snort 的base里没有HttpInspect 数据

heiheijian

大家帮我看下snort的HttpInspect在base里面没有数据,大家帮我看下,下面是snort 启动信息.

[root@mail snort]#  snort  -c /etc/snort/snort.conf -g snort -u snort -i eth0 -l /var/log/snort
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
Var 'HOME_NET' redefined
PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 8000 8080 8180 8888]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined :  [ 1521]
PortVar 'AUTH_PORTS' defined :  [ 113]
PortVar 'DNS_PORTS' defined :  [ 53]
PortVar 'FINGER_PORTS' defined :  [ 79]
PortVar 'FTP_PORTS' defined :  [ 21]
PortVar 'IMAP_PORTS' defined :  [ 143]
PortVar 'IRC_PORTS' defined :  [ 6665:6669 7000]
PortVar 'MSSQL_PORTS' defined :  [ 1433]
PortVar 'NNTP_PORTS' defined :  [ 119]
PortVar 'POP2_PORTS' defined :  [ 109]
PortVar 'POP3_PORTS' defined :  [ 110]
PortVar 'SUNRPC_PORTS' defined :  [ 111 32770:32779]
PortVar 'RLOGIN_PORTS' defined :  [ 513]
PortVar 'RSH_PORTS' defined :  [ 514]
PortVar 'SMB_PORTS' defined :  [ 139 445]
PortVar 'SMTP_PORTS' defined :  [ 25]
PortVar 'SNMP_PORTS' defined :  [ 161]
PortVar 'SSH_PORTS' defined :  [ 22]
PortVar 'TELNET_PORTS' defined :  [ 23]
PortVar 'MAIL_PORTS' defined :  [ 25 143 465 691]
PortVar 'SSL_PORTS' defined :  [ 25 443 465 636 993 995]
Detection:
   Search-Method = AC-BNFA
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 30 seconds
    Min ttl:  1
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      465 client (Footprint)
      513 client (Footprint)
      691 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2100 client (Footprint)
Stream5 UDP Policy config:
    Timeout: 30 seconds
    Options:
        Ignore Any -> Any Rules: YES
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 2301 3128 8000 8080 8180 8888
      Flow Depth: 1460
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    SERVER: 192.168.1.14
      Server profile: All
      Ports: 80 3128 8080
      Flow Depth: 0
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 300
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: OFF
      Bare Byte: OFF
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: OFF
      Multiple Slash: OFF
      IIS Backslash: OFF
      Directory Traversal: OFF
      Web Root Traversal: OFF
      Apache WhiteSpace: OFF
      IIS Delimiter: OFF
      IIS Unicode Map:  NOT CONFIGURED
      Non-RFC Compliant Characters: 0x00
      Whitespace Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: High/Experimental
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: YES
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports: 21 2100
        Check for Telnet Cmds: OFF
        Identify open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: NO
        Max Response Length: 200

SMTP Config:
    Ports: 25 465 691
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2STATE XSTA XTRN XUSR PIPELINING CHUNKING DSN XQUEU
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
       XLICENSE:246 X-LINK2STATE:246 XSTA:246 XTRN:246 XUSR:246
       PIPELINING:246 CHUNKING:246 DSN:246 XQUEU:246
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
SSH config:
    Autodetection: DISABLED
    GOBBLES Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: ENABLED
    Bad Payload Size Alert: ENABLED
    Unrecognized Version Alert: ENABLED
    Max Encrypted Packets: 20  
    MaxClientBytes: 19600 (Default)
    Ports:
        22

DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1958 Snort rules read
    1958 detection rules
    0 decoder rules
    0 preprocessor rules
1958 Option Chains linked into 58 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src     765       2       0       0
|     dst    1042      37       0       0
|     any       2       2     108       0
|      nc       4       1      82       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=4984       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2  
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'sslv3.client_hello.request' is checked but not ever set.
15 out of 512 flowbits in use.

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.1.14
database:     sensor id = 2
database: schema version = 107
database: using the "log" facility

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 59
| Patterns         : 2159
| Pattern Chars    : 56862
| Num States       : 43589
| Num Match States : 2009
| Memory           :   860.68Kbytes
|   Patterns       :   97.64K
|   Match Lists    :   189.69K
|   Transitions    :   568.28K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.1 (Build 72)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
Using PCAP_FRAMES = max

[ 本帖最后由 heiheijian 于 2007-12-24 11:24 编辑 ]

shulei521

兄弟,能不能把你的配置过程贴出来，让我们看看，我配了两次了，http://ip/base都不能访问。不知道是那里出了问题。

jerichen

我的问题更严重，什么数据都没有。不知道你的解决没有