matsui888と申します。宜しくお願い致します。

RedHat9にsnort-1.9.1-1snortをインストールしています。
突然、接続中のsshが操作できなくなり、
名前解決不能、更にはpingも外部には飛ばなくなりました。
# ifdown ppp0
# ifup ppp0
としてみましたが回復しませんでした。
以下のようなログを見掛けました。多分、snort監視のpppoe切断が原因かと思いますが
リブートせずに復旧する方法は無いのでしょうか?

# tail -f /var/log/messages
Oct 31 13:42:02 host1 su(pam_unix)[25255]: session closed for user root
Oct 31 13:45:04 host1 kernel: RuleLettingIcmpThroughIN=ppp0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=aaa.aaa.aaa.aaa LEN=76 TOS=0x00 PREC=0x00 TTL=37 ID=125 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=ggg.ggg.ggg.ggg [SRC=aaa.aaa.aaa.aaa DST=ggg.ggg.ggg.ggg LEN=73 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=32771 DPT=53 LEN=53 ]
Oct 31 13:47:00 host1 su(pam_unix)[25696]: session opened for user root by (uid=0)
Oct 31 13:47:02 host1 su(pam_unix)[25696]: session closed for user root
Oct 31 13:52:00 host1 su(pam_unix)[26153]: session opened for user root by (uid=0)
Oct 31 13:52:02 host1 su(pam_unix)[26153]: session closed for user root
Oct 31 13:57:00 host1 su(pam_unix)[26596]: session opened for user root by (uid=0)
Oct 31 13:57:02 host1 su(pam_unix)[26596]: session closed for user root
Oct 31 14:01:13 host1 sshd(pam_unix)[27034]: session opened for user user01 by (uid=502)
Oct 31 14:01:14 host1 sshd(pam_unix)[27034]: session closed for user user01
Oct 31 14:01:34 host1 10月 31 14:01:34 su(pam_unix)[1219]: session closed for user root
Oct 31 14:02:22 host1 sshd(pam_unix)[27047]: session opened for user user01 by (uid=502)
Oct 31 14:02:23 host1 sshd(pam_unix)[27047]: session closed for user user01
Oct 31 14:03:00 host1 su(pam_unix)[27057]: session opened for user root by (uid=0)
Oct 31 14:03:01 host1 su(pam_unix)[27057]: session closed for user root
Oct 31 14:03:19 host1 sshd(pam_unix)[27123]: session opened for user user01 by (uid=502)
Oct 31 14:03:20 host1 sshd(pam_unix)[27123]: session closed for user user01
Oct 31 14:04:00 host1 sshd(pam_unix)[27133]: session opened for user user01 by (uid=502)
Oct 31 14:08:01 host1 kernel: device ppp0 left promiscuous mode
Oct 31 14:08:01 host1 snort: pcap_loop: recvfrom: Network is down
Oct 31 14:08:01 host1 snort:
===============================================================================
Oct 31 14:08:01 host1 snort: Snort analyzed 5010911 out of 5011068 packets,
Oct 31 14:08:01 host1 snort: dropping 157(0.003%) packets
Oct 31 14:08:01 host1 snort: Breakdown by protocol: Action Stats:
Oct 31 14:08:01 host1 snort: TCP: 4890517 (97.594%) ALERTS: 2598
Oct 31 14:08:01 host1 snort: UDP: 112840 (2.252%) LOGGED: 2599
Oct 31 14:08:01 host1 snort: ICMP: 7396 (0.148%) PASSED: 0
Oct 31 14:08:01 host1 snort: ARP: 0 (0.000%)
Oct 31 14:08:01 host1 snort: EAPOL: 0 (0.000%)
Oct 31 14:08:01 host1 snort: IPv6: 0 (0.000%)
Oct 31 14:08:01 host1 snort: IPX: 0 (0.000%)
Oct 31 14:08:01 host1 snort: OTHER: 0 (0.000%)
Oct 31 14:08:01 host1 snort: DISCARD: 0 (0.000%)
Oct 31 14:08:01 host1 kernel: device ppp0 entered promiscuous mode
Oct 31 14:08:01 host1 snort:
===============================================================================
Oct 31 14:08:01 host1 snort: Wireless Stats:
Oct 31 14:08:02 host1 /etc/hotplug/net.agent: NET unregister event not supported
Oct 31 14:08:02 host1 snort: Breakdown by type:
Oct 31 14:08:02 host1 snort: Management Packets: 0 (0.000%)
Oct 31 14:08:02 host1 snort: Control Packets: 0 (0.000%)
Oct 31 14:08:02 host1 snort: Data Packets: 0 (0.000%)
Oct 31 14:08:02 host1 snort:
===============================================================================
Oct 31 14:08:02 host1 snort: Fragmentation Stats:
Oct 31 14:08:02 host1 snort: Fragmented IP Packets: 2 (0.000%)
Oct 31 14:08:02 host1 snort: Fragment Trackers: 1
Oct 31 14:08:02 host1 snort: Rebuilt IP Packets: 1
Oct 31 14:08:02 host1 snort: Frag elements used: 2
Oct 31 14:08:02 host1 snort: Discarded(incomplete): 0
Oct 31 14:08:02 host1 adsl-connect: ADSL connection lost; attempting re-connection.
Oct 31 14:08:02 host1 snort: Discarded(timeout): 0
Oct 31 14:08:02 host1 snort: Frag2 memory faults: 0
Oct 31 14:08:02 host1 snort:
===============================================================================
Oct 31 14:08:02 host1 snort: TCP Stream Reassembly Stats:
Oct 31 14:08:02 host1 snort: TCP Packets Used: 4890466 (97.593%)
Oct 31 14:08:02 host1 snort: Stream Trackers: 15961
Oct 31 14:08:02 host1 snort: Stream flushes: 37772
Oct 31 14:08:02 host1 snort: Segments used: 102933
Oct 31 14:08:02 host1 snort: Stream4 Memory Faults: 0
Oct 31 14:08:02 host1 snort:
===============================================================================
Oct 31 14:08:02 host1 snort: Snort received signal 3, exiting
Oct 31 14:08:07 host1 pppd[27255]: pppd 2.4.1 started by root, uid 0
Oct 31 14:08:07 host1 pppd[27255]: Using interface ppp0
Oct 31 14:08:07 host1 pppd[27255]: Connect: ppp0 <--> /dev/pts/0
Oct 31 14:08:07 host1 /etc/hotplug/net.agent: assuming ppp0 is already up
Oct 31 14:08:07 host1 pppoe[27256]: PPP session is 979
Oct 31 14:08:08 host1 pppd[27255]: local IP address bbb.bbb.bbb.bbb
Oct 31 14:08:08 host1 pppd[27255]: remote IP address ccc.ccc.ccc.ccc
Oct 31 14:08:08 host1 pppd[27255]: primary DNS address zzz.zzz.zzz.zzz
Oct 31 14:08:08 host1 pppd[27255]: secondary DNS address ddd.ddd.ddd.ddd
Oct 31 14:08:11 host1 ntpd[4594]: sendto(yyy.yyy.yyy.yyy): Operation not permitted
Oct 31 14:08:27 host1 ntpd[4594]: sendto(133.100.9.2): Operation not permitted
Oct 31 14:08:52 host1 ntpd[4594]: sendto(133.100.11.8): Operation not permitted
Oct 31 14:09:31 host1 ddclient[2549]: WARNING: cannot connect to members.dyndns.org:80 socket: IO::Socket::INET: Bad hostname 'members.dyndns.org'
Oct 31 14:09:31 host1 ddclient[2549]: FAILED: updating host1.mine.nu: Could not connect to members.dyndns.org.
Oct 31 14:11:02 host1 ntpd[4594]: sendto(210.173.160.87): Operation not permitted


$ grep -v ^# /etc/snort/snort.conf | more
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules