[résolu][SME 7xx] Permissions SNORT

par **old7** » 19 Août 2006 12:46

Bonjour,

Retour de vacances et hop dans le cambuis, pfff ...

Pouvez-vous me dire quelles sont les permissions des répertoires /snort et /snortd svp ?

J'ai fait l'upgrade de smeserver-snort-2.4.3-1 à smeserver-snort-2.6.0-2 et le système ne sait plus accéder à /var/log/snortd :

Code: Tout sélectionner: runsvdir -P /service log: var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denie

Merci de votre aide.

par **MasterSleepy** » 21 Août 2006 08:08

Salut,

Qu'est-il indiqué dans la desciption du rpm???
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=302

A+

par **old7** » 21 Août 2006 19:31

MasterSleepy a écrit:Salut,
Qu'est-il indiqué dans la desciption du rpm???
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=302
A+

Salut Master,

o install, remove old one first and assure that directory
/var/service/snortd/
/var/log/snort/
/var/log/snortd/
have been erase with uninstall procedure.

Effectivement, j'ai suivi la desc du rpm et j'ai effectué l'uninstall et effacé à la main tout ce qui n'était pas parti lors de "rpm -e". ... pour être honnête, je n'ai pas noté ce qui a dû être retiré manuellement (confiant que j'étais).

Oups, pas contre, je n'ai pas fait un drop de la db ... ça vient de là ?!? ... si c'est le cas, va falloir que je plonge dans la doc de MySQL ...

Shame on me !!

par **old7** » 25 Août 2006 21:49

MasterSleepy a écrit:Salut,
Qu'est-il indiqué dans la desciption du rpm???
http://www.vanhees.cc/index.php?name=CmodsDownload&file=index&req=viewdownloaddetails&lid=302
A+

Je reviens avec le soucis.

Pas trop sur de la manip décrite plus haut dans le thread, j'ai tout recommencé proprement :

Code: Tout sélectionner: rpm -e smeserver-snort-2.4.3-1.i386 rm -rf /var/log/snort [root@SME temp]# ls -l /etc/snort/ total 32 drwxr-xr-x 2 root root 4096 aoû 25 20:58 rules -rw------- 1 root root 1876 avr 23 01:46 snort.conf.12350 -rw------- 1 root root 23047 avr 29 10:18 snort.conf.3743 -rw------- 1 root root 0 avr 29 10:08 snort.conf.3993 -rw------- 1 root root 0 avr 29 09:49 snort.conf.4005 -rw------- 1 root root 0 mai 30 00:03 snort.conf.4310 -rw------- 1 root root 0 avr 29 09:37 snort.conf.4753 -rw------- 1 root root 0 mai 2 20:10 snort.conf.6745 [root@SME temp]# rm -rf /etc/snort/ [root@SME temp]# ls -l /etc/snort/ ls: /etc/snort/: Aucun fichier ou répertoire de ce type [root@SME temp]#

plus aucune trace de snort sur la machine

Code: Tout sélectionner: mysql> show databases ; +-----------+ | Database | +-----------+ | horde | | mysql | | sme7admin | | test | +-----------+ 4 rows in set (0.00 sec)

reboot de la machine
install de snort (je logge ici toutes les opérations effectuées)

Code: Tout sélectionner: [root@SME temp]# rpm -ivh smeserver-snort-2.6.0-2.i386.rpm Préparation... ########################################### [100%] 1:smeserver-snort ########################################### [100%] ======================= Activate sme snort ================================ ======================= Creating snort_log database ======================= ======================= Creating snort_archive database =================== ======================= Creating tables in snort_log ====================== ======================= Creating tables in snort_archive ================== Starting snortd:[ OK ] BEWARE no rules have been installed!! Install some rules in /etc/snort/rules or install oinkmaster [root@SME temp]# [root@SME temp]# db configuration show snortd snortd=service HttpInspect=enabled mysql=enabled status=enabled [root@SME temp]#

jusqu'ici rien de particulier. Un petit 'ps' pour vérifier :

Code: Tout sélectionner: [root@SME temp]# ps -aux | grep 'snort' Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ root 1497 1.4 0.1 2652 316 ? Ss 21:06 0:03 runsvdir -P /service log: var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied?multilog: fatal: unable to lock directory /var/log/snortd: access denied? root 3367 14.3 0.1 1716 224 ? Rs 21:08 0:13 runsv snortd root 3551 0.2 1.4 9020 2792 ? S 21:08 0:00 /usr/sbin/snort -i eth1 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p root 8923 0.0 0.3 5240 632 pts/0 S+ 21:10 0:00 grep snort

:-( c'est pas bon !

Code: Tout sélectionner: drwxr-xr-x 2 snort snort 4096 mar 22 06:17 snort drwxr-xr-x 2 root root 4096 jui 18 06:13 snortd [root@SME log]# ls -l snort* snort: total 0 snortd: total 0 [root@jolan log]#

J'ai refait la même chose (remove total, reboot, install de snort) en allant jusqu'à l'install de oinkmaster + guardian + base pour avoir le même résultat...

Avez-vous une idée ?

par **MasterSleepy** » 28 Août 2006 07:57

Salut,

Peux-tu me dire les permissions sur le répertoire /var/log/snortd ??
Y a-t-il de fichier qui sont créé dans ce même répertoire?

A+

par **old7** » 28 Août 2006 16:03

MasterSleepy a écrit:Salut,

Peux-tu me dire les permissions sur le répertoire /var/log/snortd ??
Y a-t-il de fichier qui sont créé dans ce même répertoire?

A+

/var/log/snortd :

drwxr-xr-x 2 root root 4096 jui 18 06:13 snortd

Aucun fichier n'est créé dans ce repertoire.

par **MasterSleepy** » 28 Août 2006 16:10

Salut,

Oui ça me parait normal alors vu les permissions.
lance la commande

Code: Tout sélectionner: chown -R smelog:smelog /var/log/snortd

et relance le service.
Ca devrait solutionner le problème, mais je trouve ça bizarre car j'avais corrigé se problème dans la dernière version du rpm.

A+

par **old7** » 28 Août 2006 22:58

MasterSleepy a écrit:Salut,

Oui ça me parait normal alors vu les permissions.
lance la commande
Code: Tout sélectionner
chown -R smelog:smelog /var/log/snortd

et relance le service.
Ca devrait solutionner le problème, mais je trouve ça bizarre car j'avais corrigé se problème dans la dernière version du rpm.

A+

Merci de m'aider...

Alors, pour faire bref : rpm -e ancienne version de snort comme décrit plus haut dans le thread (sauf le reboot).

Ensuite rpm -ivh smeserver-snort-2.6.0-2.i386.rpm

Préparation... ########################################### [100%]
1:smeserver-snort ########################################### [100%]
======================= Activate sme snort ================================
======================= Creating snort_log database =======================
======================= Creating snort_archive database ===================
======================= Creating tables in snort_log ======================
======================= Creating tables in snort_archive ==================
Starting snortd:runsvctrl: warning: /service/snortd/log: unable to open supervise/control: file does not exist
runsvctrl: warning: /service/snortd: unable to open supervise/control: file does not exist
[ÉCHOUÉ]
BEWARE no rules have been installed!! Install some rules in /etc/snort/rules
or install oinkmaster

Modification des permissions de /var/log/snortd :

#chown -R smelog:smelog /var/log/snortd
# ls -l /var/log/
drwxr-xr-x 2 snort snort 4096 mar 22 06:17 snort
drwxr-xr-x 2 smelog smelog 4096 jui 18 06:13 snortd
# service snortd restart
Restarting snortd runsvctrl: warning: /service/snortd: unable to open supervise/control: file does not exist
[ÉCHOUÉ]
runsvctrl: warning: /service/snortd: unable to open supervise/control: file does not exist
# service snortd stop
Stopping snortd:svwaitdown: warning: /service/snortd: unable to open supervise/ok: file does not exist
[ÉCHOUÉ]

Face à tant d'injure :

# shutdown -r now

# ls -l snortd
-rw-r--r-- 1 smelog smelog 34986 aoû 28 22:20 current
-rw------- 1 smelog smelog 0 aoû 28 22:19 lock
-rw-r--r-- 1 smelog smelog 0 aoû 28 22:19 state

Ca semble bon ... mais la machine pédale comme une malade :(

# watch 'ps aux | grep snort'

Every 2,0s: ps aux | grep snort Mon Aug 28 22:28:42 2006

root 1708 0.0 0.0 1788 88 ? Ss 22:19 0:00 runsv snortd
smelog 1736 0.0 0.0 1320 44 ? S 22:19 0:00 /usr/local/bin/multilog t s5000000 /var/log/snortd
root 3510 0.8 0.2 5140 432 pts/0 S+ 22:27 0:00 watch ps aux | grep snort
snort 3518 40.3 77.2 229808 147724 ? R 22:28 0:10 /usr/sbin/snort -i eth1 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p

snort consomme entre 70 et 90% du CPU et beaucoup MEM ... pas bon ça !!

Je décide d'installer Oinkmaster pour alimenter Snort avec les règles.. mais ça ne change rien ..

par **MasterSleepy** » 29 Août 2006 08:31

Salut,

Snort utilise beaucoup de ressource mais quand même...
Essaye un peu de couper le service snort
et de l'éxécuter à la ligne de commande.

Code: Tout sélectionner: usr/sbin/snort -i eth1 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p

Pour vérifier que la config est correct.

A+

par **old7** » 29 Août 2006 20:03

MasterSleepy a écrit:Salut,
Snort utilise beaucoup de ressource mais quand même...
Essaye un peu de couper le service snort
et de l'éxécuter à la ligne de commande.
Code: Tout sélectionner
usr/sbin/snort -i eth1 -u snort -g snort -c /etc/snort/snort.conf -K ascii -p

Pour vérifier que la config est correct.
A+

Wouais, c'est quand même beaucoup de ressources ... la version précédente tournait à l'aise ; celle-ci met la machine à genoux.

voici ce que raconte Snort lancé à la main :

Code: Tout sélectionner: /usr/sbin/snort: /usr/lib/mysql/libmysqlclient.so.14: no version information available (required by /usr/sbin/snort) Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... Var 'EXTERNAL_NET' defined, value len = 14 chars, value = 192.168.100.31 Var 'DNS_SERVERS' defined, value len = 47 chars, value = [127.0.0.1/1,192.168.200.0/24,192.168.100.31/1] Var 'SMTP_SERVERS' defined, value len = 47 chars, value = [127.0.0.1/1,192.168.200.0/24,192.168.100.31/1] Var 'HTTP_SERVERS' defined, value len = 47 chars, value = [127.0.0.1/1,192.168.200.0/24,192.168.100.31/1] Var 'SQL_SERVERS' defined, value len = 47 chars, value = [127.0.0.1/1,192.168.200.0/24,192.168.100.31/1] Var 'TELNET_SERVERS' defined, value len = 47 chars, value = [127.0.0.1/1,192.168.200.0/24,192.168.100.31/1] Var 'SNMP_SERVERS' defined, value len = 47 chars, value = [127.0.0.1/1,192.168.200.0/24,192.168.100.31/1] Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80 Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80 Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521 Var 'AIM_SERVERS' defined, value len = 132 chars [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0 /24] Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules ,-----------[Flow Config]---------------------- | Stats Interval: 0 | Hash Method: 2 | Memcap: 10485760 | Rows : 4099 | Overhead Bytes: 16400(%0.16) `---------------------------------------------- WARNING: the frag2 preprocessor will be deprecated in the next release of snort. Please switch to using frag3. No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes Session count max: 8192 sessions Session cleanup count: 5 State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Enforce TCP State: INACTIVE Midstream Drop Alerts: INACTIVE Server Data Inspection Limit: -1 HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 DEFAULT SERVER CONFIG: Ports: 80 443 980 Flow Depth: 300 Max Chunk Length: 500000 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: YES Oversize Dir Length: 3000 Only inspect URI: NO Ascii: YES alert: NO Double Decoding: YES alert: YES %U Encoding: YES alert: YES Bare Byte: YES alert: YES Base36: OFF UTF 8: OFF IIS Unicode: YES alert: YES Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: YES Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: NONE rpc_decode arguments: Ports to decode RPC on: 111 32771 alert_fragments: INACTIVE alert_large_fragments: ACTIVE alert_incomplete: ACTIVE alert_multiple_requests: ACTIVE WARNING: the telnet preprocessor will be deprecated in the next release of snort. Please switch to using ftptelnet. telnet_decode arguments: Ports to decode telnet on: 21 23 25 119 7109 Snort rules read... 7109 Option Chains linked into 518 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ Tagged Packet Limit: 256 +-----------------------[thresholding-config]---------------------------------- | memory-cap : 1048576 bytes +-----------------------[thresholding-global]---------------------------------- | none +-----------------------[thresholding-local]----------------------------------- | gen-id=1 sig-id=7180 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6197 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7691 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6361 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5989 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7597 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7518 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7532 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5742 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6222 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6127 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000163 type=Both tracking=src count=100 seconds=60 | gen-id=1 sig-id=5915 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6192 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6282 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6488 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6203 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=5797 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6385 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6480 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5881 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60 | gen-id=1 sig-id=6239 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5990 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7138 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7190 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7559 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7624 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5976 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6478 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6321 type=Limit tracking=src count=1 seconds=3000 | gen-id=1 sig-id=5971 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=5846 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6232 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=7549 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6358 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7573 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000311 type=Limit tracking=src count=1 seconds=360 | gen-id=1 sig-id=5773 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6275 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5749 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7525 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7141 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5858 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7118 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5802 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5910 type=Limit tracking=dst count=1 seconds=300 | gen-id=1 sig-id=5867 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=5961 type=Limit tracking=src count=1 seconds=1800 | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=5940 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6196 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5988 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6365 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=1991 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=5970 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=5914 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5744 type=Limit tracking=src count=1 seconds=1800 | gen-id=1 sig-id=5979 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6191 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000161 type=Both tracking=dst count=100 seconds=60 | gen-id=1 sig-id=7034 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=6213 type=Limit tracking=src count=1 seconds=1800 | gen-id=1 sig-id=100000162 type=Both tracking=src count=100 seconds=60 | gen-id=1 sig-id=5323 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=6322 type=Limit tracking=src count=1 seconds=3000 | gen-id=1 sig-id=7615 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7537 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5928 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=5796 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5966 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5994 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7511 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7142 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5921 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5931 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7567 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6384 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6208 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=6271 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6107 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5321 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=5856 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6336 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7576 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6219 type=Both tracking=src count=1 seconds=1800 | gen-id=1 sig-id=7563 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7727 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5951 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6496 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5975 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7195 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6252 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5806 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7582 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7613 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7154 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=5922 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5837 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5992 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=100000310 type=Limit tracking=src count=1 seconds=360 | gen-id=1 sig-id=7572 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7140 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7524 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7548 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5897 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7642 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5866 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=7534 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5918 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=6373 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5939 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6363 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6398 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6225 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5987 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000158 type=Both tracking=src count=100 seconds=60 | gen-id=1 sig-id=6377 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7594 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7074 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7515 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7589 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5916 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5981 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5925 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60 | gen-id=1 sig-id=6489 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5978 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6212 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7169 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7706 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5322 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=5903 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7649 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5927 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=5995 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7646 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5930 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5825 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7575 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6207 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=6374 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7050 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7603 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6494 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=7655 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5944 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=5765 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5977 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6250 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6174 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7194 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5974 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=7100 type=Limit tracking=src count=1 seconds=3000 | gen-id=1 sig-id=5891 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5760 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6281 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5835 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7571 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5836 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6386 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7139 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5929 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=7523 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000208 type=Threshold tracking=src count=50 seconds=60 | gen-id=1 sig-id=5982 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5807 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7527 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000160 type=Both tracking=src count=300 seconds=60 | gen-id=1 sig-id=5879 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5980 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6477 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10 | gen-id=1 sig-id=6200 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7514 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5896 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6487 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5829 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5803 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7192 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=5926 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5889 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7535 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5824 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=5831 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6233 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7732 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5932 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5750 type=Limit tracking=src count=1 seconds=1800 | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60 | gen-id=1 sig-id=6343 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5801 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7531 type=Limit tracking=src count=1 seconds=6000 | gen-id=1 sig-id=7177 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6254 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6290 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5943 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5764 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6146 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6220 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5853 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7033 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=5774 type=Limit tracking=src count=1 seconds=1800 | gen-id=1 sig-id=5899 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7550 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6176 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7505 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5986 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6206 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5890 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5767 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6483 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6241 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5993 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7522 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7185 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6228 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6341 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=7055 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7552 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6364 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7144 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5776 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6122 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7526 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000159 type=Both tracking=src count=100 seconds=60 | gen-id=1 sig-id=7529 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6223 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5841 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7539 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7760 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6360 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5949 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5946 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6199 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7069 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5973 type=Limit tracking=src count=1 seconds=900 | gen-id=1 sig-id=5828 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7174 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7516 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7581 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7712 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60 | gen-id=1 sig-id=5805 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5832 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5830 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6237 type=Limit tracking=src count=1 seconds=1200 | gen-id=1 sig-id=5996 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6342 type=Limit tracking=src count=1 seconds=60 | gen-id=1 sig-id=5865 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7557 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7533 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5942 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7562 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5917 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6128 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7587 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5842 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5945 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5852 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6481 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7593 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7569 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6270 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5954 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7504 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5838 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7739 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6482 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6484 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5871 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7669 type=Limit tracking=src count=1 seconds=120 | gen-id=1 sig-id=7191 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6189 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5950 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7558 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5912 type=Limit tracking=src count=1 seconds=3000 | gen-id=1 sig-id=7647 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6372 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5983 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7551 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=5775 type=Limit tracking=src count=1 seconds=1800 | gen-id=1 sig-id=7143 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6251 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6490 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=6359 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7758 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7759 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2 | gen-id=1 sig-id=7711 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5794 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=7547 type=Limit tracking=src count=1 seconds=600 | gen-id=1 sig-id=6198 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7570 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7193 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=7068 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=100000312 type=Limit tracking=src count=1 seconds=360 | gen-id=1 sig-id=6324 type=Limit tracking=src count=1 seconds=300 | gen-id=1 sig-id=5804 type=Limit tracking=src count=1 seconds=300 +-----------------------[suppression]------------------------------------------ | none ------------------------------------------------------------------------------- Rule application order: ->activation->dynamic->pass->drop->alert->log Log directory = /var/log/snort Verifying Preprocessor Configurations! Warning: flowbits key 'http.jpeg' is checked but not ever set. Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked. Warning: flowbits key 'Perfect_Keylogger1' is set but not ever checked. Warning: flowbits key 'PerfectKeylogger1' is checked but not ever set. Warning: flowbits key 'backdoor.fraggle.rock.2.0.lite.pc.info' is checked but not ever set. Warning: flowbits key 'dce.bind.veritas' is set but not ever checked. Warning: flowbits key 'community_uri.size.1050' is set but not ever checked. Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set. Warning: flowbits key 'DesktopDetective_InfoRequest' is set but not ever checked. Initializing Network Interface eth1 Var 'eth1_ADDRESS' defined, value len = 27 chars, value = 192.168.100.0/255.255.255.0 Decoding Ethernet on interface eth1 database: compiled support for ( mysql ) database: configured to use mysql database: user = root database: password is set database: database name = snort_log database: host = localhost database: sensor name = 192.168.100.31 database: sensor id = 1 database: schema version = 107 database: using the "log" facility

ctrl + c

Code: Tout sélectionner: Processus arrêté

Je remarque quelques différences entre ce que raconte les deux versions de Snort. Si tu en as besoin, je peux poster les messages de l'ancienne version.

Pour info, après install j'ai rebooté la machine, installé oinkmaster pour obtenir des règles.
Je dispose aussi des messages de snort-2.6.0-2 avant installation des régles si besoin.

par **MasterSleepy** » 31 Août 2006 08:12

Salut,

Effectivement la version 2.6 est extrêmement exigente.
Je suis moi aussi repassé en version 2.4 qui fonctionne, je trouve, plus correctement, exception de httpInspect.
Pour donner une information, sur ma machine la version 2.6 de snort utilisait 60% de la mémoire tandis que la version 2.4.5 en utilise 6 à 7 %.
Je vais d'ailleurs adapter mes packages pour utiliser la dernière version de la branche 2.4 de snort.

A+

par **old7** » 01 Sep 2006 23:36

MasterSleepy a écrit:Salut,

Effectivement la version 2.6 est extrêmement exigente.
Je suis moi aussi repassé en version 2.4 qui fonctionne, je trouve, plus correctement, exception de httpInspect.
Pour donner une information, sur ma machine la version 2.6 de snort utilisait 60% de la mémoire tandis que la version 2.4.5 en utilise 6 à 7 %.
Je vais d'ailleurs adapter mes packages pour utiliser la dernière version de la branche 2.4 de snort.

A+

Ok, donc c'est normal que ma petite config soit à genoux..
Back to 2.4 alors...

En tout cas, MasterSleepy, un grand merci pour le temps que tu as consacré à mon soucis.

Pour ton info, j'ai installé la version 2,6 de Snort sur une SME 7,0 toute fraîche (full install from CD) et j'ai dû faire le "chown -R smelog:smelog /var/log/snortd".

[résolu][SME 7xx] Permissions SNORT

[résolu][SME 7xx] Permissions SNORT

Qui est en ligne ?