# Snort Help [Solved]

## vaguy02

Everyone,

I'm trying to install snort with a mysql back end to monitor network traffic.

I tried following this guide http://gentoo-wiki.com/HOWTO_Use_Snort,_Acid,_and_MySQL_Effectively

I got all the way down to starting snort, and I get the famous [!!]. But the log file doesn't really tell me anything interesting. Please take a look and let me know what you guys think.

```
Nov  9 09:55:19 defender snort[31551]: Var 'eth1_ADDRESS' defined, value len = 25 chars
Nov  9 09:55:19 defender snort[31551]: , value = 68.99.164.0/255.255.252.0
Nov  9 09:55:19 defender snort[31551]: Var 'any_ADDRESS' defined, value len = 15 chars
Nov  9 09:55:19 defender snort[31551]: , value = 0.0.0.0/0.0.0.0
Nov  9 09:55:19 defender snort[31551]: Var 'lo_ADDRESS' defined, value len = 19 chars
Nov  9 09:55:19 defender snort[31551]: , value = 127.0.0.0/255.0.0.0
Nov  9 09:55:19 defender snort[31551]: Parsing Rules file /etc/snort/snort.conf
Nov  9 09:55:19 defender snort[31551]: Var 'HOME_NET' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'EXTERNAL_NET' defined, value len = 3 chars
Nov  9 09:55:19 defender snort[31551]: , value = any
Nov  9 09:55:19 defender snort[31551]: Var 'DNS_SERVERS' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'SMTP_SERVERS' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'HTTP_SERVERS' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'SQL_SERVERS' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'TELNET_SERVERS' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'SNMP_SERVERS' defined, value len = 14 chars
Nov  9 09:55:19 defender snort[31551]: , value = 192.168.1.0/24
Nov  9 09:55:19 defender snort[31551]: Var 'HTTP_PORTS' defined, value len = 2 chars
Nov  9 09:55:19 defender snort[31551]: , value = 80
Nov  9 09:55:19 defender snort[31551]: Var 'SHELLCODE_PORTS' defined, value len = 3 chars
Nov  9 09:55:19 defender snort[31551]: , value = !80
Nov  9 09:55:19 defender snort[31551]: Var 'ORACLE_PORTS' defined, value len = 4 chars
Nov  9 09:55:19 defender snort[31551]: , value = 1521
Nov  9 09:55:19 defender snort[31551]: Var 'AIM_SERVERS' defined, value len = 185 chars
Nov  9 09:55:19 defender snort[31551]:
Nov  9 09:55:19 defender snort[31551]:    [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,20$
Nov  9 09:55:19 defender snort[31551]:    .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Nov  9 09:55:19 defender snort[31551]: Var 'RULE_PATH' defined, value len = 16 chars
Nov  9 09:55:19 defender snort[31551]: , value = /etc/snort/rules
Nov  9 09:55:19 defender snort[31551]: ,-----------[Flow Config]----------------------
Nov  9 09:55:19 defender snort[31551]: | Stats Interval:  0
Nov  9 09:55:19 defender snort[31551]: | Hash Method:     2
Nov  9 09:55:19 defender snort[31551]: | Memcap:          10485760
Nov  9 09:55:19 defender snort[31551]: | Rows  :          4099
Nov  9 09:55:19 defender snort[31551]: | Overhead Bytes:  32800(%0.31)
Nov  9 09:55:19 defender snort[31551]: `----------------------------------------------
Nov  9 09:55:19 defender snort[31551]: Frag3 global config:
Nov  9 09:55:19 defender snort[31551]:     Max frags: 65536
Nov  9 09:55:19 defender snort[31551]:     Fragment memory cap: 4194304 bytes
Nov  9 09:55:19 defender snort[31551]: Frag3 engine config:
Nov  9 09:55:19 defender snort[31551]:     Target-based policy: FIRST
Nov  9 09:55:19 defender snort[31551]:     Fragment timeout: 60 seconds
Nov  9 09:55:19 defender snort[31551]:     Fragment min_ttl:   1
Nov  9 09:55:19 defender snort[31551]:     Fragment ttl_limit: 5
Nov  9 09:55:19 defender snort[31551]:     Fragment Problems: 1
Nov  9 09:55:19 defender snort[31551]:     Bound Addresses: 0.0.0.0/0.0.0.0
Nov  9 09:55:19 defender snort[31551]: Stream4 config:
Nov  9 09:55:19 defender snort[31551]:     Stateful inspection: ACTIVE
Nov  9 09:55:19 defender snort[31551]:     Session statistics: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Session timeout: 30 seconds
Nov  9 09:55:19 defender snort[31551]:     Session memory cap: 8388608 bytes
Nov  9 09:55:19 defender snort[31551]:     Session count max: 8192 sessions
Nov  9 09:55:19 defender snort[31551]:     Session cleanup count: 5
Nov  9 09:55:19 defender snort[31551]:     State alerts: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Evasion alerts: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Scan alerts: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Log Flushed Streams: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     MinTTL: 1
Nov  9 09:55:19 defender snort[31551]:     TTL Limit: 5
Nov  9 09:55:19 defender snort[31551]:     Async Link: 0
Nov  9 09:55:19 defender snort[31551]:     State Protection: 0
Nov  9 09:55:19 defender snort[31551]:     Self preservation threshold: 50
Nov  9 09:55:19 defender snort[31551]:     Self preservation period: 90
Nov  9 09:55:19 defender snort[31551]:     Suspend threshold: 200
Nov  9 09:55:19 defender snort[31551]:     Suspend period: 30
Nov  9 09:55:19 defender snort[31551]:     Enforce TCP State: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Midstream Drop Alerts: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Allow Blocking of TCP Sessions in Inline: ACTIVE
Nov  9 09:55:19 defender snort[31551]:     Server Data Inspection Limit: -1
Nov  9 09:55:19 defender snort[31551]: WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Nov  9 09:55:19 defender snort[31551]: Stream4_reassemble config:
Nov  9 09:55:19 defender snort[31551]:     Server reassembly: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Client reassembly: ACTIVE
Nov  9 09:55:19 defender snort[31551]:     Reassembler alerts: ACTIVE
Nov  9 09:55:19 defender snort[31551]:     Zero out flushed packets: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     Flush stream on alert: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     flush_data_diff_size: 500
Nov  9 09:55:19 defender snort[31551]:     Reassembler Packet Preferance : Favor Old
Nov  9 09:55:19 defender snort[31551]:     Packet Sequence Overlap Limit: -1
Nov  9 09:55:19 defender snort[31551]:     Flush behavior: Small (<255 bytes)
Nov  9 09:55:19 defender snort[31551]:     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Nov  9 09:55:19 defender snort[31551]:     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Nov  9 09:55:19 defender snort[31551]: HttpInspect Config:
Nov  9 09:55:19 defender snort[31551]:     GLOBAL CONFIG
Nov  9 09:55:19 defender snort[31551]:       Max Pipeline Requests:    0
Nov  9 09:55:19 defender snort[31551]:       Inspection Type:          STATELESS
Nov  9 09:55:19 defender snort[31551]:       Detect Proxy Usage:       NO
Nov  9 09:55:19 defender snort[31551]:       IIS Unicode Map Filename: /etc/snort/unicode.map
Nov  9 09:55:19 defender snort[31551]:       IIS Unicode Map Codepage: 1252
Nov  9 09:55:19 defender snort[31551]:     DEFAULT SERVER CONFIG:
Nov  9 09:55:19 defender snort[31551]:       Server profile: All
Nov  9 09:55:19 defender snort[31551]:       Ports: 80 8080 8180
Nov  9 09:55:19 defender snort[31551]:       Flow Depth: 300
Nov  9 09:55:19 defender snort[31551]:       Max Chunk Length: 500000
Nov  9 09:55:19 defender snort[31551]:       Inspect Pipeline Requests: YES
Nov  9 09:55:19 defender snort[31551]:       URI Discovery Strict Mode: NO
Nov  9 09:55:19 defender snort[31551]:       Allow Proxy Usage: NO
Nov  9 09:55:19 defender snort[31551]:       Disable Alerting: NO
Nov  9 09:55:19 defender snort[31551]:       Oversize Dir Length: 500
Nov  9 09:55:19 defender snort[31551]:       Only inspect URI: NO
Nov  9 09:55:19 defender snort[31551]:       Ascii: YES alert: NO
Nov  9 09:55:19 defender snort[31551]:       Double Decoding: YES alert: YES
Nov  9 09:55:19 defender snort[31551]:       %U Encoding: YES alert: YES
Nov  9 09:55:19 defender snort[31551]:       Bare Byte: YES alert: YES
Nov  9 09:55:19 defender snort[31551]:       Base36: OFF
Nov  9 09:55:19 defender snort[31551]:       UTF 8: OFF
Nov  9 09:55:19 defender snort[31551]:       IIS Unicode: YES alert: YES
Nov  9 09:55:19 defender snort[31551]:       Multiple Slash: YES alert: NO
Nov  9 09:55:19 defender snort[31551]:       IIS Backslash: YES alert: NO
Nov  9 09:55:19 defender snort[31551]:       Directory Traversal: YES alert: NO
Nov  9 09:55:19 defender snort[31551]:       Web Root Traversal: YES alert: YES
Nov  9 09:55:19 defender snort[31551]:       Apache WhiteSpace: YES alert: NO
Nov  9 09:55:19 defender snort[31551]:       IIS Delimiter: YES alert: NO
Nov  9 09:55:19 defender snort[31551]:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Nov  9 09:55:19 defender snort[31551]:       Non-RFC Compliant Characters: NONE
Nov  9 09:55:19 defender snort[31551]:       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Nov  9 09:55:19 defender snort[31551]: rpc_decode arguments:
Nov  9 09:55:19 defender snort[31551]:     Ports to decode RPC on: 111 32771
Nov  9 09:55:19 defender snort[31551]:     alert_fragments: INACTIVE
Nov  9 09:55:19 defender snort[31551]:     alert_large_fragments: ACTIVE
Nov  9 09:55:19 defender snort[31551]:     alert_incomplete: ACTIVE
Nov  9 09:55:19 defender snort[31551]:     alert_multiple_requests: ACTIVE
Nov  9 09:55:19 defender snort[31551]: Portscan Detection Config:
Nov  9 09:55:19 defender snort[31551]:     Detect Protocols:  TCP UDP ICMP IP
Nov  9 09:55:19 defender snort[31551]:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Nov  9 09:55:19 defender snort[31551]:     Sensitivity Level: Low
Nov  9 09:55:19 defender snort[31551]:     Memcap (in bytes): 10000000
Nov  9 09:55:19 defender snort[31551]:     Number of Nodes:   26109
Nov  9 09:55:19 defender snort[31551]:
```

My snort.conf is very long, but I will post here if necessary. Hope someone can help.

Robert

[Edit] Been playing around with it, I think I found the error message.

```
Nov  9 10:18:48 defender snort[619]: FATAL ERROR: /etc/snort/rules/sql.rules(49): Cannot check flow connection for non-TCP traffic
```

Any ideas?

[/Edit]

----------

## nubla

Hi,

it seems to be a configuration error. Please post the content of /etc/snort/snort.conf, but without any comments; then it won't be so long. You can skip all include lines as well...

[EDIT] Use 

```
egrep -v "^#|^$" snort.conf > test.conf
```

 to filter the comments out.

----------

## vaguy02

```
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET $eth1_ADDRESS
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/2$
var RULE_PATH /etc/snort/rules
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan
preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes
preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
output database: alert, mysql, user=snort password=*removed* dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
```

I found a help thing on snort.org about a similar problem with snort and IPCop, but I'm not using IPCop so it didn't really help me.

Hope you can see something I'm missing.

Robert

----------

## nubla

lol, I just updated my ruleset and got exactly the same error. As a first workaround, comment out line 49 in /etc/snort/rules/sql.rules. I'll try to find something...

----------

## vaguy02

haha, welcome to my world. Observe all road signs.

P.S. - Commenting out line 49 worked for me; I wonder why it's causing an issue.

----------

## nubla

Okay, found something.

The rule in line 49 of sql.rules is wrong!

I asked my big Snort book and it had an answer.

*Snort book, p. 341, from Syngress, wrote:*

> Q: Can I use flow state with a UDP stream?
>
> A: No. Flow is not applicable to UDP streams, as there really is no true session state.

So you can do two things. Leave it commented out unless you have an MS-SQL server, or change the new rule back to the old rule:

```
-> Modified active in sql.rules (1):

        old: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flowbits:isnotset,ms_sql_seen_dns; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx; classtype:misc-activity; sid:2050; rev:9;)

        new: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx; classtype:misc-activity; sid:2050; rev:10;)
```

But Sourcefire maintains the rules; they have something in mind if they change them. I think it's only a typo, because the only other rule in the rules folder with UDP flow control is commented out as well. So I think the rule in line 49 of sql.rules should be, too.

[EDIT] If you have no MS-SQL server you can comment out sql.rules completely in /etc/snort/snort.conf. The biggest work is not the IDS installation, it's the tuning afterwards. Look at the config, identify the things you don't have on your host/network and disable them. Also look into the rules, identify unsuitable rules and disable them as well. Have a look at the really good documentation on www.snort.org if you need help with some settings. If you don't do this, your IDS will produce a lot of false positives, and you will overlook real and important alerts sooner or later.
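
A quick way to find every rule that would trip this error before Snort does, added here as an example and not part of the thread or the Snort distribution: the awk filter below walks the rule files, skips commented-out rules, and reports `flow:` used in a udp/icmp/ip rule (plain `flowbits:` on UDP, as in the old revision of sid 2050, is not flagged). The sample rules file is constructed for the stand-alone run; apart from sid 2050, its rules and sids are made up. Whether a flagged rule is really broken depends on how Snort was built, as a later reply in the thread points out.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort distribution: list rules
# that use "flow:" on udp/icmp/ip, the combination behind
# "FATAL ERROR: ... Cannot check flow connection for non-TCP traffic".
# Usage: lint_flow_rules /etc/snort/rules/*.rules

# Prints file:line:sid:<sid> for every active (not commented-out) rule whose
# protocol is udp, icmp or ip and whose options contain a "flow:" keyword.
# "flowbits:" does not match, so the old revision of sid 2050 passes.
lint_flow_rules() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    $1 ~ /^(alert|log|pass|drop|reject|sdrop)$/ && $2 ~ /^(udp|icmp|ip)$/ {
      if ($0 ~ /[(;][ \t]*flow[ \t]*:/) {         # "flow:" as its own option
        sid = "?"
        if (match($0, /sid[ \t]*:[ \t]*[0-9]+/)) {
          sid = substr($0, RSTART, RLENGTH)
          sub(/sid[ \t]*:[ \t]*/, "", sid)
        }
        printf "%s:%d:sid:%s\n", FILENAME, FNR, sid
      }
    }
  ' "$@"
}

# Constructed rules file for a stand-alone run. Line 2 is the new revision of
# sid 2050 quoted in the thread; the other rules and sids are made up.
make_sample_rules() {
  cat > "$1" <<'EOF'
# local test rules (constructed)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; classtype:misc-activity; sid:2050; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"same rule, flowbits only"; flowbits:isnotset,ms_sql_seen_dns; dsize:>100; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"flow on tcp is fine"; flow:to_server,established; sid:900002; rev:1;)
# alert udp any any -> any 53 (msg:"already commented out"; flow:to_server; sid:900003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"flow on icmp"; flow:to_server; sid:900004; rev:1;)
EOF
}

# Stand-alone run against the constructed file (expect lines 2 and 6 reported).
sample=$(mktemp)
make_sample_rules "$sample"
lint_flow_rules "$sample"
rm -f "$sample"
```

Run it over /etc/snort/rules/*.rules after every rule update, before restarting the daemon; each reported line is either a rule to comment out or a reason to rebuild Snort with UDP flow support.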

----------

## vaguy02

Quick secondary question.

So I have Base installed and I'm able to access the website etc....

It shows one sensor on 192.168.1.1 which of course is the internal interface.  My question is shouldn't there be another sensor monitoring the exterior interface to the internet? I'm not too worried about internal attempts against the server, but I am worried about external attempts. Do you know of how to fix this in snort?

----------

## nubla

Mhh,

good question. Until now I've only played with snort on a one-interface machine. In /etc/conf.d/snort is the configuration for the daemon itself. Maybe your interface is set to the internal and not to the external interface. If you want both, maybe IFACE="eth0 eth1" or something like this could help.

----------

## vaguy02

Haha, I don't think it's going to be that easy. I tried that and got the now infamous [!!] about the eth1.pid. Looks like I'm going to have to read up more on snort before I try to tackle that specific issue.

Thanks for all the help today. I really appreciate it.

----------

## nubla

Omg, yes, it can't work. PIDFILE=/var/run/snort_$IFACE.pid becomes PIDFILE=/var/run/snort_eth0 eth1.pid and that can't work. I was too fast yesterday. But one idea is left. I googled around and it seems that many people start one snort instance for every interface they have. So maybe you can split the init script and config file into two different versions, e.g.:

```
mv /etc/init.d/snort /etc/init.d/snort_eth0
cp /etc/init.d/snort_eth0 /etc/init.d/snort_eth1
mv /etc/conf.d/snort /etc/conf.d/snort_eth0
cp /etc/conf.d/snort_eth0 /etc/conf.d/snort_eth1
# ... or something like this ...
```

You must set $LOGDIR to different locations and, if you want to use different configurations, $CONF as well. But I don't know if it works well, nor if BASE (never tested BASE, I use prelude/prewikka) can handle it correctly.

[EDIT] http://www.snort.org/docs/faq/3Q06/node35.html
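
A concrete form of the one-instance-per-interface idea, added as an example; it is not from the thread, the Gentoo init script or the Snort project. It builds one snort command line per interface with its own log directory and pid file, and rejects a value like `eth0 eth1`, which is exactly what produced the broken PIDFILE above. The paths and the Snort 2.x options it uses (-D, -i, -c, -l, --pid-path) are assumptions about the install; by default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not from the thread or the Gentoo init script): run one Snort
# instance per interface, each with its own log directory and pid file.
# Assumptions: Snort 2.x options -D -i -c -l --pid-path, and the paths below.
SNORT_BIN=${SNORT_BIN:-/usr/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
LOG_ROOT=${LOG_ROOT:-/var/log/snort}
PID_DIR=${PID_DIR:-/var/run}
IFACES=${IFACES:-"eth0 eth1"}

# A single interface name only: "eth0 eth1" as one value is what produced the
# broken PIDFILE=/var/run/snort_eth0 eth1.pid above.
valid_iface() {
  case $1 in
    '' | *[!A-Za-z0-9_.:-]*) return 1 ;;
  esac
}

# Command line for one interface. Snort names its pid file snort_<iface>.pid
# inside --pid-path, so separate instances do not collide there; the log
# directory has to be separated explicitly with -l.
snort_cmd() {
  valid_iface "$1" || { echo "invalid interface name: '$1'" >&2; return 1; }
  printf '%s -D -i %s -c %s -l %s/%s --pid-path %s\n' \
    "$SNORT_BIN" "$1" "$SNORT_CONF" "$LOG_ROOT" "$1" "$PID_DIR"
}

# Start (or, with DRY_RUN=1, just print) one instance per interface in IFACES.
start_all() {
  for i in $IFACES; do
    cmd=$(snort_cmd "$i") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "$cmd"
    else
      mkdir -p "$LOG_ROOT/$i" && $cmd   # word splitting of $cmd is intended
    fi
  done
}

start_all
```

Run it with DRY_RUN=0 as root to actually start the daemons; the loop stops at the first interface name it cannot validate instead of handing a malformed name to snort.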

----------

## vaguy02

Well, according to the link you provided, since I'm running 2.6.xxx I should be able to use the keyword any on the interface line and it should use all interfaces. I tried that, and I restarted snort, but now I'm getting:

```
FATAL ERROR: No netmask specified for home network!
```

But the thing is, I'm using the var HOME_NET $eth0_ADDRESS variable, so it should be pulling the netmask straight from the /etc/conf.d/net file, right? I mean, that's how it was doing it before when I just had the one interface selected.

ugh.....don't ya love this.....

----------

## nubla

The text says that this only works if you have a specially patched libpcap. Have you? I would prefer the multiple instances...

----------

## vaguy02

yep, that I do. haha. Actually, I got it working now..... For some reason, I had to leave the network variable as "192.168.0.0/16" and only change the interface to "any". I had changed the network to any as well. Which doesn't make sense: why limit it to 192.168.0.0/16 in network but then select an interface on a completely different network? But anywho, it worked. So I'm happy. I've already picked up a couple of port scans from Poland and Brazil against the front-facing network. I need to figure out how to have snort or base email me when it picks up a scan like that; that's my next project. Any ideas?

Robert.

----------

## nubla

I'm not really sure which network variable you mean, but never mind, it works. The email problem is the same as the two-interface problem: I've never tried that. I use snort with prelude directly on my laptop and set up metamonitor to watch the prelude.log. For the server, maybe you can use cron to run an analysis tool like http://packetstormsecurity.org/sniffers/snort/snort_stat.pl periodically and send the results with sendmail. For an on-demand solution, maybe a file watcher could trigger the analysis tool and the email sending on log-file change.
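
One way to do the cron-and-sendmail approach, added here as an example and not code from the thread, snort_stat.pl or Snort: a script that remembers how far it has read Snort's text alert file and mails only the lines appended since the previous run, starting over if the file was rotated. It assumes Snort also writes the plain-text alert file (the config above logs only to MySQL, so an `output alert_fast: alert` line would be needed) and that /usr/sbin/sendmail is installed. The alert lines in the demo are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven notifier that mails only the
# alerts appended to Snort's text alert file since the previous run.
# Assumptions: Snort writes the plain-text alert file below (add
# "output alert_fast: alert" to snort.conf) and /usr/sbin/sendmail exists.
ALERT_FILE=${ALERT_FILE:-/var/log/snort/alert}
STATE_FILE=${STATE_FILE:-/var/lib/snort/alert.offset}
MAILTO=${MAILTO:-root}

# Print the lines added since the saved byte offset and advance the offset.
# If the file is smaller than the offset (log rotation), start from the top.
new_alerts() {
  [ -f "$ALERT_FILE" ] || return 0
  size=$(wc -c < "$ALERT_FILE")
  off=0
  if [ -f "$STATE_FILE" ]; then off=$(cat "$STATE_FILE"); fi
  [ "$off" -le "$size" ] || off=0
  tail -c +"$((off + 1))" "$ALERT_FILE"
  mkdir -p "$(dirname "$STATE_FILE")" && printf '%s\n' "$size" > "$STATE_FILE"
}

# Mail the new alerts, if any. With DRY_RUN=1 the message is printed instead.
notify() {
  body=$(new_alerts)
  [ -n "$body" ] || return 0
  count=$(printf '%s\n' "$body" | grep -c '\[\*\*\]' || true)
  msg=$(printf 'Subject: [snort] %s new alert(s) on %s\nTo: %s\n\n%s\n' \
        "$count" "$(uname -n)" "$MAILTO" "$body")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$msg"
  else
    printf '%s\n' "$msg" | /usr/sbin/sendmail -t
  fi
}

# Stand-alone demo on a constructed alert_fast-style file (not real traffic).
demo() {
  d=$(mktemp -d)
  ALERT_FILE=$d/alert STATE_FILE=$d/offset
  cat > "$ALERT_FILE" <<'EOF'
11/09-12:01:03.123456  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 203.0.113.10
11/09-12:01:09.654321  [**] [1:2050:10] MS-SQL version overflow attempt [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:4321 -> 203.0.113.10:1434
EOF
  DRY_RUN=1 notify   # first run: a message with both alerts
  DRY_RUN=1 notify   # second run: nothing new, prints nothing
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; else notify; fi
```

Run the script with the single argument `demo` to see the message on the constructed data; from cron, run it without arguments every few minutes so each mail carries only the alerts that arrived since the last one.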

----------

## vaguy02

yeah, some kind of log checker or cron job is probably what I'm going to have to end up going with.

Question: I've got an ICMP hit against my outside address. The source is 10.2.104.1, which to me says that person is spoofing their IP when hitting me with pings. Am I correct in my assumption?

----------

## nubla

Yep, I think so. But why ping (or send other ICMP to) a host with a spoofed private address as source on a public network? The sender will never get an answer... unless you have a VPN running on your box.

----------

## vaguy02

Nope, no VPN. It looks like it's on the other side as well......against the internal boxes with the same address.....That's really weird...Doesn't matter. I will just block all traffic that is -i ${WAN} -s 10.0.0.0/8; that should take care of the situation....when in doubt, blanket -j DROP statement. haha

----------

## nubla

Only a thought. If I use Azureus I get a lot of weird ICMP messages, too. Maybe you have some peer-to-peer software running which triggers that. This could explain the private IP.

----------

## vaguy02

That is very possible, haha, I do have roommates......

----------

## afbach

 *nubla wrote:*   

> Oke, found something 
> 
> The rule in line 49 of sql.rules is wrong!
> 
> I asked my big snort-book and it had an answer 
> ...

 

No, the issue turns out to be a compile issue for snort itself. It *can* follow flow for UDP, but you need to configure the build with the

```
./configure --enable-stream4udp
```

option. Then those rules will pass.

a

----------

