Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 0.000000] Linux version 3.10.20 (daniel@Ayoub) (gcc version 4.7.0 (Cavium Inc. Version: SDK_3_1_0_p2 build 34) ) #165 SMP Mon May 18 23:41:17 PDT 2015
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 0.000000] CVMSEG size: 2 cache lines (256 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Cavium Inc. SDK-3.1
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] bootconsole [early0] enabled
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CPU revision is: 000d9602 (Cavium Octeon III)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] FPU revision is: 00739600
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Checking for the multiply/shift bug... no.
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Checking for the daddiu bug... no.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Determined physical RAM map:
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] memory: 000000000c800000 @ 0000000002500000 (usable)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] memory: 0000000000c00000 @ 000000000f200000 (usable)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] memory: 000000002f000000 @ 0000000020000000 (usable)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] memory: 0000000000830000 @ 0000000000100000 (usable)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] memory: 0000000001a00000 @ 0000000000930000 (usable after init)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Wasting 896 bytes for tracking 16 unused pages
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Initrd not found or empty - disabling initrd
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Using passed Device Tree <8000000000080000>.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] software IO TLB [mem 0x02670000-0x026b0000] (0MB) mapped at [8000000002670000-80000000026affff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Zone ranges:
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] DMA32 [mem 0x00100000-0xefffffff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Normal empty
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Movable zone start for each node
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Early memory node ranges
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] node 0: [mem 0x00100000-0x0232ffff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] node 0: [mem 0x02500000-0x0ecfffff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] node 0: [mem 0x0f200000-0x0fdfffff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] node 0: [mem 0x20000000-0x4effffff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] On node 0 totalpages: 15971
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] DMA32 zone: 14 pages used for memmap
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] DMA32 zone: 0 pages reserved
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] DMA32 zone: 15971 pages, LIFO batch:1
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Cavium Hotplug: Available coremask 0x0
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 0.000000] Primary instruction cache 78kB, virtually tagged, 39 way, 16 sets, linesize 128 bytes.
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 0.000000] Primary data cache 32kB, 32-way, 8 sets, linesize 128 bytes.
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 0.000000] Secondary unified cache 512kB, 4-way, 1024 sets, linesize 128 bytes.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] PERCPU: Embedded 1 pages/cpu @8000000002710000 s12544 r8192 d44800 u65536
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] pcpu-alloc: s12544 r8192 d44800 u65536 alloc=1*65536
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] pcpu-alloc: [0] 0 [0] 1
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 15957
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 0.000000] Kernel command line: bootoctlinux 0x20000000 numcores=2 serial#=752011191521-36287 console=ttyS0,115200
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] PID hash table entries: 4096 (order: -1, 32768 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Dentry cache hash table entries: 131072 (order: 4, 1048576 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Inode-cache hash table entries: 65536 (order: 3, 524288 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Memory: 983296k/1022144k available (5825k kernel code, 38848k reserved, 2536k data, 26624k init, 0k highmem)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] Hierarchical RCU implementation.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] RCU restricting CPUs from NR_CPUS=32 to nr_cpu_ids=2.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] NR_IRQS:512
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000e000 23 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000e200 12 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000e400 6 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000ec00 15 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000e600 4 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000e800 11 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 0.000000] CIB interrupt controller probed: 800107000000e900 11 bits
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.523146] Calibrating delay loop (skipped) preset value.. 2000.00 BogoMIPS (lpj=10000000)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.531359] pid_max: default: 32768 minimum: 501
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.536075] Security Framework initialized
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.540092] Mount-cache hash table entries: 4096
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 22.546345] Checking for the daddi bug... no.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.547133] SMP: Booting CPU01 (CoreId 1)...
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.551335] CPU revision is: 000d9602 (Cavium Octeon III)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.551338] FPU revision is: 00739600
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.551520] Cpu 1 online
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.562935] Brought up 2 CPUs
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.565880] Cavium Hotplug: Available coremask 0x0
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 22.572871] NET: Registered protocol family 16
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 22.578284] Installing handlers for error tree at: ffffffff808be430
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 22.595802] PCIe: Initializing port 0
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 24.658338] PCIe: Link timeout on port 0, probably the slot is empty
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 24.658343] PCIe: Initializing port 1
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 24.661839] PCIe: Port 1 not in PCIe mode, skipping
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 24.661844] PCIe: Initializing port 2
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 24.665486] PCIe: Port 2 not in PCIe mode, skipping
Wed Jun 22 09:16:04 2016 kern.warn kernel: [ 24.671854] [sched_delayed] sched: RT throttling activated
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.685172] bio: create slab at 0
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.689593] vgaarb: loaded
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 24.692523] SCSI subsystem initialized
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 24.696372] libata version 3.00 loaded.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.696788] usbcore: registered new interface driver usbfs
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.702221] usbcore: registered new interface driver hub
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.707517] usbcore: registered new device driver usb
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.712669] pps_core: LinuxPPS API ver. 1 registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.717466] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.726691] PTP clock support registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.730567] EDAC MC: Ver: 3.0.0
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.734247] PCI host bridge to bus 0000:00
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.738203] pci_bus 0000:00: root bus resource [mem 0x1000000000000]
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.744526] pci_bus 0000:00: root bus resource [io 0x0000]
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.750094] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 24.758021] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.758967] Switching to clocksource OCTEON_CVMCOUNT
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.765239] NET: Registered protocol family 2
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.769882] TCP established hash table entries: 8192 (order: 1, 131072 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.776999] TCP bind hash table entries: 8192 (order: 1, 131072 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.783488] TCP: Hash tables configured (established 8192 bind 8192)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.789757] TCP: reno registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.792938] UDP hash table entries: 2048 (order: 0, 65536 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.799025] UDP-Lite hash table entries: 2048 (order: 0, 65536 bytes)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 24.805682] NET: Registered protocol family 1
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 24.809887] PCI: CLS 0 bytes, default 128
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 26.399466] octeon_pci_console: Console not created.
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 26.404325] /proc/octeon_perf: Octeon performance counter interface loaded
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.413076] HugeTLB registered 512 MB page size, pre-allocated 0 pages
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.420795] sys_fw_version: 0.1.17
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.420809] sys_revision: 21
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.421165] squashfs: version 4.0 (2009/01/31) Phillip Lougher
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.427101] NTFS driver 2.1.30 [Flags: R/W].
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.431230] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.437364] msgmni has been set to 1920
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 26.442105] Key type asymmetric registered
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 26.446090] Asymmetric key parser 'x509' registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.450916] io scheduler noop registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.454830] io scheduler deadline registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.459092] io scheduler cfq registered (default)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.464016] octeon_gpio 1070000000800.gpio-controller: OCTEON GPIO
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.511642] Serial: 8250/16550 driver, 6 ports, IRQ sharing disabled
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.519325] 1180000000800.serial: ttyS0 at MMIO 0x1180000000800 (irq = 34) is a OCTEON
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.527113] console [ttyS0] enabled, bootconsole disabled
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.550489] 1180000000c00.serial: ttyS1 at MMIO 0x1180000000c00 (irq = 35) is a OCTEON
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.571355] brd: module loaded
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.589510] loop: module loaded
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 26.606085] slram: not enough parameters.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.629470] IMQ driver loaded successfully. (numdevs = 16, numqueues = 1)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.648407] Hooking IMQ after NAT on PREROUTING.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.665234] Hooking IMQ before NAT on POSTROUTING.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.684141] libphy: mdio-octeon: probed
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.701360] mdio-octeon 1180000001800.mdio: Version 1.0
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.718836] spi_ks8995: Micrel KS8995 Ethernet switch SPI driver version 0.1.1
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.738746] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.756714] e1000e: Copyright(c) 1999 - 2013 Intel Corporation.
Wed Jun 22 09:16:04 2016 kern.err kernel: [ 26.775030] octeon-pow-ethernet ERROR: You must specify a broadcast group mask.
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 26.794513] octeon-ethernet 2.0
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.811371] Interface 0 has 4 ports (QSGMII)
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.811449] Interface 1 has 4 ports (QSGMII)
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.811456] Interface 2 has 4 ports (NPI)
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.811470] Interface 3 has 4 ports (LOOP)
Wed Jun 22 09:16:04 2016 kern.debug kernel: [ 26.811487] Interface 4 has 1 ports (AGL)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.819494] usbcore: registered new interface driver cdc_ether
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.837574] usbcore: registered new interface driver plusb
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.855308] usbcore: registered new interface driver sierra_net
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.874037] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.892854] ehci-pci: EHCI PCI platform driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.909536] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.928467] usbcore: registered new interface driver usb-storage
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.946817] usbcore: registered new interface driver usbserial
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.964878] usbcore: registered new interface driver usbserial_generic
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 26.983622] usbserial: USB Serial support registered for generic
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.001859] usbcore: registered new interface driver sierra
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.019644] usbserial: USB Serial support registered for Sierra USB modem
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.038838] i2c /dev entries driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.054873] i2c-octeon 1180000001000.i2c: version 2.5
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.072853] octeon_wdt: Initial granularity 5 Sec
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.089955] EDAC DEVICE0: Giving out device to module 'octeon-cpu' controller 'cache': DEV 'octeon_pc_edac' (INTERRUPT)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.113048] EDAC DEVICE1: Giving out device to module 'octeon-l2c' controller 'octeon_l2c_err': DEV 'octeon_l2c_edac' (POLLED)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 27.136703] octeon_lmc_edac octeon_lmc_edac.0: Disabled (ECC not enabled)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 28.914004] Netfilter messages via NETLINK v0.30.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 28.930847] nfnl_acct: registering with nfnetlink.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 28.947806] nf_conntrack version 0.5.0 (7682 buckets, 30728 max)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 28.966226] ctnetlink v0.93: registering with nfnetlink.
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 28.984032] xt_time: kernel timezone is -0000
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 29.000522] ip_set: protocol 6
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.015818] ipip: IPv4 over IPv4 tunneling driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.033128] gre: GRE over IPv4 demultiplexor driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.050141] ip_gre: GRE over IPv4 tunneling driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.068253] ip_tables: (C) 2000-2006 Netfilter Core Team
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.085902] ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.104432] arp_tables: (C) 2002 David S. Miller
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.121230] TCP: cubic registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.136672] Initializing XFRM netlink socket
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.153122] NET: Registered protocol family 10
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.172920] mip6: Mobile IPv6
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.188064] ip6_tables: (C) 2000-2006 Netfilter Core Team
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.205890] sit: IPv6 over IPv4 tunneling driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.223879] ip6_gre: GRE over IPv6 tunneling driver
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.241486] NET: Registered protocol family 17
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.258102] NET: Registered protocol family 15
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 29.274771] Bridge firewalling registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.290922] Ebtables v2.0 registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.333822] 8021q: 802.1Q VLAN Support v1.8
Wed Jun 22 09:16:04 2016 kern.notice kernel: [ 29.350187] Key type dns_resolver registered
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.366719] L2 lock: TLB refill 256 bytes
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.382854] L2 lock: General exception 128 bytes
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.399592] L2 lock: low-level interrupt 128 bytes
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.416503] L2 lock: interrupt 640 bytes
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.432552] L2 lock: memcpy 1152 bytes
Wed Jun 22 09:16:04 2016 kern.err kernel: [ 29.450383] drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 29.475108] Freeing unused kernel memory: 26624K (ffffffff80930000 - ffffffff82330000)
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.797455] mmc1: BKOPS_EN bit is not set
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.818153] mmc1: new high speed DDR MMC card at address 0001
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.836605] mmcblk0: mmc1:0001 P1XXXX 3.60 GiB
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.853586] mmcblk0boot0: mmc1:0001 P1XXXX partition 1 2.00 MiB
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.871953] mmcblk0boot1: mmc1:0001 P1XXXX partition 2 2.00 MiB
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.890321] mmcblk0rpmb: mmc1:0001 P1XXXX partition 3 128 KiB
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.912216] mmcblk0: p1 p2 p3 p4
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.933055] mmcblk0boot1: unknown partition table
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 46.954562] mmcblk0boot0: unknown partition table
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 47.813980] kjournald starting. Commit interval 5 seconds
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 47.814825] EXT3-fs (mmcblk0p4): using internal journal
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 47.815545] EXT3-fs (mmcblk0p4): recovery complete
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 47.815549] EXT3-fs (mmcblk0p4): mounted filesystem with writeback data mode
Wed Jun 22 09:16:04 2016 user.err kernel: [ 48.106410] init: failed to symlink /tmp -> /var
Wed Jun 22 09:16:04 2016 user.info kernel: [ 48.123474] init: Console is alive
Wed Jun 22 09:16:04 2016 user.info kernel: [ 48.139349] init: - watchdog -
Wed Jun 22 09:16:04 2016 user.info kernel: [ 49.155504] init: - preinit -
Wed Jun 22 09:16:04 2016 user.notice kernel: [ 52.355725] mount_root: mounting /dev/root
Wed Jun 22 09:16:04 2016 user.info kernel: [ 52.372680] mount_root: loading kmods from internal overlay
Wed Jun 22 09:16:04 2016 user.info kernel: [ 52.502521] block: attempting to load /etc/config/fstab
Wed Jun 22 09:16:04 2016 user.info kernel: [ 52.522150] block: extroot: not configured
Wed Jun 22 09:16:04 2016 user.info kernel: [ 52.543135] procd: - early -
Wed Jun 22 09:16:04 2016 user.info kernel: [ 52.558476] procd: - watchdog -
Wed Jun 22 09:16:04 2016 user.info kernel: [ 53.278469] procd: - ubus -
Wed Jun 22 09:16:04 2016 user.info kernel: [ 54.294696] procd: - init -
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.103459] NET: Registered protocol family 38
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.126907] tun: Universal TUN/TAP device driver, 1.6
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.144254] tun: (C) 1999-2004 Max Krasnyansky
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.172327] u32 classifier
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.187192] input device check on
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.202980] Actions configured
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.219646] Mirror/redirect action on
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.244261] PPP generic driver version 2.4.2
Wed Jun 22 09:16:04 2016 kern.info kernel: [ 56.261748] NET: Registered protocol family 24
Wed Jun 22 09:16:05 2016 user.emerg procd: this file has been obseleted. please call "/sbin/block mount" directly
Wed Jun 22 09:16:05 2016 daemon.warn netifd: You have delegated IPv6-prefixes but haven't assigned them to any interface. Did you forget to set option ip6assign on your lan-interfaces?
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'lan' is enabled
Wed Jun 22 09:16:05 2016 kern.debug kernel: [ 58.271555] SGMII0: Port 1 link timeout
Wed Jun 22 09:16:05 2016 kern.notice kernel: [ 58.271843] eth1: 1000 Mbps Full duplex, port 1
Wed Jun 22 09:16:05 2016 kern.info kernel: [ 58.271917] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
Wed Jun 22 09:16:05 2016 kern.info kernel: [ 58.272643] device eth1 entered promiscuous mode
Wed Jun 22 09:16:05 2016 kern.info kernel: [ 58.273651] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'lan' is setting up now
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'lan' is now up
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'blockdomain' is enabled
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'blockdomain' is setting up now
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'blockdomain' is now up
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'loopback' is enabled
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'loopback' is setting up now
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'loopback' is now up
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'wan' is enabled
Wed Jun 22 09:16:05 2016 kern.notice kernel: [ 58.304742] eth0: 1000 Mbps Full duplex, port 0
Wed Jun 22 09:16:05 2016 kern.info kernel: [ 58.304865] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'wan6' is enabled
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Network device 'lo' link is up
Wed Jun 22 09:16:05 2016 daemon.notice netifd: Interface 'loopback' has link connectivity
Wed Jun 22 09:16:05 2016 daemon.err block: /dev/mmcblk0p4 is already mounted
Wed Jun 22 09:16:05 2016 kern.notice kernel: [ 58.326393] eth2: 1000 Mbps Full duplex, port 2
Wed Jun 22 09:16:05 2016 kern.info kernel: [ 58.326535] IPv6: ADDRCONF(NETDEV_UP): eth2: link is not ready
Wed Jun 22 09:16:05 2016 cron.info crond[3193]: crond (busybox 1.23.2) started, log level 5
Wed Jun 22 09:16:05 2016 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
Wed Jun 22 09:16:05 2016 authpriv.info dropbear[3223]: Not backgrounding
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.043597] device eth0 entered promiscuous mode
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.046861] device eth2 entered promiscuous mode
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Network device 'eth1' link is up
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Bridge 'br-lan' link is up
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'lan' has link connectivity
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'blockdomain' has link connectivity
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.244024] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.244087] br-lan: port 1(eth1) entered forwarding state
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.244111] br-lan: port 1(eth1) entered forwarding state
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.244162] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Network device 'eth0' link is up
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'wan' has link connectivity
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'wan' is setting up now
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.284011] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'wan' is now up
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Network device 'eth2' link is up
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'wan6' has link connectivity
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'wan6' is setting up now
Wed Jun 22 09:16:06 2016 daemon.notice netifd: Interface 'wan6' is now up
Wed Jun 22 09:16:06 2016 kern.info kernel: [ 59.304121] IPv6: ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
Wed Jun 22 09:16:06 2016 daemon.crit dnsmasq[3369]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:06 2016 daemon.crit dnsmasq[3369]: FAILED to start up
Wed Jun 22 09:16:07 2016 daemon.crit dnsmasq[3492]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:07 2016 daemon.crit dnsmasq[3492]: FAILED to start up
Wed Jun 22 09:16:08 2016 kern.info kernel: [ 61.243816] br-lan: port 1(eth1) entered forwarding state
Wed Jun 22 09:16:08 2016 daemon.crit dnsmasq[3613]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:08 2016 daemon.crit dnsmasq[3613]: FAILED to start up
Wed Jun 22 09:16:08 2016 user.notice firewall: Reloading firewall due to ifup of wan (eth0)
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Enabling inline operation
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Running in IDS mode
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: --== Initializing Snort ==--
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Initializing Output Plugins!
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Initializing Preprocessors!
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Initializing Plug-ins!
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Parsing Rules file "/etc/snort/snort_bridge.conf"
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'HTTP_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'SHELLCODE_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 1:65535 ]
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'ORACLE_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 1024:65535 ]
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'SSH_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 22 ]
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'FTP_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 21 2100 3535 ]
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'SIP_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 5060:5061 5600 ]
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'FILE_DATA_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 3330
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: PortVar 'GTP_PORTS' defined :
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: [ 2123 2152 3386 ]
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Detection:
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Search-Method = AC-Full
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Split Any/Any group = enabled
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Search-Method-Optimizations = enabled
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Maximum pattern length = 20
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Tagged Packet Limit: 256
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: done Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/ Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Log directory = /tmp/snort/ Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalizer config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip4: on Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip4::df: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip4::rf: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip4::tos: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip4::trim: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip4::ttl: on (min=1, new=5) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalizer config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp: on Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::ecn: stream Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::block: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::rsv: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::pad: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::req_urg: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::req_pay: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::req_urp: off Wed Jun 22 
09:16:09 2016 daemon.notice snort[3688]: tcp::urp: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::opt: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::ips: on Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::trim_syn: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::trim_rst: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::trim_win: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: tcp::trim_mss: off Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalizer config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: icmp4: on Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalizer config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip6: on Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: ip6::hops: on (min=1, new=5) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalizer config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: icmp6: on Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Frag3 global config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max frags: 65536 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Fragment memory cap: 4194304 bytes Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Frag3 engine config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Bound Address: default Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Target-based policy: WINDOWS Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Fragment timeout: 180 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Fragment min_ttl: 1 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Fragment Anomalies: Alert Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Overlap Limit: 10 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Min fragment Length: 100 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Expected Streams: 39 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Stream global config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Track TCP 
sessions: ACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max TCP sessions: 10000 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: TCP cache pruning timeout: 30 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: TCP cache nominal timeout: 3600 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Memcap (for reassembly packet storage): 8388608 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Track UDP sessions: ACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max UDP sessions: 10000 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: UDP cache pruning timeout: 30 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: UDP cache nominal timeout: 180 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Track ICMP sessions: ACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max ICMP sessions: 65536 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Track IP sessions: INACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Log info if session memory consumption exceeds 1156952 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Send up to 2 active responses Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Wait at least 5 seconds between responses Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Protocol Aware Flushing: ACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Maximum Flush Point: 16000 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Stream TCP Policy config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Bound Address: default Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Reassembly Policy: WINDOWS Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Timeout: 180 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Limit on TCP Overlaps: 10 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Maximum number of bytes to queue per session: 1090276 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Maximum number of segs to queue per session: 2621 Wed Jun 22 
09:16:09 2016 daemon.notice snort[3688]: Options: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Require 3-Way Handshake: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 3-Way Handshake Timeout: 180 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Detect Anomalies: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Reassembly Ports: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 21 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 22 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 23 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 25 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 36 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 42 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 53 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 70 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 79 client (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 80 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 81 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 82 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 83 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 84 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 85 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 86 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 87 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 88 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 
22 09:16:09 2016 daemon.notice snort[3688]: 89 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 90 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: additional ports configured but not printed. Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Stream UDP Policy config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Timeout: 180 seconds Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: HttpInspect Config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: GLOBAL CONFIG Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Detect Proxy Usage: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: IIS Unicode Map Filename: /etc/snort/unicode.map Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: IIS Unicode Map Codepage: 1252 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Memcap used for logging URI and Hostname: 150994944 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Gzip Memory: 838860 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Gzip Sessions: 1807 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Gzip Compress Depth: 65535 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Gzip Decompress Depth: 65535 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: DEFAULT SERVER CONFIG: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Server profile: All Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Server Flow Depth: 0 Wed Jun 22 09:16:09 
2016 daemon.notice snort[3688]: Client Flow Depth: 0 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Chunk Length: 500000 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Header Field Length: 750 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Number Header Fields: 100 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Number of WhiteSpaces allowed with header folding: 200 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Inspect Pipeline Requests: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: URI Discovery Strict Mode: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Allow Proxy Usage: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Disable Alerting: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Oversize Dir Length: 500 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Only inspect URI: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalize HTTP Headers: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Inspect HTTP Cookies: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Inspect HTTP Responses: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Extract Gzip from responses: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Decompress response files: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Unlimited decompression of gzip data from responses: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalize Javascripts in HTTP Responses: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalize HTTP Cookies: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Enable XFF and True Client IP: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Log HTTP URI data: NO Wed Jun 22 09:16:09 2016 
daemon.notice snort[3688]: Log HTTP Hostname data: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Extended ASCII code support in URI: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ascii: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Double Decoding: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: %U Encoding: YES alert: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Bare Byte: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: UTF 8: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: IIS Unicode: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Multiple Slash: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: IIS Backslash: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Directory Traversal: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Web Root Traversal: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Apache WhiteSpace: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: IIS Delimiter: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: rpc_decode arguments: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: alert_fragments: INACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: alert_large_fragments: INACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: alert_incomplete: INACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: alert_multiple_requests: INACTIVE Wed Jun 22 09:16:09 2016 
daemon.notice snort[3688]: FTPTelnet Config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: GLOBAL CONFIG Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Inspection Type: stateful Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Check for Encrypted Traffic: YES alert: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Continue to check encrypted data: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: TELNET CONFIG: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports: 23 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Are You There Threshold: 20 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Normalize: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Detect Anomalies: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: FTP CONFIG: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: FTP Server: default Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports (PAF): 21 2100 3535 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Check for Telnet Cmds: YES alert: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ignore Telnet Cmd Operations: YES alert: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ignore open data channels: NO Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: FTP Client: default Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Check for Bounce Attacks: YES alert: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Check for Telnet Cmds: YES alert: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ignore Telnet Cmd Operations: YES alert: YES Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Response Length: 256 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: SSH config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Autodetection: ENABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Challenge-Response Overflow Alert: ENABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: SSH1 CRC32 Alert: ENABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 
Server Version String Overflow Alert: ENABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Protocol Mismatch Alert: ENABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Bad Message Direction Alert: DISABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Bad Payload Size Alert: DISABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Unrecognized Version Alert: DISABLED Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Encrypted Packets: 20 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Max Server Version String Length: 100 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: MaxClientBytes: 19600 (Default) Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 22 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: DNS config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: DNS Client rdata txt Overflow Alert: ACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Obsolete DNS RR Types Alert: INACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Experimental DNS RR Types Alert: INACTIVE Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 53 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: SSLPP config: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Encrypted packets: not inspected Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Ports: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 443 465 563 636 989 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 992 993 994 995 7801 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 7802 7900 7901 7902 7903 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 7904 7905 7906 7907 7908 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 7909 7910 7911 7912 7913 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: 7914 7915 7916 7917 7918 Wed Jun 22 
09:16:09 2016 daemon.notice snort[3688]: 7919 7920 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Server side data is trusted Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Maximum SSL Heartbeat length: 0 Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: +++++++++++++++++++++++++++++++++++++++++++++++++++ Wed Jun 22 09:16:09 2016 daemon.notice snort[3688]: Initializing rule chains... Wed Jun 22 09:16:10 2016 daemon.notice snort[3688]: WARNING: /etc/snort/rules/snort.rules(982) threshold (in rule) is deprecated; use detection_filter instead. Wed Jun 22 09:16:10 2016 daemon.crit dnsmasq[3757]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf Wed Jun 22 09:16:10 2016 daemon.crit dnsmasq[3757]: FAILED to start up Wed Jun 22 09:16:10 2016 user.notice firewall: Reloading firewall due to ifup of wan6 (eth2) Wed Jun 22 09:16:11 2016 daemon.crit dnsmasq[3886]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf Wed Jun 22 09:16:11 2016 daemon.crit dnsmasq[3886]: FAILED to start up Wed Jun 22 09:16:12 2016 daemon.err snort[3688]: FATAL ERROR: /etc/snort/rules/snort.rules(3601) Unknown rule type: sid:drop. 
Wed Jun 22 09:16:14 2016 user.emerg procd: Cannot change large-receive-offload Wed Jun 22 09:16:15 2016 kern.notice kernel: [ 68.303623] eth0: Link down Wed Jun 22 09:16:16 2016 daemon.notice netifd: Network device 'eth0' link is down Wed Jun 22 09:16:16 2016 daemon.notice netifd: Interface 'wan' has link connectivity loss Wed Jun 22 09:16:16 2016 daemon.notice netifd: Interface 'wan' is now down Wed Jun 22 09:16:16 2016 daemon.notice netifd: Interface 'wan' is disabled Wed Jun 22 09:16:16 2016 daemon.notice netifd: Interface 'wan' is enabled Wed Jun 22 09:16:16 2016 kern.info kernel: [ 69.308376] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready Wed Jun 22 09:16:16 2016 daemon.crit dnsmasq[3963]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf Wed Jun 22 09:16:16 2016 daemon.crit dnsmasq[3963]: FAILED to start up Wed Jun 22 09:16:16 2016 daemon.info procd: Instance dnsmasq::instance1 s in a crash loop 6 crashes, 0 seconds since last crash Wed Jun 22 09:16:17 2016 daemon.emerg procd: Cannot change large-receive-offload Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Enabling inline operation Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Found pid path directive (/var/snort/) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Running in IDS mode Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: --== Initializing Snort ==-- Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Initializing Output Plugins! Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Initializing Preprocessors! Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Initializing Plug-ins! 
Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Parsing Rules file "/etc/snort/snort_bridge.conf" Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'HTTP_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'SHELLCODE_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 1:65535 ] Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'ORACLE_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 1024:65535 ] Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'SSH_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 22 ] Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'FTP_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 21 2100 3535 ] Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'SIP_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 5060:5061 5600 ] Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'FILE_DATA_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 
2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 3330Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: PortVar 'GTP_PORTS' defined : Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: [ 2123 2152 3386 ] Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Detection: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Search-Method = AC-Full Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Split Any/Any group = enabled Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Search-Method-Optimizations = enabled Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Maximum pattern length = 20 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Found pid path directive (/var/snort/) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Tagged Packet Limit: 256 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... 
Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... 
Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: done Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/ Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Log directory = /tmp/snort/ Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalizer config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip4: on Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip4::df: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip4::rf: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip4::tos: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip4::trim: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip4::ttl: on (min=1, new=5) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalizer config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp: on Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::ecn: stream Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::block: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::rsv: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::pad: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::req_urg: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::req_pay: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::req_urp: off Wed Jun 22 
09:16:17 2016 daemon.notice snort[3969]: tcp::urp: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::opt: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::ips: on Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::trim_syn: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::trim_rst: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::trim_win: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: tcp::trim_mss: off Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalizer config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: icmp4: on Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalizer config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip6: on Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: ip6::hops: on (min=1, new=5) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalizer config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: icmp6: on Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Frag3 global config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max frags: 65536 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Fragment memory cap: 4194304 bytes Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Frag3 engine config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Bound Address: default Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Target-based policy: WINDOWS Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Fragment timeout: 180 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Fragment min_ttl: 1 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Fragment Anomalies: Alert Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Overlap Limit: 10 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Min fragment Length: 100 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Expected Streams: 39 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Stream global config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Track TCP 
sessions: ACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max TCP sessions: 10000 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: TCP cache pruning timeout: 30 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: TCP cache nominal timeout: 3600 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Memcap (for reassembly packet storage): 8388608 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Track UDP sessions: ACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max UDP sessions: 10000 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: UDP cache pruning timeout: 30 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: UDP cache nominal timeout: 180 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Track ICMP sessions: ACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max ICMP sessions: 65536 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Track IP sessions: INACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Log info if session memory consumption exceeds 1156952 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Send up to 2 active responses Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wait at least 5 seconds between responses Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Protocol Aware Flushing: ACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Maximum Flush Point: 16000 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Stream TCP Policy config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Bound Address: default Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Reassembly Policy: WINDOWS Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Timeout: 180 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Limit on TCP Overlaps: 10 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Maximum number of bytes to queue per session: 1090276 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Maximum number of segs to queue per session: 2621 Wed Jun 22 
09:16:17 2016 daemon.notice snort[3969]: Options: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Require 3-Way Handshake: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 3-Way Handshake Timeout: 180 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Detect Anomalies: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Reassembly Ports: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 21 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 22 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 23 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 25 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 36 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 42 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 53 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 70 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 79 client (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 80 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 81 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 82 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 83 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 84 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 85 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 86 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 87 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 88 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 
22 09:16:17 2016 daemon.notice snort[3969]: 89 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 90 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: additional ports configured but not printed. Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Stream UDP Policy config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Timeout: 180 seconds Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: HttpInspect Config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: GLOBAL CONFIG Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Detect Proxy Usage: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: IIS Unicode Map Filename: /etc/snort/unicode.map Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: IIS Unicode Map Codepage: 1252 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Memcap used for logging URI and Hostname: 150994944 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Gzip Memory: 838860 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Gzip Sessions: 1807 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Gzip Compress Depth: 65535 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Gzip Decompress Depth: 65535 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: DEFAULT SERVER CONFIG: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Server profile: All Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Server Flow Depth: 0 Wed Jun 22 09:16:17 
2016 daemon.notice snort[3969]: Client Flow Depth: 0 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Chunk Length: 500000 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Header Field Length: 750 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Number Header Fields: 100 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Number of WhiteSpaces allowed with header folding: 200 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Inspect Pipeline Requests: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: URI Discovery Strict Mode: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Allow Proxy Usage: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Disable Alerting: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Oversize Dir Length: 500 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Only inspect URI: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalize HTTP Headers: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Inspect HTTP Cookies: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Inspect HTTP Responses: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Extract Gzip from responses: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Decompress response files: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Unlimited decompression of gzip data from responses: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalize Javascripts in HTTP Responses: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalize HTTP Cookies: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Enable XFF and True Client IP: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Log HTTP URI data: NO Wed Jun 22 09:16:17 2016 
daemon.notice snort[3969]: Log HTTP Hostname data: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Extended ASCII code support in URI: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ascii: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Double Decoding: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: %U Encoding: YES alert: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Bare Byte: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: UTF 8: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: IIS Unicode: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Multiple Slash: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: IIS Backslash: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Directory Traversal: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Web Root Traversal: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Apache WhiteSpace: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: IIS Delimiter: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: rpc_decode arguments: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: alert_fragments: INACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: alert_large_fragments: INACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: alert_incomplete: INACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: alert_multiple_requests: INACTIVE Wed Jun 22 09:16:17 2016 
daemon.notice snort[3969]: FTPTelnet Config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: GLOBAL CONFIG Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Inspection Type: stateful Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Check for Encrypted Traffic: YES alert: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Continue to check encrypted data: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: TELNET CONFIG: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports: 23 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Are You There Threshold: 20 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Normalize: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Detect Anomalies: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: FTP CONFIG: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: FTP Server: default Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports (PAF): 21 2100 3535 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Check for Telnet Cmds: YES alert: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ignore Telnet Cmd Operations: YES alert: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ignore open data channels: NO Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: FTP Client: default Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Check for Bounce Attacks: YES alert: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Check for Telnet Cmds: YES alert: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ignore Telnet Cmd Operations: YES alert: YES Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Response Length: 256 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: SSH config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Autodetection: ENABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Challenge-Response Overflow Alert: ENABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: SSH1 CRC32 Alert: ENABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 
Server Version String Overflow Alert: ENABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Protocol Mismatch Alert: ENABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Bad Message Direction Alert: DISABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Bad Payload Size Alert: DISABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Unrecognized Version Alert: DISABLED Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Encrypted Packets: 20 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Max Server Version String Length: 100 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: MaxClientBytes: 19600 (Default) Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 22 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: DNS config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: DNS Client rdata txt Overflow Alert: ACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Obsolete DNS RR Types Alert: INACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Experimental DNS RR Types Alert: INACTIVE Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 53 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: SSLPP config: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Encrypted packets: not inspected Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Ports: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 443 465 563 636 989 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 992 993 994 995 7801 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 7802 7900 7901 7902 7903 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 7904 7905 7906 7907 7908 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 7909 7910 7911 7912 7913 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: 7914 7915 7916 7917 7918 Wed Jun 22 
09:16:17 2016 daemon.notice snort[3969]: 7919 7920 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Server side data is trusted Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Maximum SSL Heartbeat length: 0 Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: +++++++++++++++++++++++++++++++++++++++++++++++++++ Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: Initializing rule chains... Wed Jun 22 09:16:17 2016 daemon.notice snort[3969]: WARNING: /etc/snort/rules/snort.rules(982) threshold (in rule) is deprecated; use detection_filter instead. Wed Jun 22 09:16:18 2016 kern.notice kernel: [ 71.263594] eth1: Link down Wed Jun 22 09:16:19 2016 daemon.notice netifd: Network device 'eth1' link is down Wed Jun 22 09:16:19 2016 kern.info kernel: [ 72.254024] br-lan: port 1(eth1) entered disabled state Wed Jun 22 09:16:19 2016 daemon.err snort[3969]: FATAL ERROR: /etc/snort/rules/snort.rules(3601) Unknown rule type: sid:drop. Wed Jun 22 09:16:20 2016 daemon.emerg procd: Cannot change large-receive-offload Wed Jun 22 09:16:20 2016 daemon.notice netifd: Bridge 'br-lan' link is down Wed Jun 22 09:16:20 2016 daemon.notice netifd: Interface 'lan' has link connectivity loss Wed Jun 22 09:16:20 2016 daemon.notice netifd: Interface 'blockdomain' has link connectivity loss Wed Jun 22 09:16:20 2016 daemon.notice netifd: Network device 'eth0' link is up Wed Jun 22 09:16:20 2016 daemon.notice netifd: Interface 'wan' has link connectivity Wed Jun 22 09:16:20 2016 daemon.notice netifd: Interface 'wan' is setting up now Wed Jun 22 09:16:20 2016 kern.notice kernel: [ 73.324203] eth0: 1000 Mbps Full duplex, port 0 Wed Jun 22 09:16:20 2016 kern.info kernel: [ 73.324223] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready Wed Jun 22 09:16:20 2016 daemon.notice netifd: Interface 'wan' is now up Wed Jun 22 09:16:20 2016 user.notice firewall: Reloading firewall due to ifup of wan (eth0) Wed Jun 22 09:16:21 2016 kern.notice kernel: 
[ 74.323630] eth2: Link down Wed Jun 22 09:16:21 2016 daemon.crit dnsmasq[4076]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf Wed Jun 22 09:16:21 2016 daemon.crit dnsmasq[4076]: FAILED to start up Wed Jun 22 09:16:22 2016 daemon.notice netifd: Network device 'eth1' link is up Wed Jun 22 09:16:22 2016 daemon.notice netifd: Bridge 'br-lan' link is up Wed Jun 22 09:16:22 2016 daemon.notice netifd: Interface 'lan' has link connectivity Wed Jun 22 09:16:22 2016 daemon.notice netifd: Interface 'blockdomain' has link connectivity Wed Jun 22 09:16:22 2016 kern.notice kernel: [ 75.273914] eth1: 1000 Mbps Full duplex, port 1 Wed Jun 22 09:16:22 2016 kern.info kernel: [ 75.273950] br-lan: port 1(eth1) entered forwarding state Wed Jun 22 09:16:22 2016 kern.info kernel: [ 75.273983] br-lan: port 1(eth1) entered forwarding state Wed Jun 22 09:16:23 2016 daemon.notice netifd: Network device 'eth2' link is down Wed Jun 22 09:16:23 2016 daemon.notice netifd: Interface 'wan6' has link connectivity loss Wed Jun 22 09:16:23 2016 daemon.notice netifd: Interface 'wan6' is now down Wed Jun 22 09:16:23 2016 daemon.notice netifd: Interface 'wan6' is disabled Wed Jun 22 09:16:23 2016 daemon.notice netifd: Interface 'wan6' is enabled Wed Jun 22 09:16:23 2016 kern.info kernel: [ 76.287551] IPv6: ADDRCONF(NETDEV_UP): eth2: link is not ready Wed Jun 22 09:16:24 2016 daemon.emerg procd: /etc/rc.local: line 36: /etc/itus/detect_mode.sh: Permission denied Wed Jun 22 09:16:24 2016 kern.info kernel: [ 77.273832] br-lan: port 1(eth1) entered forwarding state Wed Jun 22 09:16:24 2016 daemon.notice snort[4150]: Enabling inline operation Wed Jun 22 09:16:24 2016 daemon.notice snort[4150]: Found pid path directive (/var/snort/) Wed Jun 22 09:16:24 2016 daemon.notice snort[4150]: Running in IDS mode Wed Jun 22 09:16:24 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:24 2016 daemon.notice snort[4150]: --== Initializing Snort ==-- Wed Jun 22 09:16:24 2016 daemon.notice snort[4150]: 
Initializing Output Plugins! Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Initializing Preprocessors! Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Initializing Plug-ins! Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Parsing Rules file "/etc/snort/snort_bridge.conf" Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'HTTP_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'SHELLCODE_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 1:65535 ] Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'ORACLE_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 1024:65535 ] Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'SSH_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 22 ] Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'FTP_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 21 2100 3535 ] Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'SIP_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 5060:5061 5600 ] Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 
'FILE_DATA_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 3330Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: PortVar 'GTP_PORTS' defined : Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: [ 2123 2152 3386 ] Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Detection: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Search-Method = AC-Full Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Split Any/Any group = enabled Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Search-Method-Optimizations = enabled Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Maximum pattern length = 20 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Found pid path directive (/var/snort/) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Tagged Packet Limit: 256 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... 
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... 
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: done Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/ Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Log directory = /tmp/snort/ Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalizer config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip4: on Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip4::df: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip4::rf: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip4::tos: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip4::trim: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip4::ttl: on (min=1, new=5) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalizer config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp: on Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::ecn: stream Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::block: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::rsv: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::pad: off Wed Jun 22 09:16:25 
2016 daemon.notice snort[4150]: tcp::req_urg: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::req_pay: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::req_urp: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::urp: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::opt: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::ips: on Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::trim_syn: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::trim_rst: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::trim_win: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: tcp::trim_mss: off Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalizer config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: icmp4: on Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalizer config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip6: on Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: ip6::hops: on (min=1, new=5) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalizer config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: icmp6: on Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Frag3 global config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max frags: 65536 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Fragment memory cap: 4194304 bytes Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Frag3 engine config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Bound Address: default Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Target-based policy: WINDOWS Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Fragment timeout: 180 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Fragment min_ttl: 1 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Fragment Anomalies: Alert Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Overlap Limit: 10 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Min fragment Length: 100 Wed Jun 22 
09:16:25 2016 daemon.notice snort[4150]: Max Expected Streams: 39 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Stream global config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Track TCP sessions: ACTIVE Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max TCP sessions: 10000 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: TCP cache pruning timeout: 30 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: TCP cache nominal timeout: 3600 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Memcap (for reassembly packet storage): 8388608 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Track UDP sessions: ACTIVE Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max UDP sessions: 10000 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: UDP cache pruning timeout: 30 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: UDP cache nominal timeout: 180 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Track ICMP sessions: ACTIVE Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max ICMP sessions: 65536 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Track IP sessions: INACTIVE Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Log info if session memory consumption exceeds 1156952 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Send up to 2 active responses Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Wait at least 5 seconds between responses Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Protocol Aware Flushing: ACTIVE Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Maximum Flush Point: 16000 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Stream TCP Policy config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Bound Address: default Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Reassembly Policy: WINDOWS Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Timeout: 180 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Limit on TCP Overlaps: 10 Wed Jun 22 09:16:25 
2016 daemon.notice snort[4150]: Maximum number of bytes to queue per session: 1090276 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Maximum number of segs to queue per session: 2621 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Options: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Require 3-Way Handshake: YES Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 3-Way Handshake Timeout: 180 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Detect Anomalies: YES Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Reassembly Ports: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 21 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 22 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 23 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 25 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 36 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 42 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 53 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 70 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 79 client (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 80 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 81 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 82 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 83 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 84 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 85 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 86 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 
09:16:25 2016 daemon.notice snort[4150]: 87 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 88 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 89 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 90 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: additional ports configured but not printed. Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Stream UDP Policy config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Timeout: 180 seconds Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: HttpInspect Config: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: GLOBAL CONFIG Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Detect Proxy Usage: NO Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: IIS Unicode Map Filename: /etc/snort/unicode.map Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: IIS Unicode Map Codepage: 1252 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Memcap used for logging URI and Hostname: 150994944 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Gzip Memory: 838860 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Gzip Sessions: 1807 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Gzip Compress Depth: 65535 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Gzip Decompress Depth: 65535 Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: DEFAULT SERVER CONFIG: Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Server profile: All Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 
8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Server Flow Depth: 0
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Client Flow Depth: 0
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Chunk Length: 500000
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Header Field Length: 750
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Number Header Fields: 100
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Number of WhiteSpaces allowed with header folding: 200
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Inspect Pipeline Requests: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: URI Discovery Strict Mode: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Allow Proxy Usage: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Disable Alerting: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Oversize Dir Length: 500
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Only inspect URI: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalize HTTP Headers: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Inspect HTTP Cookies: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Inspect HTTP Responses: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Extract Gzip from responses: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Decompress response files:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Unlimited decompression of gzip data from responses: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalize Javascripts in HTTP Responses: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalize HTTP Cookies: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Enable XFF and True Client IP: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Log HTTP URI data: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Log HTTP Hostname data: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Extended ASCII code support in URI: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ascii: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Double Decoding: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: %U Encoding: YES alert: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Bare Byte: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: UTF 8: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: IIS Unicode: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Multiple Slash: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: IIS Backslash: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Directory Traversal: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Web Root Traversal: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Apache WhiteSpace: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: IIS Delimiter: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: rpc_decode arguments:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: alert_fragments: INACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: alert_large_fragments: INACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: alert_incomplete: INACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: alert_multiple_requests: INACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: FTPTelnet Config:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: GLOBAL CONFIG
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Inspection Type: stateful
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Check for Encrypted Traffic: YES alert: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Continue to check encrypted data: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: TELNET CONFIG:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports: 23
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Are You There Threshold: 20
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Normalize: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Detect Anomalies: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: FTP CONFIG:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: FTP Server: default
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports (PAF): 21 2100 3535
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Check for Telnet Cmds: YES alert: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ignore Telnet Cmd Operations: YES alert: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ignore open data channels: NO
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: FTP Client: default
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Check for Bounce Attacks: YES alert: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Check for Telnet Cmds: YES alert: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ignore Telnet Cmd Operations: YES alert: YES
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Response Length: 256
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: SSH config:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Autodetection: ENABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Challenge-Response Overflow Alert: ENABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: SSH1 CRC32 Alert: ENABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Server Version String Overflow Alert: ENABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Protocol Mismatch Alert: ENABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Bad Message Direction Alert: DISABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Bad Payload Size Alert: DISABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Unrecognized Version Alert: DISABLED
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Encrypted Packets: 20
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Max Server Version String Length: 100
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: MaxClientBytes: 19600 (Default)
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 22
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: DNS config:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: DNS Client rdata txt Overflow Alert: ACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Obsolete DNS RR Types Alert: INACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Experimental DNS RR Types Alert: INACTIVE
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 53
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: SSLPP config:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Encrypted packets: not inspected
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Ports:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 443 465 563 636 989
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 992 993 994 995 7801
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 7802 7900 7901 7902 7903
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 7904 7905 7906 7907 7908
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 7909 7910 7911 7912 7913
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 7914 7915 7916 7917 7918
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: 7919 7920
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Server side data is trusted
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Maximum SSL Heartbeat length: 0
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]:
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: Initializing rule chains...
Wed Jun 22 09:16:25 2016 daemon.notice netifd: Network device 'eth2' link is up
Wed Jun 22 09:16:25 2016 daemon.notice netifd: Interface 'wan6' has link connectivity
Wed Jun 22 09:16:25 2016 daemon.notice netifd: Interface 'wan6' is setting up now
Wed Jun 22 09:16:25 2016 kern.notice kernel: [ 78.303949] eth2: 1000 Mbps Full duplex, port 2
Wed Jun 22 09:16:25 2016 kern.info kernel: [ 78.303980] IPv6: ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
Wed Jun 22 09:16:25 2016 daemon.notice netifd: Interface 'wan6' is now up
Wed Jun 22 09:16:25 2016 daemon.notice vnstatd[4184]: vnStat daemon 1.12 started. (uid:0 gid:0)
Wed Jun 22 09:16:25 2016 daemon.notice vnstatd[4184]: Monitoring: br-lan (100 Mbit) eth0 (100 Mbit)
Wed Jun 22 09:16:25 2016 user.notice firewall: Reloading firewall due to ifup of wan6 (eth2)
Wed Jun 22 09:16:25 2016 daemon.emerg procd: Stopping strongSwan IPsec failed: starter is not running
Wed Jun 22 09:16:25 2016 daemon.notice snort[4150]: WARNING: /etc/snort/rules/snort.rules(982) threshold (in rule) is deprecated; use detection_filter instead.
Wed Jun 22 09:16:26 2016 daemon.crit dnsmasq[4272]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:26 2016 daemon.crit dnsmasq[4272]: FAILED to start up
Wed Jun 22 09:16:27 2016 daemon.emerg procd: 192.168.1.112 this is the blocked domains ip
Wed Jun 22 09:16:27 2016 daemon.emerg procd: 192.168.1.112 this is the blacklist ip
Wed Jun 22 09:16:27 2016 daemon.emerg procd: copying new sorted rules....this may take a minute.
Wed Jun 22 09:16:27 2016 daemon.err snort[4150]: FATAL ERROR: /etc/snort/rules/snort.rules(3601) Unknown rule type: sid:drop.
Wed Jun 22 09:16:28 2016 daemon.emerg procd: sed: unsupported command /
Wed Jun 22 09:16:28 2016 daemon.crit dnsmasq[4375]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:28 2016 daemon.crit dnsmasq[4375]: FAILED to start up
Wed Jun 22 09:16:29 2016 daemon.err uhttpd[3297]: cut: standard output: Broken pipe
Wed Jun 22 09:16:30 2016 daemon.notice netifd: Interface 'blockdomain' is now down
Wed Jun 22 09:16:30 2016 daemon.notice netifd: Interface 'blockdomain' is setting up now
Wed Jun 22 09:16:30 2016 daemon.notice netifd: Interface 'blockdomain' is now up
Wed Jun 22 09:16:31 2016 daemon.crit dnsmasq[4732]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:31 2016 daemon.crit dnsmasq[4732]: FAILED to start up
Wed Jun 22 09:16:32 2016 user.notice update_webfilter: updated dnsmasq blacklist
Wed Jun 22 09:16:32 2016 user.notice update_webfilter: updated network.interface.blockdomain: 192.168.1.112
Wed Jun 22 09:16:32 2016 user.notice update_webfilter: updated firewall.@redirect[0].Itusfilter: 192.168.1.112
Wed Jun 22 09:16:32 2016 user.notice update_webfilter: updated firewall.@redirect[1]dns-traffic-to-shield: 192.168.1.112
Wed Jun 22 09:16:32 2016 user.notice update_webfilter: updated uhttpd.Itusfilter
Wed Jun 22 09:16:32 2016 daemon.crit dnsmasq[4782]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:32 2016 daemon.crit dnsmasq[4782]: FAILED to start up
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Enabling inline operation
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Running in IDS mode
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: --== Initializing Snort ==--
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Initializing Output Plugins!
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Initializing Preprocessors!
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Initializing Plug-ins!
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Parsing Rules file "/etc/snort/snort_bridge.conf"
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'HTTP_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'SHELLCODE_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 1:65535 ]
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'ORACLE_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 1024:65535 ]
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'SSH_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 22 ]
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'FTP_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 21 2100 3535 ]
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'SIP_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 5060:5061 5600 ]
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'FILE_DATA_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 3330
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: PortVar 'GTP_PORTS' defined :
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: [ 2123 2152 3386 ]
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Detection:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Search-Method = AC-Full
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Split Any/Any group = enabled
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Search-Method-Optimizations = enabled
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Maximum pattern length = 20
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Tagged Packet Limit: 256
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: done
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Log directory = /tmp/snort/
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalizer config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip4: on
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip4::df: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip4::rf: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip4::tos: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip4::trim: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip4::ttl: on (min=1, new=5)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalizer config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp: on
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::ecn: stream
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::block: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::rsv: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::pad: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::req_urg: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::req_pay: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::req_urp: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::urp: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::opt: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::ips: on
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::trim_syn: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::trim_rst: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::trim_win: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: tcp::trim_mss: off
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalizer config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: icmp4: on
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalizer config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip6: on
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: ip6::hops: on (min=1, new=5)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalizer config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: icmp6: on
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Frag3 global config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max frags: 65536
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Fragment memory cap: 4194304 bytes
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Frag3 engine config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Bound Address: default
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Target-based policy: WINDOWS
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Fragment timeout: 180 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Fragment min_ttl: 1
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Fragment Anomalies: Alert
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Overlap Limit: 10
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Min fragment Length: 100
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Expected Streams: 39
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Stream global config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Track TCP sessions: ACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max TCP sessions: 10000
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: TCP cache pruning timeout: 30 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: TCP cache nominal timeout: 3600 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Memcap (for reassembly packet storage): 8388608
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Track UDP sessions: ACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max UDP sessions: 10000
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: UDP cache pruning timeout: 30 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: UDP cache nominal timeout: 180 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Track ICMP sessions: ACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max ICMP sessions: 65536
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Track IP sessions: INACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Log info if session memory consumption exceeds 1156952
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Send up to 2 active responses
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Wait at least 5 seconds between responses
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Protocol Aware Flushing: ACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Maximum Flush Point: 16000
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Stream TCP Policy config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Bound Address: default
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Reassembly Policy: WINDOWS
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Timeout: 180 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Limit on TCP Overlaps: 10
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Maximum number of bytes to queue per session: 1090276
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Maximum number of segs to queue per session: 2621
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Options:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Require 3-Way Handshake: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 3-Way Handshake Timeout: 180
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Detect Anomalies: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Reassembly Ports:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 21 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 22 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 23 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 25 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 36 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 42 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 53 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 70 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 79 client (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 80 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 81 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 82 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 83 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 84 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 85 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 86 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 87 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 88 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 89 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: 90 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: additional ports configured but not printed.
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Stream UDP Policy config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Timeout: 180 seconds
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: HttpInspect Config:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: GLOBAL CONFIG
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Detect Proxy Usage: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: IIS Unicode Map Filename: /etc/snort/unicode.map
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: IIS Unicode Map Codepage: 1252
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Memcap used for logging URI and Hostname: 150994944
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Gzip Memory: 838860
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Gzip Sessions: 1807
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Gzip Compress Depth: 65535
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Gzip Decompress Depth: 65535
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: DEFAULT SERVER CONFIG:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Server profile: All
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Server Flow Depth: 0
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Client Flow Depth: 0
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Chunk Length: 500000
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Header Field Length: 750
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Number Header Fields: 100
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Number of WhiteSpaces allowed with header folding: 200
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Inspect Pipeline Requests: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: URI Discovery Strict Mode: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Allow Proxy Usage: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Disable Alerting: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Oversize Dir Length: 500
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Only inspect URI: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalize HTTP Headers: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Inspect HTTP Cookies: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Inspect HTTP Responses: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Extract Gzip from responses: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Decompress response files:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Unlimited decompression of gzip data from responses: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalize Javascripts in HTTP Responses: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Normalize HTTP Cookies: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Enable XFF and True Client IP: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Log HTTP URI data: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Log HTTP Hostname data: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Extended ASCII code support in URI: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Ascii: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Double Decoding: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: %U Encoding: YES alert: YES
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Bare Byte: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: UTF 8: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: IIS Unicode: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Multiple Slash: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: IIS Backslash: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Directory Traversal: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Web Root Traversal: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Apache WhiteSpace: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: IIS Delimiter: YES alert: NO
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: rpc_decode arguments:
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: alert_fragments: INACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: alert_large_fragments: INACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: alert_incomplete: INACTIVE
Wed Jun 22 09:16:32 2016 daemon.notice snort[4791]: alert_multiple_requests: INACTIVE
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: FTPTelnet Config:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: GLOBAL CONFIG
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Inspection Type: stateful
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Check for Encrypted Traffic: YES alert: NO
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Continue to check encrypted data: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: TELNET CONFIG:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ports: 23
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Are You There Threshold: 20
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Normalize: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Detect Anomalies: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: FTP CONFIG:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: FTP Server: default
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ports (PAF): 21 2100 3535
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Check for Telnet Cmds: YES alert: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ignore Telnet Cmd Operations: YES alert: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ignore open data channels: NO
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: FTP Client: default
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Check for Bounce Attacks: YES alert: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Check for Telnet Cmds: YES alert: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ignore Telnet Cmd Operations: YES alert: YES
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Max Response Length: 256
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: SSH config:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Autodetection: ENABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Challenge-Response Overflow Alert: ENABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: SSH1 CRC32 Alert: ENABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Server Version String Overflow Alert: ENABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Protocol Mismatch Alert: ENABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Bad Message Direction Alert: DISABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Bad Payload Size Alert: DISABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Unrecognized Version Alert: DISABLED
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Max Encrypted Packets: 20
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Max Server Version String Length: 100
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: MaxClientBytes: 19600 (Default)
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ports:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 22
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: DNS config:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: DNS Client rdata txt Overflow Alert: ACTIVE
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Obsolete DNS RR Types Alert: INACTIVE
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Experimental DNS RR Types Alert: INACTIVE
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ports:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 53
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: SSLPP config:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Encrypted packets: not inspected
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Ports:
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 443 465 563 636 989
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 992 993 994 995 7801
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 7802 7900 7901 7902 7903
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 7904 7905 7906 7907 7908
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 7909 7910 7911 7912 7913
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 7914 7915 7916 7917 7918
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: 7919 7920
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Server side data is trusted
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Maximum SSL Heartbeat length: 0
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]:
Wed Jun 22 09:16:33 2016
daemon.notice snort[4791]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: Initializing rule chains...
Wed Jun 22 09:16:33 2016 daemon.notice snort[4791]: WARNING: /etc/snort/rules/snort.rules(982) threshold (in rule) is deprecated; use detection_filter instead.
Wed Jun 22 09:16:35 2016 daemon.err snort[4791]: FATAL ERROR: /etc/snort/rules/snort.rules(3601) Unknown rule type: sid:drop.
Wed Jun 22 09:16:37 2016 daemon.crit dnsmasq[4795]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:37 2016 daemon.crit dnsmasq[4795]: FAILED to start up
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Enabling inline operation
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Running in IDS mode
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]:
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: --== Initializing Snort ==--
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Initializing Output Plugins!
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Initializing Preprocessors!
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Initializing Plug-ins!
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Parsing Rules file "/etc/snort/snort_bridge.conf" Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'HTTP_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'SHELLCODE_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 1:65535 ] Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'ORACLE_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 1024:65535 ] Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'SSH_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 22 ] Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'FTP_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 21 2100 3535 ] Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'SIP_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 5060:5061 5600 ] Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'FILE_DATA_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 
2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 3330Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: PortVar 'GTP_PORTS' defined : Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: [ 2123 2152 3386 ] Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Detection: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Search-Method = AC-Full Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Split Any/Any group = enabled Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Search-Method-Optimizations = enabled Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Maximum pattern length = 20 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Found pid path directive (/var/snort/) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Tagged Packet Limit: 256 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... 
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... 
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: done Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/ Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Log directory = /tmp/snort/ Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalizer config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip4: on Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip4::df: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip4::rf: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip4::tos: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip4::trim: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip4::ttl: on (min=1, new=5) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalizer config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp: on Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::ecn: stream Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::block: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::rsv: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::pad: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::req_urg: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::req_pay: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::req_urp: off Wed Jun 22 
09:16:40 2016 daemon.notice snort[4796]: tcp::urp: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::opt: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::ips: on Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::trim_syn: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::trim_rst: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::trim_win: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: tcp::trim_mss: off Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalizer config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: icmp4: on Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalizer config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip6: on Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: ip6::hops: on (min=1, new=5) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalizer config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: icmp6: on Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Frag3 global config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max frags: 65536 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Fragment memory cap: 4194304 bytes Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Frag3 engine config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Bound Address: default Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Target-based policy: WINDOWS Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Fragment timeout: 180 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Fragment min_ttl: 1 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Fragment Anomalies: Alert Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Overlap Limit: 10 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Min fragment Length: 100 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Expected Streams: 39 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Stream global config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Track TCP 
sessions: ACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max TCP sessions: 10000 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: TCP cache pruning timeout: 30 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: TCP cache nominal timeout: 3600 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Memcap (for reassembly packet storage): 8388608 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Track UDP sessions: ACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max UDP sessions: 10000 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: UDP cache pruning timeout: 30 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: UDP cache nominal timeout: 180 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Track ICMP sessions: ACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max ICMP sessions: 65536 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Track IP sessions: INACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Log info if session memory consumption exceeds 1156952 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Send up to 2 active responses Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wait at least 5 seconds between responses Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Protocol Aware Flushing: ACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Maximum Flush Point: 16000 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Stream TCP Policy config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Bound Address: default Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Reassembly Policy: WINDOWS Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Timeout: 180 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Limit on TCP Overlaps: 10 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Maximum number of bytes to queue per session: 1090276 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Maximum number of segs to queue per session: 2621 Wed Jun 22 
09:16:40 2016 daemon.notice snort[4796]: Options: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Require 3-Way Handshake: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 3-Way Handshake Timeout: 180 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Detect Anomalies: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Reassembly Ports: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 21 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 22 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 23 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 25 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 36 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 42 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 53 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 70 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 79 client (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 80 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 81 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 82 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 83 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 84 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 85 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 86 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 87 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 88 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 
22 09:16:40 2016 daemon.notice snort[4796]: 89 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 90 client (Footprint-IPS) server (Footprint-IPS) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: additional ports configured but not printed. Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Stream UDP Policy config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Timeout: 180 seconds Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: HttpInspect Config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: GLOBAL CONFIG Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Detect Proxy Usage: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: IIS Unicode Map Filename: /etc/snort/unicode.map Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: IIS Unicode Map Codepage: 1252 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Memcap used for logging URI and Hostname: 150994944 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Gzip Memory: 838860 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Gzip Sessions: 1807 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Gzip Compress Depth: 65535 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Gzip Decompress Depth: 65535 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: DEFAULT SERVER CONFIG: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Server profile: All Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Server Flow Depth: 0 Wed Jun 22 09:16:40 
2016 daemon.notice snort[4796]: Client Flow Depth: 0 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Chunk Length: 500000 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Header Field Length: 750 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Number Header Fields: 100 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Number of WhiteSpaces allowed with header folding: 200 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Inspect Pipeline Requests: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: URI Discovery Strict Mode: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Allow Proxy Usage: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Disable Alerting: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Oversize Dir Length: 500 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Only inspect URI: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalize HTTP Headers: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Inspect HTTP Cookies: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Inspect HTTP Responses: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Extract Gzip from responses: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Decompress response files: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Unlimited decompression of gzip data from responses: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalize Javascripts in HTTP Responses: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalize HTTP Cookies: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Enable XFF and True Client IP: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Log HTTP URI data: NO Wed Jun 22 09:16:40 2016 
daemon.notice snort[4796]: Log HTTP Hostname data: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Extended ASCII code support in URI: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ascii: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Double Decoding: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: %U Encoding: YES alert: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Bare Byte: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: UTF 8: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: IIS Unicode: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Multiple Slash: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: IIS Backslash: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Directory Traversal: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Web Root Traversal: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Apache WhiteSpace: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: IIS Delimiter: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: rpc_decode arguments: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: alert_fragments: INACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: alert_large_fragments: INACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: alert_incomplete: INACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: alert_multiple_requests: INACTIVE Wed Jun 22 09:16:40 2016 
daemon.notice snort[4796]: FTPTelnet Config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: GLOBAL CONFIG Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Inspection Type: stateful Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Check for Encrypted Traffic: YES alert: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Continue to check encrypted data: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: TELNET CONFIG: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports: 23 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Are You There Threshold: 20 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Normalize: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Detect Anomalies: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: FTP CONFIG: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: FTP Server: default Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports (PAF): 21 2100 3535 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Check for Telnet Cmds: YES alert: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ignore Telnet Cmd Operations: YES alert: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ignore open data channels: NO Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: FTP Client: default Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Check for Bounce Attacks: YES alert: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Check for Telnet Cmds: YES alert: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ignore Telnet Cmd Operations: YES alert: YES Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Response Length: 256 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: SSH config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Autodetection: ENABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Challenge-Response Overflow Alert: ENABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: SSH1 CRC32 Alert: ENABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 
Server Version String Overflow Alert: ENABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Protocol Mismatch Alert: ENABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Bad Message Direction Alert: DISABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Bad Payload Size Alert: DISABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Unrecognized Version Alert: DISABLED Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Encrypted Packets: 20 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Max Server Version String Length: 100 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: MaxClientBytes: 19600 (Default) Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 22 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: DNS config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: DNS Client rdata txt Overflow Alert: ACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Obsolete DNS RR Types Alert: INACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Experimental DNS RR Types Alert: INACTIVE Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 53 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: SSLPP config: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Encrypted packets: not inspected Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Ports: Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 443 465 563 636 989 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 992 993 994 995 7801 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 7802 7900 7901 7902 7903 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 7904 7905 7906 7907 7908 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 7909 7910 7911 7912 7913 Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: 7914 7915 7916 7917 7918 Wed Jun 22 
09:16:40 2016 daemon.notice snort[4796]: 7919 7920
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Server side data is trusted
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Maximum SSL Heartbeat length: 0
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]:
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Wed Jun 22 09:16:40 2016 daemon.notice snort[4796]: Initializing rule chains...
Wed Jun 22 09:16:41 2016 daemon.notice snort[4796]: WARNING: /etc/snort/rules/snort.rules(982) threshold (in rule) is deprecated; use detection_filter instead.
Wed Jun 22 09:16:43 2016 daemon.crit dnsmasq[4807]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:43 2016 daemon.crit dnsmasq[4807]: FAILED to start up
Wed Jun 22 09:16:43 2016 daemon.err snort[4796]: FATAL ERROR: /etc/snort/rules/snort.rules(3601) Unknown rule type: sid:drop.
Wed Jun 22 09:16:44 2016 kern.notice kernel: [ 97.353659] eth0: Link down
Wed Jun 22 09:16:45 2016 daemon.notice netifd: Network device 'eth0' link is down
Wed Jun 22 09:16:45 2016 daemon.notice netifd: Interface 'wan' has link connectivity loss
Wed Jun 22 09:16:45 2016 daemon.notice netifd: Interface 'wan' is now down
Wed Jun 22 09:16:45 2016 daemon.notice netifd: Interface 'wan' is disabled
Wed Jun 22 09:16:45 2016 daemon.notice netifd: Interface 'wan' is enabled
Wed Jun 22 09:16:45 2016 kern.info kernel: [ 98.357574] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Wed Jun 22 09:16:46 2016 kern.notice kernel: [ 99.293577] eth1: Link down
Wed Jun 22 09:16:47 2016 daemon.notice netifd: Network device 'eth1' link is down
Wed Jun 22 09:16:47 2016 kern.info kernel: [ 100.284009] br-lan: port 1(eth1) entered disabled state
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Enabling inline operation
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Running in IDS mode
Wed
Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: --== Initializing Snort ==-- Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Initializing Output Plugins! Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Initializing Preprocessors! Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Initializing Plug-ins! Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Parsing Rules file "/etc/snort/snort_bridge.conf" Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'HTTP_PORTS' defined : Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 33300 34412 Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'SHELLCODE_PORTS' defined : Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 1:65535 ] Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'ORACLE_PORTS' defined : Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 1024:65535 ] Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'SSH_PORTS' defined : Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 22 ] Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'FTP_PORTS' defined : Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 21 2100 3535 ] Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'SIP_PORTS' defined : 
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 5060:5061 5600 ]
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'FILE_DATA_PORTS' defined :
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000:7001 7071 7144:7145 7510 7770 7777:7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090:9091 9111 9290 9443 9999:10000 11371 12601 13014 15489 29991 3330
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: PortVar 'GTP_PORTS' defined :
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: [ 2123 2152 3386 ]
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Detection:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Search-Method = AC-Full
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Split Any/Any group = enabled
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Search-Method-Optimizations = enabled
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Maximum pattern length = 20
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Bridge 'br-lan' link is down
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Interface 'lan' has link connectivity loss
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Interface 'blockdomain' has link connectivity loss
Wed Jun 22 09:16:48 2016 kern.notice kernel: [ 101.323577] eth2: Link down
Wed Jun 22 09:16:48 2016 daemon.crit dnsmasq[4885]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:48 2016 daemon.crit dnsmasq[4885]: FAILED to start up
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Found pid path directive (/var/snort/)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Tagged Packet Limit: 256
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: done
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Log directory = /tmp/snort/
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalizer config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip4: on
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip4::df: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip4::rf: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip4::tos: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip4::trim: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip4::ttl: on (min=1, new=5)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalizer config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp: on
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::ecn: stream
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::block: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::rsv: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::pad: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::req_urg: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::req_pay: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::req_urp: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::urp: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::opt: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::ips: on
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::trim_syn: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::trim_rst: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::trim_win: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: tcp::trim_mss: off
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalizer config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: icmp4: on
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalizer config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip6: on
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: ip6::hops: on (min=1, new=5)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalizer config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: icmp6: on
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Frag3 global config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max frags: 65536
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Fragment memory cap: 4194304 bytes
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Frag3 engine config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Bound Address: default
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Target-based policy: WINDOWS
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Fragment timeout: 180 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Fragment min_ttl: 1
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Fragment Anomalies: Alert
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Overlap Limit: 10
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Min fragment Length: 100
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Network device 'eth0' link is up
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Interface 'wan' has link connectivity
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Interface 'wan' is setting up now
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Expected Streams: 39
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Stream global config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Track TCP sessions: ACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max TCP sessions: 10000
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: TCP cache pruning timeout: 30 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: TCP cache nominal timeout: 3600 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Memcap (for reassembly packet storage): 8388608
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Track UDP sessions: ACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max UDP sessions: 10000
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: UDP cache pruning timeout: 30 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: UDP cache nominal timeout: 180 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Track ICMP sessions: ACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max ICMP sessions: 65536
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Track IP sessions: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Log info if session memory consumption exceeds 1156952
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Send up to 2 active responses
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Wait at least 5 seconds between responses
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Protocol Aware Flushing: ACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Maximum Flush Point: 16000
Wed Jun 22 09:16:48 2016 kern.notice kernel: [ 101.374040] eth0: 1000 Mbps Full duplex, port 0
Wed Jun 22 09:16:48 2016 kern.info kernel: [ 101.374075] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Wed Jun 22 09:16:48 2016 daemon.notice netifd: Interface 'wan' is now up
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Stream TCP Policy config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Bound Address: default
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Reassembly Policy: WINDOWS
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Timeout: 180 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Limit on TCP Overlaps: 10
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Maximum number of bytes to queue per session: 1090276
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Maximum number of segs to queue per session: 2621
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Options:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Require 3-Way Handshake: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 3-Way Handshake Timeout: 180
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Detect Anomalies: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Reassembly Ports:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 21 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 22 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 23 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 25 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 36 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 42 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 53 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 70 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 79 client (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 80 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 81 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 82 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 83 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 84 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 85 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 86 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 87 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 88 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 89 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 90 client (Footprint-IPS) server (Footprint-IPS)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: additional ports configured but not printed.
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Stream UDP Policy config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Timeout: 180 seconds
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: HttpInspect Config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: GLOBAL CONFIG
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Detect Proxy Usage: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: IIS Unicode Map Filename: /etc/snort/unicode.map
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: IIS Unicode Map Codepage: 1252
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Memcap used for logging URI and Hostname: 150994944
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Gzip Memory: 838860
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Gzip Sessions: 1807
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Gzip Compress Depth: 65535
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Gzip Decompress Depth: 65535
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: DEFAULT SERVER CONFIG:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Server profile: All
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Server Flow Depth: 0
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Client Flow Depth: 0
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Chunk Length: 500000
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Header Field Length: 750
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Number Header Fields: 100
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Number of WhiteSpaces allowed with header folding: 200
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Inspect Pipeline Requests: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: URI Discovery Strict Mode: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Allow Proxy Usage: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Disable Alerting: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Oversize Dir Length: 500
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Only inspect URI: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalize HTTP Headers: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Inspect HTTP Cookies: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Inspect HTTP Responses: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Extract Gzip from responses: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Decompress response files:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Unlimited decompression of gzip data from responses: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalize Javascripts in HTTP Responses: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalize HTTP Cookies: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Enable XFF and True Client IP: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Log HTTP URI data: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Log HTTP Hostname data: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Extended ASCII code support in URI: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ascii: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Double Decoding: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: %U Encoding: YES alert: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Bare Byte: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: UTF 8: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: IIS Unicode: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Multiple Slash: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: IIS Backslash: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Directory Traversal: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Web Root Traversal: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Apache WhiteSpace: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: IIS Delimiter: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: rpc_decode arguments:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: alert_fragments: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: alert_large_fragments: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: alert_incomplete: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: alert_multiple_requests: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: FTPTelnet Config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: GLOBAL CONFIG
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Inspection Type: stateful
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Check for Encrypted Traffic: YES alert: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Continue to check encrypted data: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: TELNET CONFIG:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports: 23
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Are You There Threshold: 20
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Normalize: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Detect Anomalies: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: FTP CONFIG:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: FTP Server: default
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports (PAF): 21 2100 3535
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Check for Telnet Cmds: YES alert: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ignore Telnet Cmd Operations: YES alert: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ignore open data channels: NO
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: FTP Client: default
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Check for Bounce Attacks: YES alert: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Check for Telnet Cmds: YES alert: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ignore Telnet Cmd Operations: YES alert: YES
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Response Length: 256
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: SSH config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Autodetection: ENABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Challenge-Response Overflow Alert: ENABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: SSH1 CRC32 Alert: ENABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Server Version String Overflow Alert: ENABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Protocol Mismatch Alert: ENABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Bad Message Direction Alert: DISABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Bad Payload Size Alert: DISABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Unrecognized Version Alert: DISABLED
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Encrypted Packets: 20
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Max Server Version String Length: 100
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: MaxClientBytes: 19600 (Default)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 22
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: DNS config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: DNS Client rdata txt Overflow Alert: ACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Obsolete DNS RR Types Alert: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Experimental DNS RR Types Alert: INACTIVE
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 53
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: SSLPP config:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Encrypted packets: not inspected
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Ports:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 443 465 563 636 989
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 992 993 994 995 7801
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 7802 7900 7901 7902 7903
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 7904 7905 7906 7907 7908
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 7909 7910 7911 7912 7913
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 7914 7915 7916 7917 7918
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: 7919 7920
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Server side data is trusted
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Maximum SSL Heartbeat length: 0
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]:
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: Initializing rule chains...
Wed Jun 22 09:16:48 2016 user.notice firewall: Reloading firewall due to ifup of wan (eth0)
Wed Jun 22 09:16:48 2016 daemon.notice snort[4886]: WARNING: /etc/snort/rules/snort.rules(982) threshold (in rule) is deprecated; use detection_filter instead.
Wed Jun 22 09:16:49 2016 daemon.notice netifd: Network device 'eth2' link is down
Wed Jun 22 09:16:49 2016 daemon.notice netifd: Interface 'wan6' has link connectivity loss
Wed Jun 22 09:16:49 2016 daemon.notice netifd: Interface 'wan6' is now down
Wed Jun 22 09:16:49 2016 daemon.notice netifd: Interface 'wan6' is disabled
Wed Jun 22 09:16:49 2016 daemon.notice netifd: Interface 'wan6' is enabled
Wed Jun 22 09:16:49 2016 kern.info kernel: [ 102.336810] IPv6: ADDRCONF(NETDEV_UP): eth2: link is not ready
Wed Jun 22 09:16:49 2016 daemon.crit dnsmasq[4984]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:49 2016 daemon.crit dnsmasq[4984]: FAILED to start up
Wed Jun 22 09:16:49 2016 daemon.info procd: Instance dnsmasq::instance1 s in a crash loop 6 crashes, 1 seconds since last crash
Wed Jun 22 09:16:50 2016 daemon.notice netifd: Network device 'eth1' link is up
Wed Jun 22 09:16:50 2016 daemon.notice netifd: Bridge 'br-lan' link is up
Wed Jun 22 09:16:50 2016 daemon.notice netifd: Interface 'lan' has link connectivity
Wed Jun 22 09:16:50 2016 daemon.notice netifd: Interface 'blockdomain' has link connectivity
Wed Jun 22 09:16:50 2016 kern.notice kernel: [ 103.303949] eth1: 1000 Mbps Full duplex, port 1
Wed Jun 22 09:16:50 2016 kern.info kernel: [ 103.303989] br-lan: port 1(eth1) entered forwarding state
Wed Jun 22 09:16:50 2016 kern.info kernel: [ 103.304022] br-lan: port 1(eth1) entered forwarding state
Wed Jun 22 09:16:51 2016 daemon.err snort[4886]: FATAL ERROR: /etc/snort/rules/snort.rules(3601) Unknown rule type: sid:drop.
Wed Jun 22 09:16:51 2016 daemon.info procd: Instance snort::instance1 s in a crash loop 6 crashes, 3 seconds since last crash
Wed Jun 22 09:16:51 2016 daemon.notice netifd: Network device 'eth2' link is up
Wed Jun 22 09:16:51 2016 daemon.notice netifd: Interface 'wan6' has link connectivity
Wed Jun 22 09:16:51 2016 daemon.notice netifd: Interface 'wan6' is setting up now
Wed Jun 22 09:16:51 2016 kern.notice kernel: [ 104.353937] eth2: 1000 Mbps Full duplex, port 2
Wed Jun 22 09:16:51 2016 kern.info kernel: [ 104.353962] IPv6: ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
Wed Jun 22 09:16:51 2016 daemon.notice netifd: Interface 'wan6' is now up
Wed Jun 22 09:16:51 2016 user.notice firewall: Reloading firewall due to ifup of wan6 (eth2)
Wed Jun 22 09:16:52 2016 kern.info kernel: [ 105.303814] br-lan: port 1(eth1) entered forwarding state
Wed Jun 22 09:16:52 2016 daemon.crit dnsmasq[5154]: illegal repeated keyword at line 13 of /var/etc/dnsmasq.conf
Wed Jun 22 09:16:52 2016 daemon.crit dnsmasq[5154]: FAILED to start up
Wed Jun 22 09:17:11 2016 kern.info kernel: [ 124.417718] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Wed Jun 22 09:17:19 2016 authpriv.info dropbear[3223]: Early exit: Terminated by signal
Wed Jun 22 09:17:19 2016 authpriv.info dropbear[5222]: Not backgrounding
Wed Jun 22 09:17:29 2016 daemon.emerg procd: 0.us.pool.ntp.org: Unknown host
Wed Jun 22 09:17:29 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:29 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:29 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:29 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:29 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:30 2016 user.notice root: NTP eager clock adjust failed.
Wed Jun 22 09:17:30 2016 user.notice root: Restarted ntpclient. NTP server #1 of 4.
Wed Jun 22 09:17:30 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:30 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:30 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:30 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:30 2016 user.notice root: NTP 0.us.pool.ntp.org failed.
Wed Jun 22 09:17:30 2016 user.notice root: NTP eager clock adjust failed.
Wed Jun 22 09:17:30 2016 daemon.info procd: - init complete -