[Snort-devel] preprocessors (sfportscan) not working

Rodrigo Montoro(Sp0oKeR) spooker at ...2499...
Thu Nov 28 05:29:00 EST 2013


sfportscan alerts are defined in preprocessor.rules, which, based on your snort.conf,
isn't enabled:

#var PREPROC_RULE_PATH ../preproc_rules

....

# include $PREPROC_RULE_PATH/preprocessor.rules

This file is inside the snort tarball, and you need to include it for the rules to be
loaded.

Regards,



On Thu, Nov 28, 2013 at 3:03 AM, Mustafa Karci <mk at ...3455...> wrote:

> I have some problems with snort. The case is: I set up
> snort-2.9.5.5-1.x86_64 on CentOS 6 64-bit. This is working correctly;
> when I add a test rule like the one below, it works OK. I can see that
> snort is writing to the snort-unified2.log.
>
> test.rules:
> alert icmp any any -> any any (msg:"ICMP test"; sid:200001; rev:100001;)
>
> I also configured sfportscan in snort.conf:
> # Portscan detection.  For more information, see README.sfportscan
> preprocessor sfportscan: proto  { all } \
>                          scan_type { all } \
>                          sense_level { high }
>                          #logfile { pscan1.log }
>
> But when I do nmap -sS xxx.xxxx.xxx.xxx, nmap -rR xxx.xxx.xxx.xxx or
> nmap -A -v xxx.xxx.xxx.xxx against the snort machine, it does not generate any
> alerts!!! But when I enable "logfile { pscan1.log }" I do get output
> in /var/log/snort/pscan1.log... But until now I have only seen it
> working with the nmap -sS command. So my question is: what am I
> doing wrong? And another thing I don't get: is there a dynamic
> preprocessor library for the portscan?? That can't be it, because then it would
> not generate a portscan alert in pscan1.log...
>
> Here are the contents of the config:
> *snort.conf:*
> # Setup the network addresses you are protecting
> ipvar HOME_NET xxx.xxx.xxx.xxx/22
> # Set up the external network addresses. Leave as "any" in most situations
> ipvar EXTERNAL_NET !$HOME_NET
>
> # Portscan detection.  For more information, see README.sfportscan
> preprocessor sfportscan: proto  { all } \
>                          scan_type { all } \
>                          sense_level { high }
>                          #logfile { pscan1.log }
>
> var RULE_PATH /etc/snort/rules
> #var SO_RULE_PATH /etc/snort/rules/so_rules
> #var PREPROC_RULE_PATH ../preproc_rules
>
> # path to dynamic preprocessor libraries
> dynamicpreprocessor directory /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/
> # path to base preprocessor engine
> dynamicengine /usr/lib64/snort-2.9.5.5_dynamicengine/libsf_engine.so
> # path to dynamic rules libraries
> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>
> # Inline packet normalization. For more information, see README.normalize
> # Does nothing in IDS mode
> preprocessor normalize_ip4
> preprocessor normalize_tcp: ips ecn stream
> preprocessor normalize_icmp4
> preprocessor normalize_ip6
> preprocessor normalize_icmp6
>
>  # unified2
> output unified2: filename snort-unified2.log, limit 128
> # syslog
> # output alert_syslog: LOG_ALERT
> # pcap
> # output log_tcpdump: tcpdump.log
>
> # metadata reference data.  do not modify these lines
> include classification.config
> include reference.config
>
> include $RULE_PATH/test.rules
> include $RULE_PATH/local.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/server-mssql.rules
> include $RULE_PATH/server-mysql.rule
>
> # decoder and preprocessor event rules
> # include $PREPROC_RULE_PATH/preprocessor.rules
> # include $PREPROC_RULE_PATH/decoder.rules
> # include $PREPROC_RULE_PATH/sensitive-data.rules
> include threshold.conf
>
> */etc/sysconfig/snort*
> INTERFACE=eth1
> CONF=/etc/snort/snort.conf
> # ALERTMODE=fastq
> # BINARY_LOG=1
>
> *start snort + barnyard*
> /etc/init.d/snortd start
>
> *output /var/log/messages*
> Detection:
> Nov 26 11:16:30 NFS1-1 snort[11083]:    Search-Method = AC-Full-Q
> Nov 26 11:16:30 NFS1-1 snort[11083]:     Split Any/Any group = enabled
> Nov 26 11:16:30 NFS1-1 snort[11083]:     Search-Method-Optimizations = enabled
> Nov 26 11:16:30 NFS1-1 snort[11083]:     Maximum pattern length = 20
> Nov 26 11:16:30 NFS1-1 snort[11083]: Tagged Packet Limit: 256
> Nov 26 11:16:30 NFS1-1 snort[11083]: Loading dynamic engine /usr/lib64/snort-2.9.5.5_dynamicengine/libsf_engine.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]: Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/...
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_gtp_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_sdf_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_smtp_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dce2_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dns_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ssh_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_reputation_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_pop_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_dnp3_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_sip_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_imap_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_modbus_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Loading dynamic preprocessor library /usr/lib64/snort-2.9.5.5_dynamicpreprocessor//libsf_ssl_preproc.so...
> Nov 26 11:16:30 NFS1-1 snort[11083]: done
> Nov 26 11:16:30 NFS1-1 snort[11083]:   Finished Loading all dynamic preprocessor libs from /usr/lib64/snort-2.9.5.5_dynamicpreprocessor/
> Nov 26 11:16:30 NFS1-1 snort[11083]: Log directory = /var/log/snort
> Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: ip4 normalizations disabled because not inline.
> Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: tcp normalizations disabled because not inline.
> Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: icmp4 normalizations disabled because not inline.
> Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: ip6 normalizations disabled because not inline.
> Nov 26 11:16:30 NFS1-1 snort[11083]: WARNING: icmp6 normalizations disabled because not inline.
>
> Nov 26 11:16:30 NFS1-1 snort[11084]: Daemon initialized, signaled parent pid: 11083
> Nov 26 11:16:30 NFS1-1 snort[11084]: Reload thread starting...
> Nov 26 11:16:30 NFS1-1 snort[11084]: Reload thread started, thread 0x7fb89afd5700 (11086)
> Nov 26 11:16:30 NFS1-1 snort[11084]: Decoding Ethernet
> Nov 26 11:16:30 NFS1-1 snort[11084]: Checking PID path...
> Nov 26 11:16:30 NFS1-1 snort[11084]: PID path stat checked out ok, PID path set to /var/run/
> Nov 26 11:16:30 NFS1-1 snort[11084]: Writing PID "11084" to file "/var/run//snort_eth1.pid"
> Nov 26 11:16:30 NFS1-1 snort[11084]: Set gid to 500
> Nov 26 11:16:30 NFS1-1 snort[11084]: Set uid to 500
> Nov 26 11:16:30 NFS1-1 snort[11084]:
> Nov 26 11:16:30 NFS1-1 snort[11084]:         --== Initialization Complete ==--
> Nov 26 11:16:30 NFS1-1 snort[11084]: Commencing packet processing (pid=11084)
> Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Closing spool file '/var/log/snort/snort-unified2.log.1385467902'. Read 0 records
> Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Opened spool file '/var/log/snort/snort-unified2.log.1385468190'
> Nov 26 11:16:31 NFS1-1 barnyard2[7020]: Waiting for new data
>
> kind regards
> --
> Mustafa Karci
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
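Added example, not part of the thread and not Snort project code: a small POSIX sh checker for the failure mode Rodrigo points at. sfportscan raises its events under GID 122, but Snort only turns them into alerts (and hence unified2 records for barnyard2) when snort.conf defines PREPROC_RULE_PATH and includes preprocessor.rules on uncommented lines; the pscan1.log output the poster saw comes from sfportscan's own `logfile` option and is independent of alert generation, so it is the wrong signal to test alerting with. The sample snort.conf and preprocessor.rules fragments below are constructed for the demo in the Snort 2.9 syntax (the GID 122 rule lines imitate the style of the stock preprocessor.rules and are not copied from it); the absolute path /etc/snort/preproc_rules is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project).
# Checks whether a Snort 2.9 snort.conf actually loads preprocessor.rules,
# the file that carries the sfportscan (GID 122) alert rules.

# Return 0 when the config both defines PREPROC_RULE_PATH and includes
# $PREPROC_RULE_PATH/preprocessor.rules on lines that are NOT commented out,
# otherwise return 1. A leading '#' (after optional whitespace) means inactive.
preproc_rules_enabled() {
    conf="$1"
    grep -Eq '^[[:space:]]*var[[:space:]]+PREPROC_RULE_PATH[[:space:]]+[^[:space:]]' "$conf" || return 1
    grep -Eq '^[[:space:]]*include[[:space:]]+\$PREPROC_RULE_PATH/preprocessor\.rules' "$conf" || return 1
}

# Print how many uncommented rules with gid 122 (sfportscan) a
# preprocessor.rules file contains. Rules commented out with '#' do not count.
count_sfportscan_rules() {
    n=$(grep -Ev '^[[:space:]]*#' "$1" | grep -Ec 'gid:[[:space:]]*122;') || n=0
    echo "$n"
}

# Write constructed sample files into a temp dir and print its path:
#   broken.conf        - the two lines commented out, as in the posted snort.conf
#   fixed.conf         - the same file with both lines enabled
#   preprocessor.rules - constructed rules in the style of the stock file
write_samples() {
    dir=$(mktemp -d)
    cat >"$dir/broken.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
#var PREPROC_RULE_PATH ../preproc_rules
preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         sense_level { high }
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
EOF
    # The fix: uncomment both lines. The stock file uses a relative path;
    # an absolute one (assumed here) avoids depending on how relative
    # includes are resolved on a given install.
    sed -e 's|^#var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^# include \$PREPROC_RULE_PATH/preprocessor.rules|include $PREPROC_RULE_PATH/preprocessor.rules|' \
        "$dir/broken.conf" >"$dir/fixed.conf"
    # Constructed sample: one commented-out rule, two live GID 122 rules,
    # one decoder (GID 116) rule that must not be counted.
    cat >"$dir/preprocessor.rules" <<'EOF'
# alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode ; classtype:protocol-command-decode; )
EOF
    echo "$dir"
}

# Run both checks against the constructed samples and clean up.
check_setup() {
    d=$(write_samples)
    for c in broken fixed; do
        if preproc_rules_enabled "$d/$c.conf"; then
            echo "$c.conf: preprocessor.rules is included; sfportscan events can become alerts"
        else
            echo "$c.conf: preprocessor.rules NOT included; sfportscan events never reach unified2"
        fi
    done
    echo "live sfportscan rules in sample preprocessor.rules: $(count_sfportscan_rules "$d/preprocessor.rules")"
    rm -rf "$d"
}

check_setup
```

Point `preproc_rules_enabled` at a real /etc/snort/snort.conf to reproduce the poster's situation, then validate the corrected file with `snort -T -c /etc/snort/snort.conf` before restarting; the Snort 2.9 manual also documents `config autogenerate_preprocessor_decoder_rules` as an alternative to including the files, so check which your build supports.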