ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -c etc/paraskevas.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
-------------------------------------------------
Keyword     |      Output @
-------------------------------------------------
alert_syslog  : 0x105c27d20
log_tcpdump   : 0x105c2aec0
alert_fast    : 0x105c26830
alert_full    : 0x105c273c0
alert_unixsock: 0x105c28ed0
alert_CSV     : 0x105c29710
log_null      : 0x105c2adb0
log_unified2  : 0x105c2bbf0
alert_unified2: 0x105c2bd50
unified2      : 0x105c2beb0
log_ascii     : 0x105c2f410
alert_test    : 0x105c30800
-------------------------------------------------
Initializing Preprocessors!
Initializing Plug-ins!
-------------------------------------------------
Keyword     |      Preprocessor @
-------------------------------------------------
arpspoof      : 0x105c6c090
arpspoof_detect_host: 0x105c6c420
normalize_ip4 : 0x105ca8a10
normalize_icmp4: 0x105ca8c40
normalize_ip6 : 0x105ca8d00
normalize_icmp6: 0x105ca8dd0
normalize_tcp : 0x105ca8e90
frag3_global  : 0x105c919e0
frag3_engine  : 0x105c92250
stream5_global: 0x105ca4160
stream5_tcp   : 0x105c9da40
stream5_udp   : 0x105c9dd10
stream5_icmp  : 0x105c9de20
stream5_ip    : 0x105c9df30
rpc_decode    : 0x105c6eed0
bo            : 0x105c6d520
http_inspect  : 0x105c7cb30
http_inspect_server: 0x105c7cb30
PerfMonitor   : 0x105c726d0
sfportscan    : 0x105c8dd40
-------------------------------------------------
-------------------------------------------------
Keyword     |      Plugin Registered @
-------------------------------------------------
content       : 0x105c4b5b0
uricontent    : 0x105c4bc50
protected_content: 0x105c4bd70
http_method   : 0x105c4bec0
http_uri      : 0x105c4bf50
http_header   : 0x105c4bfe0
http_cookie   : 0x105c4c070
http_client_body: 0x105c4c100
http_raw_uri  : 0x105c4c190
http_raw_header: 0x105c4c220
http_raw_cookie: 0x105c4c2b0
http_stat_code: 0x105c4c340
http_stat_msg : 0x105c4c3d0
offset        : 0x105c4c460
depth         : 0x105c4c5d0
distance      : 0x105c4c780
within        : 0x105c4c920
hash          : 0x105c4cb00
length        : 0x105c4cc30
nocase        : 0x105c4cd60
rawbytes      : 0x105c4ce50
fast_pattern  : 0x105c4ceb0
replace       : 0x105c53cb0
flags         : 0x105c572f0
itype         : 0x105c45d50
icode         : 0x105c44120
ttl           : 0x105c58dd0
id            : 0x105c47ae0
ack           : 0x105c56ce0
seq           : 0x105c581a0
dsize         : 0x105c3fab0
ipopts        : 0x105c49ca0
rpc           : 0x105c55020
icmp_id       : 0x105c44ca0
icmp_seq      : 0x105c45460
session       : 0x105c55e00
tos           : 0x105c494e0
fragbits      : 0x105c46920
fragoffset    : 0x105c47320
window        : 0x105c58740
ip_proto      : 0x105c481b0
sameip        : 0x105c48c30
flow          : 0x105c3df40
pkt_data      : 0x105c5c5f0
byte_test     : 0x105c35d60
byte_jump     : 0x105c37cb0
byte_extract  : 0x105c39660
byte_math     : 0x105c3bd00
isdataat      : 0x105c4a6c0
file_data     : 0x105c5aa40
base64_decode : 0x105c5b2a0
base64_data   : 0x105c5c1a0
pcre          : 0x105c52490
flowbits      : 0x105c40ae0
asn1          : 0x105c34a80
react         : 0x105c5e130
resp          : 0x105c5efc0
ftpbounce     : 0x105c43170
urilen        : 0x105c59f70
cvs           : 0x105c3ef90
file_type     : 0x105c5cd80
file_group    : 0x105c5cde0
-------------------------------------------------
Parsing Rules file "etc/paraskevas.conf"
Tagged Packet Limit: 256
Loading dynamic engine lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_imap_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_pop_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_sip_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
  Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: No such file or directory
Fatal Error, Quitting..

ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -c etc/paraskevas.conf -T
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
-------------------------------------------------
Keyword     |      Output @
-------------------------------------------------
alert_syslog  : 0x10cb25d20
log_tcpdump   : 0x10cb28ec0
alert_fast    : 0x10cb24830
alert_full    : 0x10cb253c0
alert_unixsock: 0x10cb26ed0
alert_CSV     : 0x10cb27710
log_null      : 0x10cb28db0
log_unified2  : 0x10cb29bf0
alert_unified2: 0x10cb29d50
unified2      : 0x10cb29eb0
log_ascii     : 0x10cb2d410
alert_test    : 0x10cb2e800
-------------------------------------------------
Initializing Preprocessors!
Initializing Plug-ins!
-------------------------------------------------
Keyword     |      Preprocessor @
-------------------------------------------------
arpspoof      : 0x10cb6a090
arpspoof_detect_host: 0x10cb6a420
normalize_ip4 : 0x10cba6a10
normalize_icmp4: 0x10cba6c40
normalize_ip6 : 0x10cba6d00
normalize_icmp6: 0x10cba6dd0
normalize_tcp : 0x10cba6e90
frag3_global  : 0x10cb8f9e0
frag3_engine  : 0x10cb90250
stream5_global: 0x10cba2160
stream5_tcp   : 0x10cb9ba40
stream5_udp   : 0x10cb9bd10
stream5_icmp  : 0x10cb9be20
stream5_ip    : 0x10cb9bf30
rpc_decode    : 0x10cb6ced0
bo            : 0x10cb6b520
http_inspect  : 0x10cb7ab30
http_inspect_server: 0x10cb7ab30
PerfMonitor   : 0x10cb706d0
sfportscan    : 0x10cb8bd40
-------------------------------------------------
-------------------------------------------------
Keyword     |      Plugin Registered @
-------------------------------------------------
content       : 0x10cb495b0
uricontent    : 0x10cb49c50
protected_content: 0x10cb49d70
http_method   : 0x10cb49ec0
http_uri      : 0x10cb49f50
http_header   : 0x10cb49fe0
http_cookie   : 0x10cb4a070
http_client_body: 0x10cb4a100
http_raw_uri  : 0x10cb4a190
http_raw_header: 0x10cb4a220
http_raw_cookie: 0x10cb4a2b0
http_stat_code: 0x10cb4a340
http_stat_msg : 0x10cb4a3d0
offset        : 0x10cb4a460
depth         : 0x10cb4a5d0
distance      : 0x10cb4a780
within        : 0x10cb4a920
hash          : 0x10cb4ab00
length        : 0x10cb4ac30
nocase        : 0x10cb4ad60
rawbytes      : 0x10cb4ae50
fast_pattern  : 0x10cb4aeb0
replace       : 0x10cb51cb0
flags         : 0x10cb552f0
itype         : 0x10cb43d50
icode         : 0x10cb42120
ttl           : 0x10cb56dd0
id            : 0x10cb45ae0
ack           : 0x10cb54ce0
seq           : 0x10cb561a0
dsize         : 0x10cb3dab0
ipopts        : 0x10cb47ca0
rpc           : 0x10cb53020
icmp_id       : 0x10cb42ca0
icmp_seq      : 0x10cb43460
session       : 0x10cb53e00
tos           : 0x10cb474e0
fragbits      : 0x10cb44920
fragoffset    : 0x10cb45320
window        : 0x10cb56740
ip_proto      : 0x10cb461b0
sameip        : 0x10cb46c30
flow          : 0x10cb3bf40
pkt_data      : 0x10cb5a5f0
byte_test     : 0x10cb33d60
byte_jump     : 0x10cb35cb0
byte_extract  : 0x10cb37660
byte_math     : 0x10cb39d00
isdataat      : 0x10cb486c0
file_data     : 0x10cb58a40
base64_decode : 0x10cb592a0
base64_data   : 0x10cb5a1a0
pcre          : 0x10cb50490
flowbits      : 0x10cb3eae0
asn1          : 0x10cb32a80
react         : 0x10cb5c130
resp          : 0x10cb5cfc0
ftpbounce     : 0x10cb41170
urilen        : 0x10cb57f70
cvs           : 0x10cb3cf90
file_type     : 0x10cb5ad80
file_group    : 0x10cb5ade0
-------------------------------------------------
Parsing Rules file "etc/paraskevas.conf"
Tagged Packet Limit: 256
Loading dynamic engine lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_imap_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_pop_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_sip_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
  Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
Log directory = /var/log/snort
Max Expected Streams: 272
Stream global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    TCP cache pruning timeout: 30 seconds
    TCP cache nominal timeout: 3600 seconds
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    UDP cache pruning timeout: 30 seconds
    UDP cache nominal timeout: 180 seconds
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16384
Stream TCP Policy config:
    Bound Address: default
    Reassembly Policy: BSD
    Timeout: 30 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Reassembly Ports:
Stream UDP Policy config:
    Timeout: 30 seconds
Frag3 global config:
    Max frags: 8192
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: BSD
    Fragment timeout: 60 seconds
    Fragment min_ttl: 1
    Fragment Anomalies: No Alert
    Overlap Limit: 0
    Min fragment Length: 0
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       0       0       0
|      nc       1       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3 - Apple version 54
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.5

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0
           Preprocessor Object: SF_SSLPP  Version 1.1
           Preprocessor Object: SF_SSH  Version 1.1
           Preprocessor Object: SF_SMTP  Version 1.1
           Preprocessor Object: SF_SIP  Version 1.1
           Preprocessor Object: SF_SDF  Version 1.1
           Preprocessor Object: SF_REPUTATION  Version 1.1
           Preprocessor Object: SF_POP  Version 1.0
           Preprocessor Object: SF_MODBUS  Version 1.1
           Preprocessor Object: SF_IMAP  Version 1.0
           Preprocessor Object: SF_GTP  Version 1.1
           Preprocessor Object: SF_FTPTELNET  Version 1.2
           Preprocessor Object: SF_DNS  Version 1.1
           Preprocessor Object: SF_DNP3  Version 1.1
           Preprocessor Object: SF_DCERPC2  Version 1.0

Snort successfully validated the configuration!
Snort exiting

ALLEWI-M-8257:snort-2.9.9.0-released allewi$ ./bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.9.0 GRE (Build 56)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3 - Apple version 54
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.5

ALLEWI-M-8257:snort-2.9.9.0-released allewi$