懂snort的进来看看！

ly_lee

我再red hat linux9下装了snort-2.8.0.1和MYSQL,PHP,APACHE做了个IDS系统！我键入snort -d -v –e
也就是嗅探器模式下的命令可以看到数据包但是当我键入
[root@localhost local]# snort -dev -l ./log -h 210.43.2.0/24 -c snort.conf
也就是网络入侵检测模式命令时时出现以下代码：
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf
ERROR: Unable to open rules file: snort.conf or ./snort.conf
Fatal Error, Quitting..
然后我再键入[root@localhost local]# snort -dev -l ./log -h 210.43.2.0/24 -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
Var 'HOME_NET' redefined
PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 8000 8080 8180 8888]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined :  [ 1521]
PortVar 'AUTH_PORTS' defined :  [ 113]
PortVar 'DNS_PORTS' defined :  [ 53]
PortVar 'FINGER_PORTS' defined :  [ 79]
PortVar 'FTP_PORTS' defined :  [ 21]
PortVar 'IMAP_PORTS' defined :  [ 143]
PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000]
PortVar 'MSSQL_PORTS' defined :  [ 1433]
PortVar 'NNTP_PORTS' defined :  [ 119]
PortVar 'POP2_PORTS' defined :  [ 109]
PortVar 'POP3_PORTS' defined :  [ 110]
PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779]
PortVar 'RLOGIN_PORTS' defined :  [ 513]
PortVar 'RSH_PORTS' defined :  [ 514]
PortVar 'SMB_PORTS' defined :  [ 139 445]
PortVar 'SMTP_PORTS' defined :  [ 25]
PortVar 'SNMP_PORTS' defined :  [ 161]
PortVar 'SSH_PORTS' defined :  [ 22]
PortVar 'TELNET_PORTS' defined :  [ 23]
PortVar 'MAIL_PORTS' defined :  [ 25 143 465 691]
PortVar 'SSL_PORTS' defined :  [ 25 443 465 636 993 995]
Detection:
   Search-Method = AC-BNFA
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 30 seconds
    Min ttl:  1
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      465 client (Footprint)
      513 client (Footprint)
      691 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2100 client (Footprint)
Stream5 UDP Policy config:
    Timeout: 30 seconds
    Options:
        Ignore Any -> Any Rules: YES
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 2301 3128 8000 8080 8180 8888
      Flow Depth: 1460
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
Fatal Error, Quitting..
请问这是怎么回事！问题可能出在哪里？？？

ly_lee

还有这个问题！！我键入包记录模式的命令[root@localhost local]# snort -l ./log -b
结果出现以下代码：
Running in packet logging mode
Log directory = ./log

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.1 (Build 72)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 7.8 2008-09-05

Not Using PCAP_FRAMES
*** Caught Usr-Signal: 'Rotate Stats'
Performance log file '' not open*** Caught Usr-Signal: 'Rotate Stats'
Performance log file '' not open*** Caught Int-Signal
Run time prior to being shutdown was 87.288649 seconds
===============================================================================
Packet Wire Totals:
   Received:          331
   Analyzed:          325 (98.187%)
    Dropped:            0 (0.000%)
Outstanding:            6 (1.813%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 325        (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 256        (78.769%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 23         (7.077%)
      UDP: 233        (71.692%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 61         (18.769%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 8          (2.462%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
  Upconvt: 0          (0.000%)
  Up fail: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 325
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 325
PASSED: 0
===============================================================================
请高手看下！

ly_lee

Not Using PCAP_FRAMES这个出现的问题我造网上查啦！说是要设置个新的环境变量 export PCAP_FRAMES=max，但是我不知道怎么设置啊？在那里设置？？