snort-2.3.3-2.3.20060mdk.x86_64.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2002-2-1 (1.71)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>6 Problems</TITLE>
<META NAME="description" CONTENT="6 Problems">
<META NAME="keywords" CONTENT="faq">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="faq.css">

<LINK REL="next" HREF="node7.html">
<LINK REL="previous" HREF="node5.html">
<LINK REL="up" HREF="faq.html">
<LINK REL="next" HREF="node7.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<B> Next:</B> <A NAME="tex2html377"
  HREF="node7.html">7 Development</A>
<B> Up:</B> <A NAME="tex2html375"
  HREF="faq.html">The Snort FAQ</A>
<B> Previous:</B> <A NAME="tex2html369"
  HREF="node5.html">5 Getting Fancy</A>
<BR>
<BR>
<!--End of Navigation Panel-->
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL>
<LI><A NAME="tex2html378"
  HREF="node6.html#SECTION00061000000000000000">6.1  I think I found a bug in Snort. Now what?</A>
<LI><A NAME="tex2html379"
  HREF="node6.html#SECTION00062000000000000000">6.2 SMB alerts aren't working, what's wrong? </A>
<LI><A NAME="tex2html380"
  HREF="node6.html#SECTION00063000000000000000">6.3 Snort says ``Garbage Packet with Null Pointer discarded!'' Huh?</A>
<LI><A NAME="tex2html381"
  HREF="node6.html#SECTION00064000000000000000">6.4 Snort says ``Ran Out Of Space.'' Huh?</A>
<LI><A NAME="tex2html382"
  HREF="node6.html#SECTION00065000000000000000">6.5 My ACID db connection times-out when performing long operations (e.g.
deleting a large number of alerts).</A>
<LI><A NAME="tex2html383"
  HREF="node6.html#SECTION00066000000000000000">6.6 Why does ACID keep changing my sensor number and how do I keep it
consistent?</A>
<LI><A NAME="tex2html384"
  HREF="node6.html#SECTION00067000000000000000">6.7 Why does snort report ``Packet loss statistics are unavailable under Linux?''</A>
<LI><A NAME="tex2html385"
  HREF="node6.html#SECTION00068000000000000000">6.8 My /var/log/snort directory gets very large...</A>
<LI><A NAME="tex2html386"
  HREF="node6.html#SECTION00069000000000000000">6.9 Why does the `error deleting alert' message occur when attempting to delete an alert with ACID?  </A>
<LI><A NAME="tex2html387"
  HREF="node6.html#SECTION000610000000000000000">6.10 ACID appears to be broken in Lynx </A>
<LI><A NAME="tex2html388"
  HREF="node6.html#SECTION000611000000000000000">6.11 I am getting `snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings. What's wrong?</A>
<LI><A NAME="tex2html389"
  HREF="node6.html#SECTION000612000000000000000">6.12 On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument</A>
<LI><A NAME="tex2html390"
  HREF="node6.html#SECTION000613000000000000000">6.13 Snort is dying with a `can not create file' error and I have plenty of diskspace. What's wrong?</A>
<LI><A NAME="tex2html391"
  HREF="node6.html#SECTION000614000000000000000">6.14 I am using Snort on Windows and receive an ``OpenPcap() error upon startup: ERROR: OpenPcap() device open: Error opening adapter'' message. What's wrong? </A>
<LI><A NAME="tex2html392"
  HREF="node6.html#SECTION000615000000000000000">6.15 Snort is not logging to my database</A>
<LI><A NAME="tex2html393"
  HREF="node6.html#SECTION000616000000000000000">6.16 Portscans are not being logged to my database </A>
<LI><A NAME="tex2html394"
  HREF="node6.html#SECTION000617000000000000000">6.17 Snort is not logging to syslog</A>
<LI><A NAME="tex2html395"
  HREF="node6.html#SECTION000618000000000000000">6.18 I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERs var </A>
<LI><A NAME="tex2html396"
  HREF="node6.html#SECTION000619000000000000000">6.19 Why does chrooted Snort die when I send it a SIGHUP? </A>
<LI><A NAME="tex2html397"
  HREF="node6.html#SECTION000620000000000000000">6.20 My snort crashes, how do I restart it?</A>
<LI><A NAME="tex2html398"
  HREF="node6.html#SECTION000621000000000000000">6.21 Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub?</A>
<LI><A NAME="tex2html399"
  HREF="node6.html#SECTION000622000000000000000">6.22 Trying to install snort it says: ``bad interpreter: No such file or
directory''</A>
<LI><A NAME="tex2html400"
  HREF="node6.html#SECTION000623000000000000000">6.23 I'm not seeing any interfaces listed under Win32.</A>
<LI><A NAME="tex2html401"
  HREF="node6.html#SECTION000624000000000000000">6.24 It's not working on Win32, how can I tell if my problem is Snort or
WinPcap?</A>
<LI><A NAME="tex2html402"
  HREF="node6.html#SECTION000625000000000000000">6.25 I just downloaded a new ruleset and now Snort fails, complaining about the
rules.</A>
<LI><A NAME="tex2html403"
  HREF="node6.html#SECTION000626000000000000000">6.26 How do I speed up ACID and MySQL?</A>
<LI><A NAME="tex2html404"
  HREF="node6.html#SECTION000627000000000000000">6.27 Why am I seeing so many ``SMTP RCPT TO overflow'' alerts ?</A>
<LI><A NAME="tex2html405"
  HREF="node6.html#SECTION000628000000000000000">6.28 I'm getting lots of *ICMP Ping Speedera*, is this bad?</A>
<LI><A NAME="tex2html406"
  HREF="node6.html#SECTION000629000000000000000">6.29 Why are my unified alert times off by +/- N hours?</A>
<LI><A NAME="tex2html407"
  HREF="node6.html#SECTION000630000000000000000">6.30 I try to start Snort and it gives an error like ``ERROR: Unable to open
rules file: /root/.snortrc or /root//root/.snortrc.'' What can I do to fix this?</A>
</UL>
<!--End of Table of Child-Links-->
<HR>

<H1><A NAME="SECTION00060000000000000000">
6 Problems</A>
</H1>

<H2><A NAME="SECTION00061000000000000000">
6.1  I think I found a bug in Snort. Now what?</A>
</H2>

<P>
Get some more diagnostic information and post it to ``snort-users'' at
<A NAME="tex2html79"
  HREF="http://www.sourceforge.net/lists/listinfo/snort-users">http://www.sourceforge.net/lists/listinfo/snort-users</A>.

<P>
To get diagnostic information, compile snort as either:

<P>
<PRE>make clean; make CFLAGS=-ggdb
</PRE>

<P>
or
<PRE>make clean; make "CFLAGS=-ggdb -DDEBUG"
</PRE>

<P>
then trace the core dump with:

<P>
<PRE>
gdb /path/to/snort /path/to/snort/core

gdb&gt; where
gdb&gt; bt
gdb&gt; print varname      # or $varname, $$varname, etc.
</PRE>

<P>
or, if no core file is generated, start Snort under gdb:

<P>
<PRE>
gdb snort

gdb&gt; run snort_args_go_here
</PRE>

<P>
Then, when it crashes:
<PRE>
gdb&gt; where
gdb&gt; bt
gdb&gt; print varname      # or $varname, $$varname, etc.
</PRE>

<P>

<H2><A NAME="SECTION00062000000000000000">
6.2 SMB alerts aren't working, what's wrong? </A>
</H2>

<P>
The SMB alerting output plugin was removed in Snort 2.1 due to security issues.

<P>

<H2><A NAME="SECTION00063000000000000000">
6.3 Snort says ``Garbage Packet with Null Pointer discarded!'' Huh?</A>
</H2>

<P>
This was an internal diagnostic message triggered by an old bug
in early versions of the defragmentation preprocessor.  Upgrade
to the latest version of Snort.

<P>

<H2><A NAME="SECTION00064000000000000000">
6.4 Snort says ``Ran Out Of Space.'' Huh?</A>
</H2>

<P>
This is an internal diagnostic message when the defragmentation
preprocessor runs into its&nbsp;32MB hard allocation space limit.
Tell Dragos about it &lt;dr@kyx.net&gt;.

<P>

<H2><A NAME="SECTION00065000000000000000">
6.5 My ACID db connection times-out when performing long operations (e.g.
deleting a large number of alerts).</A>
</H2>

<P>
PHP has an internal variable that limits how long a script may run. It
is used to prevent poorly written code from executing indefinitely. To
change the time-out value, edit the 'max_execution_time' variable found in
the 'php.ini' configuration file.

<P>

<H2><A NAME="SECTION00066000000000000000">
6.6 Why does ACID keep changing my sensor number and how do I keep it
consistent?</A>
</H2>

<P>
From the code in op_acid_db.c:
<PRE>
/* if sensor id == 0, then we attempt to determine it dynamically */
if(data-&gt;sensor_id == 0)
{
    data-&gt;sensor_id = AcidDbGetSensorId(data);
}
</PRE>

<P>
And AcidDbGetSensorId does the following:
<PRE>
"SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
"AND filter='%s' AND detail='%u' AND encoding='0'", pv.hostname,
pv.interface, pv.filter, op_data-&gt;detail
</PRE>

<P>
If a sensor row comes back, Snort uses that sensor_id; if not, it inserts a
new sensor. So, going by the code, to keep the id consistent don't change the
hostname, interface, filter or detail level.

<P>

<H2><A NAME="SECTION00067000000000000000">
6.7 Why does snort report ``Packet loss statistics are unavailable under Linux?''</A>
</H2>

<P>
The Linux IP stack doesn't report lost-packet stats. This has recently been
fixed for 2.4+ kernels in the new version of libpcap, so upgrade your kernel
and libpcap and it should work.

<P>

<H2><A NAME="SECTION00068000000000000000">
6.8 My /var/log/snort directory gets very large...</A>
</H2>

<P>
Try this script to archive the files:

<P>
<PRE>
#!/bin/sh

#
# Logfile rotation script for snort written by jameso@elwood.net.
#
# This script is pretty basic. We start out by setting some vars.
# Its job is to rotate the day's logfiles, e-mail you with what
# it logged, keep one week's worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight every night. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can
# see what sub dirs it expects from looking at the var settings
# below.
#
# Things to note in this script is that we run this script at 12
# every night, so we want to set the dirdate var to the day the script
# runs minus a day so we label the files with the correct day. We
# then create a dir for the day's logs and move the log files into
# today's dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress today's logs and archive them away, and
# end up by mailing out the logs to you.
#
# Define where you have the base of your snort install
snortbase=/usr/snort
# Define other vars
# logdir   - Where the logs are kept
# oldlogs  - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a week's worth of log files uncompressed
# dirdate  - Today's date in Month - Day - Year format
# olddirdate - Today's date in the same format as dirdate, minus a week
logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs
# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apparently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.
system=bsd
if [ $system = bsd ]
then
 dirdate=`date -v -1d "+%m-%d-%y"`
 olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ $system = other ]
then
 # Note: this plain day-of-month arithmetic does not cross month boundaries.
 month=`date "+%m"`
 yesterday=`expr \`date "+%d"\` - 1`
 eightday=`expr \`date "+%d"\` - 8`
 year=`date "+%y"`
 dirdate=$month-$yesterday-$year
 olddirdate=$month-$eightday-$year
fi

# Create the dir for today's logs.
if [ ! -d $weeklogs/$dirdate ]
then
 mkdir $weeklogs/$dirdate
fi

# Move the log files into today's log dir. This is done with
# a for loop right now, because I am afraid that if a lot is
# logged there may be too many items to move with a "mv *"
# type command. There may be a better way to do this, but I don't
# know it yet.
for logitem in `ls $logdir` ; do
 mv $logdir/$logitem $weeklogs/$dirdate
done

# Kill and restart snort now that the log files are moved.

kill `cat /var/run/snort_fxp0.pid`

# Restart snort in the correct way for you

/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
-c /usr/snort/etc/08292k.rules &gt; /dev/null 2&gt;&amp;1

# Delete any uncompressed log files that are over a week old.

if [ -d $weeklogs/$olddirdate ]
then
 rm -r $weeklogs/$olddirdate
fi

# Compress and save the log files for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.

(cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate &gt; /dev/null 2&gt;&amp;1)

# Mail out the log files for today.

cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you@domain.com
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you@domain.com
</PRE>
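<P>
The following is an added example, not part of the FAQ's rotation script, that replaces the date arithmetic in the script's <TT>other</TT> branch. That branch subtracts 1 from the day-of-month, which produces a directory name such as 03-00-06 on the first of every month and never moves back into the previous month or year, so the week-old directory is never found and deleted. The functions below compute "N days ago" through a Julian Day Number in plain POSIX sh arithmetic, so they need neither BSD <TT>date -v</TT> nor GNU <TT>date -d</TT>; the output format MM-DD-YY matches the script's <TT>dirdate</TT>. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the Snort FAQ or its rotation script): portable
# "N days ago" for a log rotation job, using only POSIX sh arithmetic.
# Dates are converted to a Julian Day Number (Fliegel & Van Flandern
# algorithm), shifted, and converted back, so month and year boundaries
# and leap years are handled without BSD `date -v` or GNU `date -d`.

# ymd_to_jdn YEAR MONTH DAY: print the Julian Day Number of a Gregorian date.
ymd_to_jdn() {
    _y=$1
    _m=${2#0}   # strip one leading zero so 08 and 09 are not read as octal
    _d=${3#0}
    _a=$(( (14 - _m) / 12 ))
    _yy=$(( _y + 4800 - _a ))
    _mm=$(( _m + 12 * _a - 3 ))
    echo $(( _d + (153 * _mm + 2) / 5 + 365 * _yy + _yy / 4 - _yy / 100 + _yy / 400 - 32045 ))
}

# jdn_to_mdy JDN: print the date as MM-DD-YY, the format the FAQ script
# uses for dirdate and olddirdate.
jdn_to_mdy() {
    _a=$(( $1 + 32044 ))
    _b=$(( (4 * _a + 3) / 146097 ))
    _c=$(( _a - 146097 * _b / 4 ))
    _dd=$(( (4 * _c + 3) / 1461 ))
    _e=$(( _c - 1461 * _dd / 4 ))
    _mo=$(( (5 * _e + 2) / 153 ))
    _day=$(( _e - (153 * _mo + 2) / 5 + 1 ))
    _month=$(( _mo + 3 - 12 * (_mo / 10) ))
    _year=$(( 100 * _b + _dd - 4800 + _mo / 10 ))
    printf '%02d-%02d-%02d\n' "$_month" "$_day" $(( _year % 100 ))
}

# days_ago YEAR MONTH DAY N: the date N days before YEAR-MONTH-DAY as MM-DD-YY.
days_ago() {
    jdn_to_mdy $(( $(ymd_to_jdn "$1" "$2" "$3") - $4 ))
}

# Usage as the rotation script would use it: label yesterday's logs and
# name the directory that has now aged a week.
dirdate=$(days_ago "$(date +%Y)" "$(date +%m)" "$(date +%d)" 1)
olddirdate=$(days_ago "$(date +%Y)" "$(date +%m)" "$(date +%d)" 8)
echo "today's log dir: $dirdate   directory to expire: $olddirdate"
```

<P>
Drop the two functions into the script and set <TT>dirdate</TT> and <TT>olddirdate</TT> from them in place of the <TT>expr</TT> lines; the <TT>bsd</TT>/<TT>other</TT> switch is then no longer needed.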

<P>

<H2><A NAME="SECTION00069000000000000000">
6.9 Why does the `error deleting alert' message occur when attempting to delete an alert with ACID?  </A>
</H2>

<P>
Most likely the DB user configured in ACID does not have sufficient
privileges. In addition to the privileges needed to log alerts into
the database (INSERT, SELECT), DELETE is also required.

<P>
This permission related issue can be confirmed by manually inserting a row
into the database, then trying to delete it. 

<P>

<OL>
<LI>Log into MySQL with the same credentials (i.e. username, password) as you use in ACID:
	<PRE>
	mysql -u &lt;username&gt; -p
</PRE>
</LI>
<LI>Insert a test row into the event table: 
	<PRE>
	mysql&gt; INSERT INTO event (sid, cid, signature, timestamp) 
	VALUES (1,1000000, "test", "0");
</PRE>
	(this assumes that you don't already have a row with an event ID=1000000. If
	you do just choose another event id #) 

<P>
</LI>
<LI>Now delete this newly inserted row:

<P>
<PRE>mysql&gt; DELETE FROM event WHERE sid=1 AND cid=1000000;
</PRE>

<P>
If you were not able to delete, this confirms that this is a permission
problem. Re-login to mysql as root, and issue a GRANT command (giving the
DELETE permission) to the ACID DB user: 

<P>
<PRE>GRANT DELETE ON snort.* TO acid@localhost;
</PRE>

<P>
(this assumes that my alert database is 'snort', username is 'acid', and
logging from the 'localhost') 

<P>
</LI>
</OL>
<H2><A NAME="SECTION000610000000000000000">
6.10 ACID appears to be broken in Lynx </A>
</H2>

<P>
This is a known issue. Lynx mangles some of the form arguments appended to
the URL. Its resolution is being investigated; use Netscape, Opera, or
IE in the meantime.

<P>

<H2><A NAME="SECTION000611000000000000000">
6.11 I am getting `snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings. What's wrong?</A>
</H2>

<P>
You are using an older libpcap version with a recent Linux kernel. There should be
no problem with it as long as your kernel supports the SOCK_PACKET socket
type. To get rid of the warning message, however, you'll have to upgrade
to a recent version of libpcap (a copy from www.tcpdump.org is recommended).

<P>

<H2><A NAME="SECTION000612000000000000000">
6.12 On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument</A>
</H2>

<P>
Another program is already using the DLPI service.
The HP-UX implementation doesn't allow more than one libpcap program
to run at a time, unlike Linux (from snort.c).

<P>

<H2><A NAME="SECTION000613000000000000000">
6.13 Snort is dying with a `can not create file' error and I have plenty of diskspace. What's wrong?</A>
</H2>

<P>
You may have run out of free inodes, which also means you cannot create
more files on the partition even though free space remains. The obvious solution is to rm some. ;-)

<P>

<H2><A NAME="SECTION000614000000000000000">
6.14 I am using Snort on Windows and receive an ``OpenPcap() error upon startup: ERROR: OpenPcap() device open: Error opening adapter'' message. What's wrong? </A>
</H2>

<P>
Either winpcap is not installed, or you are using an incompatible version.
Try upgrading to the latest version (2.3 as of 01/17/03).  It is available 
from <A NAME="tex2html80"
  HREF="http://netgroup-serv.polito.it/winpcap/">http://netgroup-serv.polito.it/winpcap/</A>.
It might also be an issue with SMP machines (see FAQ <A HREF="node2.html#winpcap"><IMG  ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>).

<P>

<H2><A NAME="SECTION000615000000000000000">
6.15 Snort is not logging to my database</A>
</H2>

<P>
There are a number of problems that may be causing Snort to fail to log to a 
database.  You should check these:

<OL>
<LI>You did not set up the database plugin in your configuration file.
</LI>
<LI>You are using an older database schema, and should update it by running the create scripts from the /contrib directory of the source tarball.
</LI>
<LI>You are using a command line option that overrides what you have in your configuration file.  This is most often -A or -s.  NOTE: If you wish to log to syslog as well, specify so in your configuration file rather than on the command line.
</LI>
<LI>There is a problem with your database configuration itself.  Make sure the user you specify has the correct permissions, or that the database is even up and running.
</LI>
</OL>

<P>

<H2><A NAME="SECTION000616000000000000000">
6.16 Portscans are not being logged to my database </A>
</H2>

<P>
You need to change the output facility to 'alert' rather than 'log'.  The
portscan preprocessor calls output plugins registered as 'alert' plugins
rather than 'log' plugins.

<P>
<PRE>output database: alert, mysql, user=snort dbname=snort host=localhost
</PRE>

<P>

<H2><A NAME="SECTION000617000000000000000">
6.17 Snort is not logging to syslog</A>
</H2>

<P>
There are a number of problems that may be causing snort to fail to log to syslog.  You should check these:

<UL>
<LI>You are using a command line option that overrides what you have in your configuration file.  This is most often -A.
</LI>
<LI>It may be logging to the wrong place.  Make sure syslog is configured correctly.
</LI>
</UL>

<P>

<H2><A NAME="SECTION000618000000000000000">
6.18 I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERs var </A>
</H2>

<P>
Try adding /32 netmasks to those addresses:

<P>
<PRE>var DNS_SERVERS [xxx.xx.0.3/32,xxx.xxx.0.2/32]
</PRE>

<P>
And make sure the $DNS_SERVERS variable is on the portscan-ignorehosts line:

<P>
<PRE>preprocessor portscan-ignorehosts: $DNS_SERVERS
</PRE>

<P>

<H2><A NAME="SECTION000619000000000000000"></A><A NAME="chroot"></A>
<BR>
6.19 Why does chrooted Snort die when I send it a SIGHUP? 
</H2>

<P>
It's a known problem with permissions. The workaround is to restart snort
instead of sending it a HUP.

<P>
But the short answer is this: due to the way the execv(2) call works, a HUP
``restarts'' snort from scratch.  This has the odd side effect of making
HUPs to a chrooted snort recursive.  For example, chroot to /snort.
Snort now sees /snort as / .  Now HUP snort: it expects to have
/snort/snort as /.  In other words, you would have to re-create the directories
of your jail inside it.  After 4 HUPs you will be in
/snort/snort/snort/snort.

<P>

<H2><A NAME="SECTION000620000000000000000">
6.20 My snort crashes, how do I restart it?</A>
</H2>

<P>
Try one of these two shell scripts, or daemontools (see the daemontools
website).

<P>
<PRE>
#!/bin/sh
# snorthup: Snort Restarter and Crash Logger
# (dr@kyx..net with help from kmaxwell@superpages.com)

conf="snort.conf"
for IFACE in fxp0 fxp1
do
    if [ -f /var/run/snort_$IFACE.pid ]; then
        # pidfile exists: is the process it names still alive?
        if ! ps -p `cat /var/run/snort_$IFACE.pid` &gt; /dev/null ; then
            /usr/bin/logger -p user.notice snorthup: removing bogus pidfile
            /usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $conf
            rm -f /var/run/snort_$IFACE.pid
            /usr/local/bin/snort -D -c $conf -i $IFACE
        fi
    else
        /usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
        /usr/local/bin/snort -D -c $conf -i $IFACE
    fi
done
</PRE>
Another version:
<PRE>
#!/bin/ksh
# snortstartd: Snort (Re)Starter
# Dom De Vitto (dom@devitto..com)
# (original idea by dr@kyx..net &amp; kmaxwell@superpages.com)
#
# Note: You'd better get CONF and INTERFACES right or
# this script will just keep trying to start snort.
# Path to echo, sed, test, ps, grep, logger, rm, and sleep.

PATH=$PATH:/usr/bin:/usr/local/bin ; export PATH

# Point this to your conf file:

CONF="/usr/local/share/examples/snort/snort.conf"

# Which interfaces should Snort run on, e.g.:

INTERFACES="hme0 hme1"

# Wait this many seconds between checks:

CHECKEVERY=5

# Full path to Snort:

SNORTBINARY=/usr/local/bin/snort

while :; do
  for INT in $INTERFACES
  do
    # Escape the slashes so the grep below does not match its own command line.
    GREPSTRING="`echo $SNORTBINARY -N -D -c $CONF -i $INT|sed 's?\/?\\\/?g'`"
    PSCMDLINES=`(ps augxww 2&gt;/dev/null||ps -ef 2&gt;/dev/null) | grep "$GREPSTRING"|wc -l`
    if [ $PSCMDLINES = 0 ]; then
      logger -p user.notice -t "$0" "Starting Snort on $INT."
      $SNORTBINARY -N -D -c $CONF -i $INT &gt; /dev/null 2&gt;&amp;1
    fi
  done
  sleep $CHECKEVERY
done
</PRE>
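<P>
The following is an added example, not part of the FAQ or of either script above, showing a stricter liveness check for a restart wrapper. The snorthup script passes whatever the pidfile holds straight to <TT>ps -p</TT>, so an empty or corrupt pidfile becomes a ps error rather than a restart, and the ps/grep approach in snortstartd is satisfied by any other process whose command line happens to contain the same string. Here the pidfile contents are validated first and <TT>kill -0</TT> asks the kernel whether that pid exists. The paths to snort and its configuration, and the function names, are assumptions.

```shell
#!/bin/sh
# Added example (not from the Snort FAQ): pidfile validation plus a
# kill -0 liveness test for a snort restart wrapper. Paths below are
# assumptions; override SNORT, CONF and PIDDIR in the environment.

SNORT=${SNORT:-/usr/local/bin/snort}
CONF=${CONF:-/usr/local/etc/snort/snort.conf}
PIDDIR=${PIDDIR:-/var/run}

# pidfile_pid FILE: print the pid stored in FILE if it is a positive integer;
# print nothing and return 1 if the file is missing, empty or contains junk.
pidfile_pid() {
    [ -r "$1" ] || return 1
    _pid=$(head -n 1 "$1" | tr -d ' \t\r')
    case "$_pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$_pid" -gt 0 ] || return 1
    echo "$_pid"
}

# snort_state PIDFILE: print "running" if the pidfile names a live process,
# "stale" if the file exists but the process does not, "missing" otherwise.
# kill -0 sends no signal; it only reports whether the pid exists and is
# signalable, so run this as the same user that runs snort (normally root).
snort_state() {
    if _p=$(pidfile_pid "$1") && kill -0 "$_p" 2>/dev/null; then
        echo running
    elif [ -e "$1" ]; then
        echo stale
    else
        echo missing
    fi
}

# check_iface IFACE: (re)start snort on IFACE unless it is already running,
# logging why, and clearing a stale pidfile before the restart.
check_iface() {
    _pf="$PIDDIR/snort_$1.pid"
    case $(snort_state "$_pf") in
        running) return 0 ;;
        stale)   logger -p user.notice -t snortcheck "stale pidfile $_pf, restarting snort on $1"
                 rm -f "$_pf" ;;
        missing) logger -p user.notice -t snortcheck "no pidfile $_pf, starting snort on $1" ;;
    esac
    "$SNORT" -D -c "$CONF" -i "$1"
}

# Run from cron with INTERFACES set, e.g. INTERFACES="fxp0 fxp1".
# With INTERFACES unset the script only defines the functions above.
for _if in ${INTERFACES:-}; do
    check_iface "$_if"
done
```

<P>
Compared with the grep approach, a bogus pid in the file now produces a logged restart instead of a silent ps error, and a process belonging to some other daemon that merely mentions snort on its command line no longer masks a crashed sensor.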

<P>

<H2><A NAME="SECTION000621000000000000000">
6.21 Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub?</A>
</H2>

<P>
Basically it's a function of the design, and all autoswitching hubs
behave in this way.  It's the result of just not being able to stuff all
the 100 Mbps traffic into the 10 Mbps CSMA/CD segment.  One solution I use for the
problem is one of these new cheap four-port switches: put all the 10 Mbps devices on
their own hub/switch/whatever and then route that to the 100 Mbps hub I use
for monitoring, with a cheap switch in between that works as an
adapter, basically mediating the 10 up to 100 and vice versa.

<P>
The bad thing about hubs that <EM>don't</EM> have this ``feature'' is that,
in order to support 10bt devices, they throttle the entire hub speed
down to 10bt if one or more 10bt-only devices are hooked up to it.
I have seen this behavior (and did the bandwidth tests to prove it) on
old 3com OfficeConnect 10/100 hubs (newer ones do the two-hubs-with-a-switch
thing).  So, the point of what I am saying is: since these old hubs have
no switching capabilities, and they don't know which port the traffic is
supposed to go to (no switch = no arp table), they have to throttle bandwidth.

<P>
None of the hubs and switches have any significant amount of storage
on the ethernet chip sets, and therefore <EM>any</EM> non-layer-three box that
has 100 -&gt; 10 capability can only handle small amounts of traffic before
the chip set drops incoming packets on the floor. Guess one might call
that throttled bandwidth, but at the expense of retransmission timeouts
and retransmissions at the end nodes.

<P>
If the box has a backplane, multiple cards and some network management
functions, there is a higher <EM>probability</EM> the manufacturer has some
additional buffering going on to keep dropped packets from happening
on at least small bursts of traffic.

<P>
In the most generic of terms, if a box supports 100 ``full-duplex,'' then
it's a switch (regardless of what the manufacturer calls it). If it
supports 100 -&gt; 10, there is a 50-50 chance the box has some MAC address
awareness. If a box only supports 10 -&gt; 10 or 100 -&gt; 100, there is a
high probability it is not MAC address aware and therefore functions
like a hub.

<P>
Many hubs have different back planes, i.e., one for 10 and one for 100.

<P>
From a definition standpoint, a hub segment, whether it be 10 or 100, is
a single broadcast/collision domain.  You will not see ANY traffic
between segments without a bridge or layer-3 routing function between
them.

<P>
In a switched environment, typically each port is a separate collision
domain but one big broadcast domain.  VLANs can be created in some to
separate into separate broadcast domains and some have built in layer
3 functionality which basically connects a router into the backplane
so that it can route between vlans at wire speed.

<P>
Think of a switch as a bridge with many ports (that's what it is).
Some switches support port mirroring or span ports.  When you want to
``sniff'' frames in a switched environment (beyond just
broadcast/multicast traffic) you need to be able to "see" the unicast
traffic (telnet, http for example).  You set up a port to mirror
traffic from the ports that have the devices you're interested in to the
port you have your analysis device plugged into.  Without doing so,
you don't see the unicast conversations because the traffic is getting
"switched" across the backplane, so the pc on port 1 talks to the server on
port 2 and no other ports get this traffic. If the server on port 2
broadcasts or multicasts, the information is flooded out all ports.
(Multicast can be controlled on some switches so only those ports that
have listening stations get the traffic.  Not all switches have these
capabilities.)

<P>
An excellent book on the topic is Interconnections by Radia Perlman.
(Bridges and Routers).

<P>
Additional caveat: if you deal with full duplex on a switched port,
only a tap will save you: users have successfully used Shomiti's
taps on 100MB FD ports, running two Snort instances to capture
traffic in both directions. Port mirroring didn't work in that case ...

<P>

<H2><A NAME="SECTION000622000000000000000">
6.22 Trying to install snort it says: ``bad interpreter: No such file or
directory''</A>
</H2>

<P>
Usually this error comes from editing files on Windows machines. Often it shows
up on the ./configure step. The configure script should be looking for the
/bin/sh shell as its interpreter. If /bin/sh doesn't exist then you'll get this
error. Check that whatever comes after the #! on the first line of configure is
actually there.

<P>
If the file has been edited on a Windows machine it can sometimes add CR/LF
(^M) characters to the end of each line, so #!/bin/sh becomes #!/bin/sh^M, and
as the ctrl-v/ctrl-m characters are special, and hidden by default in most
editors, it can create a really hard to find problem. To remove the extra CR
characters that UNIXish machines don't like, simply use the dos2unix command:
<PRE>
dos2unix &lt;infile&gt; &lt;outfile&gt;
</PRE>
If your OS doesn't have dos2unix, then you can use:
<PRE>
tr -d '\r' &lt; &lt;infile&gt; &gt; &lt;outfile&gt;
</PRE>
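<P>
The following is an added example, not part of the FAQ, that turns the advice above into a check: it detects carriage returns in a file, extracts the interpreter path from the #! line exactly as the kernel would see it (so a trailing CR stays attached to the path, which is why the interpreter is "not found"), and strips the CRs with the same tr-based fix. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the Snort FAQ): detect and fix the CR/LF problem
# in a #! script before running it. Function names are mine.

# has_crlf FILE: 0 if FILE contains any carriage return byte.
# od -c prints a CR as the two characters \r, which is what grep looks for.
has_crlf() {
    od -c "$1" | grep -q '\\r'
}

# interpreter_of FILE: print the interpreter path from the #! line, taken
# up to the first space only, so a CR stuck to the end of the line is kept.
interpreter_of() {
    head -n 1 "$1" | sed -n 's/^#![ ]*\([^ ]*\).*/\1/p'
}

# interpreter_ok FILE: print "ok" if the #! interpreter exists and is
# executable, otherwise "missing", with the path shown on stderr through
# cat -v so the stray CR appears as ^M (the "#!/bin/sh^M" the FAQ describes).
interpreter_ok() {
    _interp=$(interpreter_of "$1")
    if [ -n "$_interp" ] && [ -x "$_interp" ]; then
        echo ok
    else
        printf 'interpreter not found: %s' "$_interp" | cat -v >&2
        echo >&2
        echo missing
    fi
}

# strip_cr IN OUT: the tr-based fix from the FAQ, reading IN and writing OUT.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# Usage: sh checkcrlf.sh ./configure [more files...]
# Reports each file and rewrites it without CRs when they are present.
if [ $# -ge 1 ]; then
    for _f in "$@"; do
        if has_crlf "$_f"; then
            echo "$_f: contains CR characters; interpreter check: $(interpreter_ok "$_f")"
            strip_cr "$_f" "$_f.unix" && mv "$_f.unix" "$_f"
            echo "$_f: rewritten; interpreter check: $(interpreter_ok "$_f")"
        else
            echo "$_f: clean; interpreter check: $(interpreter_ok "$_f")"
        fi
    done
fi
```

<P>
Running it on a configure script that was saved from a Windows editor reports <TT>interpreter not found: /bin/sh^M</TT>, which is the same failure the kernel reports as ``bad interpreter'', and the rewritten copy then passes the check.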

<P>

<H2><A NAME="SECTION000623000000000000000">
6.23 I'm not seeing any interfaces listed under Win32.</A>
</H2>

<P>
The reason you're seeing nothing in the interface list is a WinPcap problem. In
previous versions of WinPcap there is a 1K buffer, which overflows if you have
many interfaces (i.e., 10+). This has been replaced with an 8K buffer in more
recent versions of WinPcap. The current snort distribution should already be
linking against the newer WinPcap libraries, which should resolve this problem.
Try obtaining a more recent build of snort.

<P>

<H2><A NAME="SECTION000624000000000000000">
6.24 It's not working on Win32, how can I tell if my problem is Snort or
WinPcap?</A>
</H2>

<P>
See if WinDump will work with WinPcap. This should help you isolate which
component is at fault.

<P>

<H2><A NAME="SECTION000625000000000000000">
6.25 I just downloaded a new ruleset and now Snort fails, complaining about the
rules.</A>
</H2>

<P>
First, make sure you downloaded the right ruleset for your version of snort.
Snort.org generally hosts a ruleset for the released version of Snort, as well
as rules for the development branch and sometimes copies for older versions of
snort. This is generally the case for ``unknown keyword in rule'' type errors.

<P>
If you have the rules that are correct for your version of snort be aware that
the snort rules tarball contains a snort.conf file. From time to time the
snort.conf included with the rules gets changed as new .rules files are added,
and new variables are added to support a better ruleset. When downloading new
rulesets you should always give the included snort.conf a quick look-over to
see if new includes or vars have been added, or at least be aware you should
consult it if things do not work as expected. This is generally the case if you
get messages indicating that something is undefined in a rule.

<P>

<H2><A NAME="SECTION000626000000000000000">
6.26 How do I speed up ACID and MySQL?</A>
</H2>

<P>
(ACID FAQ B-10)
Two MySQL optimizations for you to check from the ACID faq:

<P>
<A NAME="tex2html81"
  HREF="http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html">http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html</A>
<UL>
<LI>Compact the tables

<P>
After numerous delete operations, `holes' will occur in the native files
    used to store the tables, decreasing the speed of all queries. The
    following shell script will examine all the MySQL tables and compact them.
      <PRE>
for table in `echo show tables | mysql snort | tail -n +2`
do
   echo optimize table $table | mysql snort
done
</PRE>
</LI>
<LI>Creating indexes

<P>
Some of the required indexes are not created in initial MySQL creation
    script. The following indexes can be added to significantly improve
    performance:
<PRE>
        tcphdr.tcp_sport

        tcphdr.tcp_dport

        acid_ag_alert.ag_sid + acid_ag_alert.ag_cid
</PRE>
    MySQL can be fast - you just need to have the proper indexing set up. If
    you need a good MySQL reference, pick up a copy of Paul DuBois' book, which
    is currently the bible for MySQL. O'Reilly also recently released a
    reference by Monty and the MySQL AB team.

<P>
The way to check whether the indices are already there is with the SHOW INDEX
    command. For instance, to check the tcphdr table, you would run:
    <PRE>
mysql&gt; show index from tcphdr;
+--------+------------+-----------+--------------+-------------+-----------+-------------+----------+--------+---------+
| Table  | Non_unique | Key_name  | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Comment |
+--------+------------+-----------+--------------+-------------+-----------+-------------+----------+--------+---------+
| tcphdr |          0 | PRIMARY   |            1 | sid         | A         |        NULL |     NULL | NULL   |         |
| tcphdr |          0 | PRIMARY   |            2 | cid         | A         |     2543146 |     NULL | NULL   |         |
| tcphdr |          1 | tcp_sport |            1 | tcp_sport   | A         |        NULL |     NULL | NULL   |         |
| tcphdr |          1 | tcp_dport |            1 | tcp_dport   | A         |        NULL |     NULL | NULL   |         |
| tcphdr |          1 | tcp_flags |            1 | tcp_flags   | A         |        NULL |     NULL | NULL   |         |
+--------+------------+-----------+--------------+-------------+-----------+-------------+----------+--------+---------+
5 rows in set (0.00 sec)
</PRE>
    You can see that in this case, the tcphdr.tcp_sport index is in line 3, and
    the tcphdr.tcp_dport index is in line 4.

<P>
If you need to create the index, you can run:
    <PRE>
CREATE INDEX idx_tcp_sport ON tcphdr(tcp_sport);
</PRE>
    To create a compound index, you would do this:
    <PRE>
CREATE INDEX idx_cpd_sid_cid ON acid_ag_alert(ag_sid,ag_cid);
</PRE>
    If you want to take a closer look at the table structures, you can use the
    DESCRIBE command, and pass it the table name:
    <PRE>
mysql&gt; DESCRIBE tcphdr;
+-----------+----------------------+------+-----+---------+-------+
| Field     | Type                 | Null | Key | Default | Extra |
+-----------+----------------------+------+-----+---------+-------+
| sid       | int(10) unsigned     |      | PRI | 0       |       |
| cid       | int(10) unsigned     |      | PRI | 0       |       |
| tcp_sport | smallint(5) unsigned |      | MUL | 0       |       |
| tcp_dport | smallint(5) unsigned |      | MUL | 0       |       |
| tcp_seq   | int(10) unsigned     | YES  |     | NULL    |       |
| tcp_ack   | int(10) unsigned     | YES  |     | NULL    |       |
| tcp_off   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| tcp_res   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| tcp_flags | tinyint(3) unsigned  |      | MUL | 0       |       |
| tcp_win   | smallint(5) unsigned | YES  |     | NULL    |       |
| tcp_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
| tcp_urp   | smallint(5) unsigned | YES  |     | NULL    |       |
+-----------+----------------------+------+-----+---------+-------+
12 rows in set (0.02 sec)
</PRE>
</LI>
</UL>
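<P>
The two steps above (compact, then make sure the recommended indexes exist)
are easy to get wrong by hand: an index is only useful for these lookups if
the wanted columns are its leftmost columns, in order, and <TT>SHOW INDEX</TT>
prints one row per column rather than one per index. The script below is an
added example, not code from the Snort FAQ or from ACID. It reads the
tab-separated output of <TT>mysql -B -N snort -e "SHOW INDEX FROM
&lt;table&gt;"</TT> (the <TT>-B -N</TT> invocation, the
<TT>idx_&lt;columns&gt;</TT> naming and the sample rows are this example's own
assumptions) and prints the <TT>OPTIMIZE TABLE</TT> and <TT>CREATE INDEX</TT>
statements still needed, so it can be re-run safely after every cleanup.

```python
"""Audit the ACID/Snort MySQL indexes from saved SHOW INDEX output.

Added example (not code from the Snort FAQ or ACID). Feed it the
tab-separated rows that, for instance,
    mysql -B -N snort -e "SHOW INDEX FROM tcphdr"
prints: one row per index column, fields Table, Non_unique, Key_name,
Seq_in_index, Column_name, ... It reports which of the recommended indexes
are missing as ready-to-run CREATE INDEX statements. The sample rows below
are constructed, not dumped from a real sensor.
"""
from collections import defaultdict

# Indexes the ACID FAQ recommends, as (table, columns in order).
RECOMMENDED = [
    ("tcphdr", ("tcp_sport",)),
    ("tcphdr", ("tcp_dport",)),
    ("acid_ag_alert", ("ag_sid", "ag_cid")),
]


def parse_show_index(text):
    """Map Key_name -> tuple of columns in Seq_in_index order.

    Accepts the tab-separated output of `mysql -B`; a header row, if
    present (i.e. without -N), is skipped.
    """
    parts = defaultdict(dict)
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 5 or fields[0] == "Table":
            continue
        _table, _non_unique, key_name, seq, column = fields[:5]
        if not seq.isdigit():
            continue
        parts[key_name][int(seq)] = column
    return {k: tuple(v[i] for i in sorted(v)) for k, v in parts.items()}


def has_index(indexes, columns):
    """True if some index starts with `columns` in that order.

    MySQL can use the leftmost prefix of a composite index, so an index on
    (ag_sid, ag_cid, x) satisfies (ag_sid, ag_cid), while a primary key on
    (ag_id, ag_sid, ag_cid) does not.
    """
    n = len(columns)
    return any(cols[:n] == tuple(columns) for cols in indexes.values())


def missing_index_sql(show_index_by_table):
    """Return CREATE INDEX statements for recommended indexes not present.

    show_index_by_table maps table name -> its SHOW INDEX text. Index names
    follow this script's idx_<columns> convention (an assumption), not ACID's.
    """
    stmts = []
    for table, columns in RECOMMENDED:
        indexes = parse_show_index(show_index_by_table.get(table, ""))
        if not has_index(indexes, columns):
            stmts.append("CREATE INDEX idx_%s ON %s(%s);"
                         % ("_".join(columns), table, ",".join(columns)))
    return stmts


def optimize_sql(show_tables_text):
    """OPTIMIZE TABLE for every table listed by `mysql -B -N -e "SHOW TABLES"`
    (with -N there is no header row to skip)."""
    return ["OPTIMIZE TABLE %s;" % t.strip()
            for t in show_tables_text.splitlines() if t.strip()]


# Constructed sample: tcphdr has its primary key, tcp_sport and tcp_flags
# indexed but not tcp_dport; acid_ag_alert only has a primary key whose
# leftmost column is ag_id, so it does not cover (ag_sid, ag_cid).
SAMPLE_TCPHDR = "\n".join([
    "tcphdr\t0\tPRIMARY\t1\tsid\tA\tNULL\tNULL\tNULL\t",
    "tcphdr\t0\tPRIMARY\t2\tcid\tA\t2543146\tNULL\tNULL\t",
    "tcphdr\t1\ttcp_sport\t1\ttcp_sport\tA\tNULL\tNULL\tNULL\t",
    "tcphdr\t1\ttcp_flags\t1\ttcp_flags\tA\tNULL\tNULL\tNULL\t",
])
SAMPLE_AG_ALERT = "\n".join([
    "acid_ag_alert\t0\tPRIMARY\t1\tag_id\tA\t12\tNULL\tNULL\t",
    "acid_ag_alert\t0\tPRIMARY\t2\tag_sid\tA\t12\tNULL\tNULL\t",
    "acid_ag_alert\t0\tPRIMARY\t3\tag_cid\tA\t12\tNULL\tNULL\t",
])

if __name__ == "__main__":
    for stmt in optimize_sql("acid_ag_alert\nevent\ntcphdr\n"):
        print(stmt)
    for stmt in missing_index_sql({"tcphdr": SAMPLE_TCPHDR,
                                   "acid_ag_alert": SAMPLE_AG_ALERT}):
        print(stmt)
```

On the constructed sample the script emits only the two statements that are
actually missing (<TT>tcp_dport</TT> on <TT>tcphdr</TT> and the compound
<TT>ag_sid,ag_cid</TT> index), and it stays silent for
<TT>tcp_sport</TT>, which is already there. Pipe its output into
<TT>mysql snort</TT> to apply it; run it again afterwards and it should print
nothing.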

<P>

<H2><A NAME="SECTION000627000000000000000">
6.27 Why am I seeing so many ``SMTP RCPT TO overflow'' alerts ?</A>
</H2>

<P>
That rule looks for a TCP frame going to your SMTP server which contains more
than 800 bytes of data. Any email can easily set that off if pipelining is
used. SMTP command pipelining allows several command lines to be sent as a
single packet without waiting for an OK response after each one. Any good
high-volume mailserver will pipeline where possible, resulting in a single
TCP frame containing a series of command lines, none of which is very long,
but which in aggregate easily exceed the 800 byte threshold, particularly if
there is a large recipient list.

<P>
For more info on pipelining:

<P>
<A NAME="tex2html82"
  HREF="http://www.faqs.org/rfcs/rfc1854.html">http://www.faqs.org/rfcs/rfc1854.html</A>
<P>
If your mailservers are not vulnerable to these overflows you can disable this
rule and regain some peace...
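<P>
To see the false positive mechanism concretely, the script below is an added
example, not Snort's rule or code. It builds the client side of a pipelined
SMTP envelope (RFC 1854, now RFC 2920) and runs two checks over it: the one
the FAQ describes, which fires on more than 800 bytes of data in one segment,
and a per-command check that only fires when a single <TT>RCPT TO</TT>
argument is oversized. The 300 byte per-argument limit, the addresses and the
sample envelopes are assumptions made for the example, not Snort values.

```python
"""Why pipelined SMTP trips a fixed-size "RCPT TO overflow" check.

Added example, not Snort's rule or code. segment_size_alert() models the
check the FAQ describes (a segment towards the SMTP server carrying more
than 800 bytes of data); rcpt_overflow_alert() is the contrasting
per-command check that only fires on a single oversized RCPT TO argument.
The 300-byte per-argument limit and the addresses are assumptions made for
the example, not Snort values.
"""
SEGMENT_DATA_LIMIT = 800   # bytes, the threshold the FAQ quotes
RCPT_ARG_LIMIT = 300       # assumed per-command limit used for the contrast


def pipelined_envelope(recipients, sender="sender@example.org"):
    """Client side of a pipelined transaction (RFC 1854/2920): MAIL FROM,
    one RCPT TO per recipient and DATA, sent in one write without waiting
    for the 250 reply to each command."""
    lines = ["MAIL FROM:<%s>" % sender]
    lines += ["RCPT TO:<%s>" % r for r in recipients]
    lines.append("DATA")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def segment_size_alert(payload):
    """The FAQ's rule: more than 800 bytes of data in one segment."""
    return len(payload) > SEGMENT_DATA_LIMIT


def rcpt_overflow_alert(payload):
    """Per-command check: any single RCPT TO whose argument is oversized."""
    for line in payload.split(b"\r\n"):
        if line.upper().startswith(b"RCPT TO:"):
            if len(line) - len(b"RCPT TO:") > RCPT_ARG_LIMIT:
                return True
    return False


def classify(payload):
    """Run both checks on one client write and report the sizes involved."""
    rcpt_lines = [ln for ln in payload.split(b"\r\n")
                  if ln.upper().startswith(b"RCPT TO:")]
    return {
        "bytes": len(payload),
        "longest_rcpt": max((len(ln) for ln in rcpt_lines), default=0),
        "size_rule": segment_size_alert(payload),
        "rcpt_rule": rcpt_overflow_alert(payload),
    }


# Constructed inputs: a legitimate 40-recipient pipelined envelope in which
# every command is short, and a one-recipient envelope whose local part is
# 500 bytes long.
PIPELINED = pipelined_envelope(["user%02d@example.com" % i for i in range(40)])
OVERSIZED = pipelined_envelope(["A" * 500 + "@example.com"])

if __name__ == "__main__":
    for name, payload in (("pipelined", PIPELINED), ("oversized", OVERSIZED)):
        print(name, classify(payload))
```

The 40-recipient envelope is 1238 bytes of perfectly ordinary commands, none
longer than 28 bytes, yet it trips the size check; the single 522-byte
<TT>RCPT TO</TT> line is only 562 bytes of data in total, so the size check
stays quiet while the per-command check fires. That is the whole problem
with keying on segment size: it is pipelining, not a long command, that it
measures.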

<P>

<H2><A NAME="SECTION000628000000000000000">
6.28 I'm getting lots of *ICMP Ping Speedera*, is this bad?</A>
</H2>

<P>
Quite ordinary. Windows update uses speedera based DNS, among other things. Of
course, if the speedera traffic is coming from a Dialup account (as there have
been reports of) it's likely a hacker tool. ;-)

<P>

<H2><A NAME="SECTION000629000000000000000">
6.29 Why are my unified alert times off by +/- N hours?</A>
</H2>

<P>
Unified log and alert files are stored in UTC.

<P>

<H2><A NAME="SECTION000630000000000000000">
6.30 I try to start Snort and it gives an error like ``ERROR: Unable to open
rules file: /root/.snortrc or /root//root/.snortrc.'' What can I do to fix this?</A>
</H2>

<P>
When Snort starts, it looks at the command line and checks for ``-c /some/path/
snort.conf.'' If that's not there, then it will look for one of the following
files:

<P>

<UL>
<LI>/etc/snort.conf
</LI>
<LI>./snort.conf
</LI>
<LI>$HOMEDIR/snort.conf
</LI>
<LI>$HOMEDIR/.snortrc
</LI>
<LI>./.snortrc
</LI>
</UL>

<P>
Make sure your .conf is in one of those locations so that Snort can find
it, or use the -c parameter to tell Snort the full pathname of the
snort.conf:
<PRE>
    snort -c /usr/local/etc/snort.conf
</PRE>

<P>
<HR>
<!--Navigation Panel-->
<A NAME="tex2html376"
  HREF="node7.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html374"
  HREF="faq.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html368"
  HREF="node5.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>   
<BR>
<B> Next:</B> <A NAME="tex2html377"
  HREF="node7.html">7 Development</A>
<B> Up:</B> <A NAME="tex2html375"
  HREF="faq.html">The Snort FAQ</A>
<B> Previous:</B> <A NAME="tex2html369"
  HREF="node5.html">5 Getting Fancy</A>
<!--End of Navigation Panel-->
<ADDRESS>
QA Team
2007-02-27
</ADDRESS>
</BODY>
</HTML>