Hello Andi,
it looks like a snort issue.

Regards
Fabrice


On 2013-08-22 11:42, Morris, Andi wrote:

Hi all,

After spending a long time configuring snort to trigger on thousands of SIDs in a dev environment using various portions of the emerging-trojans, emerging-p2p etc rule files I connected my laptop to the dev network, fired up a torrent client.......and nothing happened.

So, checking around the place I could see from the PF admin gui that the snort service wasn't started. Clicking start didn't change that.

Manually from the CLI I ran service snortd start but got a failed message.

Below is the output from /var/log/messages:

Aug 22 16:28:36 pfencedev01 snort[3262]: Found pid path directive (/usr/local/pf/var/run)
Aug 22 16:28:36 pfencedev01 snort[3262]: Running in IDS mode
Aug 22 16:28:36 pfencedev01 snort[3262]:
Aug 22 16:28:36 pfencedev01 snort[3262]: --== Initializing Snort ==--
Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Output Plugins!
Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Preprocessors!
Aug 22 16:28:36 pfencedev01 snort[3262]: Initializing Plug-ins!
Aug 22 16:28:36 pfencedev01 snort[3262]: Parsing Rules file "/usr/local/pf/var/conf/snort.conf"
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'HTTP_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ 80 ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'SSH_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ 22 ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'ORACLE_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ 1521 ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 snort[3262]: PortVar 'SHELLCODE_PORTS' defined :
Aug 22 16:28:37 pfencedev01 snort[3262]:  [ any ]
Aug 22 16:28:37 pfencedev01 snort[3262]:
Aug 22 16:28:37 pfencedev01 snort[3262]: FATAL ERROR: Unable to open rules file "/usr/local/pf/var/conf//usr/local/pf/conf/snort/emerging-virus.rules": No such file or directory.
Aug 22 16:35:12 pfencedev01 snort[3315]: Running in IDS mode
Aug 22 16:35:12 pfencedev01 snort[3315]:
Aug 22 16:35:12 pfencedev01 snort[3315]: --== Initializing Snort ==--
Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Output Plugins!
Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Preprocessors!
Aug 22 16:35:12 pfencedev01 snort[3315]: Initializing Plug-ins!
Aug 22 16:35:12 pfencedev01 snort[3315]: Parsing Rules file "/etc/snort/snort.conf"
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'HTTP_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]: [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SHELLCODE_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 0:79 81:65535 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'ORACLE_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 1024:65535 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SSH_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 22 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'FTP_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 21 2100 3535 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: PortVar 'SIP_PORTS' defined :
Aug 22 16:35:13 pfencedev01 snort[3315]:  [ 5060:5061 5600 ]
Aug 22 16:35:13 pfencedev01 snort[3315]:
Aug 22 16:35:13 pfencedev01 snort[3315]: Detection:
Aug 22 16:35:13 pfencedev01 snort[3315]: Search-Method = AC-Full-Q
Aug 22 16:35:13 pfencedev01 snort[3315]:     Split Any/Any group = enabled
Aug 22 16:35:13 pfencedev01 snort[3315]: Search-Method-Optimizations = enabled
Aug 22 16:35:13 pfencedev01 snort[3315]:     Maximum pattern length = 20
Aug 22 16:35:13 pfencedev01 snort[3315]: FATAL ERROR: ../../src/parser.c(5261) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.

What's going on here?

Cheers,

Andi

-------------------------------------

Andi Morris

IT Security Officer
Cardiff Metropolitan University

T: 02920 205720
E: [email protected] <mailto:[email protected]>

--------------------------------------





_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
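Both fatal errors in the log above are checkable before `service snortd start` is ever run: an include whose path is prefixed with the config directory even though it is absolute (hence the `//` in the first error), and a `dynamicdetection directory` that does not exist. The pre-flight check below is an added example, not PacketFence or Snort code; it assumes the include resolution the FATAL ERROR line shows (config dir prepended to every include), and `SAMPLE_CONF` and `SAMPLE_FS` are constructed stand-ins for the generated snort.conf and the dev box filesystem.

```python
import os
import re

# Constructed snort.conf fragment modelled on the paths in the log above;
# it is not the file PacketFence generates.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/pf/conf/snort
include /usr/local/pf/conf/snort/emerging-virus.rules
include $RULE_PATH/emerging-p2p.rules
include classification.config
dynamicdetection directory /usr/local/lib/snort_dynamicrules
"""

# Constructed stand-in for the filesystem: the paths that exist on the box.
SAMPLE_FS = {
    "/usr/local/pf/conf/snort/emerging-virus.rules",
    "/usr/local/pf/conf/snort/emerging-p2p.rules",
    "/usr/local/pf/var/conf/classification.config",
}

def resolve_include(conf_dir, path):
    """Assumption: the config dir is prepended to every include, exactly as the
    FATAL ERROR line shows ('/usr/local/pf/var/conf//usr/local/pf/...')."""
    return conf_dir.rstrip("/") + "/" + path

def expand_vars(text, variables):
    """Substitute $NAME with values collected from earlier 'var' lines."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)

def preflight(conf_text, conf_dir, exists=os.path.exists):
    """Return the startup errors Snort would hit, in config order."""
    errors, variables = [], {}
    for raw in conf_text.splitlines():
        line = expand_vars(raw.strip(), variables)
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"var\s+(\w+)\s+(\S+)", line):
            variables[m.group(1)] = m.group(2)
        elif m := re.match(r"include\s+(\S+)", line):
            target = resolve_include(conf_dir, m.group(1))
            if not exists(target):
                hint = " (absolute path doubled with conf dir)" if m.group(1).startswith("/") else ""
                errors.append(f'Unable to open rules file "{target}"{hint}')
        elif m := re.match(r"dynamic(?:detection|engine|preprocessor)\s+directory\s+(\S+)", line):
            if not exists(m.group(1)):
                errors.append(f'Could not stat dynamic module path "{m.group(1)}"')
    return errors

if __name__ == "__main__":
    for err in preflight(SAMPLE_CONF, "/usr/local/pf/var/conf", SAMPLE_FS.__contains__):
        print("FATAL:", err)
```

Run against a real box, drop the `exists` argument so `os.path.exists` is used and point `conf_dir` at the directory of the snort.conf named in the "Parsing Rules file" log line.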
