snort啟動后自動退出，版主幫忙啊。

snort啟動后自動退出，版主幫忙啊。

# /usr/local/snort/bin/snort -d -c /usr/local/snort/conf/snort.conf -i eth0
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/snort/conf/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 22 chars, value = /usr/local/snort/rules
,---------------------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  32800(%0.31)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE  
    Midstream Drop Alerts: INACTIVE
    Server Data Inspection Limit: -1
WARNING /usr/local/snort/conf/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /usr/local/snort/conf/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   26109

2486 Snort rules read...
2486 Option Chains linked into 182 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+---------------------------------------------------------
| memory-cap : 1048576 bytes
+---------------------------------------------------------
| none
+----------------------------------------------------------
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
+-----------------------------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
      Ports: 25
      Inspection Type:            STATEFUL
      Normalize Spaces:           YES
      Ignore Data:                NO
      Ignore TLS Data:            NO
      Ignore Alerts:              NO
      Max Command Length:         0
      Max Header Line Length:     0
      Max Response Line Length:   0
      X-Link2State Alert:         YES
      Drop on X-Link2State Alert: NO
Verifying Preprocessor Configurations!
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
        eth0: no IPv4 address assigned
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = root
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = localhost.localdomain:eth0
database:     sensor id = 1
database: inconsistent cid information for sid=1
          Recovering by rolling forward the cid=2
database: schema version = 107
database: using the "log" facility

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
Using PCAP_FRAMES = max
Segmentation fault
#
好像是：「Segmentation fault」這個錯誤提示，換成eth1之後就不會報錯，但是沒有數據，高手幫忙啊！！！

你的eth0.eth1作用是什麼呢？

是大寫 D吧？ -c  -D
後面要加 ethx 標註么？

eth1是通信用的，eth0鏈接埠鏡像，-D是後台運行，-c是載入配置文件，跟這些參數沒有關係，謝謝你的回復。

Tags: