[Snort-devel] confirm 343ec785cc752e98b958383c9c38dfab4b0200dc

박종일 pji5732 at ...3549...
Sat Jan 17 11:51:57 EST 2015


um.. i edit conf file and local rule however, Like symptoms before setting it


------------------snort.lua--------------------------
---------------------------------------------------------------------------
-- Snort++ configuration
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
--
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/conf/
---------------------------------------------------------------------------

---------------------------------------------------------------------------
-- setup the basics
---------------------------------------------------------------------------

require('snort_config')  -- for loading

-- Setup the network addresses you are protecting
HOME_NET = '192.168.223.0/24'

-- Set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!' .. HOME_NET

conf_dir = os.getenv('SNORT_LUA_PATH')

if ( not conf_dir ) then
    conf_dir = '.'
end

dofile(conf_dir .. '/snort_defaults.lua')
dofile(conf_dir .. '/classification.lua')
dofile(conf_dir .. '/reference.lua')

---------------------------------------------------------------------------
-- configure modules
---------------------------------------------------------------------------
--
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- comment or delete to disable mod functionality
--
-- you can also use default_ftp_server and default_wizard
---------------------------------------------------------------------------

--pcap file
--log_pcap = { }
--log_pcap.limit = 0
--log_pcap.units = B
-- uncomment ppm if you built with --enable-ppm
ppm = { }

-- uncomment profile if you built with --enable-perfprofile
--profile = { }

-- uncomment normalizer if you are inline or not --pedantic
--normalizer = { }

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

perf_monitor = { }
perf_monitor.console = true
perf_monitor.file = false
perf_monitor.seconds = 1
perf_monitor.packets = 1


arp_spoof = { }
back_orifice = { }
rpc_decode = { }
port_scan = { }
telnet = { }

-- use http_inspect or new_http_inspect (incomplete)
http_inspect = { }
--new_http_inspect = { }

ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }

wizard = default_wizard


--unified2 & output
alert_fast = { }
unified2 = { }
unified2.limit = 0
unified2.units = B
unified2.nostamp = false
unified2.mpls_event_types = true
unified2.vlan_event_types = true

output = { }
output.verbose = true
output.quiet = false
output.dump_payload = true
output.dump_payload_verbose =ture

---------------------command--------------------------------------

[root at ...196... ~]# snort -i eno16777736 -c /usr/local/etc/snort/snort.lua -R /etc/snort/rules -l /var/log/snort/ -K text -d -v -e

--------------------------------------------------
o")~   Snort++ 3.0.0-a1-130
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
        back_orifice
        classifications
        output
        alert_fast
        stream_tcp
        ftp_data
        unified2
        ftp_server
        http_inspect
        telnet
        port_scan
        rpc_decode
        arp_spoof
        perf_monitor
        stream_ip
        stream
        ftp_client
        stream_icmp
        references
        stream_udp
        wizard
Finished /usr/local/etc/snort/snort.lua.
Loading rules:
Loading /etc/snort/rules:
Finished /etc/snort/rules.
Finished rules.
Wizard
back_orifice
arpspoof configured
Stream5 TCP Policy config:
    Reassembly Policy: LAST
    Timeout: 30 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Require 3-Way Handshake: NO
Stream IP config:
    Timeout: 60 seconds
Defrag engine config:
    engine-based policy: LINUX
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Max frags: 8192
    Max overlaps:     0
    Min fragment Length:     0
Stream5 ICMP config:
    Timeout: 30 seconds
Stream5 UDP config:
    Timeout: 30 seconds
    Ignore Any -> Any Rules: NO
ftp_client:
    Check for Bounce Attacks: OFF
    Check for Telnet Cmds: OFF
    Ignore Telnet Cmd Operations: OFF
    Max Response Length: -1
ftp_server:
    Check for Telnet Cmds: ON
    Ignore Telnet Cmd Operations: ON
    Identify open data channels: YES
    Check for Encrypted Traffic: ON
    Continue to check encrypted data: NO
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: (null)
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip sessions: 5825
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: YES
      Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Extended ASCII code support in URI: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extract Gzip from responses: YES
      Ascii: OFF
      Double Decoding: OFF
      %U Encoding: ON
      Bare Byte: OFF
      UTF 8: OFF
      IIS Unicode: OFF
      Multiple Slash: OFF
      IIS Backslash: OFF
      Directory Traversal: OFF
      Web Root Traversal: OFF
      Apache WhiteSpace: OFF
      IIS Delimiter: OFF
      IIS Unicode Map:  NOT CONFIGURED
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
    TELNET CONFIG:
      Are You There Threshold: -1
      Normalize: NO
    Check for Encrypted Traffic: OFF
      Continue to check encrypted data: NO
rpc_decode
Portscan Detection Config:
    Detect Protocols:
    Detect Scan Type:
    Sensitivity Level:
    Memcap (in bytes): 1048576
    Number of Nodes:   0
PerfMonitor config:
  Sample Time:      1 seconds
  Packet Count:     1
  Max File Size:    2147483647
  Base Stats:       ACTIVE (SUMMARY)
    Base Stats File:  INACTIVE
    Max Perf Stats:   INACTIVE
  Flow Stats:       INACTIVE (SUMMARY)
  Event Stats:      INACTIVE (SUMMARY)
  Flow IP Stats:    INACTIVE (SUMMARY)
  Console Mode:     ACTIVE
Binder
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] eno16777736

----------------------------------ll /var/log/snort/-----------------------------
[root at ...196... ~]# ll /var/log/snort/
total 40
-rw-r--r--. 1 root root     0 Jan 14 02:05 barnyard2.waldo
-rw-------. 1 root root 37516 Jan 15 23:18 log.pcap
-rw-------. 1 root root     0 Jan 15 23:16 unified2log.u2.1421381779
-rw-------. 1 root root     0 Jan 16 01:11 unified2log.u2.1421388663
[root at ...196... ~]#

--------------------------------------------rules -------------------------------------
[root at ...196... ~]# cat /etc/snort/rules/local.rules
# Copyright 2001-2013 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------
# LOCAL RULES
#-------------

alert icmp any any -> any any (msg:"icmp"; itype:8; sid:100000; rev:1;)
alert tcp any any -> any any (msg:"tcp"; sid:"1000001";)


[root at ...196... ~]#


---------------------------------------------------------------------------




블로그서명
시작했다면 끝을 보아라
자기소개를 입력하세요.



블로그서명시작했다면 끝을 보아라
자기소개를 입력하세요.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150118/30b9f81a/attachment.html>


More information about the Snort-devel mailing list