SNort + ipcop 1.3

[grosbedos]

bon ben voila.. <BR> <BR>snort demarre presque, je vous laisse voir les logs:(bien entendu ce n'est pas moi qui kill le process...lol) <BR> <BR>Running in IDS mode <BR>Log directory = /var/log/snort <BR> <BR>Initializing Network Interface ppp0 <BR> <BR> --== Initializing Snort ==-- <BR>Rule application order changed to Pass->Alert->Log <BR>Initializing Output Plugins! <BR>Decoding raw data on interface ppp0 <BR>There's no second layer header available for this datalink <BR>Initializing Preprocessors! <BR>Initializing Plug-ins! <BR>Parsing Rules file /etc/snort/snort.conf <BR> <BR>+++++++++++++++++++++++++++++++++++++++++++++++++++ <BR>Initializing rule chains... <BR>[*] Frag2 config: <BR> Fragment timeout: 60 seconds <BR> Fragment memory cap: 2097152 bytes <BR> Fragment min_ttl: 0 <BR> Fragment ttl_limit: 5 <BR> Fragment Problems: 0 <BR> State Protection: 0 <BR> Self preservation threshold: 500 <BR> Self preservation period: 90 <BR> Suspend threshold: 1000 <BR> Suspend period: 30 <BR>Stream4 config: <BR> Stateful inspection: ACTIVE <BR> Session statistics: INACTIVE <BR> Session timeout: 30 seconds <BR> Session memory cap: 2097152 bytes <BR> State alerts: INACTIVE <BR> Evasion alerts: INACTIVE <BR> Scan alerts: ACTIVE <BR> Log Flushed Streams: INACTIVE <BR> MinTTL: 1 <BR> TTL Limit: 5 <BR> Async Link: 0 <BR> State Protection: 0 <BR> Self preservation threshold: 50 <BR> Self preservation period: 90 <BR> Suspend threshold: 200 <BR> Suspend period: 30 <BR>Stream4_reassemble config: <BR> Server reassembly: INACTIVE <BR> Client reassembly: ACTIVE <BR> Reassembler alerts: INACTIVE <BR> Ports: 21 23 25 53 80 110 111 143 513 1433 <BR> Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 <BR>http_decode arguments: <BR> Unicode decoding <BR> IIS alternate Unicode decoding <BR> IIS double encoding vuln <BR> Flip backslash to slash <BR> Include additional whitespace separators <BR> Ports to decode http on: 80 <BR>rpc_decode arguments: <BR> Ports to decode RPC on: 111 32771 <BR> alert_fragments: INACTIVE <BR> alert_large_fragments: ACTIVE <BR> alert_incomplete: ACTIVE <BR> alert_multiple_requests: ACTIVE <BR>telnet_decode arguments: <BR> Ports to decode telnet on: 21 23 25 119 <BR>Conversation Config: <BR> KeepStats: 0 <BR> Conv Count: 3000 <BR> Timeout : 60 <BR> Alert Odd?: 0 <BR> Allowed IP Protocols: All <BR> <BR>Portscan2 config: <BR> log: /var/log/snort/scan.log <BR> scanners_max: 256 <BR> targets_max: 1024 <BR> target_limit: 5 <BR> port_limit: 20 <BR> timeout: 60 <BR>1331 Snort rules read... <BR>1331 Option Chains linked into 149 Chain Headers <BR>0 Dynamic rules <BR>+++++++++++++++++++++++++++++++++++++++++++++++++++ <BR> <BR>Rule application order: ->pass->activation->dynamic->alert->log <BR> <BR> --== Initialization Complete ==-- <BR> <BR>-*> Snort! <*- <BR>Version 2.0.0 (Build 72) <BR>By Martin Roesch (roesch@sourcefire.com, <!-- BBCode auto-link start --><a href="http://www.snort.org" target="_blank">www.snort.org</a><!-- BBCode auto-link end -->) <BR>Killed <BR>

[grosbedos]

oui ben j'ai trouver snif... <BR> <BR>Apr 23 09:19:57 ipcop kernel: Out of Memory: Killed process 8328 (snort) <BR> <BR>et oui..noyau 2.4..snort 2 <BR> <BR>mes 16Meg de 70ms suffisent plus.... <BR> <BR>si j'enleve tty2 etc..il me semble que je peux en libérer, non?? <BR> <BR>y a t-il d'autre moyen??