Tuesday 29 October 2013

Snort Alert - ZmEu Scanner

Yesterday, while I was doing my work, I suddenly received some alerts on my Snort IDS with the signature below:

#48-(3-699628) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:28:00 91.121.158.56:59362 10.21.1.19:80 TCP
#49-(3-699627) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59179 10.21.1.19:80 TCP
#50-(3-699626) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59010 10.21.1.19:80 TCP
#51-(3-699625) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58725 10.21.1.19:80 TCP
#53-(3-699623) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58563 10.21.1.19:80 TCP



After searching Google for ZmEu, I found that it is a scanner that probes for phpMyAdmin security holes. I confirmed this in my Apache access.log, which shows the same host trying to find phpMyAdmin:


91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"

We can block the above ZmEu scanner using iptables or fail2ban. Here I am going to use the iptables string match.

Iptables rule:


[root@server~]# iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --algo bm --string 'ZmEu' -j DROP

Explanation:-

    --dport   -----> destination port
    --to      -----> offset (in bytes) at which to stop searching
    1000      -----> search only the first 1000 bytes of the packet
    --algo    -----> algorithm (two types: 1. bm (Boyer-Moore) and 2. kmp (Knuth-Morris-Pratt))
    --string  -----> text search pattern (case sensitive)


Save the iptables rules and restart the service:

[root@server~]# service iptables save
[root@server~]# service iptables restart

Then check the iptables rules. The output will look like below:

[root@server~]#  iptables -nvL

   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 STRING match "ZmEu" ALGO name bm TO 1000


ZmEu is now blocked using iptables.

Wednesday 23 October 2013

Snort Alert - DFind w00tw00t GET-Requests

I received some alerts on my IDS with the signature below:


#632-(3-693403) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 08:51:34 89.46.161.210:30693 10.21.1.19:80 TCP
#706-(3-692963) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-23 00:21:54 85.214.236.97:64368 10.21.1.19:80 TCP
#707-(3-692918) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 23:34:23 24.172.10.141:4456 10.21.1.19:80 TCP
#726-(3-692857) [url] [snort] ET WEB_SERVER DFind w00tw00t GET-Requests 2013-10-22 22:23:33 89.46.161.210:21368 10.21.1.19:80 TCP



After that I checked the payload of all the alerts. It looked like below:



I searched for this alert (w00tw00t.at.ISC.SANS.Win32) and learned that it comes from a type of vulnerability scanner. Then I checked my Apache access.log, which looked like below:

[root@server~]# less /var/log/httpd/access_log | grep "GET /w00tw00t.at.ISC.SANS"


89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"
24.172.10.141 - - [22/Oct/2013:23:34:23 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
85.214.236.97 - - [23/Oct/2013:00:21:54 +0530] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
89.46.161.210 - - [23/Oct/2013:08:51:34 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"

The above attempts were unsuccessful, as the 400 (Bad Request) status shows. I checked my Apache error.log as well:


[root@server ~]# less /var/log/httpd/error_log | grep "89.46.161.210"


[Tue Oct 22 22:23:33 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 08:51:34 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)
[Wed Oct 23 19:08:46 2013] [error] [client 89.46.161.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.Win32:)

[root@server~]# less /var/log/httpd/error_log | grep "24.172.10.141"

[Tue Oct 22 23:34:23 2013] [error] [client 24.172.10.141] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)


The above requests were sent without a Host header. Every HTTP/1.1 request must carry a Host header (for example, example.com).

Today I also received a lot of alerts from vulnerability scanners, so I decided to drop this type of GET request using iptables.

Iptables rule:

I used the string match option:

[root@server~]# iptables -I INPUT -d xx.xx.xx.xx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Explanation:-

    -d            ------> destination
    xx.xx.xx.xx   -----> your server IP address
    --dport       -----> destination port
    --to          -----> offset (in bytes) at which to stop searching
    70            -----> search only the first 70 bytes of the packet
    --algo        -----> algorithm (two types: 1. bm (Boyer-Moore) and 2. kmp (Knuth-Morris-Pratt))
    --string      -----> text search pattern (case sensitive)


Save the iptables rules and restart the service:

[root@server~]# service iptables save
[root@server~]# service iptables restart

Then check the iptables rules. The output will look like below:

[root@server~]#  iptables -nvL

   0     0 DROP       tcp  --  *      *       0.0.0.0/0            176.9.7.40          tcp dpt:80 STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 70


DFind w00tw00t GET requests are now blocked using iptables.

Thursday 17 October 2013

Snort Alert - Morfeus F Scanner

This morning I received some alerts on my Snort IDS with the signature below:



#2885-(2-579886) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2886-(2-579887) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2887-(2-579888) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2888-(2-666456) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2889-(2-666457) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP

#2890-(2-666458) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60747 10.21.1.19:80 TCP

#2891-(2-666459) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:32975 10.21.1.19:80 TCP

#2892-(2-754607) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60191 10.21.1.19:80 TCP

#2893-(2-754608) [url] [url] [snort] ET WEB_SERVER PHP Attack Tool Morfeus F Scanner 2013-10-17 08:51:14 88.190.22.62:60300 10.21.1.19:80 TCP


After that I searched Google for the above alert and found out that Morfeus scans websites. I checked my Apache access.log as well:


[root@snort~]# grep -R "88.190.22.62" /var/log/httpd/access_log 



88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /rc/README HTTP/1.1" 404 15858 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /roundcube/README HTTP/1.1" 404 15865 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /mail/README HTTP/1.1" 404 15860 "-" "Morfeus strikes again."
88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."


They have not achieved anything, since every request returned status code 404 (Not Found). I decided to block this type of scanner before it does something.

I blocked the Morfeus F Scanner using the .htaccess file.

Go to the website directory, open the ".htaccess" file and add the lines below (RewriteEngine On is only needed if the file does not already enable mod_rewrite):

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteRule ^.*$ - [F]

End.....
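Bringing the three scanner posts above together, here is an added example (my own code, not from the original posts) that parses Apache combined-format access log lines and flags the same three indicators: the ZmEu and Morfeus User-Agents and the w00tw00t.at.ISC.SANS request path, grouping hits by source address. The log lines in it are constructed samples modelled on the ones shown above.

```python
"""Flag web vulnerability-scanner traffic in Apache combined access logs.

Added example, not from the original posts. Indicators are the ZmEu and
Morfeus User-Agents and the w00tw00t.at.ISC.SANS path; sample lines are constructed.
"""
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The .htaccess rule above uses ^Morfeus, so that check is anchored exactly
# like mod_rewrite would anchor it; ZmEu is matched anywhere, like the iptables rule.
UA_PATTERNS = {
    "ZmEu": re.compile(r"ZmEu"),
    "Morfeus": re.compile(r"^Morfeus"),
}
PATH_PATTERNS = {
    "DFind w00tw00t": re.compile(r"^/w00tw00t\.at\.ISC\.SANS\."),
}

def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the scanner name for a parsed entry, or None if it looks benign."""
    for name, pat in UA_PATTERNS.items():
        if pat.search(entry["ua"]):
            return name
    for name, pat in PATH_PATTERNS.items():
        if pat.search(entry["path"]):
            return name
    return None

def scan_log(lines):
    """Group scanner hits by (source IP, scanner): paths probed and statuses returned."""
    hits = defaultdict(lambda: {"paths": [], "statuses": set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format (or a truncated line); skip it
        name = classify(entry)
        if name is None:
            continue
        rec = hits[(entry["src"], name)]
        rec["paths"].append(entry["path"])
        rec["statuses"].add(entry["status"])
    return dict(hits)

# Constructed sample: the same shapes the posts show, plus one benign request.
SAMPLE_LOG = [
    '91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"',
    '91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"',
    '89.46.161.210 - - [22/Oct/2013:22:23:33 +0530] "GET /w00tw00t.at.ISC.SANS.Win32:) HTTP/1.1" 400 226 "-" "-"',
    '88.190.22.62 - - [17/Oct/2013:08:51:13 +0530] "GET /roundcubemail/README HTTP/1.1" 404 15869 "-" "Morfeus strikes again."',
    '88.190.22.62 - - [17/Oct/2013:08:51:14 +0530] "GET /README HTTP/1.1" 404 15855 "-" "Morfeus strikes again."',
    '203.0.113.7 - - [17/Oct/2013:09:00:00 +0530] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (src, name), rec in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{src:16} {name:15} {len(rec['paths'])} hits, statuses {sorted(rec['statuses'])}")
```

Unlike the iptables string match, which drops any packet carrying the pattern within its first 1000 or 70 bytes, this only reads logs after the fact; note that the ^Morfeus anchor, exactly like the .htaccess rule, will not match a User-Agent that merely contains the word somewhere in the middle.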

Thursday 5 September 2013

Emerging Threats rules for Snort

At first I was using the Snort registered-user rules from the official Snort website (snort.org); later I found the Emerging Threats rules through a friend's blog.

You can download the Emerging Threats rules matching your Snort version from the link below.


I was using Snort 2.9, so I downloaded the ET rules using the link below:

[root@snort_install]# wget http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz

[root@snort_install]# tar -zxvf emerging.rules.tar.gz

Copy all the rules from the rules directory to /etc/snort/rules:

[root@snort_install]# mv rules/* /etc/snort/rules/

Now we need to change the rule path settings in the snort.conf file:

[root@iitb-st snort_install]# vim /etc/snort/snort.conf


###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/emerging-ftp.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-games.rules
include $RULE_PATH/emerging-pop3.rules
include $RULE_PATH/emerging-user_agents.rules
##include $RULE_PATH/emerging-activex.rules
#include $RULE_PATH/emerging-rpc.rules
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-icmp.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-scada.rules
#include $RULE_PATH/emerging-voip.rules
include $RULE_PATH/emerging-chat.rules
#include $RULE_PATH/emerging-icmp_info.rules
##include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/emerging-imap.rules
include $RULE_PATH/emerging-web_server.rules
#include $RULE_PATH/emerging-current_events.rules
##include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-smtp.rules
##include $RULE_PATH/emerging-web_specific_apps.rules
##include $RULE_PATH/emerging-deleted.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-snmp.rules
#include $RULE_PATH/emerging-worm.rules
#include $RULE_PATH/emerging-dns.rules
#include $RULE_PATH/emerging-misc.rules
include $RULE_PATH/emerging-sql.rules
#include $RULE_PATH/emerging-dos.rules
#include $RULE_PATH/emerging-netbios.rules
include $RULE_PATH/emerging-telnet.rules
include $RULE_PATH/emerging-exploit.rules
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-tftp.rules
include $RULE_PATH/emerging-mobile_malware.rules
include $RULE_PATH/emerging-info.rules
#include $RULE_PATH/emerging-botcc.rules
#include $RULE_PATH/emerging-botcc-BLOCK.rules
include $RULE_PATH/emerging-compromised.rules
#include $RULE_PATH/emerging-compromised-BLOCK.rules
#include $RULE_PATH/emerging-drop.rules
#include $RULE_PATH/emerging-drop-BLOCK.rules
#include $RULE_PATH/emerging-dshield.rules
#include $RULE_PATH/emerging-dshield-BLOCK.rules
#include $RULE_PATH/emerging-rbn.rules
#include $RULE_PATH/emerging-rbn-malvertisers.rules
#include $RULE_PATH/emerging-rbn-BLOCK.rules
#include $RULE_PATH/emerging-rbn-malvertisers-BLOCK.rules
#include $RULE_PATH/emerging-tor.rules
#include $RULE_PATH/emerging-tor-BLOCK.rules
#include $RULE_PATH/emerging-ciarmy.rules

:wq

The rule set above depends on your server's needs.

Now go and check your rules under /etc/snort/rules. Here too you can customize the rules according to your server's needs.

I hope this helps...

Sunday 4 August 2013

BASE Configuration on Centos 6.3 x86_64

BASE (Basic Analysis and Security Engine) is a good way to view Snort data through a web interface.

Required packages:

    1. Webserver (apache)
    2. PHP
    3. BASE
    4. adodb

We will install Apache and PHP with the following command:


[root@snort ~]# yum install httpd php php-pear*


Download BASE from the following link using the wget command:


[root@snort snort_install]# wget http://sourceforge.net/projects/secureideas/files/latest/download?source=files

Extract it and move the base directory to the Apache document root:

[root@snort snort_install]# tar -zvxf base-1.4.5.tar.gz

[root@snort snort_install]# mv base-1.4.5 /var/www/html/base

Change the owner and group to "apache" and set permissions to 775:


[root@snort snort_install]# chown apache.apache -R /var/www/html/base/

[root@snort snort_install]# chmod 775 -R /var/www/html/base/



Download ADOdb from the following link using the wget command:



Unzip adodb518a.zip, rename "adodb5" to "adodb" and move it inside the "base" directory:


[root@snort snort_install]# unzip adodb518a.zip


[root@snort snort_install]# mv  adodb5  /var/www/html/base/adodb

Now restart the httpd and mysqld services:


[root@snort snort_install]#  service httpd restart

[root@snort snort_install]# service mysqld restart


Now we will open BASE in a web browser.

In my case the server address is http://10.21.1.19/base

Step 1:



The above screen shows the config file and PHP version check. Just click "Continue".


Step 2:  

         




The above screen asks for the ADOdb path; in my case it is "/var/www/html/base/adodb". Click Continue.


Step 3:




Type the database details and click Continue.

Step 4:




Just give a user name and password for the BASE login. Click Continue.


Step 5:


Just click Continue.

Step 6:



Just click Continue.



Step 7:






This is the BASE screen.



Thursday 1 August 2013

Install and Configure barnyard2 on Centos 6.3 x86_64

Snort writes its output in the "unified2" file format, and Barnyard2 reads those unified2 files.
Before installing Barnyard2 we must install and configure Snort and MySQL.

Barnyard2 Installation


We can download Barnyard2 with the "wget" command from the following link:


[root@snort snort_install]# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz


Extract, compile and install Barnyard2:



[root@snort snort_install]# tar -zxvf barnyard2-1.9.tar.gz

[root@snort snort_install]# cd barnyard2-1.9

[root@snort barnyard2-1.9]# ./configure --with-mysql


[root@snort barnyard2-1.9]# make


[root@snort barnyard2-1.9]# make install
Copy the "barnyard2.conf" file to "/etc/snort/", and copy "sid-msg.map" from /snort_install/snort-rule/etc/sid-msg.map to "/etc/snort/":

[root@snort barnyard2-1.9]# cp etc/barnyard2.conf /etc/snort/


[root@snort barnyard2-1.9]# cp -p /snort_install/snort-rule/etc/sid-msg.map /etc/snort/


[root@snort barnyard2-1.9]# mkdir /var/log/barnyard2
[root@snort barnyard2-1.9]# chmod 666 /var/log/barnyard2
[root@snort ~]# chmod 775 -R /var/log/snort/
[root@snort ~]# chown snort:snort -R /var/log/snort/

Barnyard2 Configuration:


Open and edit the "barnyard2.conf" file:


[root@snort barnyard2-1.9]# vim /etc/snort/barnyard2.conf


config hostname: snort     <---- give the hostname and interface name
config interface: eth0
input unified2             <---- log file format


output database: alert, mysql, user=user-name dbname=database-name   password=xxxxx     host=localhost


 
:wq

Barnyard2 Testing

Open a terminal and type the following command:

[root@snort ~]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 &

Then run the command below; you should get the output shown:

[root@snort ~]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.u2


Closing spool file '/var/log/snort//snort.u2.1374562940'. Read 332 records
Opened spool file '/var/log/snort//snort.u2.1374877709'
Closing spool file '/var/log/snort//snort.u2.1374877709'. Read 0 records
Opened spool file '/var/log/snort//snort.u2.1374881111'
Waiting for new data


    options --->  -c  use configuration file
                  -d  spool files from directory
                  -f  file pattern

Now Barnyard2 is working fine.

Sunday 28 July 2013

Snort with Mysql on Centos 6.3 x86_64

Now we are going to create a MySQL database to receive the Snort logs. First we need to install MySQL.
I have already installed MySQL; if you have not, use this link for the MySQL installation.


[root@snort snort_install]# mysql -u root -p

Create the database "snort" using the following command:


mysql> create database snort;

Now I am going to check whether the database was created, using the command below:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| test               |
+--------------------+
4 rows in set (0.00 sec)

Create a separate user and grant all privileges on the snort database:

mysql> grant all on snort.* to 'snortuser'@'localhost' identified by 'test@1234';

database name --> snort
database user name --> snortuser
database user password --> test@1234

mysql> flush privileges;

Now we will load "create_mysql", which has the schema for the database. It is in the barnyard2 directory:


[root@snort barnyard2-1.9]# mysql -u snortuser -p snort < schemas/create_mysql


Now restart the MySQL service:

[root@snort snort_install]# service mysqld restart



Saturday 27 July 2013

Snort Installation and Configuration on Centos 6.3 x86_64

Snort is an open source network Intrusion Detection System and Intrusion Prevention System (IDS/IPS). For more information click this link.

Here I am going to install Snort as an Intrusion Detection System (IDS).

Installation:

Install the below packages using the yum command:

[root@snort ~]# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++

[root@snort ~]# yum install libcap*


[root@snort ~]# yum install libpcap*


[root@snort ~]# yum install pcre*


Download the below packages using the "wget" command:



1. libdnet
2. daq
3. snort

Create a directory snort_install to store the downloads:


[root@snort ~]# mkdir /snort_install

Change directory:

[root@snort ~]# cd /snort_install/

[root@snort snort_install]# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

[root@snort snort_install]# wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq-2.0.0.tar.gz

[root@snort snort_install]# wget http://www.snort.org/dl/snort-current/snort-2.9.5.tar.gz -O snort-2.9.5.tar.gz



Extract, compile and install "libdnet":


[root@snort snort_install]# tar -zxvf libdnet-1.12.tgz


[root@snort snort_install]# cd libdnet-1.12


[root@snort libdnet-1.12]# ./configure


[root@snort libdnet-1.12]# make && make install


Extract, compile and install "DAQ":


[root@snort snort_install]# tar -zxvf daq-2.0.0.tar.gz

[root@snort snort_install]# cd daq-2.0.0


[root@snort daq-2.0.0]# ./configure


[root@snort daq-2.0.0]# make && make install

Extract, compile and install "Snort":


[root@snort snort_install]# tar -zxvf snort-2.9.5.tar.gz

[root@snort snort_install]# cd snort-2.9.5


[root@snort snort-2.9.5]# ./configure


[root@snort snort-2.9.5]# make && make install



Snort Rule


We need to download the Snort rules from this link:


# wget http://www.snort.org/reg-rules/snortrules-snapshot-2945.tar.gz/38f33a5eb5f006c2ea77d1655001c0a5a9a5122c -O snortrules-snapshot-2945.tar.gz

[root@snort snort_install]# mkdir snort-rule

[root@snort snort_install]# mv snortrules-snapshot-2946.tar.gz snort-rule/


[root@snort snort_install]# tar -zxvf snortrules-snapshot-2946.tar.gz

Create a new group "snort":


[root@snort ~]# groupadd snort

Create a new user "snort" with the shell set to "/sbin/nologin":

[root@snort ~]# useradd -g snort snort -s /sbin/nologin

Create the following directories:

[root@snort ~]# mkdir /etc/snort
[root@snort ~ ]# mkdir /etc/snort/rules
[root@snort ~]# mkdir /etc/snort/so_rules
[root@snort ~]# mkdir /etc/snort/preproc_rules
[root@snort ~]# mkdir /var/log/snort
[root@snort ~]# mkdir /usr/local/lib/snort_dynamicrules

Change the owner and group:

[root@snort ~]# chown snort:snort /var/log/snort


We need to copy some files from "/snort_install" to the appropriate location:


[root@snort snort_install]# cd snort-2.9.5/etc/


[root@snort etc]# cp * /etc/snort/

We need to copy all the rules from the "snort-rule" directory to the appropriate location:

[root@snort snort_install]# cd snort-rule


[root@snort snort-rule]# cp rules/* /etc/snort/rules/


[root@snort snort_install]# cp snort-rule/so_rules/precompiled/Centos-5-4/i386/2.9.4.6/* /etc/snort/so_rules/


[root@snort snort-rule]# cp preproc_rules/* /etc/snort/preproc_rules/


[root@snort snort-rule]# touch /etc/snort/rules/black_list.rules

[root@snort snort-rule]# touch /etc/snort/rules/white_list.rules



Snort Configuration:


Open and edit the Snort configuration file:


[root@snort ]# vim /etc/snort/snort.conf



ipvar HOME_NET 10.21.1.19                    <------ IP address of your server

var RULE_PATH /etc/snort/rules               <------ give the correct paths
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

#preprocessor normalize_ip4                  <------ comment out these 5 lines
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

output unified2: filename snort.u2, limit 128    ## line no: 521

:wq
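As an added example (my own code, not from these posts), here is a small Python helper that applies the snort.conf edits from this post and from the Emerging Threats post above to a config text: it sets HOME_NET and RULE_PATH, comments out the normalize_* preprocessors, keeps the unified2 output line that barnyard2 reads, and enables only a chosen set of ET rule categories. The sample config is a constructed fragment containing just the lines involved.

```python
"""Apply the snort.conf edits described above to a config text, idempotently.

Added example, not from the original posts. Handles HOME_NET, RULE_PATH, the
normalize_* preprocessor lines, the unified2 output line and the
'include $RULE_PATH/emerging-*.rules' lines; everything else is passed through.
"""
import re

NORMALIZE_RE = re.compile(r"^(#\s*)?preprocessor normalize_\w+")
INCLUDE_RE = re.compile(r"^(#+\s*)?include \$RULE_PATH/(emerging-[\w-]+)\.rules\s*$")

def configure_snort(conf, home_net, rule_path, enabled_categories):
    """Return the edited config text; running it twice gives the same result."""
    out = []
    have_unified2 = False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("ipvar HOME_NET"):
            line = f"ipvar HOME_NET {home_net}"
        elif stripped.startswith("var RULE_PATH"):
            line = f"var RULE_PATH {rule_path}"
        elif NORMALIZE_RE.match(stripped):
            # Normalization only applies inline (IPS mode); comment it out for a passive IDS.
            line = stripped if stripped.startswith("#") else "#" + stripped
        elif stripped.startswith("output unified2:"):
            line = "output unified2: filename snort.u2, limit 128"
            have_unified2 = True
        else:
            m = INCLUDE_RE.match(stripped)
            if m:
                cat = m.group(2)
                line = f"include $RULE_PATH/{cat}.rules"
                if cat not in enabled_categories:
                    line = "#" + line  # one '#' even if the original had '##'
        out.append(line)
    if not have_unified2:
        out.append("output unified2: filename snort.u2, limit 128")
    return "\n".join(out) + "\n"

def enabled_rules(conf):
    """List the ET categories whose include line is active (not commented out)."""
    cats = []
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line.strip())
        if m and not m.group(1):
            cats.append(m.group(2))
    return cats

# Constructed fragment of a stock snort.conf with ET includes already added.
SAMPLE_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
include $RULE_PATH/local.rules
include $RULE_PATH/emerging-scan.rules
#include $RULE_PATH/emerging-web_server.rules
##include $RULE_PATH/emerging-shellcode.rules
"""

if __name__ == "__main__":
    new = configure_snort(SAMPLE_CONF, "10.21.1.19", "/etc/snort/rules",
                          {"emerging-scan", "emerging-web_server"})
    print(new)
    print("enabled:", enabled_rules(new))
```

Check the result with `snort -T -c /etc/snort/snort.conf` before restarting, since a typo in an include path stops Snort from starting at all.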



Snort Testing



[root@snort ~]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5 GRE (Build 103)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.0  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
Commencing packet processing (pid=4884)

Now Snort is working.