mayur Patil <
ram.nath241089 () gmail com> wrote:

Hello,

   I am stuck on one issue. I am unable to see either the GUI or
the CLI for CentOS 6.3.

   Description as follows:

   I was just checking my snort script on the CentOS machine
yesterday, so I left the machine as it was.

   When I came today, the screen location had changed on the desktop, so I
adjusted it and rebooted.

   When I rebooted it took a long time to boot, so I pressed a key
on the keyboard and it showed

   fast continuous streaming, no idea of what, seeming to be
many packets,

   somewhat like

   UDP---TLS-----255.255.255.0 ------------------->

    this. When I try Ctrl+Alt+F2, nothing happens.

    I am also unable to log in through PuTTY, but I am able to ping
the machine.

    How do I stop this packet streaming??

    Need help please!!
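The two checks the thread keeps coming back to, as an added example that is not part of the original thread or of the Snort project: the CONF fallback from the quoted /etc/init.d/snort block, and Russ Combs' advice to look at the running Snort command line (as with "ps alx | grep snort") for a "-c snort.conf" option, since a command line without one leaves Snort in packet dump mode. The command lines below are constructed stand-ins for what ps would print; the paths /usr/sbin/snort and /etc/snort/snort.conf, the running_snort_cmdline helper and its use of "ps -eo args" (procps on Linux) are assumptions for the example.

```shell
#!/bin/sh
# Added example: check whether a Snort command line puts Snort in IDS mode
# ("-c <snort.conf>" present) or leaves it in packet dump mode.

# Mirror of the CONF logic quoted from /etc/init.d/snort above: an empty
# CONF falls back to /etc/snort/snort.conf, otherwise the given path is used.
build_conf_arg() {
  CONF="$1"
  if [ "$CONF"X = "X" ]; then
    CONF="-c /etc/snort/snort.conf"
  else
    CONF="-c $CONF"
  fi
  echo "$CONF"
}

# Classify a Snort command line: prints "ids" when a "-c" option is followed
# by a conf path, otherwise "packet-dump" (a bare trailing "-c" does not count).
snort_mode() {
  # shellcheck disable=SC2086  # word splitting of the command line is intended
  set -- $1
  while [ $# -gt 0 ]; do
    if [ "$1" = "-c" ] && [ -n "$2" ]; then
      echo "ids"
      return 0
    fi
    shift
  done
  echo "packet-dump"
  return 0
}

# Fetch the running Snort's full command line (assumed: procps "ps -eo args"),
# or print nothing when Snort is not running or ps is unavailable.
running_snort_cmdline() {
  ps -eo args 2>/dev/null | grep -E '^[^ ]*snort( |$)' | head -n 1
}

# Constructed command lines standing in for what ps would show (not real output).
DUMP_CMD="/usr/sbin/snort -i eth0 -v"
IDS_CMD="/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -D"

echo "$DUMP_CMD  ->  $(snort_mode "$DUMP_CMD")"
echo "$IDS_CMD  ->  $(snort_mode "$IDS_CMD")"
echo "init script with empty CONF uses: $(build_conf_arg '')"

# Only reached on a host that actually has Snort running.
live=$(running_snort_cmdline)
if [ -n "$live" ]; then
  echo "running snort: $live  ->  $(snort_mode "$live")"
fi
```

If the script is registered with chkconfig, as SysV init scripts on CentOS 6 usually are (an assumption; the thread notes it depends on how the script was enabled), "chkconfig snort off" keeps it from starting at boot and "service snort stop" stops the running instance, which gives you a responsive console to fix the command line before re-enabling it.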

