[Snortsam-discussion] Snortsam errors

Alberto Nicolás Gentil Otero - GenSys
Tue Feb 2 11:52:36 EST 2010


Hi,

When I start snortsam, it returns the following:

 > sudo snortsam

SnortSam, v 2.69.
Copyright (c) 2001-2009 Frank Knobbe <frank at knobbe.us>. All rights reserved.

Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel <alib at sabanciuniv.edu>
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <maddog2k at maddog2k.net>
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno <apaterno at dsnsecurity.com>
Plugin 'iptables': v 2.9, by Fabrizio Tivano <fabrizio at sad.it>, Luis Marichal <luismarichal at gmail.com>
Plugin 'ebtables': v 2.4, by Bruno Scatolin <ipsystems at uol.com.br>
Plugin 'watchguard': v 2.7, by Thomas Maier <thomas.maier at arcos.de>
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <ali at basel.name.tr>
Plugin 'forward': v 2.8, by Frank Knobbe

Parsing config file /etc/snortsam.conf...
Linking plugin 'cisconullroute2'...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Starting to listen for Snort alerts.
Error: Packet out of sequence from 127.0.0.1, trying to re-sync.
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Error: Packet out of sequence from 127.0.0.1, trying to re-sync.
Blocking host **.**.**.** completely for 300 seconds (Sig_ID: 882).
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Blocking host **.**.**.** completely for 300 seconds (Sig_ID: 882).
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Blocking host **.**.**.** completely for 300 seconds (Sig_ID: 882).
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Snort station 127.0.0.1 using wrong password, trying to re-sync.
Snort station 127.0.0.1 using wrong password, trying to re-sync.
...

On the router, the rules are added OK.

What is happening?

In snort.conf:

output alert_fwsam:  127.0.0.1/passprobe

In snortsam.conf:

defaultkey passprobe
accept  127.0.0.1
...

Another question: how can I add "fwsam" to all the rules?

Thank you for your attention and sorry for my English.



