[Snort-devel] Dynamic Preprocessor Example doesn't log in Database

Hui Cao hcao at ...402...
Thu Apr 7 11:28:30 EDT 2011


Also, can you make sure the following is in your snort.config file:

config autogenerate_preprocessor_decoder_rules

If this isn't set, no preprocessor alerts will be created.

Hui.
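A check for the point made above, added here as an example that is not code from the Snort project or from either poster: it parses a snort.conf (joining backslash-continued lines and separating commented-out ones) and reports which link in the chain from the dynamic_example preprocessor to barnyard2's unified2 input is missing. The sample configuration is a constructed excerpt of the snort.conf quoted below, and the function names are assumptions of this example.

```python
import re

# Constructed excerpt (not the full file from the thread) reproducing the lines
# of the quoted snort.conf that matter for the preprocessor-alert path.
SAMPLE_SNORT_CONF = """\
dynamicpreprocessor directory \\
/usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp \\
yes, track_icmp no
output unified2: filename snort.u2, limit 128
#Dynamic-example
preprocessor dynamic_example: port 11123
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
"""


def logical_lines(text):
    """Join backslash-continued physical lines into single statements.

    Returns a list of (is_comment, statement) tuples; a statement that began
    with '#' is flagged as a comment and returned with the '#' stripped.
    """
    statements = []
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # Snort continuation marker
            pending += line[:-1] + " "
            continue
        stmt = (pending + line).strip()
        pending = ""
        if not stmt:
            continue
        if stmt.startswith("#"):
            statements.append((True, stmt.lstrip("# ").strip()))
        else:
            statements.append((False, stmt))
    return statements


def check_preprocessor_alert_path(conf_text):
    """Evaluate the conditions an alert from dynamic_example must pass through.

    Each key maps to True when the corresponding line is active (not commented
    out) in the configuration.
    """
    parsed = logical_lines(conf_text)
    active = [s for is_comment, s in parsed if not is_comment]

    def present(pattern):
        return any(re.search(pattern, s) for s in active)

    return {
        # Hui Cao's point: without this line (or an include of preprocessor.rules)
        # Snort raises no preprocessor events; see README.decoder_preproc_rules.
        "autogenerate_rules": present(r"^config\s+autogenerate_preprocessor_decoder_rules\b"),
        "preprocessor_rules_included": present(r"^include\s+\S*preprocessor\.rules\b"),
        # The example .so has to be found, and the preprocessor has to be enabled.
        "dynamicpreprocessor_path": present(r"^dynamicpreprocessor\s+(directory|file)\s+\S+"),
        "dynamic_example_enabled": present(r"^preprocessor\s+dynamic_example\b"),
        # barnyard2 only reads unified2, so that output must be active.
        "unified2_output": present(r"^output\s+(alert_|log_)?unified2\s*:"),
    }


def diagnose(conf_text):
    """Return the reasons why dynamic_example alerts would never reach the
    database behind barnyard2; an empty list means the path looks intact."""
    f = check_preprocessor_alert_path(conf_text)
    reasons = []
    if not f["dynamicpreprocessor_path"]:
        reasons.append("no active 'dynamicpreprocessor directory|file' line: "
                       "the example preprocessor library is never loaded")
    if not f["dynamic_example_enabled"]:
        reasons.append("no active 'preprocessor dynamic_example:' line")
    if not (f["autogenerate_rules"] or f["preprocessor_rules_included"]):
        reasons.append("neither 'config autogenerate_preprocessor_decoder_rules' "
                       "nor an include of preprocessor.rules is active: "
                       "preprocessor events are never turned into alerts")
    if not f["unified2_output"]:
        reasons.append("no active unified2 output: barnyard2 has nothing to read")
    return reasons


if __name__ == "__main__":
    for reason in diagnose(SAMPLE_SNORT_CONF):
        print("problem:", reason)
    fixed = SAMPLE_SNORT_CONF + "config autogenerate_preprocessor_decoder_rules\n"
    print("after adding the config line:", diagnose(fixed) or "no problems found")
```

Run against the constructed excerpt it reports exactly one problem, the missing autogenerate line; appending that line (or an active include of preprocessor.rules) clears it.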

On 04/07/2011 03:54 AM, Thomas LESTRIEZ wrote:
>
> Hi,
>
> As you asked, my two files snort.conf and barnyard2.conf :
>
> SNORT.CONF
>
> #--------------------------------------------------
> #   VRT Rule Packages Snort.conf
> #
> #   For more information visit us at:
> #     http://www.snort.org                   Snort Website
> #     http://vrt-sourcefire.blogspot.com/    Sourcefire VRT Blog
> #
> #     Mailing list Contact:      snort-sigs at lists.sourceforge.net
> #     False Positive reports:    fp at ...402...
> #     Snort bugs:                bugs at ...835...
> #
> #     Compatible with Snort Versions:
> #     VERSIONS : 2.9.0.3
> #
> #     Snort build options:
> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> #--------------------------------------------------
>
> ###################################################
> # This file contains a sample snort configuration.
> # You should take the following steps to create your own custom configuration:
> #
> #  1) Set the network variables.
> #  2) Configure the decoder
> #  3) Configure the base detection engine
> #  4) Configure dynamic loaded libraries
> #  5) Configure preprocessors
> #  6) Configure output plugins
> #  7) Customize your rule set
> #  8) Customize preprocessor and decoder rule set
> #  9) Customize shared object rule set
> ###################################################
>
> ###################################################
> # Step #1: Set the network variables.  For more information, see README.variables
> ###################################################
>
> # Setup the network addresses you are protecting
> ipvar HOME_NET any
>
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET any
>
> # List of DNS servers on your network
> ipvar DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> ipvar SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> ipvar HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> ipvar SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> ipvar TELNET_SERVERS $HOME_NET
>
> # List of ssh servers on your network
> ipvar SSH_SERVERS $HOME_NET
>
> # List of ports you run web servers on
> portvar HTTP_PORTS [80,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,5250,7001,7777,7779,8000,8008,8028,8080,8088,8118,8123,8180,8243,8280,8888,9090,9091,9443,9999,11371]
>
> # List of ports you want to look for SHELLCODE on.
> portvar SHELLCODE_PORTS !80
>
> # List of ports you might see oracle attacks on
> portvar ORACLE_PORTS 1024:
>
> # List of ports you want to look for SSH connections on:
> portvar SSH_PORTS 22
>
> # other variables, these should not be modified
> ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>
> # Path to your rules files (this can be a relative path)
> # Note for Windows users:  You are advised to make this an absolute path,
> # such as:  c:\snort\rules
> var RULE_PATH rules
> var SO_RULE_PATH ../so_rules
> var PREPROC_RULE_PATH ../preproc_rules
>
> ###################################################
> # Step #2: Configure the decoder.  For more information, see README.decode
> ###################################################
>
> # Stop generic decode events:
> config disable_decode_alerts
>
> # Stop Alerts on experimental TCP options
> config disable_tcpopt_experimental_alerts
>
> # Stop Alerts on obsolete TCP options
> config disable_tcpopt_obsolete_alerts
>
> # Stop Alerts on T/TCP alerts
> config disable_tcpopt_ttcp_alerts
>
> # Stop Alerts on all other TCPOption type events:
> config disable_tcpopt_alerts
>
> # Stop Alerts on invalid ip options
> config disable_ipopt_alerts
>
> # Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet
> # config enable_decode_oversized_alerts
>
> # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
> # config enable_decode_oversized_drops
>
> # Configure IP / TCP checksum mode
> config checksum_mode: all
>
> # Configure maximum number of flowbit references.  For more information, see README.flowbits
> # config flowbits_size: 64
>
> # Configure ports to ignore
> # config ignore_ports: tcp 21 6667:6671 1356
> # config ignore_ports: udp 1:17 53
>
> # Configure active response for non inline operation. For more information, see README.active
> # config response: eth0 attempts 2
>
>
> ###################################################
> # Step #3: Configure the base detection engine.  For more information, see README.decode
> ###################################################
>
> # Configure PCRE match limitations
> config pcre_match_limit: 3500
> config pcre_match_limit_recursion: 1500
>
> # Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
> config detection: search-method ac-split search-optimize max-pattern-len 20
>
> # Configure the event queue.  For more information, see README.event_queue
> config event_queue: max_queue 8 log 3 order_events content_length
>
> ###################################################
> # Per packet and rule latency enforcement
> # For more information see README.ppm
> ###################################################
>
> # Per Packet latency configuration
> #config ppm: max-pkt-time 250, \
> #   fastpath-expensive-packets, \
> #   pkt-log
>
> # Per Rule latency configuration
> #config ppm: max-rule-time 200, \
> #   threshold 3, \
> #   suspend-expensive-rules, \
> #   suspend-timeout 20, \
> #   rule-log alert
>
> ###################################################
> # Configure Perf Profiling for debugging
> # For more information see README.PerfProfiling
> ###################################################
>
> #config profile_rules: print all, sort avg_ticks
> #config profile_preprocs: print all, sort avg_ticks
>
> ###################################################
> # Step #4: Configure dynamic loaded libraries.
> # For more information, see Snort Manual, Configuring Snort - Dynamic Modules
> ###################################################
>
> # path to dynamic preprocessor libraries
> dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
>
> # path to base preprocessor engine
> dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
>
> # path to dynamic rules libraries
> dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
>
> ###################################################
> # Step #5: Configure preprocessors
> # For more information, see the Snort Manual, Configuring Snort - Preprocessors
> ###################################################
>
> # Inline packet normalization. For more information, see README.normalize
> # Does nothing in IDS mode
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
>
> # Target-based IP defragmentation.  For more information, see README.frag3
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>
> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
>         7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>     ports both 80 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 6907 7001 7702 7777 7779 \
>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>         7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
> preprocessor stream5_udp: timeout 180
>
> # performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>
> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
> preprocessor http_inspect_server: server default \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>         oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     base36 no \
>         directory no \
>         double_decode no \
>         iis_backslash no \
>         iis_delimiter no \
>         iis_unicode no \
>         multi_slash no \
>    utf_8 no \
>         u_encode yes \
>         webroot no
>
> # ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
>
> # Back Orifice detection.
> preprocessor bo
>
> # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no
> preprocessor ftp_telnet_protocol: telnet \
>     ayt_attack_thresh 20 \
>     normalize ports { 23 } \
>     detect_anomalies
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     ports { 21 2100 3535 } \
>     telnet_cmds yes \
>     ignore_telnet_erase_cmds yes \
>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>     ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
>     alt_max_param_len 256 { CWD RNTO } \
>     alt_max_param_len 400 { PORT } \
>     alt_max_param_len 512 { SIZE } \
>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>     cmd_validity ALLO < int [ char R int ] > \
>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>     cmd_validity MACB < string > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>     cmd_validity MODE < char ASBCZ > \
>     cmd_validity PORT < host_port > \
>     cmd_validity PROT < char CSEP > \
>     cmd_validity STRU < char FRPO [ string ] > \
>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
> preprocessor ftp_telnet_protocol: ftp client default \
>     max_resp_len 256 \
>     bounce yes \
>     ignore_telnet_erase_cmds yes \
>     telnet_cmds yes
>
>
> # SMTP normalization and anomaly detection.  For more information, see README.SMTP
> preprocessor smtp: ports { 25 465 587 691 } \
>     inspection_type stateful \
>     enable_mime_decoding \
>     max_mime_depth 20480 \
>     normalize cmds \
>     normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     max_command_line_len 512 \
>     max_header_line_len 1000 \
>     max_response_line_len 512 \
>     alt_max_command_line_len 260 { MAIL } \
>     alt_max_command_line_len 300 { RCPT } \
>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
>     valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
>     valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
>     valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
>     xlink2state { enabled }
>
> # Portscan detection.  For more information, see README.sfportscan
> # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
>
> # ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
> # preprocessor arpspoof
> # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> # SSH anomaly detection.  For more information, see README.ssh
> preprocessor ssh: server_ports { 22 } \
>                   autodetect \
>                   max_client_bytes 19600 \
>                   max_encrypted_packets 20 \
>                   max_server_version_len 100 \
>                   enable_respoverflow enable_ssh1crc32 \
>                   enable_srvoverflow enable_protomismatch
>
> # SMB / DCE-RPC normalization and anomaly detection.  For more information, see README.dcerpc2
> preprocessor dcerpc2: memcap 102400, events [co ]
> preprocessor dcerpc2_server: default, policy WinXP, \
>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
>     smb_max_chain 3
>
> # DNS anomaly detection.  For more information, see README.dns
> preprocessor dns: ports { 53 } enable_rdata_overflow
>
> # SSL anomaly detection and traffic bypass.  For more information, see README.ssl
> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
>
> # SDF sensitive data preprocessor.  For more information see README.sensitive_data
> preprocessor sensitive_data: alert_threshold 25
>
> ###################################################
> # Step #6: Configure output plugins
> # For more information, see Snort Manual, Configuring Snort - Output Modules
> ###################################################
>
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
> output unified2: filename snort.u2, limit 128
> # Additional configuration for specific types of installs
> # output alert_unified2: filename snort.alert, limit 128, nostamp
> # output log_unified2: filename snort.log, limit 128, nostamp
>
> # syslog
> # output alert_syslog: LOG_AUTH LOG_ALERT
>
> # output alert_full: /var/log/syslog
>
> # pcap
> # output log_tcpdump: tcpdump.log
>
> # database
> # output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
> # output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
> # prelude
> # output alert_prelude
>
> # metadata reference data.  do not modify these lines
> include classification.config
> include reference.config
> ###################################################
> #Dynamic-example
> preprocessor dynamic_example: port 11123
> ###################################################
>
> # Step #7: Customize your rule set
> # For more information, see Snort Manual, Writing Snort Rules
> #
> # NOTE: All categories are enabled in this conf file
> ###################################################
>
> # site specific rules
> include $RULE_PATH/local.rules
>
> #include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/backdoor.rules
> #include $RULE_PATH/bad-traffic.rules
> #include $RULE_PATH/blacklist.rules
> #include $RULE_PATH/botnet-cnc.rules
> #include $RULE_PATH/chat.rules
> #include $RULE_PATH/content-replace.rules
> #include $RULE_PATH/ddos.rules
> #include $RULE_PATH/dns.rules
> #include $RULE_PATH/dos.rules
> #include $RULE_PATH/exploit.rules
> #include $RULE_PATH/finger.rules
> #include $RULE_PATH/ftp.rules
> #include $RULE_PATH/icmp.rules
> #include $RULE_PATH/icmp-info.rules
> #include $RULE_PATH/imap.rules
> #include $RULE_PATH/info.rules
> #include $RULE_PATH/misc.rules
> #include $RULE_PATH/multimedia.rules
> #include $RULE_PATH/mysql.rules
> #include $RULE_PATH/netbios.rules
> #include $RULE_PATH/nntp.rules
> #include $RULE_PATH/oracle.rules
> #include $RULE_PATH/other-ids.rules
> #include $RULE_PATH/p2p.rules
> #include $RULE_PATH/phishing-spam.rules
> #include $RULE_PATH/policy.rules
> #include $RULE_PATH/pop2.rules
> #include $RULE_PATH/pop3.rules
> #include $RULE_PATH/rpc.rules
> #include $RULE_PATH/rservices.rules
> #include $RULE_PATH/scada.rules
> #include $RULE_PATH/scan.rules
> #include $RULE_PATH/shellcode.rules
> #include $RULE_PATH/smtp.rules
> #include $RULE_PATH/snmp.rules
> #include $RULE_PATH/specific-threats.rules
> #include $RULE_PATH/spyware-put.rules
> #include $RULE_PATH/sql.rules
> #include $RULE_PATH/telnet.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/virus.rules
> #include $RULE_PATH/voip.rules
> #include $RULE_PATH/web-activex.rules
> #include $RULE_PATH/web-attacks.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-client.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-frontpage.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-misc.rules
> #include $RULE_PATH/web-php.rules
> #include $RULE_PATH/x11.rules
>
> ###################################################
> # Step #8: Customize your preprocessor and decoder alerts
> # For more information, see README.decoder_preproc_rules
> ###################################################
>
> # decoder and preprocessor event rules
> # include $PREPROC_RULE_PATH/preprocessor.rules
> # include $PREPROC_RULE_PATH/decoder.rules
> # include $PREPROC_RULE_PATH/sensitive-data.rules
>
> ###################################################
> # Step #9: Customize your Shared Object Snort Rules
> # For more information, see http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
> ###################################################
>
> # dynamic library rules
> # include $SO_RULE_PATH/bad-traffic.rules
> # include $SO_RULE_PATH/chat.rules
> # include $SO_RULE_PATH/dos.rules
> # include $SO_RULE_PATH/exploit.rules
> # include $SO_RULE_PATH/icmp.rules
> # include $SO_RULE_PATH/imap.rules
> # include $SO_RULE_PATH/misc.rules
> # include $SO_RULE_PATH/multimedia.rules
> # include $SO_RULE_PATH/netbios.rules
> # include $SO_RULE_PATH/nntp.rules
> # include $SO_RULE_PATH/p2p.rules
> # include $SO_RULE_PATH/smtp.rules
> # include $SO_RULE_PATH/sql.rules
> # include $SO_RULE_PATH/web-activex.rules
> # include $SO_RULE_PATH/web-client.rules
> # include $SO_RULE_PATH/web-iis.rules
> # include $SO_RULE_PATH/web-misc.rules
>
> # Event thresholding or suppression commands. See threshold.conf
> include threshold.conf
>
>
>
>
>
> BARNYARD2.CONF:
>
>
> #-------------------------------------------------------------
> #  Barnyard2 configuration file
> #
> #  http://www.securixlive.com/barnyard2
> #
> #  Contact: dev at ...3030...
> #-------------------------------------------------------------
>
> #
> # This file contains a sample barnyard2 configuration.
> # You can take the following steps to create your own custom configuration:
> #
> #   1) Configure the variable declarations
> #   2) Setup the input plugins
> #   3) Setup the output plugins
> #
>
> # Step 1: configure the variable declarations
> #
> # in order to keep from having a commandline that uses every letter in the
> # alphabet most configuration options are set here.
>
> # use UTC for timestamps
> #
> #config utc
>
> # set the appropriate paths to the file(s) your Snort process is using.
> #
> config reference_file:            /usr/local/snort/etc/reference.config
> config classification_file: /usr/local/snort/etc/classification.config
> config gen_file:            /usr/local/snort/etc/gen-msg.map
> config sid_file:                /usr/local/snort/etc/sid-msg.map
>
> # define dedicated references similar to that of snort.
> #
> #config reference: mybugs http://www.mybugs.com/?s=
>
> # define explicit classifications similar to that of snort.
> #
> #config classification: shortname, short description, priority
>
> # set the directory for any output logging
> #
> #config logdir: /tmp
>
> # to ensure that any plugins requiring some level of uniqueness in their output
> # the alert_with_interface_name, interface and hostname directives are provided.
> # An example of usage would be to configure them to the values of the associated
> # snort process whose unified files you are reading.
> #
> # Example:
> #   For a snort process as follows:
> #     snort -i eth0 -c /etc/snort.conf
> #
> #   Typical options would be:
> #     config hostname:        thor
> #     config interface: eth0
> #     config alert_with_interface_name
> #
> #config hostname:        thor
> config hostname:        localhost
> #config interface:        eth0
> config interface:        eth0
>
> # enable printing of the interface name when alerting.
> #
> #config alert_with_interface_name
>
> # at times snort will alert on a packet within a stream and dump that stream to
> # the unified output. barnyard2 can generate output on each packet of that
> # stream or the first packet only.
> #
> #config alert_on_each_packet_in_stream
>
> # enable daemon mode
> #
> #config daemon
>
> # make barnyard2 process chroot to directory after initialisation.
> #
> #config chroot: /var/spool/barnyard2
>
> # specify the group or GID for barnyard2 to run as after initialisation.
> #
> #config set_gid: 999
>
> # specify the user or UID for barnyard2 to run as after initialisation.
> #
> #config set_uid: 999
>
> # specify the directory for the barnyard2 PID file.
> #
> #config pidpath: /var/run/by2.pid
>
> # enable decoding of the data link (or second level headers).
> #
> #config decode_data_link
>
> # dump the application data
> #
> #config dump_payload
>
> # dump the application data as chars only
> #
> #config dump_chars_only
>
> # enable verbose dumping of payload information in log style output plugins.
> #
> #config dump_payload_verbose
>
> # enable obfuscation of logged IP addresses.
> #
> #config obfuscate
>
> # enable the year being shown in timestamps
> #
> #config show_year
>
> # set the umask for all files created by the barnyard2 process (eg. log files).
> #
> #config umask: 066
>
> # enable verbose logging
> #
> #config verbose
>
> # quiet down some of the output
> #
> #config quiet
>
> # define the full waldo filepath.
> #
> #config waldo_file: /tmp/waldo
>
> # specify the maximum length of the MPLS label chain
> #
> #config max_mpls_labelchain_len: 64
>
> # specify the protocol (ie ipv4, ipv6, ethernet) that is encapsulated by MPLS.
> #
> #config mpls_payload_type: ipv4
>
> # set the reference network or homenet which is predominantly used by the
> # log_ascii plugin.
> #
> #config reference_net: 192.168.0.0/24
>
> #
> # CONTINUOUS MODE
> #
>
> # set the archive directory for use with continuous mode
> #
> #config archivedir: /tmp
>
> # when operating in continuous mode, only process new records and ignore any
> # existing unified files
> #
> #config process_new_records_only
>
>
>
> # Step 2: setup the input plugins
> #
> # this is not hard, only unified2 is supported ;)
> input unified2
>
>
>
> # Step 3: setup the output plugins
>
> # alert_cef
> #-----------------------------
> #
> # Purpose:
> #  This output module provides the ability to output alert information to a
> # remote network host as well as the local host using the open standard
> # Common Event Format (CEF).
> #
> # Arguments: host=hostname[:port], severity facility
> #            arguments should be comma delimited.
> #   host                - specify a remote hostname or IP with optional port number
> #                 this is only specific to WIN32 (and is not yet fully supported)
> #        severity        - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> #        facility        - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> #
> # Examples:
> #        output alert_cef
> #        output alert_cef: host=192.168.10.1
> #        output alert_cef: host=sysserver.com:1001
> #        output alert_cef: LOG_AUTH LOG_INFO
> #
>
>
> # alert_fast
> #-----------------------------
> # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
> #
> # Arguments: file <file>, stdout
> #            arguments should be comma delimited.
> #   file - specify alert file
> #   stdout - no alert file, just print to screen
> #
> # Examples:
> #   output alert_fast
> #   output alert_fast: stdout
> #
> output alert_fast: stdout
>
>
> # prelude: log to the Prelude Hybrid IDS system
> # ---------------------------------------------
> #
> # Purpose:
> #  This output module provides logging to the Prelude Hybrid IDS system
> #
> # Arguments: profile=snort-profile
> #   snort-profile        - name of the Prelude profile to use (default is snort).
> #
> # Snort priority to IDMEF severity mappings:
> # high < medium < low < info
> #
> # These are the default mapped from classification.config:
> # info   = 4
> # low    = 3
> # medium = 2
> # high   = anything below medium
> #
> # Examples:
> #   output alert_prelude
> #   output alert_prelude: profile=snort-profile-name
> #
>
>
> # alert_syslog
> #-----------------------------
> #
> # Purpose:
> #  This output module provides the ability to output alert information to a
> # remote network host as well as the local host.
> #
> # Arguments: host=hostname[:port], severity facility
> #            arguments should be comma delimited.
> #   host                - specify a remote hostname or IP with optional port number
> #                 this is only specific to WIN32 (and is not yet fully supported)
> #        severity        - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
> #        facility        - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
> #
> # Examples:
> #        output alert_syslog
> #        output alert_syslog: host=192.168.10.1
> #        output alert_syslog: host=sysserver.com:1001
> #        output alert_syslog: LOG_AUTH LOG_INFO
> #
>
>
> # log_ascii
> #-----------------------------
> #
> # Purpose: This output module provides the default packet logging functionality
> #
> # Arguments: None.
> #
> # Examples:
> #   output log_ascii
> #
>
>
> # log_tcpdump
> # -------------------------------------------------
> #
> # Purpose
> #  This output module logs packets in binary tcpdump format
> #
> # Arguments:
> #   The only argument is the output file name.
> #
> # Examples:
> #   output log_tcpdump: tcpdump.log
> #
>
>
> # sguil
> #-----------------------------
> #
> # Purpose: This output module provides logging ability for the sguil interface
> # See doc/README.sguil
> #
> # Arguments: agent_port <port>, sensor_name <name>
> #            arguments should be comma delimited.
> #   agent_port        - explicitly set the sguil agent listening port
> #                                  (default: 7736)
> #   sensor_name - explicitly set the sensor name
> #                                  (default: machine hostname)
> #
> # Examples:
> #   output sguil
> #   output sguil: agent_port=7000
> #   output sguil: sensor_name=argyle
> #   output sguil: agent_port=7000, sensor_name=argyle
> #
>
>
> # database: log to a variety of databases
> # ---------------------------------------
> #
> # Purpose: This output module provides logging ability to a variety of databases
> # See doc/README.database for additional information.
> #
> # Examples:
> #   output database: log, mysql, user=root password=test dbname=db host=localhost
> #   output database: alert, postgresql, user=snort dbname=snort
> #   output database: log, odbc, user=snort dbname=snort
> #   output database: log, mssql, dbname=snort user=snort password=test
> #   output database: log, oracle, dbname=snort user=snort password=test
> #
> output database: log, mysql, user=snort password=mypwd dbname=snort host=localhost
> #also tried with:
> #output database: alert, mysql, user=snort password=mypwd dbname=snort host=localhost
>
>
>
> Thank you,
>
> Regards
>
>
> Thomas LESTRIEZ
> Apprentice Engineer
> EDF - R&D
> SINETICS
> 1, avenue du Général de Gaulle
> BP 408
> 92141 Clamart Cedex
>
> thomas.lestriez at ...3158...
> Tel.: 0147653811
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel