lward@snort3:/tmp$ sudo snortsp -L /etc/snort/snort3_beta_pcap.lua
[+] Loaded pcap DAQ
[+] Loaded file DAQ
[+] Loaded afpacket DAQ
[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded gtp
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
Control thread running - 3083164560 (17491)
[*] Loading command interface
[!] Loading SnortSP command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
[!] Loading output command metatable
[!] Loading analyzer command metatable
Executing /etc/snort/snort3_beta_pcap.lua
Engine "e1" created
Adding analyzer "a1" to engine "e1"
Added bpf, "", for analyzer "a1"
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   19569
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort/sf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort/snort_preproc...
  Loading dynamic preprocessor library /usr/local/lib/snort/snort_preproc/preproc_dns.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort/snort_preproc/preproc_dcerpc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort/snort_preproc/preproc_smtp.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort/snort_preproc/preproc_ftptelnet.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort/snort_preproc/preproc_ssl.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort/snort_preproc/preproc_ssh.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort/snort_preproc
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260 RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP impl->config:
    Encrypted packets: not inspected
    Ports: 443 465 563 636 989 992 993 994 995
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
7226 Snort rules read
    7226 detection rules
    0 decoder rules
    0 preprocessor rules
7226 Option Chains linked into 259 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src     801       9       0       0
|     dst    5688     390       0       0
|     any     180     115      39      11
|      nc      16       7      14       8
|     s+d       3       3       0       0
+----------------------------------------------------------------------------

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1  sig-id=2924  type=Threshold  tracking=dst  count=10  seconds=60
| gen-id=1  sig-id=3152  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=4984  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=3542  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=3527  type=Limit      tracking=dst  count=5   seconds=60
| gen-id=1  sig-id=3543  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=3273  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=2275  type=Threshold  tracking=dst  count=5   seconds=60
| gen-id=1  sig-id=2523  type=Both       tracking=dst  count=10  seconds=10
| gen-id=1  sig-id=2923  type=Threshold  tracking=dst  count=10  seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /tmp/
Verifying Preprocessor Configurations!
Warning: flowbits key 'access.download' is set but not ever checked.
Warning: flowbits key 'works.download' is set but not ever checked.
Warning: flowbits key 'mspub_header' is set but not ever checked.
Warning: flowbits key 'emf.request' is set but not ever checked.
Warning: flowbits key 'sylk.download' is set but not ever checked.
57 out of 512 flowbits in use.

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 245
| Patterns         : 44993
| Pattern Chars    : 426734
| Num States       : 139368
| Num Match States : 17359
| Memory           : 4.30Mbytes
|   Patterns       : 1.26M
|   Match Lists    : 1.17M
|   Transitions    : 1.81M
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort Analytic! <*-
  o"  )~   Version 3.0.0 (Build 16)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.8
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.0
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.1
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1
           Preprocessor Object: SF_DCERPC (IPV6)  Version 1.1
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1
Not Using PCAP_FRAMES
[*] Spawning analyzer thread - 0/0!
/usr/local//lib/snort/snort.so thread running - 3052542864 (17491)
Creating new data source
Reading packets from file /tmp/Honeynet-RFP-iis.pcap
Flow manager created with 100000000 flow capacity
Linking engine "e1" to data source "s1"
init_pcap: reading from pcap file
init_pcap: Opening pcap file "/tmp/Honeynet-RFP-iis.pcap"
File opened, snaplen = 1514
[*] Data Source Config:
    Name: s1
    Type: pcap
    Interface: file
    Filename: /tmp/Honeynet-RFP-iis.pcap
    Snaplen: 1514
    Flags: 0x00000001
    Display: None (0)
    Filter command:
    DAQ: 0x8078560
    User Context: 0x80ea148
    Max flows: 100000000
    Max idle: 300
    Memcap: 10000000
[*] Flow Manager Config:
    Max flows: 100000000
    Max idle: 300
    Memcap: 10000000
[*] DAQ config:
    Interface: reading from file...
    Readback filename: /tmp/Honeynet-RFP-iis.pcap
    Snaplen: 1514
    Datalink: 1
    Count: 0
    Packet Count: 0
    Promisc flag: 0
    File flag: 1
    pcap ptr: 0x9b54640
    analysis context ptr: 0xb5565008
[*] Spawning engine thread!
e1 thread running - 3041799056 (17491)
e1 thread exiting - 3041799056 (17491)
[*] INACTIVE data source s1 received 6707 packets on file
    Analyzed: 6707 (100.000%)
    Dropped: 0 (0.000%)
    Idle Cycles: 1
[-] Ethernet Stats:
    Count: 6707
[-] IPv4 Stats:
    Count: 6707
[-] TCP Stats:
    Count: 6660
    Bad Csum: 84
[-] UDP Stats:
    Count: 38
[-] ICMP Stats:
    Count: 9
[-] Raw Stats:
    Count: 3234
    Bytes: 1207600
defrag statistics for mgr 0x0xb556506c
    Total Fragments: 0
    Total Trackers: 0
    Trackers Active: 0
    Trackers Released: 0
    Reassembled Packets: 0
    Fragments Stored: 0
    Fragments Released: 0
    Discards: 0
    Timeouts: 0
    Overlaps: 0
    Anomalies: 0

   ,,_     -*> SnortSP! <*-
  o"  )~   Version 3.0.0b2 (Build 9) [BETA]
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 2008 Sourcefire Inc.

Pkts = 6707, Secs = 1
/usr/local//lib/snort/snort.so thread exiting - 3052542864 (17491)
===============================================================================
Packet Wire Totals:
   Received:   6940
   Analyzed:   6707 (96.643%)
    Dropped:      0 (0.000%)
Outstanding:    233 (3.357%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 6940       (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 6940       (100.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 6660       (95.965%)
      UDP: 38         (0.548%)
     ICMP: 9          (0.130%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
IPv4/IPv4: 0          (0.000%)
IPv4/IPv6: 0          (0.000%)
IPv6/IPv4: 0          (0.000%)
IPv6/IPv6: 0          (0.000%)
      GRE: 0          (0.000%)
  GRE ETH: 0          (0.000%)
 GRE VLAN: 0          (0.000%)
 GRE IPv4: 0          (0.000%)
 GRE IPv6: 0          (0.000%)
GRE IP6 E: 0          (0.000%)
 GRE PPTP: 0          (0.000%)
  GRE ARP: 0          (0.000%)
  GRE IPX: 0          (0.000%)
 GRE LOOP: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 84         (1.210%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 233        (3.357%)
    Total: 6940
===============================================================================
Action Stats:
ALERTS: 290
LOGGED: 290
PASSED: 0
===============================================================================
Frag3 statistics:
        Total Fragments: 0
                 Alerts: 0
              Anomalies: 0
         Frag w/IP Opts: 0
         Bad Size Small: 0
         Bad Size Large: 0
               Oversize: 0
               Teardrop: 0
              Zero Frag: 0
             Short Frag: 0
               Overlaps: 0
          IPV6 BSD ICMP: 0
          IPV6 Bad Frag: 0
   IPV6 Header Mismatch: 0
                Min TTL: 0
===============================================================================
Stream5 statistics:
            Total sessions: 282
              TCP sessions: 282
              UDP sessions: 0
             ICMP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
TCP StreamTrackers Created: 321
TCP StreamTrackers Deleted: 321
              TCP Timeouts: 105
              TCP Overlaps: 4
       TCP Segments Queued: 497
     TCP Segments Released: 497
       TCP Rebuilt Packets: 375
         TCP Segments Used: 494
              TCP Discards: 77
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                   128
    GET methods:                    816
    Post parameters extracted:      128
    Unicode:                        0
    Double unicode:                 0
    Non-ASCII representable:        0
    Base 36:                        0
    Directory traversals:           336
    Extra slashes ("//"):           0
    Self-referencing paths ("./"):  336
    Total packets processed:        3253
===============================================================================
===============================================================================
Snort exiting
Calling s_list_free_all for decoder_list
Control thread exiting - 3083164560 (17491)
lward@snort3:/tmp$