Home page logo
/

snort logo Snort mailing list archives

Re: 0 byte unifed log output
From: Ashraf Ali <ashrafali.ibs () gmail com>
Date: Thu, 25 Apr 2013 10:20:07 +0530

Hi John,

I had the similar problem , but i was using registered rules.
i sorted out the problem by downloading the latest snapshot(rules) on my
machine, and copied the relevant rules in single file say new.rules, in the
snort.conf file i have included this file only (removed or # the existing
include statement of rules)

And restarted the snort and barnyard2 , i started getting the alerts.

Regards.
Ashraf
Security System Engineer.



On Wed, Apr 24, 2013 at 9:22 PM, John Ainsworth <
john.ainsworth () thebookpeople co uk> wrote:

Hi****

** **

Im pulling my hair out on this problem****

** **

I have installed Snort on Ubunutu 12.04 , 2 nics eth0 used for management
eth1 is receiving traffic that is coming into our firewall via SPAN on the
switch****

** **

If I run snort –v I can see traffic racing past so confident that the SPAN
is working and eth1 is seeing the traffic.****

Output is specified as unified log in /var/log/snort but the unified file
is always 0bytes in size****

-rw------- 1 snort snort    0 Apr 24 16:12 snort.u2.1366816353****

-rw------- 1 snort snort    0 Apr 24 16:34 snort.u2.1366817650****

-rw------- 1 snort snort    0 Apr 24 16:41 snort.u2.1366818087****

-rw-r--r-- 1 snort snort 2056 Apr 24 16:41 barnyard2.waldo****

** **

** **

I have even removed snort and used the autosnort script developed by da667
https://github.com/da667/Autosnort but get exactly the same issue****

I have bought a subscription and have the latest rules****

** **

I start it via rc.local using****

** **

/usr/local/snort/bin/snort -D -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth1****

** **

If I start it manually via****

/usr/local/snort/bin/snort  -u snort -g snort -c
/usr/local/snort/etc/snort.conf -i eth1****

** **

I get the below output but still the same issue, I cant believe none of
the traffic is matching rules as it’s a busy website that we are mirroring,
I even tried goin to testmyids.com from a machine to try and generate an
alert****

** **

** **

Anyone seen this or head of it, driving me mad!****

** **

Thanks****

Running in IDS mode****

** **

        --== Initializing Snort ==--****

Initializing Output Plugins!****

Initializing Preprocessors!****

Initializing Plug-ins!****

Parsing Rules file "/usr/local/snort/etc/snort.conf"****

PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 631 901 1220 1414
1741 1****

830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145
7510 7****

777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8222
8243 8****

280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371
34443:34444 410****

80 50002 55555 ]****

PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]****

PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]****

PortVar 'SSH_PORTS' defined :  [ 22 ]****

PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]****

PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]****

PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 631
901 122****

0 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988
7000:7001 714****

4:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123
8180:818****

1 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999
11371 34****

443:34444 41080 50002 55555 ]****

PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]****

Detection:****

   Search-Method = AC-Full-Q****

    Split Any/Any group = enabled****

    Search-Method-Optimizations = enabled****

    Maximum pattern length = 20****

Tagged Packet Limit: 256****

Loading dynamic engine
/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so.****

.. done****

Loading all dynamic detection libs from
/usr/local/snort/lib/snort_dynamicrules.****

..****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/web-****

client.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/mult****

imedia.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/imap****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/icmp****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/nntp****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/misc****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/web-****

misc.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/dos.****

so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/web-****

iis.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/web-****

activex.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/bad-****

traffic.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/p2p.****

so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/smtp****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/snmp****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/chat****

.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/spec****

ific-threats.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/expl****

oit.so... done****

  Loading dynamic detection library
/usr/local/snort/lib/snort_dynamicrules/netb****

ios.so... done****

  Finished Loading all dynamic detection libs from
/usr/local/snort/lib/snort_dy****

namicrules****

Loading all dynamic preprocessor libs from
/usr/local/snort/lib/snort_dynamicpre****

processor/...****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_sdf_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_imap_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_ssh_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_ssl_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_dns_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_reputation_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_dnp3_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_pop_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_sip_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_gtp_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_dce2_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_modbus_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_smtp_preproc.so... done****

  Loading dynamic preprocessor library
/usr/local/snort/lib/snort_dynamicpreproc****

essor//libsf_ftptelnet_preproc.so... done****

  Finished Loading all dynamic preprocessor libs from
/usr/local/snort/lib/snort****

_dynamicpreprocessor/****

Log directory = /var/log/snort****

WARNING: ip4 normalizations disabled because not inline.****

WARNING: tcp normalizations disabled because not inline.****

WARNING: icmp4 normalizations disabled because not inline.****

WARNING: ip6 normalizations disabled because not inline.****

WARNING: icmp6 normalizations disabled because not inline.****

Frag3 global config:****

    Max frags: 65536****

    Fragment memory cap: 4194304 bytes****

Frag3 engine config:****

    Bound Address: default****

    Target-based policy: WINDOWS****

    Fragment timeout: 180 seconds****

    Fragment min_ttl:   1****

    Fragment Anomalies: Alert****

    Overlap Limit:     10****

    Min fragment Length:     100****

Stream5 global config:****

    Track TCP sessions: ACTIVE****

    Max TCP sessions: 262144****

    Memcap (for reassembly packet storage): 8388608****

    Track UDP sessions: ACTIVE****

   Max UDP sessions: 131072****

    Track ICMP sessions: INACTIVE****

    Track IP sessions: INACTIVE****

    Log info if session memory consumption exceeds 1048576****

    Send up to 2 active responses****

    Wait at least 5 seconds between responses****

    Protocol Aware Flushing: ACTIVE****

        Maximum Flush Point: 16000****

Stream5 TCP Policy config:****

    Bound Address: default****

    Reassembly Policy: WINDOWS****

    Timeout: 180 seconds****

    Limit on TCP Overlaps: 10****

    Maximum number of bytes to queue per session: 1048576****

    Maximum number of segs to queue per session: 2621****

    Options:****

        Require 3-Way Handshake: YES****

        3-Way Handshake Timeout: 180****

        Detect Anomalies: YES****

    Reassembly Ports:****

      21 client (Footprint)****

      22 client (Footprint)****

      23 client (Footprint)****

      25 client (Footprint)****

      42 client (Footprint)****

      53 client (Footprint)****

      70 client (Footprint)****

      79 client (Footprint)****

      80 client (Footprint) server (Footprint)****

      81 client (Footprint) server (Footprint)****

      109 client (Footprint)****

      110 client (Footprint) server (Footprint)****

      111 client (Footprint)****

      113 client (Footprint)****

      119 client (Footprint)****

      135 client (Footprint)****

      136 client (Footprint)****

      137 client (Footprint)****

      139 client (Footprint)****

      143 client (Footprint)****

      additional ports configured but not printed.****

Stream5 UDP Policy config:****

    Timeout: 180 seconds****

HttpInspect Config:****

    GLOBAL CONFIG****

      Max Pipeline Requests:    0****

      Inspection Type:          STATELESS****

      Detect Proxy Usage:       NO****

      IIS Unicode Map Filename: /usr/local/snort/etc/unicode.map****

      IIS Unicode Map Codepage: 1252****

      Memcap used for logging URI and Hostname: 150994944****

      Max Gzip Memory: 838860****

      Max Gzip Sessions: 5518****

      Gzip Compress Depth: 65535****

      Gzip Decompress Depth: 65535****

    DEFAULT SERVER CONFIG:****

      Server profile: All****

      Ports (PAF): 80 81 311 383 591 593 631 901 1220 1414 1741 1830 2301
2381 2****

809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779
8000 8****

008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300
8800 8****

888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002
55555****

      Server Flow Depth: 0****

      Client Flow Depth: 0****

      Max Chunk Length: 500000****

      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times**
**

      Max Header Field Length: 750****

      Max Number Header Fields: 100****

      Max Number of WhiteSpaces allowed with header folding: 200****

      Inspect Pipeline Requests: YES****

      URI Discovery Strict Mode: NO****

      Allow Proxy Usage: NO****

      Disable Alerting: NO****

      Oversize Dir Length: 500****

      Only inspect URI: NO****

      Normalize HTTP Headers: NO****

      Inspect HTTP Cookies: YES****

      Inspect HTTP Responses: YES****

      Extract Gzip from responses: YES****

      Unlimited decompression of gzip data from responses: YES****

      Normalize Javascripts in HTTP Responses: YES****

      Max Number of WhiteSpaces allowed with Javascript Obfuscation in
HTTP resp****

onses: 200****

      Normalize HTTP Cookies: NO****

      Enable XFF and True Client IP: NO****

      Log HTTP URI data: NO****

      Log HTTP Hostname data: NO****

      Extended ASCII code support in URI: NO****

      Ascii: YES alert: NO****

      Double Decoding: YES alert: NO****

      %U Encoding: YES alert: YES****

      Bare Byte: YES alert: NO****

      UTF 8: YES alert: NO****

      IIS Unicode: YES alert: NO****

      Multiple Slash: YES alert: NO****

      IIS Backslash: YES alert: NO****

      Directory Traversal: YES alert: NO****

      Web Root Traversal: YES alert: NO****

      Apache WhiteSpace: YES alert: NO****

      IIS Delimiter: YES alert: NO****

      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG****

      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
****

      Whitespace Characters: 0x09 0x0b 0x0c 0x0d****

rpc_decode arguments:****

    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
32777****

32778 32779****

    alert_fragments: INACTIVE****

    alert_large_fragments: INACTIVE****

    alert_incomplete: INACTIVE****

    alert_multiple_requests: INACTIVE****

FTPTelnet Config:****

    GLOBAL CONFIG****

      Inspection Type: stateful****

      Check for Encrypted Traffic: YES alert: NO****

      Continue to check encrypted data: YES****

    TELNET CONFIG:****

      Ports: 23****

      Are You There Threshold: 20****

      Normalize: YES****

      Detect Anomalies: YES****

    FTP CONFIG:****

      FTP Server: default****

        Ports (PAF): 21 2100 3535****

        Check for Telnet Cmds: YES alert: YES****

        Ignore Telnet Cmd Operations: YES alert: YES****

        Identify open data channels: NO****

      FTP Client: default****

        Check for Bounce Attacks: YES alert: YES****

        Check for Telnet Cmds: YES alert: YES****

        Ignore Telnet Cmd Operations: YES alert: YES****

        Max Response Length: 256****

SMTP Config:****

    Ports: 25 465 587 691****

    Inspection Type: Stateful****

    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
EVFY EXPN****

HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML
TICK****

TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE
X-LINK2****

STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50****

    Ignore Data: No****

    Ignore TLS Data: No****

    Ignore SMTP Alerts: No****

    Max Command Line Length: 512****

    Max Specific Command Line Length:****

       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255****

       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255****

       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500****

       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246****

       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246****

       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246****

       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246****

       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246****

       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246****

       XUSR:246****

    Max Header Line Length: 1000****

    Max Response Line Length: 512****

    X-Link2State Alert: Yes****

    Drop on X-Link2State Alert: No****

    Alert on commands: None****

    Alert on unknown commands: No****

    SMTP Memcap: 838860****

    MIME Max Mem: 838860****

    Base64 Decoding: Enabled****

    Base64 Decoding Depth: Unlimited****

    Quoted-Printable Decoding: Enabled****

    Quoted-Printable Decoding Depth: Unlimited****

    Unix-to-Unix Decoding: Enabled****

    Unix-to-Unix Decoding Depth: Unlimited****

    Non-Encoded MIME attachment Extraction: Enabled****

    Non-Encoded MIME attachment Extraction Depth: Unlimited****

    Log Attachment filename: Enabled****

    Log MAIL FROM Address: Enabled****

    Log RCPT TO Addresses: Enabled****

    Log Email Headers: Enabled****

    Email Hdrs Log Depth: 1464****

SSH config:****

    Autodetection: ENABLED****

    Challenge-Response Overflow Alert: ENABLED****

    SSH1 CRC32 Alert: ENABLED****

    Server Version String Overflow Alert: ENABLED****

    Protocol Mismatch Alert: ENABLED****

    Bad Message Direction Alert: DISABLED****

    Bad Payload Size Alert: DISABLED****

    Unrecognized Version Alert: DISABLED****

    Max Encrypted Packets: 20****

    Max Server Version String Length: 100****

    MaxClientBytes: 19600 (Default)****

    Ports:****

        22****

DCE/RPC 2 Preprocessor Configuration****

  Global Configuration****

    DCE/RPC Defragmentation: Enabled****

    Memcap: 102400 KB****

    Events: co****

    SMB Fingerprint policy: Disabled****

  Server Default Configuration****

    Policy: WinXP****

    Detect ports (PAF)****

      SMB: 139 445****

      TCP: 135****

      UDP: 135****

      RPC over HTTP server: 593****

      RPC over HTTP proxy: None****

    Autodetect ports (PAF)****

      SMB: None****

      TCP: 1025-65535****

      UDP: 1025-65535****

      RPC over HTTP server: 1025-65535****

      RPC over HTTP proxy: None****

    Invalid SMB shares: C$ D$ ADMIN$****

    Maximum SMB command chaining: 3 commands****

DNS config:****

    DNS Client rdata txt Overflow Alert: ACTIVE****

    Obsolete DNS RR Types Alert: INACTIVE****

    Experimental DNS RR Types Alert: INACTIVE****

    Ports: 53****

SSLPP config:****

    Encrypted packets: not inspected****

    Ports:****

      443      465      563      636      989****

      992      993      994      995     7801****

     7802     7900     7901     7902     7903****

     7904     7905     7906     7907     7908****

     7909     7910     7911     7912     7913****

     7914     7915     7916     7917     7918****

     7919     7920****

    Server side data is trusted****

Sensitive Data preprocessor config:****

    Global Alert Threshold: 25****

    Masked Output: DISABLED****

SIP config:****

    Max number of sessions: 40000****

    Max number of dialogs in a session: 4 (Default)****

    Status: ENABLED****

    Ignore media channel: DISABLED****

    Max URI length: 512****

    Max Call ID length: 80****

    Max Request name length: 20 (Default)****

    Max From length: 256 (Default)****

    Max To length: 256 (Default)****

    Max Via length: 1024 (Default)****

    Max Contact length: 512****

    Max Content length: 2048****

    Ports:****

        5060    5061    5600****

    Methods:****

         invite cancel ack bye register options refer subscribe update
join inf****

o message notify benotify do qauth sprack publish service unsubscribe prack
****

IMAP Config:****

    Ports: 143****

    IMAP Memcap: 838860****

    Base64 Decoding: Enabled****

    Base64 Decoding Depth: Unlimited****

    Quoted-Printable Decoding: Enabled****

    Quoted-Printable Decoding Depth: Unlimited****

    Unix-to-Unix Decoding: Enabled****

    Unix-to-Unix Decoding Depth: Unlimited****

    Non-Encoded MIME attachment Extraction: Enabled****

    Non-Encoded MIME attachment Extraction Depth: Unlimited****

POP Config:****

    Ports: 110****

    POP Memcap: 838860****

    Base64 Decoding: Enabled****

    Base64 Decoding Depth: Unlimited****

    Quoted-Printable Decoding: Enabled****

    Quoted-Printable Decoding Depth: Unlimited****

    Unix-to-Unix Decoding: Enabled****

    Unix-to-Unix Decoding Depth: Unlimited****

    Non-Encoded MIME attachment Extraction: Enabled****

    Non-Encoded MIME attachment Extraction Depth: Unlimited****

Modbus config:****

    Ports:****

        502****

DNP3 config:****

    Memcap: 262144****

    Check Link-Layer CRCs: ENABLED****

    Ports:****

        20000****

Reputation config:****

WARNING: Can't find any whitelist/blacklist entries. Reputation
Preprocessor dis****

abled.****

** **

+++++++++++++++++++++++++++++++++++++++++++++++++++****

Initializing rule chains...****

3599 Snort rules read****

    3599 detection rules****

    0 decoder rules****

    0 preprocessor rules****

3599 Option Chains linked into 195 Chain Headers****

0 Dynamic rules****

+++++++++++++++++++++++++++++++++++++++++++++++++++****

** **

+-------------------[Rule Port
Counts]---------------------------------------****

|             tcp     udp    icmp      ip****

|     src    1518       5       0       0****

|     dst    1733     197       0       0****

|     any     124      44      28      26****

|      nc      50      12       1       0****

|     s+d       0       1       0       0****


+----------------------------------------------------------------------------
****

** **


+-----------------------[detection-filter-config]------------------------------
****

| memory-cap : 1048576 bytes****


+-----------------------[detection-filter-rules]-------------------------------
****


-------------------------------------------------------------------------------
****

** **


+-----------------------[rate-filter-config]-----------------------------------
****

| memory-cap : 1048576 bytes****


+-----------------------[rate-filter-rules]------------------------------------
****

| none****


-------------------------------------------------------------------------------
****

** **


+-----------------------[event-filter-config]----------------------------------
****

| memory-cap : 1048576 bytes****


+-----------------------[event-filter-global]----------------------------------
****


+-----------------------[event-filter-local]-----------------------------------
****

| none****


+-----------------------[suppression]------------------------------------------
****

| none****


-------------------------------------------------------------------------------
****

Rule application order:
activation->dynamic->pass->drop->sdrop->reject->alert->l****

og****

Verifying Preprocessor Configurations!****

ICMP tracking disabled, no ICMP sessions allocated****

IP tracking disabled, no IP sessions allocated****

WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.****

WARNING: flowbits key 'acunetix.scanner' is set but not ever checked.****

WARNING: flowbits key 'file.dcr' is set but not ever checked.****

WARNING: flowbits key 'netsenum' is set but not ever checked.****

WARNING: flowbits key 'file.p2g' is set but not ever checked.****

WARNING: flowbits key 'rtmp.flashver' is set but not ever checked.****

WARNING: flowbits key 'file.wma' is set but not ever checked.****

119 out of 1024 flowbits in use.****

** **

[ Port Based Pattern Matching Memory ]****

+- [ Aho-Corasick Summary ] -------------------------------------****

| Storage Format    : Full-Q****

| Finite Automaton  : DFA****

| Alphabet Size     : 256 Chars****

| Sizeof State      : Variable (1,2,4 bytes)****

| Instances         : 151****

|     1 byte states : 138****

|     2 byte states : 13****

|     4 byte states : 0****

| Characters        : 62052****

| States            : 48625****

| Transitions       : 4686661****

| State Density     : 37.6%****

| Patterns          : 3715****

| Match States      : 3592****

| Memory (MB)       : 24.90****

|   Patterns        : 0.40****

|   Match Lists     : 0.80****

|   DFA****

|     1 byte states : 0.89****

|     2 byte states : 22.55****

|     4 byte states : 0.00****

+----------------------------------------------------------------****

[ Number of patterns truncated to 20 bytes: 390 ]****

pcap DAQ configured to passive.****

Acquiring network traffic from "eth1".****

Reload thread starting...****

Reload thread started, thread 0x7f8dcb244700 (1446)****

Decoding Ethernet****

Set gid to 117****

Set uid to 107****

** **

        --== Initialization Complete ==--****

** **

   ,,_     -*> Snort! <*-****

  o"  )~   Version 2.9.4.5 GRE (Build 71)****

   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-t****

eam****

           Copyright (C) 1998-2013 Sourcefire, Inc., et al.****

           Using libpcap version 1.1.1****

           Using PCRE version: 8.12 2011-01-15****

           Using ZLIB version: 1.2.3.4****

** **

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.17  <Build
18>****

           Rules Object: netbios  Version 1.0  <Build 1>****

           Rules Object: exploit  Version 1.0  <Build 1>****

           Rules Object: specific-threats  Version 1.0  <Build 1>****

           Rules Object: chat  Version 1.0  <Build 1>****

           Rules Object: snmp  Version 1.0  <Build 1>****

           Rules Object: smtp  Version 1.0  <Build 1>****

           Rules Object: p2p  Version 1.0  <Build 1>****

           Rules Object: bad-traffic  Version 1.0  <Build 1>****

           Rules Object: web-activex  Version 1.0  <Build 1>****

           Rules Object: web-iis  Version 1.0  <Build 1>****

           Rules Object: dos  Version 1.0  <Build 1>****

           Rules Object: web-misc  Version 1.0  <Build 1>****

           Rules Object: misc  Version 1.0  <Build 1>****

           Rules Object: nntp  Version 1.0  <Build 1>****

           Rules Object: icmp  Version 1.0  <Build 1>****

           Rules Object: imap  Version 1.0  <Build 1>****

           Rules Object: multimedia  Version 1.0  <Build 1>****

           Rules Object: web-client  Version 1.0  <Build 1>****

           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>****

           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>****

           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>****

           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>****

           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>****

           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>****

           Preprocessor Object: SF_POP  Version 1.0  <Build 1>****

           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>****

           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>****

           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>****

           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>****

           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>****

           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>****

           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>****

Commencing packet processing (pid=1446)****

** **
  --
<#13e3ce4e4f7e4731_> *John Ainsworth*  - IT Manager
01942 868097  (extension 1105)  07733 323091    <#13e3ce4e4f7e4731_> ASH<#13e3ce4e4f7e4731_>
James Herbert <#13e3ce4e4f7e4731_>
<http://www.thebookpeople.co.uk/webapp/wcs/stores/servlet/qs_searchResult_tbp?storeId=10001&catalogId=10051&langId=100&pageSize=20&pageNumber=0&searchTerm=AEYRF>
   This
Email and any attachments to it may be confidential and are intended solely
for the use of the individual to whom it is addressed. Any views or
opinions expressed are solely those of the author and do not necessarily
represent those of The Book People Limited. If you are not the intended
recipient of this email, you must neither take any action based upon its
contents, nor copy or show it to anyone. Please contact the sender if you
believe you have received this email in error.


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]