Snort mailing list archives

Re: can't log send out packets

From: "hzmiaowang" <hzmiaowang () qq com>
Date: Thu, 29 Dec 2011 12:18:24 +0800

D:\Snort\bin>snort.exe -W
    ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1.2-ODBC-MySQL-WIN32 GRE (Build 84)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3
 Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------
    1   00:00:00:00:00:00       192.168.6.193   \Device\NPF_{B5B1EB97-A072-4131-A609-83AAA257E81D}      Marvell Yukon Et
hernet Controller.
    2   00:00:00:00:00:00       192.168.5.102   \Device\NPF_{7C548D8F-5399-4671-8306-6478C98B8A01}      Microsoft
 D:\Snort\bin>snort.exe -c d:\Snort\etc\snort.conf -i1 -vde > d:\Snort\k1.txt
  
 then i ping 192.168.6.1 from 192.168.6.193
  
 K1.txt:
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 12/29-12:04:49.036516 00:26:55:BC:0C:1E -> 08:10:75:A6:9B:6E type:0x800 len:0x4A
192.168.6.193 -> 192.168.6.1 ICMP TTL:64 TOS:0x0 ID:13055 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1   Seq:4  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 12/29-12:04:49.037435 08:10:75:A6:9B:6E -> 00:26:55:BC:0C:1E type:0x800 len:0x4A
192.168.6.1 -> 192.168.6.193 ICMP TTL:64 TOS:0x0 ID:92 IpLen:20 DgmLen:60
Type:0  Code:0  ID:1  Seq:4  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  
 log show snort can get echo and echo reply packets
  
 snort.conf:
 output database: alert, mysql,  user=snortusr password=snortusr dbname=snort_hex encoding=hex host=localhost 
detail=full
alert icmp any any <> any any  (content:"abcd";sid:10007777)
  
 but in mysql ,i can only see echo reply packets,no echo packets.
  
 type snort.conf:
 #--------------------------------------------------
#   VRT Rule Packages Snort.conf
#
#   For more information visit us at:
#     http://www.snort.org                   Snort Website
#     http://vrt-sourcefire.blogspot.com/    Sourcefire VRT Blog
#
#     Mailing list Contact:      snort-sigs () lists sourceforge net
#     False Positive reports:    fp () sourcefire com
#     Snort bugs:                bugs () snort org
#
#     Compatible with Snort Versions:
#     VERSIONS : 2.9.1.1
#
#     Snort build options:
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules 
--enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload 
--enable-react --enable-flexresp3
#
#     Additional information:
#     This configuration file enables active response, to run snort in
#     test mode -T you are required to supply an interface -i <interface>
#     or test mode will fail to fully validate the configuration and
#     exit with a FATAL error
#--------------------------------------------------
 ###################################################
# This file contains a sample snort configuration. 
# You should take the following steps to create your own custom configuration:
#
#  1) Set the network variables.
#  2) Configure the decoder
#  3) Configure the base detection engine
#  4) Configure dynamic loaded libraries
#  5) Configure preprocessors
#  6) Configure output plugins
#  7) Customize your rule set
#  8) Customize preprocessor and decoder rule set
#  9) Customize shared object rule set
###################################################
 ###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################
 # Setup the network addresses you are protecting
#  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var HOME_NET 192.168.5.0/24
var RULE_PATH d:\snort\rules
var SO_RULE_PATH d:\snort\rules
var PREPROC_RULE_PATH d:\snort\preproc_rules
 ###################################################
# Step #2: Configure the decoder.  For more information, see README.decode
###################################################
 # Stop generic decode events:
config disable_decode_alerts
 # Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts
 # Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts
 # Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts
 # Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts
 # Stop Alerts on invalid ip options
config disable_ipopt_alerts
 # Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
# config enable_decode_oversized_alerts
 # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
# config enable_decode_oversized_drops
 # Configure IP / TCP checksum mode
config checksum_mode: all
 # Configure maximum number of flowbit references.  For more information, see README.flowbits
# config flowbits_size: 64
 # Configure ports to ignore 
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53
 # Configure active response for non inline operation. For more information, see REAMDE.active
# config response: eth0 attempts 2
 # Configure DAQ related options for inline operation. For more information, see README.daq
#
# config daq: <type>
# config daq_dir: <dir>
# config daq_mode: <mode>
# config daq_var: <var>
#
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value passed to DAQ
# <dir> ::= path as to where to look for DAQ module so's
 # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line 
options
#
# config set_gid:
# config set_uid:
 # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
#
# config snaplen:
#
 # Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h 
command line options (-F)
#
# config bpf_file:
#
 # Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
#
# config logdir:
 #config interface: 1
config interface: 1
###################################################
# Step #3: Configure the base detection engine.  For more information, see  README.decode
###################################################
 # Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
 # Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20
 # Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 3 order_events content_length
 ###################################################
# Per packet and rule latency enforcement
# For more information see README.ppm
###################################################
 # Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log
 # Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert
 ###################################################
# Configure Perf Profiling for debugging
# For more information see README.PerfProfiling
###################################################
 #config profile_rules: print all, sort avg_ticks
#config profile_preprocs: print all, sort avg_ticks
 ###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
 # path to dynamic preprocessor libraries
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
 # path to base preprocessor engine
#dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
 # path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
 ###################################################
# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################
 
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################
 # unified2 
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
 # Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp 
 # syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
 # pcap
# output log_tcpdump: tcpdump.log
 # database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
#output database: log, mysql,  user=snortusr password=snortusr dbname=snorthost encoding=ascii host=localhost
output database: alert, mysql,  user=snortusr password=snortusr dbname=snort_acs encoding=ascii host=localhost 
detail=full
output database: alert, mysql,  user=snortusr password=snortusr dbname=snort_hex encoding=hex host=localhost detail=full
#output database: alert, mysql,  user=snortusr password=snortusr dbname=snort encoding=hex host=localhost 
# prelude
# output alert_prelude
 # metadata reference data.  do not modify these lines
include classification.config
include reference.config
 
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################
 alert icmp 192.168.any any -> any any  (content:"abcd";sid:10007777)
#log tcp 192.168.5.90 any <> any 80  (msg:"0000";content:"GET";sid:10000987)
 #reject icmp any any <> any any  
#include D:\Snort\preproc_rules\user.txt
 # site specific rules
#include $RULE_PATH/local.rules
 #include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/ddos.rules
#include $RULE_PATH/dns.rules
#include $RULE_PATH/dos.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/p2p.rules
#include $RULE_PATH/phishing-spam.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/shellcode.rules
#include $RULE_PATH/smtp.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/specific-threats.rules
#include $RULE_PATH/spyware-put.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/telnet.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/virus.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules
 ###################################################
# Step #8: Customize your preprocessor and decoder alerts
# For more information, see README.decoder_preproc_rules
###################################################
 # decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
 ###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
###################################################
 # dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/icmp.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/pop3.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/snmp.rules
# include $SO_RULE_PATH/specific-threats.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-iis.rules
# include $SO_RULE_PATH/web-misc.rules
 # Event thresholding or suppression commands. See threshold.conf 
#include threshold.conf

  
  
 I want get packets that go from my computer to others.
  
 thks  lots!
  
 miao
  
  
  
  
  
  
  
  
   
  
  ------------------ Original ------------------
  From:  "Joel Esler"<jesler () sourcefire com>;
 Date:  Sun, Dec 25, 2011 00:28 AM
 To:  "hzmiaowang"<hzmiaowang () qq com>; 
 Cc:  "snort-users"<snort-users () lists sourceforge net>; 
 Subject:  Re: [Snort-users] can't log send out packets

  
If you run snort -vde on the proper interface, do you are all 8 go past on the screen without analyzation? (-c). 


--
Joel Esler

On Dec 22, 2011, at 6:51 AM, "hzmiaowang" <hzmiaowang () qq com> wrote:

hi:
I install snort 2.9.1 on win7 notebook. There are two network card in my computer.One is wireless,the other is
ethernet card. when i enable wireless netcard,i can get income packets and send packets in mysql database.but when i
swich to ethernet netcard ,i can only get income packets,can't get sent packets. so i can only get 4 rows when i use

alert icmp any any -> any any (content:"abcd";sid:10007777) in snort.conf with ethernet netcad
from WIN7 ping other IP. while get 8 rows with wireless netcard.

I install snort 2.9.1 on another computer with only one netcard. It work right.(8 rows with ping)
I want use Snort to log all sql command when i use WIN7 to manager remote ORACLE database.

when i use snort -vde -c d:\snort\etc\snort.conf (with ethernet card)
I can see 8 ping packets,but why ony 4 income packets be loged?
thanks lot ,sorry for poor english
------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create
new or port existing apps to sell to consumers worldwide. Explore the
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

can't log send out packets hzmiaowang (Dec 24)
- Re: can't log send out packets Joel Esler (Dec 24)
- <Possible follow-ups>
- Re: can't log send out packets hzmiaowang (Dec 28)